
Method for Developing Risk Based Audit Plan

Methods for Developing Risk-Based Audit Plan
TABLE OF CONTENTS
ACKNOWLEDGMENT
TABLE OF CONTENTS
LIST OF ABBREVIATIONS
LIST OF TABLES
LIST OF FIGURES
ABSTRACT
PART 1 INTRODUCTION
1.1 Background of the Research
1.2 Problem Statement
1.3 Research Objectives and Scope
1.4 Significance of the Study
1.5 Summary
PART 2 LITERATURE REVIEW
2.1 Introduction
2.2 Risk-Based Auditing
2.3 Risk-Based Auditing Approach
2.4 Risk-Based Auditing Planning
2.5 Audit Risks
2.6 Attributes of a Good Audit Planning Memorandum
2.7 Summary
PART 3 RESEARCH METHODOLOGY
3.1 Introduction
3.2 Research Methodology
3.3 The Descriptive Design
3.4 Research Instrument
3.5 Data Collection
3.5 Summary
PART 4 RESULTS BASED ON QUESTIONNAIRE
4.1 Introduction
4.2 Descriptive Results
4.3 Adoption of Risk-Based Audit Approach
4.4 Preparation of the Audit Plan/Risk-Based Audit Plan
4.5 Methods in Developing Risk-Based Audit Plan
4.6 Summary
PART 5 RESULTS BASED ON EXTENDED STUDY
5.1 Introduction
5.2 Analysis of Results
5.3 Extended Study on SAIs RBA Approach and Practices (Fully Adopted RBA)
5.4 Extended Study on SAIs RBA Approach and Practices (Combination of RBA and Other Approaches)
5.5 Summary
PART 6 CONCLUSION AND IMPLICATIONS
6.1 Conclusion
6.2 Implications
6.3 Limitations
6.4 Suggestions for Future Research
REFERENCES
Appendix A Questionnaire
Appendix B Research Team Members
ACKNOWLEDGEMENTS
It is with immense pleasure that the National Audit Department of Malaysia (NADM)
presents this 11th ASOSAI Research Project on “Methods for Developing Risk-Based Audit
Plan”. The research team led by NADM wishes to express our deep appreciation to those
who have contributed to the completion of this report.
A special acknowledgment should be awarded to the Auditor General of Malaysia and Chair
of ASOSAI, Tan Sri Dr. Madinah Mohamad, who has personally provided professional
guidance in enhancing the research report. Our gratitude goes to the NADM reviewer team, who
provided their expertise in improving the final report.
Our appreciation also goes to the SAIs which responded to the questionnaires and the three
SAIs for hosting the research meetings, namely the Board of Audit and Inspection of South
Korea, the State Audit Office of Vietnam and the State Audit Bureau of Kuwait. Thank you for your
support to the research project.
Lastly, this research project would not have been possible without the cooperative spirit and
high commitment of the Heads of participating SAIs and the research team comprising SAIs
of Bangladesh, Indonesia, Iran, Iraq, Kuwait, Malaysia, Philippines, Saudi Arabia, South
Korea, Russia and Vietnam. A great deal of time and effort has been put into producing this research
project.
It is our hope that the results of this research provide insights for the ASOSAI members to
develop ISSAI-compliant risk-based plans for the financial, performance and compliance
audits.
LIST OF ABBREVIATIONS
ACCA - Association of Chartered Certified Accountants
AF - Assurance Factors
ANAO - Australian National Audit Office
AR - Audit Risk
ASOSAI - Asian Organisation of Supreme Audit Institutions
AWP - Audit Work Plan
BPK - The Audit Board of Indonesia
CAATs - Computer Assisted Audit Techniques
COA - Commission on Audit (SAI Philippines)
COSO - The Committee of Sponsoring Organisations of the Treadway Commission
CR - Control Risk
DR - Detection Risk
FSLI - Financial Statement Line Item
GRI - Government Risk Identification
GRM - Government Risk Model
GWSPA - Government-wide and Sectoral Performance Audit
IAASB - International Auditing and Assurance Standards Board
ICT - Information and Communication Technology
IFAC - International Federation of Accountants
INTOSAI - International Organisation of Supreme Audit Institutions
IR - Inherent Risk
IRRBA - Integrated Results and Risk-based Audit
ISA - International Standards on Auditing
ISSAIs - The International Standards of Supreme Audit Institutions
OCAG - Office of the Comptroller and Auditor General (SAI Bangladesh)
PASG - Performance Audit Services Group
RAD - Risk Assessment Document
RBA - Risk-based Audit
RoMM - Risk of Material Misstatement
SAI - Supreme Audit Institution
LIST OF TABLES
TABLE 1: ISSAI PRE-PLANNING STAGE
TABLE 2: ANSWERS OF 25 SAIS ON QUESTIONS PERTAINING TO CRITERIA
TABLE 3: SELECTED SAIS FOR EXTENDED STUDY
TABLE 4: DESCRIPTIVE DETAILS OF RESPONDENTS (PERCENTAGE IN PARENTHESES)
TABLE 5: AUDIT APPROACHES ADOPTED BY SAIS
TABLE 6: PROCESS OF PREPARING A RISK-BASED AUDIT PLAN
TABLE 7: CONTENTS OF PLANNING MEMORANDUM
TABLE 8: BENEFITS IN PREPARING A RISK-BASED AUDIT PLAN
TABLE 9: TEMPLATES USED IN UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
TABLE 10: RISK ASSESSMENT TEMPLATE
TABLE 11: OTHER STEPS IN THE FINANCIAL AUDIT PLANNING STAGE
TABLE 12: OTHER STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN
TABLE 13: INFORMATION INCLUDED IN THE PERFORMANCE AUDIT PLAN
TABLE 14: STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN AS PER ISSAI 4100
TABLE 15: OTHER STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN
TABLE 16: ALTERNATIVE METHODS IN UNDERSTANDING INTERNAL CONTROL SYSTEM
TABLE 17: COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK CONSIDERED BY SAIS
TABLE 18: RISK ASSESSMENT IN THE PREPARATION OF AUDIT PLAN
TABLE 19: AUDIT APPROACHES
TABLE 20: RBA PLAN
TABLE 21: METHODS IN DEVELOPING RBA PLAN: FINANCIAL AUDIT
TABLE 22: METHODS IN DEVELOPING RBA PLAN: PERFORMANCE AUDIT
TABLE 23: METHODS IN DEVELOPING RBA PLAN: COMPLIANCE AUDIT
TABLE 24: RATIONALE FOR CONDUCTING THE AUDIT
LIST OF FIGURES
FIGURE 1: DATA COLLECTION FOR DESCRIBING METHODS USED BY THE ASOSAI MEMBERS IN DEVELOPING RISK-BASED AUDIT PLAN
FIGURE 2: SAI THAT SUBMITTED SURVEY QUESTIONNAIRE
FIGURE 3: DATA COLLECTION FOR DESCRIBING METHODS USED BY THE ASOSAI MEMBERS IN DEVELOPING RISK-BASED AUDIT PLAN
FIGURE 4: PREPARATION OF AUDIT PLANS
FIGURE 5: SAIS HAVING STRUCTURED GUIDELINES IN PREPARING RISK-BASED AUDIT PLAN
FIGURE 6: SAIS USING RISK ANALYSIS IN THE PREPARATION OF THE AUDIT PLAN
FIGURE 7: SAIs PREPARING APM FOR FINANCIAL, COMPLIANCE AND PERFORMANCE AUDITS
FIGURE 8: SAIS WHICH INCLUDE ISSAI-REQUIRED DESCRIPTIONS OF PROCEDURES IN THE AUDIT PLAN FOR FINANCIAL AUDIT
FIGURE 9: SAIS WHICH PERFORM THE STEPS IN DEVELOPING AN AUDIT PLAN FOR FINANCIAL AUDIT
FIGURE 10: STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN AS PER ISSAI
FIGURE 11: INFORMATION INCLUDED IN THE COMPLIANCE AUDIT PLAN
FIGURE 12: SAIS DETERMINING MATERIALITY IN PLANNING AND PERFORMING THE AUDIT
FIGURE 13: ADOPTION OF COSO FRAMEWORK
FIGURE 14: PROCESS DOCUMENTATION/WALKTHROUGH FOR THE BUSINESS PROCESS OR ACCOUNTING PROCESS
FIGURE 15: TEMPLATE ON ASSESSING RISKS AND INPUT TO THE BRIDGE
FIGURE 16: THE BRIDGE PROCESS
FIGURE 17: KEY STEPS IN START-UP PHRASE
FIGURE 18: PERFORMANCE AUDIT PLANNING PROCESS
FIGURE 19: IRRBA FRAMEWORK
ABSTRACT
The research study sets out to examine the methods used in developing the risk-based audit
plans and to identify the practices in developing financial, performance and compliance audit
plans in compliance with ISSAIs. A descriptive design is utilised to obtain information about
the methods and practices on risk-based audit plan. The respondents were the 48 ASOSAI
member countries.
A semi-structured survey questionnaire comprising open- and closed-ended questions is
used to gain a broad and in-depth understanding of the risk-based audit
implemented by the ASOSAI members. Specific criteria for the respondents are given to
ensure the respondents provide complete and accurate information. The survey results are
analysed and based on the analysis, 11 SAIs (Australia, Bangladesh, Cyprus, India,
Indonesia, Iraq, Jordan, Malaysia, Nepal, Philippines and Singapore) are selected for
extended study based on the determined criteria.
The research study found that all respondent SAIs conduct financial audit, while compliance
and performance audits are not performed by every SAI. Aside from the three main audit
types, SAIs conducted other audits which have similarities with the three audits, particularly
in the cases of SAIs Australia, Bangladesh, China and Japan. The primary reason for the
differences in audits being conducted is the legal framework, mandate and authority of the
SAI.
It is revealed that not all SAIs adopted the risk-based approach, either fully or partially, in
planning the audit. Other approaches are also used, such as system-based, results-oriented,
problem-based, transaction-based, fundamental and topic-based audit. This suggests the diversity in
the audit methodologies adopted by the ASOSAI members. In spite of that, the majority of the
SAIs recognised the benefits of preparing the risk-based audit plan.
On the preparation of the audit plan, the findings revealed that most of them prepared
separate audit plans for the financial, performance and compliance audits. The preparation
of the procedures/steps/content requirements of financial, performance and compliance
audit plans is in accordance with ISSAI 1300 – Planning an Audit of Financial Statements,
ISSAI 3000 – Standard for Performance Auditing and ISSAI 4000 – Compliance Auditing Standard.
Compliance to ISSAIs is highest in the financial audit, followed by performance and
compliance audits.
A significant number of SAIs do not use a guide or are not required to do so due to organisational or
legislative reasons. Structured guidelines will provide guidance on the methods/procedures
in developing the plans. Even though there are SAIs which do not adopt the risk-based
approach, the majority of them conducted risk analysis in planning the audit. This implies that
SAIs are aware of the importance of risk analysis to help them to achieve maximum value for
their auditing efforts.
The research study found that the majority of SAIs determine materiality in the audit planning
and performance. Although not all the SAIs adopt the COSO framework formally, they
considered the components of the COSO Framework in understanding or assessing the
entity’s internal control. On risk assessment, most of the SAIs considered the control and
inherent risks compared to the detection risks.
Based on the extended study, only 4 SAIs – Australia, Malaysia, Nepal and Philippines – fully
adopt the risk-based audit. The practices carried out by SAI Australia and Nepal for
developing the financial and compliance audit plan, SAI Australia for the performance audit
plan and SAI Indonesia for the compliance audit plan can be used as a reference for the
ASOSAI members.
PART 1
INTRODUCTION
1.1 Research Project Background
The ASOSAI Research Project is conducted in accordance with Article II of the Asian
Organization of Supreme Audit Institutions (ASOSAI) Charter and Rule 2, Section 2.2 of the
ASOSAI Rules and Regulations. The objective of the research is to encourage and facilitate
the sharing of knowledge and experiences among the member SAIs to enhance their audit
capacities. The 11th Asian Organisation of Supreme Audit Institutions (ASOSAI) Research
Project on “Methods for Developing Risk-Based Audit Plan” was approved in the 49th
Governing Board Meeting held in Kuala Lumpur, Malaysia in February 2015.
A total of 11 SAIs participated in the research project led by the National Audit Department
of Malaysia. The SAIs are Bangladesh, Indonesia, Iran, Iraq, Korea, Kuwait, Malaysia,
Philippines, Russia, Saudi Arabia and Vietnam. The
research team members met five times over the period of November 2015 to July 2018 to
discuss and monitor the progress of the research project.
No. | Activity | Date and Venue
1. | 1st Research Meeting (Presentation of country papers and discussion of research project framework) | November 16-18, 2015, Malaysia
2. | 2nd Research Meeting (Finalizing Part 1 and outline of questionnaire) | May 2-4, 2016, South Korea
3. | 3rd Research Meeting (Discussions on Part 2 and Part 3) | November 22-24, 2016, Vietnam
4. | 4th Research Meeting (Discussion on Part 4) | April 24-26, 2017, Kuwait
5. | 5th Research Meeting (Discussion on the overall research project) | July 10-11, 2018, Malaysia
During the first meeting, the research team discussed the milestones and outline of the
project and assigned the team members to 4 groups, each of which prepared
its respective part of the research report. During the second meeting, the research team
discussed the methodology and empirical studies relating to the research topic and
developed a set of questionnaires which were sent to all ASOSAI member SAIs.
The respective groups presented the analysis of the 25 completed questionnaires in the third
meeting. During the fourth meeting, the research team discussed the findings of 8 selected
SAIs based on the documents submitted by them. The final meeting discussed the overall
research project report in terms of the facts, data and appropriateness of the discussions.
1.2 Problem Statement
SAIs adopt different audit methods/approaches, but the survey distributed by
the ASOSAI Secretariat showed that the majority of the ASOSAI members were interested
in gaining and sharing knowledge from the experienced SAIs in risk-based audit planning.
This was the main reason why the topic of Methods for Developing Risk-based Audit
Plans was selected.
1.3 Research Objectives and Scope
The objectives of the research are as follows:
1. To describe the methods used by the ASOSAI member countries in developing
risk-based audit plan;
2. To identify the practices carried out in developing the risk-based audit plan for
financial, performance and compliance audits in compliance with ISSAIs.
This research focuses on the planning stage of the audit to determine the methods in
developing the risk-based audit plans for the financial, performance and compliance audits
that correspond with international auditing standards set by INTOSAI and IAASB. The target
respondents are all 48 ASOSAI member countries.
1.4 Significance of the study
Risk is defined as the threat that an event, action or inaction will adversely affect the
agency/entity’s ability to successfully achieve its mandate and objectives and execute its strategies.
Perception of risks varies from one SAI to another as it depends on several factors that
influence the risk, including economic interests, public perception and cultural values. In
compliance, performance and financial audits that involve audit risk
planning and analysis, there are a variety of methods to identify and evaluate risks; different
SAIs may have different approaches and judgments based on their own perceptions and social
agenda. For this reason, this paper was designed to develop a better understanding of
the risk-based audit plan for financial, performance and compliance audits as well as to
assist auditors to prepare a Risk-Based Audit Plan according to ISSAIs to ensure that the audit
is conducted in an effective and efficient manner.
1.5 Summary
This part has outlined and described the background of this research, its objectives and the
significance of this study. This research is undertaken to examine the implementation of
risk-based audit in preparing audit plans for financial, compliance and performance audits.
PART 2
LITERATURE REVIEW
2.1 Introduction
This chapter discusses the literature related to risk-based auditing (RBA). Reading
empirical research on RBA is necessary to gain a deep understanding of this matter and to
identify the gap in this area. Reading empirical research also enables us to identify
the framework to be reviewed and the expected results to be obtained.
Literature reviews typically appear as detailed independent works or as brief introductions to
reports of new primary data. When a literature review appears independent of new data, it
can serve many different purposes (Cooper 1998). It can have numerous different focuses,
goals, perspectives, coverage strategies, organisations, and audiences (Cooper, 1988). For
instance, literature reviews can focus on research outcomes, research methods, theories,
applications, or all these. Literature reviews can attempt to integrate what others have done
and said, to criticize previous scholarly works, to build bridges between related topic areas,
to identify the central issues in a field, or all these. Literature reviews combining two specific
sets of focuses and goals appear most frequently in the scientific literature. The first type of
literature review has been alternately called a research synthesis, integrative research
review, or research review. The second kind of literature review is a theoretical review. Here,
the reviewer hopes to present the theories offered to explain a particular phenomenon and to
compare them in breadth, internal consistency, and the nature of their predictions (Cooper
1998).
2.2 Risk Based Auditing
Risk is a complex, multidimensional phenomenon. According to Yates (2002), in an action-taking
setting, risk is the potential for negative consequences to occur as a result of the
action taken. The dimensions of risk include i) multiple causes of potential negative
consequences, ii) multiple types of negative consequences, iii) the significance of each type
of negative consequence, iv) multiple stakeholders who might suffer different types of
negative consequences at varying significance levels, and v) a distribution of probabilities
associated with each combination of the preceding dimensions. To select an audit that will
add value, it is appropriate to identify risk. Risk in the audit context is the chance of poor
performance by an organization, or the possibility of error and wrongdoing.
Risk-based auditing allows an organisation to understand the current risks and assess the
effectiveness of existing controls. Additionally, it allows management to target resources to
specific operations. As sites and corporations continue to reduce injury incidents and rates, a
risk-based audit approach guides resource allocation. The basic premise of risk-based
auditing is that auditors should devote more resources to accounts that are likely to be
misstated and fewer resources to those that are less likely to be misstated (Bell et al. 2005;
Rittenberg and Schwieger 2005; Knechel 2007). This approach is expected to lead to more
effective and efficient audits (Bell et al. 2005; Public Company Accounting Oversight Board
[PCAOB] 2007). However, if auditors do not accurately assess misstatement risk at the
account level, audit resources will be misallocated, resulting in undetected misstatements
(Kinney 2005; O'Donnell and Schultz 2005). Auditors could wrongly assess misstatement
risk by focusing on observable non-strategic risk factors that indicate certain accounts are
more likely than others to be misstated and by failing to appreciate the attendant implications
for unobservable strategic risks that arise when financial reporting managers anticipate that
auditors will allocate resources based on those non-strategic risk factors (Fellingham and
Newman 1985). By fixating on non-strategic risk factors and by allocating resources
accordingly, auditors could actually create opportunities for fraud among the ostensibly low-risk accounts.
Auditors literally start the audit process by equipping themselves with knowledge of the
nature of the business of the entity and its business environment. Auditors arm themselves
with sufficient information about a business and its environment so as to assess risks
associated with the business. Salehi and Khatiri (2011) have explored the factors hindering
the performance of risk-based auditing, including the lack of timely preparation of financial
statements by auditors, lack of sufficient standards, lack of statistical methods used by
auditors and lack of necessary auditing training. From the perspective of internal audit, the
allocation of limited resources in the most effective way requires an assessment of risk
across all the auditable areas. In this regard, the objective of risk-based planning is to
ensure that the auditor examines subjects of highest risk to the achievement of the
organization’s objectives. The internal audit activity may gather the information to support
this assessment during multiple engagements. The results of these engagements, when
viewed together, provide an understanding of the organization’s risk management processes
and their effectiveness. Risk management processes are monitored through ongoing
management activities, separate evaluations, or both.
2.3 Risk Based Auditing Approach
Given the nature of the audit process, every audit assignment presents a different challenge,
with no two audit assignments being the same. For example, no two entities are the same in
terms of business sector, location, size, employees, governance issues, ethos, and
complexity of operations. There is no one single approach to auditing which ensures the
performance of a perfect audit. However, it is generally accepted that for most entities of
size, the risk-based audit approach will minimise the possibility of audit objectives not being
met. Consequently, ISA 315, Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment, compels auditors to adopt a
risk-based approach to audits. In so doing, it requires auditors to make risk assessments of
material misstatements at the financial statement and assertion levels, based on an
appropriate understanding of the entity and its environment, including internal controls.
Auditors should be familiar with assertions made by management, as described in ISA 500
(Audit Evidence). As the auditor is required to focus on the entity and its environment when
making risk assessments, this is known as the ‘top down’ approach to identifying risks, and
auditors should become familiar with this term. The word ‘top’ refers to the day-to-day
operations of the entity and the environment in which it operates; ‘down’ refers to the
financial statements of the entity. In summary, this approach requires auditors to identify the
key day-to-day risks faced by a business, to consider the impact these risks could have on
the financial statements, and then to plan their audit procedures accordingly. For this reason,
the approach is often referred to as the ‘business risk approach’. When adopting this
approach, in order to facilitate the identification of risks and the assessment of their effect on
the financial statements, risks are categorised as: financial risks – such as cash flow risks;
compliance risks – such as breaching of laws and regulations risk; and operational risks –
such as loss of key employee risk and loss of data risk (Brian Pine, 2008). The ultimate
objective of adopting the business risk approach is to reduce audit risk – the risk that the
auditor will give an inappropriate opinion on the financial statements. Hence, auditors should
understand how business risk is linked to audit risk and how the business risk
approach is integral to the use of the audit risk model when planning audit work.
The importance of the adoption of risk-based audit approach has received great emphasis in
the realm of public sector auditing. It is further emphasised in the International Standards of
Supreme Audit Institutions (ISSAI), which state the following points:
• The auditor shall design and implement overall responses to address the
assessed risks of material misstatement at the financial statement level (ISSAI
1330);
• The auditor shall actively manage audit risk to avoid the development of
incorrect or incomplete audit finding, conclusion, and recommendation or failing
to add value (ISSAI 3000); and
• The auditor shall perform procedures to reduce the risk of producing incorrect
conclusion to an acceptable low level (ISSAI 4000).
A risk-based audit approach allows SAIs to understand current risks and assess the
effectiveness of existing controls. Additionally, it allows management to target resources to
specific operations. As sites and corporations continue to reduce injury incidents and rates, a
risk-based audit approach guides resource allocation. The aim of the risk assessment
auditing standards is to improve the quality and effectiveness of audit by substantially
changing audit practices. Statements on Auditing Standard provide increased rigor to the
audit process in a number of key areas including the assessments of inherent and control
risks and the linking of these risk assessments to further audit procedures (Ramos, 2009).
The risk assessment standards prohibited the auditor from “defaulting to the maximum”
control risk. On all audits the auditor should evaluate the design and implementation of
internal control to properly identify and assess risk. Implementing and applying this standard
in practice has proven to be a challenge for many firms, which have difficulty linking their
internal control work to the substantive procedures and other aspects of the engagement,
finding sufficient benefit to justify the increased audit costs that result from the stricter
standard and determining how to evaluate the effectiveness of the internal control design.
Bowlin (2011) studied the risk-based audit approach and found that there are
potential pitfalls in risk-based auditing if auditors do not accurately assess misstatement risk
at the account level, and this will result in misallocation of audit resources.
ISSAI 1330 [1] (2007) focuses on the auditor’s responses to assessed risks and includes a
practice note providing additional guidance for public sector auditors related to audit
procedures responsive to the assessed risks of material misstatement at the assertion level.
ISSAI 1330 also addresses the importance of evaluating the sufficiency and appropriateness
of audit evidence as well as specific considerations for public sector auditors with a judicial
role. This ISSAI derives from ISA 330, which deals with the auditor's responsibility to design
and implement responses to the risks of material misstatement identified and assessed by
the auditor in accordance with ISA 315 (Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and its Environment) in an audit of financial
statements.
ISSAI 3000 [2] (2003) is a guideline for performance auditing based on INTOSAI's Auditing
Standards and practical experience. These guidelines aim to assist SAI’s performance
auditors in managing and conducting performance audits efficiently and effectively as well as
to provide a basis for good performance audit practices and establish a framework for the
further development of performance audit methodology and professional development. The
guidelines take into account relevant INTOSAI auditing standards based on generally
accepted principles of performance auditing, distilled from the experience of INTOSAI
members. Standardisation in performance auditing is mostly a question of what to do, rather
than how to do it. The guidelines consist of five main parts:
a. Part 1 sets out the general framework for performance auditing;
b. Part 2 defines application of auditing principles to performance auditing which
refers to government’s auditing principles applied to performance auditing;
c. Part 3 provides standards and guidance for planning performance audits;
d. Part 4 provides standards and guidance for conducting performance audits;
and
e. Part 5 provides standards and guidance for presenting the audit results
specifically on reporting standards and guidance.
[1] ISSAI 1330 – The Auditor's Responses to Assessed Risks
[2] ISSAI 3000 – Standards and guidelines for performance auditing based on INTOSAI's Auditing
Standards and practical experience
The appendices contain further information on how to plan and conduct performance audits.
They also include information on performance auditing in relation to information technology
(IT), and on conducting performance audits with an environmental perspective. A framework
of system-oriented approaches in performance auditing is also presented.
The updated version of ISSAI 3000 (2016) on Standard for Performance Auditing and ISSAI
3200 Guidelines for the Performance Auditing Process refers to the following:
(i) Understanding the audit topic and identifying problems in the area. As part of
the planning process, there is a need to develop a sound understanding of the
subject matter and of the risks and challenges in the area (ISSAI 3200.21).
(ii) Selecting a focus for the audit or the “audit problem”. ISSAI 3200.35 states
that the audit objectives, audit questions and scope are interrelated and need to be
considered together.
(iii) Designing and planning the audit engagement. The 2003 ISSAI 3000,
Standards and guidelines for performance auditing based on INTOSAI’s Auditing
Standards and practical experience, discusses the methodological planning and
administrative planning as follows:
• Methodological planning - Performance audit can draw upon a large variety of
data-gathering and analysis techniques, with due consideration on the validity
and reliability of methods to be used.
• Administrative planning - It involves the selection of the audit team and team
leader and the development of an activity plan including the time table and
resources needed.
ISSAI 4000 [3] (2010) is a general introduction to the compliance audit guidelines and is intended to
assist SAIs in applying the INTOSAI Auditing Standards, particularly in their work on
reporting on compliance. These compliance audit guidelines are written from two main
perspectives: ISSAI 4100, which deals with compliance audit performed separately
from the audit of financial statements, for example as a separate audit task or related to
performance audit, and ISSAI 4200, which deals with compliance audit related to the audit of
financial statements. The two ISSAIs are written as consistent, stand-alone documents.
IIA 2100 on Nature of Work requires that the internal audit activity must evaluate and
contribute to the improvement of the organization’s governance, risk management, and
control processes using a systematic, disciplined, and risk-based approach. Internal audit
credibility and value are enhanced when auditors are proactive and their evaluations offer
new insights and consider future impact.
[3] ISSAI 4000 – Compliance Audit Guidelines – General Introduction
2.4 Risk Based Auditing Planning
Pickett (2003) defines planning as a response to demands and new challenges posed for
audit, and as a means of expectation and focusing resources to achieve effective results.
Pickett (2003) also provided three alternative approaches in planning:
a. The traditional planning-cyclical audit model, which involves looking at everything
on a cyclical basis over three years and evaluating it. In the absence of a risk register,
the auditor should identify a list of risks the client is facing. Other factors such as
impact on reputation, materiality, and state of controls are used to assess the risk
universe and prioritize the risky areas;
b. An advanced approach is the emphasis on the corporate governance framework.
Audit resources are focused on board managements and accountability, control
framework in use, communication across the organization and the role and
impact of audit committee; and
c. Risk-based audit planning which is ‘an approach to audit work that focuses on
strategic, regulatory, financial and business risk that confront the organization
and which uses these risks to steer the audit process in a way that maximizes the
impact of audit assurance and consulting work’.
Risk based audit planning emphasises the importance and the impact that an effective audit
strategy and audit plan have for the achievement of the goals, objectives and the mission of the
internal audit unit. Planning provides for a systematic approach to audit work and requires
knowledge covering a wide range of issues in public management, including risk
assessment and internal control. Another reference provided that risk-based audit planning
is an approach that focuses on analysing risk and developing an audit program that is suitable
for the risks that have been identified (Arun District Council, 2009). During the planning stage, the
auditor gains an understanding of the client, the client’s internal controls, the client’s
information technology (IT) environment, the client’s corporate governance environment and
the client’s closing procedures.
The process of understanding the client involves
consideration of issues at the entity level, the industry level, and the broader economic level.
The auditor will also assess the likelihood that their client’s financial statements are
misstated due to limitations in its IT system. Governance structures are used to assess the
level of risk faced and to design controls to reduce identified risks. Lastly, there is also a risk
that the client’s closing procedures are inadequate (Moroney, Campbell, Hamilton & Warren
2015).
Furthermore, Moroney et al. (2015) also explained that the auditor will identify any related
parties, factors that may affect their client’s going concern status, and significant accounts
and classes of transactions that will require close audit attention to gauge the risk of material
misstatement. Related party transactions require some specific consideration throughout
the audit and specific procedures should be performed and documented. The auditor also
assesses fraud risk and performs procedures to support the assessment. The auditor will
also consider the appropriateness of the going concern assumption during the planning
stage and then throughout the audit.
Pickett (2006) has also discussed the importance of audit planning and the
risk of expressing an inappropriate opinion due to the following, which may be addressed
through effective audit planning:
• Performing the wrong audit;
• Employing the wrong audit approach;
• Using the wrong staff;
• Breaching professional standards;
• Performing work at the wrong time; and
• Issuing the wrong reports and delivering the wrong underlying assurances.
In the context of internal audit, it is discussed that the allocation of limited resources in the
most effective way requires an assessment of risk across all the auditable areas (Internal
Audit Community of Practice (IA COP), 2014). In this regard, the objective of risk-based
planning is to ensure that the auditor examines subjects of highest risk to the achievement of
