5.

PLANNING, RISK ASSESSMENT AND AUDIT RISK

Outline:

A. Preliminary Engagement Activities

B. Planning
C. Documentation
D. Materiality
E. Analytical Procedures
F. Work of others
G. Risk Assessment
H. Audit Risk
I. Understanding the entity and its environment
J. Fraud

(A) PRELIMINARY ENGAGEMENT ACTIVITIES

(i) Learning objectives

 To know the steps in the preliminary engagement activities

 When to issue an engagement letter
 The contents of an engagement letter

(ii) Prospective clients

• An auditor should consider if he wants to accept or continue an audit

engagement

• An audit firm is a business and has to consider the impact of business relations

• Issues to consider (ISA 220R)

(a) Integrity of client

(b) Competency of the auditor

(c) Ethical requirements

Reasons why an auditor may not want to associate with a client

1. Lack of integrity or unethical client

2. Line of business of client eg; gambling, tobacco, pornographic material

Page 1 of 20
 3. Poor history of client with auditors

4. Business decision – fees?

5. Reporting framework used by client

6. Lack of competence and resources

(iii) Continuing clients, issues to consider:

1. Integrity of client

2. Competency of the auditor

3. Ethical requirements

(iv) ISA 220 - Procedures to gather preliminary engagement information

• Communication with the previous auditor (Code of Professional Conduct)

• Discussions with those charged with governance

• Enquiry with bankers and lawyers (permission required)

• Back ground search – internet, newspapers etc

• Public information EG annual reports

• Independence checks

(v) Terms of engagement

• Formalizing the terms of an engagement into an engagement letter

• Clarifies the purpose and nature of the engagement – bridge the

“Expectation Gap”

• ISA 210 – Terms of the audit engagement, this standard establishes and
provides guidance to the engagement letter standard

• The auditors duty and right is to decide in how the audit will be conducted

(vi) Terms of engagement

• Objective – this should be stated explicitly or clearly implied.

• Scope – An outline of the work to be done, including where appropriate the

applicable legislation.

Page 2 of 20
 • Management responsibilities – preparation of AFS in line with the applicable
standard (IFRS); maintaining accounting records and internal controls;
accounting policies and risk management.

• Auditors responsibilities – conduct an audit free from restrictions and issue an

audit opinion.

• Applicable reporting framework – use of IFRS or specific GAAP for preparation

of AFS

• Reports to be issued – reference to form and nature of reports to be issued

(vii) Other aspects of engagement terms

• Control weaknesses

• Involvement of other parties

• Other services to be rendered

• Audit timelines

• Audit fee and billings

• Signature of client and auditor

(B) PLANNING (ISA 300)

(i) Learning objectives

To formulate the aspects that relate to the planning of an audit

1. Audit strategy

2. Audit plan

The auditor should plan the audit work so that it will be performed in an effective
manner.

(ii) Importance of planning

1. Focuses the audit – eg significant risk are identified and addressed

2. Audits are carried out in an efficient and timely manner

Page 3 of 20
 3. Appropriate staffing can be done based on the work available, eg experts, other
auditors and internal audit.

4. Direction and supervision of the audit staff as well as review of work is

facilitated

5. Timely completion

6. Basis for the production of the audit plan

(iii) Audit Strategy

An overall audit strategy is the formulation of the general strategy for the audit, which:

 sets the direction for the audit,

 describes the expected scope and conduct of the audit and

 provides guidance for the development of the audit plan.

In summary it sets the scope, timing and direction/nature of the audit and guides the
development of the audit plan

ISA 300 Planning an Audit of Financial statements

Audit Strategy – key contents

(a) Understanding of the entity's environment:

i. Economic factors

ii. Business

iii. Strategies

iv. Reporting requirements

v. Changes from last audit

vi. Competence of mgt

(b) Understanding of the accounting and internal control systems:

i. Accounting policies adopted by the company

ii. Changes in accounting standards

iii. Prior audit experience

Page 4 of 20
(c) Risk and materiality:

i. Assessment of risks of fraud and error

ii. Identification of significant audit areas

iii. Setting materiality for audit planning purposes

iv. Possibility of error or fraud

v. Complex accounting areas and estimates

(d) Consequence nature, timing and extent of procedures:

i. Effect of IT

ii. Work of internal audit

iii. Change of emphasis on certain areas

(e) Co-ordination, direction, supervision and review

i. Involvement of other auditors

ii. Involvement of experts

iii. The number of locations

iv. Staffing requirements

(f) Other matters:

i. Going concern

ii. Related parties

iii. Terms of the engagement and statutory requirements

iv. Nature and timing of reports or communications during the audit

v. Tour of client facilities.

vi. Minutes of meetings ( Exco, Board, etc)

Page 5 of 20
(iv) The audit plan

In terms of ISA 300, the audit plan must contain;

• A description of the nature, timing and extent of planned risk assessment

procedures sufficient to assess the risks of material misstatement.

