AUDIT STRATEGY

by Graham Cosserat
01 Feb 1999

The audit risk model is at the heart of the audit process. The application of this model is described in SAS 300, Accounting and Internal Control Systems, (ISA 400, Risk Assessments and Internal Control). Although the components of the audit risk model are reasonably well understood, their application in developing a strategy in a particular audit situation is rarely appreciated by students. This article seeks to remedy that defect by explaining how auditors use the risk model in determining the audit procedures to be applied in any particular audit, particularly the mix of tests of control and substantive procedures.

First it is necessary to dispel a couple of widely held misconceptions. The first of these is a belief that the risk model is some kind of mathematical formula. Auditing texts often illustrate the model by presenting it as such. However, its application, as required by SAS 300 (ISA 400), is purely non-mathematical. All that is required is an understanding that there is a positive relationship between each of the components of audit risk (inherent risk, control risk and detection risk) and the overall audit risk of arriving at an incorrect judgement as to the truth and fairness of the financial statements. Since inherent and control risk are outside of the control of the auditors it follows that the higher are the assessed levels of inherent and control risk, the lower must be the level of detection risk if the desired overall level of audit risk is to be attained. The level of detection risk can be varied by the auditors through increasing the level of substantive procedures as necessary. SAS 300 (ISA 400) requires auditors to exercise judgement in assessing inherent and control risks and in determining the required level of substantive procedures. The only time real numbers are required is when auditors choose to apply statistical sampling procedures in the performance of tests.

The second misconception is that internal control weaknesses require the performance of additional tests of control.
As will be explained, the risk model requires the performance of fewer or even no tests of control where controls are weak, but the performance of additional substantive procedures.

Materiality, inherent risk and control environment

The assessment of materiality, inherent risk and the control environment all enter into the determination of the appropriate audit strategy. However, for the purpose of this article it will be presumed that the reader is familiar with these terms and they will not be explained in detail. This article will concentrate on the assessment of control risk and, in conjunction with assessments of materiality, inherent risk and the control environment, its implications for the development of an appropriate audit strategy.

Account balances, transaction classes and assertions

As was explained in last month's article Designing Audit Procedures, the building blocks of the audit evidence process are the financial statement assertions applicable to each transaction class and account balance. Similarly, the assessment of audit risk and determination of the appropriate audit strategy applies at this level. In practice, of course, we recognise that many control procedures apply to several assertions so the assessment of control risk is common to all those assertions. Similarly, transactions and balances are interrelated by double-entry bookkeeping. If we can obtain sufficient evidence about an assertion relating to all transactions affecting an account balance we do not need to obtain evidence as to that account balance itself. For example, if we verify the occurrence of all fixed asset additions and the completeness of fixed asset disposals during a period, it may not be necessary to verify existence of the balance of fixed assets at the end of that period. However, subject to these considerations as to the sufficiency of audit evidence, consideration of audit strategy is presumed to apply at the level of each material financial statement assertion.
Developing the audit strategy

Figure 1 depicts the approach to developing an audit strategy. It commences with obtaining the understanding of the accounting and internal control systems. This is a requirement of all audits whatever strategy is to be adopted.

The default presumption is that all of the evidence will come from the performance of substantive procedures. Substantive procedures are those that substantiate the amounts recorded in the financial statements. This is sometimes referred to as the 'predominantly substantive' approach. However, substantive procedures are normally costly to perform. A more efficient audit could be performed if controls are judged to be sufficiently effective to enable a reduction in the level of substantive procedures. Furthermore, in certain situations, substantive procedures may not be able to provide sufficient evidence and a more effective audit could be performed if certain controls could be relied upon. The obvious example is with the completeness of cash receipts. Unless controls over the receipt of cash are effective it may be impossible to determine, through the use of substantive procedures, that all cash to which the entity is entitled has been properly recorded.

An audit strategy that places reliance on internal controls in supporting a reduced level of substantive procedures is sometimes referred to as a 'lower assessed level of control risk' approach. This is not, in fact, a single strategy, but a range of strategies determined by the relative effectiveness of applicable control procedures (combined with assessments of inherent risk and materiality). Auditors must make four separate decisions in adopting such a strategy. These decisions (depicted by diamonds in Figure 1) are whether:

1. it is desirable to adopt a 'lower assessed level of control risk' strategy.
2. control procedures are effectively designed.
3. control procedures are effectively operated.
4. results of substantive procedures confirm the assessment of control risk.

(The fifth diamond (diamond 3a) relates to modifying the application of the strategy.) Each of these decisions must be supported by relevant evidence in all but the first case.


Desirability of adopting a 'lower assessed level of control risk' strategy

In many situations it is apparent to the auditors that there is nothing to be achieved by assessing control risk. These include situations where:

o the entity is small such that controls are unlikely to be effective;
o prior audits have revealed inadequate controls;
o from the understanding of the accounting and internal control systems it is apparent that controls are inadequate;
o there are few transactions in a transaction class or items making up an account balance such that substantive procedures are unlikely to be costly.

In situations such as these auditors would proceed to draw up an audit programme consisting entirely of substantive procedures. In all other situations auditors will make a preliminary assessment of control risk.

Preliminary assessment of control risk

This phase of the assessment is concerned with the design of control procedures. Where the understanding of the accounting and internal control systems has been obtained through the use of an internal control questionnaire (ICQ), assessment of the design of controls is part of the same process. Otherwise most auditing firms have developed internal control evaluation checklists (ICEs) for assessing design effectiveness. These checklists identify potential misstatements and control procedures likely to prevent or detect such misstatements. In evaluating design effectiveness the auditors identify the presence of the suggested control procedures or other compensating controls that have the same effect.

Based on this preliminary assessment, the auditors will draw up the audit programme incorporating both tests of control and substantive procedures. The level of planned tests of control depends on the assessed level of control risk to be confirmed. The lower the assessed level of control risk, the higher the level of tests of control required to confirm that assessment and, conversely, the lower the planned level of substantive procedures.

In some respects it might be better if the auditors waited until tests of control were completed before planning substantive procedures. However, tests of control are typically performed, during the interim audit, sometimes as dual-purpose tests, simultaneously with substantive tests of details of transactions. Since both tests are applied to the same records it is more efficient to draft the audit programme so as to incorporate all tests to be conducted on the same records simultaneously. When testing the control that purchase invoices are supported by goods inward notes and purchase orders, for example, it makes sense to use the same sample of invoices to perform the substantive procedures of ensuring they are mathematically correct and entered into the purchase day book (journal) and purchase (accounts payable) ledger in the correct amount. Moreover, experience has shown that the results of tests of control usually confirm the assessed level of control risk and, thus, the planned audit strategy. By designing substantive procedures at this stage detailed planning of the final audit can commence.

Tests of control

In order to justify reducing the level of substantive procedures SAS 300 (ISA 400) requires auditors to test the operating effectiveness of controls. The tests of control are designed to verify that control procedures are actually operating as laid down. Tests of control typically involve:

o inspection of documents for evidence of proper approval or acknowledgement of the performance of control procedures;
o observation of procedures such as wages payout and cash receipts to ensure that proper procedures, particularly segregation of duty, are being applied;
o reperformance to ensure that procedures have been correctly performed;
o application of test data to computer programs to ensure that programmed application controls are functioning properly.

These tests ensure that the control is operating as planned and thus confirm the preliminary assessment of control risk.

Tests of control are aimed at detecting deviations from laid down procedures such as documents not properly approved, reconciliations not regularly performed or failure to enforce the required segregation of duty. Some failures are to be expected due to both inherent limitations of control and shortcomings already provided for in the assessment of control risk. If the tests do not confirm the operation of the control as planned, the audit strategy will need to be reconsidered and the level of substantive procedures increased accordingly.

Effect of the assessment of control risk as less than high on substantive procedures

In considering the effect of the assessment of control risk on the level of substantive procedures necessary to achieve the desired level of detection risk, auditors may vary their nature, timing or extent.

The nature of substantive procedures may vary between tests of details and analytical procedures. In examining individual transactions and items making up an account balance tests of details are far more persuasive than analytical procedures which consider only the reasonableness of recorded totals. However, where a relatively high level of detection risk may be tolerated, analytical procedures may be sufficient. Since analytical procedures are much less costly to perform this would be the preferred option.

The timing of substantive procedures distinguishes between those performed at the balance sheet date and those performed prior to that date. Performance of procedures prior to the year-end reduces pressure on the auditors and enables the audit to be completed earlier. For example, where controls over stock (inventory) records are effective, reliance may be placed on a stocktake prior to the year-end updated by transactions in the intervening period. Where controls are particularly effective attendance at cyclical stocktakes alone may be sufficient.

Reducing the extent of substantive procedures is the commonest benefit to be achieved from assessment of control risk at less than high. Typically this means reliance on smaller sample sizes.

Substantive procedures and control risk

Misstatements discovered through substantive procedures need to be reviewed both qualitatively and quantitatively. Qualitative assessment is applicable where a 'lower assessed level of control risk' strategy is being applied. Any misstatement suggests the failure of control procedures. Where the level of misstatements indicate a higher level of control risk than that on which the planned audit strategy has been based, further substantive procedures are needed if the desired level of audit risk is to be achieved. Quantitative assessment relates to the materiality of misstatements.

Conclusion

The determination of audit strategy described in this article is consistent with the requirements of Auditing Standards and is widely applied by auditing firms. The assessment of inherent and control risk as less than high and the performance of a lower level of substantive procedures involves considerable judgement and entails a degree of risk. Critics argue that auditing firms are using the model in unduly restricting the extent of auditing work and impairing the quality of auditing. The other argument is that the risk model enables the more effective application of audit effort and enables the profession to perform a more efficient service without increasing the risk of audit failure. It is certainly a fact that audit costs are falling and that some of the cost savings are being achieved through intelligent use of the strategy described in this article.

Audit Strategy Memorandum (Audit Planning)

Audit Planning Form/Audit Strategy Memorandum/ Audit Issue Control Document, designed to assist the auditor in gathering information necessary to obtain an understanding of the client, its business and industry, and its internal controls, provides guidance in evaluating the risk of material misstatement of the financial statements

An important part of the process for managing an audit function involves planning. Planning covers both administration of the audit office as well as administration of the audit assignment. For successful audits, we need to know what we want to achieve (audit objectives), determine what procedures we should follow (audit methodology), and assign qualified staff to the audit (resource allocation).