Chapter 6

Audit Planning and Risk Assessment

Learning Objectives

1. Learn the steps of the planning process for an integrated audit.

2. Become familiar with the components that impact the audit strategy and
audit plan.
3. Understand the relationship of risk assessment, materiality, and planning.
4. Define the Fraud Triangle and recognize fraud risk factors.
5. Identify triggers for reevaluating the audit strategy and audit plan.
6. Summarize important information that is documented as part of audit
planning.
7. Identify changes that can be made to audit approaches for higher risk
areas.
8. Explain different types of audit activities and their purposes.
 Overview of the Planning and Risk Assessment Process

Exhibit 6-1
One Engagement

Planning for an integrated audit must achieve the

objectives of both audits opinion on the financial
statements and opinion on ICFR
Auditor needs sufficient evidence to
Assess risk
Address ICFR effectiveness
For an ICFR opinion in a financial statement audit
For decision on how much to rely on ICFR in a financial
statement audit
Address fairness of the financial statements
Overview of Planning
Audit planning is a continuous process; the audit
plan may need to be adjusted as new information is
obtained
Risk assessment is integrated throughout, including
assessing fraud risk
Steps in planning
Establishing the audit strategy
Planning the audit resources
Develop the audit plan
Communication on planning
Overall Audit Strategy
Big picture of the audit; auditors can do this before
they do audit procedures based on
Experience in and knowledge of the industry
Information gained through client acceptance process
Previous audit engagements, such as quarterly reviews
Components of the audit strategy
Scope of the engagement
Timing
Materiality and risk
Fraud risk
Audit Strategy: Scope of the Engagement

What are deliverables for this particular

client?
How much and what type of work does the
auditor need to do?
When and where does the work need to be
done?
How should the work be scaled to fit the size,
environment and complexity of the audit client?
Audit Strategy: Scope of the Engagement
Client attributes that affect scope:
Accounting presentation
Is the presentation US GAAP, IFRS, GASB, statutory based, other?
Entity structure
Is it public or privately owned? Is it a parent or subsidiary? Does it have multiple
locations, and if so what is the materiality at the other locations?
Information technology
Complexity of the system? Entity level and application controls?
Client outsourcing
How important are outsourced services? How will audit address the service provider?
Work of others
How will this affect the nature, timing and extent of audit procedures?
First year vs. continuing audits
Audit Strategy: Timing

Client events that create audit deadlines

Key dates for communication with management, Audit
Committee and Board of Directors
SEC deadlines for filing quarterly and annually
Date at which other auditors will supply or need audit
reports
Requirements of other regulators
Are audit resources (human resources) available in
the right combinations at the right times?
Audit Strategy: Materiality and Risk

Materiality
the magnitude of an omission or misstatement of
accounting information that, in the light of
surrounding circumstances, makes it probably that
the judgment of a reasonable person relying on the
information would have been changed or
influenced by the omission or misstatements
Audit Strategy: Materiality and Risk

Auditors assess materiality based on whether the

issue would influence the economic decisions of users
with certain qualifications
Appropriate knowledge
Willingness to study the financial statements
Understand the concept of materiality
Understand measurement issues like estimates and
judgments
Will make appropriate economic decisions using the
financial statements
Audit Strategy: Materiality and Risk
Top Down Approach
What amount is material at the financial statement level?
What accounts and disclosures are significant to the financial statements?
What assertions are relevant to the significant accounts and disclosures?
What could go wrong to cause a material misstatement or omission related
to each relevant assertion in each significant account or disclosure?
Is there a control in place that is intended to prevent that event (the risk)
from occurring or that will detect it on a timely basis? If yes, is the control
designed sufficiently well that (if it operates effectively) it will prevent or
detect the risk? If yes, does the control operate well enough (effectively) to
prevent or detect the risk?
Are there any material misstatements or omissions in any significant accounts
or disclosures?
Audit Strategy: Materiality and Risk
Materiality includes both quantitative and qualitative
aspects; something might not be material from a quantitative
perspective but have qualitative characteristics that make it
material regardless of amount. Management fraud is an
example of something that is material regardless of amount.

Significant risks are risks in the business that are important

enough to require special audit consideration. When auditing
a non-public company that does not require an ICFR opinion
the auditor may not choose to rely on internal controls when
planning tests of balances. Even in that situation, the auditor
must identify and assess the impact of significant risks.
Audit Strategy: Materiality and Risk

Materiality
Set at financial statement level and at account balance
level
Planning concepts of materiality:
Tolerable misstatement (for account balances)
Tolerable rate of error (for ICFR)
Qualitative materiality
Auditor judgment
Benchmarks or rule of thumb, or quantitative analysis to
set planning materiality
Audit Strategy: Materiality and Risk

The auditor decides what tolerable misstatement is for an

account balance and tolerable rate of error is for a control.
The auditor conducts the planned audit procedures to test the
account balance. In general, if the conclusion is that the account
balance misstatement is less than the tolerable misstatement
the auditor accepts the account balance.
If a control is effectively designed, the auditor conducts the
planned audit procedures to test the operating effectiveness of
the control. In general, if the conclusion is that the controls
failure rate is less than the tolerable rate of error, then the
auditor concludes that the control is effective.
Audit Strategy: Fraud Risk