the organization’s objectives. Also in this material, some examples were provided for the
concepts discussed such as the common risk factors used by internal audit units. Certain
illustrations of activities were also provided, such as scoring impact criteria, scoring risk
factors and weighing risk factors. Nonetheless, it is worth emphasising that such reference
pertains only to internal audit.
A study done by Laudato (2016), which focuses on audit firms, has found that certain
provisions of International Standards in Auditing (ISAs) pertaining to risk-based audit
planning, particularly in the identification and assessment of risks, responses to assessed
risks, and materiality. An example was provided on how to prepare the corresponding audit
strategy memorandum based on the discussions.
Jakovac, Domokos, & Nemeth (2016) state that SAI planning is a complex, multi-phase
process which forms a hierarchic system from strategic planning through resource plans and
the creation of operative audit plans all the way to feedback. The key steps of planning are
the following:
a. Strategic planning sets out the key tasks of the institution as well as its ethical
requirements, values, priorities, and the directions and main objectives of the
given period. Strategic planning defines audit topics and audit criteria. The
objectives of selection criteria vary depending on what type of audit they serve as
basis for.
b. Annual planning lists and presents the audits to be carried out in the given period.
It is prepared in harmony with the audit priorities set out in the strategy as well as
with macro and risk analyses and the requirements stipulated by legal
regulations, while also taking into account “anticipated demand” for audit reports.
The objective is to select the areas, programs and organizations to be audited in
the coming period, and to determine the order of audits depending on capacity.
c. Audit planning comprises the formulation of the specific audit strategy and the
preparation of the audit plan. It is in this phase that the objectives, scope,
method and criteria of the given audit must be formulated in detail, where audit
questions must be drafted and the sample to be audited is to be defined and
where the documents supporting the audit must be prepared.
Furthermore, Jakovac et al. (2016) also explained that the INTOSAI standards require
that the foundation of the planning work processes of supreme audit institutions be laid
down by risk analyses. Normally, the state audit office conducts risk analysis during:
a. The selection of audit priorities and areas. The goal of risk analysis depends on
the audit directions set out in the aforementioned SAI strategy.
b. The analysis of the controls and measures of the audited entities. The state audit
office seeks to identify the organizational processes where significant residual
risk threatens the accomplishment of organizational goals.
c. The definition of the issues and scope of the audit. Risk analysis supports the
establishment of audit procedures, including sampling and the planning of control
tests.
The International Standards of Supreme Audit Institutions (ISSAIs) 1300⁴, 4000⁵ and 3000⁶
require the development of audit plans for financial, performance and compliance audits,
respectively. ISSAI 1300, Planning an Audit of Financial Statements, requires the auditors to
develop an audit plan in order to perform the audit in an effective manner that includes a
description of:
i. Nature, timing and extent of planned risk assessment procedures (as required by
ISSAI 1315, Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and Its Environment);
ii. Nature, timing and extent of planned further (substantive) audit procedures at the
assertion level (as required by ISSAI 1330, The Auditor’s Responses to
Assessed Risks); and
iii. Other planned audit procedures that are required to be carried out in compliance
with other ISSAIs.
⁴ ISSAI 1300, Planning an Audit of Financial Statements
⁵ ISSAI 4000, Compliance Audit Standard
⁶ ISSAI 3000, Standard for Performance Auditing
Proper planning helps in the timely commissioning of the team members, facilitates
the guidance of the members and the supervision of their work, and, where applicable,
helps in coordinating work between auditors and experts.
A general auditing guideline on planning an audit of financial statements is specified in
ISSAI 1300 (2007). This standard supports and explains ISSAI 1300 with respect to the
public sector. This guideline deals with the auditor's responsibility to plan an audit of financial
statements in the context of recurring audits.
ISSAI has also issued guidelines for the pre-planning stage. The pre-planning stage consists
of two main activities governed by a set of standards as shown in the following table:
TABLE 1
ISSAI PRE-PLANNING STAGE
PRE-PLANNING ACTIVITIES
• Adhere to codes of ethical behaviour and core audit principles
• Efficiency of audit team
AUDIT STANDARDS
• Code of ethical conduct of the International Federation of Accountants (IFAC)
• Code of ethical conduct INTOSAI
• ISSAI 100, 200, 300, 400
• ISSAI 3000
• ISA 220
• ISSAI 1220
• ISA 210
Source: SAI Iraq’s Country Paper
According to the draft quality assurance manual, the actual planning phase consists of the
following activities, which are governed by a set of standards:
PLANNING ACTIVITIES | AUDIT STANDARDS
Understanding of the entity subject to audit and its environment | ISA 315
Set a goal and scope of the audit task | ISA 200
Identify materiality | ISA 320
Identify and assess the risks of substantial misstatement | ISA 330; ISSAI 1315; ISSAI 1330
Prepare a detailed audit plan | ISA 315; ISA 300; ISSAI 1330
Design audit procedures for risks that have been evaluated | ISA 300; ISSAI 1330
Source: SAI Iraq’s Country Paper
On the other hand, the evaluation of internal audit system also has a key position in the
planning stage, according to the criterion of INTOSAI 9100.
ISSAIs 3000 and 3200 state that the SAIs are also expected to include the following
information in their audit plan for performance audit:
i. Background knowledge and information needed to understand the entity to be
audited;
ii. Initial assessment of the problem risk, possible sources of evidence, auditability
and the materiality or significance of the area considered for audit;
iii. Audit objective, questions or hypothesis, criteria, scope and period to be covered
by the audit;
iv. Methodology, including techniques to be used for gathering evidence and
conducting the audit analysis;
v. Overall activity plan which includes staffing requirements (i.e. sufficient
competencies, human resources, and possible external expertise required for the
audit); and
vi. Estimated cost of the audit, key project timeframes, milestones and the main
control points of the audit.
ISSAI 4100 on Compliance Audit Guidelines—For Audits Performed Separately from the
Audit of Financial Statements lists the following as the process for the audit work:
i. Determine the subject matter, criteria and scope of compliance audit;
ii. Understand the entity;
iii. Understand the control environment and internal control system;
iv. Risk assessment of the subject matter/audited entity;
v. Consideration of risks of fraud;
vi. Determine reliance on internal controls; and
vii. Link identified risks to audit strategy (audit procedures).
In line with the requirements pertaining to compliance audit, SAIs are also expected to
include in their audit plan for compliance audit the following information:
i. Description of identified criteria related to the scope and characteristics of the
compliance audit and to the legal, regulatory or appropriations framework;
ii. Description of the nature, timing and extent of risk assessment procedures
sufficient to assess the risks of non-compliance, related to the various audit
criteria; and
iii. Description of the nature, timing and extent of planned audit procedures related
to the various compliance audit criteria and risk assessments.
The research results show that the common actual process in preparing the plan among
the SAIs that participated in the survey covers the following steps:
a. Understanding the Entity and Its Business Process (including previous audit
reports);
b. Conducting Initial Analytical Procedures;
c. Understanding the Internal Control System;
d. Initial Risk Identification and Risk Analysis
e. Risk Assessment: IR, CR, DR
f. Determining the Audit Materiality, Criteria
g. Preparing Audit Plan Memorandum
Those procedures are in line with ISSAI 1300 (Planning an Audit of Financial Statements),
ISSAI 1315 (Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment), and ISSAI 1320 (Materiality in Planning
and Performing an Audit).
Similar to ISSAI 1300, the research also shows that the auditor shall include in the audit
documentation: (a) The overall audit strategy; (b) The audit plan; and (c) Any significant
changes made during the audit engagement to the overall audit strategy or the audit
plan, and the reasons for such changes. The documentation of the overall audit strategy
is a record of the key decisions considered necessary to properly plan the audit and to
communicate significant matters to the engagement team. For example, the auditor may
summarize the overall audit strategy in the form of a memorandum that contains key
decisions regarding the overall scope, timing and conduct of the audit. A planning
memorandum is one form of this kind of documentation.
The common approach in preparing the planning memorandum includes the following
information:
a. Basic information of the entity (including related parties and significant events);
b. Audit objective and scope;
c. Audit methodology (including understanding the internal control system, risk
assessment, materiality, and sampling);
d. Audit resources (team, budget, timeline/timeframe);
e. Targeted area (significant risks); and
f. Audit Program.
2.5 Audit Risks
The ISSAIs identify three risks—inherent risk, control risk and detection risk. ISSAI 1003,
Glossary of Terms to INTOSAI Financial Audit Guidelines, defines the said risks as follows:
• Inherent risk is the susceptibility of an assertion about a class of transaction,
account balance or disclosure to a misstatement that could be material, either
individually or when aggregated with other misstatements, before consideration
of any related controls.
• Control risk is defined as the risk that a misstatement could occur in an
assertion about a class of transaction, account balance or disclosure, and that
could be material, either individually or when aggregated with other
misstatements, will not be prevented or detected and corrected, on a timely basis
by the entity’s internal control.
• Detection risk is the risk that the procedures performed by the auditor will not
detect a misstatement that exists and that could be material, either individually or
when aggregated with other misstatements.
ISSAI 1330 on Auditor’s Response to Assessed Risks, requires the auditor to design and
perform further audit procedures whose nature, timing and extent are based on and are
responsive to the assessed risks of material misstatement (a function of inherent and control
risks) at the assertion level.
The risk of material misstatement (inherent and control risks) and detection risk constitute
the concept of audit risk, or the risk that the auditor will express an inappropriate conclusion
if the subject matter information is materially misstated. ISSAI 200 Fundamental Principles of
Financial Auditing, requires the auditor to reduce audit risk to an acceptably low level in the
circumstances of the audit.
All the information on the evaluation of audit risk or the auditor’s assessment of risks, taking
into account their opinion of the control environment together with the controls in place for
each of the areas being reviewed should be discussed in the Audit Planning Memorandum.
2.6 Attributes of a good Audit Planning Memorandum
An Audit Planning Memorandum (APM) is prepared to set out the objectives of the audit and to spell
out how the auditor aims to achieve these objectives. It is also a tool to monitor the progress
of the audit and promotes high quality and professional audit work. Normally, the APM will be
prepared during the planning stage. The purposes of the audit plan are, first, to contribute to
the effectiveness of the audit and, second, to contribute to the audit efficiency. This
memorandum should be completed and approved as part of initial audit planning. In
completing this document there may be occasions when matters already documented in
other work papers are relevant. There is no need to re-write such material if a specific
reference can be made.
This memorandum is structured so that planning documentation common to all projects is
presented. All items should be read and considered on every project. When a section is not
applicable, indicate "N/A", with a brief explanation why it is not applicable. The planning
memorandum is divided into four sections:
i. Introduction / Background
ii. Management Concerns & Issues
iii. Administration and job set up;
iv. Risk assessment; and
v. Nature and Scope of Audit
2.7 Conclusions
The risk-focused description and definition of organisations’ operating environment and
operations has gained increasing prominence over recent decades. Risk-based auditing
allows an organization to understand the current risks and assess the effectiveness of
existing controls. Additionally, it also allows management of the audit organization to target
15
Methods for Developing Risk-Based Audit Plan
resources to specific operations. Normally, risk based approach required auditor to have
proper audit planning. Audit Planning is an important phase during the audit proses. During
the planning stage, the auditor gains an understanding of the client, the client’s internal
controls, the client’s information technology (IT) environment, the client’s corporate
governance environment and the client’s closing procedures. In the context of internal audit,
it is discussed that the allocation of limited resources in the most effective way requires an
assessment of risk across all the auditable areas (Internal Audit Community of Practice (IA
COP), 2014). In this regard, the objective of risk-based planning is to ensure that the auditor
examines subjects of highest risk to the achievement of the organization’s objectives. Within
the planning of audits also, the selection process and analysis of audit subjects’ risk that
supports sampling procedures can be distinguished logically from the enumeration of risks to
the conduct of the audit. Risks are analysed by the audit organisation, but the risks
themselves can arise in the audited organisations in the former, and in the auditing
organisation in the latter case; the analyst and the party at risk are therefore separated from
each other. In conclusion, the risk based audit approach is an approach that requires the auditor to analyse
risk by gathering necessary, relevant and reliable information, identifying possible threats,
analysing their impact and probability, and then evaluating them.
PART 3
RESEARCH METHODOLOGY
3.1 Introduction
Research design provides a framework for the collection and analysis of data (Bryman and
Bell, 2007). Therefore, this part provided details of research design in relation to qualitative,
quantitative and mixed methods research as three major approaches to research in social
sciences. This part also explained the methodology employed in this research and methods
of collecting and analysing data.
3.2 Research Methodology
In research, methodology refers to the ‘general logic and theoretical perspective’ of a study,
whereas methods refer to techniques, procedures or strategies for analysing and interpreting
data (Bogdan and Biklen, 2007 cited by Long, 2014). Generally there are three research
methodologies: quantitative, qualitative and mixed methods (Creswell, 2014). Quantitative
methods emphasize objective measurements and are either descriptive (subjects usually
measured once) or experimental (subjects measured before and after treatment). Qualitative
studies, in contrast, assume social reality exists independent of the knower and knowledge is
subjective and personal.
Qualitative methods involve close, personal contacts that use the researcher as the
‘instrument’ for recording observations. They emphasize open-ended information that
the researcher usually gathers through interviews, focus groups and observations.
Quantitative methods emphasize objective measurements and the statistical, mathematical
or numerical analysis of data collected through questionnaires or by manipulating
pre-existing statistical data using computational techniques. They are used to quantify attitudes,
opinions, behaviour and other defined variables, and to generalise results from a larger sample
population.
Mixed methods refer to an emergent methodology of research that advances the systematic
integration of ‘mixing’ quantitative and qualitative data within a single investigation or
sustained program of inquiry. This method is used in this research because of time, logistics
and resources constraints.
3.3 Research Method
This research used a descriptive approach that requires the use of mixed methods to
provide insight of the topic under study. This approach gives an opportunity to the
researcher to investigate the issue of risk based audit plan within public sector organisation
or SAIs in a comprehensive way. However, this method could be influenced by the SAIs’
respective mandate, law and regulation, procedures and the nature of audit. Typically,
descriptive research is aimed at casting light on current issues or problems through a
process of data collection that enables them to describe the situation more completely than
was possible without employing this method (Fox, W. & Bayat, M.S., 2007). Descriptive
research is used to describe characteristics and/or behaviour of sample population. The
main purposes of this study can be explained as describing, explaining and validating
research findings on methods for developing RBA plan among the respondent SAIs.
Consistent with this view, the data for this research were gathered from survey
questionnaires and extended study.
In this research, the survey questionnaire was used to gain information to present risk-based
audit planning methodologies to serve as a reference for the auditors in the preparation of a
Risk-Based Audit Plan. Based on the survey results, the extended study was conducted on
selected SAIs through email to submit their guidelines or manuals which provide a detailed
walkthrough of their risk-based audit planning procedures, as well as the corresponding
documentation therefor (i.e., templates and sample working papers).
3.4. Research Instrument
In order to fulfil the study objective, survey questionnaires and reviewing documents were
involved. A survey research was used as a preliminary study to obtain information to the
extent of risk based audit that has been performed by SAI members. This includes current
knowledge and understanding of risk based audit approach, practices and processes of risk
assessment in accordance to ISSAI or related best practices in each SAI. This information
gave input to the research from the theoretical and practical perspective and to explore the
possible issues regarding the adoption of risk-based audit planning in audit works. Based on
the survey analysis, the researchers performed an extended study to explore more on the
risk-based audit planning process adopted by selected ASOSAI members. The sources of data
were obtained from the audit planning documents submitted by the selected SAIs.
3.4.1 Primary Data
Primary data are information collected by a researcher specifically for a research
assignment. The information needs to be gathered because no one has compiled and
published the information in a forum or platform accessible to the public. Primary data are
original in nature and directly related to the issue or problem and current data.
In this research, the primary data were collected from 25 ASOSAI members through
questionnaire. The questionnaires consisted of SAI characteristic related to types of audit,
audit approach and the processes involved in audit planning for each type of audit.
3.4.2 Secondary Data
Secondary data are the data available in written, typed or in electronic forms. Secondary
data is also used to gain initial insight into the research problem. In this research, the
secondary data were collected from country papers, publications, articles of the 25 selected
SAIs that develop a Risk Based Audit Plan in conducting their audit works.
3.4.3 Survey Questionnaire
In this research, the survey questionnaire was designed as a semi-structured questionnaire; it consisted of
close-ended and open-ended questions. The majority of the close-ended questions were
answerable by Yes, No and Not Applicable. The open-ended questions, on the other hand,
were provided in cases where (1) the answers of the respondents are not among the given
options, thus, the need to identify and describe others; and (2) there is a need to obtain the
particulars and evidence supporting the Yes answers.
The survey was distributed through postal mail, email or fax addressed to the Heads of the
48 ASOSAI member SAIs, as per consensus during the 2nd ASOSAI Research Project
meeting on 2-4 May 2016. The selection of the particular person who would answer the
questionnaire was left to the judgment of the SAI Head, with the assumption that the SAI
Head will choose someone who can give reliable information as far as the topic of the
research project is concerned. The purpose of the survey was to determine:
• Which among the target SAIs adopt the risk-based audit approach;
• Which among the target SAIs have a structured guideline in preparing a
risk-based audit plan;
• The contents of planning memorandum of target SAIs, if any;
• Which among the target SAIs prepare an audit plan for financial,
performance and compliance audits;
• The steps adopted by target SAIs in the preparation of an audit plan for
financial, performance and compliance audits;
• The perception of target SAIs on the achievement of benefits in preparing
a Risk-Based Audit Plan; and,
• The contents/elements of the audit plan.
The questionnaire in this research was based on the literature review (see Part 2) and other
instruments based on ISSAI requirements on audit planning. This questionnaire was
customised pertaining to the preparation of the Risk Based Audit plan that was used in this
study. The content, criteria and scope of the questionnaires had been discussed extensively
and through brainstorming among members of this group. The discussion was led by Group
2 comprised of representatives from SAI Philippines, Iran and Bangladesh. Template
questionnaires from SAI Philippines, SAI Iran and SAI Bangladesh were used as
reference in designing the final questionnaire.
In this research, the survey questionnaire was designed and divided into four main parts:
• Basic Information of SAI;
• Preparation of audit plan (or risk-based audit plan);
• Internal control system and Risk Assessment; and
• Documentation in the preparation of Risk-Based audit plan.
3.4.4 Extended Study
In line with the research objectives of describing the methods used by the ASOSAI members
in developing risk based audit plan, the extended study was conducted among selected SAIs
to identify the practices of ASOSAI members in developing audit plan for financial,
performance and compliance audits in accordance with ISSAIs.
The set of criteria that must be satisfied for the selection were as follows:
a. The SAI adopted the risk-based audit approach or both risk-based and
systems-based audit approaches (should have a yes answer in Item II.1.c.i of the survey
questionnaire);
b. The SAI has a structured guideline in preparing a risk-based audit plan (should
have a yes answer in Item II.1.d of the survey questionnaire); and
c. The SAI prepared a planning memorandum for financial, compliance and
performance audits, whichever were being performed by the SAI (should have a
yes answer in Item II.1.f of the survey questionnaire).
3.5 Data Collection
3.5.1 The survey questionnaire
The deadline of the survey was September 11, 2016. Out of 48 copies of the questionnaire
distributed, only 25 were successfully completed and returned. The 25 SAIs who answered the
questionnaires are shown in Figure 1.
FIGURE 1
SAI THAT SUBMITTED SURVEY QUESTIONNAIRE
1. Australia
2. Azerbaijan
3. Bahrain
4. Cambodia
5. China
6. Cyprus
7. India
8. Indonesia
9. Iran
10. Iraq
11. Japan
12. Jordan
13. Korea
14. Kuwait
15. Bahrain
16. Lao PDR
17. Malaysia
18. Mongolia
19. Myanmar
20. Nepal
21. Philippines
22. Saudi Arabia
23. Singapore
24. Tajikistan
25. Vietnam
A descriptive analysis was conducted on 25 SAIs to obtain information on the following:
a) The adoption of risk-based audit approach;
b) The availability of risk-based audit guidelines; and
c) The preparation of audit plan memorandum for financial, performance and compliance
audits.
Details of the descriptive analysis of the 25 SAIs were depicted in Table 2.
TABLE 2
ANSWERS OF 25 SAIS ON QUESTIONS PERTAINING TO CRITERIA
[Table cells not recoverable. Columns: SAI; Adopts Risk-Based Audit Approach; Has a structured guideline in preparing a risk-based audit plan; Prepares a planning memorandum for financial, compliance and performance audits; To be included in the extended studies. Rows: 1. Australia, 2. Azerbaijan, 3. Bahrain, 4. Bangladesh, 5. Cambodia, 6. China, 7. Cyprus, 8. India, 9. Indonesia, 10. Iran, 11. Iraq, 12. Japan, 13. Jordan, 14. Korea, 15. Kuwait, 16. Laos, 17. Malaysia, 18. Mongolia, 19. Myanmar, 20. Nepal, 21. Philippines, 22. Saudi Arabia, 23. Singapore, 24. Tajikistan, 25. Vietnam.]
Note: SAI Bahrain is not included in the extended study since it adopts risk-based audit
approach together with an approach called “coverage range.”
3.5.2 The extended study
Based on the results of the survey, 11 SAIs out of 25 respondent SAIs were selected as the
subject for the extended studies. Among the 11 selected SAIs, five (5) adopt only risk-based
audit approach while six (6) adopt both risk- and systems-based audit approaches (Table 3).
TABLE 3
SELECTED SAIS FOR EXTENDED STUDY
SAI | Adopts Risk-Based Audit Approach | Adopts Systems-Based Audit Approach
1. Australia | ✓ |
2. Indonesia | ✓ |
3. Jordan | ✓ |
4. Nepal | ✓ |
5. Philippines | ✓ |
6. Bangladesh | ✓ | ✓
7. Cyprus | ✓ | ✓
8. India | ✓ | ✓
9. Singapore | ✓ | ✓
10. Malaysia | ✓ | ✓
11. Iraq | ✓ | ✓
From the 11 selected SAIs, seven (7) SAIs submitted sufficient documents which were used
for extended studies. SAIs Australia, Iraq, Malaysia and Nepal had submitted references for
their financial and performance audit planning procedures. SAI Bangladesh submitted
references for its financial and compliance audit procedures. SAI Indonesia submitted
references for its planning procedures on all three audits. Finally, SAI Philippines submitted
references for the comprehensive audit (financial, compliance and performance audits
performed together by an engagement team) it conducts.
3.6 SUMMARY
This research was conducted based on survey questionnaire and extended study. Data were
collected through both methods by analysing questionnaires and reviewing
documents. In this research, the data collection framework can be described as below:
FIGURE 2
DATA COLLECTION FOR DESCRIBING METHODS USED BY THE ASOSAI MEMBERS
IN DEVELOPING RISK-BASED AUDIT PLAN
SURVEY QUESTIONNAIRES
• CLOSE ENDED
• OPEN ENDED
EXTENDED STUDY
• ANALYSIS OF RISK BASED AUDIT IN FINANCIAL, COMPLIANCE,
PERFORMANCE AUDITS IN 11 SELECTED SAIs
23
Methods for Developing Risk-Based Audit Plan
This part has outlined and described the methodological and theoretical approach
undertaken to examine the implementation of risk-based audit in selected SAIs. This
research applied a descriptive approach to gather information from the respondent SAIs
pertaining to the preparation of the audit plan in three types of audit (financial, compliance and
performance), ISSAI compliance among the respondents and adoption of RBA in planning
the audit. Research findings and analysis will be discussed in Part 4 based on questionnaires
and Part 5 based on the extended study.
PART 4
RESEARCH RESULTS BASED ON QUESTIONNAIRES
4.1 Introduction
This part describes and discusses the research findings based on questionnaires. It relates
to the first research objective of identifying the methods used by SAIs to develop risk-based
audit plans. The research findings and discussion will be presented under three topics:
descriptive analysis based on basic information given by the SAIs, information pertaining to
preparation of Audit Plan/Risk-Based Audit Plan as well as internal control system and risk
assessment.
4.2 Descriptive Analysis
The questionnaires were sent to all members of the ASOSAI and 25 SAIs responded (52%).
The 25 responses were from SAI Australia, Azerbaijan, Bahrain, Bangladesh, Cambodia,
China, Cyprus, India, Indonesia, Iran, Iraq, Japan, Jordan, Korea, Kuwait, Laos, Malaysia,
Mongolia, Myanmar, Nepal, Philippines, Saudi Arabia, Singapore, Tajikistan and Vietnam.
The descriptive analysis (Table 4) of the respondent SAIs indicated that 6 SAIs (Australia,
India, Iran, Japan, Malaysia and Philippines) have existed for more than 100 years. 9
SAIs (Cyprus, Indonesia, Iraq, Jordan, Korea, Kuwait, Myanmar, Nepal and Singapore) fall
under the category of 50 – 100 years of existence. 10 SAIs (Azerbaijan, Bahrain,
Bangladesh, Cambodia, China, Lao PDR, Mongolia, Saudi Arabia, Tajikistan and Vietnam)
have been in existence for less than 50 years.
It is found that 17 (68%) out of 25 SAIs were established by their respective constitutions or
laws. The 17 SAIs are Australia, Azerbaijan, Bangladesh, Cambodia, India, Indonesia, Iran,
Japan, Jordan, Korea, Lao PDR, Malaysia, Myanmar, Nepal, Philippines and Singapore. All
SAIs have mandates/functions/responsibilities to conduct the audits. Half of the respondents
followed the Westminster model which is intrinsically linked to the system of parliamentary
accountability. 6 SAIs (Azerbaijan, Indonesia, Japan, Korea, Philippines and Tajikistan)
followed the Board or Collegiate model where a number of members form its governing
board or college and make decisions jointly.
TABLE 4
DESCRIPTIVE DETAILS OF RESPONDENTS (PERCENTAGE IN PARENTHESES)
| Basic Information | | Respondents (n = 25) |
|---|---|---|
| Establishment | >100 years | 6 (24%) |
| | 50-100 years | 9 (36%) |
| | <50 years | 10 (40%) |
| Constitutional/Legal Status | Constitution | 12 (48%) |
| | Law/Act | 5 (20%) |
| | Others | 3 (12%) |
| | Not stated | 5 (20%) |
| Mandate | Yes | 25 (100%) |
| Types of SAI | Westminster | 13 (52%) |
| | Judicial | 1 (4%) |
| | Board/Collegiate | 6 (24%) |
| | Others | 1 (4%) |
| | Not stated | 4 (16%) |
It can be concluded that there are differences in the characteristics of responding SAIs in
terms of the legal status or mandate depending on the institutional models.
4.3 Information Pertaining to the Preparation of the Audit Plan/Risk-Based Audit Plan
4.3.1 Types of Audits Conducted
All of the 25 SAIs conducted financial audits, 22 SAIs (88%) conducted compliance
audits and 21 SAIs (84%) conducted performance audit. Other types of auditing
performed by SAIs are audit of performance statements, audit of appropriateness of
performance measures, performance audits of commonwealth partners, forensic
audit, special purpose audit, management audit of Government Linked Companies,
assurance review or other audits which have similarities with either financial,
compliance or performance audits.
4.3.2 Preparation of Audit Plans
The International Standards of Supreme Audit Institutions (ISSAIs) 1300: Planning
and Audit of Financial Statements, ISSAI 3000: Standard for Performance Auditing
and ISSAI 4000: Compliance Auditing Standard require SAIs to develop audit plans
for financial, performance and compliance audits. The survey results (Figure 3)
indicated that most of the SAIs prepare separate audit plans for financial,
performance and compliance audits.
FIGURE 3
PREPARATION OF AUDIT PLANS
[Pie chart: Preparing separate Audit Plans, 21 (84%); Not preparing separate Audit Plans, 3 (12%); Not applicable, 1 (4%)]
Note: SAI Myanmar answered “Not applicable”.
The survey results showed that 84% of the 25 SAIs prepare separate audit plans.
Three SAIs (Cyprus, Japan and Philippines) prepare one audit plan for all types of
audits. SAI China, Vietnam and Nepal prepare combined audit plans for compliance
and financial audits together.
4.3.3 Adoption of Risk-Based Audit Approach
The importance of considering risks is mentioned in the following ISSAIs:
• The auditor shall design and implement overall responses to address the
assessed risks of material misstatement at the financial statement level
(ISSAI 1330);
• The auditor shall actively manage audit risk to avoid the development of
incorrect or incomplete audit findings, conclusions and recommendations or
failing to add value (ISSAI 3000); and
• The auditor shall perform procedures to reduce the risk of producing
incorrect conclusions to an acceptably low level (ISSAI 4000).
Based on their responses, 7 SAIs (Australia, Cambodia, Indonesia, Jordan,
Mongolia, Nepal and Philippines) fully adopted risk-based audit approach. SAIs of
China, Cyprus, Iraq and Singapore adopted risk-based and system-based audit
approaches. SAIs of Bahrain and Lao PDR adopted risk-based and other audit
approaches and 4 SAIs (Bangladesh, India, Korea and Malaysia) utilised risk-based,
system-based and other audit approaches. SAI Kuwait and SAI Iran utilised system-based
audit approach. Other approaches include results-oriented, problem-based,
transaction-based, fundamental and topic-based.
TABLE 5
AUDIT APPROACHES ADOPTED BY SAIS
| AUDIT APPROACH | NO. OF SAIS |
|---|---|
| Risk-based only | 7 |
| Risk-based and system-based | 4 |
| Risk-based and others | 2 |
| Risk-based, system-based and others | 4 |
| System-based only | 2 |
| Others | 5 |
| System-based and others | 1 |

