UNIT 6: AUDITOR’S REGULATION AND ETHICSUNIT 8:AUDIT EVIDENCE AND SAMPLING

UNIT 7: AUDIT PLANNING

  • UNIT 7: AUDIT PLANNING

    Key unit competence: To be able to execute audit planning and risk 

    assessment

    Introductory activity

    Look the above picture, then answer the following questions:

    1. What do you understand by audit planning

    2. How do we call those activities around audit planning?

    7.1. Audit planning

    Learning activity 7.1


    Look at the above image, then answer the following questions:

    1. Why the audit work must be planned?
    2. What do you mean by audit strategy?
    3. State the general areas the auditor must consider when setting audit 

    strategy

    7.1.1. Meaning and objective of audit planning

    a) Meaning of audit planning

    Audit planning means developing a general strategy and a detailed approach for 
    the expected nature, timing and extent of the audit. The auditor plans to perform 

    the audit work in an efficient and timely manner. 

    b) The importance of audit planning 

    An effective and efficient audit relies on proper planning procedures. The 
    planning process is covered in general terms by ISA 300 states that the auditor 
    shall plan the audit so that the engagement is performed in an effective manner.

    Audits are planned to: 

    – Help the auditor devote appropriate attention to important areas of the 
    audit;

    – Help the auditor identify and resolve potential problems on a timely 
    basis;

    – Help the auditor properly organise and manage the audit so it is 
    performed in an effective manner; 

    – Assist in the selection of appropriate team members and assignment 
    of work to them; 

    – Facilitate the direction, supervision and review of work;

    – Assist in coordination of work done by auditors of components and 
    experts. 

    Audit procedures should be discussed with the client’s management, staff and/

    or audit committee in order to co-ordinate audit work, including that of internal 

    audit. However, all audit procedures remain the responsibility of the external 

    auditors. 

    A structured approach to planning: 

    Step 1: updating knowledge of the client and assessing risks

    Step 2: Ensuring that ethical requirements are met, including independence. 

    Step 3:establishing the overall audit strategy that sets the scope, timing and 

    direction of the audit and guides the development of the audit plan:

    – Idendify the characteristics of the engagement that define its scope;

    – Ascertain the reporting objectives to plan the timing of the audit and 

    nature of communications required;

    – Consider significant factors in directing the team’s efforts;

    – Consider results of preliminary engagement activities;

    – Ascertain nature, timing and extent of resources necessary to perform 

    the engagement.

    Step 4: Preparing the detailed audit approach

    Step 5: Making administrative decision such as staffing and budgets.

    7.1.2. Audit planning strategies

    a) planning strategies

    Audit strategy sets the scope, timing and the direction of the audit, and guides 
    the development of the more detailed audit plan.The audit strategy is the key 

    planning document. It considers general areas of planning such as:

    • The timetable for reporting, key dates and statutory obligations;

    • Reporting framework and scope of the audit;

    • Initial materiality levels;

    • Preliminary risk assessment.

    • Audit team members and skills required;

    • Arrangements for directing, supervising and reviewing the work of audit 

    team members;

    • Consider the need for the service of experts;

    • Location of client premises and travel/accommodation requirements.
    Any changes made during the audit engagement to the overall audit strategy 
    or audit plan, and the reasons for such changes, shall be included in the audit 

    documentation. 

    Audit needs to be planned to ensure that:

    • Appropriate attention is devoted to the important areas of the audit;

    • Potential problems are identified (and resolved) on a timely basis;

    • Work is completed effectively and efficiently;

    • Appropriate staff are engaged on the audit team and, the proper tasks 

    are assigned to the members of the audit team;

    • Assisting with the direction and supervision of the audit team and 

    review their work;

    • Assisting with the coordination of work done by experts.

    The establishment of the audit strategy involves:

    In many audit firms, the audit engagement partner would create the audit 
    strategy, with the audit managers then being responsible for using the strategy 
    and then produce the detailed audit plan. This division of roles does, however, 
    vary from firm to firm and it is not unusual for an audit manager to contribute to 

    the audit strategy document.

    b) Changes to the overall audit strategy and audit plan 

    The auditor shall update and change the overall audit strategy and the audit plan 

    where necessary during the course of the audit work. 

