LECTURE 5:

MAIN AUDIT CONCEPTS AND

PLANNING THE AUDIT

1
 Learning objectives
After studying this lecture, students should be able to:
 State what the general objective is in planning an audit
 Give the standard planning procedures.
 Understand the knowledge of a client’s business required to plan the audit.
 Discuss the relevant aspects of understanding the entity and its environment
 Describe what is done during initial interviews, discussions and site visits
with the client
 Know how legal obligations of the client are investigated
 Identify the steps in the strategy-oriented framework for understanding the
entity.
 List the different types of risk that auditors must assess in planning
 Define each type of risk

2
 Learning objectives
After studying this lecture, students should be able to:
 Know the auditor’s definition of ‘materiality’
 Illustrate the conditions that determine materiality.
 Understand the difference between financial statement fraud and
misappropriation of assets.
 Discuss the ‘fraud triangle’ factors that may lead to fraud.
 Identify responses to fraud assessment.
 Grasp the role of the auditor’s expert in the audit.
 Be acquainted with the relationship between the external auditor and the
auditee’s internal auditor.
 Be aware of the audit procedures when the entity uses third-party service
organisations for activities that impact the financial statements.
 Comprehend inherent risk and the procedures to assess it.
 Be familiar with the planning memorandum and audit plan
3
 CONTENT
5.1. Planning Objective and Procedures
5.2. Understanding the Entity and its Environment
5.3. Audit Risk Model
5.4. Materiality
5.5. Fraud and Irregularities
5.6. Using the Work of Others and Considering Auditee Use of
Service Organisations
5.7. Inherent Risk Assessment
5.8. Internal control and Control risk assessment
5.9. Other Planning Activities

4
5.1. PLANNING OBJECTIVE AND PROCEDURES

International Standards on Auditing 300 (ISA 300)

‘Planning an Audit of Financial Statements’ states: ‘the
objective of the auditor is to plan the audit so that it will
be performed in an effective manner … The auditor
shall establish an overall audit strategy that sets the
scope, timing and direction of the audit, and that guides
the development of the audit plan.’

5
5.1. PLANNING OBJECTIVE AND PROCEDURES

 Planning Objective

 the objective of planning is to determine timing and scope

of the audit and the amount and type of evidence and
review required to assure the auditor that there is no
material misstatement of the financial statements. This is
Phase II in the Audit Process Model.

6
5.1. PLANNING OBJECTIVE AND PROCEDURES

 Planning Procedures
 The planning procedures are:
1. Perform audit procedures to understand the entity and its
environment, including the entity’s internal control.
2 Assess the risks of material misstatements of the financial
statements.
3. Determine materiality.
4. Prepare the planning memorandum and audit programme
containing the auditor’s response to the identified risks

7
5.2. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

 In the client acceptance phase (Phase I of the audit process

model), the auditors review material that is readily available
about the entity and the entity’s environment (annual reports,
public news, and public information databases).
 In the planning phase the auditor’s understanding of the entity
and its environment should grow significantly. As ISA 315
points out, this understanding is an essential aspect of carrying
out an ISA audit. It establishes a frame of reference within
which the auditor plans the audit and exercises professional
judgement about assessing risks of material misstatement of
the financial statements and responding to those risks.

8
5.2. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

 Procedures to Obtain an Understanding

 ISA 315 provides an overview of the procedures that the auditor should
follow in order to obtain an understanding sufficient to assess the risks
and consider these risks in designing the audit plans. The risk
assessment procedures should, at a minimum, be a combination of the
following:
- Inquiries of management
- Analytical procedures
- Observation and inspection
- Other Information Sources

9
5.2. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

 Procedures to Obtain an Understanding

 Audit Team Discussion
ISA 315 requires a team-wide discussion of the susceptibility of the financial
statements to material misstatement. An important reason for this
requirement is the consideration that the team members collectively have a
broader access to people within the organisation and their insights

 Continuing Client
If the client is a continuing one, prior year’s working papers are reviewed
and reliance can be placed on the observations from prior periods.
The client’s permanent audit file frequently contains information on
company history and records of most important accounting policies in
previous years. However, before relying on existing working papers, the
auditor needs to make sure that there have been no significant changes in the
relevant aspects of the client’s entity or environment
10
5.2. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

 Understanding the Entity and its Environment

ISA 315 distinguishes the following relevant aspects in the understanding of
the entity and its environment:
■ industry, regulatory and other external factors, including the applicable
financial reporting framework;
■ nature of the entity, including the entity’s selection and application of
accounting policies;
■ the entity’s selection and application of accounting policies, including the
reasons for changes the appropriateness for its business and consistency with
the applicable financial reporting framework.
■ objectives and strategies, and the related business risks that may result in a
material misstatement of the financial statements;
■ measurement and review of the entity’s financial performance.