4.3.4 Structured Guideline in Preparing Risk-Based Audit Plan
The development of structured guidelines will assist the auditor to conduct an
effective risk-based audit plan. The results illustrated in Figure 4 showed that 15 out
of 25 SAIs have structured guidelines to prepare the plans. The 15 SAIs are
Australia, Bahrain, Bangladesh, Cambodia, China, Cyprus, India, Indonesia, Iraq,
Jordan, Malaysia, Mongolia, Nepal, Philippines and Singapore.
FIGURE 4
SAIS HAVING STRUCTURED GUIDELINES IN PREPARING RISK-BASED
AUDIT PLAN
[Pie chart: Has a structured guideline in preparing a risk-based audit plan, 15 (60%); Has no structured guideline in preparing a risk-based audit plan, 2 (8%); Not applicable (not adopting risk-based approach), 8 (32%)]
Note: SAIs Lao PDR and Korea answered “No”
The survey results revealed that 14 out of 15 SAIs which have structured guidelines
enumerated the processes of preparing a Risk-Based Audit Plan as shown in Table 6.
TABLE 6
PROCESS OF PREPARING A RISK-BASED AUDIT PLAN
SAI
PROCESS OF PREPARING A RISK-BASED AUDIT PLAN
Australia
A risk-based audit approach for financial statements audit entails:
1. A systematic approach to planning focussing on high risk areas;
2. The evaluation of internal control systems; and
3. The use of analytical procedures to form an opinion that is within the
desired level of assurance.
The audit strategy is communicated to the client including a snapshot of the
risk assessment followed by a detailed assessment and planned response to
the key areas of audit focus, as well as information on the audit approach to all
material processes.
Bahrain
The process involves:
1. Understand all related business processes.
2. Prepare documents and information flowcharts for business processes.
3. Identify all probable and expected risks.
4. Classify identified risks (High, medium, low).
5. Identify risky areas and prepare the audit plan and work program based on
that.
Bangladesh
A risk assessment matrix is developed from the lessons learned by conducting
ISSAI compliant for financial and compliance audits. Risks are assessed using
the matrix and then the plan is developed based on the risks assessed.
Cambodia
The audit teams gather the information about the audited entity and perform
analytical procedures, calculate overall materiality, performance materiality in
order to identify the accounts for doing the risk assessment. Auditors assess
the inherent risk, control risk, fraud risk and compliance risk of the account and
the audit procedures to uncover the risks identified.
China
The process involves comprehensively analysing the risk and understanding
the basic situation of the audited entities, confirming the factors that affect
audit objectives, testing and evaluating the inherent risk and risk control of
audited entities, determine the acceptable level of audit risk, determining
corresponding countermeasures of audit and appropriate audit procedures.
Cyprus
The Internal Auditing Guidelines outline the steps to be followed in preparing
an audit plan. The Guidelines include templates for the assessment of audit
risk, calculating materiality levels and determining the main audit areas based
on the risk assessment performed.
Indonesia
The general process of risk-based audit planning is as follows:
• Understanding the Audit Objectives and Engagement Expectation;
• Understanding the Entity and Its Business Process;
• Understanding Previous Audit Reports;
• Conducting Initial Analytical Procedures;
• Understanding the Internal Control System;
• Initial Risk Identification and Risk Assessment;
• Setting the Initial Materiality Threshold;
• Determining the Sampling Method;
• Determining the Audit Criteria; and
• Preparing the Audit Program.
Iraq
The process starts from the initial survey and the evaluation of the internal
auditing system, determining the potential and auditing risks for all kinds of
accounts and calculating the percentage of each one, and then calculating and
determining the size of the required sample for auditing in such a way that it
represents all of them and is sufficient to reach a technical and neutral opinion
about the accuracy and appropriateness of the financial statements. This is still
in the initial stages and includes 25% of the work plan prepared to implement
tasks.
Jordan
The process includes problem analysis, audit objectives, audit scope, audit
problem and audit criteria.
Malaysia
The audit planning process includes:
1. Understanding the entity and its environment;
2. Identifying and assessing the risks of material misstatement for classes of
transactions, account balances, and disclosures;
3. Audit planning memorandum;
4. The auditor’s responsibilities relating to fraud;
5. Review of the internal auditor’s report;
6. Communication with those charged with governance;
7. Audit considerations relating to an entity;
8. Using a service organization;
9. The auditor's responsibilities relating to other information in documents
containing audited financial statements; and
10. Review of financial statements opening balances.
Mongolia
General process for audit planning is as follows:
1. Identifying weaknesses;
2. Identifying risks by inherent and internal control based on weaknesses
and evaluate auditors’ risks by account;
3. Determining materiality;
4. Developing audit questions, audit procedures criteria;
5. Developing audit programme; and
6. Finalise and approve audit plan.
Nepal
All the audited entities are graded into Grade A, B and C based on defined
evaluation criteria. All Grade A entities and 50% of Grade B and 1/3rd of Grade
C entities are audited by adopting detailed audit procedures. Others are
audited using simplified procedure. The rest of 50% of Grade B and 2/3rd of
the Grade C entities are audited at two- and three-year intervals respectively.
Philippines
The process starts with strategic planning and risk identification and the
agency audit planning and risk assessment as per the Integrated Results and
Risk Based Audit Manual (IRRBAM) that considers the following processes:
1. Preparing the agency audit work step;
2. Understanding the agency;
3. Identifying significant agency risks;
4. Understanding and assessing agency level controls;
5. Understanding the process; and
6. Conducting audit risk assessment and planning
Singapore
The process involves acquiring an understanding of the entity being audited
and its environment, identifying and analysing key risks, considering the
internal controls in place and designing the audit approach/strategy.

