Massimo Laudato, technical adviser at ACCA, discusses the essential elements of a time-saving risk-based approach. 

Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units. 

Objectives of an audit and risk-based approach

When conducting an audit engagement, the auditor should bear in mind what the overall objectives of his/her work are, ie to obtain reasonable assurance as to whether the financial statements are free from material misstatement, which may arise from fraud or error, so that he/she can express an opinion on whether the financial statements are prepared in accordance with the adopted financial reporting framework and report accordingly.

To obtain reasonable assurance, the International Standards on Auditing (UK and Ireland) (ISAs) require the auditor to obtain sufficient appropriate audit evidence to reduce the risk of giving an inappropriate audit opinion when the financial statements are materially misstated, in this way allowing the auditor to draw reasonable conclusions on which to base his/her audit opinion.

Under the ISAs, an effective audit should be performed by adopting a risk-based approach that seeks to identify and assess specific risks of material misstatement concerning the financial statements of an entity and addresses them with audit procedures designed to result in audit evidence that is sufficient, relevant and reliable. 

A risk-based approach to auditing involves assessing the risks of material misstatement, which may be inherent to the entity or its environment. For example, technological developments might make a particular product obsolete, causing inventory to be more susceptible to overstatement. The greater the risk of material misstatement estimated by the auditor in respect of an item in the financial statements, the more persuasive the audit evidence needed and the more extensive the audit procedures required to detect it. On the other hand, in respect of items that are less expected to be at risk of material misstatement, the auditor may apply less effort in terms of procedures and evidence.


Planning is the bedrock of the audit. In the performance of a risk-based audit, adequate planning is of paramount importance as it allows the auditor to direct the audit effort towards the areas expected to be most at risk of material misstatement.

Additionally, adequate planning helps identify and resolve problems on a timely basis and allows the auditor to organise the engagement, including selecting suitably experienced team members to deal with specific risks, so that it can be performed in an effective and efficient manner.

In planning an audit of financial statements the auditor should bear in mind the requirements and guidance of the most relevant ISAs for such purpose:

  • ISA (UK and Ireland) 300, Planning an Audit of Financial Statements
  • ISA (UK and Ireland) 315, Identifying and assessing the risks of material misstatement through understanding the entity and its environment and
  • ISA (UK and Ireland) 330, The auditor’s responses to assessed risks.    

ISA 300 in particular requires setting out an overall audit strategy and a detailed audit plan. The overall audit strategy should indicate the scope of the work, the resources to be allocated to specific high-risk areas in terms of experienced staff or hours and the timing of the work. A more detailed audit plan follows on from the approach identified in the audit strategy and indicates the audit procedures to be performed in respect of specific items in the financial statements and their timing.

The audit strategy and the audit plan are not necessarily separate documents or processes as they are strictly interrelated. For example, the results of initial risk assessment procedures, like the entity’s business risk assessment or the assessment of internal control, will inform the planning for further audit procedures and, vice versa, the outcome of detailed audit procedures may be so different from what was expected at the time of planning as to require a modification of the audit strategy and audit plan. As such, the audit strategy and detailed audit plan are not necessarily developed in sequence in view of their interaction.

In the case of the audit of a small entity, which in many cases involves the engagement partner, who may be a sole practitioner, and just a member of staff, or no other staff at all, establishing the overall audit strategy should not be a complex or time consuming exercise, as it should be proportionate to the size and complexity of the entity. It should save the auditor time and result in a more efficient audit. A brief memorandum prepared at the completion of the previous audit, based on a review of the working papers and highlighting issues identified in the audit just completed, and updated in the current period following discussions with the owner-manager, can serve as the documented audit strategy. In respect of the audit plan for a small entity, standard audit programmes and checklists may be used, normally prepared on the basis the entity has in place limited internal control, but bearing in mind that they need to be tailored to the circumstances of the engagement in order to specify audit procedures that effectively address the assessed risks.

Identification and assessment of risks

Although planning for the audit of a small entity may be less complex and less structured, it still needs to be based on the identification and assessment of risks of material misstatement to which the entity is exposed.

