ISA 300: planning an audit of financial statements establishes standards and guidance on the considerations and activities applicable to planning an audit.


The auditor should:

  • Plan the audit so that the engagement will be performed in an effective manner.
  • Perform certain procedures at the beginning of the audit, namely, the continuance of the client relationship, evaluation of compliance with ethical requirements including independence and establishing an understanding of the terms of the engagement.
  • Establish the overall audit strategy and set out the scope, timing and direction of the audit.
  • Develop an audit plan in order to reduce audit risk to an acceptably low level.
  • Update and change the audit strategy and plan as necessary during the course of the audit.
  • Plan the nature, timing and extent of direction and supervision of the audit team and a review of their work.
  • Document the overall audit strategy and the audit plan, including any significant changes made during the audit engagement.
  • Prior to starting an initial audit, perform procedures regarding the acceptance of the client relationship and the specific audit engagement, and communicate with the previous auditor in compliance with relevant ethical requirements.


Adequate planning helps to ensure that:

  • Appropriate attention is devoted to the important areas
  • Potential problems are identified and resolved on a timely basis
  • The audit engagement is properly organised and managed
  • There is proper assignment of work to engagement members
  • There is direction and supervision of team members and review of their work
  • There is proper co-ordination of work done by experts.


The nature and extent of planning activities will vary according to the size and complexity of the entity, the auditor’s previous experience with the entity and changes in circumstances that occur during the audit engagement.


The establishing of the overall strategy involves considering the important factors that will determine the focus of the audit team’s effort, such as the:

  • The determination of appropriate materiality levels,
  • Preliminary identification of areas where there may be higher risks of material misstatement,
  • Preliminary identification of material components and account balances,
  • Evaluation of whether the auditor may plan to obtain evidence regarding the effectiveness of internal control,
  • The identification of recent significant entity-specific, industry, financial reporting or other relevant developments.


The appendix of ISA 300 sets out examples of matters the auditor may consider in establishing the overall audit strategy.  It is split between the scope of the audit engagement, the reporting objectives, timing of the audit and communications required and the direction of the audit.


ISA 315: Understanding the entity and its environment and assessing the risks of material misstatement establishes standards and guidance on obtaining an understanding of the entity and its environment including its internal control, and on assessing the risks of material misstatement in a financial statement audit.


The auditor should:

  • Obtain an understanding of the entity and its environment, including its internal control. This understanding should be sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and it should be sufficient to design and perform further audit procedures.

The auditor may obtain this understanding through:

  • Performing risk assessment procedures such as inquiries of management and others within the entity, analytical procedures, and observation and inspection.
  • Determining whether changes have occurred that may affect the relevance of information, obtained in prior periods, in the current audit.
  • Ensuring that members of the engagement team discuss the susceptibility of the entity’s financial statements to material misstatements.
  • Obtain an understanding of relevant industry, regulatory, and other external factors including the applicable financial reporting framework.
  • Obtain an understanding of the nature of the entity, such as its operations, ownership, governance, types of investments it is making, structure and financing.
  • Obtain an understanding of the entity’s selection and application of accounting policies and consider whether they are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.
  • Obtain an understanding of the entity’s objectives and strategies, and the related business risks that may result in material misstatements of the financial statements.
  • Obtain an understanding of the measurement and review of the entity’s financial performance such as internal management information (budgets, variance analysis, dept. reports) and external information (analyst’s reports and credit rating agency reports). When the auditor intends to make use of the performance measures, he should consider whether the information provides a reliable basis and is sufficiently precise for such a purpose.
  • Obtain an understanding of internal control relevant to the audit. This involves evaluating the design of a control and determining whether it has been implemented.  Not all controls are relevant to the auditor’s risk assessment.
  • Obtain an understanding of the control environment. The control environment sets the tone of an organisation, influencing the control consciousness of its people.  It is the foundation for effective internal control, providing discipline and structure.
  • Obtain an understanding of the entity’s process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.


Obtain an understanding of the information systems, including the related business processes, relevant to financial reporting.

