Chapter 4 Planning an audit (basis) Flashcards
1.1 Why plan
ISA 300 requires the auditor to plan the audit engagement and identifies the following benefits of planning:
- Attention is devoted to important areas
- Potential problems are identified and resolved on a timely basis
- The audit is organised to ensure it is performed in an effective and efficient way
- Staff with an appropriate level of competence can be selected
- Facilitates direction, supervision, and review of audit work
- Aids coordination of work done by auditors of components or experts
ISA 300 also requires the auditor to establish and document an overall audit strategy and a detailed audit plan. These documents should be updated as necessary as the audit progresses.
2.1 Audit strategy
ISA 300 sets out the key considerations when establishing the overall audit strategy. This covers areas such as the entity and its environment, materiality, preliminary analytical procedures, risk assessment, audit approach and coordination of the audit (timing, teams, locations, budgets, and deadlines).
2.2 Understanding the entity and its environment
ISAs 315 and 330 require the auditor to assess risk, which is only possible with a thorough understanding of the client. How to obtain an understanding:
- Your firm: partner, manager briefing, industry experts and last year’s team
- The client: discussion, observation, website/brochures, and analytical procedures
- You: past experience
- Other: industry surveys, credit reference agencies, Companies House and internet search
ISA 315 contains a list of the areas that the auditor needs to understand. The auditor should understand the environment (laws and regulations, and industry conditions such as competition, technology and data protection regulations) and the entity (operations, ownership and governance, structure, accounting policies, objectives, system of internal control and outsourcing).
2.3 Materiality
ISA 320 states information is material if its omission or misstatement could influence economic decisions of users. Auditors set a materiality threshold for the accounts as a whole, often based on the following ranges:
- 5% of profit before tax
- 0.5% - 1% of gross profit
- 0.5% - 1% of revenue
- 1% - 2% of total assets
- 2% - 5% of net assets
- 5% - 10% of profit before tax
Some matters may be material by nature, for example: matters relating to directors or related party transactions, which are required to be disclosed in the accounts regardless of their value; small amounts that affect critical points or thresholds, such as whether a company is small or medium sized under the Companies Act 2006; and descriptions which are misleading.
Performance materiality is an amount set as less than materiality to the accounts, to reduce the risk that the aggregate of smaller misstatements in individual account balances or classes of transactions could exceed materiality for the accounts as a whole.
2.3 Preliminary analytical procedures
ISAs 315 and 520 cover the use of analytical procedures during the audit. These are used at planning to identify risk, as a form of substantive procedures to gather audit evidence and used to assist in forming an overall conclusion on the accounts.
Limitations: they require a sound knowledge/experience of the entity which can be limited in a first year audit, experienced staff may be required to carry them out and the quality of the procedure depends upon the reliability of source data.
Process: understand the business, develop an expectation, compare actual to expectation; unexpected variations indicate risk.
2.4 Analytical procedures – ratios
- Gross profit margin, used to assess profitability before taking overheads into account (gross profit/revenue x 100%)
- Operating margin, assesses profitability after overheads are taken into account (operating profit/ revenue x 100%)
- Return on capital employed measures how effectively resources are used to generate profits (operating profit/(equity + debt) x 100%)
- Current ratio assesses ability to pay current liabilities from current assets (current assets/current liabilities)
- Quick ratio assesses ability to pay current liabilities from reasonably liquid assets (current assets excluding inventory/ current liabilities)
- Gearing ratio assesses reliance on external finance (net debt/equity)
- Interest cover assesses ability to pay interest charges (profit before interest payable/interest payable)
- Trade receivables collection period assesses the average time taken to collect cash from credit customers (trade receivables/revenue x 365)
- Inventory holding period assesses the average length of time inventory is held (inventory/cost of sales x 365)
- Trade payables payment period assesses the average time taken to pay suppliers (trade payables/purchases x 365)
2.5 Risk assessment
ISA 315 defines business risk as the risks that could adversely affect an entity’s ability to achieve its objectives and execute its strategies. Directors should manage business risks such as financial, operational and compliance risks. The auditors are interested in business risks that impact on the accounts.
Business risks also arise from climate change. Auditors should challenge the business’s assessment and reporting in this area and how its conclusions are reached. Business risks in relation to climate change include non-compliance with regulation (which can result in fines, licences lost and forced closure), sectoral risks, loss of investors, failure to evolve or adapt, and extreme climate events. When something happens to a client, consider the impact on the accounts and on business risks, connect it to audit risks and consider the going concern assumption.
2.6 Audit risk
Audit risk is the risk that the auditor expresses an inappropriate opinion on the accounts. Audit risk = inherent risk x control risk x detection risk.