11
5.3.AUDIT RISK MODEL

 The Risk Assessment Process

 Before risk can be assessed, the auditor must perform procedures to obtain
an understanding of accounting and internal control systems.
 Audit procedures to obtain an understanding are referred to as ‘risk
assessment procedures’ because some of the results may be used by the
auditor as audit evidence to support the assessments of the risks of
material misstatement of the financial statements.
 The audit evidence obtained might also apply to transactions, account
balances, disclosures, and the operating effectiveness of controls.
 The auditor examines the risks of material misstatement at the financial
statement level and at the financial statement assertion level for classes of
transactions, account balances and disclosures.
 Risks that exist at the financial statement level are pervasive, i.e. they
have a potential impact on a large number of items in the financial
statements 12
5.3.AUDIT RISK MODEL

 Assessment Tasks

To assess the risks of misstatement of the financial statements, the auditor

performs four tasks:
1. Identify risks by developing an understanding of the entity and its
environment, including relevant controls that relate to the risks. Analyse the
strategic risks and the significant classes of transactions.
2. Relate the identified risks to what could go wrong in management’s
assertions about completeness, existence, valuation, occurrence, and
measurement of transactions or assertions about rights, obligations,
presentation, and disclosure.
3. Determine whether the risks are of a magnitude that could result in a
material misstatement of the financial statements.
4. Consider the likelihood that the risks will result in a material misstatement
of the financial statements and their impact on classes of transactions, account
balances and disclosures. 13
5.3.AUDIT RISK MODEL

 Business Risk, Audit Risk and its Components

Business risks: result from significant conditions, events, circumstances, or

actions that could adversely affect the entity’s ability to achieve its objectives
and execute its strategies.

- Even though such risks are likely to eventually have an impact on an entity’s
financial statements, not every business risk will translate directly in a risk of
a material misstatement in the financial statements, which is often referred to
as audit risk.

14
5.3.AUDIT RISK MODEL

 Business Risk, Audit Risk and its Components

Audit Risk:
* Audit risk is the risk that the auditor gives an inappropriate audit opinion
when the financial statements are materially misstated.
* Audit risk is a measure the reliability of the information used by the
accounting system is, i.e. how much reliance can be put on it. The higher the
audit risk, the more evidence must be gathered in order for the auditor to
obtain sufficient assurance as a basis for expressing an opinion on the
financial statements
* Audit risk has three components: inherent risk, control risk and detection
risk

15
5.3.AUDIT RISK MODEL

Audit Risk
Risk of Risk that the Auditors
Audit Risk Material * Fail to
= Misstatement Detect the
Misstatement

= Inherent Control Detection

Risk * Risk * Risk

Risk of material misstatement: The risk that the

financial statements contain a material
misstatement due to fraud or error prior to the
audit.
5.3.AUDIT RISK MODEL

 Business Risk, Audit Risk and its Components

Inherent risk: is the susceptibility of an account balance or class of

transactions to misstatements that could be material, individually or when
aggregated with misstatements in other balances or classes, assuming that
there were no related internal controls.
Control risk: is the risk that a misstatement that could occur in an account
balance or class of transactions and that could be material – individually
or when aggregated with misstatements in other balances or classes – will
not be prevented or detected and corrected on a timely basis by
accounting and internal control systems.
Detection risk: is the risk that an auditor’s substantive procedures will not
detect a misstatement that exists in an account balance or class of
transactions that could be material, individually or when aggregated with
misstatements in other balances or classes

