BUS 347

Chapter 10 – Risk Response: Audit Strategy, Overall Approach, and Audit

Program

Overall Audit Strategy

We have assessed the risk – now we need to figure out how to respond to that risk,
That brings us to the next phase of the audit – Risk Response. This consists of the
overall risk response and risk response at the assertion level.

When developing the overall audit strategy, CAS300 explains that the auditor
should:

• Identify the characteristics of the engagement that define its scope.

• Determine the reporting requirements.
• Consider the factors that are significant in directing the audit team’s efforts.
• Consider the results of preliminary engagement activities.
• Determine the nature, timing, and extent of resources necessary to perform
the engagement.

Overall audit strategy—the scope, timing, and direction of the audit, which guides
the development of the audit plan. Think of it as a roadmap to the detailed audit
plan.

Audit Plan and Audit Procedures

The audit plan is more detailed, and includes nature, timing and extent of audit
procedures to be performed by the engagement team members.

Remember from Ch 5:

Nature: Which audit procedures to use (the “nature”)

Timing: When to perform the procedures (the “timing”)
Extent: Which items to select for testing (the “extent”)

The audit plan includes the following:

1. The nature, timing, and extent of the risk assessment procedures;

2. The nature, timing, and extent of further audit procedures at the
assertion level.

Note that ALL audits require procedures related to the financial statement closing
process and to assess fraud risks (such as management override).
Risk Assessment Procedures

We covered Risk Assessment procedures in Ch 7-9. As a reminder, the purpose of

performing risk assessment procedures is to:

• understand the entity and its environment as well, identify inherent risk
factors, and assess inherent risk;
• understand and evaluate the system of control and to assess control risk
at the assertion level.

Once these evaluations of inherent risk and the control system have been made,
auditors will be able to assess risk of misstatement at the overall financial statement
level and assess risk of material misstatement at the assertion level.

Further Audit Procedures

The risk of misstatement at the assertion level guides the development of further
audit procedures.

Further audit procedures (which are “further” to risk assessment procedures

performed) can be any of substantive procedures (including tests of details and
substantive analytical procedures) and/or tests of controls (when relying on
controls). This is essentially all the procedures to be performed to make up the
audit evidence required.
 Some general considerations for Planning
Procedure Description Further Audit Procedures
Tests of controls • Identify relevant internal • Tests of controls are required for highly
controls that, if tested, would automated processes that do not have an
reduce the need/scope for audit trail.
other substantive procedures. • As a general rule, the sample size for
• There is no requirement to control tests is often significantly less
test effectiveness of controls than substantive tests for a transaction
unless it is not possible to stream. Assuming that the relevant
perform substantive tests. (As controls operate consistently and control
in the case of highly automated deviations are unlikely, the use of tests of
transactions—See Chapter 9 controls can often result in less work being
for more discussion.) performed.

Substantive procedure • Includes examining the details • If the assessed risk of material
- Tests of details of a sample (or all) of the misstatement at the assertion level
underlying transactions or indicates that a significant risk exists, and
balance for an account or the planned audit response consists only
group of accounts. of substantive procedures, then the
procedures must include a test of details.

Substantive procedure • The total amount of a • In some cases, if inherent risk for a
- analytical procedures transaction stream or account particular assertion
balance can be reliably
predicted and then compared
to actual amounts

Specific procedures • Management override– • In all audits, auditors are required to

Specific procedures to address develop specific audit procedures for
the risk of management management override and risk of
override. revenue recognition fraud.
• Revenue Recognition–Auditors • Auditors cannot perform only
are required to presume that substantive analytical procedures for
the risk of revenue recognition significant risks.
fraud is high. • Matters that have a higher risk of material
• Significant risks–Specific misstatement are significant risks.
procedures to address Complexity, subjectivity, change,
“significant risks” that have uncertainty and management bias or
been identified through other fraud risk factors increase inherent
performing risk assessment risk (see Chapter 7). If controls are
procedures ineffective for those significant inherent
risks, the risk of material misstatement is
high.
Classroom Chair Example:
Assume we are asked to perform an inventory count of classroom chairs. One student from the
class is asked to key the results of the count from the count sheet into an Excel spreadsheet. A
second student is then asked to review if the entry was made accurately and signs their name
on the count sheet to confirm the review was completed and that an authorization has been
granted for the Excel spreadsheet to be merged with accounting records.
How do we design a procedure to test this control? Note the differences between a procedure
designed to test internal controls (to verify the presence of an authorizing signature) and a
substantive procedure used to test the existence (or completeness) of chair inventory.

