CHAPTER I

CHAPTER II

THEORIES

There are three main reason why the auditor should properly plan engangements:

1. To obtain sufficient competent evidence for the circumstances

2. To help keep audit costs reasonable
3. To avoid misunderstanding with the client

Planning on audit and designing on audit approach

Accept client and perform

Initial audit planning

Understand the clients business and

industry

Assess client business risk

Perform preliminary analytical procedure

Set materiality and assess acceptable

audit risk and inherent risk

Understand internal control and assess

control risk

Gather information to assess fraud risks

Develop overall audit plan and audit

program
Initial audit planning

1. Client acceptance and continuance

2. Identify client’s reasons for audit
3. Obtain an understanding with the client
4. Develop overall audit strategy

Gain an understanding of the client’s business and industry.

Assess client businnes risk

Client business risk is the risk that the client will fail to achieve its objectives

Materiality

Materiality is a major consideration in determining the appropriate audit report to issue.

Materiality as the magnitude of an omission or misstatement of accounting information that,
in the light of surrounding circumstance, makes it probable that the judgment of a reasonable
person relying on the information would have been changed or influenced by the omission or
misstatement.

2
Because auditors are responsible for determining whether financial statements are materiality
misstated, they must upon discovering a material misstatement, bring it to the client’s
attention so that a correction can be made. If the client refuses to correct the statements, the
auditor must issue a qualified or an adverse opinion, depending how on how material the
misstatement is.

Auditors follow five closely related steps in applying materiality. The auditor fist sets a
preliminary judgment about materiality and then allocates this estimate to the segments to the
segments of the audit.

Set preliminary judgment about

materiality

Allocate preliminary judgment

about materiality

Estimate total misstatement in

segment

Estimate the combined

misstatement

Compare combined estimate with

judgment about materiality

Set Preliminary Judgment about Materiality

2
Auditing Standards require auditors to decide on the combined amount of misstatements in
the financial statement that they would consider material early in the audit as they are
developing the overall strategy for the audit. It refer to this as the preliminary judgment about
materiality. It is called a preliminary judgment about materiality because, although a
professional opinion, it may change during the engagement. This judgment must be
documented in the audit files.

Several factors affect the auditor’s preliminary judgment about materiality for a given set of
financial statements. The most important of these are:

 Materiality is a relative rather than an absolute concept

A misstatement of a given magnitude might be material for small company, whereas
the some dollar misstatement could be immaterial for a large one

 Bases are needed for evaluating materiality

Because materiality is relative, it is necessary to have bases for establishing whether
misstatements are material

 Qualitative factors also affect materiality

Certain types of misstatements are likely to be more important to users tha others, even if
the dollar amounts are the same.

Risk

Risk is a probability or threat of a damage, injury, liability, loss, or other negative occurrence
that is caused by external or internal vulnerabilities, and that may be neutralized through
preemptive action. The audit risk model helps auditors decide how much and what types of
evidence to accumulate in each cycle.

Types of Risk

 Planned detection risk

Is the risk that audit evidence for a segment will fail to detect misstatement exceeding
tolerable misstatement.

 Inherent risk

2
 Inherent risk measures the auditor’s assessment of the likelihood that there are material
misstatement ( errors or fraud ) in a segment before considering the effectiveness of
internal control.

 Control risk
Control risk measures the auditor’s assessment of whether misstatements exceeding a
tolerable amount in a segment will be prevented or detected on a timely basis by the
client’s internal control.

 Acceptable audit risk

Is a measure of how willing the auditor is to accept that the financial statements may be
materiality misstated after the audit is completed and an unqualified opinion has been
issued.

