Methods for Developing Risk-Based Audit Plan · 2018. 9. 6.


TABLE OF CONTENTS

ACKNOWLEDGMENT

TABLE OF CONTENTS

LIST OF ABBREVIATIONS

LIST OF TABLES

LIST OF FIGURES

ABSTRACT

PART 1 INTRODUCTION

1.1 Background of the Research

1.2 Problem Statement

1.3 Research Objectives and Scope

1.4 Significance of the Study

1.5 Summary

PART 2 LITERATURE REVIEW

2.1 Introduction

2.2 Risk-Based Auditing

2.3 Risk-Based Auditing Approach

2.4 Risk-Based Auditing Planning

2.5 Audit Risks

2.6 Attributes of a Good Audit Planning Memorandum

2.7 Summary

PART 3 RESEARCH METHODOLOGY

3.1 Introduction

3.2 Research Methodology

3.3 The Descriptive Design

3.4 Research Instrument

3.5 Data Collection

3.5 Summary

PART 4 RESULTS BASED ON QUESTIONNAIRE

4.1 Introduction

4.2 Descriptive Results

4.3 Adoption of Risk-Based Audit Approach

4.4 Preparation of the Audit Plan/Risk-Based Audit Plan

4.5 Methods in Developing Risk-Based Audit Plan

4.6 Summary

PART 5 RESULTS BASED ON EXTENDED STUDY

5.1 Introduction

5.2 Analysis of Results

5.3 Extended Study on SAIs RBA Approach and Practices (Fully Adopted RBA)

5.4 Extended Study on SAIs RBA Approach and Practices (Combination of RBA and Other Approaches)

5.5 Summary

PART 6 CONCLUSION AND IMPLICATIONS

6.1 Conclusion

6.2 Implications

6.3 Limitations

6.4 Suggestions for Future Research

REFERENCES

Appendix A Questionnaire

Appendix B Research Team Members

ACKNOWLEDGEMENTS

It is with immense pleasure that the National Audit Department of Malaysia (NADM) presents this 11th ASOSAI Research Project on “Methods for Developing Risk-Based Audit Plan”. The research team led by NADM wishes to express its deep appreciation to those who have contributed to the completion of this report.

A special acknowledgment goes to the Auditor General of Malaysia and Chair of ASOSAI, Tan Sri Dr. Madinah Mohamad, who personally provided professional guidance in enhancing the research report. Our gratitude also goes to the NADM reviewer team, who provided their expertise in improving the final report.

Our appreciation also goes to the SAIs which responded to the questionnaires and to the three SAIs that hosted the research meetings, namely the Board of Audit and Inspection of South Korea, the State Audit Office of Vietnam and the State Audit Bureau of Kuwait. Thank you for your support of the research project.

Lastly, this research project would not have been possible without the spirit of cooperation and high commitment of the Heads of participating SAIs and the research team comprising the SAIs of Bangladesh, Indonesia, Iran, Iraq, Kuwait, Malaysia, Philippines, Saudi Arabia, South Korea, Russia and Vietnam. A great deal of time and effort has been put into producing this research project.

It is our hope that the results of this research provide insights for the ASOSAI members to develop ISSAI-compliant risk-based plans for financial, performance and compliance audits.

LIST OF ABBREVIATIONS

ACCA Association of Chartered Certified Accountants

AF Assurance Factors

ANAO Australian National Audit Office

AR Audit Risk

ASOSAI Asian Organisation of Supreme Audit Institutions

AWP Audit Work Plan

BPK The Audit Board of Indonesia

CAATs Computer Assisted Audit Techniques

COA Commission on Audit (SAI Philippines)

COSO The Committee of Sponsoring Organisations of the Treadway Commission

CR Control Risk

DR Detection Risk

FSLI Financial Statement Line Item

GRI Government Risk Identification

GRM Government Risk Model

GWSPA Government-wide and Sectoral Performance Audit

IAASB International Auditing and Assurance Standards Board

ICT Information and Communication Technology

IFAC International Federation of Accountants

INTOSAI International Organisation of Supreme Audit Institutions

IR Inherent Risk

IRRBA Integrated Results and Risk-based Audit

ISA International Standards on Auditing

ISSAIs The International Standards of Supreme Audit Institutions

OCAG Office of the Comptroller and Auditor General (SAI Bangladesh)

PASG Performance Audit Services Group

RAD Risk Assessment Document

RBA Risk-based Audit

RoMM Risk of Material Misstatement

SAI Supreme Audit Institution

LIST OF TABLES

TABLE 1 ISSAI PRE-PLANNING STAGE

TABLE 2 ANSWERS OF 25 SAIS ON QUESTIONS PERTAINING TO CRITERIA

TABLE 3 SELECTED SAIS FOR EXTENDED STUDY

TABLE 4 DESCRIPTIVE DETAILS OF RESPONDENTS (PERCENTAGE IN PARENTHESES)

TABLE 5 AUDIT APPROACHES ADOPTED BY SAIS

TABLE 6 PROCESS OF PREPARING A RISK-BASED AUDIT PLAN

TABLE 7 CONTENTS OF PLANNING MEMORANDUM

TABLE 8 BENEFITS IN PREPARING A RISK-BASED AUDIT PLAN

TABLE 9 TEMPLATES USED IN UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

TABLE 10 RISK ASSESSMENT TEMPLATE

TABLE 11 OTHER STEPS IN THE FINANCIAL AUDIT PLANNING STAGE

TABLE 12 OTHER STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN

TABLE 13 INFORMATION INCLUDED IN THE PERFORMANCE AUDIT PLAN

TABLE 14 STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN AS PER ISSAI 4100

TABLE 15 OTHER STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN

TABLE 16 ALTERNATIVE METHODS IN UNDERSTANDING INTERNAL CONTROL SYSTEM

TABLE 17 COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK CONSIDERED BY SAIS

TABLE 18 RISK ASSESSMENT IN THE PREPARATION OF AUDIT PLAN

TABLE 19 AUDIT APPROACHES

TABLE 20 RBA PLAN

TABLE 21 METHODS IN DEVELOPING RBA PLAN: FINANCIAL AUDIT

TABLE 22 METHODS IN DEVELOPING RBA PLAN: PERFORMANCE AUDIT

TABLE 23 METHODS IN DEVELOPING RBA PLAN: COMPLIANCE AUDIT

TABLE 24 RATIONALE FOR CONDUCTING THE AUDIT

LIST OF FIGURES

FIGURE 1 DATA COLLECTION FOR DESCRIBING METHODS USED BY THE ASOSAI MEMBERS IN DEVELOPING RISK-BASED AUDIT PLAN

FIGURE 2 SAI THAT SUBMITTED SURVEY QUESTIONNAIRE

FIGURE 3 DATA COLLECTION FOR DESCRIBING METHODS USED BY THE ASOSAI MEMBERS IN DEVELOPING RISK-BASED AUDIT PLAN

FIGURE 4 PREPARATION OF AUDIT PLANS

FIGURE 5 SAIS HAVING STRUCTURED GUIDELINES IN PREPARING RISK-BASED AUDIT PLAN

FIGURE 6 SAIS USING RISK ANALYSIS IN THE PREPARATION OF THE AUDIT PLAN

FIGURE 7 SAIS PREPARING APM FOR FINANCIAL, COMPLIANCE AND PERFORMANCE AUDITS

FIGURE 8 SAIS WHICH INCLUDE ISSAI-REQUIRED DESCRIPTIONS OF PROCEDURES IN THE AUDIT PLAN FOR FINANCIAL AUDIT

FIGURE 9 SAIS WHICH PERFORM THE STEPS IN DEVELOPING AN AUDIT PLAN FOR FINANCIAL AUDIT

FIGURE 10 STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN AS PER ISSAI

FIGURE 11 INFORMATION INCLUDED IN THE COMPLIANCE AUDIT PLAN

FIGURE 12 SAIS DETERMINING MATERIALITY IN PLANNING AND PERFORMING THE AUDIT

FIGURE 13 ADOPTION OF COSO FRAMEWORK

FIGURE 14 PROCESS DOCUMENTATION/WALKTHROUGH FOR THE BUSINESS PROCESS OR ACCOUNTING PROCESS

FIGURE 15 TEMPLATE ON ASSESSING RISKS AND INPUT TO THE BRIDGE

FIGURE 16 THE BRIDGE PROCESS

FIGURE 17 KEY STEPS IN START-UP PHRASE

FIGURE 18 PERFORMANCE AUDIT PLANNING PROCESS

FIGURE 19 IRRBA FRAMEWORK

ABSTRACT

The research study sets out to examine the methods used in developing risk-based audit plans and to identify the practices in developing financial, performance and compliance audit plans in compliance with ISSAIs. A descriptive design is utilised to obtain information about the methods and practices on risk-based audit plans. The respondents were the 48 ASOSAI member countries.

