Purpose of planning
‘The objective of the auditor is to plan the audit so that it will be performed in an effective manner.’
[ISA 300 Planning an Audit of Financial Statements, 4]
Audits are potentially complex, risky and expensive processes. Although firms have internal manuals and standardised procedures, it is vital that engagements are planned to ensure that the auditor:
- Devotes appropriate attention to important areas of the audit.
- Identifies and resolves potential problems on a timely basis.
- Organises and manages the audit so that it is performed in an effective and efficient manner.
- Selects team members with appropriate capabilities and competencies.
- Directs and supervises the team and reviews their work.
- Effectively coordinates the work of others, such as experts and internal audit.
[ISA 300, 2]
Planning ensures that the risk of performing a poor quality audit (and ultimately giving an inappropriate audit opinion) is reduced to an acceptable level.
In order to achieve the overall objectives of the auditor, the audit must be conducted in accordance with ISAs.
Conducting the audit in accordance with ISAs:
- Ensures that the auditor is fulfilling all of their responsibilities.
- Allows a user to have as much confidence in one auditor’s opinion as another’s and therefore to rely on one audited set of financial statements to the same extent that they rely on another.
- Ensures that the quality of audits internationally, is maintained to a high standard (thereby upholding the reputation of the profession).
- Provides a measure to assess the standard of an auditor’s work (necessary when determining their suitability as an authorised practitioner).
Professional scepticism and professional judgment
Auditors are also required to perform audits with an attitude of professional scepticism. Professional scepticism was explained in the previous . Having an enquiring mind in itself is not sufficient to comply with a risk based method of auditing, the auditor must also use professional judgment.
Professional judgment – the application of relevant training, knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement.
[ISA 200, 13k]
Therefore the use of a risk based approach requires skill, knowledge, experience and an inquisitive, open mind.
Although risk assessment is a fundamental element of the planning process, risks can be uncovered at any stage of the audit and procedures must be adapted in light of revelations that indicate further risks of material misstatement. It is, ultimately, the responsibility of the most senior reviewer (usually the engagement partner) to confirm that the risk of material misstatement has been reduced to an acceptable level.
The planning process
Planning consists of a number of elements. They can be summarised as:
- Preliminary engagement activities:
– Perform procedures regarding the continuance of the client engagement.
– Evaluating compliance with ethical requirements.
– Ensuring there are no misunderstandings with the client as to the terms of the engagement.
[ISA 300, 6]
The preliminary engagement activities were covered in the previous .
- Planning activities:
– Developing the audit strategy
– Developing an audit plan.
[ISA 300, 7]
The audit strategy and the audit plan must be documented in the audit working papers. Any updates to them must also be documented.
2 The audit strategy
The audit strategy sets the scope, timing and direction of the audit. It allows the auditor to determine:
- The resources to deploy for specific audit areas (e.g. experience level, external experts)
- The amount of resources to allocate (i.e. number of team members) when the resources are to be deployed
- How the resources are managed, directed and supervised, including the timings of meetings, debriefs and reviews.
[ISA 300, A8]
3 The audit plan
Once the audit strategy has been established, the next stage is to develop a specific, detailed plan to address how the various matters identified in the overall strategy will be applied.
The strategy sets the overall approach to the audit, the plan fills in the operational details of how the strategy is to be achieved.
The audit plan should include specific descriptions of:
- The nature, timing and extent of risk assessment procedures.
- The nature, timing and extent of further audit procedures, including:
– What audit procedures are to be carried out
– Who should do them
– How much work should be done (sample sizes, etc.)
– When the work should be done (interim vs. final)
- Any other procedures necessary to conform to ISAs.
[ISA 300, 9]
The relationship between the audit strategy and the audit plan
Interim and final audit
The auditor must consider the timing of audit procedures such as whether to carry out an interim audit and a final audit, or just a final audit.
For an interim audit to be justified the client normally needs to be of a sufficient size because this may increase costs. However, an interim audit should improve risk assessment and make final procedures more efficient.
It is important to note that the interim audit and final audit are two stages of the same audit. One set of financial statements are audited. One auditor’s report will be issued. The audit work however is being performed in two stages – some work before the year-end and some work after the year-end.
|Interim audit||Final audit|
|Timing||Completed part way||Takes place after the year-end|
|through a client’s||at a time agreed with the client|
|accounting year||which enables them to file|
|(i.e. before the year-||their financial statements with|
|end).||the relevant authorities by the|
|Early enough not to||required deadline.|
|Generally a client would not|
|interfere with year-end|
|procedures at the client||want the auditor to be|
|and to give adequate||performing the audit at the|
|warning of specific||year-end as this will cause|
|problems that need to be||disruption for the client’s year-|
|addressed in planning||end procedures.|
|the final audit.|
|Late enough to enable|
|sufficient work to be|
|done to ease the|
|pressure on the final|
|Purpose||Allows the auditor to||To obtain sufficient|
|spread out their||appropriate evidence in|
|procedures and enables||respect of the financial|
|more effective planning||statements to enable the|
|for the final stage of the||auditor’s report to be issued.|
|audit.||The auditor’s report will be|
|Useful when there is||issued once the final audit|
|increased detection risk||complete and this signifies the|
|due to a tight reporting||end of the audit.|
|Work performed ||Documenting|
Additional activities that
can be performed
- Test specific and complete material transactions, e.g. purchasing new non-current assets
- Test transactions such as sales, purchases and payroll for the year to date
- Assess risks that will impact work conducted at the final audit
- Attend perpetual inventory counts.