4.3.5 Risk Analysis in Preparing the Audit Plan
Analysing or assessing risks is part of planning to ensure that the scarce resources
are addressed to the audit of areas of highest risks. Auditors must have a thorough
understanding of risks facing the audited entity and their potential impact and
probability. Then, they have to apply realistic judgments on the importance and
probability of risks identified.
The survey results revealed that the majority of the SAIs analyse risks in preparing the
audit plan (Figure 5). Even though 17 SAIs explicitly reported that they adopt risk-based
auditing either fully or partially, another 5 SAIs (Azerbaijan, Iran, Myanmar,
Tajikistan and Vietnam) which did not adopt risk-based auditing also conduct risk
analysis in preparing the audit plan.
FIGURE 5
SAIS USING RISK ANALYSIS IN THE PREPARATION OF THE AUDIT PLAN
[Pie chart: Using risk analysis in the preparation of Audit Plan, 23 (92%); Not using risk analysis in the preparation of Audit Plan, 1 (4%); Not applicable, 1 (4%)]
Note: SAI Saudi Arabia answered “Not applicable,” while SAI Japan answered “No”.
4.3.6 Preparation of Audit Planning Memorandum
In order to ensure a high standard of performance, it is important that the auditor
prepare adequately for his/her work. Planning for an audit is essential for the smooth
performance of the audit work and its successful completion. It will not only
guarantee a valid audit opinion but also ensure that the objective is achieved, the audit is
properly directed and controlled, and the high-risk audit areas are given due
attention.
The survey results (Figure 6) indicated that slightly more than half of the 25
respondent SAIs (Australia, Bahrain, Bangladesh, Cyprus, Indonesia, Iraq, Jordan,
Korea, Lao PDR, Malaysia, Nepal, Singapore and Vietnam) prepared the Audit
Planning Memorandum (APM) for financial, compliance and performance audits.
Nine SAIs (Azerbaijan, Cambodia, China, Iran, Kuwait, Mongolia, Philippines and
Tajikistan) did not prepare the APM.
FIGURE 6
SAIs PREPARING APM FOR FINANCIAL, COMPLIANCE AND
PERFORMANCE AUDITS
[Pie chart: Preparing planning memorandum, 13 (52%); Not preparing planning memorandum, 9 (36%); Not applicable, 1 (4%); No answer, 2 (8%)]
Note: SAI Saudi Arabia answered “Not applicable,” while SAIs Japan and
Myanmar have answered “No”.
10 SAIs (Australia, Bahrain, Cyprus, Indonesia, Jordan, Lao PDR, Malaysia, Nepal,
Singapore and Vietnam) mentioned the contents of the APM as presented in Table 7.
TABLE 7
CONTENTS OF PLANNING MEMORANDUM
SAI
CONTENTS OF PLANNING MEMORANDUM
Australia
Financial statement audit: For each material process, the affected financial
statement line items, a description/overview of the items, the relevant control
activities/information systems, key IT systems, information systems, the audit
team’s intended control reliance and rotation considerations, a link to the
relevant audit work and a summary of elevated and significant risks.
Bahrain
1. Introduction (Bases and purpose of the plan);
2. Background about the entity to be audited (Duties and responsibilities,
organisational structure, goals, important related statistics …etc.);
3. Related parties and concerned organizational units;
4. Audit goals, scope, and methodology;
5. Audit standards, guidelines and all related criteria (Decrees, ministerial
decisions, policies and procedures manuals, etc.);
6. Strengths and weaknesses;
7. Timelines and schedules of the audit assignment;
8. Details of team members; and
9. Risk analysis document and audit work program.
Cyprus
1. Audited entity background: Mission, legal framework, organizational
structure, budget and staff.
2. Risk assessment: Template document to be completed.
3. Materiality calculation document: Template document to be completed.
4. Audit budget (available man days), timeframe and audit team members.
5. Audit team meeting minutes, determining the areas on which the audit
will focus.
6. Audit steps to be followed, including available man days for each step
and the member(s) of staff to which steps are assigned.
[A detailed audit programme including steps to be followed in each audit area
has so far been adopted for central government entities and municipalities. A
similar programme has been prepared for the audit of statutory bodies;
however, it is yet to be adopted.]
Indonesia
1. The legal basis for the audit;
2. Audit standard;
3. Audit objective;
4. General information about the entity;
5. Audit scope;
6. The result of understanding the entity’s internal control system;
7. Targeted audit;
8. Audit criteria;
9. The rationale/reasons of the audit;
10. Audit methodology;
11. The audit period;
12. The composition of the team and the detailed audit fee;
13. The audit report framework; and
14. The distribution of report.
Jordan
1. The legal framework of the entity;
2. The mandate of the entity;
3. The objectives of the entity;
4. The Internal audit system;
5. The problem/s; and
6. Auditing process.
Lao PDR
1. Background information of the entity;
2. Audit objective and scope;
3. Audit Methodology;
4. Audit risk area;
5. Assessing whether of priority; and
6. The timing and staffing
Malaysia
1. Introduction;
i. Background (Establishment of Entity – Establishment Act); and
ii. Activity/Main Operation.
2. Organisational Structure;
3. Accounting System;
4. Accounting Policy;
5. Main and Key Activity;
6. Audit Objective, Scope and Methodology;
7. Setting the Materiality Level;
8. Audit Approach;
i. Examine the system and determine the existence of internal
control which is supported by the chart to express an audit
opinion;
ii. Specify the sample size and methods of selection and the
branches visited;
iii. Auditing in computerised environment. Evaluate the integrity of
the system in producing financial statements and critical
information; and
iv. Pending matters from previous year.
9. Risk Assessment;
10. Audit Programme;
11. Grade and Number of Employees;
12. Audit Time Frame;
13. Audit Fee;
14. Contact Person;
15. Audit Report of the Private Auditor to the Auditor General;
16. Other Significant Matters;
Nepal
1. Description about entity to be audited; introduction, establishment year,
objectives, functions, legal, institutional and policy arrangements, staff
positions, annual and periodical programmes and progress statements,
financial transactions, financial Statements etc.;
2. Audit Objectives, Scopes, Methodology;
3. Audit Programme;
4. Audit Team and Responsibility;
5. Ethical Requirements and Consideration of Competency Required; and
6. Supervision Arrangements
Singapore
The APM for financial or compliance audit include:
1. Audit Mandate;
2. Audit Objective and Scope;
3. Significant Events and Developments;
4. Financial Highlights;
5. Risk Assessment; and
6. Audit Approach and Strategy.
Vietnam
Financial and performance audits shall be planned separately but compliance
audit normally is planned, as well as conducted in conjunction with a
financial/performance audit.
From the table above, there are seven common contents of the APM encompassing the
following:
1. Basic information of the unit and subject matter of the audit;
2. Audit objectives and scope;
3. Audit methodology;
4. Areas of audit risk;
5. Assessing the priorities; and
6. Timing and assignment of audit areas.
4.3.7 Benefits of Risk-Based Audit Plan
ISSAI 1300 paragraph 2 stated the following five benefits of preparing a Risk-Based
Audit Plan:
i. Helping the auditor to devote appropriate attention to important areas of the audit.
ii. Helping the auditor in identifying and resolving potential problems on a timely
basis.
iii. Helping the auditor properly to organise and manage the audit engagement so
that it is performed in an effective and efficient manner.
iv. Assisting in the selection of engagement team members with appropriate level of
capabilities and competence to respond to anticipated risks, and the proper
assignment of work to them.
v. Facilitating the direction and supervision of engagement team members and the
review of their work.
Survey results showed that more than 80% of the respondents agree on all the
benefits of preparing a risk-based audit plan as per ISSAI 1300. Details are depicted
in Table 8.
TABLE 8
BENEFITS IN PREPARING A RISK-BASED AUDIT PLAN
| NO. | BENEFITS | AGREE (NO) | AGREE (%) | DISAGREE (NO) | DISAGREE (%) | NOT APPLICABLE (NO) | NOT APPLICABLE (%) |
|---|---|---|---|---|---|---|---|
| 1 | Helping the auditor to devote appropriate attention to important areas of the audit. | 23 | 92 | 0 | 0 | 2 | 4 |
| 2 | Helping the auditor in identifying and resolving potential problems on a timely basis. | 22 | 88 | 1 | 4 | 2 | 4 |
| 3 | Helping the auditor properly to organize and manage the audit engagement so that it is performed in an effective and efficient manner. | 22 | 88 | 1 | 4 | 2 | 4 |
| 4 | Assisting in the selection of engagement team members with appropriate level of capabilities and competence to respond to anticipated risks, and the proper assignment of work to them. | 22 | 88 | 1 | 4 | 2 | 4 |
| 5 | Facilitating the direction and supervision of engagement team members and the review of their work. | 23 | 88 | 0 | 0 | 2 | 4 |
The survey results showed that although 8 SAIs are not adopting risk-based auditing either
fully or partially, 5 of them recognised the benefits of preparing a risk-based audit plan.
4.3.8 Preparing Audit Plan for Financial Audit
ISSAI 1300 on Planning an Audit of Financial Statements requires the auditors to
develop an audit plan which includes a description of:
(i) Nature, timing and extent of planned risk assessment procedures (as required
by ISSAI 1315, Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and Its Environment);
(ii) Nature, timing and extent of planned further (substantive) audit procedures at
the assertion level (as required by ISSAI 1330, The Auditor’s Responses to
Assessed Risks); and
(iii) Other planned audit procedures that are required to be carried out in compliance
with other ISSAIs.
The survey results showed that 80% of 25 SAIs included description (i) and (ii) above
in the financial audit whilst 64% of 25 SAIs described other planned audit procedures
that are required to be carried out in compliance with other ISSAIs. Details of the
results are depicted in Figure 7.
FIGURE 7
SAIS WHICH INCLUDE ISSAI-REQUIRED DESCRIPTIONS OF PROCEDURES
IN THE AUDIT PLAN FOR FINANCIAL AUDIT
[Bar chart, number of SAIs (Included in the audit plan for financial audit / Not included in the audit plan for financial audit / Not applicable):
(i) Nature, timing and extent of planned risk assessment procedures: 20 / 4 / 1
(ii) Nature, timing and extent of planned further (substantive) audit procedures at the assertion level: 20 / 4 / 1
(iii) Other planned audit procedures that are required to be carried out in compliance with other ISSAIs: 16 / 7 / 2]
Note:
1. SAI Japan answered ‘Not Applicable’ to all items.
2. SAI Singapore answered (iii) as ‘Not Applicable’.
SAI Japan answered ‘Not Applicable’ to the three requirements of ISSAIs on financial
audit because the SAI conducts direct reporting engagements under the provisions of
the laws and ordinances and has no legal grounds to conduct attestation
engagements, which makes the adoption of ISSAIs on financial audits difficult. For
other planned audit procedures that are required to be carried out in compliance with
other ISSAIs, SAI Singapore answered ‘Not Applicable’ as the SAI is guided by the
Singapore Standards on Auditing issued by the Institute of Singapore Chartered
Accountants for financial auditing.
ISSAI 1315 on Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment and ISSAI 1330 on The Auditor’s
Responses to Assessed Risks listed the steps in developing the financial audit plan:
i. Obtaining an understanding of the entity and its environment, including the entity’s
internal control (as required by ISSAI 1315);
ii. Using the understanding of the entity to identify and assess the risks of material
misstatement at the financial statement and assertion levels (as required by ISSAI
1315);
iii. Designing and implementing responses to these assessed risks of material
misstatements (as required by ISSAI 1315);
iv. Identifying specific procedures required for material financial statement areas
(ISSAI 1330); and
v. Determining what audit procedures and the extent of testing required (ISSAI 1330).
The survey results (Figure 8) showed that 72-88% of the SAIs followed the steps stated
in ISSAI 1315 and ISSAI 1330.
FIGURE 8
SAIS WHICH PERFORM THE STEPS IN DEVELOPING
AN AUDIT PLAN FOR FINANCIAL AUDIT
[Bar chart, number of SAIs (Performing the step in developing an audit plan for financial audit / Not performing the step in developing an audit plan for financial audit / Not applicable):
(i) Obtaining an understanding of the entity and its environment, including the entity’s internal control: 22 / 1 / 2
(ii) Using the understanding of the entity to identify and assess the risks of material misstatement at the financial statement and assertion levels: 20 / 3 / 2
(iii) Designing and implementing responses to these assessed risks of material misstatements: 18 / 5 / 2
(iv) Identifying specific procedures required for material financial statement areas: 18 / 5 / 2
(v) Determining what audit procedures and the extent of testing required: 20 / 3 / 2]
Notes:
1. SAI Japan answered “Not applicable” for all five aspects because of limited
legal grounds to conduct attestation engagements.
2. SAI Saudi Arabia answered “Not applicable” for all questions because the officer
who answered the questionnaire works at the performance auditing department
of the SAI.
Further questions were asked on each of the five steps in developing the financial audit plan.
For the first step, in obtaining an understanding of the entity and its environment, including
the entity’s internal control, the 17 SAIs use various templates such as model or programme
to understand the client; standardised forms or guides; audit guide and ISSAIs; and SAIs’
own standards. Details are shown in Table 9.
TABLE 9
TEMPLATES USED IN UNDERSTANDING THE ENTITY AND ITS
ENVIRONMENT
| TEMPLATE | SAI |
|---|---|
| Use a model or program for understanding the client | Australia, Cambodia, Lao PDR, Vietnam |
| Use standardised forms or guides | Vietnam, Singapore, Malaysia, Nepal, Korea, Iraq, Bahrain |
| Use audit guides and International Standards for Supreme Audit Institutions | Bangladesh, Cyprus, India, Indonesia, Jordan, Iran |
| Own standards | China |
In identifying and assessing the risks of material misstatement at the financial
statement and assertion levels (Step 2), the 17 SAIs use various templates such as
programme on evaluation of the audit risks; table or matrix of risk assessment;
models or guides and ISSAIs. Details are depicted on Table 10.
TABLE 10
RISK ASSESSMENT TEMPLATE
| TEMPLATE | SAI |
|---|---|
| Program on evaluation of the audit risks | Australia, Korea, Jordan, Bahrain, Cyprus |
| Table or matrix of risk assessment | Singapore, Philippines, Iraq, Indonesia, India |
| Models or guides | Laos, Vietnam, Nepal, Malaysia, Korea |
| Identify and assess the risks of material misstatement of the financial statements | China |
| ISSAI | Bangladesh |
Thirteen SAIs reported their methods and techniques in designing and implementing
responses to the assessed risks of material misstatements (Step 3). SAIs of Bahrain,
Bangladesh, Cyprus, Nepal, Philippines and Vietnam design an audit programme.
SAIs of Australia, Cambodia, India, Korea, Malaysia and Singapore design an
objective testing model. SAI Lao PDR designs an audit program as well as an
objective testing model.
Step 4 is about identifying specific procedures required for material financial
statement areas. SAIs of Australia, Cambodia, Indonesia, India, Iraq, Korea, Laos,
Singapore and Malaysia have models for linking the detailed audit procedures with
audit risks. For example in the case of Australia National Audit Office, the ‘Bridge’
details the line items and disclosures covered for each material process, the testing
performed (control and/or substantive) and the assertions addressed by each
procedure.
SAIs were also required to explain their methods on determining audit procedures
and the extent of testing required (Step 5). SAI Australia uses an objective control
and substantive testing to determine sample selections. The audit procedures and
the extent of testing for SAIs of Cambodia, India, Indonesia, Iraq, Korea, Lao PDR,
Malaysia and Singapore are in accordance to their audit programmes.
Apart from the five steps, 3 SAIs (Australia, Bangladesh and India) described other
steps included in the planning stage of the financial audit as per Table 11.
TABLE 11
OTHER STEPS IN THE FINANCIAL AUDIT PLANNING STAGE
SAI
STEPS
Australia
• Establish engagement team and independence;
• Determine the need to appoint a Quality Review Executive (EQCR);
• Consider whether to engage IT Audit;
• Hold an engagement team planning meeting;
• Document the legislative basis for the engagement;
• Prepare for and conduct client and internal audit planning meeting;
• Determine materiality;
• Perform risk assessment analytical procedures;
• Consider using the work of internal audit, experts, other
auditors/service organisations
• Consider the need to use external confirmations and solicitor’s
representation letters;
• Review opening balances for initial audits; and
• Prepare a budget and develop a monitoring plan.
• The auditor also assesses and responds to fraud risks and
communicates the audit strategy to the client.
Bangladesh
• Deciding documentation and requirements
• Materiality level calculation matrix.
India
Materiality assessment for selection of significant audit areas.
4.3.9 Preparing Audit Plan for Performance Audit
ISSAI 3000 on Standard for Performance Auditing and ISSAI 3200 (Draft
endorsement version 2016) on Guidelines for the Performance Auditing Process
mentioned the following steps in developing the performance audit plan:
(i) Understanding the audit topic and identifying problems in the area. As part of the
planning process, there is a need to develop a sound understanding of the
subject matter and of the risks and challenges in the area (ISSAI 3200.21).
(ii) Selecting a focus for the audit or the “audit problem”. ISSAI 3200.35 states that
the audit objectives, audit questions and scope are interrelated and need to be
considered together.
(iii) Designing and planning the audit engagement. ISSAI 3000 (2003) on standards
and guidelines for performance auditing based on INTOSAI’s Auditing Standards
and practical experience, discusses the methodological planning and
administrative planning as follows:
• Methodological planning - Performance audit can draw upon a large
variety of data-gathering and analysis techniques, with due consideration
on the validity and reliability of methods to be used.
• Administrative planning - It involves the selection of the audit team and
team leader and the development of an activity plan including the time
table and resources needed.
The survey results showed that 21 out of 25 SAIs comply with steps (i) and (ii) above and 20
SAIs comply with step (iii) in developing the performance audit plan. Details are as per
Figure 9.
FIGURE 9
STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN AS PER ISSAI
[Bar chart. Categories: (i) Understanding the audit topic and identifying problems in the area; (ii) Selecting a focus for the audit or the “audit problem”; (iii) Designing and implementing responses to these assessed risks of material misstatements. Series: SAIs performing the step in developing an audit plan for performance audit; SAIs not performing the step in developing an audit plan for performance audit; Not applicable.]
Apart from the three steps as per ISSAI 3100, SAIs of Australia, Bangladesh, India,
Indonesia and Nepal enumerated other steps in developing performance audit plan as
shown in Table 12:
TABLE 12
OTHER STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN

SAI: Australia
CONTENTS OF PLANNING MEMORANDUM:
The ‘Audit Work Plan’ documents include:
• Audit objective and criteria;
• Audit scope;
• Rationale for undertaking the audit and likely impacts;
• Background for the audit;
• Audit method;
• Audit team;
• Pre-audit work including consultation;
• Assessment of performance audit engagement and operational risk;
• Significant risks/issues;
• Estimated project hours and costs; and
• Milestones and target dates

SAI: Bangladesh
CONTENTS OF PLANNING MEMORANDUM:
• Conduct entry meeting
• Conduct pre-study
• Submit a report for approval

SAI: India
CONTENTS OF PLANNING MEMORANDUM:
• Assess audit team skills and whether external expertise is to be augmented.
• Preparation of Audit Design Matrix
• Establishing time table and resources

SAI: Indonesia
CONTENTS OF PLANNING MEMORANDUM:
• Understanding the entity
• Selecting audit scope & objective
• Developing criteria
• Developing Audit Design Matrix.

SAI: Nepal
CONTENTS OF PLANNING MEMORANDUM:
• Engaging Civil Society Organisations in the audit process.
• Formation of the Steering Committee to oversee CSOs engagement in audit.
• The Audit Advisory Committee provides suggestions regarding areas to be covered in the performance audit.

In accordance with ISSAIs, the performance audit plan must contain the following
information:
i. Background knowledge and information needed to understand the entity to be audited;
ii. Initial assessment of the problem risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit;
iii. Audit objective, questions or hypothesis, criteria, scope and period to be covered by the audit;
iv. Methodology, including techniques to be used for gathering evidence and conducting the audit analysis;
v. Overall activity plan which includes staffing requirements (i.e. sufficient competencies, human resources, and possible external expertise required for the audit); and
vi. Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit.
The survey results revealed that 18 out of 25 SAIs provide the background knowledge
and information of the entity (item i), 19 SAIs include information pertaining to items (ii)-(iv), 16 SAIs include information on staffing requirements and only 12 SAIs include
information on estimated cost of the audit, key project timeframes, milestones and the
main control points of the audit in the performance audit plan (item vi). Details are shown
in Table 13.
TABLE 13
INFORMATION INCLUDED IN THE PERFORMANCE AUDIT PLAN

RESPONDENTS (TOTAL / %)

| NO. | INFORMATION IN THE AUDIT PLAN | INCLUDED IN THE AUDIT PLAN FOR PERFORMANCE AUDIT | NOT INCLUDED IN THE AUDIT PLAN FOR PERFORMANCE AUDIT | NOT APPLICABLE | NO ANSWER |
|---|---|---|---|---|---|
| 1. | Background knowledge and information needed to understand the entity to be audited | 18 / 72 | 2 / 8 | 4 / 16 | 1 / 4 |
| 2. | Initial assessment of the problem risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit | 19 / 76 | 1 / 8 | 4 / 16 | 1 / 4 |
| 3. | Audit objective, questions or hypothesis, criteria, scope and period to be covered by the audit | 19 / 76 | 1 / 8 | 4 / 16 | 1 / 4 |
| 4. | Methodology, including techniques to be used for gathering evidence and conducting the audit analysis | 19 / 76 | 1 / 8 | 4 / 16 | 1 / 4 |
| 5. | Overall activity plan which includes staffing requirements (i.e. sufficient competencies, human resources, and possible external expertise required for the audit) | 16 / 64 | 4 / 16 | 4 / 16 | 1 / 4 |
| 6. | Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit | 12 / 48 | 7 / 28 | 4 / 16 | 2 / 8 |

4.3.10 Preparing Audit Plan for Compliance Audit
ISSAI 4100 on Compliance Audit Guidelines - For Audits Performed Separately from
the Audit of Financial Statements stated the following steps in developing compliance
audit plan:
i. Determine the subject matter, criteria and scope of compliance audit;
ii. Understand the entity;
iii. Understand the control environment and internal control system;
iv. Risk assessment of the subject matter/audited entity;
v. Consideration of risks of fraud;
vi. Determine reliance on internal controls; and
vii. Link identified risks to audit strategy (audit procedures).
Survey results revealed that a range of 13 to 18 SAIs perform the above steps in
developing the compliance audit plan. Although 18 out of 25 SAIs (72%) understand the
entity, only 13 SAIs (52%) link the identified risks to audit strategy. Details are illustrated in
Table 14.
TABLE 14
STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN AS PER ISSAI 4100

RESPONDENTS (TOTAL / %)

| NO. | STEPS | PERFORMING THE STEPS | NOT PERFORMING THE STEPS | NOT APPLICABLE | NO ANSWER |
|---|---|---|---|---|---|
| 1. | Determine the subject matter, criteria and scope of compliance audit | 17 / 68 | 2 / 8 | 3 / 12 | 3 / 12 |
| 2. | Understand the entity | 18 / 72 | 1 / 4 | 3 / 12 | 3 / 12 |
| 3. | Understand the control environment and internal control system | 17 / 68 | 2 / 8 | 3 / 12 | 3 / 12 |
| 4. | Risk assessment of the subject matter/audited entity | 14 / 56 | 5 / 20 | 3 / 12 | 3 / 12 |
| 5. | Consideration of risks of fraud | 14 / 56 | 5 / 20 | 3 / 12 | 3 / 12 |
| 6. | Determine reliance on internal controls | 15 / 60 | 4 / 16 | 3 / 12 | 3 / 12 |
| 7. | Link identified risks to audit strategy (audit procedures) | 13 / 52 | 5 / 20 | 3 / 12 | 4 / 16 |

It is noted that SAI Japan did not provide their responses because specific information in
their audit plan is confidential. SAIs Nepal and Vietnam conducted compliance audit with the
financial audit or performance audit and therefore, there are no responses from them. SAIs
of Bahrain, Bangladesh, India, Indonesia, Jordan and Singapore reported other steps
performed by them besides the steps detailed in ISSAI 4100 (Table 15).
TABLE 15
OTHER STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN

SAI: Bahrain
CONTENTS OF PLANNING MEMORANDUM:
• Understand all related business processes.
• Prepare documents and information flowcharts for business processes.
• Identify all probable and expected risks.
• Classify identified risks (High, medium, low).
• Identify risky areas and prepare the audit plan and work program based on the areas.

SAI: Bangladesh
CONTENTS OF PLANNING MEMORANDUM:
Special compliance audits and pilot ISSAI compliant compliance audit plans must be approved.