A semi-structured survey questionnaire comprising open and closed-ended questions is used to gain a broad and deep understanding of the risk-based audit implemented by the ASOSAI members. Specific criteria for the respondents are given to ensure that they provide complete and accurate information. The survey results are analysed and, based on the analysis, 11 SAIs (Australia, Bangladesh, Cyprus, India, Indonesia, Iraq, Jordan, Malaysia, Nepal, Philippines and Singapore) are selected for extended study according to the determined criteria.

The research study found that all respondent SAIs conduct financial audit, while compliance and performance audits are not performed by every SAI. Aside from the three main audit types, SAIs conducted other audits which have similarities with the three audits, particularly in the cases of SAIs Australia, Bangladesh, China and Japan. The primary reason for the differences in audits being conducted is the legal framework, mandate and authority of the SAI.

It is revealed that not all SAIs adopted the risk-based approach, either fully or partially, in planning the audit. Other approaches such as system-based, results-oriented, problem-based, transaction-based, fundamental and topic-based audit are also used. This suggests diversity in the audit methodologies adopted by the ASOSAI members. In spite of that, the majority of the SAIs recognised the benefits of preparing the risk-based audit plan.

On the preparation of the audit plan, the findings revealed that most SAIs prepared separate audit plans for the financial, performance and compliance audits. The preparation of the procedures/steps/content requirements of financial, performance and compliance audit plans is in accordance with ISSAI 1300 - Planning an Audit of Financial Statements, ISSAI 3000 - Standard for Performance Auditing and ISSAI 4000 - Compliance Auditing Standard. Compliance with ISSAIs is highest in the financial audit, followed by performance and compliance audits.

A significant number of SAIs do not use a guide, or are not required to do so, due to organisational or legislative reasons. Structured guidelines will provide guidance on the methods/procedures in developing the plans. Even though there are SAIs which do not adopt the risk-based approach, the majority of them conducted risk analysis in planning the audit. This implies that SAIs are aware of the importance of risk analysis in helping them achieve maximum value for their auditing efforts.

The research study found that the majority of SAIs determine materiality in audit planning and performance. Although not all the SAIs adopt the COSO framework formally, they considered the components of the COSO Framework in understanding or assessing the entity’s internal control. On risk assessment, most of the SAIs considered the control and inherent risks, compared to the detection risks.

Based on the extended study, only 4 SAIs (Australia, Malaysia, Nepal and Philippines) fully adopt the risk-based audit. The practices carried out by SAI Australia and Nepal for developing the financial and compliance audit plan, SAI Australia for the performance audit plan and SAI Indonesia for the compliance audit plan can be used as a reference for the ASOSAI members.

PART 1 INTRODUCTION

1.1 Research Project Background

The ASOSAI Research Project is conducted in accordance with Article II of the Asian Organization of Supreme Audit Institutions (ASOSAI) Charter and Rule 2, Section 2.2 of the ASOSAI Rules and Regulations. The objective of the research is to encourage and facilitate the sharing of knowledge and experiences among the member SAIs to enhance their audit capacities. The 11th ASOSAI Research Project on “Methods for Developing Risk-Based Audit Plan” was approved in the 49th Governing Board Meeting held in Kuala Lumpur, Malaysia in February 2015.

A total of 11 SAIs participated in the research project led by the National Audit Department of Malaysia: Bangladesh, Indonesia, Iran, Iraq, Korea, Kuwait, Malaysia, Philippines, Russia, Saudi Arabia and Vietnam. The research team members met five times over the period of November 2015 to July 2018 to discuss and monitor the progress of the research project.

| No. | Activity | Date and Venue |
|---|---|---|
| 1. | 1st Research Meeting (Presentation of country papers and discussion of research project framework) | November 16-18, 2015, Malaysia |
| 2. | 2nd Research Meeting (Finalizing Part 1 and outline of questionnaire) | May 2-4, 2016, South Korea |
| 3. | 3rd Research Meeting (Discussions on Part 2 and Part 3) | November 22-24, 2016, Vietnam |
| 4. | 4th Research Meeting (Discussion on Part 4) | April 24-26, 2017, Kuwait |
| 5. | 5th Research Meeting (Discussion on the overall research project) | July 10-11, 2018, Malaysia |

During the first meeting, the research team discussed the milestones and outline of the project and assigned the members to 4 groups, each of which prepared its respective part of the research report. During the second meeting, the research team discussed the methodology and empirical studies relating to the research topic and developed a set of questionnaires which were sent to all ASOSAI member SAIs.

The respective groups presented the analysis of the 25 completed questionnaires in the third meeting. During the fourth meeting, the research team discussed the findings of 8 selected SAIs based on the documents submitted by them. The final meeting discussed the overall research project report in terms of the facts, data and appropriateness of the discussions.

1.2 Problem Statement

SAIs adopt different audit methods/approaches, but a survey distributed by the ASOSAI Secretariat showed that the majority of the ASOSAI members were interested in gaining and sharing knowledge from SAIs experienced in risk-based audit planning. This was the main reason why the topic of Methods for Developing Risk-based Audit Plans was selected.

1.3 Research Objectives and Scope

The objectives of the research are as follows:

1. To describe the methods used by the ASOSAI member countries in developing risk-based audit plans;

2. To identify the practices carried out in developing the risk-based audit plan for financial, performance and compliance audits in compliance with ISSAIs.

This research focuses on the planning stage of the audit to determine the methods in developing the risk-based audit plans for the financial, performance and compliance audits that correspond with international auditing standards set by INTOSAI and IAASB. The target respondents are all 48 ASOSAI member countries.

1.4 Significance of the study

Risk is defined as the threat that an event, action or inaction will adversely affect the agency/entity’s ability to successfully achieve its mandate and objectives and execute its strategies. Perception of risk varies from one SAI to another, as it depends on several influencing factors including economic interests, public perception and cultural values. In compliance, performance and financial audits, which involve audit risk planning and analysis, there is a variety of methods to identify and evaluate risks; different SAIs may have different approaches and judgments based on their own perceptions and social agenda. Accordingly, this paper was designed to develop a better understanding of the risk-based audit plan for financial, performance and compliance audits, as well as to assist auditors in preparing a Risk-Based Audit Plan according to ISSAIs to ensure that the audit is conducted in an effective and efficient manner.

1.5 Summary

This part has outlined and described the background of this research, its objectives and the significance of this study. This research is undertaken to examine the implementation of risk-based audit in preparing audit plans for financial, compliance and performance audits.

PART 2 LITERATURE REVIEW

2.1 Introduction

This chapter discusses the literature related to risk-based auditing (RBA). Reading empirical research on RBA is necessary to gain a deep understanding of this matter and to identify the gap in this area. Reading empirical research also enables us to identify the framework to be reviewed and the expected results to be obtained.