17
5.3.AUDIT RISK MODEL

Illustration of Audit Risk

5.3.AUDIT RISK MODEL

Audit Risk
Model

Risk of Material Risk that the Auditors

Audit Risk Misstatement * Fail to
= Detect the
Misstatement

= Inherent Contro Detectio

l n
Risk * Risk * Risk
 Audit Risk Formula
Solving for Detection Risk

AR
DR
 IR
CR
 Implications
» Assuming constant, sufficiently low AR, detection
risk is inversely related to IR and CR

↑ combined IR and CR ↓ allowed DR ↑

substantive
evidence
 Interrelationship of the components of audit risk

Assessment of Control Risk

Detection risk matrix
High Medium Low

High Low Low Medium

Assessment
of Inherent Medium Low Medium High
Risk

Low Medium High High

5.4. MATERIALITY

Materiality

Materiality is the magnitude of

an omission or misstatement of
accounting information that, in
the light of surrounding
circumstances, make it probable
that the judgment of
reasonable person relying on
the information would have
been changed or influenced by
the
omission or misstatement.

Slide 5- 13
5.4. MATERIALITY

Materiality
 Materiality is a relative rather than absolute
concept
 Materiality includes both quantitative and qualitative
consideration (size and nature of the misstatement)
5.4. MATERIALITY

Evaluating Materiality
 Quantitative materiality level
No official guidelines within auditing standards
Bases for evaluating Materiality
5-10% of Net Income before Taxes
½-1% of Total Assets
½-1% of Total Revenue
1- 2% of Equity
Auditor add up all individually immaterial
misstatements in order to detect material
misstatement in aggregate.
5.4. MATERIALITY

Materiality

Net profit before tax is $4 million in

current year and the auditor uses 5% of
net profit before tax to determine the
overall materiality

=> Determine Overall materiality level?????

5.4. MATERIALITY

Evaluating Materiality

 Qualitative Considerations
- Amount involve fraud are usually more important than
unintentional errors of equal dollar amounts => reflect on
honest and reliability of management.
- Misstatements that are otherwise minor may be material if
there are consequences influenced related significant
accounts
- Misstatements that are otherwise material if they affect
a trend in earning.
- Note: Materiality is a matter of Professional Judgement
5.5. FRAUD AND IRREGULARITIES

What is Fraud?
 Fraud is an intentional act by one or more individuals among
management, those charged with governance, employees, or
third parties, involving the use of deception to obtain an unjust
or illegal advantage.
 Two types (In the context of auditing ):
» Misstatements resulting from fraudulent financial
reporting
» Misstatements resulting from misappropriation of
assets.
5.5. FRAUD AND IRREGULARITIES

Types of Fraud
Fraudulent Financial Reporting (“management
fraud”)
 Misrepresentation in, or intentional omission from, the
financial statements of events, transactions, or other
significant information
 Manipulation, falsification or alteration of records or
documents from which financial statements are prepared
 Intentional misapplication of accounting principles
relating to amounts, classification, manner of
presentation, or disclosures.

Slide 5-
28
5.5. FRAUD AND IRREGULARITIES

Types of Fraud - cont

Misappropriation of assets
“employee fraud”
 Misappropriation of assets – often
accompanied by false or misleading
records in order to conceal that the assets
are missing
Examples include:
 Embezzling receipts
 Stealing physical assets or
intellectual property
 Payroll fraud
 ……

Slide 5-
29
 Bookkeeping
scandals

October
16,
June 20, 2002 September, 2003 March 28, 2002
2001
Issue: Off-Balance Issue: Financial Issue: Financial Issue: Financial
Sheet Accountingand Reporting Fraud Reporting Fraud Reporting Fraud
Financial Reporting and inappropriate and embezzlement
Fraud consolidation
Impact: $9 billion
Impact: $3 billion in unreported Impact: $2.5
Impact: $ millions
in undisclosed expenses billion of hidden
Slide 5-
losses in overstated
debt
30 earnings
5.5. FRAUD AND IRREGULARITIES

Causes of Fraud
– Fraud Triangle

Attitudes/Rationalizations

Fraud
Triangl
e

Incentive/Pressures Opportunities

Slide 5-
31
5.5. FRAUD AND IRREGULARITIES

What is Error?
Unintentional mistakes in financial
information such as:
 Errors of commission: mathematical or clerical mistakes in
the recording and accounting data;
 Errors of omission: transactions, events is left out of an
accounting statement by mistake.
 Errors of principle: misapplication or misunderstanding of
accounting policies unintentionally. Ex: wrong allocation
between different accounts, wrong valuation of assets,…

Slide 5-
32
5.5. FRAUD AND IRREGULARITIES

Causes of accounting errors

 Pressures: Time pressure in the process of recording
accounting transaction, pressure of working
environment,…

 Working style of accountants : Careless or

negligent, distraction,..