    An accurate record of changes to the audit strategy must be maintained in order 
    to explain the general approach finally adopted for the audit. Any changes to the 
    audit strategy or the audit plan and the reasons for them must be included in the 

    audit documentation. 

    c) Audit programmes 

    The audit manager will typically use the audit plan as a basis for drawing up 
    checklists or similar documents for audit staff to use in gathering audit evidence 
    during the fieldwork stage of the audit. Audit programmes are schedules of 
    audit procedures to be carried out by audit staff to obtain sufficient appropriate 

    audit evidence.

    Each account area (eg non-current assets, inventory, receivables etc) will have 
    its own audit programme and each member of the team is likely to be assigned 
    responsibility for carrying out the audit procedures for one or more account 
    areas. Audit programmes may be designed with reference to specific audit 
    objectives; this ensures that audit work is focused and that sufficient appropriate 

    audit evidence is gathered and documented. 

    d) Audit matters

    Audits should be carried out by staff with appropriate skills and experience. 

    • Audit team 

    ISA 220 for Quality control for an audit of financial statements considers the 
    issue of assignment of engagement teams. The audit engagement partner 
    (sometimes called the reporting partner) must take responsibility for the quality 
    of the audit to be carried out (ISA 220: para. 8). He/she should assign staff with 

    necessary competencies to the audit team (ISA 220: para. 14). 

    Some audits are wholly carried out by a sole practitioner (an accountant who 
    practises on his/her own) or a partner.

     More commonly, however, the engagement partner will take overall responsibility 
    for the conduct of the audit and will sign the auditor’s report. The engagement 
    partner will delegate aspects of the audit work such as the detailed testing to 

    the staff of the firm. The usual hierarchy of staff on an audit assignment is:

    The engagement partner is responsible for ensuring that: 

    • An appropriate level of professional scepticism is applied by audit staff 

    in the conduct of the audit; and 

    • There is proper communication both within the audit team and with the 

    audited entity. 

    Achieving these two objectives is likely to involve holding a planning meeting with 
    the audit staff on the assignment to discuss the risks of material misstatement 
    that could arise in the financial statements and making them aware of historical 

    issues on the audit. 

    Ensuring communication between client staff and audit staff will be more difficult 
    as the audit engagement partner is unlikely to visit the client site during the audit. 
    However, given that the audit partner has a responsibility here, he/she must 
    take appropriate steps. What these should be will depend on the individual 
    circumstances of the audit. The audit engagement partner should consider the 

    following:

    – Keeping in regular contact with both audit and client staff during the 

    audit to assess the level of communication between them;

    – Attending the site during the audit to facilitate better communication 
    if he/she feels that it is necessary.Fostering lines of communication 
    between client staff and audit staff during the period between audits 

    to ensure a good working relationship is built up between them;

    – The availability of audit staff throughout the engagement (taking into 

    account conflicting audit deadlines, holidays and study leave).

    Dealing with client staff 

    An important skill that all staff chosen for the audit assignment should have 
    is the ability to deal with the client staff with whom they come into contact. 
    Discussions with staff operating the system should be conducted in a manner 
    which promotes professional relationships between auditing and operational 

    client staff. 

    Relationships with the client will be enhanced if auditors aim to provide a high 
    quality service that caters for the needs of the client. However, more specific 
    people skills will also be needed. Negotiation skills and interviewing skills are 

    particularly important. 

    Auditors should also be trying to understand what managers and staff want 
    from the audit and how hostility to the time they have to spend dealing with 
    auditors can be overcome. This does not mean agreeing with management and 
    staff on every issue, but it does mean enabling the auditors to understand why 

    difficulties have arisen and how those difficulties can be overcome. 

    7.1.3. Limitations of audit planning

    Even though the audit plan has a number of advantages, it is not free from 

    limitations. Some of the major disadvantages of audit plan are as follows:

    • Rigitity

    An audit plan follows a standard approach and set patterns. This may stifle 
    flexibility and initiative, therefore dampening professional judgement of the 
    parties involved. Rigidity also makes the process too mechanistic undermining 
    the audit staffs’liabilities, creativity and talents. This will consequently leave them 

    with less freedom in performing their task and also technically challenged.

    • Overlooking audit staffs’capabilities

    A plan will make the audit process automated and will loose the sense of 
    responsibility for the audit staff. It can potentially decrease initiative and 
    inventiveness, with less application of staff talents and abilities. They therefore 
    do not reinforce the plan with any improvements, which will lower it future 
    effectiveness. The automation also leaves the staff performing their task with 

    normality, which can cause boredom.