- Statement of financial position balances which will only be known at the year-end.
- Transaction testing for transactions that have occurred since the interim audit took place.
- Year-end journals which may include adjustments to the transactions tested at the interim audit.
- Obtaining evidence that the controls tested at the interim audit have continued to operate during the period since the interim audit took place.
- Completion activities such as the going concern and subsequent events reviews, overall review of the financial statements and communication of misstatements with management and those charged with governance.
Impact of interim audit work on the final audit
- If the controls tested at the interim stage provided evidence that control risk is low, fewer substantive procedures can be performed.
- If substantive procedures were performed at the interim stage, fewer procedures will be required at the final audit in general.
- As fewer procedures are being performed, the final audit will require less time to perform.
- The auditor’s report can be signed closer to the year-end resulting in more timely reporting to shareholders.
- If the interim audit identified areas of increased risk, for example, controls were found not to be working effectively, increased substantive procedures will be required at the final audit.
5 Fraud and error
Fraud is an intentional act by one or more individuals among management, those charged with governance, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage. [ISA 240 the Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, 11a]
Fraud can be split into two types:
- Fraudulent financial reporting – deliberately misstating the financial statements to make the company’s performance or position look better/worse than it actually is.
- Misappropriation – the theft of a company’s assets such as cash or inventory.
[ISA 240, 3]
An error can be defined as an unintentional misstatement in financial statements, including the omission of amounts or disclosures, such as the following:
- A mistake in gathering and processing data from which financial statements are prepared.
- An incorrect accounting estimate arising from oversight or a misinterpretation of facts.
- A mistake in the application of accounting principles relating to measurement, recognition, classification, presentation or disclosure.
[ISA 450 Evaluation of Misstatements Identified During the Audit, A1]
Directors’ responsibilities in respect of fraud
The primary responsibility for the prevention and detection of fraud rests with those charged with governance and the management of an entity. This is achieved by:
- Implementing an effective system of internal control, reducing opportunities for fraud to take place and increasing the likelihood of detection (and punishment)
- Creating a culture of honesty, ethical behaviour, and active oversight by those charged with governance.
The directors should be aware of the potential for fraud and this should feature as an element of their risk assessment and corporate governance procedures.
The audit committee should review these procedures to ensure that they are in place and working effectively.
This will normally be done in conjunction with the internal auditors.
[ISA 240, 4]
Internal auditors can help management fulfil their responsibilities in respect of fraud and error. Typical functions the internal auditor can perform include:
- Testing the effectiveness of the internal controls at preventing and detecting fraud and error and provide recommendations for improvements to the controls.
- Performing fraud investigations to identify:
– how the fraud was committed
– the extent of the fraud
– provide recommendations on how to prevent the fraud from happening again.
- Performing surprise asset counts to identify misappropriation.
The presence of an internal audit department may act as a deterrent to fraud in itself as there is a greater chance of being discovered.
External auditor’s responsibilities in respect of fraud
Misstatement in the financial statements can arise from either fraud or error. The distinguishing factor is whether the underlying action that resulted in the misstatement was intentional or unintentional. [ISA 240, 2]
There is an unavoidable risk that some material misstatements may not be detected even if properly planned in accordance with ISAs as fraud is likely to be concealed. [ISA 240, 5]
The ability to detect fraud depends on the skill of the perpetrator, collusion, relative size of amounts manipulated, and the seniority of the people involved. [ISA 240, 6]
The auditor’s role is two-fold:
- Assess the risk of material misstatement due to fraud, and
- Respond to the assessed risks.
Assessing the risk of fraud
The auditor should:
- Obtain reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error. [ISA 240, 5]
- Apply professional scepticism and remain alert to the possibility that fraud could take place. [ISA 240, 8]
This means that the auditor must recognise the possibility that a material misstatement due to fraud could occur, regardless of the auditor’s prior experience of the client’s integrity and honesty.
- Consider the potential for management override of controls and recognise that audit procedures that are effective for detecting error may not be effective for detecting fraud. [ISA 240, 8]
This can be achieved by performing the following procedures:
- Discuss the susceptibility of the client’s financial statements to material misstatement due to fraud with the engagement team. [ISA 240, 15]
– Consider any incentives to commit fraud such as profit related bonuses or applications for finance.
– Opportunities to commit fraud such as ineffective internal controls.
– Management’s attitude e.g. disputes with the auditor over auditing matters or failure to remedy known deficiencies.
