4. Planning An Audit (Basics) Flashcards
Key considerations for audit strategy (OBT)?
- The entity and its environment
- Materiality
- Preliminary analytical procedures
- Risk assessment
- Audit approach
- Coordination of the audit (timing, team, locations, budgets and deadlines).
What should an audit plan include?
Nature, extent and timing of:
1. Risk assessment
2. Further audit procedures (assertion level)
Audit plan: Why can’t individual account balances be audited at the start?
Haven’t completed (detailed) risk assessment procedures yet
Can the audit plan be changed?
Yes
The audit plan should be modified where necessary in response to new information, or the results of audit testing carried out
4 ways an understanding of the entity is obtained?
- Firm: Partner, Manager briefing, Industry experts, Last year’s team
- Client: Discussion, Observation, Website/brochures, Analytical procedures
- Me: Past experience
- Other: Industry surveys, Credit reference agencies, Companies House, Internet search
Understanding the entity and environment: Environment examples
Laws and regulations
Industry conditions (e.g. competition, technology, seasonality)
Data protection regulations (e.g. GDPR)
Understanding the entity and environment: Entity examples
Operations
Ownership and governance
Investments
Structure and finance
Accounting policies
Objectives and strategies
System of internal control
Use of outsourcing
Applicable financial reporting framework
Understanding an entity’s accounting policies: Where should attention be paid?
- Methods applied to unusual transactions
- Controversial areas/emerging issues
- Environment changes
- New financial reporting standards/laws and regulations
Understanding the entity: Climate risks to consider
- Business model/supply chain
- Industry
- Regulation (climate laws)
Is materiality a matter of professional judgement?
Yes
Materiality percentages: What can be used?
- Revenue
- Profit before tax
- Total assets
- Gross profit
- Net assets
- Profit after tax
Materiality percentages: Revenue
(0.5-) 1%
Materiality percentages: Profit before tax
5%
Materiality percentages: Total assets
(1-) 2%
Materiality percentages: Gross profits
(0.5-) 1%
Materiality percentages: Net assets
(2-) 5%
Materiality percentages: Profit after tax
(5-) 10%
Things that are material by nature
- Misleading descriptions
- Critical points (e.g. profit to loss threshold, company size)
- Transactions with directors
- Related party transactions
Why have PM?
To reduce aggregate small misstatements
Could become material
Can climate disclosures be material?
Yes
(If important to users)
When MUST analytical procedures be used?
- Planning
- Forming overall conclusion
When CAN analytical procedures be used?
As a substantive procedure
Analytical procedures: Limitations
- Require good knowledge/experience
- Require experienced staff
- Depends on reliability of source data
Analytical procedures: Steps
- Understand the business
- Develop an expectation
- Compare to actual
Any unexpected variations = risk
Can you use ratios in APs?
Yes
Ratios: Performance
- Gross profit margin
- Operating margin
- ROCE
Ratios: Short-term liquidity
- Current
- Quick
Ratios: Solvency
- Gearing
- Interest cover
Ratios: Efficiency
- Trade receivables collection period
- Inventory holding period
- Trade payables payment period
Ratios: Gross profit margin calculation
Gross profit/Revenue * 100
Ratios: Operating margin calculation
Operating profit/Revenue * 100
Ratios: ROCE calculation
Operating profit/(Equity + debt) * 100
Ratios: Current ratio calculation
Current assets/Current liabilities
Ratios: Quick ratio calculation
(Current assets - inventory)/Current liabilities
Ratios: Gearing ratio calculation
Net debt/equity
Ratios: Interest cover calculation
Profit before interest payable/Interest payable
Ratios: TR Coll Per calculation
TR/Revenue * 365
Ratios: Inv hol per calculation
Inv/COS * 365
Ratios: TP pay per calculation
TP/Purchases * 365
Ratios: Purpose: GPM
Assess profitability before taking overheads into account
Ratios: Purpose: Operating profit
Assess profitability after taking overheads into account
Ratios: Purpose: ROCE
Measure how effectively resources are used to generate profit
Ratios: Purpose: Current ratio
Assess ability to pay current liabilities from current assets
Ratios: Purpose: Quick ratio
Assess ability to pay current liabilities from reasonably liquid assets
Ratios: Purpose: Gearing ratio
Assess reliance on external finance
Ratios: Purpose: Interest cover
Assess ability to pay interest charges
Ratios: Purpose: TR coll per
Assess average time taken to collect cash from credit customers
Ratios: Purpose: Inv hol per
Assess average length of time inventory is held
Ratios: Purpose: TP pay per
Assess average time taken to pay suppliers
Business risk definition (OBT)
Could adversely affect objectives and strategies
Who should manage business risk?
