Chapter 6 Audit Planning and Risk Assessment

Learning Objectives 1. Learn the steps of the planning process for an integrated audit. 2. Become familiar with the components that impact the audit strategy and audit plan. 3. Understand the relationship of risk assessment, materiality, and planning. 4. Define the Fraud Triangle and recognize fraud risk factors. 5. Identify triggers for reevaluating the audit strategy and audit plan. 6. Summarize important information that is documented as part of audit planning. 7. Identify changes that can be made to audit approaches for higher risk areas. 8. Explain different types of audit activities and their purposes.

Overview of the Planning and Risk Assessment Process Exhibit 6-1

One Engagement  Planning for an integrated audit must achieve the objectives of both audits – opinion on the financial statements and opinion on ICFR  Auditor needs sufficient evidence to  Assess risk  Address ICFR effectiveness  For an ICFR opinion in a financial statement audit  For decision on how much to rely on ICFR in a financial statement audit  Address fairness of the financial statements

Overview of Planning  Audit planning is a continuous process; the audit plan may need to be adjusted as new information is obtained  Risk assessment is integrated throughout, including assessing fraud risk  Steps in planning  Establishing the audit strategy  Planning the audit resources  Develop the audit plan  Communication on planning

Overall Audit Strategy  Big picture of the audit; auditors can do this before they do audit procedures based on  Experience in and knowledge of the industry  Information gained through client acceptance process  Previous audit engagements, such as quarterly reviews  Components of the audit strategy  Scope of the engagement  Timing  Materiality and risk  Fraud risk

Audit Strategy: Scope of the Engagement  What are deliverables for this particular client?  How much and what type of work does the auditor need to do?  When and where does the work need to be done?  How should the work be scaled to fit the size, environment and complexity of the audit client?

Audit Strategy: Scope of the Engagement Client attributes that affect scope:  Accounting presentation  Is the presentation US GAAP, IFRS, GASB, statutory based, other?  Entity structure  Is it public or privately owned? Is it a parent or subsidiary? Does it have multiple locations, and if so what is the materiality at the other locations?  Information technology  Complexity of the system? Entity level and application controls?  Client outsourcing  How important are outsourced services? How will audit address the service provider?  Work of others  How will this affect the nature, timing and extent of audit procedures?  First year vs. continuing audits

Audit Strategy: Timing  Client events that create audit deadlines  Key dates for communication with management, Audit Committee and Board of Directors  SEC deadlines for filing quarterly and annually  Date at which other auditors will supply or need audit reports  Requirements of other regulators  Are audit resources (human resources) available in the right combinations at the right times?

Audit Strategy: Materiality and Risk  Materiality  …the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probably that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatements

Audit Strategy: Materiality and Risk  Auditors assess materiality based on whether the issue would influence the economic decisions of users with certain qualifications  Appropriate knowledge  Willingness to study the financial statements  Understand the concept of materiality  Understand measurement issues like estimates and judgments  Will make appropriate economic decisions using the financial statements

Audit Strategy: Materiality and Risk Top Down Approach  What amount is material at the financial statement level?  What accounts and disclosures are significant to the financial statements?  What assertions are relevant to the significant accounts and disclosures?  What could go wrong to cause a material misstatement or omission related to each relevant assertion in each significant account or disclosure?  Is there a control in place that is intended to prevent that event (the risk) from occurring or that will detect it on a timely basis? If yes, is the control designed sufficiently well that (if it operates effectively) it will prevent or detect the risk? If yes, does the control operate well enough (effectively) to prevent or detect the risk?  Are there any material misstatements or omissions in any significant accounts or disclosures?

Audit Strategy: Materiality and Risk  Materiality includes both quantitative and qualitative aspects; something might not be material from a quantitative perspective but have qualitative characteristics that make it material regardless of amount. Management fraud is an example of something that is material regardless of amount.  Significant risks are risks in the business that are important enough to require special audit consideration. When auditing a non-public company that does not require an ICFR opinion the auditor may not choose to rely on internal controls when planning tests of balances. Even in that situation, the auditor must identify and assess the impact of significant risks.

Audit Strategy: Materiality and Risk  Materiality  Set at financial statement level and at account balance level  Planning concepts of materiality:  Tolerable misstatement (for account balances)  Tolerable rate of error (for ICFR)  Qualitative materiality  Auditor judgment  Benchmarks or rule of thumb, or quantitative analysis to set planning materiality

Audit Strategy: Materiality and Risk  The auditor decides what tolerable misstatement is for an account balance and tolerable rate of error is for a control.  The auditor conducts the planned audit procedures to test the account balance. In general, if the conclusion is that the account balance misstatement is less than the tolerable misstatement the auditor accepts the account balance.  If a control is effectively designed, the auditor conducts the planned audit procedures to test the operating effectiveness of the control. In general, if the conclusion is that the control’s failure rate is less than the tolerable rate of error, then the auditor concludes that the control is effective.

