
Audit planning, ToC, Substantive, IT Audit, Audit sampling

Audit planning
I.

College of Accountancy
IV.

Concepts

environment (Inherent risk)

a) Develop general audit strategy

* Preliminary knowledge: Acceptance

b) Detailed audit approach to conduct

and Continuance

the audit
II.

Importance

a) Nature of entity:

important audit areas


b) Identify potential problems

Understanding the Internal Control


(Control risk)

VII.

Developing overall audit strategy

2) Review of prior year working

a) How much evidence to accumulate


(extent)
b) How and when gathering of

b) Industry, regulatory and financial


reporting framework:

PAS 315: Planning procedures

1) Inquiry procedures to finance

a) Understanding of the following:

department, legal department

1) Industry, regulatory, financial

evidences should be done (nature


and timing)

Materiality
-

2) SEC quarterly reports, annual

reporting framework

influence the decision of users

c) Objectives, strategies and related

accounting policies

business risk

3) Objectives, strategies and

of financial statements
-

1) Review of BOD minutes of

related business risks

2) Review of company's mission,

entity's performance
5) Internal Control
b) Develop audit strategy through risk

deemed to be misstated
-

Smallest amount that will

vision and management reports

misstate the financial

(current goals and objectives)

statements

3) Review of significant contracts


V.

Largest amount acceptable


before the financial statements

meeting

4) Measurement and review of the

Information is material if its


omission or misstatement could

reports

2) Nature of entity, application of

3) Analytical procedure

VI.

(Detection risk)

d) Effective and efficient audit

2) Audit risk

c) Evaluating audit evidence

1) Examination of AOI

3) Research activities

of work

1) Materiality

effectively and efficiently

papers

c) Proper assignment and coordination

based approach

b) Planning and performing audit

* Detailed knowledge: Audit planning

a) Ensure appropriate attention to

III.

Understand the entity and its

Use of information obtained

a) Importance
-

a) Assessing risk and identifying


potential misstatements

Determination of the amount


evidence to accumulate

Higher materiality; lower


evidence

b) Uses of materiality
-

Prior year financial statements

Planning stage: Scope (NTE) of

(average 3 year for volatile

audit procedures

income)

Test of control: No use

Substantive: Disposal of

2) Determine tolerable

exceptions noted (Propose an

Budgeted financial statements

Complexity of transactions,
account balance

Degree of judgment
(estimates)

adjustment or Accept the

3) Perform audit procedures

misstatement)

Planning: Flux analysis

detect misstatement

Completion: Evaluate the

Substantive testing: ToD or

Control risk: Control may not

evaluation of control

uncorrected misstatements with

c) Steps to materiality

overall materiality

Audit risk

Initial control risk:


Understanding and

4) Compare aggregate amount of

misstatement)
1) Determine the overall materiality

Substantive analytics

(must be below the tolerable

Finalized control risk:


Validation of control

Detection risk: Risk that

(FS level):

a) Definitions

auditor's substantive procedures

Benchmark: Driver of business,

Audit risk: Risk that the auditor

will not anymore detect

Where management look at in

gives an inappropriate opinion;

misstatement;

making decisions

5% audit risk, 95% reasonable

Profit-oriented: Net profit


Higher chances that audit

assurance that opinion is correct

procedures will not anymore

Inherent risk: Susceptibility of an

detect misstatement,

Not for profit: expenses and

account balance or class of

(detection risk is high) thus,

costs

transactions to a material

lower substantive testing;

Cost plus entity (BPOs):

misstatement assuming that

meaning why audit more if

Cost and expenses

there were no related internal

you already knew that your

Holding company: Total

controls;

function as to non-detection

assets

Management integrity

of misstatement is at the

Aggressive attitude towards

maximum level

before tax, Revenues

Susceptibility of account to
theft

misstatement (Account balance)

uncorrected misstatements

Annualized interim financial


statements

financial reporting

Little chances that audit

b) Steps

procedures will not anymore

1) Independent expectation

detect misstatement,

2) Set desired threshold

(detection risk is low) thus,

3) Compute for the difference

governance, management and other

higher substantive testing;

