F8 – Chapter 2 – Planning and risk assessment
Key Highlights on Chapter 2
Introduction to Risk in Auditing:
- Overview of the risk management process within the organization being audited.
- Understanding how risks are identified, assessed, and managed by the organization’s management and internal control systems.
Materiality in Auditing:
- Significance of errors, misstatements, or omissions in financial statements influencing economic decisions.
- Consideration when planning and performing audit procedures to focus on areas with potential significant impact.
Purpose of Assessing Risks of Material Misstatement:
- Developing audit procedures and responses tailored to address specific risks identified.
- Ensuring effective and efficient audit engagements by focusing efforts on areas of higher risk.
Auditor’s Response to Identified Risks:
- Conducting additional audit procedures to obtain sufficient appropriate audit evidence.
- Enhancing the reliability and effectiveness of audit conclusions and reporting.
Risk Assessment in Auditing:
- Identification and assessment of risks of material misstatement in the organization’s financial statements.
- Developing a risk-based audit plan to address areas of higher risk.
Role of Legal Compliance and Regulations in Risk Assessment:
- External factors influencing risk by imposing legal obligations, standards, and requirements.
- Guiding the audit approach and procedures to ensure adherence to applicable laws and regulations.
Importance of Documentation of Risk Assessment:
- Providing evidence of the audit work performed, including identification, assessment, and response to risks.
- Ensuring transparency, accountability, and quality of the audit engagement.
Primary Objective of Legal Compliance and Regulations:
- Ensuring the organization’s adherence to applicable laws, regulations, and standards governing financial reporting and internal controls.
- Mitigating risks associated with non-compliance, such as financial penalties and reputational damage.
Tolerable Misstatement:
- Acceptable level of error or misstatement in financial statements without affecting the audit opinion.
- Benchmark for assessing sufficiency and appropriateness of audit evidence obtained.
Outcome of a Well-Documented Risk Assessment Process:
- Improved audit efficiency by providing a clear understanding of the organization’s risk profile.
- Development of a risk-based audit plan to address areas of higher risk effectively and allocate audit resources efficiently.
Audit and Assurance (AA) – Chapter: Planning and Risk Assessment
Topic 1. Obtaining, Accepting and Continuing Audit Engagements
1.a Professional Ethics and ISA 210 Requirements
Ethical Framework
- Integrity and Objectivity: Under ACCA’s Code and ISA 200, auditors must safeguard against self-interest and familiarity threats before taking on clients.
- Independence in Appearance and Mind: Required by ISA 220; evaluators must confirm no conflicting relationships.
- Competence: Firms must possess technical expertise (ISA 220).
- Quality Control Policies: Per International Standard on Quality Management (ISQM 1), firms implement policies to evaluate new and continuing clients.
Illustration 1.1: Decision Tree for evaluating ethics threats: Identify → Classify threat → Apply safeguards → Accept or Decline.
1.b Preconditions for an Audit (ISA 210)
- Acceptable Framework: Both parties agree on recognition and measurement criteria (e.g., IFRS, GAAP).
- Management Responsibility: Management acknowledges responsibility for financial statements and internal control.
- Access to Information: Auditor must have unrestricted rights to documents, personnel, and premises.
1.c Engagement Acquisition Process
- Client Prospectus & Marketing: Firms document services, areas of specialty, and fee structures.
- Pre-Acceptance Evaluation: Background checks on management integrity, reputation, and financial stability.
- Initial Risk Screening: Preliminary review of industry risks, regulatory environment, and prior audit issues.
- Client Proposal & Negotiation: Scope, timing, fee estimates, and resource requirements are negotiated.
- Engagement Letter Issuance (See 1.d).
Case Study 1.1: A mid-market manufacturing firm—risks identified: complex inventory valuation, foreign operations. Decision: allocate senior staff and inventory specialist.
1.d Engagement Letters: Purpose, Content and Extensions
Purpose: Mitigate misunderstandings by defining clear terms and responsibilities.