[ISA 240, Appendix 1]
- Enquire of management about their processes for identifying and responding to the risk of fraud. [ISA 240, 17]
- Enquire of management, internal auditors and those charged with governance if they are aware of any actual or suspected fraudulent activity. [ISA 240, 18, 19, 20]
- Consideration of relationships identified during analytical procedures. [ISA 240, 22]
Responding to the assessed risks
The following procedures must be performed:
- Review journal entries made to identify manipulation of figures recorded or unauthorised journal adjustments:
– Enquire of those involved in financial reporting about unusual activity relating to adjustments.
– Select journal entries and adjustments made at the end of the reporting period.
– Consider the need to test journal entries throughout the period. [ISA 240, 32a]
- Review management estimates for evidence of bias:
– Evaluate the reasonableness of judgments and whether they indicate any bias on behalf of management.
– Perform a retrospective review of management judgments reflected in the prior year.
[ISA 240, 32b]
- Review transactions outside the normal course of business, or transactions which appear unusual and assess whether they are indicative of fraudulent financial reporting.
[ISA 240, 32c]
- Obtain written representation from management and those charged with governance that they:
– Acknowledge their responsibility for internal controls to prevent and detect fraud.
– Have disclosed to the auditor the results of management’s fraud risk assessment.
– Have disclosed to the auditor any known or suspected frauds.
– Have disclosed to the auditor any allegations of fraud affecting the entity’s financial statements.
[ISA 240, 39]
Reporting of fraud and error
- If the auditor identifies a fraud they must communicate the matter on a timely basis to the appropriate level of management (i.e. those with the primary responsibility for prevention and detection of fraud). [ISA 240, 40]
- If the suspected fraud involves management the auditor must communicate the matter to those charged with governance. If the auditor has doubts about the integrity of those charged with governance they should seek legal advice regarding an appropriate course of action. [ISA 240, 41]
- In addition to these responsibilities the auditor must also consider whether they have a responsibility to report the occurrence of a suspicion to a party outside the entity. Whilst the auditor does have an ethical duty to maintain confidentiality, it is likely that any legal responsibility will take precedence. In these circumstances it is advisable to seek legal advice. [ISA 240, 43]
- If the fraud has a material impact on the financial statements the auditor’s report will be modified. When the auditor’s report is modified, the auditor will explain why it has been modified and this will make the shareholders aware of the fraud.
6 Laws and regulations
Guidance relating to laws and regulations in an audit of financial statements is provided in ISA 250 Consideration of Laws and Regulations in an Audit of
Non-compliance means acts of omission or commission intentional or unintentional, committed by the entity, which are contrary to the prevailing laws or regulations. Non-compliance must specifically relate to the business activities i.e. transactions entered into on behalf of the company. It does not include personal misconduct.
[ISA 250, 12]
Responsibilities are considered from the perspective of both auditors and management.
Responsibilities of management
It is the responsibility of management, with the oversight of those charged with governance, to ensure that the entity’s operations are conducted in accordance with relevant laws and regulations, including those that determine the reported amounts and disclosures in the financial statements. [ISA 250, 3]
Responsibilities of the auditor
The auditor must perform audit procedures to help identify non-compliance with laws and regulations that may have a material impact on the financial statements.
The auditor must obtain sufficient, appropriate evidence regarding compliance with laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial statements (e.g. completeness of a tax provision in accordance with tax law, or the presentation of the financial statements in accordance with the applicable financial reporting framework). [ISA 250, 11a]
The auditor must perform audit procedures to help identify non-compliance with other laws and regulations that may have a material impact on the financial statements (e.g. data protection, environmental legislation, public health and safety). Non-compliance in respect of such matters could affect the company’s ability to continue as a going concern or could result in the need for material liabilities to be recognised or disclosed. [ISA 250, 11b]
Audit procedures to identify instances of non-compliance
- Obtaining a general understanding of the legal and regulatory framework applicable to the entity and the industry, and of how the entity is complying with that framework. [ISA 250, 13]
- Enquiring of the management and those charged with governance as to whether the entity is in compliance with such laws and regulations. [ISA 250, 15a]
- Inspecting correspondence with relevant licensing or regulatory [ISA 250, 15b]
- Remaining alert to the possibility that other audit procedures applied may bring instances of non-compliance to the auditor’s attention. [ISA 250, 16]
- Obtaining written representation from the directors that they have disclosed to the auditors all those events of which they are aware which involve possible non-compliance, together with the actual or contingent consequences which may arise from such non-compliance. [ISA 250, 17]
Investigations of possible non-compliance
When the auditor becomes aware of information concerning a possible instance of non-compliance with laws or regulations, they should:
- Understand the nature of the act and circumstances in which it has occurred.
- Obtain further information to evaluate the possible effect on the financial statements.
[ISA 250, 19]
Audit procedures when non-compliance is identified
- Enquire of management of the penalties to be imposed.
- Inspect correspondence with the regulatory authority to identify the consequences.
- Inspect board minutes for management’s discussion on actions to be taken regarding the non-compliance.
- Enquire of the company’s legal department as to the possible impact of the non-compliance.