Literature reviews typically appear as detailed independent works or as brief introductions to reports of new primary data. When a literature review appears independent of new data, it can serve many different purposes (Cooper 1998). It can have numerous different focuses, goals, perspectives, coverage strategies, organisations, and audiences (Cooper, 1988). For instance, literature reviews can focus on research outcomes, research methods, theories, applications, or all these. Literature reviews can attempt to integrate what others have done and said, to criticize previous scholarly works, to build bridges between related topic areas, to identify the central issues in a field, or all these. Literature reviews combining two specific sets of focuses and goals appear most frequently in the scientific literature. The first type of literature review has been alternately called a research synthesis, integrative research review, or research review. The second kind of literature review is a theoretical review. Here, the reviewer hopes to present the theories offered to explain a particular phenomenon and to compare them in breadth, internal consistency, and the nature of their predictions (Cooper 1998).

2.2 Risk Based Auditing

Risk is a complex, multidimensional phenomenon. According to Yates (2002), in an action-taking setting, risk is the potential for negative consequences to occur as a result of the action taken. The dimensions of risk include i) multiple causes of potential negative consequences, ii) multiple types of negative consequences, iii) the significance of each type of negative consequence, iv) multiple stakeholders who might suffer different types of negative consequences at varying significance levels, and v) a distribution of probabilities associated with each combination of the preceding dimensions. To select an audit that will add value, it is appropriate to identify risk. Risk in the audit context is the chance of poor performance by an organization, or the possibility of error and wrongdoing.

Risk-based auditing allows an organisation to understand the current risks and assess the effectiveness of existing controls. Additionally, it allows management to target resources to specific operations. As sites and corporations continue to reduce injury incidents and rates, a risk-based audit approach guides resource allocation. The basic premise of risk-based auditing is that auditors should devote more resources to accounts that are likely to be misstated and fewer resources to those that are less likely to be misstated (Bell et al. 2005; Rittenberg and Schwieger 2005; Knechel 2007). This approach is expected to lead to more effective and efficient audits (Bell et al. 2005; Public Company Accounting Oversight Board [PCAOB] 2007). However, if auditors do not accurately assess misstatement risk at the account level, audit resources will be misallocated, resulting in undetected misstatements (Kinney 2005; O'Donnell and Schultz 2005). Auditors could wrongly assess misstatement risk by focusing on observable non-strategic risk factors that indicate certain accounts are more likely than others to be misstated and by failing to appreciate the attendant implications for unobservable strategic risks that arise when financial reporting managers anticipate that auditors will allocate resources based on those non-strategic risk factors (Fellingham and Newman 1985). By fixating on non-strategic risk factors and by allocating resources accordingly, auditors could actually create opportunities for fraud among the ostensibly low-risk accounts.

Auditors start the audit process by equipping themselves with knowledge of the nature of the entity's business and its business environment, gathering sufficient information about the business and its environment to assess the risks associated with it. Salehi and Khatiri (2011) have explored the factors hindering the performance of risk-based auditing, including the lack of timely preparation of financial statements by auditors, lack of sufficient standards, lack of statistical methods used by auditors and lack of necessary auditing training. From the perspective of internal audit, the allocation of limited resources in the most effective way requires an assessment of risk across all the auditable areas. In this regard, the objective of risk-based planning is to ensure that the auditor examines the subjects of highest risk to the achievement of the organization’s objectives. The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness. Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

2.3 Risk Based Auditing Approach

Given the nature of the audit process, every audit assignment presents a different challenge, with no two audit assignments being the same. For example, no two entities are the same in terms of business sector, location, size, employees, governance issues, ethos, and complexity of operations. There is no one single approach to auditing which ensures the performance of a perfect audit. However, it is generally accepted that for most entities of size, the risk-based audit approach will minimise the possibility of audit objectives not being met. Consequently, ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment, compels auditors to adopt a risk-based approach to audits. In so doing, it requires auditors to make risk assessments of material misstatements at the financial statement and assertion levels, based on an appropriate understanding of the entity and its environment, including internal controls.

Auditors should be familiar with the assertions made by management, as described in ISA 500 (Audit Evidence). As the auditor is required to focus on the entity and its environment when making risk assessments, this is known as the ‘top down’ approach to identifying risks, and auditors should become familiar with this term. The word ‘top’ refers to the day-to-day operations of the entity and the environment in which it operates; ‘down’ refers to the financial statements of the entity. In summary, this approach requires auditors to identify the key day-to-day risks faced by a business, to consider the impact these risks could have on the financial statements, and then to plan their audit procedures accordingly. For this reason, the approach is often referred to as the ‘business risk approach’. When adopting this approach, in order to facilitate the identification of risks and the assessment of their effect on the financial statements, risks are categorised as: financial risks, such as cash flow risks; compliance risks, such as the risk of breaching laws and regulations; and operational risks, such as the risk of losing key employees and the risk of losing data (Brian Pine, 2008). The ultimate objective of adopting the business risk approach is to reduce audit risk, that is, the risk that the auditor will give an inappropriate opinion on the financial statements. Hence, auditors should understand how business risk is linked to audit risk and how the business risk approach is integral to the use of the audit risk model when planning audit work.

The adoption of the risk-based audit approach has received great emphasis in the realm of public sector auditing. It is further emphasised in the International Standards of Supreme Audit Institutions (ISSAI), which state the following points:

The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level (ISSAI 1330);

The auditor shall actively manage audit risk to avoid the development of incorrect or incomplete audit findings, conclusions and recommendations, or failing to add value (ISSAI 3000); and

The auditor shall perform procedures to reduce the risk of producing an incorrect conclusion to an acceptably low level (ISSAI 4000).

A risk-based audit approach allows an SAI to understand current risks and assess the effectiveness of existing controls. Additionally, it allows management to target resources to specific operations. As sites and corporations continue to reduce injury incidents and rates, a risk-based audit approach guides resource allocation. The aim of the risk assessment auditing standards is to improve the quality and effectiveness of audits by substantially changing audit practices. Statements on Auditing Standards provide increased rigor to the audit process in a number of key areas, including the assessments of inherent and control risks and the linking of these risk assessments to further audit procedures (Ramos, 2009).

The risk assessment standards prohibited the auditor from “defaulting to the maximum” control risk. On all audits the auditor should evaluate the design and implementation of internal control to properly identify and assess risk. Implementing and applying this standard in practice has proven to be a challenge for many firms, which have difficulty linking their internal control work to the substantive procedures and other aspects of the engagement, finding sufficient benefit to justify the increased audit costs that result from the stricter standard and determining how to evaluate the effectiveness of the internal control design.

Bowlin (2011) studied the risk-based audit approach and found that there are potential pitfalls in risk-based auditing if auditors do not accurately assess misstatement risk at the account level, as this will result in misallocation of audit resources.

ISSAI 1330¹ (2007) focuses on the auditor’s responses to assessed risks and includes a practice note providing additional guidance for public sector auditors related to audit procedures responsive to the assessed risks of material misstatement at the assertion level. ISSAI 1330 also addresses the importance of evaluating the sufficiency and appropriateness of audit evidence, as well as specific considerations for public sector auditors with a judicial role. This ISSAI derives from ISA 330, which deals with the auditor's responsibility to design and implement responses to the risks of material misstatement identified and assessed by the auditor in accordance with ISA 315 (Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment) in an audit of financial statements.

