1.1. Summary
As we know, an audit is an official inspection of an organization's accounts, typically by an
independent body. But an audit is a very systematic process. Different types of audit require
different audit approaches based on the type of organization and the risks involved.
In this report, titled 'Audit Approach', we discuss the different approaches auditors choose
based on different levels of risk, types of organizations and the extent of internal control. In addition,
every audit requires an engagement. The essentials of an audit engagement are also
included in this report. After reading it, the reader will know when to use which
approach and the procedure of engagement.
1.2. Methodology
All the information included in this report is based on secondary data.
Audit Approach
The approach chosen should be both effective and efficient, based on the preceding factors.
The following general audit approaches are most commonly used, depending on the
circumstances:
➢ When the internal control system is strong: The emphasis is on testing and validating
the client's system of internal controls. If the controls are proven to be strong,
then substantive testing can be significantly reduced. This is a more efficient audit
approach.
➢ When the focus is on client risk: The auditor spends time reviewing where there is risk
in a client's systems, and then designs an audit approach that focuses primarily on high-
risk areas. Conversely, low-risk areas receive little auditor attention.
➢ When the focus is on the balance sheet: The audit focus is on testing the balances in
the accounts comprising the balance sheet. By proving the balance sheet, the
assumption is that all other transactions will flush out through the income statement,
which will therefore require little testing.
3. Risk Assessment
3.1. Business Risk: Business risk is the risk inherent to the company in its operations. It
includes risks at all levels of the business. There are three general categories of business risk:
- Financial risks are the risks arising from the financial activities or financial
consequences of an operation, for example, cash flow issues or overtrading
- Operational risks are the risks arising with regard to operations, for example, the risk
that a major supplier will be lost and the company will be unable to operate
- Compliance risk is the risk that arises from non-compliance with laws and regulations
that surround the business, for example a restaurant failing to comply with food hygiene
regulations might face fines, enforced closure, legal action from customers and so on
3.2. Audit Risk: The risk of giving an inappropriate opinion in relation to the financial
statements. It has three components.
- Inherent risk is the susceptibility of an assertion to misstatement that could be material,
individually or when aggregated with other misstatements, assuming that there were no
related internal controls.
- Control risk is the risk that a misstatement that could occur in an assertion and that
could be material, individually or when aggregated with other misstatements, will not
be prevented or detected and corrected on a timely basis by the entity's internal control.
- Detection risk is the risk that an auditor’s procedures will not detect a misstatement that
exists in an assertion that could be material, individually or when aggregated with other
misstatements.
5. Risk Analysis
Assurance firms will carry out a risk analysis before accepting clients. This is partly to
determine what fee they think is appropriate for the engagement (the higher risk the client, the
greater the benefit that the firm will want from undertaking the engagement) but also to lay
foundations for understanding the risks associated with the engagement if it is taken on and the
amount of work that will have to be undertaken to reduce assurance risk to an acceptable level
for that assignment. When carrying out risk analysis prior to accepting a client, assurance
providers will be seeking to determine:
- Whether the directors/management of the company appear to have integrity: This can
be assessed by looking at the accounting policies of the company (are they prudent and
conservative or imprudent?) and the qualifications of the finance director it employs,
or by obtaining references for key personnel from parties known to the assurance firm,
such as bankers or solicitors, or the previous auditors.
- Whether the company has a good financial record, resources and outlook: This can be
assessed by looking at recent financial performance and reports and by making
enquiries (with permission) from its bankers.
- Whether the company appears to have good internal control, or, at minimum, a good
control environment: This might be indicated by the existence of an internal audit
department, or assessed through inquiries of management.
- Whether the company has unusual transactions: this can be assessed by reviewing
published financial statements.
In general terms, if the directors appear to have integrity, the financial record is strong and
prospects look good, there is a good attitude to internal control in the company and it has few
unusual transactions, then it is lower risk than a company for which those things are not true.
If a firm determines that a company is a high-risk client, this does not necessarily mean that
the firm will not accept the engagement, but this preliminary assessment of risk will be
incorporated into the audit procedures when risk assessment identification and procedures are
carried out on the engagement. Another area constituting risk to the auditor is the risk that the
client may be money laundering. Accountants are required to report suspicions of money
laundering and failure to report a suspicion is a criminal offence. The auditors are also required
to carry out client due diligence with respect to money laundering at the start of an engagement.
6. Audit Confidence
To reduce the level of risk that the financial statements might be wrong, the auditors have to
build up audit confidence based on sufficient appropriate audit evidence. There are three
sources of audit confidence.