The risk that the accounts are materially misstated is made up of:
- Inherent risk: susceptibility of an assertion about transactions, balances or disclosure to a misstatement which could be material, assuming there were no related internal controls
- Control risk: risk that a misstatement is not prevented, detected, or corrected by the entity’s internal control systems
Detection risk is the risk that the procedures performed by the auditor do not detect a misstatement that exists and could be material and is made up of sampling risk (risk the conclusion drawn from the results of a sample test is different from the conclusion that would have been drawn had the whole population been tested) and non-sampling risk (risk of drawing the wrong conclusion for other reasons).
ISA 315 identifies significant risks that require special audit consideration (fraud, related party transactions, subjective items, complex items, and unusual transactions). In an audit this is done by carrying out the risk assessment procedures yourself, whereas in industry assurance providers may carry out the procedures in their own office.
2.8 Risk factors
ISA 315 requires the auditor to identify the specific risks arising at each audit client. The most common risk factors are:
- Management override: management manipulates accounting records so auditors must assess this risk at planning stage
- Journals: auditor should select journal entries for testing including unusual items, round number entries, journals made by individuals who do not normally do so, journals made outside normal office hours and postings to suspense accounts
- Revenue recognition: risk of misstatement is higher where management reward is linked to revenue or profit
2.9 Audit approach
ISA 330 states in order to reduce audit risk to an acceptable level, the auditor should determine overall responses to assessed risks at the account level and perform audit procedures to respond to assessed risks at the assertion level.
For overall responses: emphasise to staff the need to maintain professional scepticism, assign extra or more experienced staff, use the work of experts, provide more supervision on the audit, and incorporate more unpredictability into audit procedures. Responses at the assertion level include adjusting the nature, extent, and timing of procedures in response to the assessed risks (nature is the type of test, extent is how much testing, and timing is whether testing is during the year, at year-end or after year-end). Also consider risks from climate change.
When the auditor plans to rely on the work of others (such as internal audit or a third party) they need to make a general assessment (consider whether the third party is competent and independent) and a specific assessment (consider whether the piece of work on which the auditor wishes to place reliance is suitable for this purpose).
2.10 Reliance on controls vs substantive approach
Do a preliminary assessment of internal controls, including a walkthrough test. If controls are expected to be effective, carry out tests of control. If the tests show the controls are effective, substantive testing can be limited (some substantive testing is still performed because of the inherent limitations of controls). If the tests show the controls are ineffective, perform substantive testing (analytical procedures, tests of detail). If controls are not expected to be effective, perform substantive testing.
3.1 Audit plan
ISA 300 requires the auditor to develop a plan. This includes a description of the nature, extent and timing of planned risk assessment procedures and of further audit procedures at the assertion level. The plan develops over time: the auditor does not plan how to audit individual account balances until the results of the risk assessment have been considered. The audit plan can be modified where necessary.
Audit data analytics: data analytics can be embedded to assist with transaction analysis (look at 100% of transactions to identify those where controls have failed), judgemental areas (using sensitivity analysis to test assumptions on the net realisable value of inventory) and analytical procedures (using external market or economic data to form expectations).
The use of data analytics has the potential to improve audit quality as it provides a practical way to deal with big data. It enables 100% checking to take place, enhances the quality of audit information, makes procedures quicker and allows procedures to be carried out on a continuous basis. The results still need to be evaluated using professional scepticism and judgement to draw conclusions.
The potential problems with data analytics include the initial cost, the staff training required, the need to ensure data security, and the fact that the quality of the results depends on the reliability of the underlying data used.
4.1 Cyber security
Cyber security protects systems, networks, and data in cyberspace, including protection of data from unauthorised modification, disclosure or destruction, and protection of the information system from failure. Key risks to IT systems include hacking, fraudulent theft of funds, deliberate sabotage, viruses and other corruption, and denial of service attacks.
4.2 Risks
The growth of big data in the business environment has introduced new risks for businesses and their auditors to react to, including reputational damage, breaches of data protection legislation leading to fines, and misstatements in the accounts.
4.3 IT security controls
Security controls should cover prevention, detection, deterrence, and recovery procedures. Practical measures taken by organisations include:
- Business continuity planning: measures to ensure the business can continue in the event of disaster or system failure
- Systems access control: protection of systems and detection of unauthorised activity
- Systems development and maintenance: IT projects should be conducted securely, and development/maintenance should ensure systems and data are protected
- Physical and environmental security: prevention of unauthorised access to, damage to, theft of, or interference with assets/systems
- Compliance: monitor compliance with legal requirements and organisational policies
- Personnel security: recruitment of trustworthy employees, training, and reporting arrangements
- Security organisation: clear reporting lines and responsibility for information security
- Computer and network management: protection of system integrity and information especially when exchanged between organisations
- Asset classification and control: assign ownership of information assets
- Security policy: written policy available to all employees