  • Understand how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting.
  • Obtain a sufficient understanding of control activities to assess the risks of material misstatements and to design further audit procedures responsive to assessed risks. Examples of specific control activities include authorisation, performance reviews, information processing, physical controls and segregation of duties.
  • Obtain an understanding of how the entity has responded to risks arising from IT. The auditor considers whether the entity has responded adequately to the risks arising from IT by establishing effective general controls and application controls.
  • Obtain an understanding of the major types of activities that the entity uses to monitor internal controls over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates corrective actions to its controls.
  • Identify and assess the risks of material misstatements at the financial statement level, and at the assertion level for classes of transactions, account balances and disclosures.
  • Determine which of the risks identified require special audit consideration. In considering the nature of the risks, the auditor should consider the risk of fraud, relationship to recent developments, complexity of transactions, significant related transactions, the degree of subjectivity and the existence of unusual transactions.  Routine, non-complex transactions are less likely to give rise to significant risk than unusual transactions because the latter have probably more management intervention or complex accounting principles.
  • Inform management as soon as is practicable, and at an appropriate level of responsibility, of material weaknesses in the design or implementation of internal controls which come to the auditor’s attention.
  • Document the discussion among the audit team of the susceptibility of the entity’s accounts to material misstatements and significant decisions reached, key elements of the understanding obtained of the entity, identified and assessed risks of material misstatement and the risks identified and related controls evaluated.


Risk assessment procedures


The auditor may consider making inquiries of the entity’s legal counsel or of valuation experts.  Reviewing information obtained from external sources such as reports by analysts, banks or other rating agencies, trade and economic journals may also be useful in obtaining information about the entity.


Although much of the information can be obtained from management and those responsible for financial reporting, inquiries of others such as production and internal audit personnel may be useful in providing a different prospective in identifying risks of material misstatements.


Observation and inspection may support inquiries of management.  Such audit procedures include:

Observation of activities and operations

  • Inspection of documents and records
  • Reading reports prepared by management
  • Visits to premises and plant facilities
  • Carrying out walk-through tests


Controls relevant to the audit


Ordinarily, controls that are relevant to an audit pertain to the objective of preparing financial statements.  Controls over the completeness and accuracy of information may also be relevant if the auditor intends to make use of the information in designing and performing further procedures.  Controls relating to operations and compliance objectives may be relevant if they pertain to data the auditor evaluates or uses in applying audit procedures.


Information systems


The auditor should obtain an understanding of the information systems, including the business processes, relevant to financial reporting, including the following areas:

  • The classes of transactions in the entity’s operations that are significant to the financial statements
  • The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed and reported in the financial statements
  • The related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting transactions
  • How the information systems capture events and conditions, other than classes of transactions, that are significant to the financial statements
  • The financial reporting processes used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.


IT controls


General IT controls are policies and procedures that relate to many applications and support the effective functioning of such controls by helping to ensure the continued proper operation of information systems.  These controls maintain the integrity of information and security of data and include:

  • Data centre and network operations
  • System software acquisition, change and maintenance
  • Access security
  • Application system acquisition, development and maintenance
  • Encryption


Application controls are manual or automated procedures that typically operate at a business process level.  They can be preventative or detective in nature and are designed to ensure the integrity of the accounting records.  Examples include:

  • Edit checks of input data

Numerical sequence checks


Assessing the risks of material misstatement

The auditor should:

  • Identify risks throughout the process
  • Relate the risk to what can go wrong at the assertion level
  • Consider whether the risks are of a magnitude that could result in a material misstatement in the financial statements
  • Consider the likelihood that the risks could result in a material misstatement of the financial statements.


A1- A 134 ISA 315 provides additional guidance on understanding the entity and its environment and lays out conditions and events that may indicate risks of material misstatement.


ISA 330: The auditor’s procedures in response to assessed risks establishes standards and provides guidance on determining overall responses and designing and performing further audit procedures to respond to the assessed risks of material misstatements.


The standard requires the auditor to determine overall responses to address risks of material misstatement at the financial statement level and provides guidance on the nature of those responses.


The auditor is required to design and perform further audit procedures, including tests of the operating effectiveness of controls, when relevant or required, and substantive procedures, whose nature, timing, and extent are responsive to the assessed risks of material misstatement at the assertion level.  In addition, this section includes matters the auditor considers in determining the nature, timing, and extent of such audit procedures.


