Showing posts with label audit strategy. Show all posts

Thursday, February 3, 2022

How to make a plan for conducting an audit engagement (ISA-300)

 Establishing the overall audit strategy for the engagement and producing an audit plan are both part of the planning process for an audit. The type and scope of preparatory activities will vary depending on the entity's size and complexity, the past experience of key engagement team members with the entity, and changes in circumstances that occur throughout the audit engagement. Planning is not a distinct phase of an audit; rather, it is a continuous and iterative process that often begins soon after (or in conjunction with) the completion of the prior audit and continues until the current audit engagement is completed.

The audit approach and plan

According to ISA 300, audit planning activities should include:

- establishing the overall audit strategy for the engagement; and

- developing an audit plan.

Audit Strategy

The audit strategy lays out in broad terms how the audit will be done, as well as the audit's scope, timing, and direction. After that, the audit strategy directs the creation of the audit plan, which includes the comprehensive responses to the auditor's risk assessment.

Audit Plan

The audit plan is more specific than the overall audit strategy since it specifies the nature, time, and scope of audit procedures that engagement team members will undertake. Prior to the auditor's identification and assessment of the risks of material misstatement, planning includes such matters as:

- The analytical procedures to be used as risk assessment procedures must be considered.

- Getting a general grasp of the legal and regulatory framework that applies to the entity, as well as how that framework is being followed.

- The process of determining materiality.

- The participation of experts.

- Performing other risk assessment techniques.

Benefits of Audit Planning

The audit of financial statements benefits from adequate planning in various ways, including the following:

- assisting the auditor in devoting adequate attention to critical areas of the audit.

- assisting the auditor in identifying and resolving potential issues in a timely manner.

- assisting the auditor in appropriately organizing and managing the audit engagement in order for it to be completed in a timely and effective manner.

- assisting in the selection of engagement team members with the necessary talents and expertise to respond to predicted risks, as well as the suitable assignment of tasks to them.

- facilitating the direction, supervision, and evaluation of engagement team members' work.

- assisting, if appropriate, in the coordination of work done by component auditors and experts.

Practice:

At the start of every audit engagement, the auditor must include the following in the audit documentation: (a) the overall audit strategy; (b) the audit plan; and (c) any major changes to the overall audit strategy or the audit plan made during the audit engagement, as well as the reasons for such changes.

 

Source: https://bit.ly/3Gok0V9

  https://bit.ly/3rnf5iZ

Wednesday, August 26, 2015

Audit Method: Controls

Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels. Examples of specific control activities include those relating to the following:

  1. Authorization.
  2. Performance reviews.
  3. Information processing.
  4. Physical controls.
  5. Segregation of duties.


An auditor would be required to conduct a walk-through test to confirm the understanding as documented. Identify the preventive controls (exercised before the occurrence of transactions and events) and the detective and corrective controls (exercised after the occurrence of transactions and events) established by management to support its assertions. Preventive, detective and corrective controls can be:

  1. Application controls
  2. IT-dependent manual controls
  3. Manual controls


Application controls are automated controls processed by the entity’s IT applications without manual interference. Examples of application controls are edit checks, validations, automatic calculations, authorizations, etc.
IT-dependent manual controls are controls in which we consider both the manual and the automated aspect of the control, e.g. a review of a computer-generated sales orders report to determine that all sales are invoiced.
Manual controls are those controls that are operated completely manually, e.g. bank reconciliations, when the entity reconciles cash to the bank statement.

Recommendation
Controls are performed to check the accuracy, completeness, and authorization of transactions. A concept called The Internal Control Stream is introduced by Thomas P. Houck in his book “Why and How Audits Must Change: Practical Guidance to Improve Your Audits”. According to Thomas P. Houck, this concept helps auditors better understand the many controls that can exist in a company. The "stream" represents the path that a transaction follows as it moves from inception to its ultimate resting place in the financial statements. Controls can be located at different spots along the stream. Upstream controls help to ensure that transactions are properly entered into the computer system. Information technology controls are automated controls that help to prevent misstatements. Downstream controls come into play after information is processed in a computer system. An auditor is required to apply appropriate tests of controls to assess the reasonableness of the design of the system of internal control by enquiring of relevant client personnel and documenting the same.

Wednesday, January 25, 2012

Audit Method: Audit Approach



Audit planning is one of the most interesting steps in the audit process. It requires applying audit-specific knowledge, business skills, and an understanding of one's own resources and the velocity of their usage.
In this post I am going to give a brief overview of some audit approaches and their applicability in real life.

Audit Process
The audit process could be depicted very simply, but the work done and time spent on each stage of the audit process have a crucial effect on audit efficiency and effectiveness (audit risk). The illustration demonstrates that basically we have two types of approach: the business risk approach with controls testing and the substantive approach.
[Illustration: Audit Process]
The approach in strategy should not be confused with the approach in tactics regarding a concrete account connected with a business process. In any case, we have to detect the most risky and material areas of clients’ financial statements, i.e. substantive testing of all accounts is not reasonable.
The second step is to identify our tactic regarding a concrete type of account and assertion. For example, the account is “fixed assets” (FA) and the assertion is “valuation”. The process which is reflected by these two elements is the “FA purchases” process. So at this point we might decide to test the value of FA items substantively or do some preliminary purchases tests of controls to reduce substantive work in later stages.

To test or not to test?
The outcome of control testing should be a combined risk assessment of financial statement risk and audit risk, i.e. the result per the well-known models:

Audit Risk = Inherent Risk x Control Risk x Detection Risk (1);
Audit Risk = Financial Statement Risk x Detection Risk (2).

Audit firms try to formalize risk assessments (low, moderate, high) and spot the point at which it would be reasonable to reduce substantive procedures. However, there is still a problem: a test of controls is time and money spent on procedures. And how do we know whether we should even start testing controls? What if, after extensive control testing, they proved to be ineffective? The mistakes might lead to an inefficient audit, harming auditors’ profit margin. Unfortunately, I might say that in the majority of cases the decision is made based on common sense and subjective opinion, i.e. there is no 100% proven scientific way to figure this out. Admittedly, to facilitate the right decision, auditors should understand the client’s business process, document suggested controls, and do a process walk-through. There are also some rules of thumb, e.g. if there are lots of small routine transactions, then tests of controls are likely to be the right option.

Additional factors
An audit with an accurate planning stage, thorough understanding of business processes and risk detection would require a highly proficient audit team. However, we live in the real world and we do not always have access to the best dream audit teams :). The point is that the audit approach should be understandable by team members and fit their abilities: for someone it would be easier (time/budget factor) to vouch 1000 transactions than to make a decision based on the analytical job of connecting facts from the process narrative, walk-through, initial strategy, and audit methodology. I mean that the process need not be overcomplicated. I would suggest the following basic principles for establishing strategy:
  1. Efficiency (budget);
  2. Effectiveness (prudence, audit risk);
  3. Complexity/easiness to bring about;
  4. Understandability (and acceptability) for all members of team: from partner to audit staff.
In future blog posts, it would be interesting to elaborate on each of the above principles.

Conclusions
This is only an outline of audit approaches. The topic is enormous and I will try to cover the most arguable areas. Your comments are welcome as usual.
PS Please, do not forget to vote for your top 3 favorite subjects. The polls are going on the right-hand side of the blog.