ACCA Paper F 8 AUDIT AND ASSURANCE SERVICES (INTERNATIONAL STREAM)

Lecture 3 Audit Planning and Risk

DATE: TUTOR:

Autumn 2008

ISA 300 AUDIT PLANNING

Auditors should plan the audit so that the engagement is conducted in an effective manner. The objectives of planning include:

* Directing appropriate attention to the different areas of the audit, such as assessing materiality, so that when the detailed audit plan is prepared, audit procedures can be directed towards the material amounts.
* Identifying potential problems or risks so that they can be resolved at an early stage.
* Facilitating review and control of the audit.
* Assigning and briefing staff with appropriate skills, knowledge, training and proficiency.
* Coordinating the work of others, such as that of experts.
* Obtaining knowledge and understanding of the client's business.
* Providing an economic and effective service within appropriate timescales.

Planning an audit will permit development of:

* An audit strategy based on risk analysis.
* An audit plan that addresses the risks identified.

Planning procedures:

* Review the previous year's working papers.
* Identify problem areas encountered.
* Determine staffing requirements.
* Obtain an indication of time required.
* If the client is new, review the previous auditor's working papers to obtain closing balances which will affect this year's financial statements.
* Determine the trading pattern and problems faced by the client company.
* Establish timetable, important dates and deadlines.
* Assess the effect of changes from previous year:
  1. Systems
  2. Law and regulation
  3. Accounting policies
  4. Management
  5. Other relevant matters
* Perform analytical review or procedures on the latest accounts.
* Request preparation of cash and profit projections where solvency problems are foreseen.
* Review the work of internal audit.
* Evaluate whether reliance on other experts is necessary.
* Allocate and brief audit staff.

ISA 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISK OF MATERIAL MISSTATEMENT.

315.2 The auditor must obtain an understanding of the entity and its environment, including internal controls, so that they can identify and assess the risks of material misstatement on financial statements due to fraud or error and design and perform further audit procedures.

The objective of this standard is to ensure that auditors obtain sufficient knowledge of the business of the entity to enable them to identify and understand the events, transactions or practice that may have a significant effect on the financial statements or the audit. This knowledge of the business helps to assess the levels of control and inherent risk and to determine audit procedures.

Procedures to follow:

* Enquiry of management.
* Analytical procedures.
* Observation and inspection.

ISA 400 RISK ASSESSMENT

There are 2 main categories of risk:

1. Business Risk
2. Audit Risk

1. Business Risks

Business risk is the risk that the business will fail to meet its objective. Elements of business risk include:

* Financial risk, which arises from the company's activities, such as going concern problems, overtrading, credit risk, interest risk, currency risk and breakdown of accounting systems.
* Operational risk, arising from the operation of the business, such as lost business opportunities, loss of physical assets and lack of business orders.
* Compliance risk, arising from non-compliance with laws and regulations, such as breach of companies acts and health and safety regulations.

2. Audit Risk

Audit risk is the risk that the auditor comes to an invalid conclusion in the audit report and comes to an incorrect opinion, in that either:

1. The audit report is unqualified but subsequently material error is found in the financial statement.
2. The audit report is qualified but subsequently no material error is found in the financial statement.

There are two types of audit risks:

1. Inherent risk
2. Control risk

Inherent and control risk together form the risk of material misstatement. Detection risk is mainly a part of sampling risk.

1. Inherent risk is the risk that misstatement will occur due to factors inherent in the company's business or environment or the nature of an individual transaction or balance. It is the risk attached to an assertion that could cause a material misstatement. Certain assertions, related classes of transactions and account balances such as stock are more prone to risk. Inherent risk depends on the type of business.

The following have a high inherent risk:

* Businesses with products subject to changes in fashion and technology business. The risk is that stock could be overstated.
* Companies with a dominant chief executive.
* Small and new companies.
* Companies experiencing going concern problems.
* Companies facing a highly competitive environment.

2. Control risk is the risk that a misstatement that could occur in an account balance or class of transactions, and that could be material either individually or when aggregated with misstatements in other balances or classes, would not be detected and corrected on a timely basis by the accounting and internal control systems.

This is the risk that the client's internal control system will not prevent errors occurring or will not detect them after the occurrence so that they may be prevented. Examples of control risk: a corporate culture of slack control procedures, lack of proper reconciliation of ledger balances.

3. Detection risk is the risk that the auditor's substantive procedures do not detect a misstatement that exists in an account balance or class of transactions that could be material either individually or when aggregated with misstatements in other balances. One component of detection risk is sampling risk. Sampling risk is the possibility that the auditor's conclusion, based on a sample, may be different from the conclusion reached if the entire population were subjected to the audit procedure.

ISA 320 AUDIT MATERIALITY

Auditors must consider materiality and its relationship to audit risk when conducting an audit. Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements.

Materiality is an important concept in the audit process and affects:

* Audit risk evaluation.
* The nature, timing and extent of audit procedures (e.g. sample sizes).
* The determination of whether the financial statements are distorted by misstatements discovered.