4) Investigation of variance

personnel

meaning you need to audit

noted

more since you already

c) Use of analytical procedures

knew that your function as

1) Planning: Scope of audit

to non-detection of

(Nature, timing and extent

misstatement is only at the

of audit)

minimum level

2) Substantive: To detect

b) Effects of audit risk: IR, CR and

misstatement, corroborate

DR to substantive testing

Information and Related

evidences
3) Completion: Identification of

Technology)
b) Effected by those charged with

1) CWG: Oversight and integrity of


management in implementing
internal controls
2) Management: Establish internal
control
3) Staff personnel: Execution of
internal control
c) Providing reasonable assurance:

Nature

Timing

unusual fluctuations, if any

2) Override of management

Extent

and confirm conclusions

3) Routinary

reached

4) Errors (Human errors)

Analytical procedures:
Risk assessment procedure based

VIII.

Documenting audit plan

on ISA 240:

a) Audit plan (Flux analysis)

Inquiries of management

b) Audit program (Detailed audit

Analytical procedures

Observation and inspection

procedures)

5) Collusion among employees


d) Designed to help achieve entity's
objectives
1) Effectiveness and efficiencies of
operations

a) Definition

Consideration of Internal Control

I.

Analysis of plausible

1) Cost-benefit constraint

Nature of Internal Control

relationships among data that

ISA 315 Definition:

are expected to exist and

a) Process: COSO Framework

continue in the absence of

(SSAE16: Comfort memo testing),

known conditions to the contrary

CObIT (Control Objectives for

2) Compliance with laws and


regulations
3) Reliability of financial reporting



II.

Components of internal control

2) Analysis of budget versus

a) Control environment: Attitudes,

level control), Flux analysis,

actual:

Analysis of AR aging reports

awareness and actions of

Investigation of differences and

(Top 10, Bottom 10 customers)

management

formulating action plans

1) Commitment to competence
trainings and seminars
2) Active participation of CWG

2) Information processing

c) Information and communication

(Automated application controls,

system

Validity check, self-checking

1) Operating and financial

digit, Completeness

examination of BOD minutes of

reporting application system that

check/Control totals, Limit

meetings

can:

check)

3) Management philosophy and

style mission and vision of the


company, short-term objectives

through management reports


and meetings

procedures HR policies
6) Organizational structure
b) Risk assessment
1) Business risk - Risk that entity's

and external factors:


-

Technological developments

Changes in customer demand

considerations, Vaults, security

Describe on a timely basis the

cards, Kensington locks)


4) Manual application controls (3

Measure the value of

way matching, review of POs)


5) Segregation of duties (Process-

Determine the time period which

wide considerations:

transactions occurred

Authorization

Present properly the

Execution

transactions and related

Recording

disclosures in the financial

Custody

statements

e) Monitoring of controls:

2) Communication of financial

business objectives will not be


attained coming from internal

transactions

transactions

among employees
5) Personnel policies and

3) Physical controls (Process-wide

transactions

4) Integrity and ethical values


code of ethics communicated

Identify and record valid

1) Ongoing (managers and

information:
-

supervisors)

Financial reporting process and

2) Separate evaluations ( Internal

policies in cascading information


d) Control activities
1) Performance reviews (Business
process reviews Direct entity-

audit department)
III.

Phases of Controls Testing


a) Obtain understanding and perform
evaluation of internal control


1) Design effectiveness
2) Implementation and existence of

1) Objective
-

control
3) Walkthrough procedures (Test of

Operating effectiveness

Low SR: 5%, Moderate


SR: 10%, High 15%

(Validation of controls)

2) Procedures

Determine sample selection


method

one):

Inquiry

Procedures of WT

Observation

Inquiry

Inspection

Observation

Reperformance

Inspection

Random

Systematic

Haphazard
(voided/cancelled

3) Documentation of Test of Control

Uses of WT

Test objective

document replacing a

Identify potential misstatements

Results of Test of 1

sample; Missing

(Where could go wrong?: using

Extent of samples and its

documents deviation)

or probing questions, Deviation

rationale (Using attribute

questions)

sampling; occurrences)

