Relevant to ACCA Qualification Paper P7
Paper P7, Advanced Audit and Assurance, regularly features questions set in the planning phase of an audit. Effective planning will focus the auditor’s attention on key areas of the audit and ensure that sufficient resources are allocated to the engagement. Planning should result in an audit that is well directed and supervised and ultimately good planning will reduce audit risk.
Candidates will benefit from understanding the wider aspects of audit planning, and so this article summarises the main requirements and guidance contained in ISA 300, Planning an Audit of Financial Statements.
When does audit planning take place?
Naturally, it is reasonable to assume that planning occurs towards the start of an audit engagement. However, according to ISA 300, planning should not be seen as a discrete and separate part of the overall audit. Planning often begins shortly after, or in connection with, the completion of the previous audit, for example, with a review of issues that were discussed with management, such as control deficiencies or unadjusted errors. Such matters are relevant to the next year’s audit and need to be considered when planning.
Similarly, the audit plan may be revised as the audit progresses, and should not be viewed as being fixed in place once the main planning phase has ended. For example, a significant event may take place as the audit is in progress, meaning that the audit plan needs to be changed.
The nature and extent of planning activities depend on the size and complexity of the audit client, previous experience of the audit firm with the client, and any changes in circumstance that may occur during the audit.
ISA 300 contains a requirement that the auditor shall undertake the following activities at the beginning of the current audit engagement:
- Performing procedures regarding the continuance of the client relationship and the specific audit engagement.
- Evaluating compliance with relevant ethical requirements, including independence.
- Establishing an understanding of the terms of the engagement.
These requirements are also contained in ISA 220, Quality Control for an Audit of Financial Statements, and ISA 210, Agreeing the Terms of Audit Engagements, and remind us that planning is a wider activity than just obtaining an understanding of the business and performing risk assessment.
Audit strategy and audit plan
ISA 300 states that audit planning activities should:
- establish the overall audit strategy for the engagement
- develop an audit plan.
The audit strategy sets out in general terms how the audit is to be conducted and sets the scope, timing and direction of the audit. The audit strategy then guides the development of the audit plan, which contains the detailed responses to the auditor’s risk assessment. An underpinning principle of audit planning under the Clarified ISAs is that the audit plan should contain detailed responses to the specific risks identified from obtaining an understanding of the audited entity. ISA 300 requires the auditor to consider specific matters when establishing the audit strategy, and provides a list of typical matters to be considered in its appendix. These matters are discussed below.
Identify the characteristics of the engagement that define its scope
Some audit engagements have specific characteristics that mean the audit has a wider scope than the audit of other entities. For example, a group audit engagement or the audit of a multinational company will both have wider scopes than an audit of a small, owner-managed entity. Matters such as the ability to use the work of internal auditors, the need to liaise with external service organisations, and the effect of IT on audit procedures are also relevant. The scope is also affected by the applicable financial reporting framework, the nature of the audited entity’s business and whether it operates business segments, the business activities conducted, and the availability of client personnel and data.
Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the communications required
Reporting requirements will vary from audit to audit. For example, some entities have additional reporting requirements to comply with corporate governance regulations or industry requirements, and the auditor must understand these requirements from the start of the audit. The nature of other communications that may be necessary during the audit should be considered, such as liaison with component auditors, and communications to management and to those charged with governance.
Consider the factors that are significant in directing the audit team’s efforts in the auditor’s professional judgment
The strategy must consider issues to do with quality control, such as how resources are managed, directed and supervised, when team briefing and debriefing meetings are expected to be held, how engagement partner and manager reviews are expected to take place (for example, on-site or off-site), and whether to complete engagement quality control reviews.
Consider the results of preliminary engagement activities and knowledge gained on other engagements
This includes the initial assessments of materiality, risks identified from preliminary activities such as fraud risks, significant events that have occurred at the entity or in the industry in which it operates since the last audit, and the results of previous audits that involved evaluating the operating effectiveness of internal control, including the nature of identified deficiencies and action taken to address them. The audit firm may also have performed other services for the client that may be relevant in determining the audit strategy, for example, reviews of business plans or cash flow forecasts.