ISA 315 deals with this aspect by requiring the auditor to identify risks during the process of obtaining an understanding of the entity and its environment and to assess the potential impact of such risks on the financial statements as a whole and on specific assertions.

It is important to point out that the process of identifying risks should start from developing knowledge of the nature, characteristics and dynamics of the entity and of the environment in which it operates and then move to the assessment of the potential effect in terms of misstatement that such risks could have on the financial statements, rather than going in the opposite direction of starting to assess risk by reading the financial statements, which could result in missing relevant and pervasive risks relating to the entity’s industry or its specific circumstances.   

For such purpose the auditor should obtain, among other things, an understanding of the following:

  1. The factors at play in the industry sector in which the entity operates, like market size, level of competition, supplier and customer relationships;
  2. Regulatory factors such as significant laws and regulations, which could be general or industry specific, like environmental requirements specific to an industry, general employment legislation, health and safety regulations and the applicable financial reporting framework;
  3. Relevant external factors affecting the entity like the general economic conditions, interest rates and the availability of finance;
  4. The nature and history of the entity, including its operations, revenue sources, products, services, markets served, key personnel, locations, ownership structure, business investments underway or planned, key customers, key suppliers and its financing structure;
  5. The selection, application and appropriateness of the accounting policies used by the entity and reasons for any changes;
  6. Objectives and strategies of the entity and related business risks;
  7. The measurement and review of the entity’s financial performance.

Another important element of the entity that the auditor needs to obtain an understanding of, in order to identify possible sources of risk, is internal control, or the system of controls put in place by the entity to ensure reliability of financial reporting, effectiveness and efficiency of its operations and compliance with applicable laws and regulations.

In developing an understanding of controls relevant to the audit, the auditor needs to evaluate whether the design of specific controls is capable of effectively preventing, or detecting and correcting, material misstatements in respect of identified risks. Additionally the auditor needs to verify whether the controls have been implemented and operate effectively. For such purpose inquiry of personnel is not sufficient and the auditor may need to observe the application of the controls and/or trace transactions through the information system. 

ISA 315 identifies five components of internal control:

  1. The control environment;
  2. The entity’s risk assessment process;
  3. The information system, including business processes, relevant to financial reporting;
  4. Control activities relevant to the audit, and
  5. Monitoring of controls

Although all components of internal control can be relevant to the audit, the control environment, intended as the culture created and fostered by management in respect of integrity, ethics, attitude towards control, commitment to employee competence, communication of values, risk management, assignment of authority and responsibility, can be seen as the foundation that determines the strength of other components of internal control. The nature of the control environment is pervasive to the whole entity and it affects, positively or negatively, the effectiveness of other controls that are applied to the entity’s transactions. In fact, deficiencies in the control environment undermine other controls, even if properly designed, as override can happen more easily, while a positive control environment is conducive to stronger internal control. It is therefore important to obtain an understanding of the control environment in most or all engagements, especially in respect of smaller entities where controls tend to be informal, by conducting inquiries of management and employees and inspecting documents like statements of internal policies to observe their application.

In respect of the audit of a small entity, it is likely that some components of internal control may not be formally established. The entity is unlikely to have in place a risk assessment process as the management will probably identify risks by their direct involvement in the business. In such a case the auditor will still need to inquire about identified risks and how management addresses them. Similarly, information systems and related business processes are likely to be less sophisticated in smaller entities and should be easier to understand for the auditor. In respect of control activities relevant to the audit, ie the policies and procedures aimed at the application of management directives, such as the authorisation procedures for purchases or credit on sales, the segregation of specific duties or the review of the entity’s performance, it may be the case that some of them may not be relevant to small entities. That may happen because management may have sole authority for, say, granting credit to customers and approving significant purchases and therefore have direct control over the most important balances and transactions so that more detailed policies and procedures may not be needed.

In order to identify and assess risks of material misstatement at the financial statements level and at the assertion level for classes of transactions, account balances and disclosures, the auditor gathers information while obtaining an understanding of the entity and its environment, including its internal control, which is used as evidence for the risk assessment. The risks identified during such process, including relevant controls relating to them, are assessed to evaluate whether they relate pervasively to the financial statements as a whole and can affect many assertions. The risks identified are also assessed by taking into account relevant controls that may prevent, or detect and correct, material misstatement in specific assertions. 