Further Audit Procedures: Control Tests and Tests of Details

Although auditors can perform tests of controls separately from all other tests, it’s
often more efficient to perform the test of control and test of detail on the same
transaction at the same time. These are referred to as dual purpose tests.

• Dual purpose tests—auditing procedures that are both tests of

controls and substantive procedures on the same sample of
transactions or account balances for efficiency.

Appropriate Mix of Audit Procedures and Audit Approach

Some of the matters the auditor should consider when planning the appropriate mix
of audit procedures to respond to identified risks include the following:

• Overall audit strategy and approach

• Audit timetable
• Audit team discussions, including possible fraud and key audit matters if
applied
• Planned risk assessment procedures

The auditor has three choices when developing an appropriate risk response at the
assertion level:

1. Perform control tests only— Where the system is highly automated and
substantive procedures are not possible. Testing done is 100% test of
controls.
2. Combined audit approach— When the auditor plans to test the operating
effectiveness (in other words, rely upon controls) and the auditor will perform
a combination of tests of controls and substantive procedures.
 3. Substantive audit approach—In this approach, the auditor does not plan to
rely upon controls—either because the controls are ineffective or it is not
efficient to test controls. Testing done is 100% substantive procedures.

Examples of Audit Approaches:

Audit 1 - Large company, Sophisticated Internal Controls

A large company with sophisticated internal controls would justify a combined

audit approach. The auditor performs extensive tests of controls and relies heavily
on the client’s internal controls to reduce tests of details. Because controls are
effective, the auditor can perform extensive substantive analytical procedures and
perform less tests of details.

Audit 2—Medium-sized company, Some Controls

A medium-sized company with some effective controls (for which the auditor can
perform tests of controls) would justify using a combined audit approach. The
auditor has decided to do a medium amount of testing for all types of tests except
substantive analytical procedures, which will be done extensively. More extensive
testing will be done if specific inherent risk factors are discovered.

Audit 3— Medium-sized company, Few Controls

A medium-sized company with few effective controls and significant risk of

material misstatement. Management has decided that it is not cost-effective to
implement better internal controls. This results in a substantive approach: no tests
of controls are done because reliance on internal control is inappropriate when
controls are insufficient. The emphasis is on tests of details, but some substantive
analytical procedures are also done; however, limited substantive analytical
procedures are performed because it is not sufficient appropriate evidence to
identify misstatements. The cost of the audit is likely to be relatively high because
of the amount of detailed substantive testing.

Audit 4—Medium, Ineffective Controls

The original plan on this audit was to follow the approach used in Audit 2 (a
combined audit approach). However, the auditor finds extensive control test
deviations and significant misstatements using dual-purpose tests and substantive
analytical procedures. Therefore, the auditor concludes that the internal controls
are not effective and reverts to a wholly substantive approach. Extensive
substantive tests of details are performed to offset the unacceptable results of the
other tests. The costs of this audit are higher because tests of controls and dual-
purpose tests are performed but cannot be used to reduce substantive tests of
details.

It is important to note that if the situation like Audit 4 occurred in an organization

like that depicted in Audit 1 (a large organization with numerous transactions and a
high degree of automation), and the auditor concluded that controls were
ineffective, it is likely that the auditor is unable to conduct an audit. It will be almost
impossible to do a substantive audit of an organization that processes hundreds of
thousands of transactions (or more) daily.

Design Effective Further Audit Procedures

An effective risk response at the assertion level requires:

• An understanding of the assessed risks (which comes from performing risk

assessment procedures), and
• The selection of procedures that appropriately respond to those assessed
risks.

Performance Materiality and Risk Assessment

Performance materiality is used by the auditor to determine which accounts are “in
scope.” (meaning they are considered material and substantive procedures must be
performed.)

