Audit Approach

1. Introduction to the Report

1.1. Summary
We know, audit is an official inspection of an organization's accounts, typically by an
independent body. But audit is a very systematic process. Different types of audit require
different audit approaches based on various types of organizations and the risks involved there.
In this report titled ‘Audit Approach’ we will discuss about different approaches auditors chose
based on different levels of risks, types of organizations and extent of internal control. Besides,
every conduct of audit requires an engagement. The essentials of an audit engagement are also
included in this report. After reading this, the reader will get to know about when to use what
approach and the procedure of engagement.

1.2. Methodology
All the information included in this report are based on secondary data.

1.3. Limitation of the Report

The report includes only theoretical aspects of audit approach. No practical context is included
here due to time, knowledge and scope limitation.

Page | 1
 Audit Approach

2. Audit Approach - Synopsis

An audit approach is the strategy used by an auditor to conduct an audit. The approach taken
varies by client, and depends on a number of factors, including the following:
- The nature of the client and the industry in which it operates.
- The scope of the engagement.
- The adequacy of the client's system of controls.
- The level of cooperation received from the client.

The approach chosen should be both effective and efficient, based on the preceding factors.
The following general audit approaches are most commonly used, depending on the
circumstances:

➢ When the financial reporting system is weak: The emphasis is

on vouching significant transactions. There is little or no attempt to verify the
robustness of the client's system of controls. This approach requires significant labor to
test a sufficient number of transactions.

➢ When the internal control system is strong: The emphasis is on testing and validating
the client's system of internal controls. If the controls are proven to be strong,
then substantive testing can be significantly reduced. This is a more efficient audit
approach.

➢ When the focus is on client risk: The auditor spends time reviewing where there is risk
in a client's systems, and then designs an audit approach that focuses primarily on high-
risk areas. Conversely, low-risk areas receive little auditor attention.

➢ When the focus is on the balance sheet: The audit focus is on testing the balances in
the accounts comprising the balance sheet. By proving the balance sheet, the
assumption is that all other transactions will flush out through the income statement,
which will therefore require little testing.

Page | 2
 Audit Approach

3. Risk Assessment

3.1. Business Risk: Business risk is the risk inherent to the company in its operations. It
includes risks at all levels of the business. There are three general categories of business risk:
- Financial risks are the risks arising from the financial activities or financial
consequences of an operation, for example, cash flow issues or overtrading
- Operational risks are the risks arising with regard to operations, for example, the risk
that a major supplier will be lost and the company will be unable to operate
- Compliance risk is the risk that arises from non-compliance with laws and regulations
that surround the business, for example a restaurant failing to comply with food hygiene
regulations might face fines, enforced closure, legal action from customers and so on

3.2. Audit Risk: The risk of giving an inappropriate opinion in relation to the financial
statements. It has three components.
- Inherent risk is the susceptibility of an assertion to misstatement that could be material,
individually or when aggregated with other misstatements, assuming that there were no
related internal controls.
- Control risk is the risk that a misstatement that could occur in an assertion and that
could be material, individually or when aggregated with other misstatements, will not
be prevented or detected and corrected on a timely basis by the entity's internal control.
- Detection risk is the risk that an auditor’s procedures will not detect a misstatement that
exists in an assertion that could be material, individually or when aggregated with other
misstatements.

4. Responding to the Risk Assessment

Overall responses to risks of material misstatement will be changes to the general audit strategy
or reaffirmations to staff of the general audit strategy. For example:
➢ Emphasizing to audit staff the need to maintain professional skepticism.
➢ Assigning additional or more experienced staff to the audit team.
➢ Using experts, the work of internal auditors or other auditors.
➢ Providing more supervision on the audit.
➢ Incorporating more unpredictability into the audit procedures.
The evaluation of the control environment that will have taken place as part of the assessment
of the client's internal control systems will help the auditor determine whether they are going
to take a substantive approach (focusing mainly on substantive procedures) or a combined
approach (tests of controls and substantive procedures).

Page | 3
 Audit Approach

5. Risk Analysis
Assurance firms will carry out a risk analysis before accepting clients. This is partly to
determine what fee they think is appropriate for the engagement (the higher risk the client, the
greater the benefit that the firm will want from undertaking the engagement) but also to lay
foundations for understanding the risks associated with the engagement if it is taken on and the
amount of work that will have to be undertaken to reduce assurance risk to an acceptable level
for that assignment. When carrying out risk analysis prior to accepting a client, assurance
providers will be seeking to determine:

- Whether the directors/management of the company appear to have integrity: This can
be assessed by looking at the accounting policies of the company (are they prudent and
conservative or imprudent?) and the qualifications of the finance director it employs,
or by obtaining references for key personnel from parties known to the assurance firm,
such as bankers or solicitors, or the previous auditors.
- Whether the company has a good financial record, resources and outlook: This can be
assessed by looking at recent financial performance and reports and by making
enquiries (with permission) from its bankers.
- Whether the company appears to have good internal control, or, at minimum, a good
control environment: This might be indicated by the existence of an internal audit
department, or assessed through inquiries of management.
- Whether the company has unusual transactions: this can be assessed by reviewing
published financial statements.