Directors
What type of business risk are auditors interested in?
If impacts FS
3 types of business risk?
- Financial
- Operational
- Compliance
Business risks associated with climate change?
Non-compliance
Sector risks (agriculture, supermarkets)
Investor loss
Lack of evolution
Extreme climate events
Whose impact to consider when something happens to a client?
- FS
- Business (+related audit) risks
- Going concern
Audit risk definition?
Wrong opinion on FS
What 2 things does audit risk comprise?
- Material misstatement
- Detection
What are the 2 risks of material misstatement?
- Inherent risk
- Control risk
What are the 2 detection risks?
- Sampling risk
- Non-sampling risk
Audit risk calculation:
Inherent risk × Control risk × Detection risk
Risk of material misstatement: Timing
BEFORE audit commences
Risk of material misstatement: 2 levels
- Overall FS (e.g. lack of skilled personnel, control deficiencies, past misstatements)
- Assertion-level (inherent and control risk)
2 things risk assessment procedures help understand?
- Entity and environment
- FR Framework & accounting policies
What is inherent risk?
The susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material (either individually or when aggregated with other misstatements) before consideration of any related controls
Three levels of inherent risk
- Industry level
- Entity level
- Balance level
Control risk definition
Misstatement is not prevented/detected/corrected by entity’s controls
What is detection risk?
Procedure performed by auditor does not detect a misstatement that could be material
What is detection risk made up of?
- Sampling risk
- Non-sampling risk
Detection risk: What is sampling risk?
Different result from sample than would have been gained if whole population tested
Detection risk: What is non-sampling risk?
Risk of drawing the wrong conclusion (for reasons other than sampling risk)
E.g.
1st year audit
Undue time pressure
(Poor risk assessment by auditor)
Significant risk definition
Inherent risk close to upper end
e.g.
Subjective transactions (multiple accounting treatments)
High estimation uncertainty/complex models
Complex data collection/processing
Complex calculations
Differing accounting interpretations
Accounting changes from business changes (mergers & acquisitions)
Risk factors common to most audits
- Management override
- Journals
- Revenue recognition
- Cyber security
Journals: Which types should be selected?
Unusual items
Round numbers
Unusual people
Outside hours
Suspense accounts
Revenue recognition risk higher when?
Management reward linked to revenue/profit
OBT: How should auditor reduce audit risk?
- Overall responses to FS level risks
- Perform procedures at assertion level
Responding to risks: Overall responses examples
Emphasize to staff the need to maintain professional skepticism
Assign extra or more experienced staff
Use the work of experts, internal auditors or other auditors
Change the nature, timing and extent of supervision and review during the audit
Incorporate more unpredictability into audit procedures
Change the audit strategy.
Responding to risks: Assertion level examples
Adjust nature, extent and timing
Consider climate risks
What needs to be done if auditor relying on work of others
E.g. internal audit
3P is assessed:
- General assessment
- Specific assessment
3P assessment: General assessment
Is 3P competent and independent?
3P assessment: Specific assessment
Is the specific piece of work suitable?
OBT: What needs to be documented?
Audit team discussions/decisions
Elements of the auditor’s understanding
Evaluation of identified controls
Risks (at both the financial statement and assertion levels)
Responses to address risks of material misstatement at the financial statement level
Results of audit procedures/conclusions
Previous audit work relied upon (and why it is appropriate)
How the financial statements agree/reconcile with accounting records.
Cyber security definition
Protecting systems, networks and data in cyberspace from unauthorized modification, disclosure and destruction
Protecting the information system from failure
Why is cyber security a key risk?
Increasing use of tech
Constantly evolving risk
Some key cyber risks
Hacking
Theft of funds (fraud)
Sabotage
Viruses, malware, corruption
DoS attacks
Some big data risks
Reputational damage
Legislation breaches
Misstatement
General procedures IT controls should address
- Prevention
- Detection
- Deterrence
- Recovery
Some IT security controls
Business continuity
System access control
Systems development and maintenance
Physical and environmental security
Compliance
Personal security
Security organization
Computer and network management
Asset classification and control
Security policy
IT controls: System development and maintenance
Should ensure projects etc. are not detrimental to security
IT controls: Computer and network management
Protection from viruses
Protection of info esp when exchanged with other organizations
IT controls: Asset classification and control
Assign ‘ownership’ of info assets
Benefits of cloud computing
Cost savings
Detriments of cloud computing
Lack of control:
3P doesn’t have adequate security
(Auditor should assess 3P controls)