Consider factors that affect risk

Determine the acceptable

of material misstatements

sampling risk

Design nature, timing and extent

of audit procedures

High/5% (10%)

1) Narrative
2) Flowchart

Determine the tolerable

3) Internal control questionnaire

deviation rate, net of

4) Controls diagram

expected deviation rate

c) Initial assessment of control risk


1) Based on WT results (Design
effectiveness)

Worksheet of ToC

Evaluate results
o

Determine the sample


deviation rate

Low/5% (30%),
Moderate/10% (20%),

b) Documentation of WT

Compare actual sample


deviation rate to tolerable
deviation rate
- Sample dev > Tolerable
dev: control is not operating

Maximum deviations

effectively

auditors willing to

- Sample dev < Tolerable

accept

dev:

2) Prior year results of ToCs


d) Performing test of controls

- Allowance for

2) Underlying accounting data

sampling risk, difference

(TB, Schedules, Listings)

between tolerable dev and


sample dev
- Allowance for sampling
risk > sampling risk, operating

3) Corroborating evidences

Performing Substantive Test


I.

risk < sampling risk, deviated

II.

Conclusions/Assessment of

2) BS accounts with large amounts

Prepayments
b) Test of details of balances:

minimum level

1) BS accounts with small amounts

Basis that control risk is at low

of voluminous transactions:

level (Results of PY, and

2) Control risk is at maximum level:


-

Document that control risk is at


maximum level

Cash, Receivables, Inventory


III.

Audit evidence
a) Concept:
1) Information obtained in arriving at
conclusions on which the audit opinion
is based

Competence

Materiality

Risk

Prior year audit experience

gathered evidence)

transactions: PPE, Loans, SHE,

Document that control risk is at

2) Appropriateness (reliability of

but minimal number of

1) Control risk is at minimum level:

Current year ToCs)

Test of details

1) PL accounts

e) Final assessment of control risk

of evidence)

a) Test of details of transactions

control tested

1) Sufficiency of evidence (amount

b) Analytical procedures

control
-

b) Qualities of evidence

Procedures:
a) Test of details

effectively
- Allowance for sampling

(external party documents)

Auditors obtained evidence

External party documents

Written evidence over oral


representations

IV.

Audit documentation/Working papers


a) Functions of working papers
-

Support auditor's opinion

Support auditor's representation

Assist auditor in planning,


performance, supervision and
review of the engagement



-

Planning future audit

f)

Confidentiality of working papers

2) Making an independent estimate

Provides information to other

1) Required by law

3) Subsequent events testing

services (Tax, MAS)

2) Personal right of auditor

Defense against litigation

g) Retention of working papers (5

b) Form and content: An experienced


auditor would understand:
-

NTE of audit procedures

Results of audit procedures and


types/nature of audit evidences
obtained

Significant matters

c) Required documentation:
1) Significant matters
2) Departure from basic principle
or an essential procedure
3) Nature, timing and extent of
audit
d) Classification of working papers

years)
V.

Auditing accounting estimates


a) Management's responsibility
1) Establish controls over accounting
estimates
2) Estimates are valid and considered
reasonable
b) Auditor's responsibility
1) Estimates are properly accounted
and disclosed
2) Estimates are reasonable
c) Approaches
1) Review and test process
management's procedures in

1) Permanent file

arriving at the estimates

2) Current file

e) Ownership of working papers


-

Evaluate data and management

Related parties
a) Management's responsibility
1) Identification and disclosure of
related parties
b) Auditor's responsibility
1) Obtain and review information
provided by management
regarding its related party and
its transactions
c) Procedures to identify related
parties
1) Review of prior year working
papers
2) Review of entity's procedure in
identifying related parties
3) Inquire as to affiliation of
directors

assumptions

4) Review of shareholders records


5) Review of minutes of meeting

Property of auditor, and not

Testing calculations

considered as a substitute for

Comparing prior periods

the client's records

VI.