 Limited qualification of accountants

Slide 5-
33
5.5. FRAUD AND IRREGULARITIES

Responsibility for
Prevention & Detection

Management Responsibility
 The primary responsibility for the prevention and
detection of fraud and error rests with both those
charged with governance and the management of an
entity. The respective responsibilities may vary from
entity to entity.
 The management is responsible for establishing and
maintain policies and procedures by implementing
and ensuring continued operation of internal
control, which are designed to detect and prevent
fraud and error.
5.5. FRAUD AND IRREGULARITIES

Responsibility for
Prevention & Detection

Auditor’s Responsibility
 The auditor should consider the risk of material
misstatements in the financial statements resulting from fraud
or error.

 An auditor cannot obtain absolute assurance that material

misstatements in the financial statements will be detected. The
auditor is able to obtain reasonable assurance that material
misstatements in the financial statements will be detected.
5.6. USING THE WORK OF OTHERS AND
CONSIDERING AUDITEE USE OF SERVICE ORGANISATIONS
Using the Work of an Auditor’s Expert

 ISA 620 ‘Using the Work of an Auditor’s Expert’ deals with the
auditor’s responsibilities relating to the work of an auditor’s expert
when that work is used to assist the auditor in obtaining sufficient
appropriate audit evidence.
 An auditor’s expert is an individual or organisation possessing
expertise in a field other than accounting or auditing, whose work in
that field is used by the auditor to assist the auditor in obtaining
sufficient appropriate audit evidence.
 An auditor’s expert may be either an auditor’s internal expert (who is a
partner or staff, including temporary staff, of the auditor’s firm or a
network firm), or an auditor’s external expert.

36
5.6. USING THE WORK OF OTHERS AND
CONSIDERING AUDITEE USE OF SERVICE ORGANISATIONS
Using the Work of the Auditee’s Internal Auditors
 ISA 610 ‘Using the Work of Internal Auditors’ deals with the external
auditor’s responsibilities relating to the internal audit function when the
external auditor has determined that the internal audit function is likely to be
relevant to the audit.
 The internal audit function is an appraisal activity established or provided as
a service to the entity. Its functions include, amongst other things,
examining, evaluating and monitoring the adequacy and effectiveness of
internal control.
 The external auditor has sole responsibility for the audit opinion expressed,
and that responsibility is not reduced by the external auditor’s use of the
work of the internal auditors

37
5.6. USING THE WORK OF OTHERS AND
CONSIDERING AUDITEE USE OF SERVICE ORGANISATIONS
Audit Considerations Relating to an Auditee Using a Service Organisation
 ISA 402 ‘Audit Considerations Relating to an Entity Using a Service
Organisation’ discusses the external auditor’s responsibility to obtain
sufficient appropriate audit evidence when an auditee uses the services of
one or more service organisations.
 A service organisation is a third-party organisation (or segment of a third-
party organisation) that provides services to user entities that are part of
those entities’ information systems relevant to financial reporting.

38
5.6. USING THE WORK OF OTHERS AND
CONSIDERING AUDITEE USE OF SERVICE ORGANISATIONS
Audit Considerations Relating to an Auditee Using a Service Organisation
 A service organisation’s services are part of a user entity’s information
system if these services affect any of the following:
■ The classes of transactions in the auditee’s operations that are significant to
their financial statements.
■ The procedures, within both information technology (IT) and manual
systems, by which the entity’s transactions are initiated, recorded, processed,
corrected, transferred to the general ledger and reported in the financial
statements.
■ The related accounting records supporting information and specific accounts
in the user entity’s financial statements.
■ The financial reporting process used to prepare the user entity’s financial
statements, including significant accounting estimates and disclosures.
■ Controls surrounding journal entries, including non-standard journal entries
used to record non-recurring, unusual transactions or adjustments
39
5.6. USING THE WORK OF OTHERS AND
CONSIDERING AUDITEE USE OF SERVICE ORGANISATIONS
Audit Considerations Relating to an Auditee Using a Service Organisation

 The objectives of the auditor when the auditee uses the

services of a service organisation are to obtain an
understanding of the nature and significance of the services
provided by the service organisation and their effect on the
user entity’s internal control and to design and perform
audit procedures responsive to those risks

40
5.7. INHERENT RISK ASSESSMENT

 Inherent risk is the susceptibility of an assertion about a class of

transaction, account balance or disclosure to a misstatement that
could be material, either individually or when aggregated with
other misstatements, before consideration of any related controls
 The assessment of the risks of material misstatement may be
expressed in quantitative terms, such as in percentages, or in non-
quantitative terms

41
5.7. INHERENT RISK ASSESSMENT

 Factors affecting inherent risk:

- combination of industry, regulatory and other external factors
- the entity’s operations, its ownership and governance structures, the
types of investments
- the entity’s objectives and strategies, and those related business
risks.

Auditors assess IR , do not manage the IR

42
5.8. INTERNAL CONTROL AND CONTROL RISK ASSESSMENT

International Auditing and Assurance Standards Board

(IAASB) issues:
 International Standards on Auditing (ISAs) as the standards to be
applied by auditors in reporting on historical financial information.
 International Standards on Assurance Engagements (ISAEs) as the
standards to be applied by practitioners in assurance engagements
dealing with information other than historical financial information
 International Standards on Quality Control (ISQCs) as the
standards to be applied for all services falling under the Standards of
the IAASB, and
 International Standards on Related Services (ISRSs) as the
standards to be applied on related services, as it considers appropriate
 International Standards on Review Engagements (ISREs) as the
standards to be applied to the review of historical financial
information.
43
5.8. INTERNAL CONTROL AND CONTROL RISK ASSESSMENT

Internal control
A system of internal control consists of policies and
procedures designed to provide management with
reasonable assurance that the company achieves its
objectives and goals.

Main objectives of a system of internal control:

1. Reliability of Reporting
2. Efficiency and Effectiveness of Operations
3. Compliance with Laws and Regulations
5.8. INTERNAL CONTROL AND CONTROL RISK ASSESSMENT

Coso components of internal control

COSO’s Internal Control—Integrated Framework

Developed in 1992 and updated in 2013 and 2017
The COSO Framework describes five components of
internal control:
1. Control environment 4.Information and
communication
2. Risk assessment 5. Monitoring
3. Control activities

Copyright ©2017 Pearson Education, Inc.

5.8. INTERNAL CONTROL AND CONTROL RISK ASSESSMENT

Control risk assessment

• Control Risk: Risk that a material misstatement in

an assertion will not be prevented or detected on a
timely basis by the company’s internal control.
• Auditors assess CR through evaluating the
effectiveness of internal control system.
• Auditor can not manage CR

Copyright ©2017 Pearson Education, Inc.

5.8. INTERNAL CONTROL AND CONTROL RISK ASSESSMENT

Control risk assessment

When planning an audit, in order to assess control risk the
auditor undertakes a number of tasks:
- Considers the results of previous audits that involved
evaluating the operating effectiveness of internal control,
including the nature of identified deficiencies and action
taken to address them.
- Interview entity personnel to find evidence of
management’s commitment to the design, implementation
and maintenance of sound internal control and the
importance attached to internal control throughout the
entity.
- Knowledge of the industry and the environment might
also help in determining control risk
- …..
5.9. OTHER PLANNING ACTIVITIES

Other planning activities include:

- Planning discussions with those charged with governance (like
the board of directors
- Preparing the audit planning memorandum
The audit planning memorandum summarises the overall audit
strategy and contains the decisions regarding the overall scope,
emphasis, and conduct of the audit, planned audit responses at the
overall financial statement level, along with a summarisation of
significant matters documented in the audit plan

48
5.9. OTHER PLANNING ACTIVITIES

Audit Plan (Audit Programme)

- The audit plan (audit programme) sets out the nature, timing and
extent of planned audit procedures required by ISA 315 and ISA
330 to implement the overall audit strategy into a comprehensive
description of the work to be performed.
- It serves as a set of instructions to staff involved in the audit and as
a means to control and record the proper execution of the work.

49