Department of Accountancy and Taxation

COLLEGE OF ARTS AND SCIENCES

San Beda University

AUDPRIN J.P. DELA VEGA

HANDOUT 2 1ST SEMESTER A.Y. 2023-2024
==================================================================================================
The Risk-Based Audit of Financial Statements – Part 1
OVERVIEW OF RISK-BASED AUDIT PROCESS

Risk-based Audit Approach – an audit process that begins with an assessment of the types and likelihood of misstatements
in account balances, and then adjust the amount and type of audit work upon such assessment

Audit work related to this approach:

1. Identification of client’s strategy
2. Examination of core business processes and resource management
3. Identification for each of the key processes (and subprocesses): objectives, inputs, activities, outputs, systems,
transactions, control
4. Assessment of the risks that the processes might not meet the goal and controls related to those risks

RISK-BASED AUDIT VS. ACCOUNT-BASED AUDIT

Step 1: Audit team views and understands ALL Step 1: Audit team directly understands ALL control
activities in the organization to its related: activities in the organization
• Strategies
• Objectives Step 2: Audit team assesses the control risks for
particular types of fraud and errors in specific
Step 2: Audit team identifies the risks for each process accounts and cycles

Step 3: Audit team determines management’s plans and

processes to mitigate the identified risks

Step 4: Audit team checks whether those plans are

actually in place and operating effectively

NATURE OF RISKS

Risk – the uncertainty about events and their outcomes that could have a material effect on the entity as a whole

RISKS RELEVANT TO AUDIT

1. Audit Risk – risk that an auditor will issue an unqualified opinion on materially misstated FS
2. Engagement Risk – relates to the auditor's exposure to financial loss and damage to his or her professional reputation
3. Financial Reporting Risk – relates to the recording of transactions and presentation of financial data on an entity’s FS
4. Business Risk – results from significant conditions, events, circumstances, actions or inactions that could adversely
affect an entity's operations and ability to achieve its objectives and execute its strategies

Business risk and financial reporting risk originate from the audit client and its environment, and these risks then affect the
auditor’s engagement risk and audit risk. Hence, risk management is vital for both the client and the audit firm to continue
existing.

THE RISK-BASED AUDIT PROCESS / ENGAGEMENT SETUP

PHASE
Phase 1: Risk Assessment
A. Preliminary Engagement activities
B. Audit Planning
a. Overall Audit Strategy
b. Audit Plan
C. Risk Assessment procedures
a. Identification of risks
b. Assessment of Risk of Material Misstatement - Walkthrough / Test of Design and Implementation
through Understanding the Entity
RELATED DOCUMENTATION / WORKING PAPERS
- Preliminary Fluctuation Analysis
- Materiality Determination
- Planning Matrix
- Planning Meeting presentation with the client
- Time Budget
(TODI)

Phase 2: Risk Responses

A. Designing the Overall Response to Assessed Risk - Test of Controls (TOC)
through ‘audit procedures’ - Substantive Testing (ST)
B. Implementation of Responses
to reduce audit risk to an acceptably low level
 Phase 3: Reporting
A. Evaluation of Audit Evidence - Auditor’s Report
B. Forming an Opinion based on Audit Findings
including Audit Report preparation

PHASE 1 – RISK ASSESSMENT

I. PRELIMINARY ENGAGEMENT ACTIVITIES (PSA 200, 210, 220)

ENGAGEMENT ACCEPTANCE (PSA Framework)

1. Relevant ethical requirements will be satisfied
2. The engagement exhibits all of the following characteristics:
a. The subject matter is appropriate;
b. The criteria to be used are suitable and are available to the intended users;
c. The practitioner has access to sufficient appropriate evidence to support the practitioner’s conclusion;
d. The practitioner’s conclusion, in the form appropriate to either a reasonable assurance engagement or a limited
assurance engagement, is to be contained in a written report; and
e. The practitioner is satisfied that there is a rational purpose for the engagement

CLIENT ACCEPTANCE & CONTINUANCE – Refer to HO1, PSQC1 Element 2

1. Auditor complies with the ethical requirements.
2. Auditor is competent and capable.
3. Client has integrity.

PRE-CONDITIONS TO AUDIT (PSA 210)

1. The financial reporting framework to be applied in the preparation of the financial statements is acceptable.
2. Management agrees, acknowledges, and understands its responsibility for:
a. the preparation of the financial statements
b. the internal control necessary to enable the preparation of FS
3. The auditor has:
a. Access to all information of which management is aware that is relevant to the preparation of the FS such as
records, documentation and other matters;
b. Additional information that the auditor may request from management for the purpose of the audit; and
c. Unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit
evidence