The auditor is required to evaluate whether the risk assessment remains appropriate and to conclude whether sufficient appropriate audit evidence has been obtained.


The standard establishes related documentation requirements.


In order to reduce the audit risk to an acceptably low level, the auditor should determine overall responses to assessed risks at the financial statement level.


Overall responses may include:

  • Emphasising to the audit team of the need to maintain professional scepticism
  • Assigning more experienced staff or hiring expert help when needed
  • Providing more supervision
  • Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed

• Making changes to the nature, timing, or extent of audit procedures


The assessment of the risk of material misstatement is affected by the auditor’s understanding of the control environment.



An effective control environment may allow an auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity.


If there are weaknesses in the control environment, the auditor:

  • conducts more audit procedures as at the period end rather than at an interim date,
  • seeks more extensive audit evidence from substantive procedures,
  • modifies the nature of audit procedures to obtain more persuasive audit evidence,
  • Increases the number of locations to be included in the audit scope.


The evaluation of the control environment will help the auditor determine whether there should be a substantive or a combined approach (tests of controls and substantive procedures).


In designing further audit procedures, the auditor should consider:

  • the significance of the risk
  • the likelihood that a material misstatement will occur
  • the characteristics of the class of transactions or account balances
  • the nature of specific controls and in particular whether they are manual or automated
  • Whether the auditor expects to obtain evidence to determine if controls are effective in preventing, or detecting and correcting material misstatements.


The nature of further audit procedures refers to their:

  • Purpose:

Tests of controls or substantive procedures;

  • Type:

Inspection, observation, inquiry, confirmation, recalculation, re-performance, analytical procedures.


Certain audit procedures may be more appropriate for some assertions.  The selection of the procedure is based on the assessment of risk.  The higher the risk, the more reliable and relevant is the audit evidence from substantive tests.


The auditor may perform audit procedures at an interim date or at period end (timing).  The higher the risk, the more likely the auditor will perform substantive tests nearer to or at the period end.  Certain audit procedures can only be performed at or after the period end, such as agreeing the financial statements to the accounting records and examining adjustments made during the course of preparing the financial statements.


The extent (sample size or number of observations) is determined by the judgement of the auditor after considering:

  • Materiality
  • Assessed risk
  • Degree of assurance required


The auditor is required to perform tests of controls when the auditor relies on the effectiveness of controls or when substantive tests alone do not provide sufficient appropriate audit evidence.


The auditor should perform other audit procedures in combination with inquiry to test the operating effectiveness of controls.


Irrespective of the assessed risk of material misstatements, the auditor should design and perform substantive tests for each material class of transaction, account balance and disclosure.   Remember, an auditor’s assessment of risk is judgemental and there are inherent limitations to internal control.


The auditor’s substantive procedures should include the following related to the financial statement closing process:

  • Agreeing the financial statements to the underlying accounting records and
  • Examining material journal entries and other adjustments made during the course of preparing the financial statements.


Where an auditor determines that an assessed risk at the assertion level is a significant risk, he should perform substantive procedures that are specific to that risk.


The auditor should perform audit procedures to evaluate whether the overall presentation of the financial statements, including the related disclosures, are in accordance with the applicable financial reporting framework.


Based on the audit procedures performed and the audit evidence obtained, the auditor should evaluate whether the assessments of the risks at the assertion level remain appropriate.


He should conclude whether sufficient appropriate audit evidence has been obtained to reduce to an acceptably low level the risk of material misstatement in the financial statements.

Where it is not sufficient and the auditor is unable to obtain further evidence, he should express a qualified opinion or a disclaimer of opinion.


Finally, the auditor should document the overall responses to address the risks and the nature, timing and extent of the further audit procedures and the results thereof.  In addition, where there is reliance on controls, the auditor should document the conclusions reached with regard to relying on such controls that were tested.


General planning matters


When planning an audit you also need to consider some admin matters:


Audit Staff

Have the staff got the correct level of qualifications and experience.  Do they have specialist skills that may be required. What about the staff’s relationship among themselves and with client staff.  Are staff available and what about travel arrangements.


Client management

Continuity of staff is often important to client companies.  Also, consistency of staff may help audit efficiency.


