Module 2 Planning Audit of Historical Info

Page 69

- Objective of Audit Financial Statements is to enhance degree of confidence of intended user

in the Financial Statements
- Audit Risk: Risk auditor will express an incorrect opinion when financial statements are
materially misstated.
- There are three types of Audi Risk
 Inherent Risk: Nature and uncertainty surrounding some transactions eh. Accounting
estimates.
 Control Risk: Refers to how good the internal controls are
 Detection Risk: Risk auditor will not detect material misstatement

Audit risk model

- Provides a framework for auditors to follow in responding to these assessed risk through
their choice audit procedure
- Auditing standards do not specify what an acceptable level of audit risk is. Use of the Audit
Risk Model requires a significant degree of judgment by the Auditor.
- The auditor generally expresses each component of audit risk in non-quantitative form (Low,
med, high).
- Matrix
 Matrix figure on page 70 demonstrates that acceptable low levels of detection risk
are inversely related to the assents of inherent & Control risks. i.e if inherent and
control risks are high then detection risk MUST be low.
- Auditors plan and perform their audit to keep audit risks to an acceptable low level. If
inherent and control risks are high, then auditor will set detection risk t low to maintain a
low audit risk.

Page 70

- If control and inherent risk is high (there is a likelihood of errors in the financial statements)
than the acceptable level of detection risk will have to be very low.
- If control and inherent risk is low (small likelihood of errors) then the acceptable risk of
detection is high.
- The auditor assesses inherent and control risk jointly when assessing the risk of material
misstatement
- Control and Inherent risk determine the probability that financial statements contain
material misstatements.
- In order to reduce audit risk to an acceptably low level and there by enable the auditor to
form an opinion, it is necessary for the Auditor to obtain sufficient appropriate evidence. In
order to obtain sufficient appropriate evidence, the extent of audit testing is based on the
level of detection risk set by the auditor to achieve a low level of risk.
- Page 41: Factors that increase inherent risk and control risk
Pg.72 Legal, regulatory, professional & ethical requirements.
- The conduct of an audit of financial info is regulated by laws and regulation
(including standards) as well as the auditing profession code of ethics as well as the
auditing professional code of ethics.
- ASIC, legally enforceable framework including auditing standards, and independent
requirements.
- Soundness of corporate governance, law & regulations

Quality control for audits Page 73

- A engagement partner is required to take responsibility for the overall quality of the
audit engagement
- Engagement team is entitled to rely on firms systems. Eg. Competent staff through
recruitment and training, and independence via accumulation and communication of
relevant independence communication.
- Emphasis is placed on engagement partners leadership responsibilities in relation to
quality of audits
Assignment of engagement teams page 74
- Engagement partner needs to be satisfied that the engagement team collectively has
the appropriate capabilities and competence to perform engagement
- Engagement performance: Engagement partner takes responsibility for the
direction, supervision and performance of the audit engagement.
 Direction: The responsibilities, risk-related issued, problems that may arise,
the detailed approach of the performance of the engagement
 Supervision: Tracking the progress of the audit engagement, consideration of
the capabilities, competence, time availability, and understanding
instructions of team members. Monitoring progress of team member.
Modifying the planned approach where appropriate. Identifying matters for
consultation with more experienced engagement members.
Audit independence for the audit of financial statements page74/5
- In Australia the concept of the auditor independence is embodied in the statute
“The corporate law economic reform program (Audit reform and corporate
disclosure) Act 2004. Also known as Clerp 9
- Corp Act 2001 requires auditor provides directors of the client with a written
declaration as to whether auditor contravenes an of the auditor independence
provisions in the corp act of professional conduct. Eg conflict of interest.
- Maximum hours test: A maximum of ten hours of non-audit services can be
provided during the period in which an audit relates. A further 10 hours of non-audit
services can be provided in the 12 months immediately prior to the period to which
the audit relates.
Compliance with audit requirement page 75
As per ISA 220 Engagement partner is required to form a conclusion on compliance with
independence requirements. To do this must:

 Obtain info from firm to identify circumstances and relationships that create threats
to independence
 Evaluate info that breaches firms independent policies and assess whether they
create threat to audit engagement
 Take appropriate action to eliminate threats or reduce to acceptable low levels
 Report to firm matters unable to be resolves by appropriate action
Auditor rotation
- Corporations ACT: Where an individual plays a significant role (Lead or review
partner) in audit for 5 successive financial years, then can’t play significant role for
the next 2 years.
- In addition cannot play a significant role for more than 5/7 successive financial years
where the involvement is not in consecutive yea.rs.
Terms of engagement pg83
- ISA 210 assist auditors in preparation of engagement letter for audit of financial
statements
- Engagement letter confirms auditors acceptance of appointments and entities scope
and objectives, as well as responsibilities of the auditor and management
Pre conditions page 83
- Auditor needs to confirm pre-conditions of an audit are established by the following:
 Determine whether financial reporting standards are acceptable. IAS, AAS,
and Corp act are often used as the applicable standards in AUS
 Obtain agreement from management that it acknowledges and understands
responsibilities including for: FS preparation, internal control systems
necessary to enable prep of FS that are free from MS due to fraud and error
and provide auditor with necessary info
 If management does not provide the agreements to the above then the
auditor cannot accept the audit unless required to do so by law or regulation.
Engagement terms and letter of engagement page 84
- The engagement terms are detailed in the letter of engagement. The following are
required in the engagement letter:
 Agreed terms of the engagement
 objective and scope of the audit
 responsibilities of the auditor, including the auditor’s responsibilities under
law, regulation or relevant
 ethical requirements that address reporting identified or suspected non-
compliance with laws and
 Regulations (NOCLAR) to an appropriate authority outside the entity
 Responsibilities of management
 Identification of the applicable financial reporting framework, the expected
form and content of any reports to be issued by the auditor and a statement
that there may be circumstances when the report may differ from the
expected form and content (ISA 210, para. 10 and A24)
 Also a paragraph on how the auditor meets independence requirements

Change to terms pg.84

- Auditors can use same engagement letter for reoccurring audits. However auditors
needs to consider whether there is a need to a send a new engagement letter.
Reasons for a new engagement letter are:
 Any indication that the entity misunderstands the objective scope of the
audit
 Any revised or special terms of the engagement.
 A recent change of senior management [or those charged with governance].
 Any significant change in ownership [or in the] nature or size of the entity’s
business
 A change in legal or regulatory requirements.
 A change in the financial reporting framework . . . [or] other reporting
requirements (ISA 210, para. A30).

- If, prior to completion of the audit, the auditor receives a request from management
to change the engagement to a lower level of assurance (e.g. an audit to a review or
a related service) they need to consider the appropriateness of their reason for
doing so (ISA 210, paras 14–17, A31–A33). For example, it may be appropriate to do
so when there has been a change in circumstances affecting the need for assurance
or a misunderstanding of the nature of an audit.

Audit planning procedures p.86

- IAS 300 – Planning an audit of financial statements, states that an auditor is to plan
the audit so that it will be performance in an effective manner
- Involves developing overall audit strategy in order to reduce audit risk to an
acceptable low level.
- The reasons for planning audit is to:
 Ensure appropriate attention is given to important areas of the audit
 Identify potential problems on a timely basis
 Organise and manage the engagement properly& assist in the selection of
team members
 Facilitate team members’ supervision assist in the coordination of work done
 The nature and extent of planning activities will vary with:
 The size and complexity of the entity (i.e. greater complexity may result in
more planning)
 The auditor’s previous experience with the entity (e.g. on a new audit one
would expect planning to be more extensive)
 Changes in circumstances that occur during the audit engagement (e.g. if the
entity increases the level of management bonuses and their correlation with
profitability levels, the auditor needs to consider this in the audit plan; this
situation increases the incentive for fraud.
- An audit plan is continued & Iterative in nature. Not discrete. Can be changed as new
info becomes available during the audit.
- However there are certain audit planning actives that need to be coordinate early
such as:
 Conducting preliminary analytical procedures as part of risk assessment
 Obtaining an understanding of the legal and regulatory framework
applicable to the entity
 Determining materiality levels
 Considering the need to involve experts and specialists prior to identifying
and assessing risks (e.g. in the
 Mining industry an auditor may need to consult a geologist prior to assessing
risks related to inventory and non-current assets)
 Determining the nature, timing and extent of resources that will be required
(ISA 300, para. A2)