- The auditor should report non-compliance to management and those charged with governance, unless prohibited by law or regulation. [ISA 250, 23]
- If the auditor believes the non-compliance is intentional and material the matter should be reported to those charged with governance. [ISA 250, 24]
- If the auditor suspects management or those charged with governance are involved in the non-compliance, the matter should be reported to the audit committee or supervisory board. [ISA 250, 25]
- If the non-compliance has a material effect on the financial statements, a qualified or adverse opinion should be issued. [ISA 250, 26]
- The auditor should also consider whether they have any legal or ethical responsibility to report non-compliance to third parties e.g. to a regulatory authority. [ISA 250, 29]
NOCLAR: Auditor responsibilities in addition to ISA 250
The IESBA Code of Ethics for Professional Accountants sets out new ethical requirements in relation to an entity’s compliance with laws and regulations.
The ethical standard, Responding to Non-compliance with Laws and Regulations (NOCLAR), provides guidance to accountants as to the actions that should be taken if they become aware of an illegal act committed by a client or employer.
The additional requirements have been introduced to address concerns that the duty of confidentiality was acting as a barrier to the disclosure of potential NOCLAR to public authorities in the appropriate circumstances. Auditors were resigning from client relationships without NOCLAR issues being appropriately addressed.
NOCLAR sets out responsibilities in relation to:
- Responding to identified or suspected non-compliance
- Communicating identified or suspected non-compliance with other auditors
- Documenting identified or suspected non-compliance.
The aim is to generate an earlier response by management or those charged with governance, thereby mitigating adverse consequences for stakeholders and the general public and timelier intervention from public authorities on reports of potential NOCLAR to mitigate any adverse consequences for stakeholders and the general public.
7 Quality control
ISA 220 Quality Control for an Audit of Financial Statements requires the firm to establish a system of quality control to ensure the firm complies with professional standards and issues reports that are appropriate in the circumstances.
Policies and procedures should be established which address:
- Leadership responsibilities for quality within the firm
- Relevant ethical requirements
- Acceptance and continuance of client relationships and specific engagements
- Human resources
- Engagement performance
[ISA 220, A1]
The engagement partner takes overall responsibility for the overall quality of the engagement. [ISA 220, 8]
The engagement partner should ensure:
- Compliance with ethical requirements during the engagement.
- Appropriate acceptance and continuance procedures have been performed.
- The engagement team and auditor’s experts used have the appropriate competence and capabilities.
- Reviews have been performed in accordance with the firm’s review policies.
- Sufficient appropriate evidence has been obtained to support the audit conclusion through a review of the documentation and discussion with the audit team.
- Appropriate consultation on difficult or contentious matters has been undertaken.
Relevant ethical requirements
The firm should ensure compliance with the requirements of the ACCA Code of Ethics. This is covered in 4.
Acceptance and continuance of client relationships
The firm should ensure only clients and work of an acceptable level of risk are accepted. This requires consideration of:
- Integrity of management.
- Competence of the engagement team.
- Compliance with ethical requirements.
- Significant matters that have arisen during the current or previous audit engagement and their implications for continuing the relationship.
[ISA 220, A8]
The engagement partner should ensure that the engagement team collectively have the competence and capabilities to perform the audit in accordance with professional standards. This includes knowledge of professional standards, knowledge of relevant industries in which the client operates, the ability to apply judgment and an understanding of the firm’s quality control policies and procedures. [ISA 220, A11]
Engagement performance comprises direction, supervision and review of the engagement.
Direction involves informing team members of:
- Their responsibilities
- Objectives of the work to be performed
- The nature of the business
- Problems that may arise
- The detailed approach to the performance of the engagement. [ISA 220, A13]
- Tracking the progress of the audit to ensure the timetable can be met
- Considering the competence of the team
- Addressing significant matters arising and modifying the planned approach accordingly
- Identifying matters for consultation. Consultation may be required where the firm lacks appropriate internal expertise.
[ISA 220, A15]
Review responsibilities include consideration of whether:
- The work has been performed in accordance with professional standards
- Appropriate consultations have taken place
- The work performed supports the conclusions reached
- The evidence obtained is sufficient and appropriate to support the auditor’s report.
[ISA 220, A17]
The engagement partner should perform a review of critical areas of judgment, significant risks and other areas of importance throughout the audit. The extent and timing of the partner’s reviews should be documented. [ISA 220, A18]
Engagement Quality Control Review
Listed entities and other high risk clients should be subject to an engagement quality control review (EQCR). [ISA 220, 19]
This is also referred to as a pre-issuance review or ‘Hot’ review.
High risk clients include those which are in the public interest, those with unusual circumstances and risks, and those where laws or regulations require an EQCR.
An EQCR includes:
- Discussion of significant matters with the engagement partner.
- Review of the financial statements and proposed auditor’s report.
- Review of selected audit documentation relating to significant judgments and conclusions reached. This includes:
– Significant risks and responses to those risks
– Judgments with respect to materiality and significant risks
– Significance of uncorrected misstatements
– Matters to be communicated to management and those charged with governance, and where applicable, other parties such as regulatory bodies.