• A description of the nature, timing and extent of planned further audit

procedures at the assertion level for each material class of transactions,
account balance and disclosure

• Any other procedures which may be necessary to comply with the ISAs

Important considerations:

• Needs a lot of information about the client thus we should get a

detailed understanding of the entity and its environment

• An auditor should identify risks or material misstatement and respond

to the risks in a manner that the risk is reduced to an acceptable level

(C) AUDIT DOCUMENTATION (ISA - 230 )

Nature and purpose:

• Appropriate and sufficient evidence of the auditors basis for the auditors
reports

• Evidence that the audit was planned and performed in accordance with
ISA’s and applicable legal and regulatory requirements.

• Assist the audit team to plan and perform audit

• Assist relevant members of the team to direct and supervise work

• Assist the team in complying with ISA 220

• Retain a record of significance matters to future audits

• Enable an experienced auditor to carry out quality control reviews

• Enable monitoring (ISQC 1 and external inspections)

Page 6 of 20
Essentials of documentation:

• The auditor shall prepare audit documentation on a timely basis

• The auditor shall prepare audit documentation that is sufficient to

enable an experienced auditor, having no previous connection with the
audit, to understand;-

(a) Nature of audit procedures performed

(b) The identified risks of material misstatements

(c) The extent of judgment required in performing work and

evaluation results

(d) The significance of the audit evidence obtained

(e) The nature and extent of exceptions identified

(f) The need to document a conclusion or the basis of a conclusion

not readily determinable

(g) The audit methodology and tools used

Examples of audit documentation:

• Bank Statements
• Invoices
• Procedures and policies
• Engagement letter
• Stock take records
• AFS
• Internal Control – Process documentation (D&I)
• Info from previous auditors
• IAS
• Key areas of focus (ASM)
• Bank Recons
• Payroll file
• Info on team members
• Audit fee discussion
• Trial Balance
• Audit time frame
• Time analysis
• Engagement acceptance
• Client acceptance
• Audit plan
• Audit programme

Page 7 of 20
Example of working paper:

Name of Client: WP Ref:

Year End: Prepared By:

Subject: Date Prepared:

Aim:

Work done: Sample Selection

Work Done

Source of Information

Key to Audit risk

Appropriate cross referencing

Results:

Conclusion

Legends/tick-marks:

Reviewed by:

Date Reviewed:

Page 8 of 20
Note:

(a) The auditor should record the identifying characteristics of specific matters or
matters being tested.

(b) Firms are to have a standard referencing and filing procedure for working
papers – to facilitate review.

(c) Names of the preparer, review and dates done must be on the workpaper

(d) Audit files are divided into:

I. Permanent file – Contain information of continued importance to the audit

For example:

 Engagement letters
 New client questionnaire
 The memorandum and articles of association.
 Details of history of the client’s business.
 Board minutes of continuing importance.
 Previous signed accounts.
 Accounting system notes.

II. Current Audit file – contain information of relevance to current year audit.

For example:

 AFSs
 Accounts checklists
 Management accounts details.
 A summary of unadjusted errors.
 Review notes.
 Audit planning.
 Management letter.
 Representation letter.
 Audit programmes.
 Risk assessments
 Sampling plans.

• File close out or file assembly– legislation require files to be closed out after a
certain time frame (60 days for unlisted entities and 45 days for listed entities)

• Changes made after assembly date

• Document who made changes and who reviewed them

• Document reasons for making changes

• Document the effect of changes on the auditors conclusions

Changes made to the audit file after the audit report has been signed:

Page 9 of 20
 ■ Document the circumstances

■ Document the audit procedures performed, evidence obtained and

conclusions drawn

■ Document when and whom changes to audit documents were

made and reviewed

■ Legislation requires audit files to be retained for 5 years in

Swaziland. However, ACCA recommend that 7 years as a
minimum period.