MANAGEMENT’S RESPONSIBILITY (PSA 200)

1. To prepare and present the FS in accordance with the applicable financial reporting framework, and includes the:
• design
• implementation; and
• maintenance of internal control
2. To provide the auditor with:
• all information such as records and documentation relevant to the preparation and presentation of the FS;
• any additional information that the auditor may request
• unrestricted access to those within the entity
3. To assess the entity’s ability to continue as a going concern
4. To oversee the entity’s financial reporting process

*Sample MRL

General purpose financial statements - FS prepared in accordance with a financial reporting framework designed to meet
the common financial information needs of a wide range of users

Special purpose financial statements - FS prepared in accordance with a financial reporting framework designed to meet the
financial information needs of specific users. The financial information needs of the intended users will determine the
applicable financial reporting framework in these circumstances

AUDITOR’S RESPONSIBILITY
• To properly plan the audit
• To conclude and report on the FS (written)
• To obtain reasonable assurance whether the financial statements are free from material misstatement
• To comply with the Philippine Ethics Code
• To professionally perform the audit (exercising PJ and PS)
• To comply with the requirements of Quality Control
• To obtain sufficient and appropriate evidence which can either support or refutes the management’s assertions
• To maintain professional competence
• To communicate with the management about any material errors and any instances of fraud or illegal acts
• Others required by the PSA
ENTITY’S INTERNAL CONTROLS
1. Preventive – before fraud / error
2. Detective – after fraud / error
3. Corrective – after fraud / error

An independent audit conducted in accordance with the PSAs does not act as a substitute for the maintenance of internal
control necessary for the preparation of financial statements by management.

LIMITATION ON SCOPE PRIOR TO AUDIT ENGAGEMENT ACCEPTANCE

If there is a limitation on the scope of the auditor’s work in the terms of a proposed audit engagement such that the auditor
believes the limitation will result in the auditor disclaiming an opinion on the financial statements, the auditor SHALL
NOT ACCEPT such a limited engagement as an audit engagement, unless required by law or regulation to do so.

TERMS OF THE AUDIT ENGAGEMENT

The agreed terms of the audit engagement shall be recorded in an audit engagement letter* or other suitable form of written
agreement.

MINIMUM CONTENT OF AN ENGAGEMENT LETTER (EL)

1. Objective and scope of the audit of the financial statements;
2. Auditor’s responsibilities;
3. Management’s responsibilities;
4. Applicable financial reporting framework for the FS preparation; and
5. Reference to the expected form and content of audit report

Other items may be included in the EL such as:

• Elaboration of the scope of the audit, including reference to applicable legislation, regulations, PSAs, and ethical and
other pronouncements of professional bodies to which the auditor adheres
• The form of any other communication of results of the audit engagement
• The fact that because of the inherent limitations of an audit, together with the inherent limitations of internal control,
there is an unavoidable risk that some material misstatements may not be detected, even though the audit is properly
planned and performed in accordance with PSAs
• Arrangements regarding the planning and performance of the audit, including the composition of the audit team
• The expectation that management will provide written representations
• The agreement of management to make available to the auditor draft financial statements and any accompanying
other information in time to allow the auditor to complete the audit in accordance with the proposed timetable
• The agreement of management to inform the auditor of facts that may affect the financial statements, of which
management may become aware during the period from the date of the auditor’s report to the date the financial
statements are issued
• The basis on which fees are computed and any billing arrangements
• A request for management to acknowledge receipt of the audit engagement letter and to agree to the terms of the
engagement outlined therein
• Arrangements concerning the involvement of other auditors and experts in some aspects of the audit
• Arrangements concerning the involvement of internal auditors and other staff of the entity
• Arrangements to be made with the predecessor auditor, if any, in the case of an initial audit
• Any restriction of the auditor’s liability when such possibility exists
• A reference to any further agreements between the auditor and the entity
• Any obligations to provide audit working papers to other parties

Recurring Audits:
The auditor shall assess whether circumstances require the terms of the audit engagement to be revised and whether there is
a need to remind the entity of the existing terms of the audit engagement (through an Annual Arrangement Notification
letter / AAN).

Possible revisions include:

• Any indication that the entity misunderstands the objective and scope of the audit
• Any revised or special terms of the audit engagement
• A recent change of senior management
• A significant change in ownership
• A significant change in nature or size of the entity’s business
• A change in legal or regulatory requirements
• A change in the financial reporting framework adopted in the preparation of the financial statements
• A change in other reporting requirements

Auditor’s Response to Change in Terms of the Audit Engagement:

• Do not agree if there is no reasonable justification
• For any change that conveys a lower level of assurance, determine if there is a reasonable justification to do so
 • If terms are changed, record the new terms of the engagement in an engagement letter or other suitable form of
written agreement
• If terms are not changed as the auditor is unable to agree to on it and therefore is not permitted by management to
continue the original audit engagement, the auditor:
a. Withdraw from the audit engagement; and
b. Determine whether there is any obligation to report such to other parties, such as those charged with
governance, owners or regulators.