SAI: India
CONTENTS OF PLANNING MEMORANDUM:
Allocation of audit resources for the audits to be undertaken

SAI: Indonesia
CONTENTS OF PLANNING MEMORANDUM:
Understanding expectation and objective of the assignment of compliance audit

SAI: Jordan
CONTENTS OF PLANNING MEMORANDUM:
Size of job, mandate, time, implementation

SAI: Singapore
CONTENTS OF PLANNING MEMORANDUM:
Identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control (Singapore Standards on Auditing 315 issued by the Institute of Singapore Chartered Accountants)

In line with the requirements pertaining to compliance audit, SAIs are also expected to
include in their compliance audit plans the following information:
i. Description of identified criteria related to the scope and characteristics of the compliance audit and to the legal, regulatory or appropriations framework;
ii. Description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria; and
iii. Description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments.
The survey results revealed that 60% of the 25 SAIs included information on item (i), 48%
of the SAIs included information on item (ii) and 56% of the SAIs included information
on item (iii) (Figure 10).
FIGURE 10
INFORMATION INCLUDED IN THE COMPLIANCE AUDIT PLAN
[Bar chart. Categories: (i) Determine the subject matter, criteria and scope of compliance audit; (ii) Description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria; (iii) Description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments. Series: Included in the audit plan for compliance audit; Not included in the audit plan for compliance audit; Not applicable.]
4.3.11 Determining Materiality at the Planning Stage
Materiality is a key element in risk-based auditing as it is an important consideration
in defining audit objectives and criteria, defining the extent of audit procedures and
forming conclusions. ISSAI 1320 on Materiality in Planning and Performing the Audit
requires SAIs to apply the concept of materiality in planning and execution phases
and in evaluating the effect of identified misstatements on the audit and uncorrected
misstatements in the financial audit. For compliance audit, ISSAI 4000 requires the
auditor to determine materiality to form a basis for the design of the audit and for
performance audit, the auditor is required by ISSAI 3000 to consider materiality at all
stages of the audit process, including the financial, social and political aspects of the
subject matter.
In the survey conducted, it is revealed that most of the SAIs determined materiality in audit
planning and performance for the financial audit. On the other hand, there are only 15 SAIs
(Australia, Bahrain, Bangladesh, China, India, Indonesia, Iran, Iraq, Jordan, Korea, Kuwait,
Malaysia, Mongolia, Nepal and Vietnam) which determined materiality for performance
audits and 14 SAIs (56%) determined materiality for compliance audits. Details are shown in
Figure 11.
FIGURE 11
SAIS DETERMINING MATERIALITY IN PLANNING AND PERFORMING THE AUDIT
[Bar chart. Categories: Financial audit; Performance audit; Compliance audit. Series: SAIs determining materiality; SAIs not determining materiality; Not applicable.]
4.4 Internal Control System and Risk Assessment
4.4.1 Internal Control System
The evaluation of internal control system and risk analysis and identification is an essential
procedure for audit planning as per ISSAI 1315 "Identifying and Assessing the Risks of
Material Misstatement through Understanding the Entity and its Environment". Since 2004,
INTOSAI has incorporated the Committee of Sponsoring Organisations (COSO) framework
in its internal control standard guidelines (INTOSAI.GOV 9100 and 9120). The COSO
Framework is a tool for auditors to use to evaluate the internal control system with the
purpose of identifying and analysing risk during the audit process. In this framework, there
are five components of internal control—Control Environment, Risk Assessment, Control
Activities, Information and Communication, and Monitoring Activities.
Based on survey results (Figure 12), only 12 (Australia, Bahrain, Bangladesh, Cambodia,
China, Indonesia, Iran, Kuwait, Malaysia, Mongolia, Philippines and Vietnam) out of 25 SAIs
adopted the COSO Framework in understanding the entity’s internal control.
FIGURE 12
ADOPTION OF COSO FRAMEWORK
[Pie chart. Segments: SAIs adopting the COSO Framework; SAIs not adopting the COSO Framework; Not applicable. Values shown: 13 (52%) and 12 (48%).]
Several SAIs which did not adopt the COSO Framework, i.e. SAIs Bangladesh, Cyprus, Japan,
Jordan, Korea and Nepal, described alternative methods as per Table 16.
TABLE 16
ALTERNATIVE METHODS IN UNDERSTANDING INTERNAL CONTROL SYSTEM

| SAI | EXPLANATION |
|---|---|
| Bangladesh | The internal control questionnaire included in the Entity Wide Audit Manual has been developed using the COSO Framework. |
| Cyprus | No explicit assessment of the internal controls of audited entities is usually performed. Understanding of the internal control environment and its effectiveness normally arises during the audit or from previous audit experience. |
| Japan | When conducting audits, the BOA takes into consideration effectiveness of internal control in auditees’ organizations. On the other hand, in Japan, many government organizations, such as the State, are not required to adopt internal control framework such as COSO framework. However, some organizations including independent administrative agencies adopt the idea correspond to COSO Framework. |
| Jordan | We have Internal Control Regulation with mandatory application. |
| Korea | Although COSO Framework is not stated in the BAI’s financial audit manual, a standard internal control system, including COSO, is used. |
| Nepal | We do not specifically spell out the COSO, however, our procedure covers components of internal controls discussed by COSO framework. Please refer to Financial Audit manual for detail. |

In spite of the significant number of SAIs which did not adopt the COSO Framework, the majority of
respondent SAIs consider the components of the COSO Framework in understanding or
assessing the entity’s internal control. Details are as per Table 17.
TABLE 17
COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK CONSIDERED BY SAIs

RESPONDENTS (TOTAL / %)

| COMPONENT | CONSIDERING TO USE | NOT CONSIDERING TO USE |
|---|---|---|
| Control Environment | 22 / 88 | 3 / 12 |
| Risk Assessment | 22 / 88 | 3 / 12 |
| Control Activities | 24 / 96 | 1 / 4 |
| Information and Communication | 21 / 84 | 4 / 16 |
| Monitoring Activities | 23 / 92 | 2 / 8 |

4.4.2 Risk Assessment
ISSAI 1003 on Glossary of Terms to INTOSAI Financial Audit Guidelines mentioned three
types of risk: inherent, control and detection. Definitions of the three risks are as follows:
• Inherent risk is the susceptibility of an assertion about a class of transaction,
account balance or disclosure to a misstatement that could be material, either
individually or when aggregated with other misstatements, before consideration
of any related controls.
• Control risk is defined as the risk that a misstatement that could occur in an
assertion about a class of transaction, account balance or disclosure, and that
could be material, either individually or when aggregated with other
misstatements, will not be prevented, or detected and corrected, on a timely basis
by the entity’s internal control.
• Detection risk is the risk that the procedures performed by the auditor will not
detect a misstatement that exists and that could be material, either individually or
when aggregated with other misstatements.
ISSAI 1330 on Auditor’s Response to Assessed Risks requires the auditor to design and
perform further audit procedures whose nature, timing and extent are based on and are
responsive to the assessed risks of material misstatement (a function of inherent and control
risks) at the assertion level.
The risk of material misstatement (inherent and control risks) and detection risk constitute
the concept of audit risk, or the risk that the auditor will express an inappropriate conclusion
if the subject matter information is materially misstated. ISSAI 200 Fundamental Principles of
Financial Auditing requires the auditor to reduce audit risk to an acceptably low level in the
circumstances of the audit.
The survey results showed that while control risk is being considered in the preparation of
the audit plan by 22 out of 25 SAIs (88%), detection risk is only considered by 17 SAIs
(68%). Details are as shown in Table 18.
TABLE 18
RISK ASSESSMENT IN THE PREPARATION OF AUDIT PLAN

RESPONDENTS (TOTAL / %)

| RISK | ASSESSING THE RELEVANT RISK | DO NOT ASSESS THE RISK INVOLVED |
|---|---|---|
| Inherent risk | 21 / 84 | 4 / 16 |
| Control risk | 22 / 88 | 3 / 12 |
| Detection risk | 17 / 68 | 8 / 32 |

4.5 Summary
This part reported the findings based on the questionnaire in relation to the research
objective of determining the methods used by the ASOSAI members in developing risk-based
audit plans. Descriptive analysis is used for analysing the results. The research study
found that the methods used by the ASOSAI members in developing the financial,
performance and compliance audit plans are in accordance with ISSAI 1300, ISSAI 3000 and
ISSAI 4000. Risk assessment and analysis as well as materiality are considered in
developing the audit plans. The research study also found that half of the SAIs adopt the
COSO framework to establish, assess and enhance their internal controls.
PART 5
RESULTS BASED ON EXTENDED STUDY
5.1 Introduction
This part discusses the results of the extended studies of 7 SAIs whereby 4 SAIs fully
adopted risk-based audit approach and the remainder adopted combination of approaches.
5.2 Analysis of the Results
5.2.1 Analysis on 7 Selected SAI’s Practices
As mentioned earlier in Part 3, a survey questionnaire prepared to obtain information on
developing risk-based audit plans was distributed among all ASOSAI members. Based on
the questionnaires received, all participating SAIs
in this 11th ASOSAI Research Project agreed that good practices from several selected SAIs
would be beneficial as a reference for further analyses.
Initially, there were 11 SAIs (Australia, Bangladesh, Cyprus, India, Indonesia, Iraq, Jordan,
Malaysia, Nepal and The Philippines) selected for extended study based on their responses
to the questionnaire. However, only 7 SAIs (Australia, Bangladesh, Indonesia, Iraq,
Malaysia, Nepal and Philippines) submitted their audit planning documents.
The documents received from 7 SAIs are:
i. Australia – Financial Audit Guide – Bridge, Financial Audit Guide – Risk Assessment Documents (RAD), Materiality Template, PAAM 70.1 Engagement Risk Rating, Performance Audit Manual, Performance Audit Work Plan Template, Risk Assessment Template and Summary Planning Memorandum Template.
ii. Bangladesh – Fraud Audit Manual, Financial and Compliance Audit Manual, Procurement Manual, Investigation Manual, Audit Plan (Sample), Environment Audit Report and Experience Sharing on Financial Audit.
iii. Indonesia – Financial Audit Guidelines, Performance Audit Guidelines and Special Purpose Audit Guidelines
iv. Iraq – Guide on Performance Evaluation for Programs and Policies and Audit Approach on Risk Method.
v. Malaysia – Guidelines on Auditing Based on ISSAI, Guidelines – 200 Identifying and Assessing the Risks of Material Misstatement and Guidelines – 300 Audit Planning Memorandum.
vi. Nepal – Financial Audit Manual and Performance Audit Guide.
vii. Philippines – Integrated Results and RBA Manual and IRRBAM – Forms and Templates.
5.2.2 Findings on Extended Study
5.2.2.1 Analysis on Audit Approaches
Analysis on both questionnaires and documents submitted by the 7 selected SAIs found that
only 3 out of 7 SAIs solely adopt Risk-based Audit in all types of audit. The remaining 4 SAIs
use both RBA and system-based approach in their audit works. The summary of the audit
approaches adopted by 7 SAIs are as follows:
TABLE 19
AUDIT APPROACHES
[Tick-mark table. Columns: Fully RBA; RBA & System-based or other approaches. Rows: Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal, Philippines.]
The 4 SAIs that have fully adopted RBA are Australia, Indonesia, Nepal and Philippines, while
the other SAIs use both RBA and other approaches. It is also found that there are
approaches other than the aforementioned methods, which indicates the diversity in the
methodologies adopted by ASOSAI members. Other approaches include results-oriented,
problem-based, transaction-based, fundamental and topic-based audit. This research will
focus only on the RBA approach in the planning stage. This study is conducted in order to foster
the adoption of risk-based auditing, especially in audit planning, as a tool to achieve
effective audits in the long run.
Even though there are SAIs which do not fully adopt RBA, the majority of respondents take
risks into account in their audit planning. This means they might already be implementing
a few aspects of the RBA approach without being aware of it, but not in a very structured way.
5.2.2.2 Risk Based Audit Planning
Although ISSAI 1300, 3000 and 4000 require the development of audit plans for
financial, performance and compliance audits, respectively, not all respondent SAIs prepare
separate audit plans. The research findings indicate that almost all SAIs follow ISSAI 1300 and
prepare separate audit plans for compliance audit, financial audit and performance
audit, except SAI Philippines. The summary of methods in developing the RBA Plan by the 7
selected SAIs is as follows:
TABLE 20
RBA PLAN

| SAI | Separate RBA Audit Plan | Combine RBA Audit Plan |
|---|---|---|
| Australia | ✓ | |
| Bangladesh | ✓ | |
| Indonesia | ✓ | |
| Iraq | ✓ | |
| Malaysia | ✓ | |
| Nepal | ✓ | |
| Philippines | | ✓ |