As part of the risk assessment procedures, the auditor needs to determine whether the risks identified constitute significant risks that require special consideration. Significant risks often relate to transactions that are unusual, due to size or nature, or that involve judgemental matters.

The outcome of the risk assessment procedures determines the nature, timing, and extent of further audit procedures to be performed in respect of the risks identified.

The information gathered and the knowledge acquired by the auditor in respect of the entity, its environment and controls, as well as the risks of material misstatement resulting from the assessment procedures, are best documented in the permanent section of the audit file. The information recorded will be in fact of permanent interest in respect of the client and, as long as it is being reviewed and appropriately updated or confirmed year on year, it will be the basis for future audits of the entity, as it will feed through to the current section of the audit file and enable the planning of further audit procedures, both in terms of overall audit strategy and detailed audit plan.

The documentation of the auditor’s understanding of the entity, its controls and related risk assessment may be recorded in various ways, including free-form notes. However the use of the schedules and checklists of an audit programme may be useful in indicating specific factors, controls and aspects of the entity’s operations that would normally be relevant to an audit. Additionally such programmes may prompt consideration of risks particularly relevant to the entity’s circumstances. Some schedules commonly found in audit programmes, like a register of significant laws and regulations, a list of related parties, a business risk assessment, controls checklists and systems diagrams, are of relevance for such purposes. As already mentioned, when auditing a small entity some controls or systems may not be formalised and therefore the relevant schedules and checklists will need to be tailored, and scaled down if necessary, to reflect the way that the entity actually operates. 

A recent report, Audit Quality - Thematic review into auditors’ identification of and response to fraud risks, and their consideration of compliance with laws and regulations by audited entities, is aimed at auditors and audit committees and suggests a number of areas where audit quality should be considered and ‘enhanced’.

Responses to assessed risks  

The knowledge of the entity and its environment and the risks resulting from the assessment procedures are the basis for the planning of further audit procedures.

ISA 330 requires the auditor to design and implement overall responses to address the risks of material misstatement at the financial statement level and further audit procedures that are responsive to the assessed risks of material misstatement at the assertion level, so that sufficient appropriate evidence can be obtained in respect of those risks. Such responses are embodied in the overall audit strategy and in the detailed audit plan.

As already mentioned, the audit strategy indicates the key decisions in terms of scope, timing and direction of the audit. The audit strategy would also identify the general approach to the audit, that is whether emphasis will be on substantive procedures (substantive approach) or whether tests of controls will be used alongside substantive procedures (combined approach), and the resources needed. Tests of controls, ie tests on the operating effectiveness of controls in preventing, or detecting and correcting, material misstatement at the assertion level, are necessary when the auditor intends to rely on the effectiveness of controls in respect of a specific assertion or when substantive procedures cannot, on their own, provide sufficient appropriate evidence in respect of an assertion.

An illustrative example of an audit strategy memorandum that shows a possible format for the audit of a small entity is included at the end of the article. The memorandum has been adapted from the examples published in Practice Note 26, Guidance on smaller entity audit documentation (revised), issued by the Financial Reporting Council in UK and Ireland.

The detailed audit plan records the risk assessment procedures and the further audit procedures at the assertion level in response to the assessed risks. The audit plan describes the nature, extent and timing of the audit procedures to be performed by team members in respect of specific classes of transactions, account balances and disclosures. As already mentioned, in the case of an audit of a small entity the audit plan would normally be included in standard audit programmes and schedules used for the various transactions and account balances. In any case the standard programmes need to be tailored so that the approach to an item, in terms of the use of substantive procedures, tests of controls or both, is proportional to the risk assessed for that item and is directed at obtaining audit evidence capable of verifying the underlying assertions, for example, for stock/inventory, that would typically be evidence that confirms the existence, ownership, completeness and valuation of stock. 