- Evaluation of conclusions reached in forming the audit opinion.
[ISA 220, 20]
For listed entity audits, the EQCR should also consider:
- Independence of the engagement team.
- Whether appropriate consultation has taken place on contentious matters or differences of opinion.
- Whether documentation reflects the work performed in relation to significant judgments.
[ISA 220, 21]
The engagement quality control reviewer:
- Should have the technical qualifications to perform the role, including the necessary experience and authority, and
- Should be objective. To be objective the reviewer should not be selected by the engagement partner and should not participate in the engagement.
[ISA 220, 7a]
Note: An engagement quality control reviewer may also be referred to as an independent review partner.
Quality control policies alone do not ensure good quality work. They must be implemented effectively. Therefore the firm must evaluate:
- Adherence to professional standards and regulatory/legal requirements.
- Whether quality control procedures have been implemented on a day-to-day basis.
- Whether the firm’s quality control policies and procedures are effective so that reports issued by the firm are appropriate in the circumstances.
Firms should carry out post-issuance or ‘cold’ reviews to ensure that quality control procedures are adequate, relevant and operating effectively.
|Post-issuance (cold) review|
|Purpose||To assess whether the firm’s policies and procedures|
|were implemented during an engagement and to|
|identify any deficiencies therein.|
|When||After the auditor’s report has been signed.|
|Which files||A selection of completed audit files.|
|Conducted by||A dedicated compliance or quality department/a|
|qualified external consultant/an independent partner.|
|Matters considered||Working papers should demonstrate that:|
|||Sufficient appropriate evidence has been|
|||All matters were resolved before issuing the|
|All working papers should be:|
|||Signed as completed|
|||Evidence as reviewed.|
|Outcomes||A report of the results will be provided to the partners|
|of the firm flagging deficiencies that require corrective|
|action. Recommendations will be made including:|
|||Communication of findings|
|||Additional quality control reviews|
|||Changes to the firm’s policies and procedures|
8 Audit documentation
Purposes of audit documentation
ISA 230 Audit Documentation, requires auditors to prepare and retain written documentation that:
- Provides a sufficient appropriate record of the auditor’s basis for the auditor’s report.
- Provides evidence that the audit was planned and performed in accordance with ISAs and applicable legal and regulatory requirements.
[ISA 230, 2]
In addition, audit documentation:
- Assists the engagement team to plan and perform the audit.
- Assists members of the engagement team responsible for supervision to direct, supervise and review the audit work.
- Enables the engagement team to be accountable for its work.
- Retains a record of matters of continuing significance to future audits.
- Enables the quality control reviews to be performed.
- Enables the external quality inspections to be performed.
[ISA 230, 3]
Form and content of audit documentation
Documentation should be sufficient to enable an experienced auditor, with no previous connection to the audit, to understand:
- The nature, timing and extent of audit procedures performed
- The results of the procedures performed and the evidence obtained
- The significant matters arising during the course of the audit and the conclusions reached thereon, and significant professional judgments made in reaching those conclusions.
[ISA 230, 8]
Retention of working papers
Documentation is retained in an audit file, which should be completed in a timely fashion after the date of the auditor’s report (normally not more than 60 days after) and retained for the period required by national regulatory requirements (this is normally five years from the date of the auditor’s report).
[ISA 230, A21, A23]
Illustration 1 – Wimble & Co working paper
Wimble & Co Audit and Accounting Practitioners: Working Paper
To identify the risks of material misstatement in the financial statements of Murray Co for the year-ended 31 December 20X4, in order to provide a basis for designing and performing audit procedures that respond to the assessed risks.
Discussion among the engagement team of the susceptibility of the financial statements to material misstatement: RA1/1of the financial statements to material misstatement: RA1/1
A summary of the understanding of the entity and its environment obtained, detailing the key elements including internal control components, sources of information and risk assessment procedures performed: RA/2
Analytical procedures performed: RA/3
The identified and assessed risks of material misstatement: RA/4
The overall responses to address the risks of material misstatement: RA/5
An Audit Manager
December 5 20X4
Wimble & Co working paper
Features of Wimble & Co working paper
Name of client: identifies the client being audited.
Period-end date: identifies the period to which the audit work relates.
Subject: identifies the topic of the working paper such as the area of the financial statements being audited, or the overall purpose of the work.
Working paper reference: provides a clear reference to identify the working paper. RA1 is the first working paper in the risk assessment section.
Preparer: identifies the name of the audit team member who prepared the working paper to enable any queries to be directed to the relevant person.
Date prepared: the date the audit work was performed, the end of the time period to which issues were considered.
Objective: this explains the relevance of the work being performed (in relation to financial statement assertions where appropriate).
Work performed: the work done cross-referenced to supporting working papers, including details of the sources of information, and items selected for testing (where relevant).
Results of work performed: any significant issues identified, exceptions or other significant observations including whether further audit work is necessary.
Conclusions: key points (including whether the area is true and fair where relevant).
