5. Audit planning

Question 1

What is ‘planning’ and how does it fit into the audit process?

Answer 1

Planning is when the audit team sit down and discuss how the audit is going to be carried out and the key areas of focus where there is likely to be the most incorrect information thus impacting users of the financial statements.

It is usually done before the year end and done after accepting an engagement.

Question 2

What are the key things that planning help with in an audit?

Answer 2

• helping to ensure that sufficient and appropriate attention is directed to the important areas
  of the audit;
• helping to ensure that potential problems are identified and resolved early;
• assisting in the selection of appropriate engagement staff, including the assignment of work
  to them;
• helping to complete work effectively and efficiently; and
• facilitating direction and supervision of the audit.

Question 3

What is the purpose of audit planning?

Answer 3

To help ensure that audit risk is reduced to an acceptably low level.

Question 4

What risk assessment procedures are used to help the auditors gain an understanding of an entity?

& what do they help gain an understanding of?

Answer 4

Analytical procedures;Enquiry; Inspection; and Observation. (AEIO)

Understanding of:
* The entity and its environment, including:
− Organisational structure, ownership and governance and business model
− Industry, regulatory and other external factors
− The measures used, internally and externally, to assess the entity’s financial performance

• The applicable financial reporting framework and the entity’s accounting policies. The auditor
  will evaluate whether the accounting policies are appropriate and consistent with the financial
  reporting framework
• How inherent risk factors identified will affect the susceptibility of assertions to misstatement, and the degree to which they do so
• Internal controls

Question 5

What analytical procedures are used commonly at the planning stage of the audit and why?

Answer 5

Comparison, ratio analysis and reasonableness test are commonly used at planning.

Comparison is evaluating financial data against prior periods, industry standards, or budgets.
Purpose: Identifies unusual trends or variances that may require further investigation.

Ratio Analysis is analysing key financial ratios (e.g., liquidity, profitability).
Purpose: Highlights areas of potential risk or concern by examining relationships between financial metrics.

Reasonableness Test is Assessing whether figures (e.g., expenses, revenue) align with expectations based on available data.
Purpose: Ensures figures are plausible and consistent with business operations, helping to detect anomalies.

Question 6

What is the risk-based approach to auditing?

Answer 6

Auditing standards require the auditor to adopt a risk-based approach to auditing.

This approach focuses attention to the areas most likely to contain a material misstatement and therefore allows for an efficient approach.

Question 7

What is audit risk and what must auditors do in response to this’?

Answer 7

Audit risk is the risk that the auditor gives an inappropriate opinion (effectively the risk that they fail to detect a material misstatement) when the financial statements are materially misstated.

The auditor must reduce the audit risk to an acceptably low level.

Question 8

What is audit strategy and how does it differ from an audit plan?

Answer 8

Audit strategy sets out the scope, timing and direction of the audit engagement (as required by the ISA UK Standards).

An audit plan is a detailed document for gathering evidence to reduce the audit risk to an acceptably low level by describing the approach to the expected nature, timing and extent of the audit procedures to be performed.

Question 9

What is the audit risk model formula?

Answer 9

Audit Risk = Risk of material misstatement x Detection Risk

where Romm = Inherent risk x Control risk

Dectection risk = Sampling risk x Non-sampling risk

Question 10

What is business risk and why does it need to be managed?

ISA 315 

Answer 10

ISA 315 - Business risk is “a risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies. Directors are required to manage business risks.”

These risks need to be managed because a failure to recognise the need for change may also give rise to business risk.

Question 11

What are the main categories of risk that could affect businesses?

Answer 11

• Operational risk
• Legal and regulatory risk
• Reputational risk
• Environmental risk
• Disaster risk
• Cybersecurity risk
• Health and safety risk
• Interest rate risk
• Exchange rate risk
• Credit risk
• Liquidity risk
• Refinancing risk

Question 12

What are the 4 main elements of the FRC’s risk management framework?

Answer 12

1. The board’s responsibilities for risk management and internal control, and identification of factors boards should consider in order to exercise those responsibilities effectively.
2. Establishment of risk management and internal control systems.
3. Monitoring and review of risk management and internal control systems.
4. The board’s financial and business reporting responsibilities.

Question 13

What are the boards responsibilities for risk management and control?

Answer 13

• To have appropriate systems in place to identify principal risks facing the company.
• To determine the risk appetite (ie the extent of risks that the organisation is willing to take to achieve its objectives).
• To agree how the principal risks should be managed or mitigated to reduce the likelihood of the risk occurring or its impact on the organisation.
• To monitor the risk management and internal controls systems to ensure that they are functioning effectively and that corrective action is being taken where necessary.
• To take responsibility for external communication (reporting) on risk management and internal control. The board has to ensure that shareholders and other stakeholders are well informed about the principal risks and prospects of the company.

