S7: Audit S7: Audit PlanningPlanning

Session ObjectivesSession Objectives

To explain the need for planningTo explain the need for planning To outline the essential elements of To outline the essential elements of

planning processplanning process To finalise the audit approachTo finalise the audit approach To lay down specific audit proceduresTo lay down specific audit procedures To communicate audit plan to the To communicate audit plan to the

auditee auditee

Why Planning?Why Planning? Planning for financial (attest) audits helps to Planning for financial (attest) audits helps to

develop an audit approach that will ensure develop an audit approach that will ensure that that sufficient appropriate evidencesufficient appropriate evidence is is gathered to support the audit opinion in the gathered to support the audit opinion in the most cost-effective manner, i.e. in an most cost-effective manner, i.e. in an economic, efficient and effective way and in a economic, efficient and effective way and in a timely manner. timely manner.

The Audit Plan should be The Audit Plan should be documenteddocumented and and kept as a part of audit working papers.kept as a part of audit working papers.

The planning process encompasses several The planning process encompasses several steps and it should be carefully noted that the steps and it should be carefully noted that the steps are all steps are all inter-relatedinter-related and not considered and not considered as ends in themselves. as ends in themselves.

Basis for audit planningBasis for audit planning Audit planning should be based on a thorough Audit planning should be based on a thorough

understanding of the auditee entity and its understanding of the auditee entity and its operations and the knowledge should be used to:operations and the knowledge should be used to: determining the materiality i.e. the magnitude of determining the materiality i.e. the magnitude of

misstatements which might reasonably influence the misstatements which might reasonably influence the users of the C&AG's certificate on the financial users of the C&AG's certificate on the financial statements; statements;

identifying those factors that might lead to an increased identifying those factors that might lead to an increased risk of material misstatement or irregularity. risk of material misstatement or irregularity. risks are first identified at the entity level and then to pinpoint risks are first identified at the entity level and then to pinpoint

them in terms of their effect on particular account areas and them in terms of their effect on particular account areas and audit objectives; audit objectives;

preparing an audit approach which focuses on testing of preparing an audit approach which focuses on testing of the specific risk factors while providing an acceptable the specific risk factors while providing an acceptable level of assurance across the financial statements as a level of assurance across the financial statements as a whole. whole.

Planning ProcessPlanning Process1.1. Understanding the EntityUnderstanding the Entity

2.2. Determination of Materiality LevelsDetermination of Materiality Levels

3.3. Assessment of RiskAssessment of Risk

4.4. Controls Testing and EvaluationControls Testing and Evaluation

5.5. Determination of the Sampling Frame Determination of the Sampling Frame

6.6. Deciding on the Audit Approach and Deciding on the Audit Approach and proceduresprocedures

7.7. Drawing of the Audit planDrawing of the Audit plan

8.8. Communication of the Plan to the Communication of the Plan to the AuditeeAuditee

1. Understanding the 1. Understanding the EntityEntityTo study, analyse, record and To study, analyse, record and

comprehendcomprehend Operations and organisation Operations and organisation Financial reporting requirements Financial reporting requirements Regularity and legal framework Regularity and legal framework Parliamentary and legislative interestParliamentary and legislative interest Public interest Public interest Accounting processes and formations Accounting processes and formations

e.g DDOs, PAOs, Treasuries, Works & Forest e.g DDOs, PAOs, Treasuries, Works & Forest Divisions for Government Accounts etc.Divisions for Government Accounts etc.

Computer involvement Computer involvement Control environment Control environment Analytical review Analytical review AccountAccount areas areas

2. Determination of 2. Determination of MaterialityMateriality

Materiality is the Tolerable Error LevelMateriality is the Tolerable Error Level One essential step in planning is to determine One essential step in planning is to determine

materiality by value, nature and context materiality by value, nature and context Materiality should take into account the Materiality should take into account the

concerns of the users of audit certificateconcerns of the users of audit certificate The reasons and bases on which the The reasons and bases on which the

materiality is calculated should be materiality is calculated should be documented.documented.

At the planning stage, the audit team is At the planning stage, the audit team is concerned primarily with materiality by concerned primarily with materiality by value.value.

‘‘Planning materiality’ may be set at a lower Planning materiality’ may be set at a lower level than ‘Reporting materiality’level than ‘Reporting materiality’

3. Assessment of Risk 3. Assessment of Risk

Purpose of risk assessment Purpose of risk assessment to identify the factors that lead to an to identify the factors that lead to an

increased risk of misstatement or increased risk of misstatement or irregularity irregularity

to identify the controls which mitigate to identify the controls which mitigate those risksthose risks

Types of RiskTypes of Risk Entity risks Entity risks Account area risks Account area risks

Assessment of Risk Assessment of Risk (Contd.)(Contd.)