The auditor's assessment of materiality is influenced by the following:

* The overall impact on the financial statements.
* Individual account balances and transactions.
* The size of the item. For example, an item may be large in relation to certain items in the financial statements: profit, turnover, gross assets, individual assets, and liabilities.

Quantitative materiality

An item is material if it is:

* > 5-10% of profit before tax
* > 1% of turnover
* > 1-2% of gross total assets
* > 2-5% of net assets
* > 10% of an individual asset/liability

Qualitative materiality is:

The nature of an item which is immaterial in size could be material if it

1. Illegal payment or otherwise immaterial amounts could be material. Material contingency could arise and result in a material loss of assets or revenue.
2. Inadequate or improper description of an accounting policy could be material. Users of the financial statements could be misled.
3. The requirement to disclose information in compliance with the Companies Act or other regulations (e.g. directors' transactions, even if immaterial in size).

4. Items required to be precisely stated (e.g. share capital & reserves, dividends, audit fees).

Assessing Risk: ISA 330 The auditor's procedures in response to assessed risks

ISA 330 indicates that the auditor must determine the nature and extent of audit evidence to be obtained from the performance of substantive procedures in response to the related assessment of the risk of material misstatement. This varies depending on the assessment of inherent and control risks. Irrespective of the assessed risk of material misstatement, the auditor designs and performs substantive procedures for each material class of transactions, account balance, and disclosure, and the assessed levels of inherent and control risk cannot be sufficiently low to eliminate the need to perform any substantive procedures. These substantive procedures may include the use of external confirmations for certain specific financial statement assertions.

The higher the auditor's assessment of inherent and control risk, the more reliable and relevant is the audit evidence the auditor needs to obtain from the performance of substantive procedures. The use of confirmation procedures may be effective in providing sufficient appropriate audit evidence.

On the other hand, the lower the assessed risk of material misstatement and the level of inherent and control risk, the less assurance the auditor needs from substantive procedures. For example, if an entity has a loan that it is repaying according to an agreed schedule, the terms of which the auditor has confirmed in previous years, and the other work carried out by the auditor, including tests of controls, indicates that the terms of the loan have not changed, this means that the risk of material misstatement and the level of inherent and control risk are low, and the auditor can limit substantive procedures to testing details of the payments made, rather than again confirming the balance directly with the lender.

In order to reduce risk to an acceptably low level, the auditor should determine overall responses to the assessed risks at the financial statement level and design and perform further audit procedures to respond to assessed risks at assertion level. ISA 240 defines assertions as representations by management that are included in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur.

Responses to risk at the financial statement level include:

* Emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence.
* Assigning more experienced staff or those with special skills or using experts, providing more supervision.
* Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed.
* Making general changes to the nature, timing, or extent of audit procedures as an overall response, for example, performing substantive procedures at period end instead of at an interim date.

The assessment of the risks of material misstatement at the financial statement level is affected by the auditor's understanding of the control environment. An effective control environment may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity and thus allow the auditor to conduct some audit procedures at an interim date rather than at period end. If there are weaknesses in the control environment, the auditor should conduct more audit procedures as of the period end rather than at an interim date, seek more extensive audit evidence from substantive procedures, and modify the nature of audit procedures to obtain more persuasive audit evidence.

Responses to risk at the assertion level include:

The auditor should design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement at the assertion level. In designing further audit procedures, the auditor considers such matters as the following:

* The significance of the risk.
* The likelihood that a material misstatement will occur.
* The characteristics of the class of transactions, account balance, or disclosure involved.
* The nature of the specific controls used by the entity and in particular whether they are manual or automated.
* Whether the auditor expects to obtain audit evidence to determine if the entity's controls are effective in preventing, or detecting and correcting, material misstatements.

The auditor's assessment of the identified risks at the assertion level provides a basis for considering the appropriate audit approach for designing and performing further audit procedures.

The response must use:

1. Test of controls

In some cases, the auditor may determine that only by performing tests of controls will he achieve an effective response to the assessed risk of material misstatement for a particular assertion. Tests of control are an audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. The auditor designs tests of controls to obtain sufficient appropriate audit evidence that the controls operated effectively throughout the period of reliance.

Matters the auditor may consider in determining the extent of the auditor's tests of controls include the following:

* The frequency of the performance of the control by the entity during the period.
* The length of time during the audit period that the auditor is relying on the operating effectiveness of the control.
* The relevance and reliability of the audit evidence to be obtained in supporting that the control prevents, or detects and corrects, material misstatements at the assertion level.
* The extent to which audit evidence is obtained from tests of other controls related to the assertion.

2. Substantive Procedures

If the auditor determines that performing only substantive procedures is appropriate for specific assertions, he can exclude the effect of controls from the relevant risk assessment. This may be because the auditor's risk assessment procedures have not identified any effective controls relevant to the assertion, or because testing the operating effectiveness of controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive procedures for the relevant assertion would be effective in reducing the risk of material misstatement to an acceptably low level. Often the auditor may determine that a combined approach using both tests of the operating effectiveness of controls and substantive procedures is an effective approach.