ISSAI 3000² (2003) is a guideline for performance auditing based on INTOSAI's Auditing Standards and practical experience. These guidelines aim to assist SAIs’ performance auditors in managing and conducting performance audits efficiently and effectively, as well as to provide a basis for good performance audit practices and establish a framework for the further development of performance audit methodology and professional development. The guidelines take into account relevant INTOSAI auditing standards based on generally accepted principles of performance auditing, distilled from the experience of INTOSAI members. Standardisation in performance auditing is mostly a question of what to do, rather than how to do it. The guidelines consist of five main parts:

a. Part 1 sets out the general framework for performance auditing;

b. Part 2 defines application of auditing principles to performance auditing which

refers to government’s auditing principles applied to performance auditing;

c. Part 3 provides standards and guidance for planning performance audits;

d. Part 4 provides standards and guidance for conducting performance audits;

and

1 ISSAI 1330 – The Auditor's Responses to Assessed Risks

2 ISSAI 3000 – Standards and guidelines for performance auditing based on INTOSAI's Auditing

Standards and practical experience

e. Part 5 provides standards and guidance for presenting the audit results

specifically on reporting standards and guidance.

The appendices contain further information on how to plan and conduct performance audits.

They also include information on performance auditing in relation to information technology

(IT), and on conducting performance audits with an environmental perspective. A framework

of system-oriented approaches in performance auditing is also presented.

The updated version of ISSAI 3000 (2016) on Standard for Performance Auditing and ISSAI

3200 Guidelines for the Performance Auditing Process refers to the following:

(i) Understanding the audit topic and identifying problems in the area. As part of

the planning process, there is a need to develop a sound understanding of the

subject matter and of the risks and challenges in the area (ISSAI 3200.21).

(ii) Selecting a focus for the audit or the “audit problem”. ISSAI 3200.35 states

that the audit objectives, audit questions and scope are interrelated and need to be

considered together.

(iii) Designing and planning the audit engagement. The 2003 ISSAI 3000,

Standards and guidelines for performance auditing based on INTOSAI’s Auditing

Standards and practical experience, discusses the methodological planning and

administrative planning as follows:

Methodological planning - Performance audit can draw upon a large variety of

data-gathering and analysis techniques, with due consideration on the validity

and reliability of methods to be used.

Administrative planning - It involves the selection of the audit team and team

leader and the development of an activity plan including the time table and

resources needed.

ISSAI 4000³ (2010) is a general introduction to the compliance audit guidelines and is intended to

assist SAIs in applying the INTOSAI Auditing Standards, particularly in their work on

reporting on compliance. These compliance audit guidelines are written from two main

perspectives which are ISSAI 4100 that deals with compliance audit performed separately

from the audit of financial statements, for example as a separate audit task or related to

performance audit and ISSAI 4200 that deals with compliance audit related to the audit of

financial statements. The two ISSAIs are written as consistent, stand-alone documents.

IIA 2100 on Nature of Work requires that the internal audit activity must evaluate and

contribute to the improvement of the organization’s governance, risk management, and

control processes using a systematic, disciplined, and risk based approach. Internal audit

3 ISSAI 4000 – Compliance Audit Guidelines – General Introduction

credibility and value are enhanced when auditors are proactive and their evaluations offer

new insights and consider future impact.

2.4 Risk Based Auditing Planning

Pickett (2003) defines planning as a response to demands and new challenges posed for

audit, and as a means of expectation and focusing resources to achieve effective results.

Pickett (2003) also provided three alternative approaches in planning:

a. The traditional planning-cyclical audit model which involves looking at everything

on a cyclical basis over three years and evaluating it. In the absence of a risk register,

the auditor should identify a list of risks the client is facing. Other factors such as

impact on reputation, materiality, and state of controls are used to assess the risk

universe and prioritize the risky areas;

b. An advanced approach is the emphasis on the corporate governance framework.

Audit resources are focused on board managements and accountability, control

framework in use, communication across the organization and the role and

impact of audit committee; and

c. Risk-based audit planning which is ‘an approach to audit work that focuses on

strategic, regulatory, financial and business risk that confront the organization

and which uses these risks to steer the audit process in a way that maximizes the

impact of audit assurance and consulting work’.

Risk-based audit planning emphasises the importance and the impact that an effective audit

strategy and audit plan have on the achievement of the goals, objectives and the mission of the

internal audit unit. Planning provides for a systematic approach to audit work and requires

knowledge covering a wide range of issues in public management, including risk

assessment and internal control. Another reference provided that risk-based audit planning

is an approach that focuses on analysing risk and developing an audit program that is suitable

for the risks that have been identified (Arun District Council, 2009). During the planning stage, the

auditor gains an understanding of the client, the client’s internal controls, the client’s

information technology (IT) environment, the client’s corporate governance environment and

the client’s closing procedures. The process of understanding the client involves

consideration of issues at the entity level, the industry level, and the broader economic level.

The auditor will also assess the likelihood that their client’s financial statements are

misstated due to limitations in its IT system. Governance structures are used to assess the

level of risk faced and to design controls to reduce identified risks. Lastly, there is also a risk

that the client’s closing procedures are inadequate (Moroney, Campbell, Hamilton & Warren

2015).

Furthermore, Moroney et al. (2015) also explained that the auditor will identify any related

parties, factors that may affect their client’s going concern status, and significant accounts

and classes of transactions that will require close audit attention to gauge the risk of material

misstatement. Related party transactions require some specific consideration throughout

the audit and specific procedures should be performed and documented. The auditor also

assesses fraud risk and performs procedures to support the assessment. The auditor will

also consider the appropriateness of the going concern assumption during the planning

stage and then throughout the audit.

Pickett (2006) has also discussed the importance of audit planning and the issues on the

risk of expressing an inappropriate opinion due to the following which may be addressed

through an effective audit planning:

• Performing the wrong audit;

• Employing the wrong audit approach;

• Using the wrong staff;

• Breaching professional standards;

• Performing work at the wrong time; and

• Issuing the wrong reports and delivering the wrong underlying assurances.

In the context of internal audit, it is discussed that the allocation of limited resources in the

most effective way requires an assessment of risk across all the auditable areas (Internal

Audit Community of Practice (IA COP), 2014). In this regard, the objective of risk-based

planning is to ensure that the auditor examines subjects of highest risk to the achievement of

the organization’s objectives. Also in this material, some examples were provided for the

concepts discussed such as the common risk factors used by internal audit units. Certain

illustrations of activities were also provided, such as scoring impact criteria, scoring risk

factors and weighing risk factors. Nonetheless, it is worth emphasising that such reference

pertains only to internal audit.

A study by Laudato (2016), which focuses on audit firms, has found that certain

provisions of International Standards in Auditing (ISAs) pertaining to risk-based audit

planning, particularly in the identification and assessment of risks, responses to assessed

risks, and materiality. An example was provided on how to prepare the corresponding audit

strategy memorandum based on the discussions.

Jakovac, Domokos, & Nemeth (2016) state that SAI planning is a complex, multi-phase

process which forms a hierarchic system from strategic planning through resource plans and

the creation of operative audit plans all the way to feedback. The key steps of planning are

the following:

a. Strategic planning sets out the key tasks of the institution as well as its ethical

requirements, values, priorities, and the directions and main objectives of the

given period. Strategic planning defines audit topics and audit criteria. The

objectives of selection criteria vary depending on what type of audit they serve as

basis for.

b. Annual planning lists and presents the audits to be carried out in the given period.

It is prepared in harmony with the audit priorities set out in the strategy as well as

with macro and risk analyses and the requirements stipulated by legal

regulations, while also taking into account “anticipated demand” for audit reports.

The objective is to select the areas, programs and organizations to be audited in

the coming period, and to determine the order of audits depending on capacity.

c. Audit planning comprises the formulation of the specific audit strategy and the

preparation of the audit plan. It is in this phase that the objectives, scope,

method and criteria of the given audit must be formulated in detail, where audit

questions must be drafted and the sample to be audited is to be defined and

where the documents supporting the audit must be prepared.

