AUDIT PLANNING AND SUPERVISION
AUDIT PLANNING
ISA 300 planning an audit of financial statements establishes standards and guidance on the considerations and activities applicable to planning an audit.
The auditor should:
- Plan the audit so that the engagement will be performed in an effective and efficient manner.
- Perform certain procedures at the beginning of the audit:
- the continuance of the client relationship,
- evaluation of compliance with ethical requirements including independence and
- establish an understanding of the terms of the engagement.
- Establish the overall audit strategy, setting out the scope, timing and direction of the audit.
- Develop an audit plan in order to reduce audit risk to an acceptably low level.
- Update and change the audit strategy and plan as necessary during the course of the audit.
- Plan the nature, timing and extent of the direction and supervision of the audit team and a review of their work.
- Document the overall audit strategy and the audit plan, including any significant changes made during the audit engagement.
- Prior to starting an initial audit, perform procedures regarding the acceptance of the client relationship and the specific audit engagement, and communicate with the previous auditor in compliance with relevant ethical requirements.
Adequate planning helps to ensure that:
- Appropriate attention is devoted to the most important areas,
- Potential problems are identified and resolved on a timely basis,
- The audit engagement is properly organised and managed,
- There is proper assignment of work to engagement members,
- There is direction and supervision of team members and review of their work,
- There is proper co-ordination of work done by experts.
The nature and extent of planning activities will vary according to the size and complexity of the entity, the auditor’s previous experience with the entity and changes in circumstances that occur during the audit engagement.
The establishing of the overall strategy involves considering the important factors that will determine the focus of the audit team’s effort, such as the:
- The determination of appropriate materiality levels,
- Preliminary identification of areas where there may be higher risks of material misstatement,
- Preliminary identification of material components and account balances,
- Evaluation of whether the auditor may plan to obtain evidence regarding the effectiveness of internal control,
- The identification of recent significant entity-specific, industry, financial reporting or other relevant developments.
The appendix of ISA 300 sets out examples of matters the auditor may consider in establishing the overall audit strategy. It is split between the scope of the audit engagement, the reporting objectives, timing of the audit and communications required and the direction of the audit.
MATERIALITY (ISA 320)
Materiality needs to be considered by an auditor in evaluating the effect of misstatements on the financial statements and when determining the nature, timing and extent of audit procedures.
In designing the audit plan, the auditor should set an acceptable materiality level. He should consider this materiality at both the overall financial statement level and in relation to classes of transactions, account balances and disclosures.
Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements.
Factors to be considered are both quantitative and qualitative. An item might be material due to its nature, value or impact on users of accounts.
- Nature
Transactions involving directors generally affect users of accounts.
- Value
Inventory stocks in a manufacturing company may represent a high percentage of current assets.
- Impact
An end of year journal could convert a loss into a profit, thus affecting the users of accounts.
The auditor’s assessment of materiality helps the auditor to decide:
- What items and how many to examine
- Whether to use sampling and/or analytical procedures
- What audit procedures can be expected to reduce audit risk to an acceptably low level.
An auditor should consider materiality and its relationship with audit risk when conducting an audit. The higher the material figure is set, the higher the audit risk. The auditor could compensate for this by either
- Reducing the risk, where this is possible, and supporting this by carrying out extended or additional tests of control or
- Reducing detection risk by modifying the nature, timing and extent of planned substantive tests.
Problems with Materiality
- Materiality is a matter of judgement.
- Some matters could fall outside the criteria, although they could affect users of the accounts.
- Percentage guidelines need to be used carefully. What figure do you select to base the percentage? Gross profit, profit before director’s salaries, assets, costs.
Materiality and the audit process
Materiality needs to be tailored to the business and the anticipated user. An auditor should plan materiality based on draft figures and any other recent available financial information. These should be applied to individual balances at the assertion level. All items greater than the set materiality figure should be tested, with a sample selected from the remaining items. The actual errors detected should be extrapolated out for the entire population of transactions. A final materiality should then be based on the results obtained and the actual financial statements produced.
To set a materiality level, an auditor needs to decide what level of misstatement (error) would distort the view given by a set of financial statements.
The materiality level must be reviewed constantly throughout the audit process as changes may be required due to changes in the draft accounts, any external factors that may alter the risk profile of the entity and any actual misstatements uncovered during the audit testing phase.