Based on the analysis, it is believed that each type of audit has a different objective, scope
and methodology, so a separate guideline for each type of audit may help auditors
conduct the audit effectively. Further analysis of the SAIs’ documents also found that almost
all SAIs follow the ISSAIs during audit planning for all types of audit. In developing the RBA
Plan for financial audit, understanding the entity and its environment is the first step in
planning the audit. After that, SAIs understand the entity’s internal control, conduct risk
assessment, determine materiality and establish the audit strategy and audit plan. Detailed
information on the financial audit plan is as per Table 21.
TABLE 21
METHODS IN DEVELOPING RBA PLAN: FINANCIAL AUDIT
[Tick-mark table. Columns: Understanding entity and its environment; Understanding the entity’s internal control; Determining materiality; Conducting risk assessment procedures; Establishing audit strategy and audit plan. Rows: Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal, Philippines.]
Source: RBA Documents from the 8 selected SAIs
Based on the RBA documents on performance audit, the research found that only 4 SAIs
follow all the requirements under ISSAI 3000 on the performance audit plan.
Nepal and Philippines follow only a few requirements, such as understanding the entity and
subject matter, defining the scope of audit and choosing audit methodology. However,
Bangladesh does not use RBA in the performance audit plan. The detailed steps followed by
the SAIs in the RBA performance audit plan are as per Table 22.
The study also shows that only Bangladesh and Indonesia use RBA in planning the
compliance audit, while Iraq, Malaysia and Nepal do not use RBA for compliance audit. SAI
Philippines follows only a few steps of RBA for the compliance audit, as its approach is
an integrated audit plan for all kinds of audit. The detailed steps followed by the SAIs in the RBA
compliance audit plan are as per Table 23.
TABLE 22
METHODS IN DEVELOPING RBA PLAN: PERFORMANCE AUDIT
[Tick-mark table. Columns: Assessing potential audit topics in terms of risks, materiality and problems identified; Selecting audit topics that are auditable (assessing auditability); Selecting an audit topic; Understanding the entity and the subject matter (what is audited); Defining the audit objectives and audit questions; Defining the scope of audit; Setting the audit criteria; Choosing audit methodology, including techniques to be used for gathering evidence and conducting the audit analysis; Determining overall activity plan; Estimating cost of the audit, key project timeframes and the main control points of the audit; Identifying intended users and responsible party. Rows: Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal, Philippines.]
TABLE 23
METHODS IN DEVELOPING RBA PLAN: COMPLIANCE AUDIT
[Tick-mark table. Columns: Defining the subject matter and the corresponding audit criteria; Understanding the entity and its environment; Understanding the entity’s internal control; Assessing risk; Establishing materiality for planning purpose; Developing audit strategy and audit plan. Rows: Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal, Philippines.]
*Philippines use Integrated Results and Risk-based Audit for all types of audit
5.3 Extended Study on SAIs RBA Approach and Practices (Fully Adopted RBA)
Further analysis was done on the 7 SAIs that adopt RBA solely or together with other
approaches in their audit planning. Three out of 7 SAIs have fully adopted the risk-based
audit plan. ANAO prepared the most comprehensive and detailed guidelines for both financial
and performance audit, while SAI Indonesia prepared a detailed guideline for compliance
audit. The detailed processes and procedures related to RBA for the three types of auditing
(financial, performance and compliance audit) that were received from SAIs Australia,
Indonesia and Nepal are explained below:
5.3.1 Financial Audit
5.3.1.1 Australian National Audit Office (ANAO)
As required by the ISSAIs, for the first step on the planning stages, the auditor must gain an
understanding of our client’s organization and complete the following documents:
• Business Understanding and Risk Identification (BURI);
• Entity’s Internal Control;
• Fraud Work Program; and
• Process Documentation/Walkthrough for the business process or accounting process.
After understanding the entity, the auditors need to commence the Risk Assessment
Document (RAD). ANAO uses the RAD as their template to document their risk
assessments for all significant business or accounting processes. The RAD documents
consist of:
i. The identified inherent risks of material misstatement (ROMM) for each material financial statement line item (FSLI) within each significant business or accounting process at an assertion level; and
ii. Their assessment of each identified inherent ROMM.
The risks documented in the RAD are an input to the Bridge, in which they design and
document the audit procedures they plan to undertake to address the assessed risks. They
complete a RAD for each significant business and accounting process. In the RAD, they
identify, by financial statement line item, the inherent risks of material misstatement and
assess the level of that risk. The Engagement Executive must review all RADs where a
significant or elevated risk has been identified. The Manager must review all RADs. These
reviews are undertaken prior to the commencement of the audit fieldwork.
FIGURE 13
PROCESS DOCUMENTATION/WALKTHROUGH FOR THE BUSINESS PROCESS OR
ACCOUNTING PROCESS
[Diagram. Elements: BURI; Fraud Assessment; Internal Control; Process documentation and walkthrough; Understanding FSLI; RAD (assertion level); Bridge.]
Source: ANAO Financial Audit Guide – Risk Assessment Document (RAD)
Through the completion of these documents, they are able to identify risk factors that may
affect one or more assertions for the material Financial Statement Line Item (FSLI). The
ROMM must be considered for each FSLI within the business or accounting process. It
should be clear within the RAD which risks relate to which FSLI.
Below is guidance on how to complete the template. The following figure provides an
overview of the process.
FIGURE 14
TEMPLATE ON ASSESSING RISKS AND INPUT TO THE BRIDGE
Identify Inherent Risk by FSLI
• Identify the set of assertions relevant to the FSLI or disclosure
• Identify risks
• Document the associated accounting process
Assess Impact on FSLI
• Determine likelihood
• Determine consequence
• Determine overall risk rating
• Document justification
Populate the Bridge
• Populate Bridge with Significant and Elevated risk
• Link all Normal risk to specific audit procedures in the Bridge that address that assertion
Source: ANAO Financial Audit Guide – Risk Assessment Document (RAD)
All significant risks are required to be transposed to the Bridge. One way to ensure this is to
link all the risks from the RAD to the Bridge. The Bridge is an ANAO template used to
document our planned audit approach and the outcome of that plan. They use it to
document:
i. The identified and assessed risk of material misstatement (ROMM) at the financial report level and the assertion level; and
ii. Their audit response to the assessed ROMM, including the nature, timing and extent of their audit procedures and the link of those audit procedures to the relevant assertions.
The Bridge is central to their audit approach. A Bridge is completed for each significant
business/accounting process/or financial statement line item (FSLI) every year. Each Bridge
details their response to significant, elevated and normal risks of material misstatement. In
order to identify and assess the ROMM as required by standard, they determine materiality
for the audit and perform risk assessment procedures as required by standard.
Risk assessment procedures include completing the BURI, the Laws and Regulations
template, process documentation and other planning procedures. The identified ROMMs are
documented in the RAD and Bridge for the relevant Process/Account Balance/or FSLI. Once
the risks and assertions are identified, audit procedures to address the risks are designed
and recorded in the Bridge. The objective is to reduce to an acceptable level, our risk that a
material misstatement remains undetected.
FIGURE 15
THE BRIDGE PROCESS
[Diagram. Elements: Identify Significant Bus/Acc Processes; Risk Assessment Procedures (incl BURI); RAD; Design Audit Response; Bridge; Update for Results of testing.]
Source: ANAO Financial Audit Guide – Bridge
Before completion of planning, the Engagement Executive must review and sign-off all
Bridges which include significant risk(s) and/or critical areas of judgment, especially those
relating to difficult or contentious matters, and a sample of Bridges which include Elevated
and/or Normal risks. The Audit Manager must review and sign-off all Bridges.
The Bridge is initially completed at the planning stage and is required to be updated during
the audit to reflect the results of the audit procedures or changes that affect the audit
approach. Each successive change to a Bridge must be reviewed at an appropriate level.
The completed Materiality Template or Summary Planning Document is used as a reference
to ensure that all material FSLIs (whether material by nature or quantum) are identified in a
Bridge. FSLIs are used as the basis of our audit approach because they are required to
assess the ROMM at the assertion level and the assertions describe qualities of financial
information, not the qualities of processes. Only significant and elevated ROMM are
recorded individually on the Bridge. Normal ROMM may be documented in the RAD and are
addressed in the Bridge with sufficient coverage over all assertions for the FSLI. Risks are
described (for significant and elevated risks) with reference to a specific assertion. This will
target the work required and will focus audit effort on specific risk. For each Significant and
Elevated Risk, the Auditors are required to document management’s key control(s),
regardless of whether they intend to rely on the operating effectiveness of the control. No
matter what level of assurance they obtain from tests of controls, some substantive
procedures will always need to be performed for each material balance, class of transactions
or disclosure.
5.3.1.2 Indonesia
Based on the BPKRI documentation, audit planning is conducted to prepare the Audit
Program, which will be used as the basis for the audit engagement, so that the audit can
proceed efficiently and effectively. The audit planning stage consists of ten (10) activity steps:
i. Understanding Audit Objectives and Engagement Expectation
Understanding audit objectives and engagement expectation is conducted to find
out what final result and audit objectives are expected by the Signing Officer as well
as to determine the criteria to measure engagement performance obtained through
communication between Auditors and the Signing Officer. Steps in understanding
audit objectives and engagement expectation include:
a. Discussing and communicating with the Signing Officer
Together with the Signing Officer, Auditors build a clear understanding,
which can be used as a basis to define, prioritize, and measure the Auditors’
performance in audit engagement.
b. Submitting audit objectives and engagement expectation
Auditors carry out the step by reviewing (initial assessment) the entity and
updating their knowledge on the entity’s scope of work. Initial consideration of
such information enables Auditors to prepare for discussion with the Signing
Officer and to determine areas to be further explored.
c. Setting audit objectives and engagement expectation
The formulated audit objectives and engagement expectation are
documented in writing and signed by the Team Leader, Supervisor, Audit
Manager, or Signing Officer.
ii. Understanding the Entity and Its Business Process
Understanding the entity and its business process is intended to gain in-depth and
sufficient understanding of the general work processes and risks associated with
each specific work process of the audited entity, as well as to identify and understand
issues important to the entity in achieving its objectives.
iii. Understanding Previous Audit Reports
The objectives of this step are:
a. Obtain deeper understanding of the entity’s work processes and associated
risks based on follow-up implementations on BPK’s recommendations;
b. Assess follow-up implementations on BPK’s recommendations; and
c. Analyse the impact of follow-up implementations on the audited financial
statements.
iv. Conducting Initial Analytical Procedures
The purpose of this procedure is to help Auditors plan the nature, timeline, and scope
of other procedures for the next stage, or audit procedures to be used to obtain audit
evidence for account balances or specific transaction classes.
Initial Analytical Procedure Techniques commonly involve comparing recorded
balances with other data (such as previous year’s balances, balances in related
accounts, or similar posts in the previous year), using ratios or other related matters,
and analysis of the industry/entity’s activities.
v. Understanding Internal Control System
Understanding the internal control system is intended to assess internal control
undertaken by the entity to conduct its activities effectively and efficiently, and to
assess the possibility of misstatement and fraud. In this step, Auditors also assess
the possibility of misstatement caused by matters related to internal control
environmental risks.
vi. Initial Risk Identification and Assessment
The objective of this step is to assess audit risks, so the prepared audit procedures
can be focused on high-risk areas caused by misstatements or fraud, therefore
making the audit process more effective and efficient. Inputs required in this step are:
a. Previous audit working papers (if this is a second-year audit or later),
especially on risk assessment;
b. General review of the entity;
c. Results of fraud risk assessment;
d. Previously conducted discussion with the entity’s leader/management or its
audit committee;
e. Previous discussions with personnel of the internal supervision work unit
and reviewing internal supervision reports; and
f. Understanding of internal control.
vii. Setting Initial Materiality Threshold
Auditors set materiality threshold for the financial audit. In developing audit strategy,
Auditors classify materiality into two (2) groups:
a. Planning Materiality (PM) is related to the financial statements as a whole;
and
b. Tolerable Misstatement (TM) is related to individual accounts or financial
posts.
viii. Determining Sampling Method
Auditors determine the sampling method based on professional judgment. Sampling
is a test element conducted by Auditors to provide assurance on the quality of
information presented and disclosed in the financial statements. The sampling
method utilized can be statistical or non-statistical.
a. Sampling by statistical method in control testing is conducted with attribute
sampling method, while substantive testing is conducted with variable
sampling method.
b. Sampling by non-statistical method is determined using the Auditors’
professional judgment by taking into account the scope of audit, risk and
materiality levels, the accounting system used by the audited entity, and the
cost and benefit principle.
ix. Fulfilling the Needs for Auditors
This step is carried out with the objectives of:
a. Forming an Audit Team with the appropriate expertise composition as
required by the audit engagement;
b. Informing Audit Team Members about the forthcoming engagement, which
covers audit objectives, audit scope, the Signing Officer’s expectations, and
audit performance measures; and
c. Dividing audit tasks in line with their respective expertise and obtaining Audit
Team Members’ commitment on their roles in completing the engagement
and fulfilling the Signing Officer’s expectations, so the audit can be
conducted effectively and efficiently.
x. Preparing Audit Program and Individual Audit Program
The objective of preparing audit program is to summarize all planning steps into a
formal documentation to be approved. Audit Program explains in detail the type,
timeline, and scope of audit procedures.
5.3.1.3 Nepal
The Planning process for SAI Nepal on the financial and compliance audit consists of the
following steps:
i. Understanding the Planning Process
The Strategic Plan, The annual audit plan-Tier I, The Ministry level (or, Directorate
level) plan-Tier II, The entity level plan (or, detailed audit plan or audit program)-Tier
III;
ii. Understanding the Entity Level Strategic Plan
The entity level strategic plan is the first activity in the audit process. It may be
defined as the process that sets the direction of the audit and links the understanding
of the entity’s operations to the focus of the audit work.
iii. Overall Audit Strategy
The overall audit strategy must set the scope, timing and direction of the audit. It
should also guide the development of the detailed audit plan. The establishment of
the overall audit strategy involves the summary of the audit work completed during
the strategic planning phase of the audit.
iv. The Audit Plan
The audit plan is more detailed than the overall audit strategy in that it includes the
nature, timing and extent of audit procedures to be performed by the team members.
The basic purpose of detailed planning is to provide guidance on determining overall
conclusions to date and designing and performing further audit procedures. This is
done in order to respond to the identified risks of material misstatement at the
financial statement and assertion levels done at the preliminary planning stage.
v. Planning Documentation (The Working Papers)
The auditors should document the operations of each audited component of the
entity and the nature and type of audit tests to be completed. This documentation is
to be kept in the relevant Working papers, which an audit team is required to
maintain. The system description is the first step to the detailed planning and should
be completed for all components. It starts with the identification of key activities in the
transaction life cycle. After this, inherent and control risks and management controls
to mitigate these risks should be documented. The auditor should determine the
responses to address the risks of material misstatement at the financial statement
level.
vi. Understanding the Entity’s Business and Environment
In the entity level strategic planning phase, the auditor shall gather information to
obtain an understanding of the following:
a. Overall understanding of the entity;
b. The entity’s accounting policies;
c. The entity’s control environment, and internal controls;
d. The measurement and review of the entity’s financial performance.
vii. Materiality
The objective of the auditor is to apply the concept of materiality appropriately
throughout the audit, especially when:
a. Identifying the components to be audited (strategic planning);
b. Determining the nature, timing and extent of audit procedures (detailed
planning); and
c. Evaluating the effect of misstatements (reporting).
During planning, the auditor should establish an acceptable materiality for the
financial statements as a whole so as to plan to detect quantitative material
misstatements. The auditor should calculate the quantitative materiality level as a
numerical value based on professional judgment.
viii. Risk Assessment
Risk assessment procedures assist the auditor in obtaining an understanding of the
entity and its environment. The procedures should be sufficient to identify and assess
the risks of material misstatement both on the financial statements as a whole and for
each relevant assertion relating to account balances.
ix. Planning Analytical Procedures
Analytical procedures are performed to assist in planning the audit and to enhance
the overall understanding of the entity’s operations. To the extent that it has not been
covered during the development of audit strategy and planning, the auditors should
use analytical procedures to:
a. Analyse relevant information;
b. Discuss results with management.
x. Assessment of Internal and IT Controls
The auditor shall obtain an understanding of internal and IT controls relevant to the
audit. Although most controls relevant to the audit are likely to relate to financial
reporting, not all controls that relate to financial reporting are relevant to the audit.
xi. Consideration of Fraud
There are two types of frauds: fraudulent financial reporting and misstatement of
assets. Although the auditor may suspect or, in rare cases, identify the occurrence of
fraud, the auditor does not make legal determinations of whether fraud has actually
occurred.
xii. Using the Work of Others
Due to technicalities of audit work, involving experts may also be necessary to obtain
sufficient and appropriate audit evidence and to draw conclusion on a specific issue.
xiii. Identification of Significant Financial Statement Accounts and Assertions
Using the information already collected during the planning analytical procedures, the
analysis of relevant information and discussions with management, the auditor
should identify the significant financial statement account balances and classes of
transactions.
xiv. Audit Procedures Responsive to Risks of Material Misstatement
In designing further audit procedures, the auditor considers such matters as the
following:
a. The significance of the risk;
b. The likelihood that a material misstatement will occur;
c. The characteristics of the class of transactions, account balance, or
disclosure involved;
d. The nature of the specific controls used by the entity and in particular whether
they are manual or automated;
e. Whether the auditor expects to obtain audit evidence which will be used to
determine if the entity’s controls are effective in preventing, or detecting and
correcting, material misstatements. The nature of the audit procedures is of
most importance in responding to the assessed risks.
xv. Routine and Non-Routine Transactions
Routine transactions record the entity’s day-to-day operations transactions with the
outside world. Non-routine transactions are transactions that are unusual either due
to size or nature, or that occur infrequently.
xvi. Risks Assessment Process
Risks are the set of circumstances that hinder achievement of objectives. There are
three components of risk which include: Risk Event, Probability of the Risk Event,
and Impact of Risk Event (Risk Event Value). Risk Event is a discrete occurrence
that may affect the project for better or for worse.
xvii. Risk of Significant Misstatement
The risk of significant misstatements on the financial statements when they are
received by the auditor is the combination of inherent risk and control risk. While
developing the audit strategy and planning, the auditor should consider the
entity-wide conditions or events that may increase the risk of significant
misstatements. The risks facing the entity’s operations need to be considered, and
whether these risks are likely to affect the financial statements and therefore have
audit implications.
xviii. Critical Audit Objectives
Critical audit objectives often involve a high risk of significant misstatements and
subjectivity in the evaluation of audit evidence. Audit objectives relating to
non-routine transactions may also involve higher risk of significant misstatements or
subjectivity in the evaluation of audit evidence.
xix. Audit Planning Memorandum
The Audit Planning Memorandum usually includes the following items as a minimum:
a. Technical aspects:
b. Background information, a brief history of the entity,
(ministry/department/project) and current financial position;
c. Recent developments, performance during the year, changes in entity’s
operations, acquisitions, and dispositions/auctions;
d. Objectives and duties of the operations (ministries) highlighting analysis of
key areas of the development plan and long-term plans;
e. Incorporation and analysis of the operation’s (Ministry’s) budget and work
plan for the year and comparison of budget against the actual results of the
entity;
f. A summary of the approach to obtaining an understanding of internal control;
g. A summary of the nature, timing and extent of audit procedures for critical
audit objectives; and
h. A summary of work to be performed by internal auditors and/or specialists.
i. Audit Logistic Aspects:
j. Staffing, including details of the audit team members and other auditors
k. Key people in the entity’s organization to be contacted
l. The required type and timing of report on the audit of the financial statements
and other reports to the entity; and
m. Timetable.
xx. Audit Program
As part of the planning stage and before any fieldwork can be performed, the auditor
needs to create the audit program which will identify the test and the procedures
required to meet the audit objectives identified in the audit planning memorandum.
5.3.2 Performance Audit
5.3.2.1 Australia National Audit Office (ANAO)
The two primary components of the start-up phase of an individual performance audit are:
i. Initial planning, including the collection of information about the entity and
activity to be audited; and
ii. The preparation of an audit plan that will provide the basis for the conduct of
the audit.
Key steps in the start-up phase are as follows:
FIGURE 17
KEY STEPS IN START-UP PHASE
Source: ANAO Performance Audit Manual
Agreement is required from the Executive before resources are expended on
preparing an Audit Work Plan. The
estimate of the hours and cost of the planning phase for each audit must be
approved by the responsible Group Executive Director.
Planning involves developing an overall plan for the scope, emphasis, timing and
conduct of the audit. The audit plan should set out the approach for the nature, timing
and extent of evidence-gathering procedures. Formal approval should be sought for
any change significant enough to impact on the audit objective, scope, budget or
timeframes.
Obtaining an understanding of the activity and its context is an essential part of
planning and conducting a performance audit. It includes gaining a knowledge of the
entity(s) that is responsible for the activity, and where relevant, the broader program
of which the activity is a part.
5.3.2.2.1 Audit Work Plan (AWP)
The AWP shall include: a rationale for undertaking the audit; background for the audit; the
audit objective(s), scope and criteria; audit method; likely impacts; identification and
consultation with internal and external stakeholders; the audit's budget, milestones and
target dates; and an overall performance audit engagement risk and operational risk rating.
Prior to developing the AWP, the audit team should set up a project in Change point so that
costs, including staff time costs, can be allocated to the audit. A Change point project is
established by request made to the Performance Audit Service Group (PASG) Business
Unit. Change point will generate and assign a unique project code (PAR code) and provide
a budgeting tool for estimating the audit budget and timeline.
a. Rationale for Undertaking the Audit
The AWP outlines the rationale for conducting the audit.
The following table illustrates examples that should be incorporated in a rationale:
TABLE 24
RATIONALE FOR CONDUCTING THE AUDIT
Materiality: High value of assets, annual expenditure or annual revenue of the entity or the program, activity or function.
Sensitivity: High public visibility of the program; importance of the program to particular client groups; strong Parliamentary or community interest in the performance of the program.
Impact: Significant impact of the activity, even when it is undertaken by a small unit within an entity with low materiality.
Key area/issue presenting risks or challenges to Commonwealth administration: The program or activity being a government initiative that is directly to a key area/issue presenting risks or challenges to Commonwealth public administration.
Potential benefits from the audit: More efficient business processes; greater accuracy in claims processing; better management of contracts; closer adherence to Commonwealth policies; greater accountability through accurate performance reporting; earlier detection of risks to good management or prevention of fraud.
Previous coverage: No previous ANAO performance audit coverage; very limited internal review of a significant program; possibility of a follow-up audit foreshadowed in a previous ANAO audit; a follow-up audit requested by a Parliamentary committee.
Value for money: Multiple factors need to be taken into account when determining value for money. Refer to the Supplementary Guidance for details on applying a value for money perspective.
Source: ANAO Performance Audit Manual
b. Background to the Audit
Each AWP includes background information regarding the entity, program or function
to be audited. This background information reflects and generally builds on the
material for the particular audit that was included in the planned Audit Work Program.
c. Audit Objective
The audit objective is a key statement that is intended to define the intention of the
audit and must be expressed in terms that can be concluded against, such as
statements like ‘the audit reviewed the administration of program xyz’. The objective
of a performance audit is to provide an assessment of specified elements of an
entity's operations. The assessment should address one or more of the following:
administrative effectiveness; efficiency; or compliance. These terms are defined as
follows:
The audit objective and the audit scope are interrelated and should be considered
together. The audit objective needs to be realistic and achievable and give sufficient
understanding to the entity and other relevant parties about the focus of the audit.
The audit objective also provides the basis for developing the audit criteria and the
audit approach.
d. Audit Criteria
Suitable criteria shall be established to enable an assessment of the matters subject
to audit. They shall be expressed in the form of a question that will be subsequently
answered in the findings and conclusion of the audit. Audit criteria are reasonable
and attainable standards of performance against which the extent of administrative
effectiveness, efficiency or compliance aspects of an entity’s programs or activities
can be assessed. They reflect a desirable (normative) model for the subject matter
being reviewed. They represent good practice, a reasonable expectation of what
should be. Criteria may range from general to specific. Suitable criteria must be
identified for each audit. Suitable criteria are those that are relevant to the subject
matters being audited and appropriate to the circumstances.
e. Audit Scope
The audit scope defines the boundary of the audit. Determining the scope of the audit
is a critical part of the planning process as it directly affects the procedures and
resources that will be required to complete the audit and the matters that will be
reported. The scope is usually established based on information obtained in previous
audits and information gathered during the planning phase or through the conduct of
a scoping study.
Materiality and risk are generally considered together and assist to identify that part
of the entity, program or function that is material and/or high-risk and, therefore,
within scope. In assessing materiality and risk, a team would consider both
quantitative and qualitative factors. Auditability refers to assessing whether particular
matters can be included within the scope, that is, whether suitable criteria and audit
approaches are available or can be established within the timeframes proposed.
In defining the scope of the audit, it can also be useful to specify any associated
matters that are not within the scope of the audit and the reasons for their proposed
exclusion from the audit. The audit method sets out the means to be used to collect
information relating to the audit criteria. The method explains the intended use of
specific data collection tools such as sample surveys, case studies, interviews,
document reviews, compliance and/or system control analysis and testing. The audit
method also specifies where and why particular fieldwork is to be carried out and lists
the involvement of any external stakeholders.
f. Likely Impacts
The likely impacts describe the expected benefits of conducting the audit. Audit
teams may find it useful to consider the interests of relevant stakeholders, such as
Parliament, Commonwealth entities or the public, when assessing the likely impacts
of the audit. Performance audits should result in a lasting benefit to the entity (or
entities) audited, the Parliament or taxpayer, for example, through improved service
delivery, financial savings or improved governance.
g. Stakeholders
i. Internal stakeholders: engaging the IT Audit Branch
ii. External stakeholders
iii. Citizen contribution
The Audits in Progress section of the ANAO website has a feature that allows
members of the public to contribute information during the evidence collection stage
for all performance audits. The facility enables and promotes closer public
engagement with the audit process and aligns with broader Australian Government
initiatives to promote the use of technology to encourage more open and transparent
government, to have the public inform policy, and to provide better access to
government information.
h. Budget, Milestones and Target Dates
The estimated tabling date for each audit specified in the AWP shall take into
account the Parliamentary Calendar and the spread of tabling dates throughout the
year. Each AWP should include the key milestones and target dates for the audit.
These are the dates for:
i. The proposed commencement of the audit;
ii. Key points of PASG executive and the executive consultation (where
required);
iii. Reporting milestones; and
iv. The proposed tabling of the report.
i. Duration of Audit
If there is likely to be a significant delay between the date the AWP is approved and
the conduct of the entry interview (or commencement of the actual audit where an
entry interview is not practical), an explanation of the reasons for this should be
included in the AWP for Executive consideration and decision.
j. Cost of an Audit
This includes the estimated costs of staff resources and the employment of
contractors and experts, and the estimated costs of travel and report publication. The
costs of the initial planning phase of the audit and scoping study, where undertaken,
are also to be included.
k. The Audit Team
The audit team shall have the appropriate level of skills, competence and knowledge
to conduct a performance audit. The planning of an audit includes an assessment of
whether the team has adequate skills, competence and knowledge to undertake the
particular audit.
In determining the composition of the audit team, it would be expected that the
following factors will be taken into consideration:
i. The experience of the Audit Manager;
ii. The number, level and experience of other team members;
iii. The benefit of utilizing the IT Audit Branch to assist in conducting elements
of the audit;
iv. The benefit of engaging specialists and/or experts to support the in-house
team in addressing complex and/or technical issues; and
v. The complexity and expected impact of the audit.
The work of the audit team should be carefully directed and supervised throughout
the audit to ensure that the work will meet the ANAO Auditing Standards.
l. Engaging Contractors, Specialists or Experts
The Auditor-General, or delegate, may at any time engage the services of a person
under contract, with agreed terms of engagement, to assist with a performance audit.
The AWP should specify the reasons why contract resources are required, the
proposed involvement of the contractor, specialist or expert, and the estimated costs.
m. Materiality, Risk Assessment and Management Plan
The AWP for each audit shall briefly identify any significant risks or issues
confronting the audit. A detailed risk assessment and management plan is completed
and attached to the AWP that addresses each risk and its corresponding mitigation
strategy.
The audit team considers materiality and performance engagement risk when
planning and conducting an audit so that performance audit risk is reduced to an
acceptable level. Performance engagement risk means the risk that the auditor
expresses an inappropriate conclusion when the performance of an audited activity is
not materially effective, efficient or economic. This would arise where the conclusion
is based on evidence that is not soundly based or that is improper or incomplete as
the result of inadequacies in the evidence-gathering process, misrepresentation or
fraud.
Performance audit operational risk refers to the risk that an audit will not be
completed in accordance with the approved budget and timeframe and to the
required quality. Areas of possible operational risk can include:
i. The reputation of the ANAO arising, for example, from potential conflicts
with the results of previous audit coverage;
ii. The complexity of the audit itself; that is, the subject matter, the approach
being used and the proposed analytical techniques;
iii. The potential delays in obtaining access, documentation and/or being able
to hold discussions with relevant entity staff;
iv. The availability of appropriate audit resources;
v. Unexpected changes to the audit team;
vi. Changes to staff or administrative arrangements in the entity or program
subject to audit;
vii. Timely availability and reliability of entity information and data; and
viii. The quality of relations with the entity.
Each identified operational risk needs to be analysed by the degree of its likelihood of
occurring and impact and consequence on the audit if it occurs. Because this process
is often qualitative, i.e. based on stakeholders’ subjective judgements about the risk,
it is best to keep the range of descriptions simple.
i. Evaluating operational risks involves assessing both likelihood and impact to
determine the overall level of risk to the audit. The level of risk will determine
the governance level required in managing it - high level risks require higher
levels of governance input and approval; low level risks can be managed by
the lowest governance level, such as an audit team member; and
ii. In selecting treatments for operational risks there are a number of
approaches that decision-makers may take. Whatever approach is taken, it
will be necessary to determine if any residual operational risk remains and to
re-evaluate it.
5.3.2.2 Indonesia
The purpose of audit planning in a performance audit is to design the Audit Work Plan and
Audit Program of a detailed audit. These documents will be used as the basis for the detailed
audit, so it can be conducted efficiently and effectively. The audit planning activities consist
of 7 stages:
a. Determining Audit Potential Topics
The preliminary step in performance audit planning is to determine the audit
potential topic. Each audit working unit must prepare a potential topic. The main
purposes of determining audit potential topics are:
i. In order to enable the performance audit to improve the government
performance in providing the public service;
ii. In order to enable the audit to be more focused, so that the audit can be
conducted efficiently and effectively; and
iii. In order to enable the limited audit resources to be allocated in the proper
audit topics.
iv. The inputs which are required for this activity cover:
v. Strategic plan and the board’s policy on the performance audit;
b. Designing Preliminary Audit Program
Information that can be stated in the Preliminary Audit Program includes the
following:
i. Basis of audit;
ii. Standard of audit;
iii. Audited organization/program;
iv. Audited fiscal year;
v. Identity and general information of the audited entity;
This Preliminary Audit Program will be used by the auditor as guidelines in the
operation planning stage to identify:
i. Issues/problems related to the audited entity/program;
ii. Key area which becomes the focus in the implementation of the detailed
performance audit;
iii. Objective and scope of performance audit;
iv. Criteria of audit to be used, and
v. Type of evidence and procedures of audit.
c. Entity Understanding and Issues Identification
The auditor requires entity understanding in order to understand the main activity,
business process, encountered issues and problems, and regulations related to the
audited entity/activity/program.
In order to identify significant issues of the entity, there are two main approaches
which can be used, namely result-oriented approach and process-oriented
approach.
d. Determining the Key Area
The key area is an area, division, program or activity which is the focus of an audit in
the audited entity. The determination of a key area is very important so that the audit
can be more focused on the audit objective and the use of more efficient and
effective audit resources is feasible. In order to determine the key area priority, the
selection factors approach will be used.
e. Determining the Objective and Scope of Audit
The performance audit objective must be seriously considered and clearly stated.
The objective must be defined clearly in order to help the audit team in reaching the
final conclusion at the end of the audit. If the audit objective has been correctly and
clearly stated, the audit will be more directed to the activities that respond to the
questions arising from the audit objective. Therefore, the performance audit objective
must be defined accurately, in order to avoid unnecessary audit procedures. The
benefits of determining the objective and scope of audit are:
i. To assist in identifying issues to be audited and reported;
ii. To assist in focusing the audit evidence collection activities;
iii. To prepare the parameter or measurement of the audit limits such as the
audited period or location of the site audit to be chosen; and
iv. To help the audit team in making the decision at the end of audit.
The necessary inputs in the determination of audit scope and objectives activity are
the outputs of the entity understanding and issues identification activities and the
outputs of the key area determination activity. The steps required for determining the
objective and scope of audit are determining audit objective and determining the
audit scope.
f. Determining the Audit Criteria
Criteria are standards of performance that make sense and can be achieved, used to
evaluate the economy, efficiency and effectiveness aspects of the activities
performed by the audited entity. The criteria reflect a normative model of control of
the issues which are being reviewed. The criteria represent good practices, namely a
reasonable expectation of ‘what is supposed to be’. If the conditions meet or exceed
the criteria, this indicates that the entity has implemented the best practices. On the
other hand, if the condition does not meet the criteria, this indicates that an
improvement is necessary.
g. Drafting of Audit Work Plan and detailed Audit Program
After the auditor conducts a preliminary audit and decides to do a detailed audit, the
next step is to set up the Audit Work Plan and audit program of the detailed
audit. The Audit Work Plan for the detailed audit is a BPK detailed audit activity plan
for one year covering the topic of audit, audit type, human resources requirements
and audit budget. The main objectives of drafting the detailed audit work plan are to
determine the detailed audit topics to be carried out in one year, and to determine the
resources allocation, whether in the form of human resources, timing or budget,
required for each audit topic.
An adequate audit program is able to identify the significant aspects of the audit; is
prepared based on clear and accurate supporting information; provides guidance
in implementing effective evaluation; and assists in the collection of audit evidence which is
sufficient, reliable, and relevant to support the opinions/statements of opinion or the
audit conclusions and achieve the audit objectives.
5.3.2.3 Nepal
The process and procedures of the RBA plan for performance audit are almost the same as for
financial audit. In general, the planning process for performance audit can be shown in this
figure.
FIGURE 18
PERFORMANCE AUDIT PLANNING PROCESS
[Flowchart boxes: Review Background Information of the Entity; Review Operational Objectives, Strategy and Mandates; Prepare Segment Operation Model; Perform Operational Process Analysis; Perform Risk Assessment; Determine Audit Objectives, Scope and Methodology Audit Questions; Specify Audit Criteria; Prepare Audit Planning Memorandum]
Source: Nepal Performance Auditing Guide
Generally, the RBA approach for performance audit in Nepal is almost the same as for financial
and compliance audit. The summary of the RBA process for the performance audit can
be expressed as Table 5. .
5.3.3 Compliance Audit
Based on the document received, SAI Australia and Nepal do not have a specific compliance
audit. The compliance audit will be part of the financial audit. Only Indonesia has a specific
risk-based audit plan for compliance audit.
5.3.3.1 Indonesia
Based on the document received by the SAI Indonesia, audit planning for compliance audit
consists of 5 stages, which are:
a. Understanding the Audit Objectives and Engagement Expectation
Understanding the audit objectives and engagement expectation is carried out to reduce
the risk of misinterpreting the requested task or the expectations of other parties, both by
the Auditors as well as the Signing Officer.
Such understanding is obtained through communication between the Auditors and the
signing officer, taking into account the following inputs:
i. Previous year’s financial statements, performance, and special purpose audit
reports.
ii. Monitoring reports of follow-up on financial statements, performance, and
special purpose audits.
iii. Government internal audit reports.
iv. The entity’s database.
v. Communication with the previous Auditors.
The Auditors should properly communicate verbally or in writing with the signing officer,
the result of which must be documented in the audit objectives and engagement
expectation form. The form should be signed by the signing officer and the Auditors to
ensure uniform perception of the engagement. The form is used as one of the bases for
preparing an audit plan.
b. Understanding the Entity
Understanding the audited entity is intended to obtain data and information on:
i. The entity’s objectives;
ii. The entity’s main programs/activities;
iii. Objectives of the programs/activities;
iv. The entity’s accounting system;
v. Procedures to implement and supervise activities;
vi. Resources used to carry out activities; and
vii. Previous audit results and other studies associated with the audited matter.
Comprehensive understanding of the entity’s objectives, goals, strategies, and activities
helps the Auditors in identifying:
i. How the management can achieve the entity’s objectives and goals,
ii. The risks associated with achieving these goals, and
iii. How the management manages risks to achieve the entity’s objectives and
goals.
c. Assessing Risk and Internal Control
Steps in assessing risks are as follows:
i. Identify risks faced by the entity and the impacts of such risks on the attainment
of the entity’s objectives. The step is documented in the form of a risk
identification working paper.
ii. Take into consideration the impacts of laws and regulations, and the possible
risk of fraud.
iii. Ensure whether the entity has a sufficient control system to identify and
mitigate such risks. If the entity is found to have a weak control system, the
Auditors can: (1) stop internal control testing and write a conclusion on it, or
(2) carry out substantive testing by expanding the scope of audit and
evidence gathering.
iv. Set the audit to focus on areas with high risk potential for further audit after
taking into account points i, ii and iii above, which can affect the organization’s
activities, programs, and/or its public service functions to be audited. To
determine these key areas, the auditors assess the internal control system
(through understanding and testing) against risk potentials of the entity by
sampling based on risk level.
d. Setting Audit Criteria
When planning compliance audit, the auditors need to set criteria:
i. As a basis for communication between the Auditor and the audited entity’s
management regarding the form of the audit. The Auditors will make an
agreement with the specific entity regarding the criteria and the acceptability
or unacceptability of findings based on the criteria.
ii. As a tool to link the objectives with the audit program during evidence
gathering and analysis.
iii. As a basis for evidence gathering and the foundation for establishing
evidence gathering procedure.
iv. As a basis to establish findings, and to add structure and the form of audit
observation.
Once the sources of criteria have been obtained, the Auditors should check the suitability
of such criteria for use. The proper criteria should be reasonable and attainable.
Reasonable criteria should be relevant and reliable, while attainable criteria are those
that can be achieved with sufficient effort.
e. Preparing Audit Program and Individual Audit Program
The purpose of preparing Audit Program and Individual Work Program is to make it
easier and smoother for the Auditors to carry out their tasks so the audit implementation
will be in line with the specified audit objectives. The prepared Audit Program contains
information on legal basis, audit standards, audit objectives, audited entity, audit scope,
results from understanding the internal control system, audit goals, audit criteria and
others.
5.3.4 Integrated Results and Risk-Based Audit Plan (Philippines)
The Commission on Audit (SAI Philippines) primarily uses the Integrated Results and Risk-Based
Audit (IRRBA) Manual in conducting an integrated comprehensive audit and
government-wide and sectoral performance audit. Comprehensive audit comprises
financial audit, compliance audit, and agency-based performance audit.
IRRBA is composed of five main phases: (1) Strategic Planning and Risk Identification, (2)
Agency Audit Planning and Risk Assessment, (3) Execution, (4) Conclusion and Reporting,
and (5) Monitoring (see Figure 4.2). Audit planning occurs in two levels: government level
(Strategic Planning and Risk Identification) and agency level (Agency Audit Planning and
Risk Assessment).
FIGURE 19
IRRBA FRAMEWORK
Source: IRRBA Manual, Commission on Audit (2011)
5.3.4.1 Strategic Planning and Risk Identification
i. Perform Government Risk Identification
In this activity at the strategic level, SAI Philippines identifies the risks that the Philippine
Government as a whole may face in achieving its objectives.
a. Develop/Update the Government Risk Model (GRM)
The Government Risk Model (GRM) (Form 01-01) is a framework consisting of risks
categorized into groups that could threaten the government as a whole or the specific
processes of the government. The GRM includes a definition of each risk to have a
common understanding of risks. Risks are categorized as strategic risk, operations
risk, financial risk and compliance risk.
b. Identify Government Risks
In this activity, the SAI identifies risks which may hinder the government as a whole from
achieving its objectives. The sources of risk identification include the State of the Nation
Address of the President of the Philippines, the Medium Term Philippine Development
Plan, previous annual audit reports, media reports and the knowledge of the auditors.
This activity is documented using the Government Risk Identification Template (GRIT)
(Form 01-02) which plots the key government risks and the affected agencies including
processes, programs, activities or projects.
c. Report the results of GRI
The results of the GRI are cascaded down to the concerned audit groups through the
SAI Strategic Planning.
5.3.4.2 Agency Audit Planning and Risk Assessment
i. Prepare Agency Audit Work step
The Agency Audit Work step Template (Form 02-01) is accomplished by the Audit Team
Leader for each audited entity. It contains a phase by phase detail of the IRRBA showing
the estimated time to complete each phase and the audit team member assigned to
complete each activity.
ii. Understand the Agency
This activity involves the identification of risks applicable to the agency (agency risks). In
identifying the agency’s risks, the auditor obtains sufficient understanding of the agency
including its purpose, operations and environment. This may be done through the review of
relevant information on the agency and its environment, inquiry of the management and
others within the agency, and analytical procedures on financial and non-financial
information. This is documented using the Understanding the Agency (UTA) Template
(Form 02-02).
iii. Identify Significant Agency Risks
In this activity, the auditors of a particular agency convene to update the Agency Risk
Model and to identify and prioritize agency risks. At this level, they may also identify Key
Fraud Risks which shall be evaluated and assessed through the Fraud Brainstorming and
Fraud Risk Assessment.
a. Update the Agency Risk Model
The Agency Risk Model (Form 02-03) is a framework consisting of a list of agency risks
which is customized per Agency by obtaining information from the UTA template. It
serves as the guide in identifying agency risks. Agency risks are also categorized as
strategic risk, operations risk, financial risk and compliance risk.
b. Assess Agency Risks
In this activity, the auditor identifies agency risks based on the UTA and GRIT.
Identification of risks could be done through workshop, survey or interview. This is
documented using the Agency Risk Identification Matrix (Form 02-04).
c. Prioritize Significant Agency Risks
After the identification of agency risks, the auditors prioritize risks which are significant
based on the risk rating provided. Significant risks will be the audit team’s focus for
their audit.
iv. Understand and Assess Agency-level Controls
The auditor obtains an understanding of agency-level controls through inquiry and
observation due to the nature of agency-level controls and because audit evidence may not
exist or be available in documentary form. In this activity, the five components of internal
control are considered: control environment, risk assessment, monitoring, information and
communication, and control activities. This is documented using the Agency-Level Controls
(ALC) Checklist (Form 02-05).
v. Understand the Process
Significant processes where significant agency risks reside are the subject of understanding
the process.
a. Identify critical path of the process
In this activity, the auditor obtains an understanding of the critical path of significant
processes by understanding each of the following stages:
● Initiation – the point where the transaction first enters the agency’s process and is
prepared and submitted for recording
● Recording – the point where the transaction is first recorded in the books and
records of the agency
● Processing – any changes, manipulation or transfers of data in the books and
records of the agency
● Reporting – the point where the transaction is reported (i.e., posted) in the
general ledger
b. Identify process risks
Process risks refer to points where risks of material misstatement or risks to the
Agency Program/Activity/Project (PAP) objectives, due to error or fraud, can occur in
the significant process. Not all process risks are identified, but only those that could
have a material effect on the objectives of the process or PAPs. Professional judgment
is used in identifying the appropriate level of detail.
c. Identify Impact
The auditor determines the impact of the process risk by identifying the affected
accounts, including assertions, and its impact on the attainment of the objectives of an
agency’s PAPs.
d. Identify Existing Controls
In this activity, the auditor identifies the existing controls that address the identified
process risks and determines whether the design of these controls mitigates the
identified process risks. Any identified process risk with no controls in place or with
inadequate controls is communicated to management to provide them time to
address and resolve the control deficiency.
The auditor performs a walkthrough to obtain a preliminary assessment of the
effectiveness of controls. The process mapping flowchart including the identification of
process risks, controls and impact are documented using the Process-Risk-Control
(PRC) Matrix (Form 02-06).
vi. Conduct Audit Risk Assessment
The information obtained in UTA, ALC and PRC will be the basis in evaluating and
quantifying risks in the audit. The auditor assesses risk for financial, compliance and
agency-based performance audit.
a. Financial and Compliance Audits
In conducting risk assessment for financial and compliance audits, the auditor
assesses risk for each relevant assertion for each significant account.
i. Identify significant and material financial statement accounts
Significant accounts are the affected accounts identified in the understanding
the process using the PRC Matrix. Material accounts are those which fall
above the materiality threshold and are considered material based on
qualitative factors. Financial statement accounts that will be assessed are
those that are significant and material.
ii. Assess inherent risk
Inherent risk is assessed as either high or low. If the auditor believes that there
is a higher likelihood that a material misstatement could occur, inherent risk is
assessed as High. If the auditor believes that it is less likely that a material
misstatement could occur, inherent risk is assessed as Low.
iii. Preliminary Assess Control Risk
The preliminary evaluation is made after understanding the significant
processes, risks and controls and after performing walkthroughs, but before any
test of controls is performed. Control risk is assessed as Low if controls have
been designed and are operating effectively throughout the period of reliance.
On the other hand, control risk is assessed as High if:
● It is believed that the controls have not been designed appropriately,
implemented effectively, or are unlikely to operate effectively throughout
the period of reliance
● Substantive procedures are identified which are believed to provide the
necessary evidence to support the related account balances or disclosure
● It is believed that testing controls would be inefficient
iv. Make Combined Risk Assessment (CRA)
The auditor combines the assessments on inherent and control risks into one
CRA:
[Matrix: Inherent Risk Assessment (High, Low) against Control Risk Assessment (Low, High); resulting CRA levels: Minimal, Low, Moderate, High]
v. Other Material Accounts (OMA)
Other Material Accounts (OMA) refer to material financial statement accounts
that were not considered as significant based on the results of Agency Risk
Assessment and Understanding the Process. The auditor uses high precision
analytical procedures for OMAs (but this procedure should not be redundant
with the Analytic Review procedures done in the UTA Template).
b. Performance Audit
In conducting assessment for Performance Audit, the auditor considers the following
factors in evaluating each of the agency’s PAPs:
Quantitative Factor: Budget
Qualitative Factors:
a. Risk to good management
b. Significance
c. Visibility
d. Previous Audit Coverage
The risk assessments for Financial, Compliance and Performance Audits are
documented using the Audit Risk Assessment and Planning Tool (ARAPT) (Form
02-07).
i. Determine Audit Scope and Timing
The auditor defines the audit scope or the boundaries and limitations of the audit.
ii. Determine the need for specialized skills
The auditor determines whether to use the work of an appropriate expert.
The details of the work plan (i.e., scope, audit strategy, timing) are part of the ARAPT.
5.4 Extended Study on SAIs RBA Approach and Practices (Combination of RBA
and Other Approaches)
The research results show that the common actual process in preparing the plan among the
SAIs covers the following steps:
a. Understanding the Entity and Its Business Process (including previous audit
reports);
b. Conducting Initial Analytical Procedures;
c. Understanding the Internal Control System;
d. Initial Risk Identification and Risk Analysis
e. Risk Assessment: IR, CR, DR
f. Determining the Audit Materiality, Criteria
g. Preparing Audit Plan Memorandum
Those procedures are in line with ISSAI 1300 (Planning an Audit of Financial Statement),
ISSAI 1315 (Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment), and ISSAI 1320 (Materiality in Planning and
Performing an Audit).
Similar to ISSAI 1300, the research also shows that the auditor shall include in the audit
documentation: (a) The overall audit strategy; (b) The audit plan; and (c) Any significant
changes made during the audit engagement to the overall audit strategy or the audit plan,
and the reasons for such changes. The documentation of the overall audit strategy is a
record of the key decisions considered necessary to properly plan the audit and to
communicate significant matters to the engagement team. For example, the auditor may
summarize the overall audit strategy in the form of a memorandum that contains key
decisions regarding the overall scope, timing and conduct of the audit. A planning
memorandum is one form of this kind of documentation. The common approaches in
preparing the planning memorandum include the following information:
a. Basic information of the entity (including related parties and significant
events);
b. Audit objective and scope;
c. Audit methodology (including understanding the internal control system, risk
assessment, materiality, and sampling);
d. Audit resources (team, budget, timeline/timeframe);
e. Targeted area (significant risks); and
f. Audit Program.
Meanwhile, the different approach covers information about audit standard and audit criteria.
5.4.1 Risk Based Audit Plan for Financial Audit
The extended study found that most of the respondents have already implemented them in
the real audit practice. From the perspective of a principle-based standard, how the
procedure is performed might differ from one SAI to another. But the most important thing is that
each SAI has made appropriate efforts, through its own manuals and templates, to comply
with the requirements of ISSAIs. From the analysis, it has been found that there are no
different approaches on all the particular steps (5 steps). The common approach uses
templates, matrices, checklists, or audit programs based on their standards, manuals, and
guidelines.
Based on the research results, we may conclude that the Audit plan for financial audit should
include description of the nature, timing and extent of planned risk assessment procedures;
the nature, timing and extent of planned further (substantive) audit procedures at the
assertion level; and other planned audit procedures that are required to be carried out in
compliance with other ISSAIs. It means the majority has performed the steps required by
ISSAIs 1315 and 1330 in preparing an audit plan for financial audit.
5.4.2 Risk-based Audit Plan for Performance Audit
In line with requirement of ISSAIs 3000, 3100, and 3200, the research findings also indicate
that, in preparing an audit plan for performance audit, SAIs should implement the following
steps:
a. Understanding the audit topic and identifying problems in the area;
b. Selecting a focus for the audit or the "audit problem";
c. Designing and implementing responses to these assessed risks of material
misstatements;
d. Developing audit memorandum (and/or audit plan).
The majority of the audit plan for performance audit contains the following information:
b. Background knowledge and information needed to understand the entity to be
audited.
c. Initial assessment of the problem and risk, possible sources of evidence, auditability
and the materiality or significance of the area considered for audit.
d. Audit objective, questions or hypotheses, criteria, scope and period to be covered by
the audit.
e. Methodology, including techniques to be used for gathering evidence and conducting
the audit analysis.
f. Overall activity plan which includes staffing requirements, i.e. sufficient
competencies, human resources, and possible external expertise required for the
audit.
g. Estimated cost of the audit, key project timeframes, milestones and the main control
points of the audit.
5.4.3 Risk-based Audit Plan for Compliance Audit
In line with the requirement of ISSAIs 4000, 4100, research findings indicate that, in
preparing an audit plan for compliance audit, SAIs should implement the following steps:
a. Determine subject matter, criteria and scope of compliance audit;
b. Understand the entity;
c. Understand the control environment and internal control system;
d. Risk assessment of the subject matter/audited entity;
e. Consideration of risks of fraud;
f. Determine reliance on internal controls; and
g. Link identified risks to audit strategy (audit procedures).
The steps related to risk assessment and responses to assessed risks are the ones that still
need to be performed by ASOSAI Members (below 60% conduct these steps) so as to
comply with ISSAI.
The majority of the audit plan for compliance audit contains the following information:
i. The subject matter, criteria and scope of compliance audit;
ii. Description of the nature, timing and extent of risk assessment procedures sufficient
to assess the risks of non-compliance, related to the various audit criteria;
iii. Description of the nature, timing and extent of planned audit procedures related to
the various compliance audit criteria and risk assessments.
5.5 Summary
Based on the evaluation of documents from those 7 selected SAIs, the general
structure of the risk-based audit approaches was in accordance with ISSAIs and includes
the following steps:
| STEPS | FINANCIAL AUDIT | PERFORMANCE AUDIT | COMPLIANCE AUDIT |
| --- | --- | --- | --- |
| 1 | Understanding the entity and its environment | Selecting an audit topic as part of the strategic planning process | Identifying intended user(s) and responsible party |
| 2 | Understanding the entity’s internal control | Assessing potential audit topics in terms of risks, materiality and problems identified | Defining the subject matter and the corresponding audit criteria |
| 3 | Conducting risk assessment procedures | Selecting audit topics that are auditable (assessing auditability) | Understanding the entity and its environment |
| 4 | Determining materiality | Understanding the entity and the subject matter (what is audited) | Understanding the entity’s internal control |
| 5 | Establishing audit strategy and audit plan | Defining the audit objective(s) and audit questions | Assess risk |
| 6 | - | Defining the scope of the audit | Establishing materiality for planning purpose |
| 7 | - | Setting the audit criteria | Developing audit strategy and audit plan |
| 8 | - | Choosing audit methodology, including techniques to be used for gathering evidence and conducting the audit analysis. | - |
| 9 | - | Determining overall activity plan which includes staffing requirements, i.e. sufficient competencies, human resources, and possible external expertise required for the audit | - |
| 10 | - | Estimating cost of the audit, key project timeframes, milestones and the main control points of the audit | - |