The audit team should use understanding of the The audit team should use understanding of the entity and its operations to identify specific risk entity and its operations to identify specific risk factors taking into account factors relevant at factors taking into account factors relevant at both the entity level and to specific areas as both the entity level and to specific areas as well as the audit objectives.well as the audit objectives.

The audit approach of CAG seeks to reduce to The audit approach of CAG seeks to reduce to an acceptable level the risk that audit work will an acceptable level the risk that audit work will not detect material error or irregularity. not detect material error or irregularity.

Decisions on the nature, extent and direction of Decisions on the nature, extent and direction of audit tests depend upon assessment of the risk audit tests depend upon assessment of the risk of material error or irregularity (inherent risk) of material error or irregularity (inherent risk) and the risk that the entity’s controls will not and the risk that the entity’s controls will not detect such errors or irregularities in a timely detect such errors or irregularities in a timely manner (control risk).manner (control risk).

Entity risksEntity risks

Entity Risks are risks that identified from Entity Risks are risks that identified from top down review of entities that may affect top down review of entities that may affect a number of different account areasa number of different account areas

Entity Risks are to be measured in the Entity Risks are to be measured in the context of :context of :

Overall control environmentOverall control environment External pressures on the entityExternal pressures on the entity Experience and competence of staffExperience and competence of staff Reliability of accounting systemsReliability of accounting systems Stability of the entityStability of the entity

Account area risksAccount area risks Account area risks are the risks identified Account area risks are the risks identified

from more detailed review of each account from more detailed review of each account area and that may arise as a result of area and that may arise as a result of particular characteristics of the associated particular characteristics of the associated transaction streams.transaction streams.

Account area risks mainly arise from:Account area risks mainly arise from: Transactions governed by complex regulationsTransactions governed by complex regulations Services and programmes delivered through third Services and programmes delivered through third

partiesparties Payments and receipts made on the basis of claims Payments and receipts made on the basis of claims

or declarations rather than in exchange for goods or declarations rather than in exchange for goods and servicesand services

Transactions not in the normal course of business Transactions not in the normal course of business or operationsor operations

Transactions recording estimatesTransactions recording estimates Multiple sources of fundsMultiple sources of funds

4. Controls Testing and 4. Controls Testing and EvaluationEvaluation

After identifying specific risk factors, After identifying specific risk factors, the next step is to identify controls the next step is to identify controls which effectively mitigate those risk which effectively mitigate those risk factors.factors.

Audit should identify specific risk Audit should identify specific risk factors that increase the risk of factors that increase the risk of material misstatement and relate material misstatement and relate them to account areas and them to account areas and objectives.objectives.

Controls Testing and Controls Testing and Evaluation (Contd.)Evaluation (Contd.)

For each specific risk factor, it should be seen For each specific risk factor, it should be seen whether management have mitigating controls in whether management have mitigating controls in place.place.

For example:For example: in the area of complex regulations, management may in the area of complex regulations, management may

ensure that the regulations are translated into clear desk ensure that the regulations are translated into clear desk instructions for all staff concerned; instructions for all staff concerned;

for services delivered by third parties, management may for services delivered by third parties, management may require independent verification by external or internal require independent verification by external or internal inspectors or auditors; inspectors or auditors;

All the cases where the audit team identifies All the cases where the audit team identifies specific risk factors without corresponding specific risk factors without corresponding mitigating controls should be specially kept in view mitigating controls should be specially kept in view in deciding the audit approach. in deciding the audit approach.

Such cases should also be brought to the notice of Such cases should also be brought to the notice of the entity’s management for possible introduction the entity’s management for possible introduction of mitigating controls.of mitigating controls.

Controls Testing and Evaluation Controls Testing and Evaluation (Contd.)(Contd.)

Steps in identifying material risk factorsSteps in identifying material risk factors Establish Entity ObjectivesEstablish Entity Objectives Detail business / operations characteristicsDetail business / operations characteristics Identify risksIdentify risks Risks screening and prioritisationRisks screening and prioritisation Assess implications for financial statementsAssess implications for financial statements Determine entity management response to Determine entity management response to

riskrisk

5. Determination of the 5. Determination of the Sampling FrameSampling Frame

For each objective in each account area, For each objective in each account area, the auditor should select methods for the auditor should select methods for collecting audit evidence and a suitable collecting audit evidence and a suitable sampling method.sampling method.

For testing the completeness of say For testing the completeness of say either income or expenditure sampling either income or expenditure sampling may not be appropriate. In such a case may not be appropriate. In such a case careful application of analytical careful application of analytical procedures in combination with other procedures in combination with other audit procedures can provide a better audit procedures can provide a better result.result.