Reviewer: the name of the audit team member who reviewed the work.
This provides evidence of the review as required by ISAs.
Date of review: this must be before the audit opinion is signed.
Types of audit documentation
Audit documentation includes:
- Planning documentation
– overall audit strategy
– audit plan
– risk analysis
- Audit programmes
- Summary of significant matters
- Written representation from management
- Copies of client records.
Permanent audit file
For large audits much of the knowledge of the business information may be kept on a permanent file and the audit plan may contain a summary or simply cross refer to the permanent file. Typical information on a permanent file includes:
- Names of management, those charged with governance, shareholders
- Systems information
- Background to the industry and the client’s business
- Title deeds
- Directors’ service agreements
- Copies of contract and agreements.
Example contents of a current audit file
The audit work for a specific period is kept on a current file.
Typically, there are at least three sections:
The main element of this section is likely to be the Audit Planning Memorandum.
This document is the written audit plan and will be read by all members of the audit team before work starts. Its contents are likely to include:
- Background information about the client, including recent performance
- Changes since last year’s audit (for recurring clients)
- Key accounting policies
- Important laws and regulations affecting the company
- Client’s trial balance (or draft financial statements)
- Preliminary analytical procedures
- Key audit risks
- Overall audit strategy
- Materiality assessment
- Timetable of procedures
- Staffing and a budget (hours to be worked x charge out rates)
- Locations to be visited.
Working papers are likely to consist of:
- Lead schedule – showing total figures, which agree to the financial statements.
- Back-up schedules – breakdowns of totals into relevant sub-totals.
- Audit work programme detailing:
– The objectives being tested
– Work completed
– How samples were selected
– Conclusions drawn
– Who did the work
– Date the work was completed
– Who reviewed it.
The completion (also known as review) stage of an audit has a number of standard components:
- Going concern review
- Subsequent events review
- Final analytical procedures
- Accounting standards (disclosure) checklist
- Written representation from management
- Summary of adjustments made since trial balance produced
- Summary of unadjusted misstatements
- Draft final financial statements
- Draft report to those charged with governance and management letter.
Security of working papers
Who owns the working papers?
The auditor owns the audit working papers. This is important because:
- Access to the working papers is controlled by the auditor, not the client, which is an element in preserving the auditor’s independence.
- In some circumstances care may need to be taken when copies of client generated schedules are incorporated into the file.
Working papers must be kept secure.
- By its nature, audit evidence will comprise confidential, sensitive information. If the files are lost or stolen, the auditor’s duty of confidentiality will be compromised.
- Audits are expensive. If the files are lost or stolen, the evidence they contain will need to be recreated, so the work will need to be done again. The auditors may be able to recover the costs from their insurers, but otherwise it will simply represent a loss to the firm.
- There have been cases of unscrupulous clients altering auditors’ working papers to conceal frauds.
The implications of IT-based audit systems are also far reaching.
- By their nature, laptops are susceptible to theft, even though the thief may have no interest in the contents of the audit file. Nevertheless, all the problems associated with re-performing the audit and breaches of confidentiality remain.
- It is more difficult to be certain who created or amended computer based files than manual files – handwriting, signatures and dates have their uses – and this makes it harder to detect whether the files have been tampered with.
This means that the following precautions need to be taken.
- If files are left unattended at clients’ premises – overnight or during lunch breaks – they should be securely locked away, or if this is impossible, taken home by the audit team.
- When files are left in a car, the same precautions should be taken as with any valuables.
- IT-based systems should be subject to passwords, encryption and back up procedures.
Test your understanding 1
You are an audit senior responsible for understanding the entity and its environment and assessing the risk of material misstatements for the audit of Rock Co for the year-ending 31 December. Rock Co is a company listed on a stock exchange. Rock Co is engaged in the wholesale import, manufacture and distribution of basic cosmetics and toiletries for sale to a wide range of stores, under a variety of different brand names. You have worked on the audit of this client for several years as an audit junior.
- Describe the information you will seek, and procedures you will perform in order to understand the entity and its environment and assess risk for the audit of Rock Co.
- You are now nearing the completion of the audit of Rock Co. Draft financial statements have been produced. You have been given the responsibility of performing a review of the audit files before they are passed to the audit manager and the audit partner for their review. You have been asked to concentrate on the proper completion of the audit working papers. Some of the audit working papers have been produced electronically but all of them have been printed out for you.
Describe the types of audit working papers you should expect to see in the audit files and the features of those working papers that show that they have been properly completed.
(Total: 20 marks)
Test your understanding 2
You are the audit manager responsible for planning the audit of Rottnest Co. During the planning of the audit you have identified an increased risk of material misstatement due to fraud. The audit strategy and audit plan reflect this increased risk.
- Which of the following statements regarding fraud is correct? A The auditor may not detect all material fraud in the financial
statements but this won’t necessarily mean the auditor has been negligent due to the nature of fraud and the likelihood of concealment
B The auditor must detect all material fraud in the financial statements
C The auditor must detect every fraud in the financial statements
D The auditor is not responsible for detecting fraud as this is management’s responsibility
- If material misstatement as a result of fraud is detected during the audit, and is not corrected by management, how will this be communicated to the shareholders?