Factor affecting acceptable audit risk

 The degree to which extend users rely on the statements

 The likelihood that a client will have financial difficulties after the audit report is issued
 The auditor’s evaluation management’s integrity

Factor affecting inherent risk

 Nature of the client’s business

 Results of previous audits
 Initial versus repeat engagement
 Related parties
 Non routine transactions

2
 CHAPTER III

ANALYSIS AND IMPLEMENTATION

III.1 Audit Planning

1. Perform risk assessment procedures and identify risks

For the risk assessment, RPM have considered client’s top risks based on:

• Previous experience;
• The Business Plan;
• Discussions with the COO;
• Audit work for the year and their follow up review; and
• A consideration of client’s risk register.
We have summarised below Monitor’s primary risks against the current strategic objectives and
indicate the related audits proposed

2. Determine audit strategy

Example of RPM audit strategy is the internal audit strategy. Their Internal Audit strategy for Monitor
categorises the organisation into 3 systems as follows:

1) Operational systems: these include the main systems associated with the delivery of Monitor’s
core duties as regulator.
 Assessment: The number of Foundation Trusts is planned to increase and, as a result, Monitor
will need to ensure it continues to be restheirced with a capable and experienced team in order
to maintain a rigorous assessment process.
 Compliance: Their Internal Audit strategy will continue to consider Monitor’s approach
scalability and the capacity of senior management and the Board to provide effective
oversight over an increasing number of FTs.
 Intervention: Monitor has recently revised the Compliance Framework to include a core
Escalation and Intervention framework. Their work will include conducting compliance based
audits to ensure the Escalation and intervention framework is being appropriately applied.

2) Support systems: includes those functions and systems which indirectly contribute towards
these core operational duties through the provision of services and restheirces to the operational
systems.
 Knowledge Management: During 2009 Monitor commissioned a review of its information
and knowledge management systems and processes and following the review appointed a
Director of Knowledge Management in 2010.
 Financial Systems: This core area of their internal audit work will fundamentally remain
unchanged. The focus will be on providing assurance to both Monitor and the NAO, as
external auditors, over the design and operation of controls on the core financial systems,

2
 including Accounting Systems, Payroll & Expenses, Treasury Management, Accounts
Payable, Fixed Assets, Budgeting and Forecasting.
 Transition Planning: Monitor will need to commence planning imminently for the design and
implementation of a new organisation which is ‘fit for purpose’ in 2012 while maintaining its
core business of assessment, compliance and intervention.

3) Governance framework: includes the overarching functions. These are processes and entity
level controls in place to ensure the effective and proper performance of both operational and
support systems and to co-ordinate and oversee the progress and direction of Monitor as a whole.
 Corporate Governance: As Monitor is expected to serve as a beacon of good practice in this
area, RPM will continue to review compliance with the Combined Code, the NHS Foundation
Trust Code of Corporate Governance, HM Treasury guidance and current good practice.
 Strategic Planning: Monitor’s three year corporate plan was renewed and the Business Plan
has been published.
 Stakeholder Influencing: Key to Monitor’s ability to influence the development of a devolved
healthcare system is strong stakeholder management and engagement, including how roles
and responsibilities are defined and communicated across the stakeholder network.

3. Determine planned audit approach

RPM have their new VFM audit approach. They will follow a risk based approach to target audit
effort on the areas of greatest audit risk.

Overview of the VFM audit approach, which shoRPMd by the key elements of the VFM audit
approach are summarised below.

1) Audit Risk Assessment: RPM will consider the relevance and significance of the potential
business risks faced by all authorities, and other risks that apply specifically to the Police
Authority. In doing so RPM will consider:
• the Authority’s own assessment of the risks it faces, and its arrangements to manage and
address its risks;
• Information from the Audit Commission’s VFM profile tool;
• evidence gained from previous audit work, including the response to that work; and
• the work of the Audit Commission, other inspectorates and review agencies (where
relevant to their VFM audit responsibilities).
2) Financial Statements Audit: There is a degree of overlap between the work RPM do as part of
the VFM audit and their financial statements audit. RPM have always sought to avoid
duplication of audit effort by integrating their financial statements and VFM work, and this
will continue. RPM will therefore draw upon relevant aspects of their financial statements
audit work to inform the VFM audit.