Determination of the Determination of the Sampling Frame (contd)Sampling Frame (contd)

Overall, the auditor needs to use audit Overall, the auditor needs to use audit judgement and experience to decide which judgement and experience to decide which combination of techniques is likely to combination of techniques is likely to provide the total required assurance in the provide the total required assurance in the most cost-effective way.most cost-effective way.

The sampling efficiency can be improved by The sampling efficiency can be improved by applying knowledge, experience and applying knowledge, experience and judgement, especially for transactions which judgement, especially for transactions which carry higher levels of risk or sensitivity. carry higher levels of risk or sensitivity.

By using such knowledge, experience and By using such knowledge, experience and judgement at the planning stage of the judgement at the planning stage of the audit, a more efficient sampling approach audit, a more efficient sampling approach can be developed.can be developed.

Determination of the Determination of the Sampling Frame (Contd.)Sampling Frame (Contd.)

Steps in finalising a sampling frame are:Steps in finalising a sampling frame are: Determine materialityDetermine materiality Assess Risk and Evaluate Mitigating ControlsAssess Risk and Evaluate Mitigating Controls Determine the extent and nature of Determine the extent and nature of

substantive testssubstantive tests Determine Sample Size, i.e. extent of Determine Sample Size, i.e. extent of

substantive testingsubstantive testing Identify sampling methods to be applied Identify sampling methods to be applied

depending on the nature of substantive testsdepending on the nature of substantive tests

6. Deciding on the Audit 6. Deciding on the Audit Approach and Audit Approach and Audit

ProceduresProcedures Audit approach should focus on specific risk Audit approach should focus on specific risk

factors while providing an acceptable level factors while providing an acceptable level of assurance across the financial statements of assurance across the financial statements as a whole.as a whole.

The audit approach chosen will:The audit approach chosen will: reflect understanding of the auditee entity and reflect understanding of the auditee entity and

its business; its business; take account of audit judgement on ‘Planning take account of audit judgement on ‘Planning

materiality’; and materiality’; and respond to the specific risk factors identified in respond to the specific risk factors identified in

the course of risk assessment. the course of risk assessment.

Audit approach (Contd)Audit approach (Contd)

A cost-effective audit approach is one that is A cost-effective audit approach is one that is an optimum mix of the following objectives:an optimum mix of the following objectives:

minimising sampling risk - the risk that audit minimising sampling risk - the risk that audit procedures will fail to detect material procedures will fail to detect material misstatement or irregularity due to drawing a misstatement or irregularity due to drawing a non-representative sample; non-representative sample;

minimising audit cost - by achieving the most minimising audit cost - by achieving the most efficient deployment of audit resources taking efficient deployment of audit resources taking account the overall timetable and minimising account the overall timetable and minimising potential disruption to the normal functioning of potential disruption to the normal functioning of the auditee; the auditee;

maximising assurance on the audit objectivesmaximising assurance on the audit objectives

Audit proceduresAudit procedures

Testing of control by the audit teamTesting of control by the audit team Using the work of internal auditUsing the work of internal audit Applying direct substantive proceduresApplying direct substantive procedures

direct tests based on statistical or non-direct tests based on statistical or non-statistical samples statistical samples

100% testing or less?100% testing or less? Applying predictive analytical proceduresApplying predictive analytical procedures Using the work of other auditorsUsing the work of other auditors Consulting third party expertsConsulting third party experts

Level of substantive Level of substantive proceduresprocedures

The substantive procedures can be The substantive procedures can be performed at one of three levels, performed at one of three levels, depending on the amount of assurance depending on the amount of assurance required. In decreasing order of assurance, required. In decreasing order of assurance, they are:they are: Focused Focused Standard Standard MinimumMinimum

The lower the level of assurance required, The lower the level of assurance required, the lesser will be the extent of audit the lesser will be the extent of audit proceduresprocedures. .

7. 7. Drawing of the Audit Drawing of the Audit planplan

An Audit Plan in the form of Audit An Audit Plan in the form of Audit Planning Memorandum detailing the Planning Memorandum detailing the results of all the processes discussed results of all the processes discussed so far is then prepared. so far is then prepared.

This documents all the processes and This documents all the processes and analyses through which the final plan analyses through which the final plan has been drawn. has been drawn.

8. Communication with 8. Communication with auditeeauditee The audit planning memorandum is The audit planning memorandum is

then communicated by the audit then communicated by the audit team to the auditee. Their team to the auditee. Their suggestion may be taken before suggestion may be taken before execution of the plan.execution of the plan.