The Audit Planning stage involves

 Risk assessment
 Development of overall audit strategy
 Preparation of detailed audit plan
Overall Audit strategy pg 87
- Establishes scope, timing & detection of audits
- Overall audit strategy establishes the following
 Identify characteristics of the engagement that define its scope such as the
financial reporting framework used
 Ascertain the reporting objectives of the engagement to plan timing of the
audit and nature of communications required eg deadlines
 Consider factors that are significant factors in directing focus of the
engagement i.e determining areas with high risk of material misstatement.
- Based on assessments of materials, audit risk, and what constitutes appropriate
audit evidence the auditor has two main alternative strategies (with combinations
in between)
 1. The lower assessed level of control risk approach
 2. A predominantly substantive testing approach
Page 88
- 1. The lower assessed level of control risk approach: The auditor assessed level of
control risk is low & medium. The plan involves obtaining a substantial
understanding of the internal control systems, planning extensive tests of controls
but restricting extent of substantive procedures.
- 2. .A predominantly substantive testing approach: The auditor planned assessed
level of control risk is high, plan requires minimum understanding of internal
controls, no tests of controls but extensive use of substantive audit procedures.
- Substantive procedures are aimed at detecting material misstatements in the dollar
value of the information containing in the accounting records or in the FS.
 - Tests of controls are audit procedures designed to evaluate he operating
effectiveness of controls in preventing, or detecting and correcting material
misstatements at the assertion level.
The Audit Plan page 88.
- Auditor require to develop an audit plan
- Audit strategy guides the strategy of this more detailed audit plan
- Audit plan documents the auditors initial assessment of the evidence that will be
required to form an opinion and the method of obtaining this evidence
- Audit plan must be dynamic to reflect new info obtained
- Audit plan needs to include description of the following:

Financial Statements of assertions pg91

- Financial statements assertions and representations by management, explicit or
otherwise, that are embodied in the financial statements, and used by the auditor to
consider the different types of potential misstatement that may occur.
- Assertions are classed in to two categories pg91
 1. Classes of transactions and events (Rev & Exp) for the period
 2. Account balances at period end (Assets & Lib)
Documentation pg94
- IAS 230 Audit Documentation deals with auditors responsibilities to prepare audit
documents for an audit of financial statements.
- Audit documentation needs to :
-

- Important to prove issues were considered through the support of evidence

otherwise hard to prove that issue was ever considered
- No guidance given on how much documentation
- Engagement letter, audit plan, detailed audit program, are examples of
documentation
Materiality page 95
- Fundamental importance to both prepares of financial statements and auditors
- Entity makes material judgment when preparing Financial Statements
- As such material is of utmost importance to auditors, as the auditor gathers evidence
to assess FS is trust and fair and with Miss statements
- For audit planning purposes, when establishing overall audit strategy, the auditor
will determine materiality for financial statements as a:
1. Whole (overall materiality) usually by selecting a percentage of particular
benchmarks
2. Performance materiality. Overall materiality is reduced to reduce risk of several
number of errors aggregating to result in material misstatement.
- Page 100 Figure 2.8 shows phase of an audit
- Planning audit > performing audit > conclusion & reporting
- The steps in planning audit are:
 Understanding the entity
 Internal controls
 Risk assessment
 Strategic analysis
 Analytical procedures
 Audit analytics
 Responding to assessed risks
 Over audit strategy
Understanding the entity
- ISA 315 establishes the mandatory requirements and explanatory materials to the
auditor on obtaining/understanding of the entity environment and on assessing the
risk of material misstatement in the financial statements
- ISA 315 includes the following:
1. The entity industry, regulatory and other external bodies
 Understanding industry conditions – Understanding market for client
products, competitors,
 If the industry has weak conditions overall, there is more sensitive to bad
news. Increases pressure on management to meet targets therefore
increases risk of earnings management
 The auditor needs to understand the entity’s regulatory environment. As
economic consequences may arise from government imposed tariffs which
may materially impact company. Noncompliance with laws may also result in
major legal consequences with material impact.
 ISA 250 states auditor must obtain general understanding of legal and
regulatory framework, applicable to the entity and the industry and the
entity level of compliance.
 Other external factors: Considering the general economy, interest rates,
availability of finance, level of inflation etc.
2. The Nature of the entity page 103
 Auditor should obtain and understanding of the nature of the audit client
when planning the audit. The auditor should understand. Business operations
(business model – method of obtaining revenue), Products& Services of the
market (Major customers, terms of payment, profit margins), Conduct of
operations (stages of production, fixed v variable costs), location of
production facilities, employment )wage level, super benefits, unions)
 Auditor uses knowledge of entity operations to develop a knowledgeable
perspective about financial amounts and disclosures specific to the entity
 Auditor also uses knowledge of the entities operations to identify significant
inherent risk eg manufacturing companies are usually concerns about the
timeness of assertion relating to receivables inventories, such assertions may
not be significant for service companies
 Another important aspect of understanding business operation involves
obtaining knowledge of related party transactions. As may not have
economic substance. These transactions represent high inherent risk as not
arm length transactions and may not have economic substance.