Ascertain the nature, timing and extent of resources necessary to perform the engagement
One of the main objectives of developing the audit strategy is to effectively allocate resources to the audit team, for example, the use of specialists on particular areas of the audit, or building a team of highly experienced auditors for a potentially high-risk audit engagement. If the audit is time pressured due to a tight deadline, then more resources will need to be allocated to ensure that all necessary audit work is completed, and can be reviewed in time to meet the deadline.
ISA 300 states that once the overall audit strategy has been established, an audit plan can be developed to address the various matters identified in the overall audit strategy, taking into account the need to achieve the audit objectives through the efficient use of the auditor’s resources. The establishment of the overall audit strategy and the detailed audit plan are not necessarily discrete or sequential processes, but are closely interrelated since changes in one may result in consequential changes to the other.
Therefore it is not necessarily the case that the audit strategy is prepared and completed before the audit plan is devised, and in practice it is typical for the two to be developed together.
The audit plan is a detailed programme giving instructions as to how each area of the audit will be conducted. In other words, the audit plan details the specific procedures to be carried out to implement the strategy and complete the audit.
ISA 300 provides guidance on what should be included in the audit plan, stating that the audit plan should describe:
- the nature, timing and extent of planned risk assessment procedures
- the nature, timing and extent of planned further audit procedures at the assertion level
- other planned audit procedures that are required to be carried out so that the engagement complies with ISAs.
Typically an audit plan will include sections dealing with business understanding, risk assessment procedures, planned audit procedures (ie the responses to the risks identified) and other mandatory audit procedures.
Changes to the audit strategy and audit plan
The audit strategy and audit plan are not fixed once the planning stage of the audit is complete. It is important that both are updated and changed as necessary as the audit progresses. For example, as a result of unexpected events, or changes in conditions, the auditor may need to modify the overall audit strategy and audit plan and thereby the resulting planned nature, timing and extent of further audit procedures, based on the revised consideration of assessed risks.
This may be the case when information comes to the auditor’s attention that differs significantly from the information available when the auditor planned the audit procedures; for example, an event may take place after audit planning has been initially completed which creates doubt over going concern. Or, as a result of performing planned audit procedures, additional information may come to light which may lead the auditor to amend the initial risk assessment, or the level of performance materiality, for all, or part, of the audit.
ISA 300 requires that as well as the audit strategy and audit plan being thoroughly documented, a record of significant changes made to the audit strategy and audit plan is needed.
Documentation is crucial, because key decisions about how the audit will be performed are contained in the audit strategy and audit plan. The documentation should therefore include the response made by the auditor to any significant changes that occur during the audit, as discussed above.
The audit strategy and audit plan do not need to be documented in a particular way. Some audit firms use memoranda, others checklists. Some use standardised documentation such as standardised audit programmes while others tailor the specific form of the documentation to each audit engagement. The form of the documentation does not matter as long as it provides a clear record of how the audit was planned.
Direction, supervision and review
ISA 300 requires that the auditor shall plan the nature, timing and extent of direction and supervision of engagement team members and the review of their work.
It is crucial that the audit plan includes the detail as to how supervision and review should be conducted during the audit, in order to perform a high quality audit. Inadequate supervision and review can lead to the audit team making errors, for example, selecting inappropriate items for sampling, or failing to properly conclude on audit procedures performed.
The amount of detail included in the audit plan in relation to supervision and review will depend on factors such as the size and complexity of the entity being audited, the assessed risk of material misstatement, and the capabilities and competence of the audit team members.
Additional considerations in initial audit engagements
The final section of ISA 300 relates to initial audit engagements, and requires the auditor to perform client and engagement acceptance procedures (as also required by ISA 220), and also to communicate with the predecessor auditor, where there has been a change of auditors, in compliance with relevant ethical requirements. The ISA recognises that for an initial audit engagement, the auditor may need to expand the planning activities because the auditor does not ordinarily have the previous experience with the entity that is considered when planning recurring engagements.
Planning an audit involves more than just obtaining business understanding and performing risk assessment. Planning is a dynamic process that may evolve during the audit, and should always respond to changes in the circumstances of the audited entity. Adherence to the requirements of ISA 300 should result in a well-focused audit, staffed by appropriate personnel, performing relevant and appropriate audit procedures.
Written by a member of the Paper P7 examining team