Auditors have a choice of performing tests of details or substantive analytical

procedures depending upon the nature of the account and assertion.

The inherent risk and control risk assessment highlight which classes of
transactions, balances, and disclosures are significant.

Nature of Audit Procedures

The nature of an audit procedure refers to its purpose (test of controls vs

substantive procedure) and its type (CIIROAR).

Procedures are matched to Assertions. An audit procedure is effective if the

evidence is relevant and reliable in testing the audit assertion.
 • Relevance refers to the logical connection between the evidence and the
assertion being tested.
• Reliability is the degree to which evidence can be believable or worthy of
trust. Reliability is influenced by its source, nature, and circumstances
under which it is obtained

Relative Costs

The costs of audit procedures is a practical consideration all auditors incorporate

into the development of an audit plan. Taking into consideration the costs of the
procedures also helps to understand why one audit approach may be more efficient
than another.

The following types of further audit procedures are listed in order of least costly to
most expensive:

o Substantive analytical procedures: least costly because of the

relative ease of making calculations and comparisons.
o Tests of controls: lower in cost because the auditor is making inquiries
and observations, examining such things as initials on documents and
outward indications of other control procedures, and conducting
reperformances, recalculations, and tracings.
o Tests of Details: often considerably more costly than any of the other
types of procedures because they often involve more auditor time and
effort.

Timing of Audit Tests

Audit tests can be conducted throughout the year, or, for a small audit, may be
conducted in a concentrated period of time.

For clients with highly sophisticated computerized accounting systems, auditors

often perform tests of controls and substantive tests of transactions throughout
the year to identify significant or unusual transactions and determine whether any
changes have been made to the client’s computer system. This approach is often
called continuous auditing.

When clients want to issue statements soon after the balance sheet date, however,
the more time-consuming tests of details of balances will be done at interim audit
dates prior to year-end, with additional work being done to roll forward the audited
interim date balances to year-end. (ie: For a Dec 31 YE, interim testing done in
 September will test transactions that occurred from January- August; Then in
January, Auditor will test the transactions that occurred from September –
December)

Extent of Audit Procedures

This refers to the number of items to select.

For test of controls, extent is determined by expected deviation rate, and how often
the control is performed (daily, monthly, quarterly, etc)

For substantive tests, the RMM for the particular assertion is the basis for extent of
testing (more risk = more extensive testing = more items tested)

Design Audit Programs

An audit program identifies the audit steps that are in response to the identified
risks. There will likely be a separate set of audit programs for each transaction cycle.

Example: Substantive Tests of Details of Balances Audit Program for Accounts

Receivable
Items Assertion Being Test
Tests of Details of Balances Sample size to Timing R/ A A
E C V P
select O c l
1. Obtain an aged list of receivables: Trace Trace 20 Random INT X
open items to supporting invoice detail, foot items; foot
schedule, and trace to general ledger. pages and
subtotals
2. Obtain an analysis of the allowance for All All YE X X X X X
doubtful accounts and bad-debt expense:
test accuracy, examine authorization for write-
offs, and trace to general ledger
3. Obtain direct confirmation of accounts 100 30 INT X X X X X X
receivable and perform alternative procedures largest;
for nonresponses. 70
Random
4. Review accounts receivable control N/A N/A YE X X X X X
account for the period. Investigate the nature
of, and review support for, any large or unusual
entries or any entries not arising from normal
journal sources. Also investigate any
significant increases or decreases in sales
towards year-end.
5. Review receivables for any that have been All All YE X X
assigned or discounted
6. Investigate collectability of account N/A N/A YE X
balances.
7. Review lists of balances for amounts due All All YE X X
from related parties or employees, credit
balances, and unusual items, as well as notes
receivable due after one year.
8. Determine that proper cutoff procedures 30 trx for 50% YE X
were applied at the balance sheet date to sales and before
ensure that sales, cash receipts, and credit cash receipts; YE and
memos have been recorded in the correct 10 for credit 50%
period. memos after YE
YE = Year end INT = Interim N/A= Not applicable trx = transactions