*Sample EL and AAN

II. AUDIT PLANNING (PSA 300)

The auditor plans the audit so that it will be performed in an effective manner.

AUDIT PLANNING DEFINED

• involves establishing the overall audit strategy for the engagement and developing an audit plan in order to reduce
the audit risk to an acceptably low level
• not a discrete phase of an audit, but rather a continual and iterative process
• often begins shortly after (or in connection with) the completion of the previous audit and continues until the
completion of the current audit engagement
• includes consideration of the timing of certain activities and audit procedures that need to be completed prior to the
performance of further audit procedures, such as:
o analytical procedures to be applied as risk assessment procedures.
o obtaining a general understanding of the legal and regulatory framework applicable to the entity and how
the entity is complying with that framework
o determination of materiality
o involvement of experts
o performance of other risk assessment procedures

Adequate planning ensures that:

• Appropriate attention is devoted to important areas of the audit.
• Potential problems are identified and resolved on a timely basis.
• The audit engagement is properly organized and managed so that it is performed in an effective and efficient
manner.
• There is proper selection of and assignment of work to engagement team members with appropriate levels of
capabilities and competence to respond to anticipated risks.
• There is a facilitation of direction and supervision of engagement team members and the review of their work.
• There is coordination of work done by auditors of components and experts, where applicable.

NATURE AND EXTENT OF PLANNING

The nature and extent of planning activities will vary according to:
• the size and complexity of the entity
• the key engagement team members’ previous experience with the entity, and
• changes in circumstances that occur during the audit engagement

Auditor also needs to expand planning activities for initial engagements because he has no previous experience with the
entity.

DIRECTION, SUPERVISION, REVIEW OVER PLANNING

Factors affecting the extent:
• size and complexity of the entity
• area of audit
• risks of material misstatement
• capabilities and competence of team members performing the audit work

OVERALL AUDIT STRATEGY

In establishing the overall audit strategy, the auditor shall:

• Identify the characteristics of the engagement that define its scope;

• Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the
communications required;
• Consider the factors that, in the auditor’s professional judgment, are significant in directing the engagement team’s
efforts;
• Consider the results of preliminary engagement activities and, where applicable, whether knowledge gained on
other engagements performed by the engagement partner for the entity is relevant; and
• Ascertain the nature, timing and extent of resources necessary to perform the engagement.
The process of establishing the overall audit strategy assists the auditor to determine, subject to the completion of the
auditor’s risk assessment procedures, such matters as:

• The resources to deploy for specific audit areas, such as the use of appropriately experienced team members for
high-risk areas or the involvement of experts on complex matters.
• The amount of resources to allocate to specific audit areas, such as the number of team members assigned to
observe the inventory count at material locations, the extent of review of other auditors’ work in the case of group
audits, or the audit budget in hours to allocate to high risk areas;
• When these resources are to be deployed, such as whether at an interim audit stage or at key cut-off dates; and
• How such resources are managed, directed and supervised, such as when team briefing and debriefing meetings are
expected to be held, how engagement partner and manager reviews are expected to take place (for example, on-site
or off-site), and whether to complete engagement quality control reviews.

BRIDGING THE OVERALL AUDIT STRATEGY WITH THE (DETAILED) AUDIT PLAN

Once the overall audit strategy has been established, an audit plan can be developed to address the various matters
identified in the overall audit strategy, taking into account the need to achieve the audit objectives through the efficient use
of the auditor’s resources.

The establishment of the overall audit strategy and the detailed audit plan are not necessarily discrete or sequential
processes, but are closely inter-related since changes in one may result in consequential changes to the other.

AUDIT PLAN
• more detailed than the overall audit strategy
• includes the nature, timing and extent of audit procedures to be performed by engagement team members
• Planning for these audit procedures takes place over the course of the audit as the audit plan for the engagement
develops.
Examples:
o Planning of the auditor's risk assessment procedures occurs early in the audit process. However, planning
the nature, timing and extent of specific further audit procedures depends on the outcome of those risk
assessment procedures.
o The auditor may begin the execution of further audit procedures for some classes of transactions, account
balances and disclosures before planning all remaining further audit procedures.