In general terms, if the directors appear to have integrity, the financial record is strong and
prospects look good, there is a good attitude to internal control in the company and it has few
unusual transactions, then it is lower risk than a company for which those things are not true.
If a firm determines that a company is a high-risk client, this does not necessarily mean that
the firm will not accept the engagement, but this preliminary assessment of risk will be
incorporated into the audit procedures when risk assessment identification and procedures are
carried out on the engagement. Another area constituting risk to the auditor is the risk that the
client may be money laundering. Accountants are required to report suspicions of money
laundering and failure to report a suspicion is a criminal offence. The auditors are also required
to carry out client due diligence with respect to money laundering at the start of an engagement.

Page | 4
 Audit Approach

6. Audit Confidence
To reduce the level of risk that the financial statements might be wrong, the auditors have to
build up audit confidence based on sufficient appropriate audit evidence. There are three
sources of audit confidence.

Controls

Test of Analytical
Details Procedure

To derive audit confidence from the client’s controls, auditors have to ascertain them by
enquiry, document them and then test them to make sure that:
- They operate in the way they think they do (by walkthrough testing); and
- They are effective (by tests of controls).
During the planning process the audit team decides on the use of these sources to give sufficient
audit confidence and what the mix should be. The audit plan will record the approach to be
used as decided on by the audit team.

7. Reliance on Control
BSA 500 says auditors need to carry out tests of controls under two sets of circumstances:
➢ When they are intending to rely on controls to reduce audit risk
➢ When they are unable to derive sufficient evidence from substantive procedures.

The type of testing will depend on the nature of the control. Where procedures may be more
difficult to devise, the auditors could
➢ Review the minutes of the relevant meetings.
➢ Select a sample of projects and make actual/budget comparisons and then follow up to
see what the client did in response to any overruns.
➢ Attend the relevant meetings and observe how they are conducted –but would need to

be careful about whether the auditors' presence at the meeting will affect the way the
meeting is conducted.

In respect of IT controls, the following questions are relevant:

➢ How do these operate?

➢ Is the auditor justified in assuming that they function properly?

➢ If a client uses a recognized accounting package such as QuickBooks or Sage Line 50,

is the auditor justified in assuming that, for example VAT will be calculated correctly
and that control accounts will be updated properly?

Page | 5
 Audit Approach

8. Substantive Approach
Substantive Audit Approach is one of the audit approaches that is used by auditors to verify
the events and transactions in the financial statements by covering the largest volume of them.
The principle of substantive audit approach is that when auditors cover the largest volumes
with high value of financial transactions and event in financial statements, there is less risks
that material misstatements is uncovered. Substantive procedures fall into two categories:

➢ Analytical procedures and

➢ Tests of details.

The auditor must always carry out substantive procedures on material items. BSA 330 says
“irrespective of the assessed risk of material misstatement, the auditor should design and
perform substantive procedures for each material class of transactions, account balance and
disclosure”. In addition, the auditor must carry out the following substantive procedures:
• Agreeing the financial statements to the underlying accounting records
• Examining material journal entries
• Examining other adjustments made in preparing the financial statements
The auditor must determine when it is appropriate to use which type of substantive procedure.

(a) Analytical procedures tend to be appropriate for large volumes of predictable transactions
(for example, wages and salaries).
(b) Other procedures (tests of detail) may be appropriate to gain information about account
balances (for example, inventories or trade receivables), particularly verifying the
assertions of existence and valuation.

Tests of detail rather than analytical procedures are likely to be more appropriate with regard
to matters which have been identified as significant risks, but the auditor must determine
procedures that are specifically responsive to that risk, which may include analytical
procedures. Significant risks are likely to be the most difficult to obtain sufficient appropriate
evidence about. How much substantive testing is carried out will depend on:
- Whether the auditor wants to rely on controls in the first place (in which case
substantive testing might be reduced)
- Whether controls testing reveals that controls can be relied on (if they cannot, the
auditors will have to increase substantive testing)

Page | 6
 Audit Approach

9. Reliance on Internal Audit

BSA 610 “Considering the Work of Internal Audit” states that as part of their planning
procedures, auditors must consider the activities of internal auditing and their effect, if any, on
the external audit procedures. While the external auditor has sole responsibility for the opinion
expressed, some internal audit work may be helpful to him in forming a decision. Normally
however, internal audit operates in one or more of the following broad areas.