The audit plan, and related audit programmes, should document why, for certain items in the financial statements, limited or no further audit procedures would be undertaken, perhaps because the item is immaterial or carries a low risk of material misstatement, and why, for other items, extensive procedures would be undertaken, perhaps to deal with significant risks of material misstatement. The auditor may determine that in respect of a specific item the only effective approach would be that of performing tests of controls, as may be the case when the entity conducts its business using exclusively IT and no documentation of transactions is produced other than in the IT system, therefore making it impossible to perform effective substantive procedures on their own. The auditor may otherwise conclude that only substantive procedures would be an effective approach for certain assertions, perhaps because of the absence of controls relevant to the assertions, or that a combined approach is preferable.

However, irrespective of the approach selected and of the assessed risks of material misstatement, the auditor should bear in mind that ISA 330 specifically requires that substantive procedures should be planned and performed for each material class of transactions, account balance and disclosure. Therefore an approach contemplating only the performance of tests of controls would be possible only in respect of immaterial items, while for material assertions, even those for which substantive procedures alone are not effective, substantive analytical procedures or tests of details, or a combination of both, will need to be planned and performed. 


The determination of materiality at the planning stage of an audit is of essential importance as it influences the choice of further audit procedures in respect of specific assertions.  

Materiality in planning and performing an audit

ISA (UK and Ireland) 320, Materiality in Planning and Performing an Audit, addresses the issue of the approach to materiality determination by clarifying that materiality depends on the size and nature of an item, or by a combination of both, considered in light of the particular circumstances of its occurrence.

The standard does not outline a specific methodology, or suggest a formula, that should be applied for the determination of materiality, but rather introduces guidance on the use of possible benchmarks, such as categories of reported income (like profit before tax, gross profit etc), or of particularly relevant classes of transactions, account balances or disclosures, that should be corroborated by the exercise of professional judgement in arriving at suitable level(s) of materiality.

As well as requiring the determination of materiality for the financial statements as a whole, and for particular classes of transactions, account balances or disclosures, as the thresholds at which misstatement or omission of an item is expected to influence the economic decisions of the users of the accounts, ISA 320 also includes the requirement to set a ‘performance materiality’ level in respect of the overall financial statements and specific items.

Performance materiality is an amount lower than materiality that is used in assessing the risks of material misstatement and in designing audit procedures in response to such risks, so that the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality is reduced to an appropriately low level. Performance materiality is effectively a reduced level of materiality that should prevent the aggregate of individually immaterial misstatements and possible undetected misstatements from causing the financial statements to be materially misstated. How much lower than materiality performance materiality should be is not prescribed by ISA 320, which stresses that a simple mechanical calculation is not appropriate and that the auditor should exercise professional judgement and base the determination on his/her understanding of the entity, on misstatements identified in previous audits and on expectations in relation to misstatements in the current period. A simple rule-of-thumb percentage of materiality is unlikely to constitute a suitable level of performance materiality.

The illustrative example of an audit strategy memorandum for a small entity, at the end of the article, includes a section that deals with the determination of materiality and performance materiality that may be helpful for the comprehension of the practical application of the concepts.

Involvement of audit engagement partner and key audit team members in planning

As discussed above, effective audit planning requires a systematic approach to risk identification and assessment that moves from acquiring a wider picture of the client to dealing with specific significant risks of misstatement with tailored responses. 

In order to draft an audit plan that is capable of successfully addressing the risks of the engagement, direct involvement of the audit partner and key staff in the planning process and effective communication between the team members are also essential. A two-way communication approach, especially exercised at the team planning meeting, can be the key. In fact such a meeting, as well as featuring the partner and key staff informing the members of the audit team about the strategy, the specific approach to certain areas and what each member is required to do, should foster the involvement and the application of professional judgement by all staff in identifying areas that require better responses and those where low risk would allow fewer procedures to be performed.

Example 1 – Audit strategy memorandum

This example has been adapted from the examples published in Practice Note 26, Guidance on smaller entity audit documentation (revised), issued by the Financial Reporting Council in UK and Ireland.

Client:          Bulls Restaurant and Hotel Limited

Year end:     31 January 20X1

Characteristics of the engagement

  • Small private company registered in Malta.
  • Family company with two non-family shareholders and a number of related party transactions during the year.
  • Accounts are prepared under FRSSE.
  • Accounting services, including payroll, provided by the part-time bookkeeper.

