Auditing Lecture 2
Audit Planning, Audit Risk and Materiality
Planning, Risk & Materiality
• Audit Engagement
• The Engagement Letter
• Audit Planning
• Understanding the entity
• Audit Risk
• Materiality
The Audit Engagement
“The auditor shall agree the terms of the audit engagement
with management or those charged with governance...the
agreed terms of the audit engagement shall be recorded in
an audit engagement letter...”
ISA 210
Accepting the Engagement
• Nature of company – e.g. Does the company seem well
managed or disorganised? Is it in a business area which
has attracted a bad reputation – perceived or otherwise?
• Extent of difficulties anticipated – e.g. are there accounts
or balances that will be very difficult to get evidence for?
Are there assets that will be difficult for your firm to value –
e.g. bespoke assets, remote assets, complex assets?
• Auditor’s skills – does your firm have the right expertise for
this particular type of client?
• Auditor’s resources – does your firm have sufficient staff
available at the right time to complete the audit?
Resources
• Personnel with sufficient time
• Time available at the right time
• Qualifications of staff
• Skill needs specific to industry or company
• Computer hardware and software
• Transport
• Secretarial and IT support
Areas of Concern
• Management ethics
• Management competence
• Fee levels
• Items which are difficult to audit
Accepting Nomination
• Outgoing auditors
• New appointment received
• Letter of engagement
When to Send a Letter
• All new clients
• To all existing clients
– Change in circumstances
“The auditor shall assess whether
circumstances require the terms of the audit
engagement to be revised and whether there
is a need to remind the entity of the existing
terms of the audit engagement”
ISA 210
Purpose of the Engagement Letter
• Auditor’s responsibilities
• Minimise misunderstandings
• Confirm verbal arrangements
• Confirm acceptance of engagement
• Inform and educate
Engagement Letter Contents
• Objective & scope of the audit
• Responsibilities of the auditor
• Management’s responsibilities
• Identify the financial reporting framework
• Form & content of reports to be issued by the auditor
• Related services
Engagement Letter Contents
• Audit fees
• Arrangements for involving internal auditors and other
client staff
• Unrestricted access to necessary records
• Agreement of terms
Other Issues
• Procedure for complaints
• Arrangements for involving other auditors and experts
• Proposed timetable
Redrafting the Engagement Letter
• Misunderstandings
• Change of management
• Change in ownership
• Change in nature or size of business
• Change in legal or professional requirements
Audit Planning
“The auditor shall plan and perform an audit with professional
scepticism recognising that circumstances may exist that
cause the financial statements to be materially misstated”
ISA 200
Why Plan?
• Appropriate attention given to different areas of the
audit
• Potential problems identified
• Assist in the selection of engagement team members
• Assigning tasks
• Facilitating review
Audit Planning
• ISA 300 Planning an Audit of Financial
Statements
• ISA 315 Identifying and Assessing the Risks of
Material Misstatement through Understanding the
Entity and its Environment
“The objective of the auditor is to plan the audit so
that it will be performed in an effective manner”
ISA 300
Overall Audit Strategy
“The auditor shall establish an overall audit strategy that sets
the scope, timing and direction of the audit, and that
guides the development of the audit plan”
ISA 300
Overall Audit Strategy
[Diagram: Knowledge of the Business; Assess Risk; Analytical Review; Overall Audit Strategy; Scope, Timing, Direction]
Audit Plan
“The audit plan is more detailed than the overall audit
strategy in that it includes the nature, timing and
extent of audit procedures to be performed by
engagement team members. Planning for these
audit procedures takes place over the course of the
audit as the audit plan for the engagement develops”
ISA 300
Planning
“The auditor shall update and change the overall audit
strategy and the audit plan as necessary during the course
of the audit”
ISA 300
Planning is ‘iterative’ – it goes on until the end. The plan set
at the start may need to change.