- Controls
- Test of Details
- Analytical Procedure
To derive audit confidence from the client’s controls, auditors have to ascertain them by
enquiry, document them and then test them to make sure that:
- They operate in the way they think they do (by walkthrough testing); and
- They are effective (by tests of controls).
During the planning process the audit team decides on the use of these sources to give sufficient
audit confidence and what the mix should be. The audit plan will record the approach to be
used as decided on by the audit team.
7. Reliance on Control
BSA 500 says auditors need to carry out tests of controls under two sets of circumstances:
➢ When they are intending to rely on controls to reduce audit risk
➢ When they are unable to derive sufficient evidence from substantive procedures.
The type of testing will depend on the nature of the control. Where procedures may be more
difficult to devise, the auditors could
➢ Review the minutes of the relevant meetings.
➢ Select a sample of projects and make actual/budget comparisons and then follow up to
see what the client did in response to any overruns.
➢ Attend the relevant meetings and observe how they are conducted, but they would need to
be careful about whether the auditors' presence at the meeting will affect the way the
meeting is conducted.
is the auditor justified in assuming that, for example VAT will be calculated correctly
and that control accounts will be updated properly?
8. Substantive Approach
The substantive audit approach is one of the audit approaches used by auditors to verify
the events and transactions in the financial statements by covering the largest volume of them.
The principle of the substantive audit approach is that when auditors cover the largest volumes
of high-value financial transactions and events in the financial statements, there is less risk
that material misstatements go undetected. Substantive procedures fall into two categories:
The auditor must always carry out substantive procedures on material items. BSA 330 says
“irrespective of the assessed risk of material misstatement, the auditor should design and
perform substantive procedures for each material class of transactions, account balance and
disclosure”. In addition, the auditor must carry out the following substantive procedures:
• Agreeing the financial statements to the underlying accounting records
• Examining material journal entries
• Examining other adjustments made in preparing the financial statements
The auditor must determine when it is appropriate to use which type of substantive procedure.
(a) Analytical procedures tend to be appropriate for large volumes of predictable transactions
(for example, wages and salaries).
(b) Other procedures (tests of detail) may be appropriate to gain information about account
balances (for example, inventories or trade receivables), particularly verifying the
assertions of existence and valuation.
Tests of detail rather than analytical procedures are likely to be more appropriate with regard
to matters which have been identified as significant risks, but the auditor must determine
procedures that are specifically responsive to that risk, which may include analytical
procedures. Significant risks are likely to be the most difficult to obtain sufficient appropriate
evidence about. How much substantive testing is carried out will depend on:
- Whether the auditor wants to rely on controls in the first place (in which case
substantive testing might be reduced)
- Whether controls testing reveals that controls can be relied on (if they cannot, the
auditors will have to increase substantive testing)
An effective internal audit function may reduce, modify or alter the timing of external audit
procedures, but it can never eliminate them entirely. Even where the internal audit function is
deemed ineffective, it may still be useful to be aware of the internal audit conclusions. The
effectiveness of internal audit will have a great impact on how the external auditors assess the
whole control system and the assessment of audit risk. The BSA says that 'the external auditor
should obtain a sufficient understanding of internal audit activities to identify and assess the
risks of material misstatement of the financial statements and to design and perform further
audit procedures. The external auditor should perform an assessment of the internal audit
function when internal auditing is relevant to the external auditor's risk assessment'.
- Organizational Status: Consider to whom internal audit reports (should be the board or the
audit committee, a subcommittee of the board, which, when it exists, monitors the work of
internal audit), whether internal audit has any operating responsibilities and constraints or
restrictions on it (e.g. that it is not adequately resourced)
- Scope of function: Consider extent and nature of assignments performed and the action
taken by management as a result of internal audit reports
- Technical Competence: Consider whether internal auditors have adequate technical training and
proficiency
There should normally be at least one other person involved on the audit to review the work
done. Beyond this the precise make-up of the team will depend on the scale of the engagement
and the different roles can be filled by people with different levels of experience within the
firm. Most engagements will have a 'senior' or 'in charge' responsible for the day-to-day running
of the audit and supervising assistants. The audit strategy should make clear who is responsible
for which aspects of the audit, and should strike the difficult balance between:
- Ensuring each member of the team has sufficient experience for the job in hand
- Setting new challenges so that experience can be gained, and
- Cost
10.3. Location
As hinted at above, the location that the audit work takes place at will depend on the nature of
the client and the risk assessment. Some clients will only have one location, in which case the
audit will take place at that location. Other clients may have several locations, and the auditors
will have to make judgements about which locations are riskier than others and need the auditor
to visit them. It may be necessary to attend all locations that a client has at some stage during
the audit.