A The auditor must send a letter to the shareholders informing them of the fraud
B The auditor must speak at the annual general meeting and specifically inform them
C The auditor will report it to the police and the police will notify the shareholders
D Through the auditor’s report as the opinion will be modified
- Which of the following procedures must the auditor perform to respond to the risk of fraud?
- The auditor must obtain written representation from management confirming they have disclosed all known and suspected frauds to the auditor.
- The auditor must incorporate an unpredictable element into the design of their audit procedures.
- The auditor must test year-end journal entries and estimates which may be used to manipulate the financial statements.
- (i) and (ii) only
- (i) and (iii) only
- (ii) and (iii) only
- (i), (ii) and (iii)
- Which of the following statements is true in respect of the audit plan?
A The audit plan sets out the scope, direction and framework for the audit
B The audit plan contains the detailed audit procedures designed to obtain sufficient appropriate evidence including the objective of each procedure and the sample size to be tested
C The plan includes preliminary engagement activities such as materiality and risk assessment
D The audit plan is developed before the audit strategy
- Which matters will not be included in the audit strategy? A Risk assessment and materiality
B Communications with the client
C Specific audit procedures to respond to the risks assessed D The need for professional scepticism
Test your understanding 3
Your firm has recently been appointed auditor of Albany Co, a large company with sophisticated computer systems. The planning is shortly due to commence. It has been agreed with the client that an interim and final audit will be performed.
- Which of the following is NOT a benefit of planning the audit? A It ensures the audit is performed efficiently and effectively B It helps identify the resources to be allocated
C It ensures the financial statements will be correct
D It minimises the risk of issuing an inappropriate audit opinion
- Which of the following is NOT part of the planning stage of the audit?
A Preliminary materiality assessment B Risk assessment
C Developing the audit strategy D Final analytical procedures
- Which of the following is the most appropriate time to perform an interim audit?
A After the year-end before the auditor’s report is signed B Before the year-end
C At the same time as the final audit
D After the auditor’s report has been signed
- Which of the following will NOT be performed at the interim audit?
A Obtaining written representation from management B Tests of controls
C Transaction testing for transactions that have occurred to date D Performing risk assessment procedures
- What are the main reasons for performing an interim audit?
- To increase fee income for the firm.
- To reduce time pressure at the final audit.
- To assess the level of control risk and determine the amount of substantive testing required at the final audit.
- (i) and (ii) only
- (i) and (iii) only
- (ii) and (iii) only
- (i), (ii) and (iii)
Test your understanding 4
You are the partner within Mosaic Co. Your firm has an established reputation for performing high quality audits. Your firm has a quality control procedures document which is updated regularly. The procedures document is published in the employee handbook which each employee receives a copy of on joining the firm. The procedures are also available on your firm’s intranet site so staff are able to access it at any time. The firm’s procedures have been designed to ensure compliance with ISA 220 Quality Control for an Audit of Financial Statements.
- At the start of an audit, all audit team members are required to attend a planning meeting where they are informed of the nature of the client, the risks identified to date and any other issues of which they should be aware when performing the audit.
This is an example of which element of quality control? A Direction
B Consultation C Review
- Which of the following is NOT an element of a quality control system?
A Human resources
B Engagement performance
C Engagement quality control review D Monitoring
- Which of the following are primary reasons why a firm should perform audits to a high standard of quality?
- To maintain confidence in the audit profession.
- To ensure auditor’s reports issued are appropriate.
- To avoid punishment.
- To ensure clients receive a competent and professional service.
- (i) and (ii)
- (i), (iii) and (iv)
- (iii) and (iv)
- (i), (ii) and (iv)
- Which of the following should NOT perform an Engagement Quality Control Review?
A External consultant
B Engagement partner of the client subject to review
C Engagement partner of the audit firm not involved with the client subject to review
D Senior manager or director of the audit firm not involved with the client subject to review
- Which of the following statements regarding quality control is false?
A Where deficiencies in quality control procedures are identified the firm should take action such as providing additional training or increasing the frequency of quality control reviews.
B The firm only needs to act on quality control deficiencies identified by an external quality control review such as that performed by the ACCA.
C The firm should monitor its quality control procedures and policies on a regular basis to ensure they are working effectively.
D Every person within the audit firm has a responsibility to ensure quality control is adhered to.
Test your understanding 1
- Information and procedures: understanding the entity and its environment and risk assessment for Rock Co
- Understanding the entity and risk assessment is likely to involve a review of prior year risk assessments as a starting point and the identification of changes during the year from the information gathered that may alter that assessment.
- Risk assessment procedures involve enquiries of management and others, analytical procedures and observation and inspection. Members of the engagement team should discuss the susceptibility of the financial statements to material misstatements.