➢ Review of the accounting and internal control systems

➢ Examination of financial and operating information
➢ Review of economy, efficiency and effectiveness
➢ Review of compliance with laws and regulations
➢ Special investigations

An effective internal audit function may reduce, modify or alter the timing of external audit
procedures, but it can never eliminate them entirely. Even where the internal audit function is
deemed ineffective, it may still be useful to be aware of the internal audit conclusions. The
effectiveness of internal audit will have a great impact on how the external auditors assess the
whole control system and the assessment of audit risk. The BSA says that 'the external auditor
should obtain a sufficient understanding of internal audit activities to identify and assess the
risks of material misstatement of the financial statements and to design and perform further
audit procedures. The external auditor should perform an assessment of the internal audit
function when internal auditing is relevant to the external auditor's risk assessment'.

The following important criteria will be considered by the external auditors.

Consider to whom internal audit reports (should be the board or the audit
committee, a subcommittee of the board, which, when it exists,
Organizational monitors the work of internal audit), whether internal audit has any
Status operating responsibilities and constraints or restrictions on it (e.g. that
it is not adequately resourced)

Scope of Consider extent and nature of assignments performed and the action
taken by management as a result of internal audit reports
function

Technical Consider whether internal auditors have adequate technical training and
Competence Proficiency

Due professional Consider whether internal audit is properly planned, supervised,

Care reviewed and documented

Page | 7
 Audit Approach

10. Practical Issues

10.1. The Audit Team
As part of the audit planning process, the right team will need to be selected. This will depend
on matching the need for experience, specialist knowledge and ensuring that work is done at
the right level with the risks associated with the audit. For every engagement there will be an
engagement partner who takes overall responsibility for the engagement and who has specific
responsibility for ensuring the firm and the team’s competence and objectivity, and for:
➢ Approving the audit strategy
➢ Communicating his or her knowledge of the client to the audit team

➢ Ensuring that staff are briefed and supervised appropriately

➢ Ensuring appropriate reviews are carried out of staff’s work
➢ Reviewing the financial statements, the key areas and any working papers not otherwise
reviewed.

There should normally be at least one other person involved on the audit to review the work
done. Beyond this the precise make-up of the team will depend on the scale of the engagement
and the different roles can be filled by people with different levels of experience within the
firm. Most engagements will have a 'senior' or 'in charge' responsible for the day-to-day running
of the audit and supervising assistants. The audit strategy should make clear who is responsible
for which aspects of the audit, and should strike the difficult balance between:
- Ensuring each member of the team has sufficient experience for the job in hand
- Setting new challenges so that experience can be gained, and
- Cost

10.2. Budgets and Deadlines

Audit firms are in business to make a profit. Whilst the pursuit of profit must not take
precedence over professional and quality considerations, nevertheless the audit plan should
make it perfectly clear:
➢ When the deadline is.
➢ How much the budget is.

10.3. Location
As hinted at above, the location that the audit work takes place at will depend on the nature of
the client and the risk assessment. Some clients will only have one location, in which case the
audit will take place at that location. Other clients may have several locations, and the auditors
will have to make judgements about which locations are riskier than others and need the auditor
to visit them. It may be necessary to attend all locations that a client has at some stage during
the audit.

Page | 8
 Audit Approach

10.4. Interim & Final Audits

Typically, much of the systems assessment work and tests of details on the profit and loss
account, will be carried out at the interim stage, with greater focus on the balance sheet at a
final audit. However, auditors think about a number of factors here:
▪ What about the income statement for the last couple of months of the year?
▪ If the auditors are relying on controls, were they effective in the period between the
interim audit and the year end?
▪ If the auditors have tested inventory, or receivables at the interim stage, are they happy
with the 'roll forward' to the year end?

10.5. Nature of Evidence

It will be important to address the practical issue of what sources of evidence the audit firm
expects to obtain during the audit. Information generated by the client is never as good quality
as information generated by the auditor or from third parties. The audit strategy should set out
where information should be sought from third parties (such as in respect of receivables or
confirmation of a loan).

Page | 9
 Audit Approach

11. Audit Engagement

An audit engagement is an arrangement that an auditor has with a client to perform an audit of
the client's accounting records and financial statements. The term usually applies to the
contractual arrangement between the two parties, rather than the full set of auditing tasks that
the auditor will perform. To create an engagement, the two parties meet to discuss the services
needed by the client. The parties then agree on the services to be provided, along with a price
and the period during which the audit will be conducted. This information is stated in
an engagement letter, which is prepared by the auditor and sent to the client. If the client agrees
with the terms of the letter, a person authorized to do so signs the letter and returns a copy to
the auditor. By doing so, the parties indicate that an audit engagement has been initiated.