Essential Contents:
- Objective & Scope: Defines audited periods, financial statements, and applicable framework.
- Management Responsibilities: Preparation of records, internal controls, provision of representations.
- Auditor Responsibilities: Conduct audit per ISAs, provide opinion.
- Reporting Format: Form and content of the audit report (including emphasis-of-matter paragraphs if needed).
- Fees, Billing Terms and Limits of Liability.
- Timetable & Deliverables: Key deliverable dates (planning, fieldwork, reporting).
- Use of Specialists: If IT, valuation or actuarial experts are engaged.
Illustration 1.2: Annotated Engagement Letter highlighting mandatory clauses and optional extensions (e.g., use of data analytics).
Topic 2. Objective and General Principles
2.a Auditor’s Overall Objective (ISA 200)
To obtain reasonable assurance that the financial statements as a whole are free of material misstatement, enabling the auditor to express an opinion that adds credibility and confidence for intended users.
Sub-Objectives:
- Identify and assess risks of material misstatement due to fraud or error.
- Design and perform responses to assessed risks.
- Obtain sufficient appropriate evidence to support the opinion.
2.b Professional Skepticism, Judgment and Planning
- Professional Skepticism: A continuous mindset of questioning and critical assessment of audit evidence and contradictory information.
- Professional Judgment: Applied in areas like sample selection, estimates evaluation, and materiality determination.
- Planning: Documented strategy (ISA 300) covering scope, resources, timing, materiality, risk assessment, and involvement of experts.
Illustration 2.1: Mind Map linking planning inputs (e.g., industry data, prior audits, preliminary risk assessment) to outputs (audit strategy, plan, materiality thresholds).
Topic 3. Assessing Audit Risks
3.a Components of Audit Risk
AR = IR × CR × DR
- Inherent Risk (IR): Nature of client’s business or complexity of transactions.
- Control Risk (CR): Effectiveness of internal controls in preventing/detecting misstatements.
- Detection Risk (DR): Auditor’s procedures failing to detect misstatements.
3.b Risk of Material Misstatement and Audit Responses
Risk Assessment Procedures (ISA 315):
- Inquiry: Discussions with management and those charged with governance.
- Observation & Inspection: Touring facilities, examining documents.
- Analytical Procedures: Ratio analysis and trend evaluation.
Response to RMM:
- Test of Controls: Evaluate design and operating effectiveness.
- Substantive Procedures: Tests of details and substantive analytical procedures.
Illustration 3.1: Matrix mapping assertions (existence, completeness, valuation) to typical risks and corresponding audit procedures.
3.c Materiality and Performance Materiality
- Materiality: Set for overall financial statements, guided by quantitative benchmarks and qualitative considerations (e.g., fraud risk).
- Performance Materiality: A lower threshold for specific account balances or classes of transactions to reduce the risk that aggregate misstatements exceed materiality.
3.d Calculating Materiality Levels
- Determine Benchmark (e.g., 5% PBT, 1% revenue).
- Consider Qualitative Factors: Volatility, user sensitivity.
- Compute Materiality: Benchmark × percentage.
- Set Performance Materiality: Typically 50–75% of materiality.
Example 3.1:
- Profit before tax of 8 million → materiality = 5% × 8m = 400,000.
- Performance materiality = 75% × 400,000 = 300,000.
Topic 4. Understanding the Entity, Environment, and Financial Reporting Framework
4.a Initial Understanding (ISA 315)
- Industry & Regulatory Factors: Competition, technology, economic conditions, legislation.
- Nature of the Entity: Ownership, governance, operational structure, products and services.
- Objectives & Strategies: Business models, performance indicators, key processes.
- Measurement & Review: Management information systems and internal reporting.
Illustration 4.1: Entity Profile Template capturing key information areas (e.g., mission, structure, markets, key performance metrics).
4.b Analytical Procedures in Planning
- Trend Analysis: Year-on-year changes in revenues, expenses, margins.