2
3) Residual Audit Risk: It is possible that theirfinancial statements audit and previous VFM audit
work may provide the assurance RPM need for the VFM audit. To inform any further work
RPM must draw together an assessment of residual audit risk, taking account of the work
undertaken already.
4) Identifying Further Work: It is possible that RPM may not identify any residualaudit risks and
instead have obtained all the evidence and assurance required from their financial statements
and other audit work. If so, no further work will be necessary prior to issuing the VFM
conclusion. If RPM do identify residual audit risks, then RPM will consider the most
appropriate audit response in each case, including:
• highlighting the risk to the Authority;
• deferring any work because of current or planned work by the body or the Audit
Commission, other in spectorates and review agencies (and/or considering theresults of
such work); or
• carrying out local risk-based work to form a view on the adequacy of the Authority’s
arrangements for securing economy, efficiency and effectiveness in its use of
restheirces.
5) Delivery of Local Risk-Based Work: Depending on thenature of the residual audit risk
identified, RPM will be able to draw on the following audit tools and stheirces of guidance
when undertaking specific local risk-based audit work:
 localsavings review guides based on selected previous Audit Commission national
studies.
Any detailed work will also make reference to the detailed VFM characteristics, as
appropriate, and any self assessment the Authoritymay prepare against the characteristics.
6) Conclude on VFM arrangements: At the conclusion of the VFM audit RPM will consider
theresults of the work undertaken and assess the assurance obtained against each of the VFM
themes regarding the adequacy of the Authority’s arrangements for securing economy,
efficiency and effectiveness in the use of restheirces.
7) Reporting: RPM will report on the results of the VFM audit through their Interim Audit
Report and their Report to those charged with governance. These reports will summarise their
progress in delivering the VFM audit, the results and any specific matters arising, and the
basis for their overall conclusion.
The VFM conclusionwill be one of the following:
• unqualified –meaning RPM are happy that in all significant respectsthe Authorityhas
proper arrangements for securing economy, efficiency and effectiveness in the use of its
restheirces; or

2
 • except for qualification –meaning RPM are generally satisfied with the adequacy of the
arrangements in place, except for one or more specific issues highlighted during the
audit that relate to specific VFM criteria; or
• adversequalification –meaning RPM are unable to conclude that the Authority has
adequate arrangements in place.

III.2 MATERIALITY
Their audit work is planned to detect errors that are material to the accounts as a whole.

What do the company mean by materiality?

In layman terms, materiality is the margin of error the company will accept before the
company qualify their opinion on the accounts.

Why do the company have a level of materiality?

The company only have a limited time in which to complete their work. As a result, the
company focus their testing on a sample of transactions rather than everything. To make their
sample testing most effective, their work is driven by an assessment of risk and a level of
materiality. This means the company sample test the transactions that are more likely to be
prone to significant fraud or error.

Determining materiality
 The company consider quantitative and qualitative factors in setting materiality and
indesigning their audit procedures.

 Materiality has been set at 1.8%of total income.

 The company design their procedures to detecterrors at a lothe companyr level of

precision. The company have some flexibility to adjust this level downwards.

Reporting to Audit Committee

To comply with auditing standards, the following three types of audit differences will be
presented to the Audit Committee :
−summary of adjusted audit differences
−summary of unadjusted audit differences
−summary of disclosure differences (adjusted and unadjusted).

The company will not report audit and disclosure differences that are considered to be trivial

2
Independence and objectivity confirmation
Professional standards require auditors to communicate to those charged with governance, at
least annually, all relationships that maybe ar on the firm’s independence and the objectivity
of the audit engagement partner and audit staff. The standards also place requirements on
auditors in relation to integrity, objectivity and independence. The ISA defines‘ those charged
with governance’ as‘ those persons entrusted with the supervision, control and direction of an
entity’. In ytheir case this is the Audit Committee. RPM is committed to being and being seen
to be independent. APB Ethical Standard1 requires us to communicate to you in writing all
significant facts and matters, including those related to the provision of non- audit services
and the safeguards put in place, in their professional judgement, may reasonably be thought
to be aron RPM independence and the objectivity of the Engagement Lead and the audit
team.

Confirmation statement The company confirm that as of 1 January 2011, in their

professional judgement, RPM is independent with in the meaning of regulatory and
professional requirements and the objectivity of the Appointed Auditor and audit team is
impaired.

III.3 How to evaluate and test internal control

BALANCE OF INTERNAL CONTROLS AND SUBSTANTIVE TESTING
The picture below illustrates how the company determine the most effective balance of
internal controls and substantive audit testing.