Furthermore, Jakovac et al. (2016) also explained that the INTOSAI standards require that

the foundation of the planning work processes of supreme audit institutions be laid

down by risk analyses. Normally, the state audit office conducts risk analysis during:

a. The selection of audit priorities and areas. The goal of risk analysis depends on

the audit directions set out in the aforementioned SAI strategy.

b. The analysis of the controls and measures of the audited entities. The state audit

office seeks to identify the organizational processes where significant residual

risk threatens the accomplishment of organizational goals.

c. The definition of the issues and scope of the audit. Risk analysis supports the

establishment of audit procedures, including sampling and the planning of control

tests.

The International Standards of Supreme Audit Institutions (ISSAIs) 1300⁴, 4000⁵ and 3000⁶

require the development of audit plans for financial, performance and compliance audits,

respectively. ISSAI 1300, Planning an Audit of Financial Statements, requires the auditors to

develop an audit plan in order to perform the audit in an effective manner that includes a

description of:

i. Nature, timing and extent of planned risk assessment procedures (as required by

ISSAI 1315, Identifying and Assessing the Risks of Material Misstatement

through Understanding the Entity and Its Environment);

ii. Nature, timing and extent of planned further (substantive) audit procedures at the

assertion level (as required by ISSAI 1330, The Auditor’s Responses to

Assessed Risks); and

4 ISSAI 1300, Planning an Audit of Financial Statements

5 ISSAI 4000, Compliance Audit Standard

6 ISSAI 3000, Standard for Performance Auditing

iii. Other planned audit procedures that are required to be carried out in compliance

with other ISSAIs.

Proper planning helps in the timely commissioning of the team members, facilitates

the guidance of the members and the supervision of their work and, where applicable,

helps to coordinate work between auditors and experts.

General auditing guidelines on planning an audit of financial statements are specified in

ISSAI 1300 (2007). This standard supports and explains ISSAI 1300 with respect to the

public sector. This guideline deals with the auditor's responsibility to plan an audit of financial

statements in the context of recurring audits.

ISSAI has also issued guidelines for the pre-planning stage. The pre-planning stage consists

of two main activities governed by a set of standards as shown in the following table:

TABLE 1 ISSAI PRE-PLANNING STAGE

| PRE-PLANNING ACTIVITIES | AUDIT STANDARDS |
|---|---|
| Adhere to codes of ethical behaviour and core audit principles | Code of ethical conduct of the International Federation of Accountants (IFAC); Code of ethical conduct INTOSAI |
| Efficiency of audit team | ISSAI 100, 200, 300, 400; ISSAI 3000; ISA 220; ISSAI 1220; ISA 210 |

Source: SAI Iraq’s Country Paper

According to the draft quality assurance manual, the actual planning phase consists of the

following activities, which are governed by a set of standards:

| PLANNING ACTIVITIES | AUDIT STANDARDS |
|---|---|
| Understanding of the entity subject to audit and its environment | ISA 315; ISSAI 1315 |
| Set a goal and scope of the audit task | ISA 200 |
| Identify materiality | ISA 320 |
| Identify and assess the risks of substantial misstatement | ISA 330; ISSAI 1330; ISA 315 |
| Prepare a detailed audit plan | ISA 300; ISSAI 1330 |
| Design audit procedures for risks that have been evaluated | ISA 300; ISSAI 1330 |

Source: SAI Iraq’s Country Paper

On the other hand, the evaluation of internal audit system also has a key position in the

planning stage, according to the criterion of INTOSAI 9100.

ISSAIs 3000 and 3200 state that the SAIs are also expected to include the following

information in their audit plan for performance audit:

i. Background knowledge and information needed to understand the entity to be

audited;

ii. Initial assessment of the problem risk, possible sources of evidence, auditability

and the materiality or significance of the area considered for audit;

iii. Audit objective, questions or hypothesis, criteria, scope and period to be covered

by the audit;

iv. Methodology, including techniques to be used for gathering evidence and

conducting the audit analysis;

v. Overall activity plan which includes staffing requirements (i.e. sufficient

competencies, human resources, and possible external expertise required for the

audit); and

vi. Estimated cost of the audit, key project timeframes, milestones and the main

control points of the audit.

ISSAI 4100 on Compliance Audit Guidelines—For Audits Performed Separately from the

Audit of Financial Statements lists the following as the process for the audit work:

i. Determine the subject matter, criteria and scope of compliance audit;

ii. Understand the entity;

iii. Understand the control environment and internal control system;

iv. Risk assessment of the subject matter/audited entity;

v. Consideration of risks of fraud;

vi. Determine reliance on internal controls; and

vii. Link identified risks to audit strategy (audit procedures).

In line with the requirements pertaining to compliance audit, SAIs are also expected to

include in their audit plan for compliance audit the following information:

i. Description of identified criteria related to the scope and characteristics of the

compliance audit and to the legal, regulatory or appropriations framework;

ii. Description of the nature, timing and extent of risk assessment procedures

sufficient to assess the risks of non-compliance, related to the various audit

criteria; and

iii. Description of the nature, timing and extent of planned audit procedures related

to the various compliance audit criteria and risk assessments.

The research results show that the common actual process in preparing the plan among

the SAIs that participated in the survey covers the following steps:

a. Understanding the Entity and Its Business Process (including previous audit

reports);

b. Conducting Initial Analytical Procedures;

c. Understanding the Internal Control System;

d. Initial Risk Identification and Risk Analysis

e. Risk Assessment: IR, CR, DR

f. Determining the Audit Materiality, Criteria

g. Preparing Audit Plan Memorandum

Those procedures are in line with ISSAI 1300 (Planning an Audit of Financial Statement),

ISSAI 1315 (Identifying and Assessing the Risks of Material Misstatement through

Understanding the Entity and Its Environment), and ISSAI 1320 (Materiality in Planning

and Performing an Audit).

Similar to ISSAI 1300, the research also shows that the auditor shall include in the audit

documentation: (a) The overall audit strategy; (b) The audit plan; and (c) Any significant

changes made during the audit engagement to the overall audit strategy or the audit

plan, and the reasons for such changes. The documentation of the overall audit strategy

is a record of the key decisions considered necessary to properly plan the audit and to

communicate significant matters to the engagement team. For example, the auditor may

summarize the overall audit strategy in the form of a memorandum that contains key

decisions regarding the overall scope, timing and conduct of the audit. A planning

memorandum is one form of this kind of documentation.

The common approach in preparing the planning memorandum includes the following

information:

a. Basic information of the entity (including related parties and significant events);

b. Audit objective and scope;

c. Audit methodology (including understanding the internal control system, risk

assessment, materiality, and sampling);

d. Audit resources (team, budget, timeline/timeframe);

e. Targeted area (significant risks); and

f. Audit Program.

2.5 Audit Risks

The ISSAIs identify three risks—inherent risk, control risk and detection risk. ISSAI 1003,

Glossary of Terms to INTOSAI Financial Audit Guidelines, defines the said risks as follows:

Inherent risk is the susceptibility of an assertion about a class of transaction,

account balance or disclosure to a misstatement that could be material, either

individually or when aggregated with other misstatements, before consideration

of any related controls.

Control risk is defined as the risk that a misstatement could occur in an

assertion about a class of transaction, account balance or disclosure, and that

could be material, either individually or when aggregated with other

misstatements, will not be prevented or detected and corrected, on a timely basis

by the entity’s internal control.

Detection risk is the risk that the procedures performed by the auditor will not

detect a misstatement that exists and that could be material, either individually or

when aggregated with other misstatements.

ISSAI 1330 on Auditor’s Response to Assessed Risks, requires the auditor to design and

perform further audit procedures whose nature, timing and extent are based on and are

responsive to the assessed risks of material misstatement (a function of inherent and control

risks) at the assertion level.