The materiality level is often set a percentage of profits as it is generally the figure that most interested parties check out first. However, there are other figures that are also used. A range of those values is as follows:
Value | % |
Profit before tax | 5 |
Gross profit | ½-1 |
Turnover | ½-1 |
Total assets | 1-2 |
Net assets | 2-5 |
Profit after tax | 5-10 |
AUDIT RISK AND ITS COMPONENTS
Auditors should assess the risk of material misstatements arising in the financial statements and carry out procedures in response to assessed risks.
Risk can be analysed as follows:
Overall risk is split into audit risk and business risk. Audit risk is sometimes known as assignment or engagement risk. It is focused on the financial statements of the business. This is the auditor’s main focus.
Inherent risk is the susceptibility of an account balance or class of transactions to material misstatement, irrespective of related internal controls. It may be due to the characteristics of those items such as the fact they are estimates, complex calculations or that they are important items in the accounts. Auditors use their professional judgment and their understanding of the client company to assess the inherent risk.
Control risk is such that the client’s controls fail to prevent, detect and/or correct material misstatements. There will always be an element of control risk due to the inherent limitations of internal controls.
Detection risk is such that the audit procedures applied by the auditor will fail to detect material misstatements. There are limitations to the audit process and detection risk relates to the inability of auditors to examine all evidence. As a result, some detection risk always exists. Auditors may fail to detect misstatements for a number of reasons including selecting inappropriate audit procedures, incorrectly applying an appropriate procedure or simply misinterpreting the results of testing.
The auditor’s assessment of inherent and control risk will influence the nature, timing and extent of the substantive procedures which are required to reduce the detection risk and hence, audit risk.
Examples of risk factors affecting client:
- Integrity and attitude to risk of management – Problems can be caused where there is domination by a single individual.
- A lack of management experience and knowledge can affect the quality of financial management.
- Unusual pressures on management can lead to tight reporting deadlines or market or financing expectations.
- The nature of the business can lead to potential problems such as technological obsolescence or over-dependence on single products.
- Industry factors such as competitive conditions, regulatory requirements, technology developments.
- IT problems include lack of supporting documentation, expertise heavily dependent on a few people and potential risk of unauthorised access to systems.
Examples of risk factors affecting account balances or transactions:
- Areas which require prior year adjustments or require high level of estimation,
- Where expert valuations are required due to complex issues,
- Account balances such as cash, stock, portable assets which are prone to fraud,
- The existence of high volume transactions where systems may be unable to cope,
- Unusual transactions,
- Major changes in staff or low morale issues.
Business risk arises in the operations of a business. It is split into three distinct types:
- Financial risk – arising from financial activities or financial consequences such as cash flow issues, overtrading, going concern, breakdown of accounting systems, credit risk and currency risk.
- Operational risks arise with regard to the operations of the business such as risk of losing a major supplier, physical disasters, loss of key personnel and poor brand management.
- Compliance risks arise from non-compliance with laws and regulations within which the company operates or environmental issues.
Relationship between risks
Initially, it would appear that audit risk and business risk are unrelated, as audit risks are limited only to the financial statements. However, business risks include all risks facing the business and this includes inherent risks and control risks, which form part of the audit risk.
Although audit risk is very financial statement focused, business risk does form part of the inherent risk associated with the financial statements, because if such risks materialise, then the whole going concern basis of the business could be affected and this has major implications for the financial statements.
IMPACT OF RISK
AR=IR*CR*DR
AUDIT STRATEGIES
The risk approach
Risk is a key issue in any audit and the most common approach to carrying out an audit incorporates recognition of those risks. This is called the risk-based approach.
There are other approaches and other techniques and the risk based approach is used in conjunction with these other approaches.
Auditors apply judgment to determine what level of risk pertains to different areas of a client’s system and devise appropriate audit tests. Risk-based auditing ensures that the greatest effort is directed at those areas of the financial statements that are most likely to be misstated. The chance of detecting errors is therefore improved and time is not wasted on testing safe areas.
For example, in a small manufacturing company, an auditor will need to do more work on inventory than say land & buildings. Inventory can be a complex area, with probably a significant number of line items and there is the risk of obsolete stock.
Why is the risk-based auditing used more increasingly?
- Growing complexity of the business environment, such as advanced computer systems and the globalisation of business, increases the risk of fraud or misstatement.