2
 In the picture above we can see that the balance of the substantive testing and the
internal control testing in RPM. The RPM will use extensive control testing and reduced
the substantive testing if the type of the transaction/accounts is low value transaction,
high volume, and homogeneous transaction . The example of this type of
transactions/accounts is income and debtors, purchases and payables, and payroll. And
for the situation the RPM use moderate control testing and moderate substantive testing is
when the type of transaction is low/medium value and high/medium volume. The
example of this type of transaction/accounts is tangible of fixed asset. And the last is the
RPM will use limited control testing and extensive substantive testing when the type of
transaction is high value and low volume.

And now how the RPM do the test of control?

The senior assessment team should test the effectiveness of the controls to determine if
the controls are operating effectively and may be relied upon to ensure the assertions are
valid. The determination of whether the controls have been applied throughout the period of
testing may be accomplished by the senior assessment team selecting a sample of transactions
processed throughout the period, based on the sampling plan. The sample should be selected
from the complete population of the transactions for which controls are to be tested. The
completeness of the population should be verified by comparison with the original data
source. Testing the controls requires reperforming the transactions or controls or applying

2
 other test techniques to the selected transactions and determining if the controls performed as
designed and expected. The type of the document that can be take for the sample are: Existing
policy and procedure manuals, Existing forms and documents, Transaction cycle narrative,
Transaction cycle flowchart.

RPM also use the five components of internal control that basic of COSO (The Commite
Of Sponsoring Organizations) internal control-intergrate framework. And the components
are:

1. Evaluate Control environment : The control environment is the organization structure and
culture created by management
and employees to sustain organizational support of internal control. The control
environment
is the foundation for all other components of internal control. Following aspects of
control environment is:
 Management’s philosophy and operating style
 Delegating authority and responsibility.
 Organization structure and resources.
 Commitment to competence
 Integrity and ethical standards

2. Evaluate risk assessment process: determining how the organization establishes

objectives, identifies the risks that would prevent achievement of the objectives, estimates
the significance of the risks in relation to financial reporting, assesses the possible
existence of the risks in the current environment, and continues to monitor changes to the
environment that mayincrease or reduce the risks.

3. Evaluate the control activities: Control activities, frequently referred to simply as

controls, include policies, procedures, and mechanisms that help ensure the control
objectives are met and that management’s. Examples of control activities that might be
present include:
• Top-level reviews of actual performance
• Reviews by management at the functional or actual level
• Controls over information processing
• Physical controls over vulnerable assets
• Establishment and review of performance measures and indicators
• Segregation of duties

2
4. Evaluate the Information and Communication Processes : Information related to
financial reporting should be communicated to relevant personnel at all levels within the
organization. The information should be relevant, reliable, and timely. evaluate the
organization’s financial reporting processes to determine whether information is based
upon integrated systems or the same source information
5. Evaluate the monitoring process: evaluate whether each agency is performing its own,
independent monitoring and evaluation of the ICOFR environment and identifying and
correcting deficiencies in a timely fashion throughout the year.

III.4 How to design audit program

The audit process of RPM
The ftheir key stages of RPM financial statements audit process are presented below.

The RPM International Audit Methodology addresses both manual and automated
controls and requires use of information technology professionals and other specialists by
member firms in the core audit engagement team when appropriate. The methodology also
includes procedures aimed at detecting and responding to the risk of material misstatement
resulting from fraud; Communications relating to the engagement team’s exercise of
professional skepticism with respect to potential fraud risk factors have been reinforced and
enhanced.

There is a suite of technology tools to support the RPM International Audit

Methodology. These tools promote consistent implementation of the audit process globally,
and drive audit quality. Leveraging technology to further improve the audit experience for

2
clients and audit professionals is a key component of RPM International’s Audit IT strategy.
RPM International’s next generation audit tool, eAudIT, is scheduled for full global
deployment in 2010.

CHAPTER IV

CONCLUSION

The audit planning implemented by RPM are the same with the theory we learned, but with
those who have much experience, they've revised the audit planning they do. RPM
summarized their audit planning into three activities, which are perform risk assessment
procedures and identify risks, determine audit strategy and determine planned audit approach.
Also in determining materiality and evaluating internal control, they do based on their audit
program, RPM International Audit Methodology, which includes all the requirements of the
International Standards on Auditing (ISAS).