Question 14

To exercise the boards responsibility for risk management and internal control, what should they do?

Answer 14

1. Should create a culture which promotes risk management at all levels.
2. Should consider whether it has the necessary skills, knowledge and experience to assess the risks the company faces and exercise its responsibilities effectively.
3. Should review reports on risk management, internal control and compliance matters from the company’s internal audit function as well as the external auditor’s communications to the audit committee about matters it considers relevant in fulfilling its responsibilities.

Question 15

What is a principal risk?

Answer 15

A principal risk is a risk that can seriously affect the performance, future prospects or reputation of the entity.

These should include those risks that would threaten its future performance, solvency or liquidity.

Question 16

Explain the establishment of risk management and internal control systems element of the FRC’s risk management framework

Answer 16

The board should ensure that sound risk management and internal control systems are in place to identify the risks facing the company and to consider their likelihood and impact if they were to materialise.

Question 17

What are the risk management and internal control systems of a business?

Answer 17

Risk management and internal control systems are the policies, culture, processes and systems in place to identify risks and safeguard the organisation’s assets.

Question 18

Explain the monitoring and review of the risk management an internal control systems element of the FRC’s risk management framework

Answer 18

The board needs to ensure that it monitors and reviews the effectiveness of risk management and internal controls systems annually to evaluate whether the systems address the company’s risks and are being developed, applied and maintained appropriately.

Question 19

Explain the boards financial and business reporting responsibilities element of the FRC’s risk management framework

Answer 19

The board should bear in mind the need for the annual report and accounts as a whole to be fair, balanced and understandable.

A number of disclosures need to be made in the annual report and accounts. The purpose of such reporting is to provide information about the company’s current position and prospects and the principal risks it faces.

These are:
1. Reporting on the principal risks facing the company and how they are managed or mitigated (as required by the Companies Act 2006 (CA 2006).

2. Reporting on whether the directors have a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due.
3. Reporting on the review of the risk management and internal control system (as required by the Code of Corporate Governance), and the main features of the company’s risk management and internal control system in relation to the financial reporting process (as required under the UK Listing Authority’s Disclosure and Transparency Rules).

Question 20

Why do external auditors need to consider client’s business risks?

Answer 20

They allow an auditor to further understand the business and evaluate the level of audit risk as a result of the business risk.

While planning the audit, the auditor has to consider whether the board has an effective system to identify and manage business risks and whether it has an effective system of internal control for risks that can be mitigated.

Auditors will always be interested in their client’s business risks because issues which pose threats to the business may in some cases also be a risk of the financial statements being misstated (which is how it leads to an audit risk).

Question 21

What is audit risk and what are its components?

Answer 21

Audit risk is the risk that the auditor gives an inappropriate opinion on the financial statements when the financial statements are materially misstated.

Components: Inherent risk, control risk, sampling risk, non-sampling risk

Question 22

What is the relationship between risk of material misstatement (RoMM) and detection risk (DR)?

Answer 22

RoMM and detection risk have an inverse relationship;

• if RoMM is high, then detection risk must be low.
• if RoMM is low, then detection risk may be high.

e.g. the higher the risk of misstatement, the more sufficient appropriate evidence the auditors need to gather to offset this back down to reducing the risk of not detecting misstatements to an acceptably low level.

Question 23

What is the relationship between business risk and audit risk?

Answer 23

The business risk model is a vehicle for the identification of audit risk, recognising that most business risks will eventually have financial consequences and, therefore, an effect on the financial statements and become an audit risk.

Question 24

What is materiality?

Answer 24

Materiality is a measure of significance. Where a matter is ‘material’ its omission or misstatement would impact the decisions of the users;

Question 25

How is materiality used in the audit process?

Answer 25

Materiality is used as a threshold throughout the audit process to direct the audit effort towards transactions, balances and items that are significant to the users.

Question 26

What are the types of materiality used in the audit process?

Answer 26

1. Overall materiality represents a threshold as to what is significant to the financial statements as a whole. (This may be referred to as planning materiality or reporting materiality depending on the timing of the materiality calculation.) 2. Performance materiality is set below overall materiality to reduce the probability that uncorrected/undetected misstatements exceed overall materiality to an acceptably low level. 3. Special items materiality - Individual accounts or disclosures in the financial statements may have their own, lower, materiality levels as they may be judged by the auditor to be material (that is, of specific interest or concern) to the users of the financial statements in their own right.

Question 27

What is the difference between overall materiality and performance materiality?