- Pressure on auditors to keep fees down but improve the level of service.
ISA 315 requires that auditors consider the entity’s process for assessing its own business risks. They must consider the factors that lead to the problems which may cause material misstatements and what can the audit contribute to the business pursuing its goals.
The risk analysis stage is a very important part of the planning of an audit as it allows the auditor to:
- Identify the main areas where possible errors might occur,
- Plan the work to address any of these possible errors,
- Uncover errors as early as possible during the audit process,
- Carry out the audit as efficiently as possible, Reduce the risk of an incorrect audit opinion,
- Reduce the risk of litigation.
The risk based approach will affect:
- How the audits are planned,
- The nature of the audit evidence to be gathered by the auditor, The nature of the procedures that need to be carried out by the auditor,
- The amount of evidence that needs to be gathered.
The business risk approach was developed because it was believed that in some instances the risk of misstatement arises mainly from the business risks of the company.
This business approach tries to mirror the risk management steps that have been taken by the directors. It is also known as the top down approach in that it starts at the objectives of the company and works down to the financial statements, rather than working up from the financial statements which has been the historical approach to auditing.
Controls’ testing is aimed at high level controls and substantive testing is reduced.
Principal risks include:
- Economic pressures causing reduced sales and eroding margins,
- Demands for extended credit,
- Product quality issues re inadequate control over supply chain etc.,
- Customer dissatisfaction re order requirements and invoicing errors etc., Unacceptable service response calls,
- Out of date IT systems.
These risks can impact on inventory values, receivables recoverable, provisions and contingencies and going concern.
The effect of the top down approach is that the auditor pays more attention to high level controls such as the control environment and corporate governance than the traditional approaches. In addition, analytical review procedures are used more extensively as the auditor is keen to understand the business more clearly. The combination of the above two factors will result in reduced substantive detailed testing, although it is not eliminated completely.
Business risk approach advantages:
- There is added value given to clients as the approach focuses on the business as a whole rather than just the financial statements.
- Where audit attention is focused on high levels of controls and use of analytical procedures, there is increased audit efficiency.
- There is no need to focus on routine processes where technological developments have rendered them less prone to error than in previous times.
- The approach responds to corporate governance issues in recent years.
- There is a lower engagement risk through a better understanding of the clients business.
Systems and controls
This approach is always used in conjunction with other approaches as substantive testing can never be eliminated completely.
Management is required to institute a system of controls which is capable of safeguarding the assets of the shareholders. Auditors assess the controls put in place by directors and ascertain whether they are effective and can be relied on for the purposes of the audit. They carry out tests to ensure that the systems operate as they are supposed to. If the controls are ineffective, the control risk is high and it is important to undertake higher levels of substantive testing.
Cycles and transactions
An auditor may choose to carry out substantive tests on the transactions of the business in the relevant period. Cycles’ testing is closely linked to systems testing, as it is based on the same systems. However, with the cycles approach, the auditors test the transactions which have occurred, resulting in the entries in the books, such as sales transactions, purchases, expenses etc. The auditor substantiates the transactions which appear in the financial statements.
A sample of transactions is selected and each transaction is tested to ensure that the transaction is complete and is processed correctly through the complete cycle.
Balance Sheet approach
An auditor may choose to carry out substantive tests on the year end balances. This is the most common approach to substantive testing after controls have been tested.
The balance sheet shows a snapshot of the financial position. If it is fairly stated and the previous years’ figures were also fairly stated, then it is reasonable to undertake lower level testing on the profit and loss transactions e.g. analytical review.
There is a relationship with the business risk approach. The element of substantive testing which remains in a business risk approach can be undertaken in this approach.
In some cases, most notably small companies, the business risks may be strongly linked to management concentration in one person, and/or balance sheets may be uncomplicated. In these cases, it is probable more cost effective to undertake a highly substantive balance sheet audit rather than to undertake a business risk assessment.
It should be noted though, that when not undertaken in conjunction with a risk based approach or systems testing, the level of detailed testing required can be high in a balance sheet approach making it very costly. Directional testing
Directional testing is a method of discovering errors and omissions in the financial statements through undertaking detailed substantive testing. It can be broken down into two categories, tests to discover errors and tests to discover omissions.