Location of audit

Need to consider the distance for audit staff to travel, the staff’s mobility and the location of the review by manager.  Multiple locations often require some decision as to which locations should be visited, the allocation of your staff to these locations and managing the visits to each selected sites.



Key deadlines are stock-counts, date of draft accounts available, main audit visit, audit manager review, partner review, audit clearance meeting, audit report to be signed and date of Annual Meeting.  It is important to plan the work so that these deadlines can be achieved.


Use of IT

Need to consider whether the client has a computerised system and whether the auditor will use CAATs[1].  Will the auditor use computers to complete the working papers and communicate with the partner.


Time budgets

These are an important part of planning.  Times should be estimated accurately and communicated to the audit team.  The audit team should record variances with the budget for planning purposes for the next audit.


The budget will be based on prior year records, risk assessments and materiality.


Example of an outline audit plan


Initial visit

If this is a new client, this visit should occur as soon as possible after the terms of the engagement have been agreed between the client and the audit partner.

This visit is essential in building up a background about the client company in order to assist in the detailed planning of the audit.


The auditor will use techniques such as inquiry, observation and review of documentation in order to understand details about the company such as:

  • The development and past history
  • The nature of the environment in which it operates
  • Products and processes
  • Organisational plans
  • Accounting and internal controls in operation

[1] CAAT – Computer aided auditing techniques

  • The maintenance of accounting records.


In respect of the internal controls, it would be expected to carry out walkthrough tests to confirm the operation of the controls as described.  If this is an existing client, the visit may simply take the form of a brief meeting, or simply be a phone call, to establish any changes since the previous audit in respect of the company’s operations or environment.


Interim Visit

Ideally this visit should take place close to the year end.


The purpose of this visit is to carry out detailed tests on the client’s accounting and internal controls with a view to establishing those controls on which you can rely.  Where controls are operating effectively, restricted only substantive procedures need be carried out.  Where controls are ineffective in practice, more extensive substantive tests will need to be carried out

At this stage, if any weaknesses in controls have been noted, it may be appropriate to draft a letter to the client management.


Final Visit

This visit will take place after the accounting year end.


On this visit, the detailed substantive procedures will be carried out in order to substantiate the figures in the accounting records and subsequently, the financial statements.  After an overall review of the financial statements, the auditor will be able to assess whether sufficient and appropriate evidence has been obtained in order to draw reasonable conclusions so that an opinion can be expressed on the financial statements.


Examples of the work to be carried out would include:

  • Discussion with management of known risk areas
  • Attendance at stock count
  • Verification of assets/liabilities and income/expenditure
  • Follow up on outstanding interim audit issues
  • Review of post balance sheet events
  • Seek and obtain representations from management
  • Review financial statements
  • Draft an audit report




An auditor should consider materiality and its relationship with audit risk when conducting an audit.  In designing the audit plan, the auditor should set an acceptable materiality level.  He should consider this materiality at both the overall financial statement level and in relation to classes of transactions, account balances and disclosures.


Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements.


An item might be material due to its nature, value or impact on users of accounts.

• Nature • Value

Transactions involving directors generally affect users of accounts.

Inventory stocks in a manufacturing company may represent a high percentage of current assets.

• Impact

An end of year journal could convert a loss into a profit, thus affecting the users of accounts.


The auditor’s assessment of materiality helps the auditor to decide:

  • What items and how many to examine
  • Whether to use sampling and analytical procedures
  • What audit procedures can be expected to reduce audit risk to an acceptably low level.


There is a relationship between materiality and the level of audit risk.  The higher the material figure is set, the higher the audit risk.  The auditor could compensate for this by either

  • Reducing the risk, where this is possible, and supporting this by carrying out extended or additional tests of control or
  • Reducing detection risk by modifying the nature, timing and extent of planned substantive tests.



  • Materiality is a matter of judgement.
  • Some matters could fall outside the criteria, although they could affect users of the accounts.
  • Percentage guidelines need to be used carefully. What figure do you select to base the percentage on – Gross profit, profit before director’s salaries, assets, costs?


Materiality needs to be tailored to the business and the anticipated user.