Source: RBA Documents from the 7 selected SAIs
Even though there are differences of audit approach among participants, the
majority of SAIs agreed that the RBA Plan benefits the auditors.
PART 6
CONCLUSION AND IMPLICATIONS
6.1 Introduction
This part discusses the conclusion in relation to the research objectives, implications and
limitations of the research. It proposes some suggestions for future research.
6.2 Conclusion of Research
This study explores the methods used by the ASOSAI members in developing risk-based
audit plans for financial, performance and compliance audits in compliance with ISSAIs. It also
identifies the practices of the members in developing the plans for the three types of audits.
The study stems from the survey of ASOSAI members’ preferences on the topic for the 11th
research project. It focuses on risk-based audit planning, and data are collected using
survey questionnaires and documentation reviews.
6.2.1 Adoption of Risk-Based Audit Approach
The conclusion that can be drawn is that not all SAIs adopted the risk-based approach either
fully or partially in planning the audit. This suggests that the differences in their legal status,
mandates and authorities influence their adoption of the approach. Further analysis showed
that although the percentage of adoption is slightly than half of the respondents, majority of
the SAIs recognised that risk analysis is important in improving their audit effectiveness as
well as improving risk management and governance processes by reporting its assessment
of the risks of the audited entity. This is also supported by the results showing that most of
them agreed on the benefits of preparing the risk-based audit plan.
Slightly half of the SAIs whether they adopted the risk-based audit approach fully or partially
has structured guidelines for preparing the audit plans. In terms of the audit plan, most of the
SAIs prepare a separate audit plan for each type of audit.
6.2.2 Methods for Developing Risk-Based Audit Plan
It can be concluded that the methods in developing risk-based audit plan in terms of the
audit procedures and steps as well as the information of the plan for the financial,
performance and compliance audits generally comply with ISSAIs 1300, 4000 and 3000.
SAIs’ compliance to ISSAIs varies according to their mandates and regulatory requirements.
Some SAIs use their own standards in carrying out the audits.
i. Financial Risk-Based Audit Plan
Most of the SAIs comply with ISSAI 1315 (Identifying and assessing the risks of material
misstatement through understanding the entity and its environment) and ISSAI 1330 (The
auditor’s responses to assessed risks) on the inclusion of the nature, timing and extent of
planned risk assessment as well as substantive audit procedures in the audit plan. More
than 70% of the SAIs performed ISSAIs five steps in developing the financial audit plans
which include understanding the entity and its environment; identifying and assessing the
risks; designing and implementing responses, identifying specific procedures and
determining the audit procedures and extent of testing. The SAIs used models/ programmes/
forms/ tables/matrices/guides for all the steps in developing the audit plan.
ii. Performance Risk-Based Audit Plan
It can be concluded that most of the SAIs comply with the ISSAIs 3 steps for developing the
performance audit risk-based audit plan. The three steps are understanding the audit topic
and identifying problems; selecting the focus area or the audit problem; and designing and
implementing responses to the assessed risks.
Most of the SAIs’ audit plans contained the background knowledge and information regarding
the audited entity; an initial assessment of the problem risks, sources of evidence,
auditability and materiality/significance of the audit area; the objective,
questions/hypothesis, criteria, scope and duration of the audit; and the methodology,
including evidence-gathering techniques and audit analysis. Information on staffing
requirements, estimated cost of the audit, key project timeframes and milestones is included
by only some SAIs.
iii. Compliance Risk-Based Audit Plan
Compared to the financial and performance audits, SAIs’ compliance with the steps outlined
in ISSAI 4100 for developing an audit plan for compliance audit is lower, i.e. 13-17 SAIs. The
steps required are determining the subject matter, criteria and scope; understanding the
entity; understanding the control environment and internal control system; risk assessment;
consideration of fraud risks; extent of reliance on internal control; and linking the identified
risks to audit procedures. The study showed that only 13 SAIs linked the identified risks
to audit procedures.
Analysis of the information included by the SAIs in the audit plan revealed that about half
of the SAIs described the subject matter, criteria, scope, and the nature, timing and extent of
planned audit procedures related to the audit criteria and risk assessment. Only some SAIs
described the nature, timing and extent of risk assessment procedures.
6.2.3 Assessing Risk, Materiality and Internal Controls
It can be concluded that materiality in planning and performing the audit is very much
emphasised in the financial audit, followed by the performance and compliance audits. The
COSO framework on internal control is used by less than half of the SAIs. Even though other
SAIs did not formally adopt the framework, they considered the components of the COSO
framework to understand or assess the entity’s internal control. The components include
control environment, risk assessment, control activities, information and communication and
monitoring activities. The survey research showed that most of the SAIs considered the
control and inherent risks rather than the detection risk in preparing the audit plan.
6.2.4 Practices in Developing Risk-Based Audit Plan
Based on the extended study, which reviewed the documents submitted by the respondents, it
can be concluded that the majority of the SAIs do not fully adopt the risk-based audit approach.
Only SAI of Australia, SAI of Indonesia, SAI of Philippines and SAI of Nepal adopted the
approach fully. The four SAIs have structured and detailed risk-based audit planning
guidelines. The financial risk-based audit plans for SAI Australia and SAI Nepal include the
compliance audit. SAI Indonesia has a specific risk-based plan for compliance audit. SAI
Philippines has an integrated audit plan for financial, performance and compliance audits.
i. Financial Risk-Based Audit Plan
The practices in developing the risk-based audit plan for the financial audit are in
accordance with ISSAI 1300. The common practices of the SAIs which fully or partially
adopted the risk-based audit approach in developing the financial risk-based audit plan are
as follows. Firstly, the auditor must thoroughly understand the audited entity in terms of
the business, associated risks and internal control. This can be done by reviewing
documents, walking through the business/accounting process or holding discussions with the
audited entity. Secondly, the auditor must perform risk identification and assessment so that
the audit procedures will be focused on high risk areas caused by misstatements or fraud.
Thirdly, in developing the audit strategy, the auditor must consider the materiality threshold
to identify the topics/areas to be audited and to determine the nature, timing and extent of
audit procedures. Lastly, the auditor develops the risk-based plan including the audit
programmes.
ii. Performance Risk-Based Audit Plan
The practices carried out by the SAIs which fully or partially adopt the risk-based audit
approach in developing the risk-based performance audit plan are in accordance with
ISSAI 3000. Based on ANAO practices, the steps involved are:
a. The auditor must gain an in-depth understanding of the programme/activity/project and
its context. The appropriate information to be gathered includes the objectives of the
entity; external and internal accountability relationships; resources; management
processes; performance goals; methods of programme delivery; the external environment;
and other publicly available information on the programme.
b. The auditor must consider materiality and risk so that the risk is reduced to an
acceptable level. Materiality must be considered in the context of qualitative and
quantitative factors. The auditor must assess the performance engagement risk and
the performance audit operational risk.
c. Lastly, the auditor develops the audit planning memorandum. The content includes the
rationale for undertaking the audit, background for the audit, the audit objective(s),
scope and criteria, audit method, likely impacts, identification and consultation with
internal and external stakeholders, audit budget, milestones, target dates and overall
performance audit engagement risk and operational risk rating.
iii. Compliance Risk-Based Audit Plan
The practices carried out by the SAIs which fully or partially adopt the risk-based audit
approach in developing the risk-based plan for the compliance audit are in accordance with
ISSAI 4000. The five-stage practice in developing the risk-based plan for compliance audit
includes understanding the audit objectives and engagement expectation; understanding the
entity; assessing risk and internal control; setting audit criteria; and preparing the audit
programme and individual audit programme (Indonesia).
6.3 Implications of Research
i. ASOSAI
ASOSAI should encourage all members to adopt/follow the risk-based audit approach. The
implementation of risk-based audit methodology in accordance with ISSAIs will enable the
auditors to perform the audits more efficiently and effectively. ASOSAI could conduct training
programmes or workshops on the risk-based audit approach. SAIs with in-depth knowledge of
the facet of risk may contribute to the implementation of risk-based audit plans at the
regional or sub-regional levels. ASEAN Supreme Audit Institutions (ASEANSAI) has recently
completed the long-term training programme on ISSAIs implementation (2013 – 2018) on
financial risk-based audit, which resulted in the creation of a pool of experts/trainers.
ii. SAI
The support and commitment of the Heads of SAIs are critical for the adoption of the
risk-based audit approach at the SAI level. To implement the approach, SAIs need to revise or
align their auditing guidelines or manuals. There should be structured and detailed
guidelines or manuals on risk-based audit planning. The SAIs should conduct their own training
programmes on ISSAIs risk-based auditing. The exchange of knowledge and experiences
on the approaches to risk-based audit planning is useful for the auditors.
6.4 Limitations of Research
Some limitations should be considered when interpreting the results of this study. Firstly, the
results are based on 25 SAI respondents, which limits the generalizability of the results to
the 48 ASOSAI member SAIs. Secondly, there is insufficient empirical study on risk-based
audit planning as practised in the public sector compared to the private sector. This
limits the discussion of the findings. Thirdly, this study’s research method uses samples of
audit engagements among ASOSAI member countries in developing the risk-based audit
plans. Comparison with private sector practices is not made due to time constraints.
Lastly, the accuracy of the responses given by the SAIs also affects the validity and reliability
of the study results.
6.5 Suggestions for Future Research
In spite of the limitations, this study’s findings provide evidence of the methods and practices
conducted by the SAIs in developing the risk-based audit plan for the financial, performance
and compliance audits. Future research is warranted to look into private sector practices in
developing the risk-based audit plan which can be emulated by ASOSAI member SAIs. The
research scope could be expanded to include the execution and implementation stages
besides the planning stage. Comparison with the practices of internal auditors will assist
public sector auditors in understanding the risk-based audit approach and preparing the audit
plan.
97
Methods for Developing Risk-Based Audit Plan
REFERENCES
Arun District Council (2009). Risk-Based Auditing. Retrieved April 29, 2009
Arens A, Elder RJ, Beasley (2012). Auditing and Assurance Services: An Integrated
Approach. 14thed. Pearson Prentice Hall.
Bell, T. B., M. E. Peecher, and I. Solomon. 2005.The 21st Century Public Company Audit.
Conceptual Elements of KPMG’s Global Audit Methodology. University of Illinois at Urbana–
Champaign, IL:
Bowlin, K. 2011. Risk-Based Auditing, Strategic Prompts and Auditor Sensitivity to the
Strategic Risk. The Accounting Review. Vol.86,No.4.pp.1231-1253.
Burk,J.A., & Hendry, J.A. 2014. Risk-Based Auditing Developing a Comprehensive View of
Risk. www.asse.org
Cooper, H.M. 1998. Synthesizing Research: A Guide for Literature Reviews. Sage
Publications, Inc.
Domokos, L., Nyeki,M., Jakovac, K., Nemeth, E., Hatvani, C. 2015. Risk Analysis and Risk
Management in the Public Sector and in Public Auditing. Public Finance (Quarterly)
Etikan, I., Musa, S., & Alkassim, R. (2015, December 22). Comparison of Convenience
Sampling and Purposive Sampling. American Journal of Theoretical and Applied Statistics,
1-4.
Retrieved
December
1,
2016,
from
http://article.sciencepublishinggroup.com/pdf/10.11648.j.ajtas.20160501.11.pdf.
Fellingham, J. C., and D. P. Newman. 1985. Strategic considerations in auditing.The
Accounting Review60
IFAC. (2011b, November 09). Guide to Using ISAs in the Audits of Small- and Medium-Sized
Entities, Vol. 2 - Practical Guidance. Retrieved April 2016, from International Federation of
Accountants:
https://www.ifac.org/system/files/publications/files/SMP-ISA-Audit-GuideVolume-2-3e_0.pdf
Internal Audit Community of Practice. (2014, April). Risk Assessment in Audit Planning: A
guide for auditors on how best to assess risks when planning audit work. Retrieved January
17, 2017, from Public Expenditure Management Peer Assisted Learning:
https://www.pempal.org/sites/pempal/files/event/attachments/cross_day-2_4_pempal-iacoprisk-assessment-in-audit-planning_eng.pdf
Knechel, W. R. 2007. The business risk audit: Origins,
opportunities.Accounting, Organizations and Society32 (4–5): 383–408
obstacles
and
Kinney, W. R. 2005. Twenty-five years of audit deregulation and re-regulations: What does it
mean for 2005 and beyond? Auditing: A Journal of Practice & Theory24: 89–109.
Laudato, M. (2016, November 16). Performing effective (and efficient) audits - the
importance of planning and materiality. Retrieved January 17, 2017, from Association of
Chartered Certified Accountants: http://www.accaglobal.com/an/ en/member/discover/cpdarticles/audit-assurance/effective-audits.html
98
Methods for Developing Risk-Based Audit Plan
Lord. A.T. (1992). Pressure: a methodological consideration for behavioral research in
auditing. Auditing: A Journal o f Theory and Practice(11)2: 90-108.
McNamee, D. (1997) Risk-based Auditing. The Internal Auditor; Aug 1997; 54, 4; 22-27
Michael, R. 2009. Risk-Based Audit Best Practices. Journal of Accountancy; Dec 2009; 208,
6; ABI/INFORM Collection. pg. 32.
O’Donnell, E., and J. J. Schultz. 2005. The halo effect in business risk audits: Can strategic
risk assessment bias auditor judgment about accounting details? The Accounting Review 80
(3):
Peecher, M.E. (1996) The influence o f auditor's justification processes on their decisions: a
cognitive model and experimental evidence. Journal o f Accounting Research(34)1: 125140.
Pickett, S. (2003). Internal Auditing Handbook. New Jersey: Wiley.
Pickett, S. (2006). Audit Planning: A Risk-Based Approach. New Jersey: John Wiley & Sons,
Inc.
Quilliam, W.C. (1993). Examining the effects o f accountability on auditors’ valuation
decisions. Working Paper, University o f South Florida.
Rittenberg, L. E., and B. J. Schwieger. 2005.Auditing: Concepts for a Changing
Environment, 5e. Mason,
Salehi, M., & Khatiri, M. (2011, May 18). A study of risk based auditing barriers: Some
Iranian evidence. African Journal of Business Management, 5(10), 3923-3934. Retrieved
January 18, 2017, from http://www.academicjournals.org/journal/AJBM/article-full-textpdf/AE4412739929
Zacchea, N.M. 2003. Risk-based audit target selection can increase the probability of
conducting value-added audits. The Journal of Government Financial Management; Spring
2003; 52, 1; ABI/INFORM Collection
Rittenberg and Schwieger 2005; Knechel 2007 (4): 634–650.
Rittenberg, L. E., and B. J. Schwieger. 2005.Auditing: Concepts for a Changing
Environment, 5e. Mason, OH: Thomson South-Western.
Yates, J.F. (1992). Risk-Taking Behavior. New York: John Wiley & Sons.921–939.
99
Methods for Developing Risk-Based Audit Plan
Appendix 1
11th ASOSAI Research Project Survey Questionnaire
[The questionnaire is prepared to obtain information for developing Risk Based audit plan
under ARP]
Background: As per ASOSAI Strategic Plan 2016 – 2021, the ASOSAI Secretariat on the
basis of survey among SAIs of the region has taken the topic “Methods for developing
Risk-Based Audit Plan” as 11th ASOSAI Research Project (ARP) as selected at the 49th
Governing Board meeting held in Kuala Lumpur, Malaysia in February 2015.
In this regard, you are humbly requested to provide the following information:
I. Basic Information of your SAI;
II. Information pertaining to the preparation of audit plan (or risk-based audit
plan);
III. How the internal control system and risk are being assessed; and
IV. Documentation in the preparation of Risk-Based audit plan
The information will be used in the research project that can be used by the auditors as
reference in the preparation of a Risk-Based Audit Plan which may sufficiently increase the
audit qualities given the low level or scarce resources.
Please submit the filled-in questionnaire to ___________ at_________ by________ (should
be typewritten in English and prepared in Microsoft Word format).
Country of your SAI:
Name and Position of respondent:
I. Basic Information of your SAI
a) Establishment year:
b) Constitutional/Legal status:
c) Mandate (functions/responsibilities):
d) Type of SAI (Westminster, Judicial, or Board/Collegiate):
II. Information pertaining to the preparation of Audit Plan or Risk-Based Audit Plan (please tick in the answer boxes)
Questions (Answers: Yes / No / Not Applicable)
1. Types of Audit Conducted and Audit
Approach/Methodology
(a) What are the types of audit conducted by your SAI?
(i) Financial Audit
(ii) Performance Audit
(iii) Compliance Audit
(iv) Others (Please specify)
_________________________
_________________________
(b) Do you prepare separate Audit Plan for each type of audit
conducted?
(c) What is the audit approach/methodology being adopted by
your SAI?
(i) Risk-Based Audit Approach
(ii) Systems-Based Audit Approach
(iii) Others (Please specify)
_________________________
(d) If you adopt risk- based audit approach, do you have a
structured guideline in preparing a risk-based audit plan?
If yes, please describe the process briefly
(e) Do you use risk analysis for the preparation of the Audit
Plan?
(f) Do you prepare a Planning memorandum for financial,
compliance and performance audit?
If yes, please enumerate and describe briefly the contents of
your planning memorandum
(g) Do you think the following benefits were achieved in
preparing a Risk-Based Audit Plan? (As Per paragraph 2 of
ISSAI 1300)
(i) Helping the auditor to devote appropriate attention to
important areas of the audit
(ii) Helping the auditor in identifying and resolving potential
problems on a timely basis
(iii) Helping the auditor properly to organize and manage the
audit engagement so that it is performed in an effective
and efficient manner
(iv) Assisting in the selection of engagement team members
with appropriate level of capabilities and competence to
respond to anticipated risks, and the proper assignment of
work to them
(v) Facilitating the direction and supervision of engagement
team members and the review of their work
2. Preparing Audit Plan for Financial Audit
(a) Does your Audit Plan for financial audit include a description of
the following:
(i) Nature, timing and extent of planned risk assessment
procedures (ISSAI 1315)
(ii) Nature, timing and extent of planned further
(substantive) audit procedures at the assertion level
(ISSAI 1330)
(iii) Other planned audit procedures that are required to be
carried out in compliance with other ISSAIs
(b) Do you perform the following steps in developing an audit
plan for financial audit?
(i) Obtain an understanding of the entity and its
environment, including the entity’s internal control
If the answer is Yes, please indicate the name and
contents of the template/s used (You may use separate
sheet of paper for description).
___________________
___________________
(ii) Using the understanding of the entity to identify and
assess the risks of material misstatement at the financial
statement and assertion levels (Risk Assessment)
If the answer is Yes, please indicate the name and
contents of the template/s used (You may use separate
sheet of paper for description if needed).
___________________
(iii) Designing and implementing responses to these
assessed risks of material misstatements
If the answer is Yes, please indicate the name and
contents of the template/s used (You may use separate
sheet of paper for description if needed).
___________________
___________________
___________________
(iv) Identify specific procedures required for material financial
statement areas
If the answer is Yes, please indicate the name and
contents of the template/s used (You may use separate
sheet of paper for description if needed).
___________________
___________________
(v) Determine what audit procedures and the extent of
testing required
If the answer is Yes, please indicate the name and
contents of the template/s used (You may use separate
sheet of paper for description if needed).
___________________
___________________
(vi) Please specify other steps not enumerated above (You
may use separate sheet of paper for description if
needed).
____________________
_____________________
_____________________
3. Preparing Audit Plan for Performance Audit
(a) Do you perform the following steps in developing an audit
plan for performance audit?
i. Understanding the audit topic and identifying problems in
the area
ii. Selecting a focus for the audit – “the audit problem”
iii. Designing and planning the audit engagement
- Methodological planning (audit design)
- Administrative planning
iv. Please specify other steps not enumerated above (You
may use separate sheet of paper for description if needed).
______________________________
_______________________________
(b) Does your Audit Plan for performance audit contain the
following information?
i. Background knowledge and information needed to
understand the entity to be audited.
ii. Initial assessment of the problem and risk, possible
sources of evidence, auditability and the materiality or
significance of the area considered for audit.
iii. Audit objective, questions or hypotheses, criteria, scope
and period to be covered by the audit.
iv. Methodology, including techniques to be used for
gathering evidence and conducting the audit analysis.
v. Overall activity plan which includes staffing requirements,
i.e. sufficient competencies, human resources, and
possible external expertise required for the audit
vi. Estimated cost of the audit, key project timeframes,
milestones and the main control points of the audit
4. Preparing Audit Plan for Compliance Audit
(a) Do you perform the following steps in developing an audit
plan for compliance audit?
i. Determine subject matter, criteria and scope of compliance
audit
ii. Understand the entity
iii. Understand the control environment and internal control
system
iv. Risk assessment of the subject matter/audited entity
v. Consideration of risks of fraud
vi. Determine reliance on internal controls
vii. Link identified risks to audit strategy (audit procedures)
viii. Please specify other steps not enumerated above (You
may use separate sheet of paper for description if needed).
____________________
_____________________
(b) Does your Audit Plan for compliance audit contain the
following information?
i. A description of identified criteria related to the scope and
characteristics of the compliance audit and to the legal,
regulatory or appropriations framework
ii. Description of the nature, timing and extent of risk
assessment procedures sufficient to assess the risks of
non-compliance, related to the various audit criteria
iii. Description of the nature, timing and extent of planned
audit procedures related to the various compliance audit
criteria and risk assessments
5. Determining Materiality at Planning Stage
(a) Do you determine materiality in planning and performing the
audit for:
i. Financial Audit
ii. Performance Audit
iii. Compliance Audit
III. Internal Control System and Risk Assessment
Questions (Answers: Yes / No / Remarks)
a) Do you use the COSO Framework in understanding the
entity’s internal control?
i. If the answer is No, please indicate the
framework followed (You may use separate
sheet of paper for description if needed).
____________________________
b) Do you consider the following components in
understanding/assessing the entity’s internal control?
(i) Control Environment
(ii) Risk Assessment
(iii) Control Activities
(iv) Information and Communication
(v) Monitoring Activities
c) Do you consider the assessment of the following risks in the
preparation of the Audit Plan?
(i) Inherent Risk
(ii) Control Risk
(iii) Detection Risk
IV. Documentation (Contents/Elements of the Audit Plan)
[Audit planning documents contain an overall activity plan which includes staffing
requirements i.e. sufficient competencies, human resources and possible external
expertise required for the audit, an indication of the sound knowledge of the auditors
according to the type of audit, background information of the auditee organization etc.]
1. Please enumerate the elements/contents of your Audit Plan for Financial Audit giving brief
description of each element:
Your answer: (You may use separate sheet of paper for description if needed).
2. Please enumerate the elements/contents of your Audit Plan for Performance Audit giving
brief description of each element:
Your answer: (You may use separate sheet of paper for description if needed).
3. Please enumerate the elements/contents of your Audit Plan for Compliance Audit giving
brief description of each element:
Your answer: (You may use separate sheet of paper for description if needed).
4. If you have any other relevant comments regarding the whole issue, please specify below
(You may use separate sheet of paper for description if needed).
Appendix 2
RESEARCH TEAM MEMBERS
COUNTRY: TEAM MEMBERS
Bangladesh: Mr. Anisur Rahman; Mr. Gour Chandra Roy
Indonesia: Mr. Endra Noviandy Sujadi; Mr. Dedi Suprianto
Iran: Mr. Hadi Favachi; Mr. Abbas Ghaderiazad
Iraq: Mr. Khalid Hussein Ali; Ms. Najah Suhail Abed; Mrs. Israa Ezziddeen Ali
Kuwait: Ms. Eman E Kh A Alhuwaidi; Mr. Abdullah Ahmed AlSubaie; Mr. Talal Tareq Alwaheeb
Malaysia (Chair): Ms. Patimah Ramuji; Ms. Ivy K Yon; Ms. Jannaatu ‘Adnin Maslan
Philippines: Ms. Abigael Jamille Paraiso Julao; Ms. Sofia Cabides Gemora
Russia: Mr. Vladimir Kuleshov; Mr. Mikhail Karev; Mrs. Ekaterina Nikitina; Mr. Vadim Dubinkin
Saudi Arabia: Mr. Abdulrahman Mohammed; Mr. Mohammad Falah Al Wahby
South Korea: Ms. Joo Yean Cho; Mr. Soowan Hong
Vietnam: Mr. Nam Hoai Le; Mr. Bach Xuan Do