Checking entries from the books back to supporting documentation should help to detect errors causing an overstatement or an understatement. For example, selecting sales transactions from the sales ledger and tracing them back to sales invoices and price lists to ensure that sales are priced correctly.
To discover omissions the auditor must start from outside the accounting records and trace through to the records in the books. For example, to check the completeness of purchases, select a number of GRNs and check through to the stock records and the purchase ledger.
Directional testing is appropriate when testing the financial statement assertions of existence, completeness, rights & obligations, and valuation.
The concept of directional testing derives from the principle of double entry bookkeeping. Therefore any misstatement of a debit entry will result in either a corresponding misstatement of a credit entry or a misstatement in the opposite direction of another debit entry.
A test for an overstatement of an asset also gives comfort on understatement of other assets, overstatement of liabilities, overstatement of income and understatement of expenses. In other words by performing tests, the auditor obtains audit assurance in other audit areas.
A major advantage of this approach is its cost-effectiveness. Assets and expenses are tested for overstatement only, while liabilities and income for understatement only. Directional testing is particularly useful when there is a high level of detailed testing to be carried out, such as when the auditors have assessed the controls and accounting systems and have found them to be ineffective.
Auditing around the computer
The auditor is primarily interested in verifying that the data are being correctly input and processed by the computer.
Audit activity is focused on ensuring that the source documentation is processed correctly and the auditor would verify this by checking the output documentation.
What happens within the computer itself is ignored.
However, there are issues with a lack of a paper trail and it is not practical for large company audits.
Auditing through the computer system
The auditor performs tests on the computer and its software to evaluate if they are both effective.
If the auditor finds that the computerised controls and systems are effective, the auditor will perform reduced substantive testing. This is likely to involve the use of computer assisted auditing techniques (CAATs).
The use of a computer as an audit tool or the use of CAATs may improve the efficiency and effectiveness of audit procedures.
It is particularly of use in tests of numerous details of transactions and balances.
General
When seeking to identify an appropriate strategy for a particular audit, it is important to remember that the approaches are linked and in some cases it is wise to use two or more.
- Directional testing with balance sheet approach as they are both substantive testing issues.
- Risk and cycles based approach with low level of large transactions.
- Risk and balance sheet approach where substantial numbers of sales transactions with substantial receivables.
KNOWLEDGE OF THE ENTITY AND ITS ENVIRONMENT
ISA 315 Understanding the entity and its environment and assessing the risks of material misstatement establishes standards and guidance on obtaining an understanding of the entity and its environment including its internal control, and on assessing the risks of material misstatement in a financial statement audit.
Why do we need an understanding of an entity?
- Helps identify risks of material misstatements.
- Helps auditor to design and perform relevant audit procedures.
- Helps auditor in the exercise of judgement where necessary.
How do we obtain understanding?
- Performing risk assessment procedures such as inquiries of management and others within the entity, analytical procedures, and observation and inspection.
- Determining whether changes have occurred that may affect the relevance of information, obtained in prior periods, in the current audit.
- Ensuring that members of the engagement team discuss the susceptibility of the entity’s financial statements to material misstatements.
What do we need to understand?
- Obtain an understanding of the entity and its environment, including its internal control. This understanding should be sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and it should be sufficient to design and perform further audit procedures.
- Obtain an understanding of relevant industry, regulatory and other external factors including the applicable financial reporting framework.
- Obtain an understanding of the nature of the entity, such as its operations, ownership, governance, types of investments it is making, structure and financing.
- Obtain an understanding of the entity’s selection and application of accounting policies and consider whether they are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.
- Obtain an understanding of the entity’s objectives and strategies, and the related business risks that may result in material misstatements of the financial statements.
- Obtain an understanding of the measurement and review of the entity’s financial performance such as internal management information (budgets, variance analysis, department reports) and external information (analyst’s reports and credit rating agency reports). When the auditor intends to make use of the performance measures, he should consider whether the information provides a reliable basis and is sufficiently precise for such a purpose.
- Obtain an understanding of internal control relevant to the audit. This involves evaluating the design of a control and determining whether it has been implemented. Not all controls are relevant to the auditor’s risk assessment.
- Obtain an understanding of the control environment. The control environment sets the tone of an organisation, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.
- Obtain an understanding of the entity’s process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.
- Obtain a sufficient understanding of control activities to assess the risks of material misstatements and to design further audit procedures responsive to assessed risks. Examples of specific control activities include authorisation, performance reviews, information processing, physical controls and segregation of duties.