Standardised and automated working papers:

Examples of standardised and automated working papers:

Vector Caseware

KAM Auditpro

AS2

Audit

Advantages of standardised and automated working papers:

1. The risk of error is reduced

2. Working papers will be neater and easier to review

3. Time is saved as adjustments can be easily made

4. Standard forms do not have to be carried to audit locations

5. Audit working papers can be remotely reviewed.

Page 10 of 20
 (D) MATERIALITY ISA 320

What is materiality?

Information is material if its omission or misstatement could influence the

economic decision of users taken on the basis of the financial statements.

Materiality depends on size of the item or error

Provides a threshold or cut-off point

“Materiality is the magnitude of an omission or misstatement of accounting

information that, in the light of surrounding circumstances, makes it probable that
the judgment of reasonable person relying on the information would have been
changes or influenced by the omission or misstatement”.

The auditors’ responsibility is to determine whether financial statements are

materially misstated. If the auditor determines that there is a material
misstatement, he/she will bring it to the client’s attention so that a corrective
action would be made. If the client refuses to correct the statements, a qualified or
adverse opinion must be issued.

 To understand who the users are.

 To understand the economic decisions they need to make
 Sell/buy decision might make materiality to be low.

To set the materiality level, the auditors need to decide the level of error which will
distort the view given by the accounts. Because many users of accounts are primarily
interested in the profitability of the company the level is often expressed as proportion
of its profits.

Materiality can be thought of in terms of size of the business. Hence if the company
remains fairly constant, the materiality level should not change, similarly if the
business is growing the level of materiality will increase from year to year.

This size of a company can be measured in terms of turnover or total assets before
deducting any liability.

To note:

• Should be calculated at the planning stage of all audits

• Should be re-evaluated at the final stages when evaluating the effects of

misstatement

• Calculation should be based on experience and judgment

• Considers quantitative and qualitative factors

Page 11 of 20
Nature of Materiality

1. Materiality is very subjective

■ Give 10 auditors one TB and they will come up with 10 materiality

levels

■ It is not a defined concept, professional judgment plays a great

part

■ Consideration of other quantitative factors

■ Sign off by Partner

2. Materiality is relative, not absolute (varies from user to user)

If using different benchmarks, we use different percentages. E.G.

 Profit before tax ……………………… 5%,

 Gross Profit……………………………. 0.5% - 1%
 Total Assets………………. …………. 1% - 2%,
 Turnover ……………………………… 0.5% - 1%.
 Net Assets…………………………….. 2% - 5%
 Profit Tax After………………………. 5% - 10%

Some circumstances where we use a different materiality for B/S and I/S.

Materiality is both qualitative and quantitative

 Example – disclosure requirements

Other considerations:

• There is an inverse relationship between materiality and audit risk

• The lower the materiality, the higher the audit risk.

(i) Low materiality levels mean less margin of error

(ii) Low materiality mean Auditors detect most

misstatements

(iii) Lower materiality, the greater the extent of testing

required

• Tolerable error or performance materiality is the maximum

level of error that the auditor is willing to accept

Page 12 of 20
 (E) ANALYTIC PROCEDURES ISA 520

Definition

“For the purposes of the ISA, the term “analytical procedures” means evaluations of
financial information through analysis of plausible relationships among both financial
and non-financial data. Analytical procedures also encompass such investigation as is
necessary of identified fluctuations or relationships that are inconsistent with other
relevant information or that differ from expected values by a significant amount. (ISA
520)”

Purpose

1. Used at planning stage as a means of understanding the business and

identifying audit risk.

2. To substantiate an assertion – substantive tests

3. Provide corroborative evidence at final stage of an audit

Analytic Procedures – ISA 330 requirements

a. Determine the suitability of the AP for the given assertion

b. Evaluate the reliability of data used by auditor in his expectation

c. Develop an expectation and evaluate whether its sufficient

d. Determine the acceptable difference b/n expectation and actual.

What do you do when you have variances on results of AP

Investigate such differences by:

a. Inquiry with MGT and obtaining appropriate audit evidence to support that

b. Perform other audit procedures as necessary

Nature of analytic procedures

I) Comparison of entities financial information with:

• Similar prior year information

• Budgets and forecasts (client determined expected results)

• Similar industry information

Page 13 of 20
 • Predictions made by auditors ( auditor expected results)

• Expected results using non- financial data

II) Elements of financial info that are expected to conform to a predicted pattern.
E.g. Sales to sales commissions, gross profit to sales

III) Elements between financial information and relevant non-information such as

Payroll Costs to number of employees.