    The strategies and pocedures adopted from an audit may not be in accordance 
    with a client’s standards. An auditor will likely need to prepare a new procedural 
    plan that meets the need of the client: in some cases, this backtracking may
    cause the client to loose faith and /or trust in the auditor. Staff may also feel 
    manipulated since they will have to participate in the preparation of the new 

    plan, which can very significantly from the audit standards..

    • Constant update

    An audit plan needs to change regularly, usually each year to keep it current with 
    the changing economic environment and business structures. If this change is 
    not done, the plan may turn out to be too rigid in nature and its application in an 
    audit process may be in-effective and out-dated. This updating requires more 
    time and resource devotion to the plan, which would be better used in another 

    productive activities.

    Application activity 7.1

    1. Explain the difference between the audit strategy and the audit plan 
    2. Identify seven key items of information likely to be contained in an 

    audit strategy document.

    7.2. Materiality in Auditing

    Learning activity 7.2

    Observe the above picture, then answer the following questons:

    1. What do you mean by a material misstatement?
    2. Explain the difference between the overall materiality and performance 

    materiality.

    7.2.1. Meaning and methods of calculating materiality inauditing

    a) Meaning of materiality

    Materiality in Auditing is defined as the benchmark used to obtain 
    reasonableassurance that an audit does not detectany material misstatementthat 

    can significantlyimpact the usability of financial statements.

    The auditor is required to determine the materiality level for the financial 
    statements as a whole, as well as performance materiality, at the planning stage. 
    The calculation or estimation of materiality should be based on the auditor’s 
    experience and judgment. The materiality chosen should be reviewed throughout 

    the audit. 

    Materiality relates to the level of misstatement that affects the decisions of users 

    of the accounts. 

    Misstatements are considered to be material if they, individually or in aggregate, 

    could reasonably be expected to influence the economic decisions of users. 

    Judgments about materiality are made in the light of surrounding circumstances, 
    and are affected by the size and nature of a misstatement or a combination of 
    both. Judgments about matters that are material to users of financial statements 
    are based on a consideration of the common financial information needed users 

    as a group. 

    The practical implication of this is that the auditor must be concerned with 
    identifying ‘material’ errors, omissions and misstatements of transactions, 
    account balances and disclosures. Both the amount (quantity) and nature 
    (quality) of misstatements need to be considered (e.g., lack of disclosure 

    regarding ongoing litigation is likely to be considered material). 

    Materiality provides a threshold or cut-off point rather than being a primary 

    qualitative characteristic which information must have to be useful. 

    E.g. If a company has a profit of FRW 100Millions, a misstatement of FRW1Million 
    is unlikely to be significant. If a company has a profit of FRW 10Millions, a 
    misstatement of FRW 1Million will have a more significant impact on the readers 

    of the accounts. 

    During planning, the auditor must establish materiality for the financial statements 

    as a whole, but must also set performance materiality levels. 

    The concept of materiality is applied by the auditor both in planning and 
    performing the audit, and in evaluating the effect of identified misstatements on 
    the audit and of uncorrected misstatements, if any, on the financial statements 

    and in forming the opinion in the auditor’s report. 

    Materiality considerations during audit planning are extremely important. The 
    assessment of materiality at this stage should be based on the most recent and 
    reliable financial information and will help to determine an effective and efficient 

    audit approach. Materiality assessment will help the auditors to decide: 

    • How many and what items to examine;
    • Whether to use sampling techniques;

    • What level of error is likely to lead to a modified audit opinion. 

    The resulting combination of audit procedures should help to reduce detection 

    risk to an appropriately low level. 

    b) Determining materiality for the financial statements as a whole 

    Determining materiality for the financial statements as a whole involves the 
    exercise of professional judgment. Because many users of financial statements 
    are primarily interested in the profitability of the company, materiality is often 

    thought in terms of a value associated with the level of profit before tax. 

    For example, if profit before tax was FRW 40,000,000, auditors might consider 
    that all matters in the financial statements equal to 5% of FRW 40,000,000 (i.e. 

    FRW 2,000,000) will be important to users. 

    However, auditors should avoid thinking of materiality solely in these terms. For 
    example, some users might be more concerned with asset values or specific 
    matters in the financial statements rather than ‘value’ at all. Consequently, 
    auditors may have a monetary guide to what is important to users, but they 
    should also use their professional judgment at all times to consider what is 

    important to users. 

    In addition, certain types of errors should be investigated even if they are small in 

    monetary terms, because, as stated above, they are important for other reasons. 