Risk assessment procedures
The auditor may consider making inquiries of the entity’s legal counsel or of valuation experts. Reviewing information obtained from external sources such as reports by analysts, banks or other rating agencies, trade and economic journals may also be useful in obtaining information about the entity.
Although much of the information can be obtained from management and those responsible for financial reporting, inquiries of others such as production and internal audit personnel may be useful in providing a different prospective in identifying risks of material misstatements.
Observation and inspection may support inquiries of management. Such audit procedures include:
- Observation of activities and operations,
- Inspection of documents and records,
- Reading reports prepared by management,
- Visits to premises and plant facilities,
- Carrying out walk-through tests.
Controls relevant to the audit
Ordinarily, controls that are relevant to an audit pertain to the objective of preparing financial statements. Controls over the completeness and accuracy of information may also be relevant if the auditor intends to make use of the information in designing and performing further procedures. Controls relating to operations and compliance objectives may be relevant if they pertain to data the auditor evaluates or uses in applying audit procedures.
Information systems
The auditor should obtain an understanding of the information systems, including the business processes relevant to financial reporting and in the following areas:
- The classes of transactions in the entity’s operations that are significant to the financial statements;
- The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed and reported in the financial statements;
- The related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting transactions;
- How the information systems capture events and conditions, other than classes of transactions, that are significant to the financial statements;
- The financial reporting processes used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.
Assessing the risks of material misstatement
The auditor should:
- Identify risks throughout the process,
- Relate the risk to what can go wrong at the assertion level,
- Consider whether the risks are of a magnitude that could result in a material misstatement in the financial statements,
- Consider the likelihood that the risks could result in a material misstatement of the financial statements.
Appendix 1 of ISA 315 provides additional guidance on understanding the entity and its environment.
Appendix 2 lays out conditions and events that may indicate risks of material misstatement.
RESPONSE TO ASSESSED RISKS OF MATERIAL MISSTATEMENT
ISA 330 The auditor’s procedures in response to assessed risks establishes standards and provides guidance on determining overall responses and designing and performing further audit procedures to respond to the assessed risks of material misstatements.
The standard requires the auditor to determine overall responses to address risks of material misstatement at the financial statement level and provides guidance on the nature of those responses.
The auditor is required to design and perform further audit procedures, including tests of the operating effectiveness of controls, when relevant or required, and substantive procedures, whose nature, timing, and extent are responsive to the assessed risks of material misstatement at the assertion level. In addition, this section includes matters the auditor considers in determining the nature, timing, and extent of such audit procedures.
The auditor is required to evaluate whether the risk assessment remains appropriate and to conclude whether sufficient appropriate audit evidence has been obtained.
The standard establishes related documentation requirements.
In order to reduce the audit risk to an acceptably low level, the auditor should determine overall responses to assessed risks at the financial statement level.
Overall responses may include:
- Emphasising to the audit team the need to maintain professional scepticism,
- Assigning more experienced staff or hiring expert help when needed,
- Providing more supervision,
- Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed,
- Making changes to the nature, timing, or extent of audit procedures.
The assessment of the risk of material misstatement is affected by the auditor’s understanding of the control environment. An effective control environment may allow an auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity.
If there are weaknesses in the control environment, the auditor:
- conducts more procedures as of the period end rather than an interim date ,
- seeks more extensive audit evidence from substantive procedures,
- modifies the nature of procedures to obtain more persuasive audit evidence,
- Increases the number of locations to be included in the audit scope.
The evaluation of the control environment will help the auditor determine whether there should be a substantive or a combined approach (tests of controls and substantive procedures).
In designing further audit procedures, the auditor should consider:
- the significance of the risk,
- the likelihood that a material misstatement will occur,
- the characteristics of the class of transactions or account balances,
- the nature of specific controls and whether they are manual or automated,
- Whether the auditor expects to obtain evidence to determine if controls are effective in preventing, or detecting and correcting material misstatements.
The nature of further audit procedures refers to their:
- Purpose –
Tests of controls or substantive procedures;
- Type –
Inspection, observation, inquiry, confirmation, recalculation, re-performance, analytical procedures.
Certain audit procedures may be more appropriate for some assertions. The selection of the procedure is based on the assessment of risk. The higher the risk, the more reliable and relevant must be the audit evidence from substantive tests.