Considerations at the Commencement of New Audit

- An audit is generally conducted with some definite objects in view. The objects should
be constantly kept in mind in the initial stages of audit.
- He should see that his appointment in case of a joint-stock company is in accordance
with the provisions of the Companies Act 1994. If he does not do so, he will be held
liable. If he has been appointed in place of another auditor, he should enquire from the
retiring auditor, the reasons for the changes.
- He should obtain definite instructions from the clients about the nature and scope of his
work and duties, whether he is to do the accountancy work or audit work or both, by
which date the work is to be completed, time by which the report is required etc.
- He should examine the system of accounting employed by his client. If he finds any
weak point he must study it thoroughly and make recommendations to his client to
remove these weak spots.
- If internal check system is in operation, he should get a written statement to that effect
and examine that system.
- He should get a list of the officers of the company containing particulars about their
duties, powers and their specimen signatures.
- He should obtain the previous year’s audited balance sheet, if any, and see that the
accounts during the current year have been opened with those balances which appeared
in the previous balance sheets.
- He should get the report of the auditor, if any, relating to the accounts of the previous
year for information regarding the state of the affairs of the company during the year.
- He must read the clauses of the Memorandum of Association and the Articles of
Association of the company which have a bearing on the accounts or the Articles of the
Partnership of the firm whose accounts he is auditing.

Page | 10
 Audit Approach

12. Ethical Clearance

When deciding whether to accept an assurance engagement, the auditors need to consider
whether there are any ethical issues which prevent acceptance. The IFAC Code of Ethics sets
out the following points in relation to changes in professional appointment.

- Prospective Auditors: Before accepting a specific client engagement, a professional

accountant in public practice should consider whether acceptance would create any
threats to compliance with the fundamental principles. For example, a self-interest
threat to professional competence and due care is created if the engagement team does
not possess, or cannot acquire, the competencies necessary to properly carry out the
engagement. A professional accountant in public practice who is asked to replace
another professional accountant in public practice, or who is considering tendering for
an engagement currently held by another professional accountant in public practice,
should determine whether there are any reasons, professional or other, for not accepting
the engagement, such as circumstances that threaten compliance with the fundamental
principles. For example, there may be a threat to professional competence and due care
if a professional accountant in public practice accepts the engagement before knowing
all the pertinent facts.

- Existing Auditors: An existing accountant is bound by confidentiality. The extent to

which the professional accountant in public practice can and should discuss the affairs
of a client with a proposed accountant will depend on the nature of the engagement and
on:
▪ Whether the client's permission to do so has been obtained; or
▪ The legal or ethical requirements relating to such communications and
disclosure, which may vary by jurisdiction.
In the absence of specific instructions by the client, an existing accountant should not
ordinarily volunteer information about the client's affairs. Circumstances where it may
be appropriate to disclose confidential information are set out in Section 140 of Part A
of the ICAB Code of Conduct.

- Additional Work: A professional accountant in public practice may be asked to

undertake work that is complementary or additional to the work of the existing
accountant. Such circumstances may give rise to potential threats to professional
competence and due care resulting from, for example, a lack of or incomplete
information. Safeguards against such threats include notifying the existing accountant
of the proposed work, which would give the existing accountant the opportunity to
provide any relevant information needed for the proper conduct of the work.

Page | 11
 Audit Approach

13. AUDIT ENGAGEMENT LETTER

In the interest of both client and auditor, the auditor should send an engagement letter before
the commencement of the engagement. The engagement documents and confirms the auditor’s
acceptance of the appointment, the objectives and scope of the audit and the extent of auditor’s
responsibilities to the client. The principle contents of the audit engagement letter are:
➢ The objective of the audit of financial statements.

➢ Management responsibility for the financial statements.

➢ Management responsibility for selection of appropriate accounting policies,

implementation of applicable accounting standards, explanation for material departure

from those accounting standards.
➢ Management responsibility for preparing the accounts on a going concern basis.
➢ Management responsibility for making judgements and estimates for true and fair
compilation of financial statements.
➢ Management responsibility for maintenance of adequate accounting records and
internal control.
➢ The scope of audit including reference to applicable legislation, regulations, and the
pronouncement of the institute.
➢ The fact that certain material misstatement resulting from fraud and sometimes from
error may remain undetected even after the audit in view of inherent limitations of the
audit.
➢ The right of unrestricted access to records and information needed by auditor for
conducting audit.
➢ The fact that the audit process may be subject to peer review under the Chartered
Accountants Act.
➢ Expectation from the management of receiving written confirmation concerning
representation made in connection with the audit.
➢ Basis on which the fees for audit is to be computed and billing arrangements.
➢ Arrangement for involvement of other experts, auditors, internal auditors etc. where
deemed necessary for the audit.

Page | 12