    • Recurring errors as these may indicate weaknesses in the accounting 
    system 
    • Errors that would mean breaches of statutory requirements 
    • Critical point errors, for example, those that change a loss into profit 
    • Conceptual errors, errors that involve breaches in the accounting 

    requirements

    At the planning stage, auditors will set a ‘value level’ for planning materiality 
    based on draft financial information available to them. However, this should be 
    reviewed as the audit progresses and as any changes are made to the financial 

    information. 

    Generally, a percentage is applied to a chosen benchmark as a starting point 
    for determining materiality for the financial statements as a whole. The following 

    factors may affect the identification of an appropriate benchmark: 

    • Elements of the financial statements (e.g. assets, liabilities, equity, 
    revenue, expenses) 
    • Whether there are items on which users tend to focus 
    • Nature of the entity, industry and economic environment
    • Entity’s ownership structure and financing
    • Relative volatility of the benchmark 
    • The following benchmarks and percentages may be appropriate in the 

    calculation of materiality for the financial statements as a whole. 

    c) Determining performance materiality 

    Consider what would happen if this materiality for the financial statements as a 
    whole was applied directly to, for example, different accounts balances (such as 
    receivables, inventory etc.). It could be that a number of balances (or elements 
    making up those balances) are untested or dismissed on the grounds they are 
    immaterial. However, a number of errors or misstatements could exist in those 

    untested balances, and these could aggregate to a material misstatement. 

    For this reason, the auditor is required to set performance materiality levels, 
    which are lower than the materiality for the financial statements as a whole and 
    this means a lower is applied during testing. The risk of misstatements which 
    could add up to a material misstatement is therefore reduced. As we can see in 

    the key terms below, performance materiality really has two definitions 

    Performance materiality is the amount or amounts set by the auditor at less than 
    materiality for the financial statements as a whole to reduce an appropriately 
    low level of the probability that the aggregate of uncorrected and undetected 

    misstatements exceeds materiality for the financial statements as a whole.

    Performance materiality also refers to the amount or amounts set by the auditor 
    at less than the materiality level or levels for particular classes of transactions, 

    account balances or disclosures. 

    This indicates the auditor sets a level or levels of materiality lower than overall 
    materiality for the purposes of performing procedures in general (for example on 

    a low risk area) and this is just to account for aggregation. 

    However, an even lower level is set for certain balances, transactions or 
    disclosures where there is an increased risk (for example, the auditor will set 
    a lower performance materiality level for bank balances if he/she considers 
    bank balances to be a sensitive area). Lower levels are also set if qualitative 

    considerations (discussed below) necessitate it. 

     Determining performance materiality is very much dependent on the auditor’s 
    professional judgment. In summary it is affected by: 
    • The nature and extent of misstatements identified in prior audits;
    • The auditor’s understanding of the entity;

    • Result of risk assessment procedures.

    7.2.2. Difference between materiality in government and 

    in private sector

    Materiality in governmental audit is different from materiality in private sector 

    auditing for several reasons.

    Most importantly, due to the format of state and local government financial 
    statements under GAAP (general accepted accounting principles), the AICPA 
    (American institute of certified public accountant) audit guide for state and 
    local governments requires auditors to consider materiality by “opinion unit” 
    rather than for the financial statements taken as a whole. The guide defines 

    opinion unit as follows:

    Government-wide level
    • Government activities;
    • Business activity( nature of business); 

    • Discretely presented component units in the aggregate.

    Fund levels: 
    • General fund (always a major fund)
    • Other major funds determined for government funds or enterprise 
    funds. Each major fund is an opinion unit. If there are no major funds, 
    then there will be only two opinion units. The general fund and then 

    remaining fund information; and 

    • Remaining fund information, consisting of all other non-major 
    governmental and enterprise funds, internal service fund type, and 
    fiduciary fund type. (this will generally always be present, although 
    the individual components and size will change between governmental 

    entities.)

    This functionally decreases materiality for state and local government financial 
    statements by an order of magnitude compared to materiality for private 
    company financial statements. Due to the unique concept of materiality, the 

    auditor’s report expresses an opinion in relation to each opinion unit.

    Moreover, the primary users of government financial statements are different: 
    the citizens and the parliament in the public sector versus investors in the private 
    sector. It is important to identify the primary users since materiality reflects the 
    auditors judgment of the needs of users in relation to the information in the 

    financial statements.

    Finally, in government auditing, the political sensitivity to adverse media exposure 
    often concerns the nature rather than the size of an amount, such as illegal acts, 

    bribery, corruption and related-party transactions. 

    Qualitative considerations of materiality are therefore different in private 
    sector auditing, in which qualitative consideration are focused on the effect on 
    earnings per share, executive bonuses or other risks that are not applicable to 

    governments. 

    Qualitative materiality refers to the nature of a transaction or amount and includes 
    many financial and non financial items that, independent of the amount, may 

    influence the decisions of users of the financial statements.

    While rules of thumb mentioned in the section above are commonly applied 
    to state and local government financial statements, government auditors may 
    also use different means to quantify materiality such as total cost or net cost 
    ( expenses less revenues or expenditure less receipts). In a cash accounting 

    environment, total expenditures is often used as a benchmark.

    7.2.3. Roles of materiality of an error in auditing

    The importance of materiality of an error in auditing is that:
    • It influnces the auditor’s time budget on specific items;
    • It dictates the auditor’s plan;
    • It influences the auditor’s plan;
    • It determines the amount of audit evidence to be gathered;
    • It is required by the professional body ICPAR (Institute of Certified 

    Public Accountants of Rwanda) as an incidental objective.

    Application activity 7.2

    1. Which measures of a client’s business is an auditor likely to use when 
    setting a level of materiality: 

    a) For a client that has a stable asset base and steady revenue over 
    the last few years but has only made a small pre-tax profit this 
    year owing to a large one-off expense? 
    b) For a client where the outside shareholders have expressed 

    concern over declining profits over the last few years? 

    2. Profit before tax at Rilla Ltd is FRW10, 000,000. 
    Which one of the following balances are the auditors unlikely to plan 
    to test in detail? 
    a) Receivable FRW 5, 000,000 
    b) Bank FRW 450,000 
    c) Dirctor’s bonus of FRW 400,000

    d) Addition to non-current assets FRW 2,000,000

    7.3. The entity and its environment

    Learning activity 7.3

    Observe the above image then answer the following questions:

    1. What does the above image show?
    2. What information do you think the auditor wants to know when he/

    she asks himself/herself the questions in the image?

    7.3.1. The entity and its environment

    The auditor is required to obtain an understanding of the entity and its environment 
    in order to be able to assess the risks of material misstatement and direct his/

    her audit approach accordingly. 

    ISA 315 states that ‘the auditor shall perform risk assessment procedures 
    to provide a basis for the identification and assessment of risks of material 

    misstatement at the financial statement and assertion levels. 

    a) Why? 
    The reasons the auditor is to obtain the understanding of the entity and its 
    environment are very much bound up with assessing risks and exercising audit 
    judgment. We shall look at these aspects more in the next two topics of this 

    Unit. 

    b) What? 
    ISA 315 sets out a number of requirements about what the auditors must 

    consider in relation to obtaining an understanding of the business. 

    c) How? 
    ISA 315 sets out the risk assessment procedures that the auditor must use 
    to obtain the understanding. The auditor does not have to use all of these for 
    each area, but the ISA requires that risk assessment procedures should, as a 

    minimum,comprise a combination of these procedures. 

    • Inquiries of management and others within the entity 
    • Analytical procedures

    • Observation and inspection 

    The audit team and the engagement partner are also required by ISA 315 to 
    discuss the susceptibility of the financial statements to material misstatement. 
    Judgment must be exercised in determining which members of the team should 
    be involved in which parts of the discussion, but all team members should be 
    involved in the discussion relevant to the parts of the audit they will be involved 

    in. 

    Lastly, if it is a recurring audit, the auditors may have obtained a great deal of 
    knowledge about the entity and the environment in the course of prior year 
    audits. The auditor is entitled to use this information in the current year audit, 
    but he/she must determine whether any changes in the year have affected the 

    relevance of information obtained in previous years. 

    Inquiries of management and others within the entity 

    The auditors will usually obtain most of the information they require from staff in the 
    accounts department, but may also need to make enquiries of other personnel, 
    for example, internal audit, production staff or those charged with governance. 
    Those charged with governance may give insight into the environment in which 
    the financial statements are prepared. In-house legal counsel may help with 
    understanding matters such as outstanding litigation, or compliance with laws 
    and regulations. Sales and marketing personnel may give information about 

    marketing strategies and sales trends.

    Analytical procedures 

    Analytical procedures are a useful tool in risk assessment. ISA 315 and ISA 520 
    Analytical procedures provide guidance in this area. ISA 315 requires auditors 

    to use analytical procedures during the risk assessment phase of the audit. 

    Analytical procedures consist of the evaluations of financial information made by 
    a study of plausible relationships among both financial and non-financial data. 
    Analytical procedures also encompass the investigation of identified fluctuations 
    and relationships that are inconsistent with other relevant information, or deviate 

    significantly from predicted amounts. 

    There are many sources of information available to the auditor at this stage 
    including interim financial information, budgets, management accounts, 

    information for prior periods and industry information. 

    All of this information can be used by auditors to help them understand areas 
    of risk. For example, ratios (such as the receivables days, inventory turnover 
    and the current ratio) can be calculated using information from the financial 
    statements. The financial statements can also be compared to prior years, or 

    similar firms in the same industry. 

    Budgets are helpful in indicating the expectations of the organization, and 
    management accounting information is useful for variance analysis. Variance 
    analysis involves looking at actual income and expenditure against the expected 

    figures and determining the reasons for any variances between the two.

    Analytical procedures such as these can be extremely helpful at the risk 
    assessment and planning stages of an audit and help the auditor to identify the 
    areas of greatest risk, and therefore the areas where the risk of misstatement 
    in the accounts is highest. These are the areas where the most work will be 

    required during the audit. 

    Observation and inspection 

    These techniques are likely to confirm the answers made to inquiries made of 
    management. They will include observing the normal operations of a company, 
    reading documents or manuals relating to the client’s operations or visiting 

    premises and meeting staff. 

    The ISA gives guidance on performing these risk assessment procedures in 

    order to obtain the required understanding of the business. 

    The table below summarizes some of the key points.

    Application activity 7.3

    1. What auditors need to know in understanding the entity and its 
    environment?

    2. Why do auditors needs to be familiar with the organization business 
    model?

    3. What are the factors the auditor must valuate to understand the entity 
    and its environment?

    4. What is the most important thing that an auditor does when 

    understanding the entity?

    7.4. Audit risk

    Learning activity 7.4

    Observe the above picture then answer the following questions:

    1. Is it possible that an auditor can give an inappropriate audit opinion 

    on financial statements?

    2. How do we call the case in which an auditor can give an inappropriate 

    audit opinion on financial statements ?

    7.4.1. Meaning and types of audit risks

    a) Meaning of audit risk 

    In an audit of financial statements, audit risk is the risk that the auditor 
    expresses an inappropriate audit opinion when the financial statements 
    are materially misstated,     i.e., the financial statements are not presented fairly 

    in conformity with the applicable financial reporting framework.

    b) Types of audit risk

    Audit risk 

     Audit risk is the risk that the auditors give an inappropriate audit opinion when 
    the financial statements are materially misstated. It has two elements: the risk 
    that the financial statements contain a material misstatement (inherent risk 
    and control risk) and the risk that the auditors will fail to detect any material 

    misstatements (detection risk). 

    In order to obtain assurance about whether the financial statements are free 
    from material misstatement, the auditor needs to consider how and where 

    misstatements are most likely to arise. 

    Carrying out a financial statement risk assessment helps the auditor ensure 
    that the key areas more susceptible to material misstatement are adequately 
    investigated and tested during the audit. It also helps the auditor identify low risk 
    areas where reduced testing may be appropriate, ensuring time is not wasted 

    by over-testing these areas. 

    In this way, auditors follow a risk-based approach to auditing. In the risk-based 
    approach, auditors analyze the risks associated with the client’s business, 
    transactions and systems, which could lead to misstatements in the financial 
    statements, and direct their testing to risky areas. Audits conducted in 

    accordance with ISAs must follow the risk-based approach. 

    Auditors are therefore not concerned with individual routine transactions, 

    although they will still be concerned with material, non-routine transactions. 

    As you can see from the above diagram, audit risk has two major components: 

    • The risk of material misstatement arising in the financial statements 
    is dependent on the entity, and cannot be influenced by the auditors. 

    It is a product of inherent risk and control risk. (ISA 200: para. 13No)

    Detection risk 
    Detection risk is dependent on the auditor, and is the risk that the auditor will 
    not detect material misstatements in the financial statements. (ISA 200: para. 

    13(e)) 

    Inherent risk
    Inherent risk is the risk that items will be misstated due to characteristics of 
    those items, such as the fact they are estimates or that they are important items 
    in the accounts. The auditors must use their professional judgment and all 
    available knowledge to assess inherent risk. If no such information or knowledge 

    is available, then the inherent risk is high. 

    Inherent risk is affected by many factors, including: 
    • The nature of the entity, for example, the industry it is in and the 
    regulations it falls under 
    • The attitudes and experience of management
    • The geographic spread of the operations
    • The future business strategy of the entity 
    • The presence of complex wage structures, for example, a bonus- or 

    commission-based salary structure 

    The information system, for example, computer-based accounting systems 
    Inherent risk can also vary from account to account. Balances made up of 
    complex items, such as inventory in a manufacturing company, portable assets 
    in an engineering company and cash balances are generally more prone to high 

    levels of inherent risk. 

    Control risk 

    Control risk is the risk that a misstatement that could occur in an assertion and 
    that could be material, individually or when aggregated with other misstatements, 
    will not be prevented or detected and corrected on a timely basis by the entity’s 

    internal control. 

    7.4.2. Model and calculation of audit risk

    This aspect of audit risk is known as detection risk. 

    Detection risk is the risk that the auditor’s procedures will not detect a 
    misstatement that exists in an assertion that could be material, individually or 

    when aggregated with other misstatements. (ISA 200) 

    Detection risk is the component of audit risk that the auditors have a degree of 
    control over, because, if risk is too high to be tolerated, the auditors can carry 
    out more work to reduce this aspect of audit risk, and therefore audit risk as a 

    whole. 

    ISA 200 Overall objectives of the independent auditor and the conduct of an 
    audit in accordance with international standards on auditing (ISA 200) states 
    that ‘the auditor shall obtain sufficient appropriate audit evidence to reduce 
    audit risk to an acceptably low level and thereby enable the auditor to draw 
    reasonable conclusions on which to base the auditor’s opinion’, that is, giving 

    reasonable assurance on the truth and fairness of the financial statements. 

    Looking at audit risk as a whole, we can see that it can be represented by the 

    audit risk model as follows:

    The implication of this for the auditor is that if inherent risk and control risk are 
    relatively high, then the amount of work carried out to reduce detection risk will 

    have to increase to reduce audit risk as a whole to an acceptably low level. 

    For example, let us assume that an auditor is prepared to accept a 5% chance 
    that he may give an inappropriate audit opinion on the financial statements. In 

    other words, the auditor sets the acceptable level of audit risk at 5%. 

    From his assessment of the client’s risk environment, the auditor has determined 
    the inherent risk factor to be 80% and the control risk factor for a given area of 

    the financial statements to be 25%. 

    By re-arranging the audit risk model [Audit risk (AR) = Inherent risk (IR) * Control 
    risk (CR) * Detection risk (DR)] we can find the level of detection risk required: 
    DR= AR/ IR*CR
    DR = 0.05/ 0.8*0.25
    DR= 0.05/0.2

    DR= 0.25*100= 25%

    So, the level of detection risk would need to be set at 25%. 

    However, let us now assume that for a different area of the client’s financial 
    statements, the auditor has assessed control risk at 12½%. How does this 

    affect the level of detection risk?

    AR= 0.05

    DR= AR/ IR*CR

    DR= 0.05/ 0.8*0.125

    DR= 0.05/ 0.1

    DR= 0.5 *100= 50%

    Now the level of detection risk should be set at 50%. 

    These examples illustrate a very important point: that detection risk has an inverse 
    relationship with risk of material misstatement (inherent risk u control risk). The 
    lower the risk of material misstatement, the higher the level of detection risk 
    which can be accepted, and therefore the lower the level of detailed testing 

    required. 

    Conversely, if the auditor feels a company has a high risk of material misstatement, 
    then the acceptable level of detection risk will need to be reduced to compensate 
    for this, and consequently the auditor will need to increase the level of detailed 

    testing required. 

    Remember that the level of detection risk represents the risk that the auditors 
    will not find a material misstatement. Consequently, there is also an inverse 
    relationship between the level of detection risk and the level of substantive 
    testing required: the higher the acceptable level of detection risk, the lower the 

    amount of substantive testing required, and vice versa. 

    7.4.3. Assessing the risk of material misstatement and 

    responding to risk assessment

    a) Assessing the risk of material misstatement

    The ISA 315) says that the auditor shall identify and assess the risks of material 
    mistatement at the financial statement level and assertion level. It requires the 

    auditor to take the following steps:

    • Identify risks throughout the process of obtaining an understanding of 
    the entity’ 
    • Relate the risks to what can go wrong at the assertion level;
    • Consider whether the risks are of a magnitude that could result in a 
    material misstatement;

    • Consider the likelihood of the risks causing a material misstatement.

    b) responding to risk assessment

    The auditors must formulate an approach to the identified risks of material 
    misstatement. They must formulate overall responses and detailed further audit 
    procedures, which will comprise tests of controls and substantive procedures 

    or substantive procedures only. 

    The objective of ISA 330 The auditor’s responses to assessed risks is ‘to obtain 
    sufficient appropriate audit evidence regarding to the assessed risks of material 
    misstatement, through designing and implementing appropriate responses to 

    those risks’. 

    In other words, having assessed the risks of material misstatements in the 
    financial statements, the auditor has to plan the work that will be carried out to 
    ensure that he/she can give an opinion that the financial statements give a true 
    and fair view, that is, that any material misstatements have been identified and 

    amended if necessary.

    Overall responses 

    Overall responses to risks of material misstatement will be changes to the 
    general audit strategy or re-affirmations to staff of the general audit strategy. 
    For example (ISA 330): 
    • Emphasizing to audit staff the need to maintain professional scepticism;
    • Assigning additional or more experienced staff to the audit team;
    • Using experts;
    • Providing more supervision on the audit; 
    • Incorporating more unpredictability into the audit procedures;
    • Making general changes to the nature, timing and extent of audit 

    procedures. 

    Responses to the risks of material misstatement at the assertion level 

    The ISA says that ‘the auditor shall design and perform further audit procedures 
    whose nature, timing and extent are based upon and are responsive to the 
    assessed risks of material misstatement at the assertion level. Nature refers 
    to the purpose and the type of test that is carried out. ISA 330 requires that 

    auditors should carry out tests of controls and substantive procedures. 

    Test of controls is an audit procedure designed to evaluate the operating 
    effectiveness of controls in preventing, or detecting and correcting material 

    misstatements at the assertion level. 

    Substantive procedure is an audit procedure designed to detect material 
    misstatements at the assertion level. Substantive procedures comprise tests of 

    details and substantive analytical procedures. 

    Application activity 7.4

    You are involved with the audit of Kigali Solutions Ltd, a small company. You 
    have been carrying out procedures to gain an understanding of the entity. 

    The following matters came to your attention: 

    The company offers standard credit terms to its customers of 60 days 
    from the date of invoice. Statements are sent to customers on a monthly 
    basis. However, Kigali Solutions Ltd does not employ a credit controller, 
    the company sends statements to clients on a monthly basis, it does not 
    communicate with them on a systematic basis (regular basis). On certain 
    days, the receivables ledger clerk may call a customer if the company has 
    not received a payment. Some clients pay regularly according to the credit 
    terms offered to them, but others pay on a very haphazard basis and do not 
    provide a remittance advice. Receivables ledger receipts are entered into 
    the receivables ledger but not matched to invoices remitted. The company 

    does not produce an aged list of balances. 

    Required 

    From the above information, assess the risks of material misstatement arising 
    in the financial statements. Outline the potential materiality of the risks and 

    discuss factors in the likelihood of the risks arising. 

    Skills lab activity 7

    Under the guidance of the teacher, the students can visit the school 
    accountant, headteacher and other school staffs, to ask them different 
    questions about organization policy, management framework and financial 
    informations that can help them to obtain useful information that can be 

    used in the audit work. 

    End unit 7 assessment

    1. Which of the following would not increae inherent risk
    A. Revenue is derived from sales of high-tech products
    B. Sales order are not authorised prior to sales being executed
    C. A number of customers have significatly old debt
    D. Some recent sales have resulted in legal claims against the 

    company

    2. Which of the following statement does not illustrate an inherent risk?
    A. The organization is seeking to rise finance to diversity
    B. The auditor uses samples when carrying out audit testing
    C. Directors participate in a profit-related bonus scheme

    D. The financial statements contain complex transactions

    3. Can an audit partner delegate responsibility for the audit opinion to 

    his staff?

    4. What procedures might an auditor use in gaining an understanding 

    of the entity?

    5. What information does an audit plan usually contain?

    6. The audit partner has set the overall level of audit risk for a client as 

    10%. 

    Your risk assessment of the client has indicated that inherent risk is 

    60% and control risk is 60%. 

    What level of detection risk should be prescribed for this client? 

    UNIT 6: AUDITOR’S REGULATION AND ETHICSUNIT 8:AUDIT EVIDENCE AND SAMPLING