estimates with actual results

d) Procedures to identify related party


transactions



1) Perform detailed substantive
test of transactions
2) Review of minutes of meetings

1) Valuation of precious stones
2) Actuarial computations

large and/or unusual

Methods used

requirements (such as legal

Intended use of expert's work

title)

Form and content of the expert's

b) Experts may be:

report

4) Review confirmations

1) Engaged by the entity

5) Review investment transactions

2) Engaged by the auditor

3) Assess work of the expert

e) Conditions for which related party


transactions exist:
1) Abnormal terms transactions
2) Lack of apparent logical

3) Employed by the entity

3) Quality and quantity of evidence

manner

transactions with certain

available
d) Using work of an expert
1) Assessing competence and

customers or suppliers as
compared with others
6) Unrecorded transactions
(No charge transactions)
Using work of an expert
a) Experts:

Due professional care, NTE of audit

account tested

4) Not processed in an unbiased

Considering the work of internal auditing

auditing (Competence, Objectivity,

1) Significance/ (How material)

2) Risk of misstatement

Expert's relationship to client

1) Preliminary assessment of internal

c) Determining the need for an expert

3) Substance differs from form

5) High volume or significant

VIII.

4) Employed by the auditor

business reason

VII.

Objectives and scope of


expert's work

3) Interpretation of legal

3) Review accounting records for

transactions

performed)
2) Evaluating and testing work of
internal auditor
IX.

Special audit procedures


a) Accounts receivable
1) Confirmations

objectivity

Positive

Professional certification,

Negative

experience and reputation

2) Alternative procedures

2) Evaluate the scope of expert's


work

Subsequent collections

Test of shipping documents and


sales invoice

4)

b) Observation of inventory count


-

Required unless impracticable


to do so

5)

Data recovery controls cold site;

Test data: Auditor's test data

usual operations; hot site; data

separate from client's data, valid

recovery is stored

and invalid transactions

Monitoring of controls IA

Program: Client's program


Comparison of output: Output of

b)

IT Audit
I.

Characteristics of CIS Environment


a)

Lack of visible transaction trails System


generated POs, scanned invoices, efps
documents (bank statements)

b)

Consistency of performance

c)

Ease of access to data and computer

Application controls (Automated) Controls

Test data to auditor's expected

over input, processing and output of

data

transaction

Disadvantage: Limited to certain

1)

Controls over input/processing

transactions only and does not

cover the whole year

entered twice)
-

programs (Vulnerability of data) can be


accessed and altered leaving to visible
evidence
d)

Concentration of duties recording cash


disbursements, reconciling disbursements

e)

System generated transactions interest

expense computation, depreciation

II.

Internal Control in a CIS Environment


a)

General controls Overall controls on CIS


Organizational controls Segregation
of CIS department and user
department; and Segregation of duties
within CIS environment:
Programmers/analyst different from

III.

management
3)

Access controls passwords

(required field format, username,

Test data: Auditor's test data

numbers/amounts only are

combined with client's data

required)

Program: Client's program

Self-checking digit (ATM account

Comparison of output:

numbers, Cheque numbers;

Output of test data to auditor's

detection of transpositional errors

expected output

Limit check/reasonableness check

Disadvantage: Reversal of test

(Amount limits/ date)

data within client's program

Control totals (Hash totals sum


-

Parallel simulation

sum of input documents, financial

TD: none, client's data only

totals sum of the values of

Program: Auditor's simulated

documents)

program and Client's program

a)

Auditing around the computer focusing

program to output of client's

solely on input and output of the system

program

Black box approach tracing back forth the

Disadvantage: Costly

transactions, no direct assessment of actual

documentation controls software


approved by appropriate level of

Integrated Test Facility

Comparison: Output from auditor's

System development and


development must be reviewed and

Test of controls in a CIS environment

computer operator
2)

Field check/Validity check

of control numbers; record count

environment
1)

Key verification check (data

processing of transactions
b)

Computer Aided Auditing Tools / Computer


Assisted Auditing Techniques
-

Test data:

III.