Audit Strategy: Fraud Risk  Preliminary assessment of fraud risk during planning; brainstorming session  Responsibility to maintain professional skepticism  Fraud Triangle: incentive, opportunity, rationalization  Auditor specifically tests the operating effectiveness of anti-fraud controls  Audit planning also includes client’s risk of illegal acts that could materially impact the financial statements

Audit Strategy: Fraud Risk  Anti-fraud controls include those:  Over significant, unusual transactions particularly late or unusual journal entries  Over journal entries and adjustments made in the period-end financial reporting process  Over related party transactions  Related to significant management estimates  That mitigate incentives for, and pressures on management to falsify or inappropriately manage financial results

Audit Strategy  Recent significant developments  Recurring engagement: events since the last audit  New engagement: events since the client was accepted  Can be internal events or external developments  Auditor spends more time on these issues  Sources of information for the audit strategy  Client acceptance and continuance activities  Understanding the client’s system  Other engagements for the client  Planning meeting and planning memorandum

Planning the Audit Resources  Assignments of the audit team  Timing of audit work  High-risk areas  Engagement budget

Audit Resources: Assignments  The work must be planned and any assistants must be properly supervised; required by auditing standards and quality control standards  Supervision includes instruction and review  The firm should match jobs to individuals based on difficulty and complexity of the job and experience and expertise of the individual  How much time of people at which levels does the audit require?  Sometimes there is a trade-off – a person with greater skills can perform the task faster and better, will require less instruction and the review will be easier

Audit Resources: Timing  Terms  Interim procedures, interim date  Busy season  Timing of procedures in audit plan is for best effectiveness and efficiency.  Interim work helps  Discover problems earlier so the client can fix them or the auditor can plan to spend more time on them during year end work  When the client does not retain records or not in the original format  Some work must be done at or after year end  ICFR audit work on the client’s year end financial reporting process  Agreeing financial statements to the accounting records  Examining adjustments made when preparing the financial statements

Audit Resources: Timing  Roll forward audit procedures  When procedures performed at an interim date have to be carried forward through fiscal year end  Applies to ICFR work for financial statement and ICFR audits  Does a control that was tested at an interim date continue to operate in the same way (either good or bad) through the end of the year?  Applies to financial statement audit work  Reconcile an account balance tested at an interim date with the year end account balance

Audit Resources: High Risk Areas  Based on risk assessment procedures  More audit effort is directed toward high risk areas  e.g., more tests, more experienced staff, specialists  Specialist: a person or firm possessing special skill or knowledge in a particular field other than accounting or auditing  Can work for client, CPA firm or may be an outsider  Audit evaluates qualifications and work of specialist before using it  If specialist’s work is unreasonable, auditor does more work  Examples: actuaries, appraisers, engineers, environmental consultants, geologists, lawyers  A professional particularly knowledgeable about IT may be needed  Computer system is pervasive and critical to operations; is new, recently changed, complex; uses emerging technology; used for e-commerce

Audit Resources: High Risk Areas  IT expert’s potential contributions to the audit  Determining the effect of IT on the audit  Understanding the IT controls  Designing and performing tests of IT controls  Designing and performing IT-related or IT-based substantive procedures

Audit Resources: Engagement Budget  Audit planning includes preparing a preliminary time budget  Detailed by areas of the audit  Indicates anticipated time of professionals at various experience levels for each area  Purposes and uses of a time budget  Planning engagements  Evaluating staff  Managing the firm  Audit professionals track and report time spent on the engagement  Firm can compare budget with actual outcomes  Budgeted to actual is used for billing, evaluating staff performance and bidding on future engagements

Develop the Audit Plan  Nature, timing and extent of audit procedures  Top down approach  Different types of audit procedures

Audit Plan: Nature, Timing and Extent  First the auditor has to know:  Management assertions (which requires knowing which accounts are important), materiality, risk, timing driven by client specifics  Terms are used a lot; meaning is simple:  Nature is type of test, control or substantive, and which specific audit procedures is to be performed  Timing is when it is to be performed; considerations are having audit resources available, evidence availability, being able to test the period for which evidence is needed  Extent is quantity of testing to be performed

Audit Plan: Nature, Timing and Extent  Nature: Tests of controls  For ICFR audit, the auditor must test controls  For financial statement audit, auditor tests those controls that are to be relied upon – for entire period of planned reliance  If a significant account, type of transaction, or disclosure is susceptible to material misstatement, the auditor defines what causes that susceptibility. If a control exists that is effectively designed to prevent or detect the event that will cause the account or disclosure to be materially misstated, the auditor plans how to test the controls operating effectiveness.  Nature: Substantive Procedures  Purpose is straightforward, tests are planned to detect material misstatements that exist in the financial statements  Nature: Types of procedures to obtain audit evidence  Inspection, observation, inquiry, external confirmation, recalculation, reperformance, analytical procedures