There is currently an exposure draft on Materiality.  The key issues are:

  • Clear definition of materiality,
  • Auditors should consider users as a whole rather than considering individual users,
  • More guidance on the use of percentage benchmarks,
  • Requires auditors to communicate all discovered misstatements to management,
  • Setting a level doesn’t mean that some matters should be ignored.



Auditors should assess the risk of material misstatements arising in the financial statements and carry out procedures in response to assessed risks.

Overall risk is split into audit risk and business risk.  Audit risk is sometimes known as assignment or engagement risk.  It is focused on the financial statements of the business.


Inherent risk is the susceptibility of an account balance or class of transaction to material misstatement, irrespective of related internal controls.  It may be due to the characteristics of those items such as the fact they are estimates or that they are important items in the accounts. Auditors use their professional judgment and their understanding of the client company to assess the inherent risk.


Control risk is such that the clients controls fail to prevent, detect and/or correct material misstatements.


Detection risk is such that the audit procedures applied by the auditor will fail to detect material misstatements.  There are limitations to the audit process and detection risk relates to the inability of auditors to examine all evidence.  Also, we have seen previous that audit evidence is persuasive rather than conclusive, so some detection risk always exists.


The auditor’s assessment of inherent and control risk will influence the nature, timing and extent of the substantive procedures which are required to reduce the detection risk and, hence, audit risk.


Examples of risk factors which affect the client:

  • Integrity and attitude to risk of management. Problems can be caused where there is domination by a single individual,
  • A lack of management experience and knowledge can affect the quality of financial management,
  • Unusual pressures on management can lead to tight reporting deadlines or market or financing expectations,
  • The nature of the business can lead to potential problems such as technological obsolescence or over-dependence on single products,
  • Industry factors such as competitive conditions, regulatory requirements, technology developments,
  • IT problems include lack of supporting documentation, expertise heavily dependent on a few people and potential risk of unauthorised access to systems.


Examples of risk factors affecting account balances or transactions:

  • Areas which require prior year adjustments or require high level of estimation,
  • Where expert valuations are required due to complex issues,
  • Account balances such as cash, stock, portable assets which are prone to fraud,
  • The existence of high volume transactions where systems may be unable to cope,
  • Unusual transactions,
  • Major changes in staff or low morale issues.


Business risk arises in the operations of a business.  It is split into three distinct types:

  • Financial risk arising from financial activities or financial consequences such as cash flow issues, overtrading, going concern, breakdown of accounting systems, credit risk and currency risk.
  • Operational risks arise with regard to the operations of the business such as risk of losing a major supplier, physical disasters, loss of key personnel and poor brand management.
  • Compliance risks arise from non-compliance with laws and regulations within which the company operates or environmental issues.


Relationship between risks


Initially, it would appear that audit risk and business risk are unrelated, as audit risks are limited only to the financial statements.  However, business risks include all risks facing the business and this includes inherent risks and control risks, which form part of the audit risk. Although audit risk is focused on the financial statements, business risk does form part of the inherent risk associated with the financial statements because, if such risks materialise, then the whole going concern basis of the business could be affected and this has major implications for the financial statements.




Risk is a key issue in any audit and the most common approach to carrying out an audit incorporates a recognition of those risks.  This is called the risk-based approach.

There are other approaches and other techniques and the risk based approach is used in conjunction with these other approaches.

Auditors apply judgment to determine what level of risk pertains to different areas of a client’s system and devise appropriate audit tests.  Risk-based auditing ensures that the greatest effort is directed at those areas of the financial statements that are most likely to be misstated.  The chance of detecting errors is therefore improved and time is not wasted on testing safe areas.


For example, in a small manufacturing company, an auditor will need to do more work on inventory than say land & buildings.  Inventory can be a complex area, with probably a significant number of line items and there is the risk of obsolete stock.


Why is the risk-based auditing used more increasingly:

  • Growing complexity of the business environment, such as advanced computer systems and the globalisation of business, increases the risk of fraud or misstatement.
  • Pressure on auditors to keep fees down but improve the level of service.


ISA 315 requires that auditors consider the entity’s process for assessing its own business risks.  They must consider the factors that lead to the problems which may cause material misstatements and what can the audit contribute to the business pursuing its goals.


The business risk approach was developed because it was believed that in some instances the risk of misstatement arose mainly from the business risks of the company.