Non-sampling risk

c)

Determine sample size

Human error, application of inappropriate audit

d)

Select the sample

procedures, failure to recognize errors in the

e)

Apply the procedures

f)

Evaluate the results

samples tested and misinterpretation of evidence

Audit sampling
I.

II.

obtained

Extent of testing:

IV.

Controlling the risk

VIII.

Sampling for test of controls


a)

Determination of sample size

a)

100% testing

Sampling risk:

b)

Sampling

a)

Increasing the sample size

Importance of controls

b)

Using an appropriate sample selection

Risk of misstatements on

Risks in sampling
Sampling may not be truly

1)

Acceptable sampling risk:

method

assertions associated with the

representative of a population

Non-sampling risk:

control (control risk, planned

a)

Alpha risk (audit efficiency/disposal of

a)

Proper planning

reliance)

deviations/exceptions)

b)

Adequate direction, review and supervision of

1)

Test of controls: Risk of underreliance

Risk that samples selected would conclude

V.

that controls are not reliable; but actually

Qualitatively or quantitatively
assessed

General approaches to audit sampling


a)

Low/5% (30% of pop),

Statistical sampling; use of law of probability,

Moderate/10% (20% of pop),

deemed to be reliable

standard deviation; design an efficient

High/5% (10% pop)

2)

sample, measure sufficiency of evidence

Substantive testing: Risk of incorrect


rejection

obtained, objectively evaluate sample results

Risk that samples selected would conclude

b)

judgment: estimating sampling risks,

but actually deemed reasonable and fair

determining sample size and evaluating

Beta risk (audit effectiveness)

a)

Test of controls: Risk of overreliance

rate of deviations

to be not reliable

b)

Expected deviation rate:


-

occurrence as the population, use when


performing test of controls to estimate the

Low SR: 5%, Moderate SR: 10%,


High 15%

3)

Attribute sampling: estimate frequency of

that controls are reliable; but actually deemed

Maximum deviations auditors


willing to accept

Audit sampling plan

Risk that samples selected would conclude

2)

Tolerable deviation rate:

sample results
VI.

1)

2)

Non-statistical sampling; use of auditor's

that account balance/transaction is misstated;


balance/transaction
b)

the audit team

Depending on the pilot sample


10 - 20% of tolerable deviation
rate

b)

Sample selection method

Variable sampling; estimate numerical

1)

Random number selection

Substantive testing: Risk of incorrect

measurement/value as the population, use in

2)

Systematic selection (sampling interval)

acceptance

performing substantive tests to estimate the

3)

Haphazard selection (voided/cancelled

Risk that samples selected would conclude


that account balance/transaction is

amount of misstatements
VII.

document replacing a sample; Missing

Steps for audit sampling

reasonable and fair, but actually deemed

a)

Define audit objective

misstated

b)

Determine audit procedures

documents deviation)
c)

Evaluation of results
1)

Determine the sample deviation rate



2)


Compare sample deviation rate to

> Examine additional units

tolerable deviation rate

> Perform suitable alternative

Sample dev > Tolerable dev:

procedure

control is not operating effectively

> Request the client to adjust the

Sample dev < Tolerable dev:

account balance

Allowance for sampling risk,


difference between tolerable dev
and sample dev
Allowance for sampling risk >
sampling risk, operating effectively
Allowance for sampling risk <
sampling risk, deviated control
IX.

Sampling for substantive tests


a)

Determination of sample size


1)

Acceptable sampling risk

2)

Tolerable misstatement

3)

Expected misstatement

4)

Variation in population (high variability,


high number of samples)

b)

Sample selection ( High value items, risk


based)

c)

Evaluating the results


1)

Project misstatement:
-

Ratio: Values

Difference: Number of
transactions

2)

Compare projected misstatements to


tolerable misstatements
-

Projected misstatement <


tolerable misstatement: no
misstatement

Projected misstatement >


tolerable misstatement:
