Print Close window

Not just a phase
blue horizontal line


Carmen Ridley discusses how the new auditing standards will change the planning phase of the audit.

Audit planning is generally considered to be the most important phase for the majority of audit engagements, and the introduction of legally enforceable auditing standards for financial periods, beginning on or after 1 July 2006, provides a good opportunity to assess the planning process.

This article will discuss the process that should be followed in the planning phase and changes that may result due to the introduction of the new aditing standards.

The three auditing standards that have the greatest focus on the planning phase of the audit are:

  • ASA 300: Planning an Audit of a Financial Report
  • ASA 315: Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement
  • ASA 330: The Auditor’s Procedures in Response to Assessed Risks

While the key messages and objectives of the new auditing standards have not changed significantly, increased documentation is required to prove that each mandatory requirement has been met.
Each of these standards has been considered and a commentary provided on the likely impact for auditors and their clients.

Planning an Audit

The key features, as documented in the preface to the standard, are that the standard:

  1. ‘requires the auditor to plan the audit so that the engagement will be performed in an effective manner
    – the auditor’s planning activities include establishing the overall audit strategy for the audit
  2. describes the preliminary engagement activities to be performed by the auditor at the beginning of the current audit engagement
  3. outlines additional matters the auditor may consider in initial audit engagements.’

The theme of this standard is ensuring the audit is planned so the audit risk  (of a material misstatement not being detected) is reduced to an acceptably low level.
The requirements include: continuance of client relationship, audit strategy and initial audits.

Client relationship
‘Continuance of client relationship’ means the auditor considering whether the client relationship should continue. This would normally be performed in conjunction with the completion of the previous year’s audit but may be performed before the commencement of any work on the current year’s audit.

Auditors will consider potential issues such as evaluating their compliance with ethical requirements, including independence; management integrity; and understanding by client and auditor of the terms of the audit.
This decision should be documented on an annual basis for each recurring audit.

Audit strategy

Auditors should establish the overall audit strategy for each audit. This may be linked to the audit plan or a discrete document.

In many instances, the audit strategy will be a document provided to the client’s audit committee, summarising the scope, timing, direction and key focus of the audit, whereas the audit plan is likely to be a more detailed document used by the audit team. The plan is a ‘live’ document, which should be updated throughout the engagement as circumstances change or additional information is received.

Initial audits

If an audit is a first-year engagement, ASA 300 requires auditors to perform procedures to ensure they can accept the client, which may include communication with the previous auditors, if applicable.

Understanding the client’s business
ASA 315: Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement sets out the requirements for the auditor to perform risk assessment procedures in understanding each aspect of the client’s business. The object is to gain an understanding of the risk of material misstatement in the financial report.

This means that all audits will need to include an assessment of risk, whereas previously many fully substantive audits did not document any risk procedures performed.

The most significant impact of this standard is therefore likely to be seen at smaller audit clients and audit firms that have not adopted a risk-based audit approach.

The risk assessment must be performed both on a financial report level and an account balance assertion level. The responses to this assessment are discussed in ASA 330: The Auditor’s Procedures in Response to Assessed Risks, which has been analysed below.

The standard confirms that these risk assessment procedures do not necessarily need to be performed in isolation from other audit tests.

This is because gaining an understanding of the risks of an entity and its business environment may satisfy some substantive tests. For example, discussing credit risk with an organisation may lead to evidence relating to subsequent receipts or the compilation of the bad debt provision.

Risk assessment

Paragraph 11 of this standard notes that the following risk assessment procedures would be performed:

  1. ‘enquiries of those charged with governance, management and others within the entity
  2. analytical procedures
  3. observation and inspection.’

Although each procedure is not required to be performed for each aspect of the understanding, each of them will be performed as part of obtaining overall understanding.

It is important to note ‘those charged with governance’ are likely to be the audit committee and/or board of directors.
Therefore this group is expected to become more involved with the planning phase of the audit.

The standard provides suggestions regarding other personnel within the entity who may be consulted and the potential rationale for the consultation.

Where the audit engagement recurs, the standard allows for information obtained in a previous year to be rolled over once the auditor has confirmed that it remains relevant and accurate.