Preliminary assessment of fraud risk during

planning; brainstorming session
Responsibility to maintain professional skepticism
Fraud Triangle: incentive, opportunity,
rationalization
Auditor specifically tests the operating effectiveness
of anti-fraud controls
Audit planning also includes clients risk of illegal
acts that could materially impact the financial
statements
Audit Strategy: Fraud Risk

Anti-fraud controls include those:

Over significant, unusual transactions particularly late
or unusual journal entries
Over journal entries and adjustments made in the
period-end financial reporting process
Over related party transactions
Related to significant management estimates
That mitigate incentives for, and pressures on
management to falsify or inappropriately manage
financial results
Audit Strategy
Recent significant developments
Recurring engagement: events since the last audit
New engagement: events since the client was accepted
Can be internal events or external developments
Auditor spends more time on these issues
Sources of information for the audit strategy
Client acceptance and continuance activities
Understanding the clients system
Other engagements for the client
Planning meeting and planning memorandum
Planning the Audit Resources

Assignments of the audit team

Timing of audit work
High-risk areas
Engagement budget
Audit Resources: Assignments
The work must be planned and any assistants must be properly
supervised; required by auditing standards and quality control
standards
Supervision includes instruction and review
The firm should match jobs to individuals based on difficulty
and complexity of the job and experience and expertise of
the individual
How much time of people at which levels does the audit
require?
Sometimes there is a trade-off a person with greater skills can
perform the task faster and better, will require less instruction and
the review will be easier
Audit Resources: Timing
Terms
Interim procedures, interim date
Busy season
Timing of procedures in audit plan is for best effectiveness and efficiency.
Interim work helps
Discover problems earlier so the client can fix them or the auditor can
plan to spend more time on them during year end work
When the client does not retain records or not in the original format
Some work must be done at or after year end
ICFR audit work on the clients year end financial reporting process
Agreeing financial statements to the accounting records
Examining adjustments made when preparing the financial statements
Audit Resources: Timing
Roll forward audit procedures
When procedures performed at an interim date have
to be carried forward through fiscal year end
Applies to ICFR work for financial statement and
ICFR audits
Does a control that was tested at an interim date
continue to operate in the same way (either good or
bad) through the end of the year?
Applies to financial statement audit work
Reconcile an account balance tested at an interim date
with the year end account balance
Audit Resources: High Risk Areas
Based on risk assessment procedures
More audit effort is directed toward high risk areas
e.g., more tests, more experienced staff, specialists
Specialist: a person or firm possessing special skill or knowledge in a
particular field other than accounting or auditing
Can work for client, CPA firm or may be an outsider
Audit evaluates qualifications and work of specialist before using it
If specialists work is unreasonable, auditor does more work
Examples: actuaries, appraisers, engineers, environmental consultants,
geologists, lawyers
A professional particularly knowledgeable about IT may be needed
Computer system is pervasive and critical to operations; is new, recently
changed, complex; uses emerging technology; used for e-commerce
Audit Resources: High Risk Areas

IT experts potential contributions to the audit

Determining the effect of IT on the audit
Understanding the IT controls
Designing and performing tests of IT controls
Designing and performing IT-related or IT-based
substantive procedures
Audit Resources: Engagement Budget

Audit planning includes preparing a preliminary time budget

Detailed by areas of the audit
Indicates anticipated time of professionals at various experience levels
for each area
Purposes and uses of a time budget
Planning engagements
Evaluating staff
Managing the firm
Audit professionals track and report time spent on the engagement
Firm can compare budget with actual outcomes
Budgeted to actual is used for billing, evaluating staff performance and
bidding on future engagements
Develop the Audit Plan

Nature, timing and extent of audit

procedures
Top down approach
Different types of audit procedures
Audit Plan: Nature, Timing and Extent

First the auditor has to know:

Management assertions (which requires knowing which
accounts are important), materiality, risk, timing driven by
client specifics
Terms are used a lot; meaning is simple:
Nature is type of test, control or substantive, and which
specific audit procedures is to be performed
Timing is when it is to be performed; considerations are
having audit resources available, evidence availability,
being able to test the period for which evidence is needed
Extent is quantity of testing to be performed
Audit Plan: Nature, Timing and Extent
Nature: Tests of controls
For ICFR audit, the auditor must test controls
For financial statement audit, auditor tests those controls that are to be relied
upon for entire period of planned reliance
If a significant account, type of transaction, or disclosure is susceptible to material
misstatement, the auditor defines what causes that susceptibility. If a control exists
that is effectively designed to prevent or detect the event that will cause the
account or disclosure to be materially misstated, the auditor plans how to test the
controls operating effectiveness.
Nature: Substantive Procedures
Purpose is straightforward, tests are planned to detect material misstatements that
exist in the financial statements
Nature: Types of procedures to obtain audit evidence
Inspection, observation, inquiry, external confirmation, recalculation,
reperformance, analytical procedures
Audit Plan: Nature, Timing and Extent