Understanding the Entity
“The objective of the auditor is to identify and
assess the risks of material misstatement,
whether due to fraud or error, at the financial
statement and assertion levels, through
understanding the entity and its environment,
including the entity’s internal control, thereby
providing a basis for designing and
implementing responses to the assessed
risks of material misstatement”
ISA 315
Risk Assessment Procedures
“Audit procedures performed to obtain an understanding
of the entity and its environment, including the entity’s
internal control, to identify and assess the risks of
material misstatement, whether due to fraud or error,
at the financial statement and assertion levels”
ISA 315
Identifying & Assessing Risks of
Material Misstatement
Risk assessment procedures:
1. Inquiries of management & appropriate staff
2. Analytical procedures
3. Observation & inspection
ISA 315
Identifying & Assessing Risks of
Material Misstatement
Inquiries of management & appropriate staff to understand:
• the environment in which the financial statements are prepared
• the role of internal audit & actions taken
• the processing of complex or unusual transactions
• on-going litigation, legal compliance, knowledge of fraud (legal team)
• changes in marketing strategy & sales trends (sales team)
ISA 315
Identifying & Assessing Risks of
Material Misstatement
Analytical procedures used to identify:
• broad initial indication of possible material misstatement
• aspects of which the auditor was unaware
• existence of unusual transactions or events
• unusual or unexpected relationships between items of financial & non-financial data
ISA 315
Identifying & Assessing Risks of
Material Misstatement
Observation & inspection of:
• The entity’s operation
• Business plans, strategies, internal control manuals
• Management reports, minutes of board meetings
• The entity’s premises & plant facilities
ISA 315
Understanding the Entity
The auditor should understand:
• Industry & regulatory guidance
• Financial reporting framework
• Ownership & governance structures
• Operations undertaken
• Investment plans
• Entity’s objectives & strategies
• Financing
• Selection & application of accounting policies
Use of Knowledge
• Assess risks
• Identify problems
• Plan and perform the audit
• Evaluate audit evidence
Audit Risk
Materiality
“The auditor shall consider materiality and its relationship
with audit risk when conducting an audit”
ISA 320
Materiality
Information is material if omitting, misstating or
obscuring it could reasonably be expected to
influence the decisions that the primary users of
general purpose financial statements make on the
basis of those financial statements, which provide
financial information about a specific reporting entity.
ISA 320
[updated/amended definition effective from 1 January 2020]
Materiality
A material error is one which could reasonably
affect the actions of a user of the accounts:
‘The amount by which the Financial Statements
must change in order to change the decisions
made by users of the Financial Statements. There
are no hard rules over materiality and items can
be material by nature as well as by value’
[ISA320]
Materiality
Materiality depends on:
• The size of the item or error judged in the particular circumstances of its omission or misstatement.
• Sensitivity of item in question
Materiality Levels - examples
• Profit before tax: 5%
• Gross profit: ½ – 1%
• Turnover: ½ – 1%
• Total assets: 1 – 2%
• Net assets: 2 – 5%
• Profit after tax: 5 – 10%
Performance Materiality
“The auditor shall determine performance materiality for the
purposes of assessing the risks of material misstatements
and determining the nature, timing and extent of further
audit procedures”
ISA 320
There is a difference between ‘materiality’ and ‘performance
materiality’
Performance Materiality
• ISA 320.9: the amount(s) set by auditors below overall
materiality to reduce to an appropriately low level the
probability that the aggregate of uncorrected and
undetected misstatements exceeds overall materiality.
• It is the ‘working materiality’ – set at a numerical level to
guide auditors to do enough work (but, importantly, not too
much) to support their audit opinion.
• If auditors simply applied the overall materiality throughout
the planning and fieldwork stages they would be taking an
undue risk that material misstatements were not detected
by their audit work.
Risk & Performance Materiality
• There is a relationship between risk and performance materiality:
• The greater the risk of material misstatement, the lower the level of materiality
• E.g. instead of checking every item over £100 in a listing of stock items you’d sample every item over £70.