This is another area where members of the audit team are required to have discussions about the risk assessment of the client. The results of the assessment regarding susceptibility of the entity to material misstatement will need to be documented in order for the auditor to confirm that it has complied with the mandatory requirement.

Other areas for consideration
The mandatory requirements in the standards mean that the auditor should obtain an understanding of the following areas:

  • nature of the entity
  • selection and application of accounting policies
  • industry and regulatory framework
  • objectives and strategies of the entity and related business risks
  • measurement and review of the entity’s financial performance
  • internal control, control environment, control activities and monitoring of controls
  • entity’s process for identifying business risks relevant to financial reporting and their responses to these
  • information system and the responses to IT risk
  • communication of financial reporting roles and significant matters relating to financial reporting

This is a significant amount of work, particularly for smaller audits, and will increase the audit time required. Much of this work, however, can be performed during the interim/planning visits.

Response to Assessed Risks
ASA 330: The Auditor’s Procedures in Response to Assessed Risks requires auditors to obtain an understanding of the risks within an organisation, both at the financial report level and also at the individual assertion level. Once these risks are understood, a response to them should be formulated.

Overall response
This section considers the auditors’ understanding of the risks of material misstatement at the financial report level and the response to these risks.

Obtaining this understanding is likely to mean more detailed planning meetings – both within the engagement teams and between the auditor, client management and those charged with governance.

The likely responses arising in this area would include:

  • determination of the general audit approach; substantive only versus a combination of substantive and controls testing
  • use of experts for complex areas 
  • timing of audit procedures; year-end versus interim

Material misstatement at the assertion level

Auditors are required to identify and assess the risk of material misstatement at the assertion levels for each material balance, class and disclosure item.

Once these risks have been determined, then the audit procedures needed to ensure that the risk of misstatement of the assertion is at an acceptably low level can be designed. These procedures cover the nature, extent and timing of testing.

The determination of the audit procedures will include an assessment of the controls covering the balance to gauge whether they can be relied upon.

If the auditor expects to be able to place reliance on any controls, then tests of design and tests of operating effectiveness of these controls need to be performed to determine if this is the case.

The standard confirms that enquiry alone is not sufficient when performing tests of controls. The enquiry must be supported by another audit method, such as inspection or reperformance.\

If controls testing indicates material weaknesses in any internal controls, then the auditor may elect to complete a substantive audit. However, the auditor must make management, or those charged with governance at the appropriate level of responsibility, aware of material weaknesses in the internal control environment.

Evaluating audit evidence

Once the procedures have been completed, the auditor is required to reassess the risks and determine whether the audit evidence obtained through the performance of the audit procedures is sufficient and appropriate.

The standard requires auditors to design substantive procedures for each audit assertion, again reducing the risk of misstatement to an acceptably low level.

ASA 330 provides for auditing procedures performed before year end, provided consideration is given to the additional evidence, which must be obtained for the remaining period until year end. Evidence obtained in prior periods can be rolled forward. However, evidence must be obtained regarding whether there have been any changes in operating controls.

In order to decrease the amount of work required to be completed at year end, a number of the procedures discussed above can be performed at an interim date.

This allows the entity time to rectify any anomalies noted, and the auditor time to design additional auditing procedures as required to respond to weaknesses identified.

Communication between auditor and client

Although this article has focused on the likely changes that auditors will have to make to the planning phase of the audits, it is important for clients to be aware of these new requirements. Clients should be discussing the new standards with their auditors.

Early communication will ensure that client deadlines continue to be met, because the additional work that may need to be performed can be undertaken during an interim audit before the year end.

Open communication regarding audit fees should take place prior to the planning phase to ensure that both parties to the audit are aware of changes in focus and additional requirements.

Up-front discussion will also allow clients to be informed of any changes they need to make to their systems or processes. These need to be put in place to satisfy additional questions the auditors may have or additional documentation that may be needed.


Reference: August 2006, volume 76:07, p. 64-67
 

This page is available online at:
http://www.cpaaustralia.com.au/cps/rde/xchg/cpa/hs.xsl/724_19451_ENA_HTML.htm

Page last updated: Monday, 31 July 2006
© Copyright 1997-2008 CPA Australia