Extent: If test are properly designed for the audit

issue being evaluated, the assumption is that more
testing provides more evidence.
Extent considerations includes sampling decisions
Discussed more in later chapters
Properly designed sampling approaches can
provide sufficient evidence to permit the auditor to
draw valid conclusions without examining all the
transactions
Audit Plan: Top Down Approach

How to plan substantive audit stepsidentify,

assess and decide upon:
Significant accounts, transactions or disclosures
Relevant assertions for them
Risks of material misstatement related to those
assertions
Substantive audit procedures to address those possible
material misstatements
Audit Plan: Top Down Approach

How to plan control audit stepsidentify, assess

and decide upon:
Significant accounts, transactions or disclosures
Relevant assertions for them
Risks of material misstatement related to those
assertions
Causes of the risks
Controls that address the causes of the risks
Tests of the controls
Audit Plan: Types of Audit Procedures
Audit evidence: an accumulation of activities, documents and
information that persuades the auditor to have reasonable
assurance that managements assertions are appropriate.

AS 5, to test controls:
Inquiries, inspection of documents, observation,
reperformance
Walkthrough is the term for tracing a transaction through
initiation, authorization, processing and recording.
Walkthroughs are used to understand the system and assess
design effectiveness
Audit Plan: Types of Audit Procedures

Audit procedures for a financial statement audit

include those listed by AS 5 for controls, and more:
Inspection of records, documents, tangible assets
Observation
Inquiry
External confirmation
Recalculation
Reperformance
Analytical procedures
Communication on Planning

After initial audit planning, auditor may meet with

management
Auditor may provide an overview of the plan for
the audit
Auditor provides general information about scope
and timing, but not a level of detail that would
compromise the audits effectiveness
 Overview of Planning

Exhibit 6-9
Appendix A: Using the Work of Others
Other Independent Auditors vs. Others

Sometimes more than one independent auditor

works on an audit
Auditor who does the most is called the principle
auditor
Principle auditor must decide whether it was sufficiently
involved in the work of the other firm to take
responsibility for the conclusions on that work
Impacts the audit report
Work of others guidance does not address the
principal auditor other auditors situation
Deciding to Rely on the Work of Others

In deciding whether to rely on the work of others in

planning and executing the audit, the auditor must
evaluate
The individual who performed the work
Competence
objectivity
The subject matter or target of the work performed
Materiality
Risk associated with controls
Subjectivity of the evaluations in the procedures
Effect on the Independent Auditors Work

The auditor will be very careful in deciding whether to use the

work of others that has been done on the control environment
since that work has such a big impact on other decisions in the
audit.
When a account, disclosure or control is associated with
greater risk (including because of materiality) the auditor
performs more work personally and relies less on the work of
others.
The work of others may cause the auditor to change the
nature, timing and extent of audit procedures; can result in
either more or less audit attention to a particular area.
Effect on the Independent Auditors Work

The auditor relies less on the work of others if more judgment

is required to determine whether a misstatement is important
or a control is performing effectively.
The auditor does more work personally on controls over
period-end financial reporting because problems in this
process present significant risk of misstatement to the financial
statements.
Accounts that incorporate important estimates or judgments
made by management require more personal work by the
auditor and less use of the work of others; e.g., revenue
recognition, collectibility of receivables, appropriate
accounting for derivatives.
Effect on the Independent Auditors Work

If an account is susceptible to management override the

auditor relies less on the work of others.
Some accounts may have a low enough risk of material
misstatement that the auditor may choose to rely on the work
of others rather than performing procedures; possibilities are
existence of cash, prepaid assets and fixed asset additions.
High risk and judgment needs can cause the auditor to perform
more audit work in addition to that performed by others;
examples are
Valuations requiring significant estimates
Related party transactions, contingencies, uncertainties, subsequent
events
Evaluating and Testing Others Work
Auditor must decide how much evaluation and testing to do on
the work of others; professional judgment
How much will the work of others affect audit decisions?
How competent and objective is the other person?
What were the accounts and controls the other person
worked on?
Procedures to test work of others
Examine some of the controls, transactions or balances that
others examined and compare results
Examine controls, transactions or balances similar to the ones
examined by others and compare results
Audit Impact of Work of Others
The auditor can consider the work of others in planning and
performing audit procedures; can either increase or decrease
audit work because of the work of others and results
Others can actually provide direct assistance on the audit;
auditor must:
Assess competence and objectivity
Supervise, review, evaluate, and test work
Inform works on responsibilities, objectives of procedures,
important accounting and auditing matters, need to report
significant findings to the auditor
Copyright

Copyright 2011 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted
in Section 117 of the 1976 United States Copyright Act without
the express written permission of the copyright owner is
unlawful. Request for further information should be addressed
to the Permissions Department, John Wiley & Sons, Inc. The
purchaser may make back-up copies for his/her own use only and
not for distribution or resale. The Publisher assumes no
responsibility for errors, omissions, or damages, caused by the
use of these programs or from the use of the information
contained herein.