The risk of material misstatement (inherent and control risks) and detection risk constitute

the concept of audit risk, or the risk that the auditor will express an inappropriate conclusion

if the subject matter information is materially misstated. ISSAI 200 Fundamental Principles of

Financial Auditing, requires the auditor to reduce audit risk to an acceptably low level in the

circumstances of the audit.

All the information on the evaluation of audit risk or the auditor’s assessment of risks, taking

into account their opinion of the control environment together with the controls in place for

each of the areas being reviewed should be discussed in the Audit Planning Memorandum.

2.6 Attributes of a good Audit Planning Memorandum

An Audit Planning Memorandum (APM) is prepared to set out the objectives of the audit and to spell

out how the auditor aims to achieve these objectives. It is also a tool to monitor the progress

of the audit and promotes high quality and professional audit work. Normally, APM will be

prepared during the planning stage. The purposes of the audit plan are, first, to contribute to

the effectiveness of the audit and, second, to contribute to the audit efficiency. This

memorandum should be completed and approved as part of initial audit planning. In

completing this document there may be occasions when matters already documented in

other work papers are relevant. There is no need to re-write such material if a specific

reference can be made.

This memorandum is structured so that planning documentation common to all projects is

presented. All items should be read and considered on every project. When a section is not

applicable, indicate "N/A", with a brief explanation why it is not applicable. The planning

memorandum is divided into four sections:

i. Introduction / Background

ii. Management Concerns & Issues

iii. Administration and job set up;

iv. Risk assessment; and

v. Nature and Scope of Audit

2.7 Conclusions

The risk-focused description and definition of organisations’ operating environment and

operations has gained increasing prominence over recent decades. Risk-based auditing

allows an organization to understand the current risks and assess the effectiveness of

existing controls. Additionally, it also allows management of the audit organization to target

resources to specific operations. Normally, a risk-based approach requires the auditor to have

proper audit planning. Audit planning is an important phase of the audit process. During

the planning stage, the auditor gains an understanding of the client, the client’s internal

controls, the client’s information technology (IT) environment, the client’s corporate

governance environment and the client’s closing procedures. In the context of internal audit,

it is discussed that the allocation of limited resources in the most effective way requires an

assessment of risk across all the auditable areas (Internal Audit Community of Practice (IA

COP), 2014). In this regard, the objective of risk-based planning is to ensure that the auditor

examines subjects of highest risk to the achievement of the organization’s objectives. Within

the planning of audits also, the selection process and analysis of audit subjects’ risk that

supports sampling procedures can be distinguished logically from the enumeration of risks to

the conduct of the audit. Risks are analysed by the audit organisation, but the risks

themselves can arise in the audited organisations in the former, and in the auditing

organisation in the latter case; the analyst and the party at risk are therefore separated from

each other. In conclusion, the risk-based audit approach requires the auditor to analyse

risk by gathering necessary, relevant and reliable information, identifying possible threats,

analysing their impact and probability, and then evaluating them.

PART 3 RESEARCH METHODOLOGY

3.1 Introduction

Research design provides a framework for the collection and analysis of data (Bryman and

Bell, 2007). Therefore, this part provided details of research design in relation to qualitative,

quantitative and mixed methods research as three major approaches to research in social

sciences. This part also explained the methodology employed in this research and methods

of collecting and analysing data.

3.2 Research Methodology

In research, methodology refers to the ‘general logic and theoretical perspective’ of a study,

whereas methods refer to techniques, procedures or strategies for analysing and interpreting

data (Bogdan and Biklen, 2007 cited by Long, 2014). Generally there are three research

methodologies: quantitative, qualitative and mixed methods (Creswell, 2014). Quantitative

methods emphasize objective measurements and are either descriptive (subjects usually

measured once) or experimental (subjects measured before and after treatment), while

qualitative studies assume social reality exists independent of the knower and knowledge is

subjective and personal.

Qualitative methods involve close, personal contacts that use the researcher as the

‘instrument’ for recording observations. They emphasize open-ended information that the

researcher usually gathers through interviews, focus groups and observations.

Quantitative methods emphasize objective measurements and the statistical, mathematical

or numerical analysis of data collected through questionnaires or by manipulating

pre-existing statistical data using computational techniques. They are used to quantify attitudes,

opinions, behaviour and other defined variables; and generalise results from a larger sample

population.

Mixed methods refer to an emergent methodology of research that advances the systematic

integration of ‘mixing’ quantitative and qualitative data within a single investigation or

sustained program of inquiry. This method is used in this research because of time, logistics

and resources constraints.

3.3 Research Method

This research used a descriptive approach that requires the use of mixed methods to

provide insight of the topic under study. This approach gives an opportunity to the

researcher to investigate the issue of risk based audit plan within public sector organisation

or SAIs in a comprehensive way. However, this method could be influenced by the SAIs’

respective mandate, law and regulation, procedures and the nature of audit. Typically,

descriptive research is aimed at casting light on current issues or problems through a

process of data collection that enables them to describe the situation more completely than

was possible without employing this method (Fox, W. & Bayat, M.S., 2007). Descriptive

research is used to describe characteristics and/or behaviour of a sample population. The

main purposes of this study can be explained as describing, explaining and validating

research findings on methods for developing RBA plan among the respondent SAIs.

Consistent with this view, the data for this research were gathered from survey

questionnaires and extended study.

In this research, the survey questionnaire was used to gain information to present risk-based

audit planning methodologies to serve as a reference for the auditors in the preparation of a

Risk-Based Audit Plan. Based on the survey results, the extended study was conducted on

selected SAIs through email to submit their guidelines or manuals which provide a detailed

walkthrough of their risk-based audit planning procedures, as well as the corresponding

documentation therefor (i.e., templates and sample working papers).

3.4. Research Instrument

In order to fulfil the study objective, survey questionnaires and reviewing documents were

involved. A survey was used as a preliminary study to obtain information on the

extent of risk based audit that has been performed by SAI members. This includes current

knowledge and understanding of risk based audit approach, practices and processes of risk

assessment in accordance to ISSAI or related best practices in each SAI. This information

gave input to the research from the theoretical and practical perspective and to explore the

possible issues regarding the adoption of risk-based audit planning in audit works. Based on

the survey analysis, the researchers performed extended study to explore more on the risk-

based audit planning process adopted by selected ASOSAI members. The sources of data

were obtained from the audit planning documents submitted by the selected SAIs.

3.4.1 Primary Data

Primary data are information collected by a researcher specifically for a research

assignment. The information needs to be gathered because no one has compiled and

published the information in a forum or platform accessible to the public. Primary data are

original in nature and directly related to the issue or problem and current data.

In this research, the primary data were collected from 25 ASOSAI members through

questionnaire. The questionnaires consisted of SAI characteristics related to types of audit,

audit approach and the processes involved in audit planning for each type of audit.

3.4.2 Secondary Data

Secondary data are the data available in written, typed or in electronic forms. Secondary

data is also used to gain initial insight into the research problem. In this research, the

secondary data were collected from country papers, publications, articles of the 25 selected

SAIs that develop a Risk Based Audit Plan in conducting their audit works.

3.4.3 Survey Questionnaire

In this research, the survey questionnaire was semi-structured in design; it consisted of

close-ended and open-ended questions. The majority of the close-ended questions were

answerable by Yes, No and Not Applicable. The open-ended questions, on the other hand,

were provided in cases where (1) the answers of the respondents are not among the given

options, thus, the need to identify and describe others; and (2) there is a need to obtain the

particulars and evidence supporting the Yes answers.