• Items typically included in an audit plan:

a. Description of the client company
b. Audit objectives
c. Timetable of audit work
d. Work to be done by the client’s employer
e. Assignment of audit staff
f. Target completion dates of major segments of the engagement
g. Preliminary evaluation and judgment about materiality level
h. Any special problems to be resolved particularly those revealed by analytical procedures
i. Conditions that may require changes in audit testing

CHANGES TO PLANNING DECISIONS DURING THE COURSE OF THE AUDIT

The auditor shall update and change the overall audit strategy and the audit plan as necessary during the course of the audit.
Change may occur as a result of:
• unexpected events
• changes in conditions
• audit evidence obtained from the results of audit procedures
• when information comes to the auditor’s attention that differs significantly from the information available when the
auditor planned the audit procedures Example: Audit evidence obtained through the performance of substantive
procedures may contradict the audit evidence obtained through tests of controls.

PLANNING DOCUMENTATION
The auditor shall document:
a. The overall audit strategy;
b. The audit plan; and
c. Any significant changes made during the audit engagement to the overall audit strategy or the audit plan,
and the reasons for such changes

Audit Program – serves as a set of instructions to assistants involved in the audit plan and as a means to control and record
the proper execution of the work
– may also contain the audit objectives for each area and a time budget in which hours are budgeted for the
various audit areas and procedures
 OVERALL AUDIT STRATEGY
(OAS)
The documentation of the overall
audit strategy is a record of the key
decisions considered necessary to
properly plan the audit and to
communicate significant matters to
the engagement team. For example,
the auditor may summarize the
overall audit strategy in the form of
a memorandum that contains key
decisions regarding the overall
scope, timing and conduct of the
audit.
AUDIT PLAN (AP)
The documentation of the audit plan is a
record of the planned nature, timing and
extent of risk assessment procedures and
further audit procedures at the assertion
level in response to the assessed risks. It
also serves as a record of the proper
planning of the audit procedures that can
be reviewed and approved prior to their
performance. The auditor may use
standard audit programs or audit
completion checklists, tailored as needed
to reflect the particular engagement
circumstances.
CHANGES IN OAS AND AP
A record of the significant changes to
the overall audit strategy and the audit
plan, and resulting changes to the
planned nature, timing and extent of
audit procedures, explains why the
significant changes were made, and the
overall strategy and audit plan finally
adopted for the audit. It also reflects the
appropriate response to the significant
changes occurring during the audit.

*Sample Planning Matrix

PLANNING DISCUSSION WITH THE CLIENT

The auditor may decide to discuss elements of planning with the entity’s management to facilitate the conduct and
management of the audit engagement. When discussing matters included in the overall audit strategy or audit plan, care is
required in order not to compromise the effectiveness of the audit. For example, discussing the nature and timing of detailed
audit procedures with management may compromise the effectiveness of the audit by making the audit procedures too
predictable.

*Sample Planning Meeting PresMat

III. MATERIALITY (PSA 320)

WHAT IS MATERIALITY?
• Information is MATERIAL if its omission or misstatement could influence the economic decisions of users taken
on the basis of the financial statements.
• Materiality depends on the SIZE (quantity) and NATURE (quality) of the item or error judged in the particular
circumstances of its omission or misstatement.
• Materiality provides a threshold or cut-off point rather than being a primary qualitative characteristic which the
information must have if it is to be useful.
• The concept of materiality is applied by the auditor BOTH in PLANNING and PERFORMING THE AUDIT,
and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any,
on the financial statements and in forming the opinion in the auditor’s report.

Assessment and determination of what is MATERIAL is a matter of professional judgment of the auditor, and is affected by
the auditor’s perception of the financial information needs of the users of the financial statements. In this context, it is
reasonable for the auditor to assume that users:

a. Have a reasonable knowledge of business and economic activities and accounting and a willingness to study the
information in the financial statements with reasonable diligence;
b. Understand that financial statements are prepared, presented and audited to levels of materiality;
c. Recognize the uncertainties inherent in the measurement of amounts based on the use of estimates, judgment and
the consideration of future events; and
d. Make reasonable economic decisions on the basis of the information in the financial statements.