The auditor may perform audit procedures at an interim date or at period end (timing). The higher the risk, the more likely the auditor will perform substantive tests nearer to or at the period end. Certain audit procedures can only be performed at or after the period end, such as agreeing the financial statements to the accounting records and examining adjustments made during the course of preparing the financial statements.
The extent (sample size or number of observations) is determined by the judgement of the auditor after considering:
- Materiality,
- Assessed risk,
- Degree of assurance required.
The auditor is required to perform tests of controls when the auditor relies on the effectiveness of controls or when substantive tests alone do not provide sufficient appropriate audit evidence.
Irrespective of the assessed risk of material misstatements, the auditor should design and perform substantive tests for each material class of transaction, account balance and disclosure. Remember, an auditor’s assessment of risk is judgemental and there are inherent limitations to internal control.
The auditor’s substantive procedures should include the following related to the financial statement closing process:
- Agreeing the financial statements to the underlying accounting records and
- Examining material journal entries and other adjustments made during the course of preparing the financial statements.
Where an auditor determines that an assessed risk at the assertion level is a significant risk, he should perform substantive procedures that are specific to that risk.
The auditor should perform audit procedures to evaluate whether the overall presentation of the financial statements, including the related disclosures, is in accordance with the applicable financial reporting framework.
Based on the audit procedures performed and the audit evidence obtained, the auditor should evaluate whether the assessments of the risks at the assertion level remain appropriate.
He should conclude whether sufficient appropriate audit evidence has been obtained to reduce to an acceptably low level the risk of material misstatement in the financial statements.
Where it is not sufficient and the auditor is unable to obtain further evidence, he should express a qualified opinion or a disclaimer of opinion.
Finally, the auditor should document the overall responses to address the risks and the nature, timing and extent of the further audit procedures and the results thereof. In addition, where there is reliance on controls, the auditor should document the conclusions reached with regard to relying on such controls that were tested.
General planning matters
When planning an audit you also need to consider some admin. matters:
Staffing
Have the staff got the correct level of qualifications and experience. Do they have specialist skills that may be required? What about the staff’s relationship amongst themselves and with client staff. Are staff available and what about travel arrangements.
Client management
Continuity of staff is often important to client companies. Also, consistency of staff may help audit efficiency.
Location of audit
Need to consider the distance for audit staff to travel, the staff’s mobility and the location of the review by the manager. Multiple locations often require a decision as to which locations should be visited, the allocation of your staff to these locations and managing the visits to each selected sites.
Deadlines
Key deadlines are stock-counts, date of draft accounts available, main audit visit, audit manager review, partner review, audit clearance meeting, audit report to be signed and date of the Annual Meeting. It is important to plan the work so that these deadlines can be achieved.
Use of IT
Need to consider whether the client has a computerised system and whether the auditor will use CAATs. Will the auditor use computers to complete the working papers and communicate with the partner? Time budgets
These are an important part of planning. Times should be estimated accurately and communicated to the audit team. The audit team should record variances from the budget for planning purposes for the next audit.
Audit Evidence
The purpose of ISA 500 is to establish standards and provide guidance on what constitutes audit evidence in an audit of financial statements, the quantity and quality of audit evidence to be obtained, and the audit procedures that auditors use for obtaining that audit evidence.
In order to form an opinion, an auditor must obtain evidence. This evidence should be sufficient, relevant and reliable. The auditor designs substantive procedures to obtain this evidence about the financial statement assertions.
By approving the financial statements, the directors are making representations about the information therein. These assertions may fall into the following categories:
- Assertions about classes of transactions and events for the period under audit:
- Occurrence—transactions and events that have been recorded have occurred and pertain to the entity.
- Completeness—all transactions and events that should have been recorded have been recorded.
- Accuracy—amounts and other data relating to recorded transactions and events have been recorded appropriately.
- Cut-off—transactions and events have been recorded in the correct accounting period.
- Classification—transactions and events have been recorded in the proper accounts.
- Assertions about account balances at the period end:
- Existence—assets and liabilities exist.
- Completeness—all assets and liabilities that should have been recorded have been recorded.
- Rights and obligations—the entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
- Valuation and allocation —assets and liabilities are included in the financial statements at appropriate amounts.