The survey was distributed through postal mail, email or fax addressed to the Heads of the

48 ASOSAI member SAIs, as per consensus during the 2nd ASOSAI Research Project

meeting on 2-4 May 2016. The selection of the particular person who would answer the

questionnaire was left upon the judgment of the SAI Head, with the assumption that the SAI

Head will choose someone who can give reliable information as far as the topic of the

research project is concerned. The purpose of the survey was to determine:

Which among the target SAIs adopt the risk-based audit approach;

Which among the target SAIs have a structured guideline in preparing a risk-based audit plan;

The contents of planning memorandum of target SAIs, if any;

Which among the target SAIs prepare an audit plan for financial, performance and compliance audits;

The steps adopted by target SAIs in the preparation of an audit plan for financial, performance and compliance audits;

The perception of target SAIs on the achievement of benefits in preparing a Risk-Based Audit Plan; and,

The contents/elements of the audit plan.

The questionnaire in this research was based on the literature review (see Part 2) and other instruments based on ISSAI requirements on audit planning. The questionnaire was customised to the preparation of the Risk Based Audit plan used in this study. The content, criteria and scope of the questionnaire were discussed extensively through brainstorming among members of this group. The discussion was led by Group 2, comprising representatives from SAI Philippines, Iran and Bangladesh. Template questionnaires from SAI Philippines, SAI Iran and SAI Bangladesh were used as references in designing the final questionnaire.

In this research, the survey questionnaire was designed and divided into four main parts:

Basic Information of SAI;

Preparation of audit plan (or risk-based audit plan);

Internal control system and Risk Assessment; and

Documentation in the preparation of Risk-Based audit plan.

3.4.4 Extended Study

In line with the research objective of describing the methods used by the ASOSAI members in developing risk-based audit plans, the extended study was conducted among selected SAIs to identify the practices of ASOSAI members in developing audit plans for financial, performance and compliance audits in accordance with ISSAIs.

The set of criteria that must be satisfied for the selection were as follows:

a. The SAI adopted the risk-based audit approach or both risk-based and systems-based audit approaches (should have a yes answer in Item II.1.c.i of the survey questionnaire);

b. The SAI has a structured guideline in preparing a risk-based audit plan (should have a yes answer in Item II.1.d of the survey questionnaire); and

c. The SAI prepared a planning memorandum for financial, compliance and performance audits, whichever were being performed by the SAI (should have a yes answer in Item II.1.f of the survey questionnaire).

3.5 Data Collection

3.5.1 The survey questionnaire

The deadline of the survey was September 11, 2016. Out of 48 copies of the questionnaire distributed, only 25 were successfully completed and returned. The 25 SAIs that answered the questionnaire are shown in Figure 1.


A descriptive analysis was conducted on the 25 SAIs to obtain information on the following:

a) The adoption of the risk-based audit approach;

b) The availability of risk-based audit guidelines; and

c) The preparation of audit plan memorandum for financial, performance and compliance audits.

Details of the descriptive analysis of the 25 SAIs are depicted in Table 2.

TABLE 2

ANSWERS OF 25 SAIS ON QUESTIONS PERTAINING TO CRITERIA

SAI | Adopts Risk-Based Audit Approach | Has a structured guideline in preparing a risk-based audit plan | Prepares a planning memorandum for financial, compliance and performance audits | To be included in the extended studies

1. Australia
2. Azerbaijan No ans.
3. Bahrain
4. Bangladesh
5. Cambodia
6. China
7. Cyprus
8. India
9. Indonesia
10. Iran Not applicable
11. Iraq
12. Japan Not applicable No ans.
13. Jordan
14. Korea
15. Kuwait Not applicable
16. Laos
17. Malaysia
18. Mongolia
19. Myanmar Not applicable No ans.
20. Nepal
21. Philippines
22. Saudi Arabia Not applicable Not applicable
23. Singapore
24. Tajikistan Not applicable
25. Vietnam Not applicable

Note: SAI Bahrain is not included in the extended study since it adopts risk-based audit approach together with an approach called “coverage range.”

FIGURE 1

SAI THAT SUBMITTED SURVEY QUESTIONNAIRE

1. Australia
2. Azerbaijan
3. Bahrain
4. Cambodia
5. China
6. Cyprus
7. India
8. Indonesia
9. Iran
10. Iraq
11. Japan
12. Jordan
13. Korea
14. Kuwait
15. Bahrain
16. Lao PDR
17. Malaysia
18. Mongolia
19. Myanmar
20. Nepal
21. Philippines
22. Saudi Arabia
23. Singapore
24. Tajikistan
25. Vietnam

3.5.2 The extended study

Based on the results of the survey, 11 SAIs out of the 25 respondent SAIs were selected as the subjects for the extended study. Among the 11 selected SAIs, five (5) adopt only the risk-based audit approach while six (6) adopt both risk- and systems-based audit approaches (Table 3).

TABLE 3

SELECTED SAIS FOR EXTENDED STUDY

SAI | Adopts Risk-Based Audit Approach | Adopts Systems-Based Audit Approach

1. Australia
2. Indonesia
3. Jordan
4. Nepal
5. Philippines
6. Bangladesh
7. Cyprus
8. India
9. Singapore
10. Malaysia
11. Iraq

From the 11 selected SAIs, seven (7) SAIs submitted sufficient documents, which were used for the extended study. SAIs Australia, Iraq, Malaysia and Nepal submitted references for their financial and performance audit planning procedures. SAI Bangladesh submitted references for its financial and compliance audit procedures. SAI Indonesia submitted references for its planning procedures on all three audits. Finally, SAI Philippines submitted references for the comprehensive audit (financial, compliance and performance audits performed together by an engagement team) it conducts.

3.6 SUMMARY

This research was conducted based on a survey questionnaire and an extended study. Data were collected through both methods by analysing questionnaires and reviewing documents. The data collection framework of this research is described below:

FIGURE 2 DATA COLLECTION FOR DESCRIBING METHODS USED BY THE ASOSAI MEMBERS IN DEVELOPING RISK-BASED AUDIT PLAN

SURVEY QUESTIONNAIRES
• CLOSE ENDED
• OPEN ENDED

EXTENDED STUDY
• ANALYSIS OF RISK BASED AUDIT IN FINANCIAL, COMPLIANCE, PERFORMANCE AUDITS IN 11 SELECTED SAIs


This part has outlined and described the methodological and theoretical approach undertaken to examine the implementation of risk-based audit in selected SAIs. This research applied a descriptive approach to gather information from the respondent SAIs pertaining to the preparation of the audit plan in 3 types of audit (financial, compliance and performance), ISSAI compliance among the respondents and adoption of RBA in planning the audit. Research findings and analysis will be discussed in Part 4 based on questionnaires and Part 5 based on the extended study.


PART 4 RESEARCH RESULTS BASED ON QUESTIONNAIRES

4.1 Introduction

This part describes and discusses the research findings based on questionnaires. It relates to the first research objective of identifying the methods used by SAIs to develop risk-based audit plans. The research findings and discussion will be presented under three topics: descriptive analysis based on basic information given by the SAIs, information pertaining to preparation of the Audit Plan/Risk-Based Audit Plan, as well as internal control system and risk assessment.

4.2 Descriptive Analysis

The questionnaires were sent to all members of the ASOSAI and 25 SAIs responded (52%).

The 25 responses were from SAI Australia, Azerbaijan, Bahrain, Bangladesh, Cambodia,

China, Cyprus, India, Indonesia, Iran, Iraq, Japan, Jordan, Korea, Kuwait, Laos, Malaysia,

Mongolia, Myanmar, Nepal, Philippines, Saudi Arabia, Singapore, Tajikistan and Vietnam.

The descriptive analysis (Table 4) of the respondent SAIs indicated that 6 SAIs (Australia, India, Iran, Japan, Malaysia and Philippines) have existed for more than 100 years. 9 SAIs (Cyprus, Indonesia, Iraq, Jordan, Korea, Kuwait, Myanmar, Nepal and Singapore) fall under the category of between 50 and 100 years of existence. 10 SAIs (Azerbaijan, Bahrain, Bangladesh, Cambodia, China, Lao PDR, Mongolia, Saudi Arabia, Tajikistan and Vietnam) have been in existence for less than 50 years.