Three Components of Risk
• Inherent Risk
• Control Risk
• Detection Risk
ISA 200
Inherent Risk and Control Risk combined = Risk of Material Misstatement (ROMM)
Total Audit Risk
Total Audit Risk = Inherent Risk × Control Risk × Detection Risk
where Inherent Risk × Control Risk = Risk of Material Misstatement (ROMM)
Inherent Risk
• Risk assessment required
• Entity as a whole
• Properly documented
• Reduce audit work?
• Judgement
Assessing Inherent Risk
Risk Area: Problems
• Integrity & Attitude: Domination
• Experience & Knowledge: Management Changes
• Unusual Pressures: Deadlines
• Nature of Business: Technological Obsolescence
• Industry Factors: Competition
• IT: Unauthorised Access
Assessing Inherent Risk
Risk Area: Problems
• Accounts prone to misstatement: Estimation Required
• Complex Accounts: Experts
• Asset Loss: Portable Assets
• Unusual Transactions: Large Amounts
• Staff: Morale / bonuses
Control Risk
• Control environment
• Control activities
Control Environment
“The control environment includes the governance
and management functions and the attitudes,
awareness, and actions of those charged with
governance and management concerning the
entity’s internal control and its importance in the
entity”
ISA Glossary of Terms
Control Activities
“Control activities are the policies and
procedures that help ensure that
management directives are carried out”
ISA Glossary of Terms
Control Activities
Company directors will set many goals for a
business. Most will have the goal of
maintaining reliable, up to date financial
information.
The controls around achieving this are of
interest to the auditor.
Q: What control is used to ensure the cash
balance on the balance sheet is correct?
What other financial account balances can
be checked using this control?
Tests of Controls
‘The auditor shall design and perform tests of
controls to obtain sufficient appropriate audit
evidence as to the operating effectiveness of
relevant controls if’……
• the assessment of ROMM has indicated that
controls are probably working and so less
substantive testing could be required or,
• Substantive procedures alone can’t provide
sufficient appropriate evidence
[source: ISA 330 – revised July 2017]
Tests of Control – how to perform
• Corroborative Enquiries – ask different staff about
the procedures for storing, collecting, recording
and banking any cash receipts for the week.
• Inspection of Documents – see if senior
purchasing manager has authorised a sample of
purchases made by staff.
• Reperform – try to access the warehouse using
the security key pad and random codes.
• Remember: controls are what the audit client
does (not the auditor). The auditor tests the
client’s controls to see if they are working.
Tests of Control - results
• The results of controls testing will tell you whether
control risk is high, medium or low for a particular
account balance (or assertion – e.g. valuation,
accuracy, existence etc)
• If control risk is high, say for valuation of stock,
then you will increase the work you do during the
post year end audit. You will check/verify a bigger
sample of stock items to get the assurance you
need regarding valuation of stock.
• Doing more work to detect errors will reduce
detection risk (the risk that you fail to detect a material
misstatement)
Acceptable Risk
• There is a risk that the auditor’s opinion will be
incorrect and that this will result in somebody
suffering loss
• This risk primarily results from the possibility that
the auditor will fail to detect a material
misstatement in the accounts
• The auditor can reduce this risk to an acceptable
level without eliminating it – keeping Audit Risk at
an acceptable level requires doing more or less
substantive testing in response to the level of
ROMM assessed.
Detection Risk
• Consider inherent and control risk (Risk of Material
Misstatement)
• Reduce to an acceptable level by doing more work (usually at
the substantive testing stage – e.g. by increasing sample
sizes and other work).
Uncontrollable Risk
Two sources of uncontrollable (for the auditor) risk:
1. Inherent risk
– Also uncontrollable for the company’s management
2. Control risk
– Controllable by the company’s management only
Uncontrollable Risk
Inherent Risk × Control Risk =
Risk that there is a material
misstatement to be found
Controllable Risk
• The risk that if there is a material misstatement
the auditor will not find it
• This results from detection risk - can be lowered
by the auditor doing more (usually) substantive
testing (increased sampling etc).
Reading
Chapters:
3, 5, 8, 10