- The entities business model: pg 104

 Business Model: Describes everything about how the business creates and
delivers value to its stakeholders.
 Elements of business model: Business systems, product services, customer
experiences> these elements can be improved to create a competitive
advantange
 Necessary for the auditor to develop a comprehensive understanding of the
client business model because it will help auditors assess the nosiness risk
and material misstatements of FS
  Therefore Auditor will be in a better position to understand: Risk, appropriate
recording of transactions, Valuation of assets,clients abilitiy to continue as
going concern, likelihood of management fraud
- Investments pg104
 Understanding the nature of an entity’s investments helps the auditor
develop expectations of financial statement amounts. Eg. Capital investment,
acquisitions, mergers, disposals investments in security and loans,
investments in non-consolidated entities.
 Companies ability to generate revenue depends on their investment
- Financing pg. 105
 Understanding debt structure, leasing or PPE, beneficiary owners, use of
derivate instruments.
 Sophisticated financing structures may increase risk of misapplication of
accounting standards. Auditors shall also be alert to violation of debt
covenants or events that might trigger guarantees. Might greatly effect entity
capacity to be a going concern.

3. Entity selection and application of accounting policies pg 105.

 Important auditor evaluates the accounting policies selected by the entity to
ensure they are appropriate for business and consistent with industry
 In understanding accounting policies the auditor should be aware of the
methods to account for significant and unusual transactions
4. The entities objectives, strategies, and relevant business risks pg 105
 Business risks: Risks results from significant conditions, events,
circumstances, actions that could adversely effect entities ability to achieved
its objectives and execute its strategies.
 IAS 315: States auditor shall evaluate an entity objectives, strategies and
business risks to obtain understanding of whether they are associated with
risks of material misstatement
 5. Measurement and Review of the entity Financial performance pg.108
 Auditing standards require auditors to obtain an understanding of the
measure and review of the entities financial performance, including both
internal & external measures. Such measures include

 Company might use a variety of financial & Non-financial measures to

monitor performance. Eg Manufacture company measure manufacturing
process by comparing quantity of raw material used v goods produced v
labour house
 Many performance measures are produced by entities IT system. If
management assumes data is accurate but is not, potentially leads
management and auditor who use same info to make inaccurate conclusions.
 Auditors should consider reliability of the IT system

The Entities Internal Controls pg 109

 - IAS 315 requires auditors to understand internal controls relevant to audit. The
understanding of internal controls is used by the auditor to identify potential types
of misstatements and factors that affect the risk of material misstatements. And in
designing the nature, timing and extent of further audit procedures.

Refer to page 110 which defines and discusses each component

Controls in an IT environment page 113

 - IT environment influences the internal control and the procedures adopted by the
entity because:
1. Concentration of recording, processing and control functions in the IT
department
2. Human checking disappears. Reduces potential to detect errors
3. Increase potential of fraud or errors
4. The partial of complete loss of audit trials
5. Access by multiple users may create unauthorised access
6. Poor pogroming = system errors
7. Risk on error in item effects a number of different items

Types of IT controls pg 113.

 General IT Controls: Refers to overall control over IT department. Purpose

to establish framework of overall control of IT actives and provide
reasonable assurance overall objectives of IT activities being me. Eg of
general IT controls: Organisation structure of IT activities, policies and
procedures necessary to ensure performance duties, Segregation of
incompatible functions. Backup of recovery procedures, physical
safeguards, contingency plans.
 Application controls: Refers to controls specific to individual accounting,
accounting application (debtors, creditors, payroll etc). Purpose to ensure
transactions are authorised, recorded and processed correctly.