In planning the audit, the auditor makes judgments about the size of misstatements that will be considered material. These
judgments provide a basis for:

a. Determining the nature, timing and extent of risk assessment procedures;

b. Identifying and assessing the risks of material misstatement; and
c. Determining the nature, timing and extent of further audit procedures.
LEVELS OF MATERIALITY

OVERALL MATERIALITY (OM)

SPECIFIC MATERIALITY (SM)
(or simply, ‘MATERIALITY’)
• materiality level for the FS as a whole • materiality level for particular classes of transactions,
• the HIGHEST AMOUNT of misstatement that could account balances, or disclosures
be included in the financial statements (or that the • established for some cases to identify misstatements
auditor can tolerate) WITHOUT affecting economic lower than the OM due to, but not limited to:
decisions taken by intended users based on common a. compliance with legislation
financial information needs b. certain terms in a contract
• If: c. transactions upon which bonuses are based
(management remuneration)
Total Amount of Uncorrected d. industry-specific data
Misstatements, either > Overall e. related party transactions
individually or aggregated Materiality , f. significant events and important changes in
operations that needed to be disclosed
Then, FS is MATERIALLY MISSTATED.

Some of the factors influencing the Materiality levels:

• Legal and regulatory requirements
• Relationships between individual financial statement account balances

PERFORMANCE MATERIALITY (PM)

• amount or amounts set by the auditor at less than OM to reduce, to an appropriately low level, the probability that
the aggregate of uncorrected and undetected misstatements exceeds the OM, or the SM
• set at a lower amount(s) than OM, or SM on most cases
• Why is it REQUIRED to set a PM?
o To ensure that misstatements less than the OM or SM are detected
o To provide a margin or buffer for possible undetected misstatements where the buffer is between the:
a. detected BUT uncorrected misstatements at aggregate; and
b. OM or SM

The margin provides some assurance for the auditor that the undetected misstatements, along with all the
uncorrected misstatements, will not likely accumulate to reach an amount that would cause the FS to be
materially misstated (meaning, higher than OM or SM).

AUDIT MISSTATEMENT POSTING THRESHOLD (AMPT) – materiality level used for a single transaction / entry in
the entity’s books. A transaction is considered clearly trivial, at least as to quantity, if it is not equal or higher than AMPT.

Sequence of Materiality Levels as to Amount (both Quality and Quantity):

OM > PM > AMPT
OM >, <, = SM
HOW TO DETERMINE MATERIALITY?

Planning Materiality / Preliminary Judgment about Materiality*

• materiality levels set when the auditor makes a preliminary assessment of OM by determining the amount by which
they believe the financial statements could be misstated without affecting users’ decision
• being set to assist the auditor in planning the audit procedures that will provide sufficient appropriate audit
evidences

*Materiality assessment is based on professional judgment and may change during the course of the engagement if
circumstances change.

MATERIALITY DETERMINATION GUIDELINES (BASED ON PRACTICE)*

OM SM PM
Profit from continuing operations (ranges from 3% Establishing a lower, specific Percentages range from 60%
to 7%) is often used in practice as the benchmark materiality amount (based on PJ) (of OM or SM) for higher
having the greatest significance to financial for the audit of specific or assessed RoMM, up to 80% for
statement users. sensitive financial areas. lower RoMM.

If profit is not a useful measure (like for

not-for-profit organizations or where profit is not a
stable base), other bases may be considered such
as:
• Revenues or expenditures (1% to 3%)
• Assets (1% to 3%)
• Equity / net assets (3% to 5%)
 *no specific guidance is provided in the PSA
Other Considerations:
1. Materiality used by the previous auditor
2. Experts employed by the entity or experts used by the audit team are instructed to use appropriate materiality level
in the related work they perform

MATERIALITY AND AUDIT RISK

As audit risk increases, the auditor will compensate for this risk by lowering materiality. This has the effect of increasing
the amount of audit procedures (in the form of substantive tests) in order to obtain sufficient evidence. The lower the
materiality, the higher the audit risk as a lower materiality means there is less room for error. To wit:

↑ Audit risk, ↓ Materiality ↑ Audit procedures needed inverse relationship

The resulting increased audit risk may be compensated by: HOW?

a. Reducing the assessed level of control risk - by carrying out extended and additional tests of
or controls
b. Reducing the detection risk - by modifying the nature, timing, and extent of
planned substantive procedures
In short:
Audit risk rises, materiality decreases, testing increases
Audit risk decreases, materiality increases, testing decreases

IV. OTHER MATTERS IN ENGAGEMENT PLANNING

1. Application of Analytical Procedures in Planning the Audit (PSA 520) *Sample Prelim Flucs
2. Establishment of an Audit Engagement Team
3. Consideration of Work Performed by Other Auditors / Parties
a. Predecessor auditor
b. Other CPA
c. Specialists
d. Use of client’s staff
e. Internal auditors
4. Assessment of Going Concern Assumption
a. Financial
b. Operating
c. Others
5. Identification of Related Parties
6. Client’s Legal Obligations
7. Completion of Initial Audit Program
8. Preparation of Time Budget *Sample Time Budget
9. Assignment of Personnel to the Engagement
10. Scheduling of Work