This business approach tries to mirror the risk management steps that have been taken by the directors.  It is also known as the top down approach in that it starts at the objectives of the company and works down to the financial statements, rather than working up from the financial statements which has been the historical approach to auditing.

Controls testing is aimed at high level controls and substantive testing is reduced.


Principal risks include:

  • Economic pressures causing reduced sales and eroding margins,
  • Demands for extended credit,
  • Product quality issues re inadequate control over supply chain etc.,
  • Customer dissatisfaction re order requirements and invoicing errors etc., Unacceptable service response calls,
  • Out of date IT systems.


These risks can impact on inventory values, receivables recoverable, provisions and contingencies and going concern.


The effect of the top down approach is that the auditor pays more attention to high level controls, such as the control environment and corporate governance, than the traditional approach.  In addition, analytical review procedures are used more extensively as the auditor is keen to understand the business more clearly.  The combination of the above two factors will result in reduced substantive detailed testing, although it is not eliminated completely.


Business risk approach advantages:

  • There is added value given to clients as the approach focuses on the business as a whole rather than just the financial statements.
  • Where audit attention is focused on high levels of controls and use of analytical procedures, there is increased audit efficiency.
  • There is no need to focus on routine processes where technological developments have rendered them less prone to error than in previous times.
  • The approach responds to corporate governance issues in recent years.
  • There is a lower engagement risk through a better understanding of the client’s business.




This approach is always used in conjunction with other approaches as substantive testing can never be eliminated completely.


Management is required to institute a system of controls which is capable of safeguarding the assets of the shareholders.  Auditors assess the controls put in place by directors and ascertain whether they are effective and can be relied upon for the purposes of the audit.  They carry out tests to ensure that the systems operate as they are supposed to.  If the controls are ineffective, the control risk is high and it is important to undertake higher levels of substantive testing.




An auditor may choose to carry out substantive tests on the transactions of the business in the relevant period.  Cycles testing is closely linked to systems testing as it is based on the same systems.  However, with the cycles approach, the auditors test the transactions which have occurred, resulting in the entries in the books, such as sales transactions, purchases, expenses etc.  The auditor substantiates the transactions which appear in the financial statements. A sample of transactions is selected and each transaction is tested to ensure that the transaction is complete and is processed correctly through the complete cycle.




An auditor may choose to carry out substantive tests on the year end balances.  This is the most common approach to substantive testing after controls have been tested.

The balance sheet shows a snapshot of the financial position.  If it is fairly stated and the previous year’s figures were also fairly stated, then it is reasonable to undertake lower level testing on the profit and loss transactions e.g. analytical review.


There is a relationship with the business risk approach.  The element of substantive testing which remains in a business risk approach can be undertaken in this approach.

In some cases, most notably small companies, the business risks may be strongly linked to management being concentrated in one person, and/or balance sheets may be uncomplicated.  In these cases, it is probably more cost effective to undertake a highly substantive balance sheet audit rather than to undertake a business risk assessment.

It should be noted though, that when not undertaken in conjunction with a risk based approach or systems testing, the level of detailed testing required can be high in a balance sheet approach making it very costly.




Directional testing is a method of discovering errors and omissions in the financial statements through undertaking detailed substantive testing.  It can be broken down into two categories: tests to discover errors and tests to discover omissions.


Checking entries from the books back to supporting documentation should help to detect errors causing an overstatement or an understatement. For example, selecting sales transactions from the sales ledger and tracing them back to sales invoices and price lists to ensure that sales are priced correctly.


To discover omissions the auditor must start from outside the accounting records and trace through to the records in the books.  For example, to check the completeness of purchases, select a number of GRNs and check through to the stock records and the purchase ledger.


Directional testing is appropriate when testing the financial statement assertions of existence, completeness, rights & obligations, and valuation.


The concept of directional testing derives from the principle of double entry bookkeeping.  Therefore any misstatement of a debit entry will result in either a corresponding misstatement of a credit entry or a misstatement in the opposite direction of another debit entry.

A test for an overstatement of an asset also gives comfort on understatement of other assets, overstatement of liabilities, overstatement of income and understatement of expenses. In other words by performing tests, the auditor obtains audit assurance in other audit areas.