Cloud computing 115

- Adv: Scalability, flexibility, lower capital investment
- Dis: Major risks, availability, contradicting, integrity of company info
- There are 4 types of cloud computing: Public cloud, private cloud, hybrid colour,
community cloud
- Key considerations for cloud bases risks on page 116

Application controls page 117-120

Includes controls over:

 Input
 Processing and computer files
 Output

Risk assessments for Specific Matter page 121

 - During planning stage have to identify significant risks due to:
 Fraud risk page 121-126 types of Fraud page 122
 Accounting estimates page 126-127
 Related parties page 128
 Going Concern page 129
 Climate related issues page 130
 NOCLAR page 131
Fraud
- Engagement team must discuss sucessbiltiy of entity to Fraud
- Auditor require to perform certain procedure to identify sucesiblitly
- Major technique is enquires. Auditor is required to ask management, those charge
with governance about:
 Their assessment of the risk of material misstatement
 Procedure carried out by management to identify, respond to risk at the
account balance, transaction class and disclosure level
 Their knowledge of any actual, suspected or alleged fraud
- Fraud Risk Factors (Not limited to ) page 124
 Need to meet expectation to third parties
 Inappropriately designed compensation schemes
 Weak & Ineffective control environment.
- Conditions generally present when fraud exist page 125
 Fraud Triangle: Opportunity, Incentive, Attitude/Rationalism
Accounting estimates page 126
- Examples:
 Allowance for doubtful debts
 Net reliable value for inventory
 Revenues from long-term contracts
 Future liabilities on product warranties and guarantees
- Three factors that are important in identification, assessment and response to risk
of MM relating to accounting estimates page 127
1. Complexity
2. Use of judgment by management
3. Estimation uncertainty

Risk Assessment Procedures page 134

 - Risk assessment procedures are methods used to obtain understanding during risk-
assessment phase of the audit
- There are 3 main methods:
 Strategic analysis page 134 (SWOT, PEST, Value chain Analysis)
 Analytical procedures page 142 (Simple comparison, comparison to prior
periods, ratio analysis, profitability ratios…others listed refer to page 142 and
onwards)
 Audit Data Analytics (ADA) page 150. All about “Big data” (Descriptive data
analytics, predictive analytics, perceptive analytics). 5 step process for
planning and performing ADA page 152. Use of ADA for risk assessment page
153-158

Overall Audit Strategy page 160

- Two main strategies with combination and in between:
 Control risk approach
 Substantive testing approach

- How the approaches are developed affect nature, timing, and extent of the work
performed.
Developing Audit Strategy page 160
- The first step is obtaining understanding of the internal control structure
- If appropriate control do NOT exist or likely to be ineffective, than control risk = high
and substantive approach adopted
- Substantive approach = substantive amounts recorded in FS and more expensive to
carry out than test of controls
- An audit is more efficient when control risk is low and therefore substantive
procedures reduced
Test of controls page 161
- Once understanding of the internal control that is sufficient for audit planning
obtained, auditor must then assess the control risk or risk of MS occurring
- If control risk is less than high that auditor relies to some extent on key controls
- Auditor needs to obtain evidence support reliance on these controls
- “Test of controls” gathers this evidence.
- If control risk is assessed as high, no testing of controls occur and substantive testing
undertaken

Substantive procedures pg 162

- Aimed at detection MM at the assertion level
- Two Categories of Substantive procedures: Substantive analytical procedures and
Test of Details
- Substantive Analytical procedures: Include comparisons of the entities financial
systems with prior period information, budgeted information and similar industry
information. Also includes consideration of relationship of elements of financial info
where once would expect predictable pattern. Eg gross margin to sales and between
non-financial and financial info eg payroll costs an employee numbers.
- Test of details: Test transactions and balances designed to obtain direct evidence to
support the account balances shown in the financial statements. This is usually done
by sampling transactions and projecting results to entire population.
- Important to consider Nature, Timing & Extent of substantive tests
 Nature: Test of details or Substantive analytical procedures
 Timing; Year-end or interim
 Extent: Will increase when risk of MM is greater and controls are week.