- Ratio Analysis: Liquidity, solvency, efficiency.
- Reasonableness Tests: Comparing financial data to budgets, forecasts, industry norms.
4.c Key Ratio Computations and Interpretations
| Ratio | Formula | Interpretation |
| --- | --- | --- |
| Current Ratio | Current Assets / Current Liabilities | >1 indicates short-term liquidity; declining trend is warning |
| Gross Profit Margin | (Revenue − COGS) / Revenue | Lower margin may signal cost control issues |
| Debt-to-Equity Ratio | Total Liabilities / Total Equity | >1 suggests higher leverage risk |
Illustration 4.2: Line Chart of key ratios over three fiscal years, with annotations highlighting significant deviations and their possible causes.
Topic 5. Fraud, Laws and Regulations
5.a Fraud Impact on Strategy and Procedures
Under ISA 240:
- Fraud Risk Assessment: Brainstorming sessions, risk factor identification (e.g., pressure, opportunity, rationalization).
- Specific Responses: Extended journal entry testing, unexpected audit procedures (e.g., surprise inventory counts).
Illustration 5.1: Fraud Triangle Diagram marked with audit procedures at each vertex.
5.b Responsibilities for Fraud Prevention and Detection
- Internal Auditors: Evaluate and recommend improvements to internal controls; ongoing risk monitoring.
- External Auditors: Obtain reasonable assurance; communicate fraud findings; issue management letters.
5.c Laws and Regulations (ISA 250)
- Direct-Effect Laws: Tax, pension regulations; auditor tests compliance as part of FS audit.
- Indirect-Effect Laws: Health and safety, environmental laws; auditor remains alert to possible non-compliance.
Illustration 5.2: Flowchart showing process of identifying relevant laws, assessing impact on financial statements, and testing compliance.
Topic 6. Audit Planning and Documentation
6.a Need and Benefits of Planning
- Efficient Audit: Focus on high-risk areas, allocate staff appropriately.
- Communication: Clarify roles, responsibilities, and timelines.
- Supervision and Review: Basis for oversight and timely issue resolution.
6.b Overall Audit Strategy vs. Audit Plan
| Audit Strategy | Audit Plan |
| --- | --- |
| High-level scope, timing, resource needs | Detailed procedures, sample sizes, schedules |
| Materiality and risk assessment | Nature, timing, extent of substantive and control tests |
6.c Relationship Between Strategy and Plan
The strategy outlines the audit’s scope and approach; the plan operationalizes it with specific steps. A change in risk assessment prompts updates to the plan.
6.d Interim Audit vs. Final Audit
- Interim: Early tests of controls, substantive procedures on predictable areas, inventory observation.
- Final: Focus on year-end transactions, account balances, disclosures, subsequent events.
6.e Interim Audit: Purpose and Procedures
- Purpose: Identify control deficiencies, spread workload, refine risk assessment.
- Procedures: Walkthroughs, test controls, interim inventory counts, IT system tests.
6.f Impact of Interim Work on Final Audit
Positive control test results may reduce year-end substantive testing. Interim findings recalibrate risk assessments and materiality judgments.
6.g Importance of Documentation
Per ISA 230:
- Evidence of Compliance: Demonstrates adherence to ISAs.
- Support for Conclusions: Links evidence to audit findings.
- Continuity: Assists future audits and external inspections.
6.h Working Papers: Forms and Contents
Permanent Files: Organizational charts, system manuals, prior-year issues.
Current Files: Risk assessments, planning memos, audit programs, lead schedules.
Supporting Schedules: Detailed test results, confirmations, reconciliations.
Illustration 6.1: Sample Working Paper Index showing cross-references between audit area, evidence, and conclusions.
6.i Safe Custody and Retention of Working Papers
- Electronic Controls: Encrypted document management systems, user access logs.
- Retention Policy: Minimum five-year retention; longer if required by regulation.
- Disposal: Secure shredding or deletion protocols after retention period.