A major advantage of this approach is its cost-effectiveness.  Assets and expenses are tested for overstatement only, while liabilities and income for understatement only.

Directional testing is particularly useful when there is a high level of detailed testing to be carried out, such as when the auditors have assessed the controls and accounting systems and have found them to be ineffective.



These procedures are important at all stages of the audit, such as planning, substantive procedures and the overall review.


It consists of comparing items like current financial information with prior year financial information and analysing predictable relationships such as the relationship between receivables and credit sales.


The use of analytical procedures generally arises in the business risk approach and is also used in reviews, assurance engagements and reviewing prospective financial information.


When deciding to use analytical procedures as substantive procedures, the auditor must consider:

  • The plausibility and predictability of the relationships, such as the strong relationship between turnover and sales commission,
  • The objectives of the procedures and the extent to which their results are reliable,
  • The detail to which information can be analysed, such as info at dept. level,
  • The availability of information both financial and non-financial,
  • The relevance of the information such as budgets,
  • The comparability of the information – Average performances over an industry may vary widely,
  • The knowledge gained during previous audits such as effectiveness of controls.


When determining that reliance can be placed on the results of such testing the auditor should consider whether there are other audit procedures directed towards the same assertions, the accuracy with which the results can be predicted and the frequency with which a relationship is observed.


Practical techniques


Important accounting ratios

  • Gross profit margins
  • Average collection period
  • Stock turnover
  • Current ratio
  • Acid test ratio
  • Debt to equity capital
  • Return on capital employed


Related items

  • Payables and purchases
  • Inventories and cost of sales
  • Non-current assets and depreciation, repairs and maintenance
  • Loans and interest
  • Receivables and bad debts
  • Receivables and sales


Ratios on their own are of little use.  They should be compared to previous years and other comparable companies.  In addition, the auditor should use non-financial information to produce ratios such as sales revenue per unit of sale.


Other analytical techniques include:

  • Examining related accounts in conjunction with others
  • Trend analysis
  • Reasonableness tests such as calculating expected values.


Information technology can be used in trend analysis to enable auditors to see trends graphically with relative ease and speed.




When seeking to identify an appropriate strategy for a particular audit, it is important to remember that the approaches are linked and in some cases it is wise to use two or more:

  • Directional testing with balance sheet approach as they are both substantive testing issues,
  • Risk and cycles based approach with low level of large transactions,
  • Risk and balance sheet approach where substantial numbers of sales transactions with substantial receivables.Question 6.2 is a company with a chain of shops selling gifts to the tourist market.  The company has been a long standing client.  Half way through the year the two directors who are also shareholders decided to close down some of the smaller shops which have not been performing well.  Instead they have decided to set up a mail order business and to trade through their website.  Customers can order gifts via an email order form giving their credit card details on that form.  The goods will then be posted to the customer or the gift recipient.


    The company has retained its major shops in solid locations.  Customers may log on in the shops and order what they require, if it is not available in the store they are in.  At the same time as launching the mail order system, the owners decided that they would offer a mailing service for goods bought in the shops as well.

    Some of the staff from the closed shops have been transferred to the warehouse where the electronic arm of the business now operates.


    The website is not integrated into the sales ledger.  A sales clerk, Ange prints 2 copies of every email request.  She checks the order to the availability of stock and then emails the customer if the gift is going to take more than a week to process.  She offers them the chance to change their order if they do so wish.  When the item is in stock, she sends one copy of the order to the warehouse where the order is packed and despatched to the customer.  The warehouse manager returns the first copy of the order to another sales clerk, Mary, marked despatched.  Mary retrieves the second copy of the order, processes the credit card payment, marks the first order as paid and shreds the second copy of the order.  The marked up invoice is filed in a paid invoices file.  When there are lots of orders, Mary helps Ange out and vice versa if lots of orders have been despatched.




    1. Identify the business risks now facing the company with its e-commerce operations;
    2. Identify any additional audit risks which may have arisen from the decision;
    3. Propose and justify an audit strategy;
    4. Suggest minor amendments to control procedures in order to make operations run more smoothly.
(Visited 91 times, 1 visits today)
Share this:

Written by 

Leave a Reply

Your email address will not be published. Required fields are marked *