Answer 27

Overall materiality is calculated at the overall financial statement level and so relates to the accounts as a whole. If all the misstatements in the financial statements added together are above overall materiality, the accounts are materially misstated and not true and fair. Performance materiality is when the auditor calculates a lower testing or performance materiality to design procedures that will detect more misstatements that, together, could add up to more than the overall materiality threshold.

Question 28

What are audit data analytics? 

Answer 28

International Auditing and Assurance Standards Board defined audit data analytics (ADA) as follows: "Audit data analytics is the science and art of discovering and analysing patterns, deviations and inconsistencies, and extracting other useful information in the data underlying or related to the subject matter of an audit through analysis, modelling and visualisation for the purpose of planning and performing the audit."

Question 29

What are the advantages of using ADA techniques? 

Answer 29

1. Data can be processed more quickly and accurately by automated processes which allows sampling risk to be reduced. 2. Once suitable technology has been invested in, the use of ADA can make the audit process more cost effective. 3. Improving audit quality, for example, through: - Allowing a deeper understanding of the entity - Improved focus of audit testing on the areas of highest risk through stratification of large populations  - Enabling the auditor to perform tests on large or complex data sets where a manual approach would not be feasible  - Identifying instances of fraud

Question 30

How are ADA techniques used at the planning stage?

Answer 30

- Performing risk assessment procedures. The results of these can then be used to focus on different areas of the audit at the planning stage etc.

Question 31

What is fraud? 

Answer 31

An intentional act involving deception to obtain an unjust or illegal advantage.

Question 32

What are the two types of fraud?

Answer 32

There are two types of fraud: 1. Fraudulent financial reporting (e.g.deliberate failure to process transactions, misapplication of accounting policies.) 2. Misappropriation of assets (An intentional theft of company assets or inappropriate and unauthorised use of company assets.)

Question 33

What are the responsibilities of directors and external auditors with respect to fraud? 

Answer 33

Directors - The directors (and management) of the company are responsible for preventing and detecting fraud by implementing a sound system of internal control at the company and encouraging an appropriate culture. Auditors - The auditor is responsible for obtaining reasonable assurance that the financial statements are free from material misstatement, whether due to fraud or error.

Question 34

How is the risk of fraud considered at the planning stage? 

Answer 34

Fraud is considered via the fraud triangle. (Incentive, opportunity and rationalisation). Where these factors exist the auditor should perceive a higher risk of fraud and thus test more. ISA (UK) 240 states that auditors should consider the risk of material misstatement in the financial statements due to fraud as part of the overall risk assessment.

Question 35

How does fraud affect audit risk?

Answer 35

A high risk of fraud will result in a higher RoMM (risk of material misstatement). Therefore, the detection risk will need to be lowered and the auditor will perform additional procedures to collect sufficient, appropriate evidence to offset this.

Question 36

What is the fraud triangle?

Answer 36

Models the reasons for why an individual may commit fraud. 1) incentive, 2) Opportunity and 3) Rationalisation

Question 37

What is the audit strategy memorandum?

Answer 37

The audit strategy memorandum is an internal document produced during the planning stage and summarises the key decisions made during the planning phase as set out in the audit strategy, such as the results of the risk assessment and materiality levels, and also contains administrative details such as logistics, timetables, budget and resourcing.

Question 38

Explain some of the typical contents of the audit strategy memorandum (Section heading and small explanation)

Answer 38

1. Understanding the client, its environment, the financial reporting framework being used and system of internal control Explanation: Overview of the key aspects of the client. e.g. industry information, regulatory environment, key processes/systems/control framework at the client. 2. Risk assessment findings and procedures planned in response Explanation: Summary of the key areas of risks of material misstatements in the financial statements identified by the auditor at the planning stage. As well as the approach that the auditor will adopt in auditing the risks identified and the auditor’s intended testing strategy 3. Analytical procedure results Explanation: explanations provided for unusual or unexpected numbers or information. 4. Materiality Explanation: Overall performance and specific items materiality figures included in document. As well as methodology used to calculate these figures, including judgements. 5. Staffing and key client contacts Explanation: Number of audit team members required, along with their skills and competence. A list of key contacts at the client. 6. Timetable Explanation: The audit planning meeting, The year-end date, Dates of any key meetings with the client, including those charged with governance and Dates the audit team will be on-site at the client. 7. Other matters Explanation: the use of information technology in the audit process will need to be documented in the audit strategy memorandum.

Question 39

What is the difference between assertion level risks and financial statement level risks?

Answer 39

Assertion level risks relate to individual transactions and balances. FS level risks are if there is a lack of financial stability etc and could be wrong.