(F) WORK OF OTHERS - ISA 610 AND 620

Work of internal audit – ISA 610

As part of planning, auditors must consider the activities of internal auditing and their
effect, if any, on the external procedures.

How do we assess whether we will use the work of internal audit?

Perform an assessment of the Internal Audit function through;-

A) Organisational status – Whom IA reports, operational responsibilities,

constraints and restrictions etc

B) Scope of function – Extent and nature of assignments performed and action

taken by MGT as a result of IA reports.

C) Technical competence – Technical training and competence/proficiency

D) Due professional care – Is IA work properly planned, supervised, reviewed and

documented.

Using work of others or experts – ISA 620

Define – An expert is a person or firm possessing special skill, knowledge and

experience in a particular field other than accounting or auditing.

Why we need Experts?

• Auditors have a limited skill set (consider materiality of item, risk of

misstatement and quality of other available audit evidence)

Who may engage an expert?

• Client – to provide a specialist advice on a matter affecting the AFS

• Auditors – to obtain sufficient audit evidence regarding certain FS assertions.

Page 14 of 20
Work of experts -

• Consideration by auditors:

• Professional Certification

• Experience and reputation

• Objectivity

• Assessing Expert’s work – consider the following:

• Source data used

• Assumptions and methods and their consistency

• Timing of carrying work

• Results of the experts work in light of CAKE

(G) RISK ASSESSMENT

Introduction:

A risk assessment carried out under the ISAs helps the auditor to identify financial
statement areas susceptible to material misstatements and provides a basis for
designing and preforming further procedures.

The overall objective of the auditor:

At all stages of the audit; including during risk assessment, the auditor must bear in
mind what the overall objectives of the independent auditor and the conduct of an
audit in accordance with International Standards on Auditing. The overall objectives
are:

“To obtain reasonable assurance about whether the financial statements as a

whole are free from material misstatement, whether due to error or fraud, thereby
enabling the auditor to express an opinion on whether the financial statements
are prepared, in all material aspects, in accordance with an applicable financial
reporting framework; and to report on the financial statements, and communicate
as required by the ISAs, in accordance with the auditor’s findings”

In order to obtain assurance about whether the financial statements are free from
material misstatement, the auditor needs to consider how and where misstatements
are most likely to arise. A risk assessment under the ISAs helps the auditor to ensure
that key areas more susceptible to material misstatements are adequately investigated

Page 15 of 20
and tested during the audit. It helps the auditor identify how risk areas where
reduced testing may be appropriate, ensuring time is not wasted by over testing these
areas.

In order to achieve the overall objective auditors also need to plan and perform the
audit with professional skepticism and apply their professional judgment.

Professional skepticism – is an attitude that includes a questioning mind, being

alert to conditions which may indicate possible misstatement due to error or fraud,
and a critical assessment of audit evidence.

For example:

 Audit evidence that contradicts other audit evidence obtained.

 Conditions that may indicate possible fraud.
 Circumstances that suggest the need for audit procedure in addition to those
required by ISAs.

Professional judgment – is the application of relevant training, knowledge and

experience in making informed decisions about courses of action that are appropriate
in the circumstances of the audit engagement.

For example:

 Materiality and audit risk.

 Nature, timing and extent of audit procedures.
 Evaluation whether sufficient appropriate audit evidence has been obtained.
 Evaluating management’s judgment in applying the applicable financial
reporting framework.
 Drawing conclusions based on audit evidence obtained.

(H) AUDIT RISK

Definition:

“Audit risk is the risk that the auditor expresses an inappropriate audit opinion when
the financial statements are materially misstated. It is a function of the material
misstatement (inherent risk and control risk) and the risk that the auditor will not detect
such misstatements (detection risk)”

Audit risk = Inherent Risk x Control Risk x Detection Risk.

Inherent Risk – is the susceptibility of an assertion to a misstatement that could be

material individually or when aggregated with other misstatements, assuming there
were no related controls.

It is a risk which derives from the nature of the entity and its environment prior to the
establishment of internal controls.

Page 16 of 20
Control Risk – is the risk that a material statement that could occur in an assertion
and that could be material, individually or when aggregated with other misstatements,
will not be prevented or detected and corrected on a timely basis by the entity’s
internal control.