- Assertions about presentation and disclosure:
- Occurrence and rights and obligations—disclosed events, transactions, and other matters have occurred and pertain to the entity.
- Completeness—all disclosures that should have been included in the financial statements have been included.
- Classification and understanding—financial information is appropriately presented and described, and disclosures are clearly expressed.
- Accuracy and valuation—financial and other information are disclosed fairly and at appropriate amounts.
Procedures used by auditors to obtain evidence
- Inspection of tangible assets
Inspection confirms existence and valuation and gives evidence of completion. It does not however confirm rights and obligations.
- Inspection of documents and records
Confirmation of documentation confirms existence of an asset or that a transaction has occurred. Confirmation that items are in the books shows completeness. Also helps testing cut-off. It provides evidence of valuation, measurement, rights and obligations and presentation and disclosure.
- Observation
This procedure is of limited use in that it only confirms that a procedure took place when it was observed.
- Inquiry and confirmation
Information sought from client or external sources. The strength of the evidence depends on knowledge and integrity of the source of the information.
- Recalculation and Re-Performance Checking calculations of client records.
- Audit automation tools
Such as computer assisted auditing techniques.
- Analytical procedures
Sufficient and appropriate
Sufficiency is the measure of the quantity of the evidence, while the appropriateness is the measure of the quality (reliability & relevance) of the evidence. This applies to both tests of controls and substantive procedures.
An auditor’s judgment as to what is sufficient appropriate evidence is influenced by the following factors:
- Risk assessment, is it low or high?
- The nature of the accounting and internal control systems,
- The materiality of the item being examined,
- The experience gained during previous audits,
- The auditors’ knowledge of the business and industry,
- The results of audit procedures, The source and reliability of the information available.
Appropriate- relevance
The relevance of audit evidence should be considered in relation to the overall objective of forming an audit opinion and reporting on the financial statements. The evidence should allow the auditor to conclude on the following:
- Balance sheet items
Are there suitable completeness, existence, ownership, valuation and disclosure issues?
- Profit and loss items
Are there suitable completeness, occurrence, valuation and disclosure issues?
Appropriate – reliable
Reliability of audit evidence depends on the particular circumstances of each case. However, the following should be considered:
- Documentary evidence is more reliable that oral evidence,
- Evidence from external independent sources is generally more reliable than that within an entity,
- Evidence from the auditor by such means as analysis and physical inspection is more reliable than evidence obtained by others.
Sufficiency
The auditor needs to obtain sufficient, relevant and reliable evidence to form a reasonable basis for his opinion on the financial statements. His judgement of sufficiency will be influenced by such factors as:
- His knowledge of the business and its environment,
- The risk of misstatement,
- The quality of the evidence.
However, merely obtaining more audit evidence may not compensate for its poor quality.
DOCUMENTATION
Audit planning memo
An audit plan is the formulation of the general strategy for the audit, which sets out the direction for the audit, describes the expected scope and conduct of the audit and provides guidance for the development of the audit programme. This plan is in the form of a written document. Included will be:
- The discussion among the audit team concerning the susceptibility of the financial statements to material misstatements including any key decisions reached;
- Key elements of the understanding gained of the entity;
- The identified and assessed risks of material misstatement;
- Significant risks identified and related controls evaluated;
- The overall responses to address the risks of material misstatements;
- The nature, extent and timing of further audit procedures linked to the assessed risks at the assertion level;
- If the auditors have relied on evidence about the effectiveness of controls from previous audits, conclusions about how this is appropriate.
Example of an outline audit plan
Initial visit
This visit is essential in building up a background about the client company in order to assist in the detailed planning of the audit.
The auditor will use techniques such as inquiry, observation and review of documentation in order to understand details about the company such as:
- The development and past history,
- The nature of the environment in which it operates,
- Products and processes,
- Organisational plans,
- Accounting and internal controls in operation,
- The maintenance of accounting records.