- Risk assessment also involves obtaining an understanding of the relevant industry, regulatory and other matters including the financial reporting framework, the nature of the entity, the application of accounting policies, the entity’s objectives and related business risks, and its financial performance. This may involve:
- Review of prior year working papers noting any particular issues that require attention in the current year.
- Discussions with the audit manager of Rock in prior years to establish any particular problem areas.
- Discussions with Rock to identify any problem areas.
- Review of any third party information on the client such as press reports.
- Review of management accounts, any financial information provided to the stock exchange or draft financial statements that may be available to establish trends in the business.
- Review of any changes in stock exchange requirements.
- Review of systems documentation (either generated by Rock Co or held by the firm) to see if it needs updating.
- Auditors should obtain an understanding of the control environment, the entity’s process for identifying and dealing with risks, information systems, control activities and monitoring of contents.
- Risks should be assessed at the financial statements level, and at the assertion level, and identify significant risks that require special audit consideration, and risks for which substantive procedures alone do not provide sufficient, appropriate audit evidence.
- Analytical procedures are often used to highlight areas warranting particular audit attention. In the case of Rock Co, they are likely to focus on inventory which is likely to have a significant effect on profit (there may be slow-moving or obsolete inventory that needs to be written down) and on property, plant and equipment which (as a manufacturer and distributor) is likely to be a significant item on the statement of financial position.
- Risk assessment will facilitate the determination of materiality and tolerable error (calculations are normally based on revenue, profit and assets) that will be used in determining the sample sizes and in the evaluation of errors.
- Types and features of audit working papers
- Types of audit working papers include:
- Systems documentation (flowcharts, systems manuals, narrative notes, checklists and questionnaires, etc.)
- Constitutional documents
- Agreements with banks and other providers of finance
- Details of other advisors used by the entity such as lawyers
- Regulatory documentation relating to the stock exchange listing
- Audit planning documentation
- Audit work programs
- Working papers showing the work performed
- Lead schedules showing summaries of work performed and conclusions on individual account areas and the amounts to be included in the financial statements
- Trial balances, management accounts and financial statements
- Standard working papers relating to the calculation of sample sizes, for example
- Schedules of unadjusted differences
- Schedules of review points
- Letters of deficiency and written representation letters.
- Features of audit working papers. All working papers (without exception) should show:
- By whom they were prepared and when.
- When they were reviewed and/or updated, and by whom, by means of signatures and dates – these may be electronic in the case of electronic working papers.
- Audit planning documentation should include the risk assessment which should be cross referenced to the audit program, and the audit program should be cross referenced to the audit working papers and vice versa.
- Working papers showing the work performed should be cross referenced to the audit program and the lead schedule on that particular section of the audit file, and should describe the nature of the work performed, the evidence obtained, and the conclusions reached.
- Each section of the audit file should have a lead schedule which should be cross referenced back to the relevant working papers.
- Trial balances should be cross referenced back to the relevant section of the audit file, and cross referenced forward to the financial statements.
- The financial statements should be cross referenced to the trial balance.
- Schedules of unadjusted differences should be cross referenced to the sections of the file to which they relate.
- Schedules of review points should all be ‘cleared’ to show that all outstanding matters have been dealt with.
Test your understanding 2
|(1)||A||The auditor should plan and perform the audit to have a|
|reasonable expectation of detecting material fraud and|
|error. However, if a fraud is very well concealed, even a|
|very thorough audit may not detect it.|
|(2)||D||Material misstatements are brought to the attention of|
|the shareholders by modifying the audit opinion.|
|(3)||D||All three procedures must be performed to respond to|
|the risk of fraud.|
|(4)||B||Options A and C describe aspects of the audit strategy|
|The audit strategy is developed before the audit plan.|
|(5)||C||Specific procedures are included in the audit plan.|
Test your understanding 3
|(1)||C||Financial statements cannot be verified as being|
|correct due to the inclusion of estimates and|
|(2)||D||‘Final’ analytical procedures are performed at the|
|completion stage of the audit.|
|(3)||B||The interim audit helps to develop the audit strategy. It|
|should take place before the year-end to avoid|
|interfering with the client’s year-end procedures but|
|should not be so early to be of little use.|
|(4)||A||Written representations are obtained at the end of the|
|audit, just before the auditor’s report is signed.|
|(5)||C||An interim audit may result in increased fees for the|
|firm if a greater amount of work is performed. However,|
|this is not a reason for performing an interim audit. The|
|interim audit is a means of spreading the workload|
|over a longer period to avoid time pressure.|
|Test your understanding 4|
|(1)||A||Briefing of the audit teams forms part of the direction of|
|(2)||C||Engagement quality control review is part of|
|engagement performance and monitoring.|
|(3)||D||Quality is important for upholding the reputation of the|
|profession and the firm in order to maintain investor|
|confidence. Avoiding punishment is not the primary|
|reason for ensuring a quality audit is performed.|
|(4)||B||An EQCR should be performed by someone|
|independent of the engagement and someone of|
|suitable authority such as a senior manager, director or|
|(5)||B||The firm should perform its own quality control reviews|
|and take action as necessary to ensure quality control|
|procedures are followed.|