This blog is written Mr. Awais Mumtaz, Supervisor Audit and Assurance Services. Please read this blog and provide your valued comments.
When does audit planning take place?
Naturally, it is reasonable to assume that planning occurs towards the start of an audit engagement. However, according to ISA 300, planning should not be seen as a discrete and separate part of the overall audit. Planning often begins shortly after, or in connection with, the completion of the previous audit, for example, with a review of issues that were discussed with management, such as control deficiencies or unadjusted errors. Such matters are relevant to the next year’s audit and need to be considered when planning.
Similarly, the audit plan may be revised as the audit progresses, and should not be viewed as being fixed in place once the main planning phase has ended. For example, a significant event may take place as the audit is in progress, meaning that the audit plan needs to be changed.
The nature and extent of planning activities depends on the size and complexity of the audit client, previous experience of the audit firm with the client, and any changes in circumstance that may occur during the audit.
ISA 300 contains a requirement that the auditor shall undertake the following activities at the beginning of the current audit engagement:
- Performing procedures regarding the continuance of the client relationship and the specific audit engagement.
- Evaluating compliance with relevant ethical requirements, including independence.
- Establishing an understanding of the terms of the engagement.
These requirements are also contained in and ISA 220, Quality Control for an Audit of Financial Statementsand ISA 210, Agreeing the Terms of Audit Engagements and remind us that planning is a wider activity than just obtaining understanding of the business and performing risk assessment.
Audit strategy and audit plan
ISA 300 states that audit planning activities should:
- establish the overall audit strategy for the engagement.
- develop an audit plan.
The audit strategy sets out in general terms how the audit is to be conducted and sets the scope, timing and direction of the audit. The audit strategy then guides the development of the audit plan, which contains the detailed responses to the auditor’s risk assessment. An underpinning principle of audit planning under the Clarified ISAs is that the audit plan should contain detailed responses to the specific risks identified from obtaining an understanding of the audited entity. ISA 300 requires the auditor to consider specific matters when establishing the audit strategy, and provides a list of typical matters to be considered in its appendix. These matters are discussed below.
Identify the characteristics of the engagement that define its scope
- Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the communications required.
- Consider the factors that are significant in directing the audit team’s efforts in the auditor’s professional judgment.
- Consider the results of preliminary engagement activities and knowledge gained on other engagements.
- Ascertain the nature, timing and extent of resources necessary to perform the engagement.
ISA 300 states that once the overall audit strategy has been established, an audit plan can be developed to address the various matters identified in the overall audit strategy, taking in to account the need to achieve the audit objectives through the efficient use of the auditor’s resources. The establishment of the overall audit strategy and the detailed audit plan are not necessarily discrete or sequential processes, but are closely interrelated since changes in one may result in consequential changes to the other.
Therefore it is not necessarily the case that the audit strategy is prepared and completed before the audit plan is devised, and in practice it is typical for the two to be developed together.
The audit plan is a detailed program giving instructions as to how each area of the audit will be conducted. In other words, the audit plan details the specific procedures to be carried out to implement the strategy and complete the audit.
ISA 300 provides guidance on what should be included in the audit plan, stating that the audit plan should describe:
- the nature, timing and extent of planned risk assessment procedures
- the nature, timing and extent of planned further audit procedures at the assertion level
- other planned audit procedures that are required to be carried out so that the engagement complies with ISAs.
Typically, an audit plan will include sections dealing with business understanding, risk assessment procedures, planned audit procedures i-e the responses to the risks identified and other mandatory audit procedures.
Planning an audit involves more than just obtaining business understanding and performing risk assessment. Planning is a dynamic process that may evolve during the audit, and should always respond to changes in the circumstances of the audited entity. Adherence to the requirements of ISA 300 should result in a well-focused audit, staffed by appropriate personnel, performing relevant and appropriate audit procedures.