In respect of the internal controls, it would be expected to carry out walkthrough tests to confirm the operation of the controls as described. If this is an existing client, the visit may simply take the form of a phone call or brief meeting to establish any changes since the previous audit in respect of the company’s operations or environment. Interim Visit
Ideally this visit should take place close to the year end. The purpose of this visit is to carry out detailed tests on the client’s accounting and internal controls with a view to establishing those controls on which you can rely. Where controls are operating effectively, restricted substantive procedures need only be carried out. Where controls are ineffective in practice, more extensive substantive tests will need to be carried out. At this stage, if any weaknesses in controls have been noted, it may be appropriate to draft a letter to the client management. Final Visit
This visit will take place after the accounting year end. On this visit, the detailed substantive procedures will be carried out in order to substantiate the figures in the accounting records and subsequently, the financial statements. After an overall review of the financial statements, the auditor will be able to assess whether sufficient and appropriate evidence has been obtained in order to draw reasonable conclusions so that an opinion can be expressed on the financial statements.
Examples of the work to be carried out would include:
- Discussion with management of known risk areas,
- Attendance at stock count,
- Verification of assets/liabilities and income/expenditure,
- Follow up on outstanding interim audit issues,
- Review of post balance sheet events,
- Seek and obtain representations from management, Review financial statements,
- Draft an audit report.
Audit programme
An audit programme is a set of written instructions to the audit team that sets out the audit procedures the auditor intends to adopt and may include references to other matters such as the audit objectives, timing, sample size and basis of selection for each area. It also serves as a means to control and record the proper execution of the work.
Working Papers
All evidence obtained during an audit should be documented. Working papers are the property of the auditor. The auditor’s working papers are the evidence of all the work done which supports his audit opinion. In addition, it provides evidence that the audit was carried out in accordance with the standards and other regulatory requirements. Furthermore, it helps in the planning, performance, supervision and subsequent review of the audit.
Working papers should be reviewed by more senior members of staff before an audit conclusion is reached. The review should consider whether:
- The work has been performed in line with the detailed audit programmes,
- The work performed and the results thereof have been adequately documented,
- Any significant matters have been resolved or are reflected in the audit opinion,
- The objectives of the audit procedures have been achieved,
- The conclusions expressed are consistent with the results of the work performed and support the opinion of the auditor.
For recurring audits, working papers may be split into a permanent audit file and a current audit file.
Audit working papers should be retained for a period of at least 7 years.
AUDIT SUPERVISION AND REVIEW
Auditing standards stress the importance of quality control, both at the audit firm level and the audit engagement level.
ISQC1 Quality Control for firms that perform audits and reviews of historical financial information, and other assurance and related services engagements helps audit firms establish quality standards for their own business, while ISA 220 Quality Control for audits of historical financial information requires firms to implement quality control procedures over individual audit assignments.
Quality control at audit engagement level
Engagement performance
ISA 220.21 states that the engagement partner should take responsibility for the direction, supervision and performance of the audit engagement in compliance with professional standards and regulatory and legal requirement, and for the auditor’s report that is issued to be appropriate in the circumstances.
The audit engagement can be directed by informing members of the team of:
- Their responsibilities such as maintaining an objective state of mind, an appropriate level of professional scepticism and performing the work in accordance with due care;,
- The nature of the entity’s business,
- Risk related issues,
- Problems that may arise,
- The detailed approach to the performance of the engagement.
Supervision includes:
- Tracking the progress of the engagement,
- Considering the capabilities and competence of members of the team, whether they have sufficient time, that they understand their instructions, and whether the work is been carried in accordance with the planned approach;
- Addressing significant issues as they arise, considering their significance and modifying the planned approach appropriately;
- Identifying matters for consultation by more experienced engagement team members during the engagement. Not just partner doing this, but all members of staff at different levels.
Review responsibilities are determined on the basis that the more experienced members of the audit engagement, review work performed by less experienced persons. The reviewers consider whether:
- The work has been performed in accordance with professional standards,
- Significant matters have been raised for further consultation,
- Appropriate consultations have taken place and the consultations have been documented and implemented,
- There is a need to revise the nature, timing and extent of the work performed,
- The work performed supports the conclusions reached and is appropriately documented,
- The evidence obtained is sufficient and appropriate to support the auditor’s report,
- The objectives of the audit engagement procedures have been achieved.
Before the auditor’s report is issued, the engagement partner, through review of the audit documentation and discussion with the engagement team, should be satisfied that sufficient appropriate audit evidence has been obtained to support the conclusions reached and for the audit report to be issued.
Quality control review
For audits of financial statements of listed companies, the engagement partner should:
- Appoint a quality control reviewer,
- Discuss significant matters with the reviewer which have arisen,
- Not issue the audit report until completion of the review.