Substantive procedure: an audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise:

(i) Tests of details (of classes of transactions, account balances, and disclosures), and
(ii) Substantive analytical procedures.

Tests of detail are appropriate for matters identified as significant risks. These include complex or unusual transactions which may indicate fraud or other special risks.

Timing of Substantive Procedures

In most cases, audit evidence from a previous audit's substantive procedures provides little or no audit evidence for the current period.

Exceptions:

* A legal opinion obtained in a previous audit related to the structure of a securitization to which no changes have occurred may be relevant in the current period. In such cases, it may be appropriate to use audit evidence from a previous audit's substantive procedures if that evidence and the related subject matter have not fundamentally changed, and audit procedures have been performed during the current period to establish its continuing relevance.

Using audit evidence obtained during an interim period

In some circumstances, the auditor may determine that it is effective to perform substantive procedures at an interim date, and to compare and reconcile information concerning the balance at the period end with the comparable information at the interim date to:

(a) Identify amounts that appear unusual
(b) Investigate any such amounts
(c) Perform substantive analytical procedures or tests of details to test the interim period.

Performing substantive procedures at an interim date without undertaking additional procedures at a later date increases the risk that the auditor will not detect misstatements that may exist at the period end.

Test of Controls at interim stage:

When the auditor obtains evidence about the operating effectiveness of controls during an interim audit, the auditor should determine what additional audit evidence should be obtained for the remaining period.

Documentation

The form and extent of audit documentation is a matter of professional judgment, and is influenced by the nature, size and complexity of the entity and its internal control, availability of information from the entity and the audit methodology and technology used in the audit.

The auditor must document the following:

* Key elements of the entity
* Identified or assessed risk of material misstatement
* Responses to address risk
* Nature, extent, timing of procedures
* Conclusions

ISA 240 The auditor's responsibility to consider fraud in the audit of the financial statements.

External Auditor's Responsibilities

1. The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity's internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

2. In planning the audit and in performing audit procedures to reduce audit risk to an acceptably low level, the auditor must consider the risks of material misstatements in the financial statements due to fraud.

3. Auditors must be aware of the possibility of material misstatements due to fraud. The auditor must adopt an attitude of professional scepticism during the audit and be alert to circumstances that may lead to fraud.

4. Risk assessment procedures for fraud:

* Inquiries of management charged with corporate governance.
* Consideration of fraud risk factors.
* Changes in the entity such as large acquisitions or reorganizations or other unusual events.
* Use of off-balance-sheet finance, special-purpose entities, and other complex financing arrangements.
* Weaknesses in internal control, especially those not addressed by management.
* Significant amount of non-routine or non-systematic transactions, including inter-company transactions and large revenue transactions at period end.
* Consideration of results of analytical procedures.
* Non-compliance with laws and regulations that may materially affect the financial statements.

5. Appropriately design audit procedures. Increase sample size where assessed risk is high.

6. Obtain written management representations:

* Acknowledging that it is their responsibility to prevent and detect fraud.
* Confirming that they have disclosed to the auditor their own assessment of risk of fraud and any knowledge of fraud or suspected fraud.

7. Report:

* To the appropriate level of management if the auditor has identified fraud or is suspicious of fraud.
* To those charged with governance if fraud involves management, significant employees and third parties.
* To regulators if there is a statutory duty.

ISA 620 - USING THE WORK OF AN EXPERT

Expert means a person or firm possessing special skill, knowledge and experience in a particular field other than accounting and auditing. An expert may be:

(a) Engaged by the entity;
(b) Engaged by the auditor;
(c) Employed by the entity; or
(d) Employed by the auditor.

When the auditor uses the work of an expert employed by the auditor, that work is used in the employee's capacity as an expert rather than as an assistant on the audit. The auditor should obtain sufficient appropriate audit evidence that the scope of the expert's work is adequate for the purposes of the audit.

An expert's work can be used:

* At the planning stage, to obtain an understanding of the entity and perform further procedures in response to assessed risks.
* During the audit, to obtain audit evidence in the form of reports, opinions, valuations and statements of an expert.

The auditor needs to assess 4 issues in relation to an expert:

1. Necessity to use him.
2. Competence and objectivity: is he an employee or a contracted third party?
3. Scope of work of the expert.
4. Actual work. Consider the source data used, assumptions, methods and results.

Reference to an Expert in the Auditor's Report

1. When issuing an unqualified report, the auditor should not refer to the work of an expert. Such a reference might be misunderstood to be a qualification of the auditor's opinion or a division of responsibilities.

2. If, as a result of the work of an expert, the auditor decides to issue a qualified audit report, it may be appropriate to refer to or describe the work of the expert (including the identity of the expert and the extent of the expert's involvement). In these circumstances, the auditor would obtain the permission of the expert before making such a reference. If permission is refused and the auditor believes a reference is necessary, the auditor may need to seek legal advice.
