Methods for Developing Risk-Based Audit Plan

TABLE OF CONTENTS

ACKNOWLEDGMENT
TABLE OF CONTENTS
LIST OF ABBREVIATIONS
LIST OF TABLES
LIST OF FIGURES
ABSTRACT

PART 1 INTRODUCTION
1.1 Background of the Research
1.2 Problem Statement
1.3 Research Objectives and Scope
1.4 Significance of the Study
1.5 Summary

PART 2 LITERATURE REVIEW
2.1 Introduction
2.2 Risk-Based Auditing
2.3 Risk-Based Auditing Approach
2.4 Risk-Based Auditing Planning
2.5 Audit Risks
2.6 Attributes of a Good Audit Planning Memorandum
2.7 Summary

PART 3 RESEARCH METHODOLOGY
3.1 Introduction
3.2 Research Methodology
3.3 The Descriptive Design
3.4 Research Instrument
3.5 Data Collection
3.5 Summary

PART 4 RESULTS BASED ON QUESTIONNAIRE
4.1 Introduction
4.2 Descriptive Results
4.3 Adoption of Risk-Based Audit Approach
4.4 Preparation of the Audit Plan/Risk-Based Audit Plan
4.5 Methods in Developing Risk-Based Audit Plan
4.6 Summary

PART 5 RESULTS BASED ON EXTENDED STUDY
5.1 Introduction
5.2 Analysis of Results
5.3 Extended Study on SAIs RBA Approach and Practices (Fully Adopted RBA)
5.4 Extended Study on SAIs RBA Approach and Practices (Combination of RBA and Other Approaches)
5.5 Summary

PART 6 CONCLUSION AND IMPLICATIONS
6.1 Conclusion
6.2 Implications
6.3 Limitations
6.4 Suggestions for Future Research

REFERENCES
Appendix A Questionnaire
Appendix B Research Team Members

ACKNOWLEDGEMENTS

It is with immense pleasure that the National Audit Department of Malaysia (NADM) presents this 11th ASOSAI Research Project on “Methods for Developing Risk-Based Audit Plan”. The research team led by NADM wishes to express its deep appreciation to those who have contributed to the completion of this report. A special acknowledgment goes to the Auditor General of Malaysia and Chair of ASOSAI, Tan Sri Dr. Madinah Mohamad, who has personally provided professional guidance in enhancing the research report. Our gratitude goes to the NADM reviewer team, who provided their expertise in improving the final report. Our appreciation also goes to the SAIs which responded to the questionnaires and to the three SAIs that hosted the research meetings, namely the Board of Audit and Inspection of South Korea, the State Audit Office of Vietnam and the State Audit Bureau of Kuwait. Thank you for your support of the research project.

Lastly, this research project would not have been possible without the spirit of cooperation and high commitment of the Heads of participating SAIs and the research team comprising the SAIs of Bangladesh, Indonesia, Iran, Iraq, Kuwait, Malaysia, Philippines, Saudi Arabia, South Korea, Russia and Vietnam. A great deal of time and effort has been put into producing this research project. It is our hope that the results of this research provide insights for the ASOSAI members to develop ISSAI-compliant risk-based plans for the financial, performance and compliance audits.
LIST OF ABBREVIATIONS

ACCA: Association of Chartered Certified Accountants
AF: Assurance Factors
ANAO: Australian National Audit Office
AR: Audit Risk
ASOSAI: Asian Organisation of Supreme Audit Institutions
AWP: Audit Work Plan
BPK: The Audit Board of Indonesia
CAATs: Computer Assisted Audit Techniques
COA: Commission on Audit (SAI Philippines)
COSO: The Committee of Sponsoring Organisations of the Treadway Commission
CR: Control Risk
DR: Detection Risk
FSLI: Financial Statement Line Item
GRI: Government Risk Identification
GRM: Government Risk Model
GWSPA: Government-wide and Sectoral Performance Audit
IAASB: International Auditing and Assurance Standards Board
ICT: Information and Communication Technology
IFAC: International Federation of Accountants
INTOSAI: International Organisation of Supreme Audit Institutions
IR: Inherent Risk
IRRBA: Integrated Results and Risk-based Audit
ISA: International Standards on Auditing
ISSAIs: The International Standards of Supreme Audit Institutions
OCAG: Office of the Comptroller and Auditor General (SAI Bangladesh)
PASG: Performance Audit Services Group
RAD: Risk Assessment Document
RBA: Risk-based Audit
RoMM: Risk of Material Misstatement
SAI: Supreme Audit Institution

LIST OF TABLES

TABLE 1 ISSAI PRE-PLANNING STAGE
TABLE 2 ANSWERS OF 25 SAIS ON QUESTIONS PERTAINING TO CRITERIA
TABLE 3 SELECTED SAIS FOR EXTENDED STUDY
TABLE 4 DESCRIPTIVE DETAILS OF RESPONDENTS (PERCENTAGE IN PARENTHESES)
TABLE 5 AUDIT APPROACHES ADOPTED BY SAIS
TABLE 6 PROCESS OF PREPARING A RISK-BASED AUDIT PLAN
TABLE 7 CONTENTS OF PLANNING MEMORANDUM
TABLE 8 BENEFITS IN PREPARING A RISK-BASED AUDIT PLAN
TABLE 9 TEMPLATES USED IN UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
TABLE 10 RISK ASSESSMENT TEMPLATE
TABLE 11 OTHER STEPS IN THE FINANCIAL AUDIT PLANNING STAGE
TABLE 12 OTHER STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN
TABLE 13 INFORMATION INCLUDED IN THE PERFORMANCE AUDIT PLAN
TABLE 14 STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN AS PER ISSAI 4100
TABLE 15 OTHER STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN
TABLE 16 ALTERNATIVE METHODS IN UNDERSTANDING INTERNAL CONTROL SYSTEM
TABLE 17 COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK CONSIDERED BY SAIS
TABLE 18 RISK ASSESSMENT IN THE PREPARATION OF AUDIT PLAN
TABLE 19 AUDIT APPROACHES
TABLE 20 RBA PLAN
TABLE 21 METHODS IN DEVELOPING RBA PLAN: FINANCIAL AUDIT
TABLE 22 METHODS IN DEVELOPING RBA PLAN: PERFORMANCE AUDIT
TABLE 23 METHODS IN DEVELOPING RBA PLAN: COMPLIANCE AUDIT
TABLE 24 RATIONALE FOR CONDUCTING THE AUDIT

LIST OF FIGURES

FIGURE 1 DATA COLLECTION FOR DESCRIBING METHODS USED BY THE ASOSAI MEMBERS IN DEVELOPING RISK-BASED AUDIT PLAN
FIGURE 2 SAI THAT SUBMITTED SURVEY QUESTIONNAIRE
FIGURE 3 DATA COLLECTION FOR DESCRIBING METHODS USED BY THE ASOSAI MEMBERS IN DEVELOPING RISK-BASED AUDIT PLAN
FIGURE 4 PREPARATION OF AUDIT PLANS
FIGURE 5 SAIS HAVING STRUCTURED GUIDELINES PREPARING RISK-BASED AUDIT PLAN
FIGURE 6 SAIS USING RISK ANALYSIS IN THE PREPARATION OF THE AUDIT PLAN
FIGURE 7 SAIs PREPARING APM FOR FINANCIAL, COMPLIANCE AND PERFORMANCE AUDITS
FIGURE 8 SAIS WHICH INCLUDE ISSAI-REQUIRED DESCRIPTIONS OF PROCEDURES IN THE AUDIT PLAN FOR FINANCIAL AUDIT
FIGURE 9 SAIS WHICH PERFORM THE STEPS IN DEVELOPING AN AUDIT PLAN FOR FINANCIAL AUDIT IN
FIGURE 10 STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN AS PER ISSAI
FIGURE 11 INFORMATION INCLUDED IN THE COMPLIANCE AUDIT PLAN
FIGURE 12 SAIS DETERMINING MATERIALITY IN PLANNING AND PERFORMING THE AUDIT
FIGURE 13 ADOPTION OF COSO FRAMEWORK
FIGURE 14 PROCESS DOCUMENTATION/WALKTHROUGH FOR THE BUSINESS PROCESS OR ACCOUNTING PROCESS
FIGURE 15 TEMPLATE ON ASSESSING RISKS AND INPUT TO THE BRIDGE
FIGURE 16 THE BRIDGE PROCESS
FIGURE 17 KEY STEPS IN START-UP PHRASE
FIGURE 18 PERFORMANCE AUDIT PLANNING PROCESS
FIGURE 19 IRRBA FRAMEWORK

ABSTRACT

The research study sets out to examine the methods used in developing risk-based audit plans and to identify the practices in developing financial, performance and compliance audit plans in compliance with ISSAIs. A descriptive design is utilised to obtain information about the methods and practices on risk-based audit plans. The respondents were the 48 ASOSAI member countries. A semi-structured survey questionnaire comprising open and closed ended questions is used to gain a broad and deep understanding of the risk-based audit implemented by the ASOSAI members.
Specific criteria for the respondents are given to ensure that they provide complete and accurate information. The survey results are analysed and, based on the analysis, 11 SAIs (Australia, Bangladesh, Cyprus, India, Indonesia, Iraq, Jordan, Malaysia, Nepal, Philippines and Singapore) are selected for extended study according to the determined criteria.

The research study found that all respondent SAIs conduct financial audit, while compliance and performance audits are not performed by every SAI. Aside from the three main audit types, SAIs conducted other audits which have similarities with the three audits, particularly in the cases of SAIs Australia, Bangladesh, China and Japan. The primary reason for the differences in the audits being conducted is the legal framework, mandate and authority of the SAI. It is revealed that not all SAIs adopted the risk-based approach, either fully or partially, in planning the audit. Other approaches are also used, such as system-based, results-oriented, problem-based, transaction-based, fundamental and topic-based audit. This suggests diversity in the audit methodologies adopted by the ASOSAI members. In spite of that, the majority of the SAIs recognised the benefits of preparing the risk-based audit plan.

On the preparation of the audit plan, the findings revealed that most of them prepared separate audit plans for the financial, performance and compliance audits. The preparation of the procedures/steps/content requirements of financial, performance and compliance audit plans is in accordance with ISSAI 1300 - Planning an Audit of Financial Statements, ISSAI 3000 - Standard for Performance Auditing and ISSAI 4000 - Compliance Auditing Standard. Compliance with ISSAIs is highest in the financial audit, followed by performance and compliance audits. A significant number of SAIs do not use a guide or are not required to do so due to organisational or legislative reasons. Structured guidelines will provide guidance on the methods/procedures in developing the plans.
Even though there are SAIs which do not adopt the risk-based approach, the majority of them conducted risk analysis in planning the audit. This implies that SAIs are aware of the importance of risk analysis in helping them to achieve maximum value for their auditing efforts. The research study found that the majority of SAIs determine materiality in the audit planning and performance. Although not all the SAIs adopt the COSO framework formally, they considered the components of the COSO Framework in understanding or assessing the entity’s internal control. On risk assessment, most of the SAIs considered the control and inherent risks compared to the detection risks.

Based on the extended study, only 4 SAIs – Australia, Malaysia, Nepal and Philippines fully adopt the risk-based audit. The practices carried out by SAI Australia and Nepal for developing the financial and compliance audit plan, SAI Australia for the performance audit plan and SAI Indonesia for the compliance audit plan can be used as a reference for the ASOSAI members.

PART 1 INTRODUCTION

1.1 Research Project Background

The ASOSAI Research Project is conducted in accordance with Article II of the Asian Organization of Supreme Audit Institutions (ASOSAI) Charter and Rule 2, Section 2.2 of the ASOSAI Rules and Regulations. The objective of the research is to encourage and facilitate the sharing of knowledge and experiences among the member SAIs to enhance their audit capacities.

The 11th Asian Organisation of Supreme Audit Institutions (ASOSAI) Research Project on “Methods for Developing Risk-Based Audit Plan” was approved in the 49th Governing Board Meeting held in Kuala Lumpur, Malaysia in February 2015. A total of 11 SAIs participated in the research project led by the National Audit Department of Malaysia.
The participating SAIs are Bangladesh, Indonesia, Iran, Iraq, Korea, Kuwait, Malaysia, Philippines, Russia, Saudi Arabia and Vietnam. The research team members met five times over the period of November 2015 to July 2018 to discuss and monitor the progress of the research project.

No. / Activity / Date and Venue
1. 1st Research Meeting (Presentation of country papers and discussion of research project framework): November 16-18, 2015, Malaysia
2. 2nd Research Meeting (Finalizing Part 1 and outline of questionnaire): May 2-4, 2016, South Korea
3. 3rd Research Meeting (Discussions on Part 2 and Part 3): November 22-24, 2016, Vietnam
4. 4th Research Meeting (Discussion on Part 4): April 24-26, 2017, Kuwait
5. 5th Research Meeting (Discussion on the overall research project): July 10-11, 2018, Malaysia

During the first meeting, the research team discussed the milestones and outline of the project and assigned the members into 4 groups, with each group preparing its respective part of the research report. During the second meeting, the research team discussed the methodology and empirical studies relating to the research topic and developed a set of questionnaires which were sent to all ASOSAI member SAIs. The respective groups presented the analysis of the 25 completed questionnaires in the third meeting. During the fourth meeting, the research team discussed the findings of 8 selected SAIs based on the documents submitted by them. The final meeting discussed the overall research project report in terms of the facts, data and appropriateness of the discussions.

1.2 Problem Statement

SAIs adopt different audit methods/approaches, but the survey distributed by the ASOSAI Secretariat showed that the majority of the ASOSAI members were interested in gaining and sharing knowledge from the experienced SAIs in risk-based audit planning.
This was the main reason why the topic of Methods for Developing Risk-based Audit Plans was selected.

1.3 Research Objectives and Scope

The objectives of the research are as follows:
1. To describe the methods used by the ASOSAI member countries in developing risk-based audit plan;
2. To identify the practices carried out in developing the risk-based audit plan for financial, performance and compliance audits in compliance with ISSAIs.

This research focuses on the planning stage of the audit to determine the methods in developing the risk-based audit plans for the financial, performance and compliance audits that correspond with international auditing standards set by INTOSAI and IAASB. The target respondents are all 48 ASOSAI member countries.

1.4 Significance of the Study

Risk is defined as the threat that an event, action or inaction will adversely affect the agency/entity’s ability to successfully achieve its mandate and objectives and execute its strategies. Perception of risks varies from one SAI to another, as it depends on several factors that influence the risk, including economic interests, public perception and cultural values. In compliance audit, performance audit and financial audit, all of which involve audit risk planning and analysis, there is a variety of methods to identify and evaluate risks; different SAIs may have different approaches and judgment based on their own perceptions and social agenda. Accordingly, this paper was designed to develop a better understanding of the risk-based audit plan for financial, performance and compliance audits, as well as to assist auditors in preparing a Risk Based Audit Plan according to ISSAIs so that the audit is conducted in an effective and efficient manner.

1.5 Summary

This part has outlined and described the background of this research, its objectives and the significance of this study.
This research is undertaken to examine the implementation of risk-based audit in preparing audit plans for financial, compliance and performance audit.

PART 2 LITERATURE REVIEW

2.1 Introduction

This chapter discusses the literature related to risk based auditing (RBA). Reading empirical research on RBA is necessary to gain a deep understanding of the matter and to identify the gap in this area. It also allows us to identify the framework to be reviewed and the expected results to be obtained. Literature reviews typically appear as detailed independent works or as brief introductions to reports of new primary data. When a literature review appears independent of new data, it can serve many different purposes (Cooper 1998). It can have numerous different focuses, goals, perspectives, coverage strategies, organisations, and audiences (Cooper, 1988). For instance, literature reviews can focus on research outcomes, research methods, theories, applications, or all these. Literature reviews can attempt to integrate what others have done and said, to criticize previous scholarly works, to build bridges between related topic areas, to identify the central issues in a field, or all these.

Literature reviews combining two specific sets of focuses and goals appear most frequently in the scientific literature. The first type of literature review has been alternately called a research synthesis, integrative research review, or research review. The second kind of literature review is a theoretical review. Here, the reviewer hopes to present the theories offered to explain a particular phenomenon and to compare them in breadth, internal consistency, and the nature of their predictions (Cooper 1998).

2.2 Risk Based Auditing

Risk is a complex, multidimensional phenomenon.
According to Yates (2002), in an action taking setting, risk is the potential for negative consequences to occur as a result of the action taken. The dimensions of risk include i) multiple causes of potential negative consequences, ii) multiple types of negative consequences, iii) the significance of each type of negative consequence, iv) multiple stakeholders who might suffer different types of negative consequences at varying significance levels, and v) a distribution of probabilities associated with each combination of the preceding dimensions.

To select an audit that will add value, it is appropriate to identify risk. Risk in the audit context is the chance of poor performance by an organization, or the possibility of error and wrongdoing. Risk-based auditing allows an organisation to understand the current risks and assess the effectiveness of existing controls. Additionally, it allows management to target resources to specific operations. As sites and corporations continue to reduce injury incidents and rates, a risk-based audit approach guides resource allocation.

The basic premise of risk-based auditing is that auditors should devote more resources to accounts that are likely to be misstated and fewer resources to those that are less likely to be misstated (Bell et al. 2005; Rittenberg and Schwieger 2005; Knechel 2007). This approach is expected to lead to more effective and efficient audits (Bell et al. 2005; Public Company Accounting Oversight Board [PCAOB] 2007). However, if auditors do not accurately assess misstatement risk at the account level, audit resources will be misallocated, resulting in undetected misstatements (Kinney 2005; O'Donnell and Schultz 2005).
Auditors could wrongly assess misstatement risk by focusing on observable non-strategic risk factors that indicate certain accounts are more likely than others to be misstated and by failing to appreciate the attendant implications for unobservable strategic risks that arise when financial reporting managers anticipate that auditors will allocate resources based on those non-strategic risk factors (Fellingham and Newman 1985). By fixating on non-strategic risk factors and allocating resources accordingly, auditors could actually create opportunities for fraud among the ostensibly low-risk accounts.

Auditors start the audit process by equipping themselves with knowledge of the nature of the entity's business and its business environment, gathering sufficient information to assess the risks associated with the business. Salehi and Khatiri (2011) have explored the factors hindering the performance of risk-based auditing, including the lack of timely preparation of financial statements by auditors, lack of sufficient standards, lack of statistical methods used by auditors and lack of necessary auditing training.

From the perspective of internal audit, allocating limited resources in the most effective way requires an assessment of risk across all the auditable areas. In this regard, the objective of risk-based planning is to ensure that the auditor examines the subjects of highest risk to the achievement of the organization’s objectives. The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness. Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
2.3 Risk Based Auditing Approach

Given the nature of the audit process, every audit assignment presents a different challenge, with no two audit assignments being the same. For example, no two entities are the same in terms of business sector, location, size, employees, governance issues, ethos, and complexity of operations. There is no one single approach to auditing which ensures the performance of a perfect audit. However, it is generally accepted that for most entities of size, the risk-based audit approach will minimise the possibility of audit objectives not being met.

Consequently ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment, compels auditors to adopt a risk-based approach to audits. In so doing, it requires auditors to make risk assessments of material misstatements at the financial statement and assertion levels, based on an appropriate understanding of the entity and its environment, including internal controls. Auditors should be familiar with assertions made by management, as described in ISA 500 (Audit Evidence).

As the auditor is required to focus on the entity and its environment when making risk assessments, this is known as the ‘top down’ approach to identifying risks, and auditors should become familiar with this term. The word ‘top’ refers to the day-to-day operations of the entity and the environment in which it operates; ‘down’ refers to the financial statements of the entity. In summary, this approach requires auditors to identify the key day-to-day risks faced by a business, to consider the impact these risks could have on the financial statements, and then to plan their audit procedures accordingly. For this reason, the approach is often referred to as the ‘business risk approach’.
When adopting this approach, in order to facilitate the identification of risks and the assessment of their effect on the financial statements, risks are categorised as: financial risks, such as cash flow risks; compliance risks, such as the risk of breaching laws and regulations; and operational risks, such as the risk of losing key employees and the risk of data loss (Brian Pine, 2008). The ultimate objective of adopting the business risk approach is to reduce audit risk – the risk that the auditor will give an inappropriate opinion on the financial statements. Hence, auditors should understand how business risk is linked to audit risk and how the business risk approach is integral to the use of the audit risk model when planning audit work.

The adoption of the risk-based audit approach has received great emphasis in the realm of public sector auditing. It is further emphasised in the International Standards of Supreme Audit Institutions (ISSAI), which state the following points:
- The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level (ISSAI 1330);
- The auditor shall actively manage audit risk to avoid the development of incorrect or incomplete audit finding, conclusion, and recommendation or failing to add value (ISSAI 3000); and
- The auditor shall perform procedures to reduce the risk of producing incorrect conclusion to an acceptable low level (ISSAI 4000).

A risk-based audit approach allows an SAI to understand current risks and assess the effectiveness of existing controls. Additionally, it allows management to target resources to specific operations. As sites and corporations continue to reduce injury incidents and rates, a risk-based audit approach guides resource allocation. The aim of the risk assessment auditing standards is to improve the quality and effectiveness of audit by substantially changing audit practices.
Statements on Auditing Standard provide increased rigor to the audit process in a number of key areas, including the assessments of inherent and control risks and the linking of these risk assessments to further audit procedures (Ramos, 2009).

The risk assessment standards prohibited the auditor from “defaulting to the maximum” control risk. On all audits the auditor should evaluate the design and implementation of internal control to properly identify and assess risk. Implementing and applying this standard in practice has proven to be a challenge for many firms, which have difficulty linking their internal control work to the substantive procedures and other aspects of the engagement, finding sufficient benefit to justify the increased audit costs that result from the stricter standard, and determining how to evaluate the effectiveness of the internal control design.

Bowlin (2011) studied the risk-based audit approach and found that there are potential pitfalls in risk-based auditing if auditors do not accurately assess misstatement risk at the account level, which will result in misallocation of audit resources.

ISSAI 1330[1] (2007) focuses on the auditor’s responses to assessed risks and includes a practice note providing additional guidance for public sector auditors related to audit procedures responsive to the assessed risks of material misstatement at the assertion level. ISSAI 1330 also addresses the importance of evaluating the sufficiency and appropriateness of audit evidence, as well as specific considerations for public sector auditors with a judicial role.
This ISSAI derives from ISA 330, which deals with the auditor's responsibility to design and implement responses to the risks of material misstatement identified and assessed by the auditor in accordance with ISA 315 (Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment) in an audit of financial statements.

ISSAI 3000[2] (2003) is a guideline for performance auditing based on INTOSAI's Auditing Standards and practical experience. These guidelines aim to assist SAIs’ performance auditors in managing and conducting performance audits efficiently and effectively, to provide a basis for good performance audit practices, and to establish a framework for the further development of performance audit methodology and professional development. The guidelines take into account relevant INTOSAI auditing standards based on generally accepted principles of performance auditing, distilled from the experience of INTOSAI members. Standardisation in performance auditing is mostly a question of what to do, rather than how to do it. The guidelines consist of five main parts:
a. Part 1 sets out the general framework for performance auditing;
b. Part 2 defines application of auditing principles to performance auditing which refers to government’s auditing principles applied to performance auditing;
c. Part 3 provides standards and guidance for planning performance audits;
d. Part 4 provides standards and guidance for conducting performance audits; and
e. Part 5 provides standards and guidance for presenting the audit results specifically on reporting standards and guidance.

[1] ISSAI 1330 – The Auditor's Responses to Assessed Risks
[2] ISSAI 3000 – Standards and guidelines for performance auditing based on INTOSAI's Auditing Standards and practical experience

The appendices contain further information on how to plan and conduct performance audits.
They also include information on performance auditing in relation to information technology (IT), and on conducting performance audits with an environmental perspective. A framework of system-oriented approaches in performance auditing is also presented.

The updated version of ISSAI 3000 (2016) on Standard for Performance Auditing and ISSAI 3200 Guidelines for the Performance Auditing Process refer to the following:
(i) Understanding the audit topic and identifying problems in the area. As part of the planning process, there is a need to develop a sound understanding of the subject matter and of the risks and challenges in the area (ISSAI 3200.21).
(ii) Selecting a focus for the audit or the “audit problem”. ISSAI 3200.35 states that the audit objectives, audit questions and scope are interrelated and need to be considered together.
(iii) Designing and planning the audit engagement.

The 2003 ISSAI 3000, Standards and guidelines for performance auditing based on INTOSAI’s Auditing Standards and practical experience, discusses methodological planning and administrative planning as follows:
- Methodological planning: Performance audit can draw upon a large variety of data-gathering and analysis techniques, with due consideration of the validity and reliability of the methods to be used.
- Administrative planning: It involves the selection of the audit team and team leader and the development of an activity plan including the timetable and resources needed.

ISSAI 4000[3] (2010) is a general introduction to the compliance audit guidelines and is intended to assist SAIs in applying the INTOSAI Auditing Standards, particularly in their work on reporting on compliance.
These compliance audit guidelines are written from two main perspectives: ISSAI 4100, which deals with compliance audit performed separately from the audit of financial statements, for example as a separate audit task or related to performance audit, and ISSAI 4200, which deals with compliance audit related to the audit of financial statements. The two ISSAIs are written as consistent, stand-alone documents.

IIA 2100 on Nature of Work requires that the internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.

[3] ISSAI 4000 – Compliance Audit Guidelines – General Introduction

2.4 Risk Based Auditing Planning

Pickett (2003) defines planning as a response to demands and new challenges posed for audit, and as a means of expectation and focusing resources to achieve effective results. Pickett (2003) also provided three alternative approaches in planning:
a. The traditional planning-cyclical audit model, which involves looking at everything on a cyclical basis over three years and evaluating. In the absence of a risk register, the auditor should identify a list of risks the client is facing. Other factors such as impact on reputation, materiality, and state of controls are used to assess the risk universe and prioritize the risky areas;
b. An advanced approach is the emphasis on the corporate governance framework. Audit resources are focused on board managements and accountability, the control framework in use, communication across the organization and the role and impact of the audit committee; and
c. Risk-based audit planning, which is ‘an approach to audit work that focuses on strategic, regulatory, financial and business risk that confront the organization and which uses these risks to steer the audit process in a way that maximizes the impact of audit assurance and consulting work’.

Risk based audit planning emphasises the importance and impact of an effective audit strategy and audit plan for the achievement of the goals, objectives and mission of the internal audit unit. Planning provides for a systematic approach to audit work and requires knowledge covering a wide range of issues in public management, including risk assessment and internal control. Another reference states that risk-based audit planning is an approach that focuses on analysing risk and developing an audit program that is suitable for the risks that have been identified (Arun District Council, 2009).

During the planning stage, the auditor gains an understanding of the client, the client’s internal controls, the client’s information technology (IT) environment, the client’s corporate governance environment and the client’s closing procedures. The process of understanding the client involves consideration of issues at the entity level, the industry level, and the broader economic level. The auditor will also assess the likelihood that their client’s financial statements are misstated due to limitations in its IT system. Governance structures are used to assess the level of risk faced and to design controls to reduce identified risks. Lastly, there is also a risk that the client’s closing procedures are inadequate (Moroney, Campbell, Hamilton & Warren 2015).

Furthermore, Moroney et al. (2015) also explained that the auditor will identify any related parties, factors that may affect their client’s going concern status, and significant accounts and classes of transactions that will require close audit attention to gauge the risk of material misstatement. Related party transactions require some specific consideration throughout the audit, and specific procedures should be performed and documented. The auditor also assesses fraud risk and performs procedures to support the assessment. The auditor will also consider the appropriateness of the going concern assumption during the planning stage and then throughout the audit.

Pickett (2006) also discussed the importance of audit planning and the risk of expressing an inappropriate opinion due to the following, which may be addressed through effective audit planning:
- Performing the wrong audit;
- Employing the wrong audit approach;
- Using the wrong staff;
- Breaching professional standards;
- Performing work at the wrong time; and
- Issuing the wrong reports and delivering the wrong underlying assurances.

In the context of internal audit, it is discussed that the allocation of limited resources in the most effective way requires an assessment of risk across all the auditable areas (Internal Audit Community of Practice (IA COP), 2014). In this regard, the objective of risk-based planning is to ensure that the auditor examines the subjects of highest risk to the achievement of the organization’s objectives. This material also provides examples for the concepts discussed, such as the common risk factors used by internal audit units. Certain illustrations of activities were also provided, such as scoring impact criteria, scoring risk factors and weighing risk factors. Nonetheless, it is worth emphasising that such reference pertains only to internal audit.
A study by Laudato (2016), which focuses on audit firms, found certain provisions of the International Standards on Auditing (ISAs) pertaining to risk-based audit planning, particularly in the identification and assessment of risks, responses to assessed risks, and materiality. An example was provided on how to prepare the corresponding audit strategy memorandum based on the discussions.

Jakovac, Domokos, & Nemeth (2016) state that SAI planning is a complex, multi-phase process which forms a hierarchic system from strategic planning through resource plans and the creation of operative audit plans all the way to feedback. The key steps of planning are the following:

a. Strategic planning sets out the key tasks of the institution as well as its ethical requirements, values, priorities, and the directions and main objectives of the given period. Strategic planning defines audit topics and audit criteria. The objectives of selection criteria vary depending on what type of audit they serve as basis for.
b. Annual planning lists and presents the audits to be carried out in the given period. It is prepared in harmony with the audit priorities set out in the strategy as well as with macro and risk analyses and the requirements stipulated by legal regulations, while also taking into account “anticipated demand” for audit reports. The objective is to select the areas, programs and organizations to be audited in the coming period, and to determine the order of audits depending on capacity.
c. Audit planning comprises the formulation of the specific audit strategy and the preparation of the audit plan. It is in this phase that the objectives, scope, method and criteria of the given audit must be formulated in detail, where audit questions must be drafted and the sample to be audited is to be defined, and where the documents supporting the audit must be prepared.

Furthermore, Jakovac et al. (2016) also explained that the INTOSAI standards require that the foundation of the planning work processes of supreme audit institutions be laid down by risk analyses. Normally, the state audit office conducts risk analysis during:

a. The selection of audit priorities and areas. The goal of risk analysis depends on the audit directions set out in the aforementioned SAI strategy.
b. The analysis of the controls and measures of the audited entities. The state audit office seeks to identify the organizational processes where significant residual risk threatens the accomplishment of organizational goals.
c. The definition of the issues and scope of the audit. Risk analysis supports the establishment of audit procedures, including sampling and the planning of control tests.

The International Standards of Supreme Audit Institutions (ISSAIs) 1300[4], 4000[5] and 3000[6] require the development of audit plans for financial, performance and compliance audits, respectively.

[4] ISSAI 1300, Planning and Audit of Financial Statements
[5] ISSAI 4000, Compliance Audit Standard
[6] ISSAI 3000, Standard for Performance Auditing

ISSAI 1300, Planning an Audit of Financial Statements, requires the auditors to develop an audit plan in order to perform the audit in an effective manner that includes a description of:

i. Nature, timing and extent of planned risk assessment procedures (as required by ISSAI 1315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment);
ii. Nature, timing and extent of planned further (substantive) audit procedures at the assertion level (as required by ISSAI 1330, The Auditor’s Responses to Assessed Risks); and
iii. Other planned audit procedures that are required to be carried out in compliance with other ISSAIs.
Proper planning helps in the timely commissioning of the team members, facilitates the guidance of the members and the supervision of their work, and, where applicable, helps in coordinating work between auditors and experts. A general auditing guideline on planning an audit of financial statements is specified in ISSAI 1300 (2007). This standard supports and explains ISSAI 1300 with respect to the public sector. This guideline deals with the auditor's responsibility to plan an audit of financial statements in the context of recurring audits.

ISSAI has also issued guidelines for the pre-planning stage. The pre-planning stage consists of two main activities governed by a set of standards, as shown in the following table:

TABLE 1 ISSAI PRE-PLANNING STAGE

Pre-planning activities:
• Adhere to codes of ethical behaviour and core audit principles
• Efficiency of audit team

Audit standards:
• Code of ethical conduct of the International Federation of Accountants (IFAC)
• Code of ethical conduct INTOSAI
• ISSAI 100, 200, 300, 400
• ISSAI 3000
• ISA 220
• ISSAI 1220
• ISA 210

Source: SAI Iraq’s Country Paper

According to the draft of the quality assurance manual, the actual planning phase consists of the following activities, which are governed by a set of standards:

PLANNING ACTIVITIES: AUDIT STANDARDS
• Understanding of the entity subject to audit and its environment: ISA 315
• Set a goal and scope of the audit task: ISA 200
• Identify materiality: ISA 320
• Identify and assess the risks of substantial misstatement: ISA 330, ISSAI 1315, ISSAI 1330
• Prepare a detailed audit plan: ISA 315, ISA 300, ISSAI 1330
• Design audit procedures for risks that have been evaluated: ISA 300, ISSAI 1330

Source: SAI Iraq’s Country Paper

On the other hand, the evaluation of the internal audit system also has a key position in the planning stage, according to the criterion of INTOSAI 9100.
ISSAIs 3000 and 3200 state that the SAIs are also expected to include the following information in their audit plan for performance audit:

i. Background knowledge and information needed to understand the entity to be audited;
ii. Initial assessment of the problem risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit;
iii. Audit objective, questions or hypothesis, criteria, scope and period to be covered by the audit;
iv. Methodology, including techniques to be used for gathering evidence and conducting the audit analysis;
v. Overall activity plan which includes staffing requirements (i.e. sufficient competencies, human resources, and possible external expertise required for the audit); and
vi. Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit.

ISSAI 4100 on Compliance Audit Guidelines—For Audits Performed Separately from the Audit of Financial Statements lists the following as the process for the audit work:

i. Determine the subject matter, criteria and scope of compliance audit;
ii. Understand the entity;
iii. Understand the control environment and internal control system;
iv. Risk assessment of the subject matter/audited entity;
v. Consideration of risks of fraud;
vi. Determine reliance on internal controls; and
vii. Link identified risks to audit strategy (audit procedures).

In line with the requirements pertaining to compliance audit, SAIs are also expected to include in their audit plan for compliance audit the following information:

i. Description of identified criteria related to the scope and characteristics of the compliance audit and to the legal, regulatory or appropriations framework;
ii. Description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria; and
iii. Description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments.

The research results show that the common actual process in preparing the plan among the SAIs that participated in the survey covers the following steps:

a. Understanding the Entity and Its Business Process (including previous audit reports);
b. Conducting Initial Analytical Procedures;
c. Understanding the Internal Control System;
d. Initial Risk Identification and Risk Analysis;
e. Risk Assessment: IR, CR, DR;
f. Determining the Audit Materiality, Criteria; and
g. Preparing Audit Plan Memorandum.

Those procedures are in line with ISSAI 1300 (Planning an Audit of Financial Statement), ISSAI 1315 (Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment), and ISSAI 1320 (Materiality in Planning and Performing an Audit).

Similar to ISSAI 1300, the research also shows that the auditor shall include in the audit documentation:

(a) The overall audit strategy;
(b) The audit plan; and
(c) Any significant changes made during the audit engagement to the overall audit strategy or the audit plan, and the reasons for such changes.

The documentation of the overall audit strategy is a record of the key decisions considered necessary to properly plan the audit and to communicate significant matters to the engagement team. For example, the auditor may summarize the overall audit strategy in the form of a memorandum that contains key decisions regarding the overall scope, timing and conduct of the audit.
A planning memorandum is one form of this kind of documentation. The common approach in preparing the planning memorandum includes the following information:

a. Basic information of the entity (including related parties and significant events);
b. Audit objective and scope;
c. Audit methodology (including understanding the internal control system, risk assessment, materiality, and sampling);
d. Audit resources (team, budget, timeline/timeframe);
e. Targeted area (significant risks); and
f. Audit Program.

2.5 Audit Risks

The ISSAIs identify three risks—inherent risk, control risk and detection risk. ISSAI 1003, Glossary of Terms to INTOSAI Financial Audit Guidelines, defines the said risks as follows:

Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Control risk is defined as the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure, and that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected and corrected, on a timely basis, by the entity’s internal control.

Detection risk is the risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

ISSAI 1330 on Auditor’s Response to Assessed Risks requires the auditor to design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement (a function of inherent and control risks) at the assertion level.
The risk of material misstatement (inherent and control risks) and detection risk constitute the concept of audit risk, or the risk that the auditor will express an inappropriate conclusion if the subject matter information is materially misstated. ISSAI 200, Fundamental Principles of Financial Auditing, requires the auditor to reduce audit risk to an acceptably low level in the circumstances of the audit. All the information on the evaluation of audit risk or the auditor’s assessment of risks, taking into account their opinion of the control environment together with the controls in place for each of the areas being reviewed, should be discussed in the Audit Planning Memorandum.

2.6 Attributes of a Good Audit Planning Memorandum

The Audit Planning Memorandum (APM) is prepared to set out the objectives of the audit and to spell out how the auditor aims to achieve these objectives. It is also a tool to monitor the progress of the audit and promotes high quality and professional audit work. Normally, the APM will be prepared during the planning stage. The purposes of the audit plan are, first, to contribute to the effectiveness of the audit and, second, to contribute to the audit efficiency.

This memorandum should be completed and approved as part of initial audit planning. In completing this document there may be occasions when matters already documented in other work papers are relevant. There is no need to re-write such material if a specific reference can be made. This memorandum is structured so that planning documentation common to all projects is presented. All items should be read and considered on every project. When a section is not applicable, indicate "N/A", with a brief explanation why it is not applicable. The planning memorandum is divided into four sections:

i. Introduction / Background
ii. Management Concerns & Issues
iii. Administration and job set up;
iv. Risk assessment; and
v. Nature and Scope of Audit

2.7 Conclusions

The risk-focused description and definition of organisations’ operating environment and operations has gained increasing prominence over recent decades. Risk-based auditing allows an organization to understand the current risks and assess the effectiveness of existing controls. Additionally, it also allows management of the audit organization to target resources to specific operations. Normally, a risk-based approach requires the auditor to have proper audit planning. Audit planning is an important phase during the audit process. During the planning stage, the auditor gains an understanding of the client, the client’s internal controls, the client’s information technology (IT) environment, the client’s corporate governance environment and the client’s closing procedures.

In the context of internal audit, it is discussed that the allocation of limited resources in the most effective way requires an assessment of risk across all the auditable areas (Internal Audit Community of Practice (IA COP), 2014). In this regard, the objective of risk-based planning is to ensure that the auditor examines subjects of highest risk to the achievement of the organization’s objectives.

Within the planning of audits also, the selection process and analysis of audit subjects’ risk that supports sampling procedures can be distinguished logically from the enumeration of risks to the conduct of the audit. Risks are analysed by the audit organisation, but the risks themselves can arise in the audited organisations in the former, and in the auditing organisation in the latter case; the analyst and the party at risk are therefore separated from each other.
In conclusion, the risk-based audit approach requires the auditor to analyse risk by gathering necessary, relevant and reliable information, identifying possible threats, analysing their impact and probability, and then evaluating them.

PART 3 RESEARCH METHODOLOGY

3.1 Introduction

Research design provides a framework for the collection and analysis of data (Bryman and Bell, 2007). Therefore, this part provided details of research design in relation to qualitative, quantitative and mixed methods research as three major approaches to research in social sciences. This part also explained the methodology employed in this research and methods of collecting and analysing data.

3.2 Research Methodology

In research, methodology refers to the ‘general logic and theoretical perspective’ of a study, whereas methods refer to techniques, procedures or strategies for analysing and interpreting data (Bogdan and Biklen, 2007 cited by Long, 2014). Generally there are three research methodologies: quantitative, qualitative and mixed methods (Creswell, 2014). Quantitative methods emphasize objective measurements and are either descriptive (subjects usually measured once) or experimental (subjects measured before and after treatment). Qualitative studies, by contrast, assume social reality exists independent of the knower and knowledge is subjective and personal. Qualitative methods involve close, personal contacts that use the researcher as the ‘instrument’ for recording observations. They emphasize open-ended information that the researcher usually gathers through interviews, focus groups and observations.
Quantitative methods emphasize objective measurements and the statistical, mathematical or numerical analysis of data collected through questionnaires or by manipulating pre-existing statistical data using computational techniques. They are used to quantify attitudes, opinions, behaviour and other defined variables, and to generalise results from a larger sample population. Mixed methods refer to an emergent methodology of research that advances the systematic integration or ‘mixing’ of quantitative and qualitative data within a single investigation or sustained program of inquiry. This method is used in this research because of time, logistics and resource constraints.

3.3 Research Method

This research used a descriptive approach that requires the use of mixed methods to provide insight into the topic under study. This approach gives an opportunity to the researcher to investigate the issue of risk-based audit plans within public sector organisations or SAIs in a comprehensive way. However, this method could be influenced by the SAIs’ respective mandates, laws and regulations, procedures and the nature of audit.

Typically, descriptive research is aimed at casting light on current issues or problems through a process of data collection that enables them to describe the situation more completely than was possible without employing this method (Fox, W. & Bayat, M.S., 2007). Descriptive research is used to describe characteristics and/or behaviour of a sample population. The main purposes of this study can be explained as describing, explaining and validating research findings on methods for developing an RBA plan among the respondent SAIs. Consistent with this view, the data for this research were gathered from survey questionnaires and an extended study.
In this research, the survey questionnaire was used to gain information to present risk-based audit planning methodologies to serve as a reference for the auditors in the preparation of a Risk-Based Audit Plan. Based on the survey results, the extended study was conducted on selected SAIs, which were asked through email to submit their guidelines or manuals which provide a detailed walkthrough of their risk-based audit planning procedures, as well as the corresponding documentation therefor (i.e., templates and sample working papers).

3.4 Research Instrument

In order to fulfil the study objective, survey questionnaires and document reviews were involved. Survey research was used as a preliminary study to obtain information on the extent of risk-based audit that has been performed by SAI members. This includes current knowledge and understanding of the risk-based audit approach, and practices and processes of risk assessment in accordance with ISSAI or related best practices in each SAI. This information gave input to the research from the theoretical and practical perspective and helped to explore the possible issues regarding the adoption of risk-based audit planning in audit works. Based on the survey analysis, the researchers performed an extended study to explore more on the risk-based audit planning process adopted by selected ASOSAI members. The sources of data were obtained from the audit planning documents submitted by the selected SAIs.

3.4.1 Primary Data

Primary data are information collected by a researcher specifically for a research assignment. The information needs to be gathered because no one has compiled and published the information in a forum or platform accessible to the public. Primary data are original in nature and directly related to the issue or problem and current data. In this research, the primary data were collected from 25 ASOSAI members through questionnaire.
The questionnaires consisted of SAI characteristics related to types of audit, audit approach and the processes involved in audit planning for each type of audit.

3.4.2 Secondary Data

Secondary data are the data available in written, typed or electronic forms. Secondary data are also used to gain initial insight into the research problem. In this research, the secondary data were collected from country papers, publications and articles of the 25 selected SAIs that develop a Risk-Based Audit Plan in conducting their audit works.

3.4.3 Survey Questionnaire

In this research, the survey questionnaire was designed to be semi-structured; it consisted of close-ended and open-ended questions. The majority of the close-ended questions were answerable by Yes, No and Not Applicable. The open-ended questions, on the other hand, were provided in cases where (1) the answers of the respondents are not among the given options, thus, the need to identify and describe others; and (2) there is a need to obtain the particulars and evidence supporting the Yes answers.

The survey was distributed through postal mail, email or fax addressed to the Heads of the 48 ASOSAI member SAIs, as per consensus during the 2nd ASOSAI Research Project meeting on 2-4 May 2016. The selection of the particular person who would answer the questionnaire was left to the judgment of the SAI Head, with the assumption that the SAI Head will choose someone who can give reliable information as far as the topic of the research project is concerned.
The purpose of the survey was to determine:

• Which among the target SAIs adopt the risk-based audit approach;
• Which among the target SAIs have a structured guideline in preparing a risk-based audit plan;
• The contents of the planning memorandum of target SAIs, if any;
• Which among the target SAIs prepare an audit plan for financial, performance and compliance audits;
• The steps adopted by target SAIs in the preparation of an audit plan for financial, performance and compliance audits;
• The perception of target SAIs on the achievement of benefits in preparing a Risk-Based Audit Plan; and
• The contents/elements of the audit plan.

The questionnaire in this research was based on the literature review (see Part 2) and other instruments based on ISSAI requirements on audit planning. This questionnaire was customised pertaining to the preparation of the Risk-Based Audit Plan that was used in this study. The content, criteria and scope of the questionnaires had been discussed extensively and through brainstorming among members of this group. The discussion was led by Group 2, comprised of representatives from SAI Philippines, Iran and Bangladesh. Template questionnaires from SAI Philippines, SAI Iran and SAI Bangladesh were used as reference in designing the final questionnaire.

In this research, the survey questionnaire was designed and divided into four main parts:

• Basic Information of SAI;
• Preparation of audit plan (or risk-based audit plan);
• Internal control system and Risk Assessment; and
• Documentation in the preparation of Risk-Based audit plan.

3.4.4 Extended Study

In line with the research objectives of describing the methods used by the ASOSAI members in developing a risk-based audit plan, the extended study was conducted among selected SAIs to identify the practices of ASOSAI members in developing audit plans for financial, performance and compliance audits in accordance with ISSAIs.
The set of criteria that must be satisfied for the selection were as follows:

a. The SAI adopted the risk-based audit approach or both risk-based and systems-based audit approaches (should have a yes answer in Item II.1.c.i of the survey questionnaire);
b. The SAI has a structured guideline in preparing a risk-based audit plan (should have a yes answer in Item II.1.d of the survey questionnaire); and
c. The SAI prepared a planning memorandum for financial, compliance and performance audits, whichever were being performed by the SAI (should have a yes answer in Item II.1.f of the survey questionnaire).

3.5 Data Collection

3.5.1 The survey questionnaire

The deadline of the survey was September 11, 2016. Out of 48 copies of the questionnaire distributed, only 25 were successfully completed and returned. The 25 SAIs who answered the questionnaires are shown in Figure 1.

FIGURE 1 SAI THAT SUBMITTED SURVEY QUESTIONNAIRE

1. Australia 2. Azerbaijan 3. Bahrain 4. Cambodia 5. China 6. Cyprus 7. India 8. Indonesia 9. Iran 10. Iraq 11. Japan 12. Jordan 13. Korea 14. Kuwait 15. Bahrain 16. Lao PDR 17. Malaysia 18. Mongolia 19. Myanmar 20. Nepal 21. Philippines 22. Saudi Arabia 23. Singapore 24. Tajikistan 25. Vietnam

A descriptive analysis was conducted on the 25 SAIs to obtain information on the following:

a) The adoption of the risk-based audit approach;
b) The availability of risk-based audit guidelines; and
c) The preparation of an audit plan memorandum for financial, performance and compliance audits.

Details of the descriptive analysis of the 25 SAIs are depicted in Table 2.

TABLE 2 ANSWERS OF 25 SAIS ON QUESTIONS PERTAINING TO CRITERIA

Columns: SAI; Adopts Risk-Based Audit Approach; Has a structured guideline in preparing a risk-based audit plan; Prepares a planning memorandum for financial, compliance and performance audits; To be included in the extended studies.

Rows: 1. Australia 2. Azerbaijan 3. Bahrain 4. Bangladesh 5. Cambodia 6. China 7. Cyprus 8. India 9. Indonesia 10. Iran 11. Iraq 12. Japan 13. Jordan 14. Korea 15. Kuwait 16. Laos 17. Malaysia 18. Mongolia 19. Myanmar 20. Nepal 21. Philippines 22. Saudi Arabia 23. Singapore 24. Tajikistan 25. Vietnam

[Table body: the per-SAI entries, including the "No ans." and "Not applicable" cells, did not survive in this copy.]

Note: SAI Bahrain is not included in the extended study since it adopts risk-based audit approach together with an approach called “coverage range.”

3.5.2 The extended study

Based on the results of the survey, 11 SAIs out of the 25 respondent SAIs were selected as the subject for the extended studies. Among the 11 selected SAIs, five (5) adopt only the risk-based audit approach while six (6) adopt both risk- and systems-based audit approaches (Table 3).

TABLE 3 SELECTED SAIS FOR EXTENDED STUDY

Columns: SAI; Adopts Risk-Based Audit Approach; Adopts Systems-Based Audit Approach.

Rows: 1. Australia 2. Indonesia 3. Jordan 4. Nepal 5. Philippines 6. Bangladesh 7. Cyprus 8. India 9. Singapore 10. Malaysia 11. Iraq

[Table body: the per-SAI marks did not survive in this copy.]

From the 11 selected SAIs, seven (7) SAIs submitted sufficient documents which were used for the extended studies. SAIs Australia, Iraq, Malaysia and Nepal submitted references for their financial and performance audit planning procedures. SAI Bangladesh submitted references for its financial and compliance audit procedures. SAI Indonesia submitted references for its planning procedures on all three audits.
Finally, SAI Philippines submitted references for the comprehensive audit (financial, compliance and performance audits performed together by an engagement team) it conducts.

3.6 Summary

This research was conducted based on a survey questionnaire and an extended study. Data were collected through both methods by analysing questionnaires and reviewing documents. In this research, the data collection framework is described below:

FIGURE 2 DATA COLLECTION FOR DESCRIBING METHODS USED BY THE ASOSAI MEMBERS IN DEVELOPING RISK-BASED AUDIT PLAN

SURVEY QUESTIONNAIRES
• CLOSE ENDED
• OPEN ENDED

EXTENDED STUDY
• ANALYSIS OF RISK BASED AUDIT IN FINANCIAL, COMPLIANCE, PERFORMANCE AUDITS IN 11 SELECTED SAIs

This part has outlined and described the methodological and theoretical approach undertaken to examine the implementation of risk-based audit in selected SAIs. This research applied a descriptive approach to gather information from the respondent SAIs pertaining to the preparation of the audit plan in 3 types of audit (financial, compliance and performance), ISSAI compliance among the respondents and adoption of RBA in planning the audit. Research findings and analysis will be discussed in Part 4 based on questionnaires and Part 5 based on the extended study.

PART 4 RESEARCH RESULTS BASED ON QUESTIONNAIRES

4.1 Introduction

This part describes and discusses the research findings based on questionnaires. It relates to the first research objective of identifying the methods used by SAIs to develop risk-based audit plans. The research findings and discussion will be presented under three topics: descriptive analysis based on basic information given by the SAIs, information pertaining to preparation of the Audit Plan/Risk-Based Audit Plan, as well as internal control system and risk assessment.
4.2 Descriptive Analysis

The questionnaires were sent to all members of the ASOSAI and 25 SAIs responded (52%). The 25 responses were from SAI Australia, Azerbaijan, Bahrain, Bangladesh, Cambodia, China, Cyprus, India, Indonesia, Iran, Iraq, Japan, Jordan, Korea, Kuwait, Laos, Malaysia, Mongolia, Myanmar, Nepal, Philippines, Saudi Arabia, Singapore, Tajikistan and Vietnam.

The descriptive analysis (Table 4) of the respondent SAIs indicated that 6 SAIs (Australia, India, Iran, Japan, Malaysia and Philippines) have existed for more than 100 years. 9 SAIs (Cyprus, Indonesia, Iraq, Jordan, Korea, Kuwait, Myanmar, Nepal and Singapore) fall under the category between 50 – 100 years of existence. 10 SAIs (Azerbaijan, Bahrain, Bangladesh, Cambodia, China, Lao PDR, Mongolia, Saudi Arabia, Tajikistan and Vietnam) have been in existence for less than 50 years.

It is found that 17 (68%) out of 25 SAIs were established by their respective constitutions or laws. The 17 SAIs are Australia, Azerbaijan, Bangladesh, Cambodia, India, Indonesia, Iran, Japan, Jordan, Korea, Lao PDR, Malaysia, Myanmar, Nepal, Philippines and Singapore. All SAIs have mandates/functions/responsibilities to conduct the audits. Half of the respondents followed the Westminster model, which is intrinsically linked to the system of parliamentary accountability. 6 SAIs (Azerbaijan, Indonesia, Japan, Korea, Philippines and Tajikistan) followed the Board or Collegiate model, where a number of members form its governing board or college and make decisions jointly.
TABLE 4 DESCRIPTIVE DETAILS OF RESPONDENTS (PERCENTAGE IN PARENTHESES)
Basic Information: Respondents (n = 25)
Establishment: <100 years 6 (24%); 50-100 years 9 (36%); <50 years 10 (40%)
Constitutional/Legal Status: Constitution 12 (48%); Law/Act 5 (20%); Others 3 (12%); Not stated 5 (20%)
Mandate: Yes 25 (100%)
Types of SAI: Westminster 13 (52%); Judicial 1 (4%); Board/Collegiate 6 (24%); Others 1 (4%); Not stated 4 (16%)

It can be concluded that there are differences in the characteristics of responding SAIs in terms of the legal status or mandate depending on the institutional models.

4.3 Information Pertaining to the Preparation of the Audit Plan/Risk-Based Audit Plan

4.3.1 Types of Audits Conducted

All of the 25 SAIs conducted financial audits, 22 SAIs (88%) conducted compliance audits and 21 SAIs (84%) conducted performance audits. Other types of auditing performed by SAIs are audit of performance statements, audit of appropriateness of performance measures, performance audits of commonwealth partners, forensic audit, special purpose audit, management audit of Government Linked Companies, assurance review or other audits which have similarities with either financial, compliance or performance audits.

4.3.2 Preparation of Audit Plans

The International Standards of Supreme Audit Institutions (ISSAIs) 1300: Planning an Audit of Financial Statements, ISSAI 3000: Standard for Performance Auditing and ISSAI 4000: Compliance Auditing Standard require SAIs to develop audit plans for financial, performance and compliance audits. The survey results (Figure 3) indicated that most of the SAIs prepare separate audit plans for financial, performance and compliance audits.

FIGURE 3 PREPARATION OF AUDIT PLANS
[Pie chart. Preparing separate Audit Plans: 21 (84%); Not preparing separate Audit Plans: 3 (12%); Not applicable: 1 (4%).]
Note: SAI Myanmar answered “Not applicable”.
The survey results showed that 84% of the 25 SAIs prepare separate audit plans. Three SAIs (Cyprus, Japan and Philippines) prepare one audit plan for all types of audits. SAIs China, Vietnam and Nepal prepare combined audit plans for compliance and financial audits.

4.3.3 Adoption of Risk-Based Audit Approach

The importance of considering risks is mentioned in the following ISSAIs:
• The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level (ISSAI 1330);
• The auditor shall actively manage audit risk to avoid the development of incorrect or incomplete audit finding, conclusion and recommendation or failing to add value (ISSAI 3000); and
• The auditor shall perform procedures to reduce the risk of producing incorrect conclusion to an acceptable low level (ISSAI 4000).

Based on their responses, 7 SAIs (Australia, Cambodia, Indonesia, Jordan, Mongolia, Nepal and Philippines) fully adopted the risk-based audit approach. SAIs of China, Cyprus, Iraq and Singapore adopted risk-based and system-based audit approaches. SAIs of Bahrain and Lao PDR adopted risk-based and other audit approaches and 4 SAIs (Bangladesh, India, Korea and Malaysia) utilised risk-based, system-based and other audit approaches. SAI Kuwait and SAI Iran utilised the system-based audit approach. Other approaches include results-oriented, problem-based, transaction-based, fundamental and topic-based.

TABLE 5 AUDIT APPROACHES ADOPTED BY SAIS
AUDIT APPROACH: NO. OF SAIS
Risk-based only: 7
Risk-based and system-based: 4
Risk-based and others: 2
Risk-based, system-based and others: 4
System-based only: 2
Others: 5
System-based and others: 1

4.3.4 Structured Guideline in Preparing Risk-Based Audit Plan

The development of structured guidelines will assist the auditor to conduct an effective risk-based audit plan.
The results illustrated in Figure 4 showed that 15 out of 25 SAIs have structured guidelines to prepare the plans. The 15 SAIs are Australia, Bahrain, Bangladesh, Cambodia, China, Cyprus, India, Indonesia, Iraq, Jordan, Malaysia, Mongolia, Nepal, Philippines and Singapore.

FIGURE 4 SAIS HAVING STRUCTURED GUIDELINES IN PREPARING RISK-BASED AUDIT PLAN
[Pie chart. Has a structured guideline in preparing a risk-based audit plan: 15 (60%); Has no structured guideline in preparing a risk-based audit plan: 2 (8%); Not applicable (not adopting risk-based approach): 8 (32%).]
Note: SAIs Lao PDR and Korea answered “No”.

The survey results revealed that 14 out of 15 SAIs which have structured guidelines enumerated the processes of preparing a Risk-Based Audit Plan as shown in Table 6.

TABLE 6 PROCESS OF PREPARING A RISK-BASED AUDIT PLAN
SAI: PROCESS OF PREPARING A RISK-BASED AUDIT PLAN

Australia: A risk-based audit approach for financial statements audit entails:
1. A systematic approach to planning focussing on high risk areas;
2. The evaluation of internal control systems; and
3. The use of analytical procedures to form an opinion that is within the desired level of assurance.
The audit strategy is communicated to the client including a snapshot of the risk assessment followed by a detailed assessment and planned response to the key areas of audit focus, as well as information on the audit approach to all material processes.

Bahrain: The process involves:
1. Understand all related business processes.
2. Prepare documents and information flowcharts for business processes.
3. Identify all probable and expected risks.
4. Classify identified risks (High, medium, low).
5. Identify risky areas and prepare the audit plan and work program based on that.

Bangladesh: A risk assessment matrix is developed from the lessons learned in conducting ISSAI-compliant financial and compliance audits.
Risks are assessed using the matrix and then the plan is developed based on the risks assessed.

Cambodia: The audit teams gather information about the audited entity, perform analytical procedures, and calculate overall materiality and performance materiality in order to identify the accounts for the risk assessment. Auditors assess the inherent risk, control risk, fraud risk and compliance risk of the account and the audit procedures to uncover the risks identified.

China: The process involves comprehensively analysing the risk and understanding the basic situation of the audited entities, confirming the factors that affect audit objectives, testing and evaluating the inherent risk and risk control of audited entities, determining the acceptable level of audit risk, and determining corresponding audit countermeasures and appropriate audit procedures.

Cyprus: The Internal Auditing Guidelines outline the steps to be followed in preparing an audit plan. The Guidelines include templates for the assessment of audit risk, calculating materiality levels and determining the main audit areas based on the risk assessment performed.

Indonesia: The general process of risk-based audit planning is as follows: Understanding the Audit Objectives and Engagement Expectation; Understanding the Entity and Its Business Process; Understanding Previous Audit Reports; Conducting Initial Analytical Procedures; Understanding the Internal Control System; Initial Risk Identification and Risk Assessment; Setting the Initial Materiality Threshold; Determining the Sampling Method; Determining the Audit Criteria; and Preparing the Audit Program.
Iraq: The process starts with the initial survey and the evaluation of the internal auditing system, then determines the potential and auditing risks for all kinds of accounts and calculates the percentage of each, and then calculates and determines the size of the sample required for auditing so that it represents all of them and is sufficient to reach a technical and neutral opinion about the accuracy and appropriateness of the financial statements. This is still in the initial stages and includes 25% of the work plan prepared to implement tasks.

Jordan: The process includes problem analysis, audit objectives, audit scope, audit problem and audit criteria.

Malaysia: The audit planning process includes:
1. Understanding the entity and its environment;
2. Identifying and assessing the risks of material misstatement for classes of transactions, account balances, and disclosures;
3. Audit planning memorandum;
4. The auditor’s responsibilities relating to fraud;
5. Review of the internal auditor’s report;
6. Communication with those charged with governance;
7. Audit considerations relating to an entity;
8. Using a service organization;
9. The auditor's responsibilities relating to other information in documents containing audited financial statements; and
10. Review of financial statements opening balances.

Mongolia: The general process for audit planning is as follows:
1. Identifying weaknesses;
2. Identifying risks by inherent and internal control based on weaknesses and evaluating auditors’ risks by account;
3. Determining materiality;
4. Developing audit questions, audit procedures criteria;
5. Developing audit programme; and
6. Finalising and approving the audit plan.

Nepal: All the audited entities are graded into Grade A, B and C based on defined evaluation criteria. All Grade A entities and 50% of Grade B and 1/3rd of Grade E entities are audited by adopting detailed audit procedures. Others are audited using a simplified procedure.
The remaining 50% of Grade B and 2/3rd of the Grade C entities are audited at two- and three-year intervals respectively.

Philippines: The process starts with strategic planning and risk identification and the agency audit planning and risk assessment as per the Integrated Results and Risk Based Audit Manual (IRRBAM) that considers the following processes:
1. Preparing the agency audit work step;
2. Understanding the agency;
3. Identifying significant agency risks;
4. Understanding and assessing agency level controls;
5. Understanding the process; and
6. Conducting audit risk assessment and planning

Singapore: The process involves acquiring an understanding of the entity being audited and its environment, identifying and analysing key risks, considering the internal controls in place and designing the audit approach/strategy.

4.3.5 Risk Analysis in Preparing the Audit Plan

Analysing or assessing risks is part of planning to ensure that scarce resources are directed to the audit of the areas of highest risk. Auditors must have a thorough understanding of the risks facing the audited entity and their potential impact and probability. Then, they have to apply realistic judgments on the importance and probability of the risks identified.

The survey results revealed that the majority of the SAIs analyse risks in preparing the audit plan (Figure 5). Even though 17 SAIs explicitly reported that they adopt risk-based auditing either fully or partially, another 5 SAIs (Azerbaijan, Iran, Myanmar, Tajikistan and Vietnam) which did not adopt risk-based auditing also conduct risk analysis in preparing the audit plan.
FIGURE 5 SAIS USING RISK ANALYSIS IN THE PREPARATION OF THE AUDIT PLAN
[Pie chart. Using risk analysis in the preparation of Audit Plan: 23 (92%); Not using risk analysis in the preparation of Audit Plan: 1 (4%); Not applicable: 1 (4%).]
Note: SAI Saudi Arabia answered “Not applicable,” while SAI Japan answered “No”.

4.3.6 Preparation of Audit Planning Memorandum

In order to ensure a high standard of performance, it is important that the auditor prepare adequately for his/her work. Planning for an audit is essential for the smooth performance of the audit work and its successful completion. It will not only guarantee a valid audit opinion but also ensure that the objective is achieved, the audit is properly directed and controlled, and the high-risk audit areas are given due attention.

The survey results (Figure 6) indicated that slightly more than half of the 25 respondent SAIs (Australia, Bahrain, Bangladesh, Cyprus, Indonesia, Iraq, Jordan, Korea, Lao PDR, Malaysia, Nepal, Singapore and Vietnam) prepared the Audit Planning Memorandum (APM) for financial, compliance and performance audits. Nine SAIs (Azerbaijan, Cambodia, China, Iran, Kuwait, Mongolia, Philippines and Tajikistan) did not prepare the APM.

FIGURE 6 SAIs PREPARING APM FOR FINANCIAL, COMPLIANCE AND PERFORMANCE AUDITS
[Pie chart. Preparing planning memorandum: 13 (52%); Not preparing planning memorandum: 9 (36%); Not applicable: 1 (4%); No answer: 2 (8%).]
Note: SAI Saudi Arabia answered “Not applicable,” while SAIs Japan and Myanmar have answered “No”.

10 SAIs (Australia, Bahrain, Cyprus, Indonesia, Jordan, Lao PDR, Malaysia, Nepal, Singapore and Vietnam) mentioned the contents of the APM as presented in Table 7.
TABLE 7 CONTENTS OF PLANNING MEMORANDUM
SAI: CONTENTS OF PLANNING MEMORANDUM

Australia: Financial statement audit: For each material process, the affected financial statement line items, a description/overview of the items, the relevant control activities/information systems, key IT systems, information systems, the audit team’s intended control reliance and rotation considerations, a link to the relevant audit work and a summary of elevated and significant risks.

Bahrain:
1. Introduction (Bases and purpose of the plan);
2. Background about the entity to be audited (Duties and responsibilities, organisational structure, goals, important related statistics …etc.);
3. Related parties and concerned organizational units;
4. Audit goals, scope, and methodology;
5. Audit standards, guidelines and all related criteria (Decrees, ministerial decisions, policies and procedures manuals, etc.);
6. Strengths and weaknesses;
7. Timelines and schedules of the audit assignment;
8. Details of team members; and
9. Risk analysis document and audit work program.

Cyprus:
1. Audited entity background: Mission, legal framework, organizational structure, budget and staff.
2. Risk assessment: Template document to be completed.
3. Materiality calculation document: Template document to be completed.
4. Audit budget (available man days), timeframe and audit team members.
5. Audit team meeting minutes, determining the areas on which the audit will focus.
6. Audit steps to be followed, including available man days for each step and the member(s) of staff to which steps are assigned.
[A detailed audit programme including steps to be followed in each audit area has so far been adopted for central government entities and municipalities. A similar programme has been prepared for the audit of statutory bodies; however, it is yet to be adopted.]

Indonesia:
1. The legal basis for the audit;
2. Audit standard;
3. Audit objective;
4. General information about the entity;
5. Audit scope;
6. The result of understanding the entity’s internal control system;
7. Targeted audit;
8. Audit criteria;
9. The rationale/reasons of the audit;
10. Audit methodology;
11. The audit period;
12. The composition of the team and the detailed audit fee;
13. The audit report framework; and
14. The distribution of report.

Jordan:
1. The legal framework of the entity;
2. The mandate of the entity;
3. The objectives of the entity;
4. The Internal audit system;
5. The problem/s; and
6. Auditing process.

Lao PDR:
1. Background information of the entity;
2. Audit objective and scope;
3. Audit Methodology;
4. Audit risk area;
5. Assessing whether of priority; and
6. The timing and staffing

Malaysia:
1. Introduction;
   i. Background (Establishment of Entity – Establishment Act); and
   ii. Activity/Main Operation.
2. Organisational Structure;
3. Accounting System;
4. Accounting Policy;
5. Main and Key Activity;
6. Audit Objective, Scope and Methodology;
7. Setting the Materiality Level;
8. Audit Approach;
   i. Examine the system and determine the existence of internal control which is supported by the chart to express an audit opinion;
   ii. Specify the sample size and methods of selection and the branches visited;
   iii. Auditing in computerised environment. Evaluate the integrity of the system in producing financial statements and critical information; and
   iv. Pending matters from previous year.
9. Risk Assessment;
10. Audit Programme;
11. Grade and Number of Employees;
12. Audit Time Frame;
13. Audit Fee;
14. Contact Person;
15. Audit Report of the Private Auditor to the Auditor General;
16. Other Significant Matters;

Nepal:
1. Description about entity to be audited; introduction, establishment year, objectives, functions, legal, institutional and policy arrangements, staff positions, annual and periodical programmes and progress statements, financial transactions, financial Statements etc.;
2. Audit Objectives, Scopes, Methodology;
3. Audit Programme;
4. Audit Team and Responsibility;
5. Ethical Requirements and Consideration of Competency Required; and
6. Supervision Arrangements

Singapore: The APM for financial or compliance audit includes:
1. Audit Mandate;
2. Audit Objective and Scope;
3. Significant Events and Developments;
4. Financial Highlights;
5. Risk Assessment; and
6. Audit Approach and Strategy.

Vietnam: Financial and performance audits shall be planned separately but compliance audit normally is planned, as well as conducted, in conjunction with a financial/performance audit.

From the table above, there are seven common contents of the APM encompassing the following:
1. Basic information of the unit and subject matter of the audit;
2. Audit objectives and scope;
3. Audit methodology;
4. Areas of audit risk;
5. Assessing the priorities; and
6. Timing and assignment of audit areas.

4.3.7 Benefits of Risk-Based Audit Plan

ISSAI 1300 paragraph 2 stated the following five benefits of preparing a Risk-Based Audit Plan:
i. Helping the auditor to devote appropriate attention to important areas of the audit.
ii. Helping the auditor in identifying and resolving potential problems on a timely basis.
iii. Helping the auditor properly to organise and manage the audit engagement so that it is performed in an effective and efficient manner.
iv. Assisting in the selection of engagement team members with appropriate level of capabilities and competence to respond to anticipated risks, and the proper assignment of work to them.
v. Facilitating the direction and supervision of engagement team members and the review of their work.
Survey results showed that more than 80% of the respondents agree on all the benefits of preparing a risk-based audit plan as per ISSAI 1300. Details are depicted in Table 8.

TABLE 8 BENEFITS IN PREPARING A RISK-BASED AUDIT PLAN
NO. BENEFITS: RESPONDENTS, NO (%) for AGREE; DISAGREE; NOT APPLICABLE
1. Helping the auditor to devote appropriate attention to important areas of the audit: Agree 23 (92%); Disagree 0 (0%); Not applicable 2 (4%)
2. Helping the auditor in identifying and resolving potential problems on a timely basis: Agree 22 (88%); Disagree 1 (4%); Not applicable 2 (4%)
3. Helping the auditor properly to organize and manage the audit engagement so that it is performed in an effective and efficient manner: Agree 22 (88%); Disagree 1 (4%); Not applicable 2 (4%)
4. Assisting in the selection of engagement team members with appropriate level of capabilities and competence to respond to anticipated risks, and the proper assignment of work to them: Agree 22 (88%); Disagree 1 (4%); Not applicable 2 (4%)
5. Facilitating the direction and supervision of engagement team members and the review of their work: Agree 23 (88%); Disagree 0 (0%); Not applicable 2 (4%)

The survey results showed that although 8 SAIs are not adopting risk-based auditing either fully or partially, 5 of them recognised the benefits of preparing a risk-based audit plan.

4.3.8 Preparing Audit Plan for Financial Audit

ISSAI 1300 on Planning an Audit of Financial Statements requires the auditors to develop an audit plan which includes a description of:
(i) Nature, timing and extent of planned risk assessment procedures (as required by ISSAI 1315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment);
(ii) Nature, timing and extent of planned further (substantive) audit procedures at the assertion level (as required by ISSAI 1330, The Auditor’s Responses to Assessed Risks); and
(iii) Other planned audit procedures that are required to be carried out in compliance with other ISSAIs.
The survey results showed that 80% of 25 SAIs included descriptions (i) and (ii) above in the financial audit plan whilst 64% of 25 SAIs described other planned audit procedures that are required to be carried out in compliance with other ISSAIs. Details of the results are depicted in Figure 7.

FIGURE 7 SAIS WHICH INCLUDE ISSAI-REQUIRED DESCRIPTIONS OF PROCEDURES IN THE AUDIT PLAN FOR FINANCIAL AUDIT
[Bar chart, number of SAIs per description.
(i) Nature, timing and extent of planned risk assessment procedures: Included 20; Not included 4; Not applicable 1
(ii) Nature, timing and extent of planned further (substantive) audit procedures at the assertion level: Included 20; Not included 4; Not applicable 1
(iii) Other planned audit procedures that are required to be carried out in compliance with other ISSAIs: Included 16; Not included 7; Not applicable 2]
Note:
1. SAI Japan answered ‘Not Applicable’ to all items.
2. SAI Singapore answered (iii) as ‘Not Applicable’.

SAI Japan answered ‘Not Applicable’ to the three requirements of ISSAIs on financial audit because the SAI conducts direct reporting engagements under the provisions of the laws and ordinances and has no legal grounds to conduct attestation engagements, which makes the adoption of ISSAIs on financial audits difficult. For other planned audit procedures that are required to be carried out in compliance with other ISSAIs, SAI Singapore answered ‘Not Applicable’ as the SAI is guided by the Singapore Standards on Auditing issued by the Institute of Singapore Chartered Accountants for financial auditing.

ISSAI 1315 on Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISSAI 1330 on The Auditor’s Responses to Assessed Risks list the steps in developing the financial audit plan:
i. Obtaining an understanding of the entity and its environment, including the entity’s internal control (as required by ISSAI 1315);
ii. Using the understanding of the entity to identify and assess the risks of material misstatement at the financial statement and assertion levels (as required by ISSAI 1315);
iii. Designing and implementing responses to these assessed risks of material misstatements (as required by ISSAI 1315);
iv. Identifying specific procedures required for material financial statement areas (ISSAI 1330); and
v. Determining what audit procedures and the extent of testing required (ISSAI 1330).

The survey results (Figure 8) showed that 72-88% of the SAIs followed the steps stated in ISSAI 1315 and ISSAI 1330.

FIGURE 8 SAIS WHICH PERFORM THE STEPS IN DEVELOPING AN AUDIT PLAN FOR FINANCIAL AUDIT
[Bar chart, number of SAIs per step.
(i) Obtaining an understanding of the entity and its environment, including the entity’s internal control: Performing 22; Not performing 1; Not applicable 2
(ii) Using the understanding of the entity to identify and assess the risks of material misstatement at the financial statement and assertion levels: Performing 20; Not performing 3; Not applicable 2
(iii) Designing and implementing responses to these assessed risks of material misstatements: Performing 18; Not performing 5; Not applicable 2
(iv) Identifying specific procedures required for material financial statement areas: Performing 18; Not performing 5; Not applicable 2
(v) Determining what audit procedures and the extent of testing required: Performing 20; Not performing 3; Not applicable 2]
Notes:
1. SAI Japan answered “Not applicable” for all five aspects because of its limited legal grounds to conduct attestation engagements.
2. SAI Saudi Arabia answered “Not applicable” for all questions because the officer who answered the questionnaire works at the performance auditing department of the SAI.

Further questions were asked on each of the five steps in developing the financial audit plan.
For the first step, obtaining an understanding of the entity and its environment, including the entity’s internal control, the 17 SAIs use various templates such as a model or programme to understand the client; standardised forms or guides; audit guides and ISSAIs; and SAIs’ own standards. Details are shown in Table 9.

TABLE 9 TEMPLATES USED IN UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
TEMPLATE: SAI
Use a model or program for understanding the client: Australia, Cambodia, Lao PDR, Vietnam
Use standardised forms or guides: Vietnam, Singapore, Malaysia, Nepal, Korea, Iraq, Bahrain
Use audit guides and International Standards for Supreme Audit Institutions: Bangladesh, Cyprus, India, Indonesia, Jordan, Iran
Own standards: China

In identifying and assessing the risks of material misstatement at the financial statement and assertion levels (Step 2), the 17 SAIs use various templates such as a programme on evaluation of the audit risks; a table or matrix of risk assessment; models or guides; and ISSAIs. Details are depicted in Table 10.

TABLE 10 RISK ASSESSMENT TEMPLATE
TEMPLATE: SAI
Program on evaluation of the audit risks: Australia, Korea, Jordan, Bahrain, Cyprus
Table or matrix of risk assessment: Singapore, Philippines, Iraq, Indonesia, India
Models or guides: Laos, Vietnam, Nepal, Malaysia, Korea
Identify and assess the risks of material misstatement of the financial statements: China
ISSAI: Bangladesh

Thirteen SAIs reported their methods and techniques in designing and implementing responses to the assessed risks of material misstatements (Step 3). SAIs of Bahrain, Bangladesh, Cyprus, Nepal, Philippines and Vietnam design an audit programme. SAIs of Australia, Cambodia, India, Korea, Malaysia and Singapore design an objective testing model. SAI Lao PDR designs an audit program as well as an objective testing model.
Step 4 is about identifying specific procedures required for material financial statement areas. SAIs of Australia, Cambodia, Indonesia, India, Iraq, Korea, Laos, Singapore and Malaysia have models for linking the detailed audit procedures with audit risks. For example, in the case of the Australian National Audit Office, the ‘Bridge’ details the line items and disclosures covered for each material process, the testing performed (control and/or substantive) and the assertions addressed by each procedure.

SAIs were also required to explain their methods for determining audit procedures and the extent of testing required (Step 5). SAI Australia uses objective control and substantive testing to determine sample selections. The audit procedures and the extent of testing for SAIs of Cambodia, India, Indonesia, Iraq, Korea, Lao PDR, Malaysia and Singapore are in accordance with their audit programmes.

Apart from the five steps, 3 SAIs (Australia, Bangladesh and India) described other steps included in the planning stage of the financial audit as per Table 11.

TABLE 11 OTHER STEPS IN THE FINANCIAL AUDIT PLANNING STAGE
SAI: STEPS

Australia:
• Establish engagement team and independence;
• Determine the need to appoint a Quality Review Executive (EQCR);
• Consider whether to engage IT Audit;
• Hold an engagement team planning meeting;
• Document the legislative basis for the engagement;
• Prepare for and conduct client and internal audit planning meeting;
• Determine materiality;
• Perform risk assessment analytical procedures;
• Consider using the work of internal audit, experts, other auditors/service organisations;
• Consider the need to use external confirmations and solicitor’s representation letters;
• Review opening balances for initial audits; and
• Prepare a budget and develop a monitoring plan.
The auditor also assesses and responds to fraud risks and communicates the audit strategy to the client.
Bangladesh India Deciding documentation and requirements Materiality level calculation matrix. Materiality assessment for selection of significant audit areas. 4.3.9 Preparing Audit Plan for Performance Audit ISSAI 3000 on Standard for Performance Auditing and ISSAI 3200 (Draft endorsement version 2016) on Guidelines for the Performance Auditing Process mentioned the following steps in developing the performance audit plan: (i) Understanding the audit topic and identifying problems in the area. As part of the planning process, there is a need to develop a sound understanding of the subject matter and of the risks and challenges in the area (ISSAI 3200.21). (ii) Selecting a focus for the audit or the “audit problem”. ISSAI 3200.35 states that the audit objectives, audit questions and scope are interrelated and need to be considered together. (iii) Designing and planning the audit engagement. ISSAI 3000 (2003) on standards and guidelines for performance auditing based on INTOSAI’s Auditing Standards and practical experience, discusses the methodological planning and administrative planning as follows: Methodological planning - Performance audit can draw upon a large variety of data-gathering and analysis techniques, with due consideration on the validity and reliability of methods to be used. Administrative planning - It involves the selection of the audit team and team leader and the development of an activity plan including the time table and resources needed. The survey results showed that 21 out of 25 SAIs comply to step (i) and (ii) above and 20 SAIs comply to step 3 in developing the performance audit plan. Details are as per Figure 9. 41 Methods for Developing Risk-Based Audit Plan FIGURE 9 STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN AS PER ISSAI 25 21 21 20 20 15 10 4 5 0 4 0 1 4 0 (i) Understanding the audit (ii) Selecting a focus for the topic and identifying problems audit or the “audit problem” in the area. 
(iii) Designing and implementing responses to these assessed risks of material misstatements SAIs Performing the step in developing an audit plan for performance audit SAIs not performing the step in developing an audit plan for performance audit Not applicable Apart from the three steps as per ISSAI 3100, SAIs of Australia, Bangladesh, India, Indonesia and Nepal enumerated other steps in developing performance audit plan as shown in Table 12: TABLE 12 OTHER STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN SAI Australia CONTENTS OF PLANNING MEMORANDUM The ‘Audit Work Plan’ documents include: Audit objective and criteria; Audit scope; Rationale for undertaking the audit and likely impacts; Background for the audit; Audit method; Audit team; Pre-audit work including consultation; Assessment of performance audit engagement and operational risk; Significant risks/issues; Estimated project hours and costs; and Milestones and target dates Bangladesh Conduct entry meeting Conduct pre-study Submit a report for approval India Assess audit team skills and whether external expertise is to be augmented. Preparation of Audit Design Matrix Establishing time table and resources Understanding the entity Selecting audit scope & objective Developing criteria Developing Audit Design Matrix. Indonesia 42 Methods for Developing Risk-Based Audit Plan SAI Nepal CONTENTS OF PLANNING MEMORANDUM Engaging Civil Society Organisations in the audit process. Formation of the Steering Committee to oversee CSOs engagement in audit. The Audit Advisory Committee provides suggestions regarding areas to be covered in the performance audit. In accordance to ISSAIs, the performance audit plan must contain the following information: vii. viii. ix. x. xi. xii. 
i. Background knowledge and information needed to understand the entity to be audited;
ii. Initial assessment of the problem risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit;
iii. Audit objective, questions or hypothesis, criteria, scope and period to be covered by the audit;
iv. Methodology, including techniques to be used for gathering evidence and conducting the audit analysis;
v. Overall activity plan which includes staffing requirements (i.e. sufficient competencies, human resources, and possible external expertise required for the audit); and
vi. Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit.

The survey results revealed that 18 out of 25 SAIs provide the background knowledge and information of the entity (item i), 19 SAIs include information pertaining to items (ii) to (iv), 16 SAIs include information on staffing requirements and only 12 SAIs include information on estimated cost of the audit, key project timeframes, milestones and the main control points of the audit in the performance audit plan (item vi). Details are shown in Table 13.

TABLE 13 INFORMATION INCLUDED IN THE PERFORMANCE AUDIT PLAN

| NO. | INFORMATION IN THE AUDIT PLAN | INCLUDED IN THE AUDIT PLAN FOR PERFORMANCE AUDIT (TOTAL) | (%) | NOT INCLUDED IN THE AUDIT PLAN FOR PERFORMANCE AUDIT (TOTAL) | (%) | NOT APPLICABLE (TOTAL) | (%) | NO ANSWER (TOTAL) | (%) |
|---|---|---|---|---|---|---|---|---|---|
| 1. | Background knowledge and information needed to understand the entity to be audited | 18 | 72 | 2 | 8 | 4 | 16 | 1 | 4 |
| 2. | Initial assessment of the problem risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit | 19 | 76 | 1 | 8 | 4 | 16 | 1 | 4 |
| 3. | Audit objective, questions or hypothesis, criteria, scope and period to be covered by the audit | 19 | 76 | 1 | 8 | 4 | 16 | 1 | 4 |
| 4. | Methodology, including techniques to be used for gathering evidence and conducting the audit analysis | 19 | 76 | 1 | 8 | 4 | 16 | 1 | 4 |
| 5. | Overall activity plan which includes staffing requirements (i.e. sufficient competencies, human resources, and possible external expertise required for the audit) | 16 | 64 | 4 | 16 | 4 | 16 | 1 | 4 |
| 6. | Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit | 12 | 48 | 7 | 28 | 4 | 16 | 2 | 8 |

4.3.10 Preparing Audit Plan for Compliance Audit

ISSAI 4100 on Compliance Audit Guidelines - For Audits Performed Separately from the Audit of Financial Statements states the following steps in developing the compliance audit plan:

i. Determine the subject matter, criteria and scope of compliance audit;
ii. Understand the entity;
iii. Understand the control environment and internal control system;
iv. Risk assessment of the subject matter/audited entity;
v. Consideration of risks of fraud;
vi. Determine reliance on internal controls; and
vii. Link identified risks to audit strategy (audit procedures).

Survey results revealed that a range of 13 to 18 SAIs perform the above steps in developing the compliance audit plan. Although 18 out of 25 SAIs (72%) understand the entity, only 13 SAIs (52%) link the identified risks to audit strategy. Details are illustrated in Table 14.
TABLE 14 STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN AS PER ISSAI 4100

| NO. | STEPS | PERFORMING THE STEPS (TOTAL) | (%) | NOT PERFORMING THE STEPS (TOTAL) | (%) | NOT APPLICABLE (TOTAL) | (%) | NO ANSWER (TOTAL) | (%) |
|---|---|---|---|---|---|---|---|---|---|
| 1. | Determine the subject matter, criteria and scope of compliance audit | 17 | 68 | 2 | 8 | 3 | 12 | 3 | 12 |
| 2. | Understand the entity | 18 | 72 | 1 | 4 | 3 | 12 | 3 | 12 |
| 3. | Understand the control environment and internal control system | 17 | 68 | 2 | 8 | 3 | 12 | 3 | 12 |
| 4. | Risk assessment of the subject matter/audited entity | 14 | 56 | 5 | 20 | 3 | 12 | 3 | 12 |
| 5. | Consideration of risks of fraud | 14 | 56 | 5 | 20 | 3 | 12 | 3 | 12 |
| 6. | Determine reliance on internal controls | 15 | 60 | 4 | 16 | 3 | 12 | 3 | 12 |
| 7. | Link identified risks to audit strategy (audit procedures) | 13 | 52 | 5 | 20 | 3 | 12 | 4 | 16 |

It is noted that SAI Japan did not provide its responses because specific information in its audit plan is confidential. SAIs Nepal and Vietnam conduct compliance audit together with the financial audit or performance audit and therefore there are no responses from them.

SAIs of Bahrain, Bangladesh, India, Indonesia, Jordan and Singapore reported other steps performed by them besides the steps detailed in ISSAI 4100 (Table 15).

TABLE 15 OTHER STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN

| SAI | CONTENTS OF PLANNING MEMORANDUM |
|---|---|
| Bahrain | Understand all related business processes; Prepare documents and information flowcharts for business processes; Identify all probable and expected risks; Classify identified risks (High, medium, low); Identify risky areas and prepare the audit plan and work program based on the areas |
| Bangladesh | Special compliance audits and pilot ISSAI compliant compliance audit plans must be approved |
| India | Allocation of audit resources for the audits to be undertaken |
| Indonesia | Understanding expectation and objective of the assignment of compliance audit |
| Jordan | Size of job, mandate, time, implementation |
| Singapore | Identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control (Singapore Standards on Auditing 315 issued by the Institute of Singapore Chartered Accountants) |

In line with the requirements pertaining to compliance audit, SAIs are also expected to include the following information in their compliance audit plans:

i. Description of identified criteria related to the scope and characteristics of the compliance audit and to the legal, regulatory or appropriations framework;
ii. Description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria; and
iii. Description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments.

The survey results revealed that 60% out of 25 SAIs included information on item (i), 48% of the SAIs included the information on item (ii) and 56% of the SAIs included information on item (iii) (Figure 10).
FIGURE 10 INFORMATION INCLUDED IN THE COMPLIANCE AUDIT PLAN
[Bar chart: for each of items (i) to (iii), the number of SAIs for which the item is included in the audit plan for compliance audit, not included in the audit plan for compliance audit, and not applicable.]

4.3.11 Determining Materiality at the Planning Stage

Materiality is a key element in risk-based auditing as it is an important consideration in defining audit objectives and criteria, defining the extent of audit procedures and forming conclusions. ISSAI 1320 on Materiality in Planning and Performing the Audit requires SAIs to apply the concept of materiality in planning and execution phases and in evaluating the effect of identified misstatements on the audit and uncorrected misstatements in the financial audit. For compliance audit, ISSAI 4000 requires the auditor to determine materiality to form a basis for the design of the audit and for performance audit, the auditor is required by ISSAI 3000 to consider materiality at all stages of the audit process, including the financial, social and political aspects of the subject matter.

In the survey conducted, it is revealed that most of the SAIs determined materiality in audit planning and performance for the financial audit. On the other hand, there are only 15 SAIs (Australia, Bahrain, Bangladesh, China, India, Indonesia, Iran, Iraq, Jordan, Korea, Kuwait, Malaysia, Mongolia, Nepal and Vietnam) which determined materiality for performance audits and 14 SAIs (56%) determined materiality for compliance audits.
Details are shown in Figure 11.

FIGURE 11 SAIS DETERMINING MATERIALITY IN PLANNING AND PERFORMING THE AUDIT
[Bar chart: for financial audit, performance audit and compliance audit, the number of SAIs determining materiality, SAIs not determining materiality, and not applicable.]

4.4 Internal Control System and Risk Assessment

4.4.1 Internal Control System

The evaluation of the internal control system, together with risk analysis and identification, is an essential procedure for audit planning as per ISSAI 1315 "Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment". Since 2004, INTOSAI has incorporated the Committee of Sponsoring Organisations (COSO) framework in its internal control standard guidelines (INTOSAI.GOV 9100 and 9120). The COSO Framework is a tool for auditors to use to evaluate the internal control system with the purpose of identifying and analysing risk during the audit process. In this framework, there are five components of internal control: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.

Based on survey results (Figure 12), only 12 (Australia, Bahrain, Bangladesh, Cambodia, China, Indonesia, Iran, Kuwait, Malaysia, Mongolia, Philippines and Vietnam) out of 25 SAIs adopted the COSO Framework in understanding the entity’s internal control.

FIGURE 12 ADOPTION OF COSO FRAMEWORK
[Pie chart: SAIs adopting the COSO Framework; SAIs not adopting the COSO Framework; not applicable. Values shown: 13 (52%) and 12 (48%).]

Several SAIs which did not adopt the COSO Framework, i.e. SAI Bangladesh, Cyprus, Japan, Jordan, Korea and Nepal, described alternative methods as per Table 16.

TABLE 16 ALTERNATIVE METHODS IN UNDERSTANDING INTERNAL CONTROL SYSTEM

| SAI | EXPLANATION |
|---|---|
| Bangladesh | The internal control questionnaire included in the Entity Wide Audit Manual has been developed using the COSO Framework. |
| Cyprus | No explicit assessment of the internal controls of audited entities is usually performed. Understanding of the internal control environment and its effectiveness normally arises during the audit or from previous audit experience. |
| Japan | When conducting audits, the BOA takes into consideration effectiveness of internal control in auditees’ organizations. On the other hand, in Japan, many government organizations, such as the State, are not required to adopt internal control framework such as COSO framework. However, some organizations including independent administrative agencies adopt the idea corresponding to COSO Framework. |
| Jordan | We have Internal Control Regulation with mandatory application. |
| Korea | Although COSO Framework is not stated in the BAI’s financial audit manual, a standard internal control system, including COSO, is used. |
| Nepal | We do not specifically spell out the COSO, however, our procedure covers components of internal controls discussed by COSO framework. Please refer to Financial Audit manual for detail. |

In spite of the significant number of SAIs which did not adopt the COSO Framework, the majority of respondent SAIs consider the components of the COSO Framework in understanding or assessing the entity’s internal control. Details are as per Table 17.

TABLE 17 COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK CONSIDERED BY SAIs

| COMPONENT | CONSIDERING TO USE (TOTAL) | (%) | NOT CONSIDERING TO USE (TOTAL) | (%) |
|---|---|---|---|---|
| Control Environment | 22 | 88 | 3 | 12 |
| Risk Assessment | 22 | 88 | 3 | 12 |
| Control Activities | 24 | 96 | 1 | 4 |
| Information and Communication | 21 | 84 | 4 | 16 |
| Monitoring Activities | 23 | 92 | 2 | 8 |

4.4.2 Risk Assessment

ISSAI 1003 on Glossary of Terms to INTOSAI Financial Audit Guidelines mentions three types of risk: inherent, control and detection.
Definitions of the three risks are as follows:

Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Control risk is the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure, and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

Detection risk is the risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

ISSAI 1330 on Auditor’s Response to Assessed Risks requires the auditor to design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement (a function of inherent and control risks) at the assertion level. The risk of material misstatement (inherent and control risks) and detection risk constitute the concept of audit risk, or the risk that the auditor will express an inappropriate conclusion if the subject matter information is materially misstated. ISSAI 200 Fundamental Principles of Financial Auditing requires the auditor to reduce audit risk to an acceptably low level in the circumstances of the audit.

The survey results showed that while control risk is being considered in the preparation of the audit plan by 22 out of 25 SAIs (88%), detection risk is only considered by 17 SAIs (68%). Details are as shown in Table 18.
TABLE 18 RISK ASSESSMENT IN THE PREPARATION OF AUDIT PLAN

| RISK | ASSESSING THE RELEVANT RISK (TOTAL) | (%) | DO NOT ASSESS THE RISK INVOLVED (TOTAL) | (%) |
|---|---|---|---|---|
| Inherent risk | 21 | 84 | 4 | 16 |
| Control risk | 22 | 88 | 3 | 12 |
| Detection risk | 17 | 68 | 8 | 32 |

4.5 Summary

This part reported the findings based on the questionnaire in relation to the research objective on determining the methods used by the ASOSAI members in developing the risk-based audit plan. Descriptive analysis is used for analysing the results. The research study found that the methods used by the ASOSAI members in developing the financial, performance and compliance audit plans are in accordance with ISSAI 1300, ISSAI 3000 and ISSAI 4000. Risk assessment and analysis as well as materiality are considered in developing the audit plans. The research study also found that half of the SAIs adopt the COSO framework to establish, assess and enhance their internal controls.

PART 5 RESULTS BASED ON EXTENDED STUDY

5.1 Introduction

This part discusses the results of the extended studies of 7 SAIs, whereby 4 SAIs fully adopted the risk-based audit approach and the remainder adopted a combination of approaches.

5.2 Analysis of the Results

5.2.1 Analysis on 7 Selected SAIs’ Practices

As mentioned earlier in Part 3, a survey questionnaire prepared to obtain information on developing the risk-based audit plan was distributed among all ASOSAI members. Based on the information in the questionnaires received, all participating SAIs in this 11th ASOSAI Research Project agreed that good practices from several selected SAIs would be beneficial as the reference for further analyses. Initially, there were 11 SAIs (Australia, Bangladesh, Cyprus, India, Indonesia, Iraq, Jordan, Malaysia, Nepal and The Philippines) selected for extended study based on their responses to the questionnaire.
However, only 7 SAIs (Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal and Philippines) submitted their audit planning documents. The documents received from the 7 SAIs are:

i. Australia – Financial Audit Guide – Bridge, Financial Audit Guide – Risk Assessment Documents (RAD), Materiality Template, PAAM 70.1 Engagement Risk Rating, Performance Audit Manual, Performance Audit Work Plan Template, Risk Assessment Template and Summary Planning Memorandum Template.
ii. Bangladesh – Fraud Audit Manual, Financial and Compliance Audit Manual, Procurement Manual, Investigation Manual, Audit Plan (Sample), Environment Audit Report and Experience Sharing on Financial Audit.
iii. Indonesia – Financial Audit Guidelines, Performance Audit Guidelines and Special Purpose Audit Guidelines.
iv. Iraq – Guide on Performance Evaluation for Programs and Policies and Audit Approach on Risk Method.
v. Malaysia – Guidelines on Auditing Based on ISSAI, Guidelines – 200 Identifying and Assessing the Risks of Material Misstatement and Guidelines – 300 Audit Planning Memorandum.
vi. Nepal – Financial Audit Manual and Performance Audit Guide.
vii. Philippines – Integrated Results and RBA Manual and IRRBAM – Forms and Templates.

5.2.2 Findings on Extended Study

5.2.2.1 Analysis on Audit Approaches

Analysis of both the questionnaires and the documents submitted by the 7 selected SAIs found that only 3 out of 7 SAIs solely adopt Risk-based Audit in all types of audit. The remaining 4 SAIs use both RBA and system-based approach in their audit works. The summary of the audit approaches adopted by the 7 SAIs is as follows:

TABLE 19 AUDIT APPROACHES
Approaches (table columns): Fully RBA; RBA & System-based or other approaches
SAIs (table rows): Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal, Philippines

The 4 SAIs that have fully adopted RBA are Australia, Indonesia, Nepal and Philippines, while the other SAIs use both RBA and other approaches.
It is also found that there are different approaches other than the aforementioned method. This indicates the diversity in the methodologies adopted by ASOSAI members. Other approaches include results-oriented, problem-based, transaction-based, fundamental and topic-based audit.

This research will focus only on the RBA approach in the planning stage. This study is conducted in order to foster the adoption of risk-based auditing, especially in audit planning, as a tool to achieve effective audit in the long run. Even though there are SAIs which do not fully adopt RBA, the majority of respondents take risks into account in their audit planning. This means they might unconsciously already implement a few aspects of the RBA approach, but not in a very structured way.

5.2.2.2 Risk Based Audit Planning

Similar to ISSAI 1300, 3000, and 4000 that require the development of audit plans for financial, performance and compliance audits, respectively, not all respondent SAIs prepare separate audit plans. The research findings indicate that almost all SAIs follow ISSAI 1300 and prepare separate audit plans for compliance audit, financial audit and performance audit, except SAI Philippines. The summary of methods in developing the RBA Plan by the 7 selected SAIs is as follows:

TABLE 20 RBA PLAN
Plan types (table columns): Separate RBA Audit Plan; Combine RBA Audit Plan
SAIs (table rows): Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal, Philippines

Based on the analysis, it is believed that each type of audit has a different objective, scope and methodology, so a separate guideline for each type of audit may help the auditor to conduct the audit effectively.

Further analysis of the SAIs’ documents also found that almost all SAIs follow the ISSAI during audit planning for all types of audit. In developing the RBA Plan for financial audit, understanding the entity and its environment is the first step in planning the audit.
After that, SAIs will understand the entity’s internal control, conduct risk assessment, determine materiality and establish the audit strategy and audit plan. Detailed information on the financial audit plan is in Table 21.

TABLE 21 METHODS IN DEVELOPING RBA PLAN: FINANCIAL AUDIT
Steps (table columns): Understanding entity and its environment; Understanding the entity’s internal control; Determining materiality; Conducting risk assessment procedures; Establishing audit strategy and audit plan
SAIs (table rows): Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal, Philippines
Source: RBA Documents from the 8 selected SAIs

Based on the RBA documents on performance audit, the research found that only 4 SAIs follow all the requirements under ISSAI 3000 on the performance audit plan. Nepal and Philippines only follow a few requirements, such as understanding the entity and subject matter, defining the scope of audit and choosing audit methodology. However, Bangladesh does not use RBA for the performance audit plan. The detailed steps followed by the SAIs for the RBA performance audit plan are in Table 22.

The study also shows that only Bangladesh and Indonesia use RBA in planning the compliance audit, while Iraq, Malaysia and Nepal do not use RBA for compliance audit. SAI Philippines only follows a few steps of the RBA for the compliance audit, as its approach is an integrated audit plan for all kinds of audit. The detailed steps followed by the SAIs for the RBA compliance audit plan are in Table 23.
TABLE 22 METHODS IN DEVELOPING RBA PLAN: PERFORMANCE AUDIT
Steps (table columns):
- Selecting audit topics that are auditable (assessing auditability)
- Assessing potential audit topics in terms of risks, materiality and problems identified
- Selecting an audit topic
- Understanding the entity and the subject matter (what is audited)
- Defining the audit objectives and audit questions
- Defining the scope of audit
- Setting the audit criteria
- Choosing audit methodology, including techniques to be used for gathering evidence and conducting the audit analysis
- Determining overall activity plan
- Estimating cost of the audit, key project timeframes and the main control points of the audit
- Identifying intended users and responsible party
SAIs (table rows): Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal, Philippines

TABLE 23 METHODS IN DEVELOPING RBA PLAN: COMPLIANCE AUDIT
Steps (table columns):
- Defining the subject matter and the corresponding audit criteria
- Understanding the entity and its environment
- Understanding the entity’s internal control
- Assessing risk
- Establishing materiality for planning purpose
- Developing audit strategy and audit plan
SAIs (table rows): Australia, Bangladesh, Indonesia, Iraq, Malaysia, Nepal, Philippines
*Philippines use Integrated Results and Risk-based Audit for all types of audit

5.3 Extended Study on SAIs RBA Approach and Practices (Fully Adopted RBA)

Further analysis was done on the 7 SAIs that adopt solely RBA or together with other approaches in their audit planning. Three out of 7 SAIs have fully adopted the risk based audit plan. ANAO prepared the most comprehensive and detailed guidelines for both financial and performance audit, while SAI Indonesia prepared a detailed guideline for compliance audit.
The detailed processes and procedures related to the RBA for the three types of auditing (financial, performance and compliance audit) that were received from SAI Australia, Indonesia and Nepal are explained below:

5.3.1 Financial Audit

5.3.1.1 Australian National Audit Office (ANAO)

As required by the ISSAIs, for the first step of the planning stage, the auditor must gain an understanding of our client’s organization and complete the following documents:

• Business Understanding and Risk Identification (BURI);
• Entity’s Internal Control;
• Fraud Work Program; and
• Process Documentation/Walkthrough for the business process or accounting process.

After understanding the entity, the auditors commence the Risk Assessment Document (RAD). ANAO uses the RAD as their template to document their risk assessments for all significant business or accounting processes. The RAD documents consist of:

i. The identified inherent risks of material misstatement (ROMM) for each material financial statement line item (FSLI) within each significant business or accounting process at an assertion level; and
ii. Their assessment of each identified inherent ROMM.

The risks documented in the RAD are an input to the Bridge, in which they design and document the audit procedures they plan to undertake to address the assessed risks. They complete a RAD for each significant business and accounting process. In the RAD, they identify, by financial statement line item, the inherent risks of material misstatement and assess the level of that risk.

The Engagement Executive must review all RADs where a significant or elevated risk has been identified. The Manager must review all RADs. These reviews are undertaken prior to the commencement of the audit fieldwork.
FIGURE 13 PROCESS DOCUMENTATION/WALKTHROUGH FOR THE BUSINESS PROCESS OR ACCOUNTING PROCESS
[Diagram; elements: Fraud Assessment; Internal Control; Process documentation and walkthrough; Understanding; FSLI; Bridge; RAD (assertion level); BURI]
Source: ANAO Financial Audit Guide – Risk Assessment Document (RAD)

Through the completion of these documents, they are able to identify risk factors that may affect one or more assertions for the material Financial Statement Line Item (FSLI). The ROMM must be considered for each FSLI within the business or accounting process. It should be clear within the RAD which risks relate to which FSLI.

Below is guidance on how to complete the template. The following figure provides an overview of the process.

FIGURE 14 TEMPLATE ON ASSESSING RISKS AND INPUT TO THE BRIDGE
Identify Inherent Risk by FSLI
• Identify the set of assertions relevant to the FSLI or disclosure
• Identify risks
• Document the associated accounting process
Assess Impact on FSLI
• Determine likelihood
• Determine consequence
• Determine overall risk rating
• Document justification
Populate the Bridge
• Populate Bridge with Significant and Elevated risk
• Link all Normal risk to specific audit procedures in the Bridge that address that assertion
Source: ANAO Financial Audit Guide – Risk Assessment Document (RAD)

All significant risks are required to be transposed to the Bridge. One way to ensure this is to link all the risks from the RAD to the Bridge. The Bridge is an ANAO template used to document our planned audit approach and the outcome of that plan. They use it to document:

i. The identified and assessed risk of material misstatement (ROMM) at the financial report level and the assertion level; and
ii. Their audit response to the assessed ROMM, including the nature, timing and extent of their audit procedures and the link of those audit procedures to the relevant assertions.
The Bridge is central to their audit approach. A Bridge is completed for each significant business/accounting process/or financial statement line item (FSLI) every year. Each Bridge details their response to significant, elevated and normal risks of material misstatement.

In order to identify and assess the ROMM as required by standard, they determine materiality for the audit and perform risk assessment procedures as required by standard. Risk assessment procedures include completing the BURI, the Laws and Regulations template, process documentation and other planning procedures. The identified ROMMs are documented in the RAD and Bridge for the relevant Process/Account Balance/or FSLI. Once the risks and assertions are identified, audit procedures to address the risks are designed and recorded in the Bridge. The objective is to reduce to an acceptable level our risk that a material misstatement remains undetected.

FIGURE 15 THE BRIDGE PROCESS
[Diagram; elements: Identify Significant Bus/Acc Processes; Risk Assessment Procedures (incl BURI); RAD; Design Audit Response; Bridge; Update for Results of testing]
Source: ANAO Financial Audit Guide – Bridge

Before completion of planning, the Engagement Executive must review and sign off all Bridges which include significant risk(s) and/or critical areas of judgment, especially those relating to difficult or contentious matters, and a sample of Bridges which include Elevated and/or Normal risks. The Audit Manager must review and sign off all Bridges.

The Bridge is initially completed at the planning stage and is required to be updated during the audit to reflect the results of the audit procedures or changes that affect the audit approach. Each successive change to a Bridge must be reviewed at an appropriate level.
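The RAD-to-Bridge rules described in this section (Significant and Elevated risks populate the Bridge, Normal risks link to a procedure that addresses the same assertion, and the sign-off requirements) lend themselves to a mechanical completeness check. The following Python example is added here and is not ANAO's template or code; the data model, field names, role strings and sample risks are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

RATINGS = ("Normal", "Elevated", "Significant")


@dataclass(frozen=True)
class RadRisk:
    """One inherent ROMM from a RAD, rated at assertion level for one FSLI."""
    risk_id: str
    fsli: str
    assertion: str
    rating: str


@dataclass(frozen=True)
class Procedure:
    """One planned audit procedure on the Bridge (hypothetical structure)."""
    proc_id: str
    fsli: str
    assertions: frozenset
    risk_ids: frozenset = frozenset()  # RAD risks recorded individually against it


@dataclass
class Bridge:
    process: str
    procedures: list
    signed_off_by: set = field(default_factory=set)


def check_bridge(rad, bridge):
    """Return a list of findings; an empty list means the Bridge covers the RAD."""
    findings = []
    for risk in rad:
        if risk.rating not in RATINGS:
            findings.append(f"{risk.risk_id}: unknown rating {risk.rating!r}")
            continue
        # Procedures that address this risk's assertion for this FSLI.
        covering = [p for p in bridge.procedures
                    if p.fsli == risk.fsli and risk.assertion in p.assertions]
        if risk.rating == "Normal":
            # Normal risks only need a procedure addressing the assertion.
            if not covering:
                findings.append(f"{risk.risk_id}: no procedure addresses "
                                f"{risk.fsli}/{risk.assertion}")
        elif not any(risk.risk_id in p.risk_ids for p in covering):
            # Significant and Elevated risks must be carried onto the Bridge.
            findings.append(f"{risk.risk_id}: {risk.rating} risk is not recorded "
                            f"against a procedure for {risk.fsli}/{risk.assertion}")
    if "Audit Manager" not in bridge.signed_off_by:
        findings.append("sign-off: Audit Manager has not signed off")
    has_significant = any(r.rating == "Significant" for r in rad)
    if has_significant and "Engagement Executive" not in bridge.signed_off_by:
        findings.append("sign-off: Engagement Executive has not signed off "
                        "a Bridge that includes a significant risk")
    return findings


# Constructed sample data (not taken from any real audit file).
SAMPLE_RAD = [
    RadRisk("R1", "Revenue", "occurrence", "Significant"),
    RadRisk("R2", "Revenue", "completeness", "Elevated"),
    RadRisk("R3", "Cash", "existence", "Normal"),
    RadRisk("R4", "Cash", "completeness", "Normal"),
]
SAMPLE_BRIDGE = Bridge(
    process="Revenue and receipts",
    procedures=[
        Procedure("P1", "Revenue", frozenset({"occurrence"}), frozenset({"R1"})),
        Procedure("P2", "Revenue", frozenset({"completeness"})),  # R2 not recorded
        Procedure("P3", "Cash", frozenset({"existence"})),
    ],
    signed_off_by={"Audit Manager"},
)

if __name__ == "__main__":
    for finding in check_bridge(SAMPLE_RAD, SAMPLE_BRIDGE):
        print(finding)
```

The sample Bridge fails on three points: the Elevated risk R2 is not carried over, the Normal risk R4 has no procedure for its assertion, and the Engagement Executive sign-off is missing.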
The completed Materiality Template or Summary Planning Document is used as a reference to ensure that all material FSLIs (whether material by nature or quantum) are identified in a Bridge. FSLIs are used as the basis of our audit approach because they are required to assess the ROMM at the assertion level and the assertions describe qualities of financial information, not the qualities of processes.

Only significant and elevated ROMM are recorded individually on the Bridge. Normal ROMM may be documented in the RAD and are addressed in the Bridge with sufficient coverage over all assertions for the FSLI. Risks are described (for significant and elevated risks) with reference to a specific assertion. This will target the work required and will focus audit effort on specific risk.

For each Significant and Elevated Risk, the Auditors are required to document management’s key control(s), regardless of whether they intend to rely on the operating effectiveness of the control. No matter what level of assurance they obtain from tests of controls, some substantive procedures will always need to be performed for each material balance, class of transactions or disclosure.

5.3.1.2 Indonesia

Based on the BPKRI documentation, audit planning is conducted to prepare the Audit Program which will be used as the basis for the audit engagement, so the audit can proceed efficiently and effectively. The audit planning stage consists of ten (10) activity steps, which are:

i. Understanding Audit Objectives and Engagement Expectation
Understanding audit objectives and engagement expectation is conducted to find out what final result and audit objectives are expected by the Signing Officer as well as to determine the criteria to measure engagement performance obtained through communication between Auditors and the Signing Officer. Steps in understanding audit objectives and engagement expectation include:
a. Discussing and communicating with the Signing Officer
Together with the Signing Officer, Auditors build a clear understanding, which can be used as a basis to define, prioritize, and measure the Auditors’ performance in the audit engagement.
b. Submitting audit objectives and engagement expectation
Auditors carry out the step by reviewing (initial assessment) the entity and updating their knowledge on the entity’s scope of work. Initial consideration of such information enables Auditors to prepare for discussion with the Signing Officer and to determine areas to be further explored.
c. Setting audit objectives and engagement expectation
The formulated audit objectives and engagement expectation are documented in writing and signed by the Team Leader, Supervisor, Audit Manager, or Signing Officer.

ii. Understanding the Entity and Its Business Process
Understanding the entity and its business process is intended to gain in-depth and sufficient understanding of the general work processes and risks associated with each specific work process of the audited entity, as well as to identify and understand issues important to the entity in achieving its objectives.

iii. Understanding Previous Audit Reports
The objectives of this step are:
a. Obtain deeper understanding of the entity’s work processes and associated risks based on follow-up implementations on BPK’s recommendations;
b. Assess follow-up implementations on BPK’s recommendations; and
c. Analyse the impact of follow-up implementations on the audited financial statements.

iv. Conducting Initial Analytical Procedures
The purpose of this procedure is to help Auditors plan the nature, timeline, and scope of other procedures for the next stage, or audit procedures to be used to obtain audit evidence for account balances or specific transaction classes.
Initial Analytical Procedure Techniques commonly involve comparing recorded balances with other data (such as previous year’s balances, balances in related accounts, or similar posts in the previous year), using ratios or other related matters, and analysis of the industry/entity’s activities.

v. Understanding Internal Control System
Understanding the internal control system is intended to assess internal control undertaken by the entity to conduct its activities effectively and efficiently, and to assess the possibility of misstatement and fraud. In this step, Auditors also assess the possibility of misstatement caused by matters related to internal control environmental risks.

vi. Initial Risk Identification and Assessment
The objective of this step is to assess audit risks, so the prepared audit procedures can be focused on high-risk areas caused by misstatements or fraud, therefore making the audit process more effective and efficient. Inputs required in this step are:
a. Previous audit working papers (if this is a second-year audit or later), especially on risk assessment;
b. General review of the entity;
c. Results of fraud risk assessment;
d. Previously conducted discussion with the entity’s leader/management or its audit committee;
e. Previous discussions with personnel of the internal supervision work unit and reviewing internal supervision reports; and
f. Understanding of internal control.

vii. Setting Initial Materiality Threshold
Auditors set the materiality threshold for the financial audit. In developing the audit strategy, Auditors classify materiality into two (2) groups:
a. Planning Materiality (PM) relates to the financial statements as a whole; and
b. Tolerable Misstatement (TM) relates to individual accounts or financial posts.

viii. Determining Sampling Method
Auditors determine the sampling method based on professional judgment.
Sampling is a test element conducted by Auditors to provide assurance on the quality of information presented and disclosed in the financial statements. The sampling method utilized can be statistical or non-statistical.
a. Sampling by statistical method in control testing is conducted with attribute sampling method, while substantive testing is conducted with variable sampling method.
b. Sampling by non-statistical method is determined using the Auditors’ professional judgment by taking into account the scope of audit, risk and materiality levels, the accounting system used by the audited entity, and the cost and benefit principle.

ix. Fulfilling the Needs for Auditors
This step is carried out with the objectives of:
a. Forming an Audit Team with the appropriate expertise composition as required by the audit engagement;
b. Informing Audit Team Members about the forthcoming engagement, which covers audit objectives, audit scope, the Signing Officer’s expectations, and audit performance measures; and
c. Dividing audit tasks in line with their respective expertise and obtaining Audit Team Members’ commitment on their roles in completing the engagement and fulfilling the Signing Officer’s expectations, so the audit can be conducted effectively and efficiently.

x. Preparing Audit Program and Individual Audit Program
The objective of preparing the audit program is to summarize all planning steps into a formal documentation to be approved. The Audit Program explains in detail the type, timeline, and scope of audit procedures.

5.3.1.3 Nepal

The planning process for SAI Nepal on the financial and compliance audit consists of the following steps:

i. Understanding the Planning Process
The Strategic Plan; the annual audit plan - Tier I; the Ministry level (or Directorate level) plan - Tier II; the entity level plan (or detailed audit plan or audit program) - Tier III.

ii. Understanding the Entity Level Strategic Plan
The entity level strategic plan is the first activity in the audit process. It may be defined as the process that sets the direction of the audit and links the understanding of the entity’s operations to the focus of the audit work.

iii. Overall Audit Strategy
The overall audit strategy must set the scope, timing and direction of the audit. It should also guide the development of the detailed audit plan. The establishment of the overall audit strategy involves the summary of the audit work completed during the strategic planning phase of the audit.

iv. The Audit Plan
The audit plan is more detailed than the overall audit strategy in that it includes the nature, timing and extent of audit procedures to be performed by the team members. The basic purpose of detailed planning is to provide guidance on determining overall conclusions to date and designing and performing further audit procedures. This is done in order to respond to the identified risks of material misstatement at the financial statement and assertion levels done at the preliminary planning stage.

v. Planning Documentation (The Working Papers)
The auditors should document the operations of each audited component of the entity and the nature and type of audit tests to be completed. This documentation is to be kept in the relevant working papers, which an audit team is required to maintain. The system description is the first step to the detailed planning and should be completed for all components. It starts with the identification of key activities in the transaction life cycle. After this, inherent and control risks and management controls to mitigate these risks should be documented. The auditor should determine the responses to address the risks of material misstatement at the financial statement level.

vi. Understanding the Entity’s Business and Environment
In the entity level strategic planning phase, the auditor shall gather information to obtain an understanding of the following:
a. Overall understanding of the entity;
b. The entity’s accounting policies;
c. The entity’s control environment, and internal controls;
d. The measurement and review of the entity’s financial performance.

vii. Materiality
The objective of the auditor is to apply the concept of materiality appropriately throughout the audit, especially when:
a. Identifying the components to be audited (strategic planning);
b. Determining the nature, timing and extent of audit procedures (detailed planning); and
c. Evaluating the effect of misstatements (reporting).
During planning, the auditor should establish an acceptable materiality for the financial statements as a whole so as to plan to detect quantitative material misstatements. The auditor should calculate the quantitative materiality level as a numerical value based on professional judgment.

viii. Risk Assessment
Risk assessment procedures assist the auditor in obtaining an understanding of the entity and its environment. The procedures should be sufficient to identify and assess the risks of material misstatement both on the financial statements as a whole and for each relevant assertion relating to account balances.

ix. Planning Analytical Procedures
Analytical procedures are performed to assist in planning the audit and to enhance the overall understanding of the entity’s operations. To the extent that it has not been covered during the development of audit strategy and planning, the auditors should use analytical procedures to:
a. Analyse relevant information;
b. Discuss results with management.

x. Assessment of Internal and IT Controls
The auditor shall obtain an understanding of internal and IT controls relevant to the audit.
Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit.

xi. Consideration of Fraud
There are two types of fraud: fraudulent financial reporting and misstatement of assets. Although the auditor may suspect or, in rare cases, identify the occurrence of fraud, the auditor does not make legal determinations of whether fraud has actually occurred.

xii. Using the Work of Others
Due to technicalities of audit work, involving experts may also be necessary to obtain sufficient and appropriate audit evidence and to draw a conclusion on a specific issue.

xiii. Identification of Significant Financial Statement Accounts and Assertions
Using the information already collected during the planning analytical procedures, the analysis of relevant information and discussions with management, the auditor should identify the significant financial statement account balances and classes of transactions.

xiv. Audit Procedures Responsive to Risks of Material Misstatement
In designing further audit procedures, the auditor considers such matters as the following:
a. The significance of the risk;
b. The likelihood that a material misstatement will occur;
c. The characteristics of the class of transactions, account balance, or disclosure involved;
d. The nature of the specific controls used by the entity and in particular whether they are manual or automated;
e. Whether the auditor expects to obtain audit evidence which will be used to determine if the entity’s controls are effective in preventing, or detecting and correcting, material misstatements.
The nature of the audit procedures is of most importance in responding to the assessed risks.

xv. Routine and Non-Routine Transactions
Routine transactions record the entity’s day-to-day operations transactions with the outside world.
Non-routine transactions are transactions that are unusual either due to size or nature, or that occur infrequently.

xvi. Risks Assessment Process
Risks are the set of circumstances that hinder achievement of objectives. There are three components of risk: Risk Event, Probability of the Risk Event, and Impact of Risk Event (Risk Event Value). A Risk Event is a discrete occurrence that may affect the project for better or for worse.

xvii. Risk of Significant Misstatement
The risk of significant misstatements on the financial statements when they are received by the auditor is the combination of inherent risk and control risk. While developing the audit strategy and planning, the auditor should consider the entity-wide conditions or events that may increase the risk of significant misstatements. The risks facing the entity’s operations need to be considered, and whether these risks are likely to affect the financial statements and therefore have audit implications.

xviii. Critical Audit Objectives
Critical audit objectives often involve a high risk of significant misstatements and subjectivity in the evaluation of audit evidence. Audit objectives relating to non-routine transactions may also involve higher risk of significant misstatements or subjectivity in the evaluation of audit evidence.

xix. Audit Planning Memorandum
The Audit Planning Memorandum usually includes the following items as a minimum:
a. Technical aspects:
b. Background information, a brief history of the entity (ministry/department/project), and current financial position;
c. Recent developments, performance during the year, changes in entity’s operations, acquisitions, and dispositions/auctions;
d. Objectives and duties of the operations (ministries) highlighting analysis of key areas of the development plan and long-term plans;
e. Incorporation and analysis of the operation’s (Ministry’s) budget and work plan for the year and comparison of budget against the actual results of the entity;
f. A summary of the approach to obtaining an understanding of internal control;
g. A summary of the nature, timing and extent of audit procedures for critical audit objectives; and
h. A summary of work to be performed by internal auditors and/or specialists.
i. Audit Logistic Aspects:
j. Staffing, including details of the audit team members and other auditors;
k. Key people in the entity’s organization to be contacted;
l. The required type and timing of report on the audit of the financial statements and other reports to the entity; and
m. Timetable.

xx. Audit Program
As part of the planning stage and before any fieldwork can be performed, the auditor needs to create the audit program, which will identify the tests and the procedures required to meet the audit objectives identified in the audit planning memorandum.

5.3.2 Performance Audit

5.3.2.1 Australia National Audit Office (ANAO)

The two primary components of the start-up phase of an individual performance audit are:
i. Initial planning, including the collection of information about the entity and activity to be audited; and
ii. The preparation of an audit plan that will provide the basis for the conduct of the audit.

Key steps in the start-up phase are as follows:

FIGURE 17 KEY STEPS IN START-UP PHASE
Source: ANAO Performance Audit Manual

Prior to the preparation of the Audit Work Plan, agreement is required from the Executive before resources are expended preparing an Audit Work Plan. The estimate of the hours and cost of the planning phase for each audit must be approved by the responsible Group Executive Director. Planning involves developing an overall plan for the scope, emphasis, timing and conduct of the audit.
The audit plan should set out the approach for the nature, timing and extent of evidence-gathering procedures. Formal approval should be sought for any change significant enough to impact on the audit objective, scope, budget or timeframes. Obtaining an understanding of the activity and its context is an essential part of planning and conducting a performance audit. It includes gaining a knowledge of the entity(s) that is responsible for the activity, and where relevant, the broader program of which the activity is part.

5.3.2.2.1 Audit Work Plan (AWP)

The AWP shall include: a rationale for undertaking the audit; background for the audit; the audit objective(s), scope and criteria; audit method; likely impacts; identification and consultation with internal and external stakeholders; the audit's budget, milestones and target dates; and an overall performance audit engagement risk and operational risk rating. Prior to developing the AWP, the audit team should set up a project in Change point so that costs, including staff time costs, can be allocated to the audit. A Change point project is established by request made to the Performance Audit Service Group (PASG) Business Unit. Change point will generate and assign a unique project code (PAR code) and provides a budgeting tool for estimating the audit budget and timeline.

a. Rationale for Undertaking the Audit
The AWP outlines the rationale for conducting the audit. The following table illustrates examples that should be incorporated in a rationale:

TABLE 24 RATIONALE FOR CONDUCTING THE AUDIT

Materiality: High value of assets, annual expenditure or annual revenue of the entity or the program, activity or function.
Sensitivity: High public visibility of the program; importance of the program to particular client groups; strong Parliamentary or community interest in the performance of the program.
Impact: Significant impact of the activity, even when it is undertaken by a small unit within an entity with low materiality.
Key area/issue presenting risks or challenges to Commonwealth administration: The program or activity being a government initiative that is directly related to a key area/issue presenting risks or challenges to Commonwealth public administration.
Potential benefits from the audit: More efficient business processes; greater accuracy in claims processing; better management of contracts; closer adherence to Commonwealth policies; greater accountability through accurate performance reporting; earlier detection of risks to good management or prevention of fraud.
Previous coverage: No previous ANAO performance audit coverage; very limited internal review of a significant program; possibility of a follow-up audit foreshadowed in a previous ANAO audit; a follow-up audit requested by a Parliamentary committee.
Value for money: Multiple factors need to be taken into account when determining value for money. Refer to the Supplementary Guidance for details on applying a value for money perspective.

Source: ANAO Performance Audit Manual

b. Background to the Audit
Each AWP includes background information regarding the entity, program or function to be audited. This background information reflects and generally builds on the material for the particular audit that was included in the planned Audit Work Program.

c. Audit Objective
The audit objective is a key statement that is intended to define the intention of the audit and must be expressed in terms that can be concluded against, such as statements like ‘the audit reviewed the administration of program xyz’. The objective of a performance audit is to provide an assessment of specified elements of an entity's operations. The assessment should address one or more of the following: administrative effectiveness; efficiency; or compliance.
These terms are defined as follows:

The audit objective and the audit scope are interrelated and should be considered together. The audit objective needs to be realistic and achievable and give sufficient understanding to the entity and other relevant parties about the focus of the audit. The audit objective also provides the basis for developing the audit criteria and the audit approach.

d. Audit Criteria
Suitable criteria shall be established to enable an assessment of the matters subject to audit. They shall be expressed in the form of a question that will be subsequently answered in the findings and conclusion of the audit. Audit criteria are reasonable and attainable standards of performance against which the extent of administrative effectiveness, efficiency or compliance aspects of an entity’s programs or activities can be assessed. They reflect a desirable (normative) model for the subject matter being reviewed. They represent good practice, a reasonable expectation of what should be. Criteria may range from general to specific. Suitable criteria must be identified for each audit. Suitable criteria are those that are relevant to the subject matters being audited and appropriate to the circumstances.

e. Audit Scope
The audit scope defines the boundary of the audit. Determining the scope of the audit is a critical part of the planning process as it directly affects the procedures and resources that will be required to complete the audit and the matters that will be reported. The scope is usually established based on information obtained in previous audits and information gathered during the planning phase or through the conduct of a scoping study. Materiality and risk are generally considered together and assist to identify that part of the entity, program or function that is material and/or high-risk and, therefore, within scope.
In assessing materiality and risk, a team would consider both quantitative and qualitative factors. Auditability refers to assessing whether particular matters can be included within the scope, that is, whether suitable criteria and audit approaches are available or can be established within the timeframes proposed. In defining the scope of the audit, it can also be useful to specify any associated matters that are not within the scope of the audit and the reasons for their proposed exclusion from the audit.

The audit method sets out the means to be used to collect information relating to the audit criteria. The method explains the intended use of specific data collection tools such as sample surveys, case studies, interviews, document reviews, compliance and/or system control analysis and testing. The audit method also specifies where and why particular fieldwork is to be carried out and lists the involvement of any external stakeholders.

f. Likely Impacts
The likely impacts describe the expected benefits of conducting the audit. Audit teams may find it useful to consider the interests of relevant stakeholders, such as Parliament, Commonwealth entities or the public, when assessing the likely impacts of the audit. Performance audits should result in a lasting benefit to the entity (or entities) audited, the Parliament or taxpayer, for example, through improved service delivery, financial savings or improved governance.

g. Stakeholders
i. Internal stakeholders: engaging the IT Audit Branch
ii. External stakeholders
iii. Citizen contribution
The Audits in Progress section of the ANAO website has a feature that allows members of the public to contribute information during the evidence collection stage for all performance audits.
The facility enables and promotes closer public engagement with the audit process and aligns with broader Australian Government initiatives to promote the use of technology to encourage more open and transparent government, to have the public inform policy, and to provide better access to government information.

h. Budget, Milestones and Target Dates
The estimated tabling date for each audit specified in the AWP shall take into account the Parliamentary Calendar and the spread of tabling dates throughout the year. Each AWP should include the key milestones and target dates for the audit. These are the dates for:
i. The proposed commencement of the audit;
ii. Key points of PASG executive and the executive consultation (where required);
iii. Reporting milestones; and
iv. The proposed tabling of the report.

i. Duration of Audit
If there is likely to be a significant delay between the date the AWP is approved and the conduct of the entry interview (or commencement of the actual audit where an entry interview is not practical), an explanation of the reasons for this should be included in the AWP for Executive consideration and decision.

j. Cost of an Audit
This includes the estimated costs of staff resources and the employment of contractors and experts, and the estimated costs of travel and report publication. The costs of the initial planning phase of the audit and scoping study, where undertaken, are also to be included.

k. The Audit Team
The audit team shall have the appropriate level of skills, competence and knowledge to conduct a performance audit. The planning of an audit includes an assessment of whether the team has adequate skills, competence and knowledge to undertake the particular audit. In determining the composition of the audit team, it would be expected that the following factors will be taken into consideration:
i. The experience of the Audit Manager;
ii. The number, level and experience of other team members;
iii. The benefit of utilizing the IT Audit Branch to assist in conducting elements of the audit;
iv. The benefit of engaging specialists and/or experts to support the in-house team in addressing complex and/or technical issues; and
v. The complexity and expected impact of the audit.
The work of the audit team should be carefully directed and supervised throughout the audit to ensure that the work will meet the ANAO Auditing Standards.

l. Engaging Contractors, Specialists or Experts
The Auditor-General, or delegate, may at any time engage the services of a person under contract, with agreed terms of engagement, to assist with a performance audit. The AWP should specify the reasons why contract resources are required, the proposed involvement of the contractor, specialist or expert, and the estimated costs.

m. Materiality, Risk Assessment and Management Plan
The AWP for each audit shall briefly identify any significant risks or issues confronting the audit. A detailed risk assessment and management plan is completed and attached to the AWP that addresses each risk and its corresponding mitigation strategy. The audit team considers materiality and performance engagement risk when planning and conducting an audit so that performance audit risk is reduced to an acceptable level. Performance engagement risk means the risk that the auditor expresses an inappropriate conclusion when the performance of an audited activity is not materially effective, efficient or economic. This would arise where the conclusion is based on evidence that is not soundly based or that is improper or incomplete as the result of inadequacies in the evidence-gathering process, misrepresentation or fraud.

Performance audit operational risk refers to the risk that an audit will not be completed in accordance with the approved budget and timeframe and to the required quality.
Areas of possible operational risk can include:
i. The reputation of the ANAO arising, for example, from potential conflicts with the results of previous audit coverage;
ii. The complexity of the audit itself; that is, the subject matter, the approach being used and the proposed analytical techniques;
iii. The potential delays in obtaining access, documentation and/or being able to hold discussions with relevant entity staff;
iv. The availability of appropriate audit resources;
v. Unexpected changes to the audit team;
vi. Changes to staff or administrative arrangements in the entity or program subject to audit;
vii. Timely availability and reliability of entity information and data; and
viii. The quality of relations with the entity.

Each identified operational risk needs to be analysed by the degree of its likelihood of occurring and impact and consequence on the audit if it occurs. Because this process is often qualitative, i.e. based on stakeholders’ subjective judgements about the risk, it is best to keep the range of descriptions simple.
i. Evaluating operational risks involves assessing both likelihood and impact to determine the overall level of risk to the audit. The level of risk will determine the governance level required in managing it - high level risks require higher levels of governance input and approval; low level risks can be managed by the lowest governance level, such as an audit team member; and
ii. In selecting treatments for operational risks there are a number of approaches that decision-makers may take. Whatever approach is taken, it will be necessary to determine if any residual operational risk remains and to re-evaluate it.

5.3.2.2 Indonesia

The purpose of the audit planning in performance audit is to design the Audit Work Plan and Audit Program of a detailed audit. These documents will be used as basis for the detailed audit, so it can be conducted efficiently and effectively.
The audit planning activities consist of 7 stages:

a. Determining Audit Potential Topics
The preliminary step in performance audit planning is to determine the audit potential topic. Each audit working unit must prepare a potential topic. The main purposes of determining audit potential topics are:
i. In order to enable the performance audit to improve the government performance in providing the public service;
ii. In order to enable the audit to be more focused, so that the audit can be conducted efficiently and effectively; and
iii. In order to enable the limited audit resources to be allocated in the proper audit topics.
iv. The inputs which are required for this activity cover:
v. Strategic plan and the board’s policy on the performance audit;

b. Designing Preliminary Audit Program
Information which can be stated in the Preliminary Audit Program is as follows:
i. Basis of audit;
ii. Standard of audit;
iii. Audited organization/program;
iv. Audited fiscal year;
v. Identity and general information of the audited entity;
This Preliminary Audit Program will be used by the auditor as guidelines in the operation planning stage to identify:
i. Issues/problems related to the audited entity/program;
ii. Key area which becomes the focus in the implementation of the detailed performance audit;
iii. Objective and scope of performance audit;
iv. Criteria of audit to be used; and
v. Type of evidence and procedures of audit.

c. Entity Understanding and Issues Identification
The auditor requires entity understanding in order to understand the main activity, business process, encountered issues and problems, and regulations related to the audited entity/activity/program. In order to identify significant issues of the entity, there are two main approaches which can be used, namely the result-oriented approach and the process-oriented approach.

d. Determining the Key Area
The key area is an area, division, program or activity which is the focus of an audit in the audited entity. The determination of a key area is very important so that the audit can be more focused on the audit objective and the use of more efficient and effective audit resources is feasible. In order to determine the key area priority, the selection factors approach will be used.

e. Determining the Objective and Scope of Audit
The performance audit objective must be seriously considered and clearly stated. The objective must be defined clearly in order to help the audit team in taking the final conclusion at the end of the audit. If the audit objective has been correctly and clearly stated, the audit will be more directed to the activities that respond to the questions arising from the audit objective. Therefore, the performance audit objective must be defined accurately, in order to avoid unnecessary audit procedures. The benefits of the determination of the objective and scope of audit are:
i. To assist in identifying issues to be audited and reported;
ii. To assist in focusing the audit evidence collection activities;
iii. To prepare the parameter or measurement of the audit limits such as the audited period or location of the site audit to be chosen; and
iv. To help the audit team in making the decision at the end of audit.
The necessary inputs in the determination of audit scope and objectives activity are the outputs of the entity understanding and issues identification activities and the outputs of the key area determination activity. The steps required for determining the objective and scope of audit are determining the audit objective and determining the audit scope.

f. Determining the Audit Criteria
Criteria are standards of performance that make sense and can be achieved, used to evaluate the economy, efficiency and effectiveness aspects of the activities performed by the audited entity.
The criteria reflect a normative model of control of the issues which are being reviewed. The criteria represent good practices, namely a reasonable expectation of ‘what is supposed to be’. If the conditions meet or exceed the criteria, this indicates that the entity has implemented the best practices. On the other hand, if the condition does not meet the criteria, this indicates that an improvement is necessary.

g. Drafting of Audit Work Plan and Detailed Audit Program
After the auditor conducts a preliminary audit and decides to do a detailed audit, the next step is to set up the Audit Work Plan and audit program of the detailed audit. The Audit Work Plan for the detailed audit is a BPK detailed audit activity plan in one year covering the topic of audit, audit type, human resources requirements and audit budget. The main objectives of drafting the detailed audit work plan are to determine the detailed audit topics to be carried out in one year, and to determine the resources allocation, in the form of human resources, timing and budget required for each audit topic. An adequate audit program is able to identify the significant aspects of the audit; is prepared based on clear and accurate supporting information; provides guidance in implementing effective evaluation; and assists in collection of audit evidence which is sufficient, reliable, and relevant to support the opinions/statements of opinion or the audit conclusions and achieve the audit objectives.

5.3.2.3 Nepal

The process and procedures of the RBA plan for performance audit are almost the same as for financial audit. In general, the planning process for performance audit can be shown in this figure.
FIGURE 18 PERFORMANCE AUDIT PLANNING PROCESS
Review Background Information of the Entity
Review Operational Objectives, Strategy and Mandates
Prepare Segment Operation Model
Perform Operational Process Analysis
Perform Risk Assessment
Determine Audit Objectives, Scope and Methodology
Audit Questions
Specify Audit Criteria
Prepare Audit Planning Memorandum
Source: Nepal Performance Auditing Guide

Generally, the RBA approach for performance audit in Nepal is almost the same as for financial and compliance audit. The summary of the RBA process for the performance audit can be expressed as Table 5. .

5.3.3 Compliance Audit
Based on the documents received, SAI Australia and Nepal do not have a specific compliance audit. The compliance audit is part of the financial audit. Only Indonesia has a specific risk-based audit plan for compliance audit.

5.3.3.1 Indonesia
Based on the document received from SAI Indonesia, audit planning for compliance audit consists of 5 stages, which are:

a. Understanding the Audit Objectives and Engagement Expectation
Understanding the audit objectives and engagement expectation is carried out to reduce the risk of misinterpreting the requested task or the expectations of other parties, both by the Auditors and by the Signing Officer. Such understanding is obtained through communication between the Auditors and the signing officer, taking into account the following inputs:
i. Previous year’s financial statements, performance, and special purpose audit reports.
ii. Monitoring reports of follow-up on financial statements, performance, and special purpose audits.
iii. Government internal audit reports.
iv. The entity’s database.
v. Communication with the previous Auditors.
The Auditors should properly communicate verbally or in writing with the signing officer, the result of which must be documented in the audit objectives and engagement expectation form.
The form should be signed by the signing officer and the Auditors to ensure uniform perception of the engagement. The form is used as one of the bases for preparing an audit plan.

b. Understanding the Entity
Understanding the audited entity is intended to obtain data and information on:
i. The entity’s objectives;
ii. The entity’s main programs/activities;
iii. Objectives of the programs/activities;
iv. The entity’s accounting system;
v. Procedures to implement and supervise activities;
vi. Resources used to carry out activities; and
vii. Previous audit results and other studies associated with the audited matter.
Comprehensive understanding of the entity’s objectives, goals, strategies, and activities helps the Auditors in identifying:
i. How the management can achieve the entity’s objectives and goals,
ii. The risks associated with achieving these goals, and
iii. How the management manages risks to achieve the entity’s objectives and goals.

c. Assessing Risk and Internal Control
Steps in assessing risks are as follows:
i. Identify risks faced by the entity and the impacts of such risks on the attainment of the entity’s objectives. The step is documented in the form of a risk identification working paper.
ii. Take into consideration the impacts of laws and regulations, and the possible risk of fraud.
iii. Determine whether the entity has a sufficient control system to identify and mitigate such risks. If the entity is found to have a weak control system, the Auditors can: (1) stop internal control testing and write a conclusion on it, or (2) carry out substantive testing by expanding the scope of audit and evidence gathering.
iv. Set the audit to focus on areas with high risk potential for further audit after taking into account points i, ii and iii above, which can affect the organization’s activities, programs, and/or its public service functions to be audited.
To determine these key areas, the auditors assess the internal control system (through understanding and testing) against risk potentials of the entity by sampling based on risk level.

d. Setting Audit Criteria
When planning compliance audit, the auditors need to set criteria:
i. As a basis for communication between the Auditor and the audited entity’s management regarding the form of the audit. The Auditors will make an agreement with the specific entity regarding the criteria and the acceptability or unacceptability of findings based on the criteria.
ii. As a tool to link the objectives with the audit program during evidence gathering and analysis.
iii. As a basis for evidence gathering and the foundation for establishing evidence gathering procedure.
iv. As a basis to establish findings, and to add structure and the form of audit observation.
Once the sources of criteria have been obtained, the Auditors should check the suitability of such criteria for use. The proper criteria should be reasonable and attainable. Reasonable criteria should be relevant and reliable, while attainable criteria are those that can be achieved with sufficient effort.

e. Preparing Audit Program and Individual Audit Program
The purpose of preparing Audit Program and Individual Work Program is to make it easier and smoother for the Auditors to carry out their tasks so the audit implementation will be in line with the specified audit objectives. The prepared Audit Program contains information on legal basis, audit standards, audit objectives, audited entity, audit scope, results from understanding the internal control system, audit goals, audit criteria and others.

5.3.4 Integrated Results and Risk-Based Audit Plan (Philippines)
The Commission on Audit (SAI Philippines) primarily uses the Integrated Results and Risk-Based Audit (IRRBA) Manual in conducting an integrated comprehensive audit and government-wide and sectoral performance audit.
Comprehensive audit comprises financial audit, compliance audit, and agency-based performance audit. IRRBA is composed of five main phases: (1) Strategic Planning and Risk Identification, (2) Agency Audit Planning and Risk Assessment, (3) Execution, (4) Conclusion and Reporting, and (5) Monitoring (see Figure 4.2). Audit planning occurs at two levels: government level (Strategic Planning and Risk Identification) and agency level (Agency Audit Planning and Risk Assessment).

FIGURE 19 IRRBA FRAMEWORK
Source: IRRBA Manual, Commission on Audit (2011)

5.3.4.1 Strategic Planning and Risk Identification

i. Perform Government Risk Identification
In this activity at the strategic level, SAI Philippines identifies the risks that the Philippine Government as a whole may face in achieving its objectives.

a. Develop/Update the Government Risk Model (GRM)
The Government Risk Model (GRM) (Form 01-01) is a framework consisting of risks categorized into groups that could threaten the government as a whole or the specific processes of the government. The GRM includes a definition of each risk to have a common understanding of risks. Risks are categorized as strategic risk, operations risk, financial risk and compliance risk.

b. Identify Government Risks
In this activity, the SAI identifies risks which may hinder the government as a whole from achieving its objectives. The sources of risk identification include the State of the Nation Address of the President of the Philippines, the Medium Term Philippine Development Plan, previous annual audit reports, media reports and the knowledge of the auditors. This activity is documented using the Government Risk Identification Template (GRIT) (Form 01-02) which plots the key government risks and the affected agencies including processes, programs, activities or projects.

c. Report the results of GRI
The results of the GRI are cascaded down to the concerned audit groups through the SAI Strategic Planning.

5.3.4.2 Agency Audit Planning and Risk Assessment

i. Prepare Agency Audit Work step
The Agency Audit Work step Template (Form 02-01) is accomplished by the Audit Team Leader for each audited entity. It contains a phase by phase detail of the IRRBA showing the estimated time to complete each phase and the audit team member assigned to complete each activity.

ii. Understand the Agency
This activity involves the identification of risks applicable to the agency (agency risks). In identifying the agency’s risks, the auditor obtains sufficient understanding of the agency including its purpose, operations and environment. This may be done through the review of relevant information of the agency and its environment, inquiry to the management and others within the agency, and analytical procedures on financial and non-financial information. This is documented using the Understanding the Agency (UTA) Template (Form 02-02).

iii. Identify Significant Agency Risks
In this activity, the auditors of a particular agency convene to update the Agency Risk Model and to identify and prioritize agency risks. At this level, they may also identify Key Fraud Risks which shall be evaluated and assessed through the Fraud Brainstorming and Fraud Risk Assessment.

a. Update the Agency Risk Model
The Agency Risk Model (Form 02-03) is a framework consisting of a list of agency risks which is customized per Agency by obtaining information from the UTA template. It serves as the guide in identifying agency risks. Agency risks are also categorized as strategic risk, operations risk, financial risk and compliance risk.

b. Assess Agency Risks
In this activity, the auditor identifies agency risks based on the UTA and GRIT. Identification of risks could be done through workshop, survey or interview.
This is documented using the Agency Risk Identification Matrix (Form 02-04).

c. Prioritize Significant Agency Risks
After the identification of agency risks, the auditors prioritize risks which are significant based on the risk rating provided. Significant risks will be the audit team’s focus for their audit.

iv. Understand and Assess Agency-level Controls
The auditor obtains an understanding of agency-level controls through inquiry and observation due to the nature of agency-level controls and because audit evidence may not exist or be available in documentary form. In this activity, the five components of internal control are considered: control environment, risk assessment, monitoring, information and communication, and control activities. This is documented using the Agency-Level Controls (ALC) Checklist (Form 02-05).

v. Understand the Process
Significant processes where significant agency risks reside are the subject of understanding the process.

a. Identify critical path of the process
In this activity, the auditor obtains an understanding of the critical path of significant processes by understanding each of the following stages:
● Initiation – the point where the transaction first enters the agency’s process and is prepared and submitted for recording
● Recording – the point where the transaction is first recorded in the books and records of the agency
● Processing – any changes, manipulation or transfers of data in the books and records of the agency
● Reporting – the point where the transaction is reported (i.e., posted) in the general ledger

b. Identify process risks
Process risks refer to points where risks of material misstatement or risks to the Agency Program/Activity/Project (PAP) objectives, due to error or fraud, can occur in the significant process. Not all process risks are identified, but only those that could have a material effect on the objectives of the process or PAPs.
Professional judgment is used in identifying the appropriate level of detail.

c. Identify Impact
The auditor determines the impact of the process risk by identifying the affected accounts, including assertions, and its impact on the attainment of the objectives of an agency’s PAPs.

d. Identify Existing Controls
In this activity, the auditor identifies the existing controls that address the identified process risks and determines whether the design of these controls mitigates the identified process risks. Any identified process risk with no controls in place or with inadequate controls is communicated to management to provide them time to address and resolve the control deficiency. The auditor performs a walkthrough to obtain a preliminary assessment of the effectiveness of controls. The process mapping flowchart, including the identification of process risks, controls and impact, is documented using the Process-Risk-Control (PRC) Matrix (Form 02-06).

vi. Conduct Audit Risk Assessment
The information obtained in UTA, ALC and PRC will be the basis in evaluating and quantifying risks in the audit. The auditor assesses risk for financial, compliance and agency-based performance audit.

a. Financial and Compliance Audits
In conducting risk assessment for financial and compliance audits, the auditor assesses risk for each relevant assertion for each significant account.

i. Identify significant and material financial statement accounts
Significant accounts are the affected accounts identified in the understanding the process using the PRC Matrix. Material accounts are those which fall above the materiality threshold and are considered material based on qualitative factors. Financial statement accounts that will be assessed are those that are significant and material.

ii. Assess inherent risk
Inherent risk is assessed as either high or low.
If the auditor believes that there is a higher likelihood that a material misstatement could occur, inherent risk is assessed as High. If the auditor believes that it is less likely that a material misstatement could occur, inherent risk is assessed as Low.

iii. Preliminary Assess Control Risk
The preliminary evaluation is made after understanding the significant processes, risks and controls and after performing walkthroughs, but before any test of controls is performed. Control risk is assessed as Low if controls have been designed and are operating effectively throughout the period of reliance. On the other hand, control risk is assessed as High if:
● It is believed that the controls have not been designed appropriately, implemented effectively, or are unlikely to operate effectively throughout the period of reliance
● Substantive procedures are identified which are believed to provide the necessary evidence to support the related account balances or disclosure
● It is believed that testing controls would be inefficient

iv. Make Combined Risk Assessment (CRA)
The auditor combines the assessments on inherent and control risks into one CRA:
[CRA matrix: Inherent Risk Assessment (Low, High) against Control Risk Assessment (Low, High); resulting CRA levels: Minimal, Low, Moderate, High]

v. Other Material Accounts (OMA)
Other Material Accounts (OMA) refer to material financial statement accounts that were not considered as significant based on the results of Agency Risk Assessment and Understanding the Process. The auditor uses high precision analytical procedures for OMAs (but this procedure should not be redundant with the Analytic Review procedures done in the UTA Template).

b. Performance Audit
In conducting assessment for Performance Audit, the auditor considers the following factors in evaluating each of the agency’s PAPs:
Quantitative Factor: Budget
Qualitative Factors:
a. Risk to good management
b. Significance
c. Visibility
d. Previous Audit Coverage
The risk assessments for Financial, Compliance and Performance Audits are documented using the Audit Risk Assessment and Planning Tool (ARAPT) (Form 02-07).

i. Determine Audit Scope and Timing
The auditor defines the audit scope or the boundaries and limitations of the audit.

ii. Determine the need for specialized skills
The auditor determines whether to use the work of an appropriate expert. The details of the work plan (i.e., scope, audit strategy, timing) form part of the ARAPT.

5.4 Extended Study on SAIs RBA Approach and Practices (Combination of RBA and Other Approaches)
The research results show that the common actual process in preparing the plan among the SAIs covers the following steps:
a. Understanding the Entity and Its Business Process (including previous audit reports);
b. Conducting Initial Analytical Procedures;
c. Understanding the Internal Control System;
d. Initial Risk Identification and Risk Analysis;
e. Risk Assessment: IR, CR, DR;
f. Determining the Audit Materiality, Criteria;
g. Preparing Audit Plan Memorandum.
Those procedures are in line with ISSAI 1300 (Planning an Audit of Financial Statement), ISSAI 1315 (Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment), and ISSAI 1320 (Materiality in Planning and Performing an Audit). Similar to ISSAI 1300, the research also shows that the auditor shall include in the audit documentation: (a) The overall audit strategy; (b) The audit plan; and (c) Any significant changes made during the audit engagement to the overall audit strategy or the audit plan, and the reasons for such changes. The documentation of the overall audit strategy is a record of the key decisions considered necessary to properly plan the audit and to communicate significant matters to the engagement team.
For example, the auditor may summarize the overall audit strategy in the form of a memorandum that contains key decisions regarding the overall scope, timing and conduct of the audit. A planning memorandum is one form of this kind of documentation. The common approaches in preparing the planning memorandum include the following information:
a. Basic information of the entity (including related parties and significant events);
b. Audit objective and scope;
c. Audit methodology (including understanding the internal control system, risk assessment, materiality, and sampling);
d. Audit resources (team, budget, timeline/timeframe);
e. Targeted area (significant risks); and
f. Audit Program.
Meanwhile, the different approach covers information about audit standard and audit criteria.

5.4.1 Risk Based Audit Plan for Financial Audit
The extended study found that most of the respondents have already implemented them in real audit practice. From the perspective of a principle-based standard, how to do the procedure might differ from one SAI to another. But the most important thing is that each SAI has made appropriate efforts, through its own manuals and templates, to comply with the requirements of ISSAIs. From the analysis, it has been found that there are no different approaches on all the particular steps (5 steps). The common approach uses templates, matrix, checklist, or audit program based on their standards, manuals, and guidelines.
Based on the research results, we may conclude that the audit plan for financial audit should include a description of the nature, timing and extent of planned risk assessment procedures; the nature, timing and extent of planned further (substantive) audit procedures at the assertion level; and other planned audit procedures that are required to be carried out in compliance with other ISSAIs.
It means the majority have performed the steps required by ISSAIs 1315 and 1330 in preparing an audit plan for financial audit.

5.4.2 Risk-based Audit Plan for Performance Audit
In line with the requirements of ISSAIs 3000, 3100, and 3200, the research findings also indicate that, in preparing an audit plan for performance audit, SAIs should implement the following steps:
a. Understanding the audit topic and identifying problems in the area;
b. Selecting a focus for the audit or the "audit problem";
c. Designing and implementing responses to these assessed risks of material misstatements;
d. Developing audit memorandum (and/or audit plan).
The majority of the audit plans for performance audit contain the following information:
b. Background knowledge and information needed to understand the entity to be audited.
c. Initial assessment of the problem and risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit.
d. Audit objective, questions or hypotheses, criteria, scope and period to be covered by the audit.
e. Methodology, including techniques to be used for gathering evidence and conducting the audit analysis.
f. Overall activity plan which includes staffing requirements, i.e. sufficient competencies, human resources, and possible external expertise required for the audit.
g. Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit.

5.4.3 Risk-based Audit Plan for Compliance Audit
In line with the requirements of ISSAIs 4000 and 4100, research findings indicate that, in preparing an audit plan for compliance audit, SAIs should implement the following steps:
a. Determine subject matter, criteria and scope of compliance audit;
b. Understand the entity;
c. Understand the control environment and internal control system;
d. Risk assessment of the subject matter/audited entity;
e. Consideration of risks of fraud;
f. Determine reliance on internal controls; and
g. Link identified risks to audit strategy (audit procedures).
The steps related to risk assessment and responses to assessed risks are the ones that still need to be performed by ASOSAI Members (below 60% conduct these steps) so as to comply with ISSAI. The majority of the audit plans for compliance audit contain the following information:
i. The subject matter, criteria and scope of compliance audit;
ii. Description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria;
iii. Description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments.

5.5 Summary
Based on the evaluation of documents from those 7 selected SAIs, the general structure of the risk-based audit approaches was in accordance with ISSAIs and includes the following steps:

| STEPS | FINANCIAL AUDIT | PERFORMANCE AUDIT | COMPLIANCE AUDIT |
|---|---|---|---|
| 1 | Understanding the entity and its environment | Selecting an audit topic as part of the strategic planning process | Identifying intended user(s) and responsible party |
| 2 | Understanding the entity’s internal control | Assessing potential audit topics in terms of risks, materiality and problems identified | Defining the subject matter and the corresponding audit criteria |
| 3 | Conducting risk assessment procedures | Selecting audit topics that are auditable (assessing auditability) | Understanding the entity and its environment |
| 4 | Determining materiality | Understanding the entity and the subject matter (what is audited) | Understanding the entity’s internal control |
| 5 | Establishing audit strategy and audit plan | Defining the audit objective(s) and audit questions | Assess risk |
| 6 | - | Defining the scope of the audit | Establishing materiality for planning purpose |
| 7 | - | Setting the audit criteria | Developing audit strategy and audit plan |
| 8 | - | Choosing audit methodology, including techniques to be used for gathering evidence and conducting the audit analysis | - |
| 9 | - | Determining overall activity plan which includes staffing requirements, i.e. sufficient competencies, human resources, and possible external expertise required for the audit | - |
| 10 | - | Estimating cost of the audit, key project timeframes, milestones and the main control points of the audit | - |

Source: RBA Documents from the 7 selected SAIs

Even though there are differences in audit approach among participants, the majority of SAIs agreed that the RBA Plan benefits the auditors.

PART 6 CONCLUSION AND IMPLICATIONS

6.1 Introduction
This part discusses the conclusion in relation to the research objectives, implications and limitations of the research. It proposes some suggestions for future research.

6.2 Conclusion of Research
This study explores the methods used by the ASOSAI members in developing risk-based audit plans for financial, performance and compliance audits in compliance with ISSAIs. It also identifies the practices of the members in developing the plans for the three types of audits. The study stems from the survey of ASOSAI members’ preferences on the topic for the 11th research project. It focuses on risk-based audit planning, and data are collected using survey questionnaires and documentation reviews.

6.2.1 Adoption of Risk-Based Audit Approach
The conclusion that can be drawn is that not all SAIs adopted the risk-based approach either fully or partially in planning the audit. This suggests that the differences in their legal status, mandates and authorities influence their adoption of the approach.
Further analysis showed that although the percentage of adoption is slightly than half of the respondents, the majority of the SAIs recognised that risk analysis is important in improving their audit effectiveness as well as improving risk management and governance processes by reporting its assessment of the risks of the audited entity. This is also supported by the results showing that most of them agreed on the benefits of preparing the risk-based audit plan. Slightly half of the SAIs, whether they adopted the risk-based audit approach fully or partially, have structured guidelines for preparing the audit plans. In terms of the audit plan, most of the SAIs prepare a separate audit plan for each type of audit.

6.2.2 Methods for Developing Risk-Based Audit Plan
It can be concluded that the methods in developing risk-based audit plans, in terms of the audit procedures and steps as well as the information in the plan for the financial, performance and compliance audits, generally comply with ISSAIs 1300, 4000 and 3000. SAIs’ compliance with ISSAIs varies according to their mandates and regulatory requirements. Some SAIs use their own standards in carrying out the audits.

i. Financial Risk-Based Audit Plan
Most of the SAIs comply with ISSAI 1315 (Identifying and assessing the risks of material misstatement through understanding the entity and its environment) and ISSAI 1330 (The auditor’s responses to assessed risks) on the inclusion of the nature, timing and extent of planned risk assessment as well as substantive audit procedures in the audit plan. More than 70% of the SAIs performed the ISSAIs’ five steps in developing the financial audit plans, which include understanding the entity and its environment; identifying and assessing the risks; designing and implementing responses; identifying specific procedures; and determining the audit procedures and extent of testing.
The SAIs used models/programmes/forms/tables/matrices/guides for all the steps in developing the audit plan.

ii. Performance Risk-Based Audit Plan
It can be concluded that most of the SAIs comply with the ISSAIs’ 3 steps for developing the risk-based audit plan for performance audit. The three steps are understanding the audit topic and identifying problems; selecting the focus area or the audit problem; and designing and implementing responses to the assessed risks. Most of the SAIs’ audit plans contained the background knowledge and information regarding the audited entity; initial assessment of the problem risks, sources of evidence, auditability and materiality/significance of the audit area; objective, questions/hypothesis, criteria, scope and duration of audit; and methodology including audit gathering techniques and audit analysis. The information on staffing requirements, estimated cost of audit, key project timeframes and milestones is only included by some SAIs.

iii. Compliance Risk-Based Audit Plan
As compared to the financial and performance audits, SAIs’ compliance with the steps outlined in ISSAI 4100 for developing an audit plan for compliance audit is lower, i.e. 13-17 SAIs. The steps required are determining the subject matter, criteria and scope; understanding the entity; understanding the control environment and internal control system; risk assessment; consideration of fraud risks; extent of reliance on internal control; and linking the identified risks to audit procedures. The study showed that only 13 SAIs linked the identified risks to audit procedures. Analysis of the information included by the SAIs in the audit plan revealed that slightly half of the SAIs described the subject matter, criteria, scope, nature of the timing and extent of planned audit procedures to the audit criteria and risk assessment. Only some SAIs described the nature of the timing and extent of risk assessment procedures.
6.2.3 Assessing Risk, Materiality and Internal Controls
It can be concluded that materiality in planning and performing the audit is very much emphasised in the financial audit, followed by the performance and compliance audits. The COSO framework on internal control is used by less than half of the SAIs. Even though other SAIs did not formally adopt the framework, they considered the components of the COSO framework to understand or assess the entity’s internal control. The components include control environment, risk assessment, control activities, information and communication, and monitoring activities. The survey research showed that most of the SAIs considered the control and inherent risks rather than the detection risk in preparing the audit plan.

6.2.4 Practices in Developing Risk-Based Audit Plan
Based on the extended study, which reviewed the documents submitted by the respondents, it can be concluded that the majority of the SAIs do not fully adopt the risk-based audit approach. Only SAI of Australia, SAI of Indonesia, SAI of Philippines and SAI of Nepal adopted the approach fully. The four SAIs have structured and detailed risk-based audit planning guidelines. The financial risk-based audit plans for SAI Australia and SAI Nepal include the compliance audit. SAI Indonesia has a specific risk-based plan for compliance audit. SAI Philippines has an integrated audit plan for financial, performance and compliance audits.

i. Financial Risk-Based Audit Plan
The practices in developing the risk-based audit plan for the financial audit are in accordance with ISSAI 1300. In developing the financial risk-based audit plan, the common practices conducted by the SAIs which fully or partially adopted the risk-based audit approach are as follows. Firstly, the auditor must thoroughly understand the audited entity in terms of the business, associated risks and internal control.
This can be done by reviewing the documents, walking through the business/accounting process, or discussion with the audited entity. Secondly, the auditor must perform risk identification and assessment so that the audit procedures will be focused on high risk areas caused by misstatements or fraud. Thirdly, in developing the audit strategy, the auditor must consider the materiality threshold to identify the topics/areas to be audited and to determine the nature, timing and extent of audit procedures. Lastly, the auditor develops the risk-based plan including the audit programmes.

ii. Performance Risk-Based Audit Plan
The practices carried out by the SAIs who fully and partially adopt the risk-based audits in developing the risk-based performance audit plan are in accordance with ISSAI 3000. Based on ANAO practices, the steps involved are:
a. The auditor must gain an in-depth understanding of the programme/activity/project and its context. The appropriate information to be gathered includes objectives of the entity; external and internal accountability relationships, resources, management processes, performance goals, methods of programme delivery, external environment and other publicly available information on the programme.
b. The auditor must consider materiality and risk so that the risk is reduced to an acceptable level. Materiality must be considered in the context of qualitative and quantitative factors. The auditor must assess the performance engagement risk and the performance audit operational risk.
c. Lastly, the auditor develops the audit planning memorandum. The content includes the rationale for undertaking the audit, background for the audit, the audit objective(s), scope and criteria, audit method, likely impacts, identification and consultation with internal and external stakeholders, audit budget, milestones, target dates and overall performance audit engagement risk and operational risk rating.
iii. Compliance Risk-Based Audit Plan

The practices carried out by the SAIs who fully and partially adopt the risk-based audits in developing the risk-based plan for the compliance audit are in accordance with ISSAI 4000. The five-stage practice in developing the risk-based plan for the compliance audit includes understanding the audit objectives and engagement expectation, understanding the entity, assessing risk and internal control, setting audit criteria, and preparing the audit programme and individual audit programme (Indonesia).

6.3 Implications of Research

i. ASOSAI

ASOSAI should encourage all the members to adopt/follow the risk-based audit approach. The implementation of risk-based audit methodology in accordance with ISSAIs will enable the auditors to perform the audits more efficiently and effectively. ASOSAI could conduct training programmes or workshops on the risk-based audit approach. SAIs with in-depth knowledge of the facets of risk may contribute to the implementation of risk-based audit plans at the regional or sub-regional levels. ASEAN Supreme Audit Institutions (ASEANSAI) has recently completed the long-term training programme on ISSAIs implementation (2013 – 2018) on financial risk-based audit, which resulted in the creation of a pool of experts/trainers.

ii. SAI

The support and commitment of the Heads of SAIs are critical for the adoption of the risk-based audit approach at the SAI level. To implement the approach, SAIs need to revise or align their auditing guidelines or manuals. There should be structured and detailed guidelines or manuals on risk-based audit planning. The SAIs should conduct their training programmes on ISSAIs risk-based auditing. The exchange of knowledge and experiences on the approaches of risk-based audit planning is useful for the auditors.

6.4 Limitations of Research

Some limitations should be considered when interpreting the results of this study.
Firstly, the results are based on 25 SAI respondents, which limits the generalizability of the results to the 48 ASOSAI member SAIs. Secondly, there is insufficient empirical study on the risk-based audit planning practised in the public sector as compared to the private sector. This limits the discussion of the findings. Thirdly, this study’s research method uses samples of audit engagements among ASOSAI member countries in developing the risk-based audit plans. Comparison with the private sector practices is not made due to time constraints. Lastly, the accuracy of the responses given by the SAIs also affects the validity and reliability of the study results.

6.5 Suggestions for Future Research

In spite of the limitations, this study’s findings provide evidence of the methods and practices conducted by the SAIs in developing the risk-based audit plan for the financial, performance and compliance audits. Future research is warranted to look into private sector practices in developing the risk-based audit plan which can be emulated by ASOSAI member SAIs. The research scope could be expanded to include the execution and implementation stages besides the planning stage. Comparison with the practices of the internal auditors will assist the public sector auditors to understand the risk-based audit approach and prepare the audit plan.

Appendix 1

11th ASOSAI Research Project Survey Questionnaire

[The questionnaire is prepared to obtain information for developing Risk Based audit plan under ARP]

Background: As per ASOSAI Strategic Plan 2016 – 2021, the ASOSAI Secretariat on the basis of survey among SAIs of the region has taken the topic “Methods for developing Risk-Based Audit Plan” as 11th ASOSAI Research Project (ARP) as selected at the 49th Governing Board meeting held in Kuala Lumpur, Malaysia in February 2015. In this regard, you are humbly requested to provide the following information:

I. Basic Information of your SAI;
II. Information pertaining to the preparation of audit plan (or risk-based audit plan);
III. How the internal control system and risk are being assessed; and
IV. Documentation in the preparation of Risk-Based audit plan

The information will be used in the research project that can be used by the auditors as reference in the preparation of a Risk-Based Audit Plan which may sufficiently increase the audit qualities given the low level or scarce resources.

Please submit the filled-in questionnaire to ___________ at_________ by________ (should be typewritten in English and prepared in Microsoft Word format).

Country of your SAI:
Name and Position of respondent:

I. Basic Information of your SAI

a) Establishment year:
b) Constitutional/Legal status:
c) Mandate (functions/ responsibilities)
d) Type of SAI (Westminster, Judicial, or Board/Collegiate):

II. Information pertaining to the preparation of Audit Plan or Risk-Based Audit Plan (please tick in the answer boxes)

Columns: Questions; Answers (Yes / No / Not Applicable)

1. Types of Audit Conducted and Audit Approach/Methodology

(a) What are the types of audit conducted by your SAI?
    (i) Financial Audit
    (ii) Performance Audit
    (iii) Compliance Audit
    (iv) Others (Please specify) _________________________ _________________________

(b) Do you prepare separate Audit Plan for each type of audit conducted?

(c) What is the audit approach/methodology being adopted by your SAI?
    (i) Risk-Based Audit Approach
    (ii) Systems-Based Audit Approach
    (iii) Others (Please specify) _________________________

(d) If you adopt risk-based audit approach, do you have a structured guideline in preparing a risk-based audit plan? If yes, please describe the process briefly

(e) Do you use risk analysis for the preparation of the Audit Plan?

(f) Do you prepare a Planning memorandum for financial, compliance and performance audit? If yes, please enumerate and describe briefly the contents of your planning memorandum

(g) Do you think the following benefits were achieved in preparing a Risk-Based Audit Plan? (As per paragraph 2 of ISSAI 1300)
    (i) Helping the auditor to devote appropriate attention to important areas of the audit
    (ii) Helping the auditor in identifying and resolving potential problems on a timely basis
    (iii) Helping the auditor properly to organize and manage the audit engagement so that it is performed in an effective and efficient manner
    (iv) Assisting in the selection of engagement team members with appropriate level of capabilities and competence to respond to anticipated risks, and the proper assignment of work to them
    (v) Facilitating the direction and supervision of engagement team members and the review of their work

2. Preparing Audit Plan for Financial Audit

(a) Does your Audit Plan for financial audit include a description of the following:
    (i) Nature, timing and extent of planned risk assessment procedures (ISSAI 1315)
    (ii) Nature, timing and extent of planned further (substantive) audit procedures at the assertion level (ISSAI 1330)
    (iii) Other planned audit procedures that are required to be carried out in compliance with other ISSAIs

(b) Do you perform the following steps in developing an audit plan for financial audit?
    (i) Obtain an understanding of the entity and its environment, including the entity’s internal control
        If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description).
        ___________________ ___________________
    (ii) Using the understanding of the entity to identify and assess the risks of material misstatement at the financial statement and assertion levels (Risk Assessment)
        If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description if needed).
        ___________________
    (iii) Designing and implementing responses to these assessed risks of material misstatements
        If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description if needed).
        ___________________ ___________________ ___________________
    (iv) Identify specific procedures required for material financial statement areas
        If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description if needed).
        ___________________ ___________________
    (v) Determine what audit procedures and the extent of testing required
        If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description if needed).
        ___________________ ___________________
    (vi) Please specify other steps not enumerated above (You may use separate sheet of paper for description if needed).
        ____________________ _____________________ _____________________

3. Preparing Audit Plan for Performance Audit

(a) Do you perform the following steps in developing an audit plan for performance audit?
    i. Understanding the audit topic and identifying problems in the area
    ii. Selecting a focus for the audit – “the audit problem”
    iii. Designing and planning the audit engagement
        - Methodological planning (audit design)
        - Administrative planning
    iv. Please specify other steps not enumerated above (You may use separate sheet of paper for description if needed).
        ______________________________ _______________________________

(b) Does your Audit Plan for performance audit contain the following information?
    i. Background knowledge and information needed to understand the entity to be audited.
    ii. Initial assessment of the problem and risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit.
    iii. Audit objective, questions or hypotheses, criteria, scope and period to be covered by the audit.
    iv. Methodology, including techniques to be used for gathering evidence and conducting the audit analysis.
    v. Overall activity plan which includes staffing requirements, i.e. sufficient competencies, human resources, and possible external expertise required for the audit
    vi. Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit

4. Preparing Audit Plan for Compliance Audit

(a) Do you perform the following steps in developing an audit plan for compliance audit?
    i. Determine subject matter, criteria and scope of compliance audit
    ii. Understand the entity
    iii. Understand the control environment and internal control system
    iv. Risk assessment of the subject matter/audited entity
    v. Consideration of risks of fraud
    vi. Determine reliance on internal controls
    vii. Link identified risks to audit strategy (audit procedures)
    viii. Please specify other steps not enumerated above (You may use separate sheet of paper for description if needed).
        ____________________ _____________________

(b) Does your Audit Plan for compliance audit contain the following information?
    i. A description of identified criteria related to the scope and characteristics of the compliance audit and to the legal, regulatory or appropriations framework
    ii. Description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria
    iii. Description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments

5. Determining Materiality at Planning Stage

(a) Do you determine materiality in planning and performing the audit for:
    i. Financial Audit
    ii. Performance Audit
    iii. Compliance Audit

III. Internal Control System and Risk Assessment

Columns: Questions; Answers (Yes / No); Remarks

a) Do you use the COSO Framework in understanding the entity’s internal control?
    i. If the answer is No, please indicate the framework followed? (You may use separate sheet of paper for description if needed).
        ____________________________

b) Do you consider the following components in understanding/assessing the entity’s internal control?
    (i) Control Environment
    (ii) Risk Assessment
    (iii) Control Activities
    (iv) Information and Communication
    (v) Monitoring Activities

c) Do you consider the assessment of the following risks in the preparation of the Audit Plan?
    (i) Inherent Risk
    (ii) Control Risk
    (iii) Detection Risk

IV. Documentation (Contents/Elements of the Audit Plan)

[Audit planning documents contain an overall activity plan which includes staffing requirements i.e. sufficient competencies, human resources and possible external expertise required for the audit, an indication of the sound knowledge of the auditors according to the type of audit, background information of the auditee organization etc.]

1. Please enumerate the elements/contents of your Audit Plan for Financial Audit giving brief description of each element:
   Your answer: (You may use separate sheet of paper for description if needed).

2. Please enumerate the elements/contents of your Audit Plan for Performance Audit giving brief description of each element:
   Your answer: (You may use separate sheet of paper for description if needed).

3. Please enumerate the elements/contents of your Audit Plan for Compliance Audit giving brief description of each element:
   Your answer: (You may use separate sheet of paper for description if needed).

4. If you have any other relevant comments regarding the whole issue, please specify below (You may use separate sheet of paper for description if needed).

Appendix 2

RESEARCH TEAM MEMBERS

NO. 1. 2. 3. 4. 5. 6. COUNTRY Bangladesh Indonesia Iran 7. 8. TEAM MEMBERS Mr. Anisur Rahman Mr. Gour Chandra Roy Mr. Endra Noviandy Sujadi Mr. Dedi Suprianto Mr. Hadi Favachi Mr. Abbas Ghaderiazad Mr. Khalid Hussein Ali Iraq Ms. Najah Suhail Abed 9. Mrs. Israa Ezziddeen Ali 10. Ms. Eman E Kh A Alhuwaidi 11. Kuwait Mr. Abdullah Ahmed AlSubaie 12. Mr. Talal Tareq Alwaheeb 13. Ms. Patimah Ramuji 14. Malaysia (Chair) 15. 16. 17. Ms. Ivy K Yon Philippines 18. 19. 20. 23. 24. Russia 27. Ms. Abigael Jamille Paraiso Julao Mr. Vladimir Kuleshov Mr. Mikhail Karev Mrs. Ekaterina Nikitina Saudi Arabia South Korea 25. 26. Ms. Sofia Cabides Gemora Mr. Vadim Dubinkin 21. 22. Ms. Jannaatu ‘Adnin Maslan Mr. Abdulrahman Mohammed Mr. Mohammad Falah Al Wahby Ms. Joo Yean Cho Mr. Soowan Hong Vietnam Mr. Nam Hoai Le Mr. Bach Xuan Do