Detection Risk – is the risk that procedures performed by the auditor to reduce audit
risk to an acceptable level will not detect a misstatement that exists and that could be
material, individually or when aggregated with other misstatements.

This is the component of audit risk that the auditors have a degree of control over,
because, if the risk is too high to be tolerated, the auditors can carry out more work to
reduce this aspect of audit risk and, therefore, audit risk as a whole.

One way to reduce detection risk is to increase sample sizes. Sampling risk and non-
sampling risk are components of detection risk.

It may also be caused by:

 Time pressure.
 Lack of competence and application.
 Failure to consult with seniors.
 Irresponsibility.
 Lack of commitment.
 Personal or emotional stress.

Although increasing sample sizes or doing the following actions can also improve the
effectiveness and application of procedures and therefore help reduce detection risk.

 Adequate planning.
 Assignment of more experienced personnel to the engagement team.
 The application of professional skepticism.
 Increased supervision and review of audit work performed.

All these reduce the possibility that the auditor might select an inappropriate audit
procedure, misapply an appropriate procedure, or misinterpret the audit results.

(I) UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

This is done to: (why?)

 To identify and assess the risks of material misstatements in the AFs.

 To enable the auditor to design and perform further audit procedures.
 To provide a frame of reference for exercising audit judgment when setting audit
materiality.

Page 17 of 20
This can done through: (How?)

 Enquiries from management and others within the entity.

 Analytical procedures
 Observation and inspection.
 Use of prior knowledge.
 Discussions among the engage team.
 Information from other engagements undertaken from the entity.

This is done on factors like: (What?)

 Industry, regulatory and other external factors, including the reporting

framework.
 Nature of the entity including the selection and application policies.
 Objectives and strategies and relating business risk that might cause material
misstatement in the AFs.
 Internal control.
 Measurement and review of financial performance.

The following factors indicate that a risk might be a significant risk.

 Risk of fraud.
 Degree of subjectivity in the financial statements (eg when a lot of accounting
estimates are used)
 Unusual transactions.
 Significant transactions with related parties.
 Complexity of the transactions.

Page 18 of 20
 (J) FRAUD

Fraud is an intentional act by one or more individuals among management, those

charged with governance (management fraud), employees (employee fraud) or third
parties involving the use of deception to obtain an unjust or illegal advantage. Fraud
may be perpetrated by an individual, with people internal or external to the business.

While fraud is broad concept, in the context of financial statements the auditors’ main
concern is with fraud that causes material misstatements in the financial statements.
It is different from error which is when a material misstatement is caused by a
mistake.

The two main categories of fraud are fraudulent financial reporting and
misappropriation of assets.

Fraudulent financial reporting is an intentional misstatement or omission of amounts

or disclosures with the intent to deceive users.

Misappropriation of assets is fraud that involves theft of an entity’s assets, e.g.:

 Embezzling receipts (transferring receipts to personal bank accounts).

 Stealing or intellectual property like formula or receipts.
 Causing an entity to pay for undelivered goods.
 Using assets for personal use. E.g using company machinery to fix your car.

There are three conditions for fraud, these normally referred to as the Fraud Triangle.

1. Incentives/Pressures

2. Opportunities
3. Attitudes/Rationalization

1. Incentives/pressures – management or other employees have incentives or

pressures to commit fraud.

 Excessive pressures for management to meet debt repayments or other

debt agreement requirements
 Personal financial obligations.
 Adverse relationships with management e.g. expected layoffs, poor
compensations.

Page 19 of 20
 2. Opportunities – circumstances that provide opportunities for management and
employees to commit fraud.

 Significant accounting estimates which involve subjective judgments or

uncertainties that are difficult to verify.
 Presence of large amounts of cash on hand or inventory items that are
small, of high value and demand (like jewellery, cellphones, etc).

3. Attitudes/rationalization – an attitude, character or set of ethical values exist

that allows management or employees to commit a dishonest act or they are in
an environment that impose sufficient pressure that cause them to rationalize
committing a dishonest act.

 Management practice of making overly aggressive or unrealistic forecast

to creditors and other third parties.
 Disregard of internal controls by overriding exist controls or failing to
correct known internal control weaknesses.

Source of information gathered to assess fraud risk.

 Communication among the audit team.

 Inquiries of management.
 Analytical procedures.
 Considering when risk factors are present.
 Consideration of any other information.

Page 20 of 20