Audit Plan: Nature, Timing and Extent  Extent: If test are properly designed for the audit issue being evaluated, the assumption is that more testing provides more evidence.  Extent considerations includes sampling decisions  Discussed more in later chapters  Properly designed sampling approaches can provide sufficient evidence to permit the auditor to draw valid conclusions without examining all the transactions

Audit Plan: Top Down Approach  How to plan substantive audit steps…identify, assess and decide upon:  Significant accounts, transactions or disclosures  Relevant assertions for them  Risks of material misstatement related to those assertions  Substantive audit procedures to address those possible material misstatements

Audit Plan: Top Down Approach  How to plan control audit steps…identify, assess and decide upon:  Significant accounts, transactions or disclosures  Relevant assertions for them  Risks of material misstatement related to those assertions  Causes of the risks  Controls that address the causes of the risks  Tests of the controls

Audit Plan: Types of Audit Procedures  Audit evidence: an accumulation of activities, documents and information that persuades the auditor to have reasonable assurance that management’s assertions are appropriate.  AS 5, to test controls:  Inquiries, inspection of documents, observation, reperformance  Walkthrough is the term for tracing a transaction through initiation, authorization, processing and recording.  Walkthroughs are used to understand the system and assess design effectiveness

Audit Plan: Types of Audit Procedures  Audit procedures for a financial statement audit include those listed by AS 5 for controls, and more:  Inspection of records, documents, tangible assets  Observation  Inquiry  External confirmation  Recalculation  Reperformance  Analytical procedures

Communication on Planning  After initial audit planning, auditor may meet with management  Auditor may provide an overview of the plan for the audit  Auditor provides general information about scope and timing, but not a level of detail that would compromise the audit’s effectiveness

Overview of Planning Exhibit 6-9

Appendix A: Using the Work of Others

Other Independent Auditors vs. “Others”  Sometimes more than one independent auditor works on an audit  Auditor who does the most is called the principle auditor  Principle auditor must decide whether it was sufficiently involved in the work of the other firm to take responsibility for the conclusions on that work  Impacts the audit report  “Work of others” guidance does not address the principal auditor – other auditors situation

Deciding to Rely on the Work of Others  In deciding whether to rely on the work of others in planning and executing the audit, the auditor must evaluate  The individual who performed the work  Competence  objectivity  The subject matter or target of the work performed  Materiality  Risk associated with controls  Subjectivity of the evaluations in the procedures

Effect on the Independent Auditor’s Work  The auditor will be very careful in deciding whether to use the work of others that has been done on the control environment since that work has such a big impact on other decisions in the audit.  When a account, disclosure or control is associated with greater risk (including because of materiality) the auditor performs more work personally and relies less on the work of others.  The work of others may cause the auditor to change the nature, timing and extent of audit procedures; can result in either more or less audit attention to a particular area.

Effect on the Independent Auditor’s Work  The auditor relies less on the work of others if more judgment is required to determine whether a misstatement is important or a control is performing effectively.  The auditor does more work personally on controls over period-end financial reporting because problems in this process present significant risk of misstatement to the financial statements.  Accounts that incorporate important estimates or judgments made by management require more personal work by the auditor and less use of the work of others; e.g., revenue recognition, collectibility of receivables, appropriate accounting for derivatives.

Effect on the Independent Auditor’s Work  If an account is susceptible to management override the auditor relies less on the work of others.  Some accounts may have a low enough risk of material misstatement that the auditor may choose to rely on the work of others rather than performing procedures; possibilities are existence of cash, prepaid assets and fixed asset additions.  High risk and judgment needs can cause the auditor to perform more audit work in addition to that performed by others; examples are  Valuations requiring significant estimates  Related party transactions, contingencies, uncertainties, subsequent events

Evaluating and Testing Other’s Work  Auditor must decide how much evaluation and testing to do on the work of others; professional judgment  How much will the work of others affect audit decisions?  How competent and objective is the other person?  What were the accounts and controls the other person worked on?  Procedures to test work of others  Examine some of the controls, transactions or balances that others examined and compare results  Examine controls, transactions or balances similar to the ones examined by others and compare results

Audit Impact of Work of Others  The auditor can consider the work of others in planning and performing audit procedures; can either increase or decrease audit work because of the work of others and results  Others can actually provide direct assistance on the audit; auditor must:  Assess competence and objectivity  Supervise, review, evaluate, and test work  Inform works on responsibilities, objectives of procedures, important accounting and auditing matters, need to report significant findings to the auditor

Copyright “Copyright © 2011 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.”