The permanent file documentation provides further information on understanding the business, the control environment and internal controls.

Timing of reporting

  • Year end is 31st January.
  • Audit fieldwork during May.
  • Partner to meet with directors to discuss results and accounts signed in mid-June.

Significant factors


Materiality for the financial statements as a whole

Materiality for the financial statements as a whole has been set at €13,500. This is based on 5% of an estimated profit before tax figure of €270,000, which is a consistent basis to that used in previous audits. An unadjusted profit before tax figure is appropriate as there are no exceptional items affecting profit before tax and the levels of directors’ remuneration are not abnormally high.

Lower levels of materiality for specific items

Users of the accounts are the shareholders and the bank. A lower level of materiality has been set in respect of the following classes of transactions, account balances and disclosures:

  • Transactions between the company and individual family owners (relevant to the non-family shareholders) - €6,000

Performance materiality

In assessing the risks of material misstatement and determining the nature, timing and extent of further audit procedures, performance materiality has been set at €10,000 (and €5,000 for transactions between the company and individual family owners). This is judged to be sufficient as, on the basis of past audit errors (which have been primarily of a cut-off nature), there is a low probability that the aggregate of uncorrected and undetected misstatements will exceed the overall materiality.

Internal control

  • No past history of management override of controls. Audit staff will be briefed to remain alert to this risk.
  • Management’s attitude towards internal control is very positive.
  • There are particular internal controls that we can plan to rely on.
  • These are documented in the systems information (Ref: C43).

Results of previous audit

No matters were identified during the previous audit to suggest a significant change in audit approach is needed.

Developments in the business

The audit manager held a preliminary meeting with management on 18th January. The purpose of this meeting was to:

  • Discuss the nature, timing and extent of the audit work; and
  • Enquire whether there have been any developments in the business since the last audit that may impact the audit of the current period.

There have been no significant changes in the business activities since the last audit and no changes in the client’s staff. The current poor economic climate has led to a downturn in trading (turnover reduced by 10% to €2.7m), but the directors believe the company is still performing relatively well given the circumstances and are confident that the ability to continue as a going concern is not threatened.

The Freehold property was re-valued last year. However, in light of general falls in property values since then the client believes that a significant reduction in value should be recognised in the accounts this year.

Risk assessment procedures performed

A preliminary analytical review of the December 20X0 management accounts was carried out (ref B34). The figures reflect a downturn in the current year’s trading levels (consistent with fall in occupancy levels). No unusual relationships were identified in gross profit figures and business appears to be continuing as normal.

The significant risks are:

  • Property valuation;
  • Incomplete sales recording due to high volume of cash transactions.

Further details on these risks and other matters giving rise to significant risks and how they will be addressed are documented in the Understanding of the Entity (Ref: AB2).

Nature, timing and extent of resources allocated

Paul Cox has been the audit engagement partner for the past eight years. Sarah Cole has been the audit manager since the audit for the year ended 20W7. The main audit work this year will be carried out by a student in their final year of training.

The audit timetable is as follows:

  • Amend audit strategy, update permanent file information and prepare audit programs: 2 days, January 20X1
  • Stock-count (junior member of staff to attend): 1 day, 1 February 20X1
  • Final audit (this will commence with the audit team planning meeting in the office before transferring to the client’s premises): 2 weeks, commencing 10 May 20X1
  • Manager review: 19 May 20X1
  • Partner review: 21 May 20X1
  • Final meeting with client for approval of the accounts and signature: provisional date 2 June 20X1
  • Signing the audit report: mid-June 20X1

Prepared by Sarah Cole - Date 18th January 20X1

Approved by Paul Cox - Date 20th January 20X1

No revisions to these items were found to be necessary during the course of the audit.

Sarah Cole - Date 19th May 20X1

Paul Cox - Date 21st May 20X1

This article is part of a suite of audit articles that highlight some of the common audit problems encountered by practitioners. Future articles will address other audit areas where common problems are reported and will look at ways of improving the efficiency of the audit process.