It was found that 17 (68%) out of 25 SAIs were established by their respective constitutions or laws. The 17 SAIs are Australia, Azerbaijan, Bangladesh, Cambodia, India, Indonesia, Iran, Japan, Jordan, Korea, Lao PDR, Malaysia, Myanmar, Nepal, Philippines and Singapore. All SAIs have mandates/functions/responsibilities to conduct the audits. Half of the respondents followed the Westminster model, which is intrinsically linked to the system of parliamentary accountability. 6 SAIs (Azerbaijan, Indonesia, Japan, Korea, Philippines and Tajikistan) followed the Board or Collegiate model, where a number of members form its governing board or college and make decisions jointly.


TABLE 4 DESCRIPTIVE DETAILS OF RESPONDENTS (PERCENTAGE IN PARENTHESES)

Basic Information | | Respondents (n = 25)
Establishment | >100 years | 6 (24%)
 | 50-100 years | 9 (36%)
 | <50 years | 10 (40%)
Constitutional/Legal Status | Constitution | 12 (48%)
 | Law/Act | 5 (20%)
 | Others | 3 (12%)
 | Not stated | 5 (20%)
Mandate | Yes | 25 (100%)
Types of SAI | Westminster | 13 (52%)
 | Judicial | 1 (4%)
 | Board/Collegiate | 6 (24%)
 | Others | 1 (4%)
 | Not stated | 4 (16%)

It can be concluded that there are differences in the characteristics of responding SAIs in

terms of the legal status or mandate depending on the institutional models.

4.3 Information Pertaining to the Preparation of the Audit Plan/Risk-Based Audit Plan

4.3.1 Types of Audits Conducted

All of the 25 SAIs conducted financial audits, 22 SAIs (88%) conducted compliance audits and 21 SAIs (84%) conducted performance audits. Other types of auditing performed by SAIs are audit of performance statements, audit of appropriateness of performance measures, performance audits of commonwealth partners, forensic audit, special purpose audit, management audit of Government Linked Companies, assurance review or other audits which have similarities with either financial, compliance or performance audits.

4.3.2 Preparation of Audit Plans

The International Standards of Supreme Audit Institutions (ISSAIs) 1300: Planning an Audit of Financial Statements, ISSAI 3000: Standard for Performance Auditing and ISSAI 4000: Compliance Auditing Standard require SAIs to develop audit plans for financial, performance and compliance audits. The survey results (Figure 3) indicated that most of the SAIs prepare separate audit plans for financial, performance and compliance audits.

FIGURE 3

PREPARATION OF AUDIT PLANS

Preparing separate Audit Plans: 21 (84%)
Not preparing separate Audit Plans: 3 (12%)
Not applicable: 1 (4%)

Note: SAI Myanmar answered “Not applicable”.

The survey results showed that 84% of the 25 SAIs prepare separate audit plans. Three SAIs (Cyprus, Japan and Philippines) prepare one audit plan for all types of audits. SAI China, Vietnam and Nepal prepare combined audit plans for compliance and financial audits together.

4.3.3 Adoption of Risk-Based Audit Approach

The importance of considering risks is mentioned in the following ISSAIs:

The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level (ISSAI 1330);

The auditor shall actively manage audit risk to avoid the development of incorrect or incomplete audit finding, conclusion and recommendation or failing to add value (ISSAI 3000); and

The auditor shall perform procedures to reduce the risk of producing incorrect conclusion to an acceptable low level (ISSAI 4000).

Based on their responses, 7 SAIs (Australia, Cambodia, Indonesia, Jordan, Mongolia, Nepal and Philippines) fully adopted the risk-based audit approach. SAIs of China, Cyprus, Iraq and Singapore adopted risk-based and system-based audit approaches. SAIs of Bahrain and Lao PDR adopted risk-based and other audit approaches, and 4 SAIs (Bangladesh, India, Korea and Malaysia) utilised risk-based, system-based and other audit approaches. SAI Kuwait and SAI Iran utilised the system-based audit approach. Other approaches include results-oriented, problem-based, transaction-based, fundamental and topic-based.

TABLE 5 AUDIT APPROACHES ADOPTED BY SAIS

AUDIT APPROACH | NO. OF SAIS
Risk-based only | 7
Risk-based and system-based | 4
Risk-based and others | 2
Risk-based, system-based and others | 4
System-based only | 2
Others | 5
System-based and others | 1

4.3.4 Structured Guideline in Preparing Risk-Based Audit Plan

The development of structured guidelines will assist the auditor to conduct an effective risk-based audit plan. The results illustrated in Figure 4 showed that 15 out of 25 SAIs have structured guidelines to prepare the plans. The 15 SAIs are Australia, Bahrain, Bangladesh, Cambodia, China, Cyprus, India, Indonesia, Iraq, Jordan, Malaysia, Mongolia, Nepal, Philippines and Singapore.

FIGURE 4 SAIS HAVING STRUCTURED GUIDELINES IN PREPARING RISK-BASED AUDIT PLAN

Has a structured guideline in preparing a risk-based audit plan: 15 (60%)
Has no structured guideline in preparing a risk-based audit plan: 2 (8%)
Not applicable (not adopting risk-based approach): 8 (32%)

Note: SAIs Lao PDR and Korea answered “No”


The survey results revealed that 14 out of 15 SAIs which have structured guidelines enumerated the processes of preparing a Risk-Based Audit Plan as shown in Table 6.

TABLE 6 PROCESS OF PREPARING A RISK-BASED AUDIT PLAN

SAI PROCESS OF PREPARING A RISK-BASED AUDIT PLAN

Australia
A risk-based audit approach for financial statements audit entails:
1. A systematic approach to planning focussing on high risk areas;
2. The evaluation of internal control systems; and
3. The use of analytical procedures to form an opinion that is within the desired level of assurance.
The audit strategy is communicated to the client including a snapshot of the risk assessment followed by a detailed assessment and planned response to the key areas of audit focus, as well as information on the audit approach to all material processes.

Bahrain
The process involves:
1. Understand all related business processes.
2. Prepare documents and information flowcharts for business processes.
3. Identify all probable and expected risks.
4. Classify identified risks (High, medium, low).
5. Identify risky areas and prepare the audit plan and work program based on that.

Bangladesh A risk assessment matrix is developed from the lessons learned by conducting ISSAI compliant for financial and compliance audits. Risks are assessed using the matrix and then the plan is developed based on the risks assessed.

Cambodia The audit teams gather the information about the audited entity and perform analytical procedures, calculate overall materiality, performance materiality in order to identify the accounts for doing the risk assessment. Auditors assess the inherent risk, control risk, fraud risk and compliance risk of the account and the audit procedures to uncover the risks identified.

China The process involves comprehensively analysing the risk and understanding the basic situation of the audited entities, confirming the factors that affect audit objectives, testing and evaluating the inherent risk and risk control of audited entities, determine the acceptable level of audit risk, determining corresponding countermeasures of audit and appropriate audit procedures.

Cyprus The Internal Auditing Guidelines outline the steps to be followed in preparing an audit plan. The Guidelines include templates for the assessment of audit risk, calculating materiality levels and determining the main audit areas based on the risk assessment performed.

Indonesia The general process of risk-based audit planning is as follows:

Understanding the Audit Objectives and Engagement Expectation;

Understanding the Entity and Its Business Process;

Understanding Previous Audit Reports;

Conducting Initial Analytical Procedures;

Understanding the Internal Control System;

Initial Risk Identification and Risk Assessment;


Setting the Initial Materiality Threshold;

Determining the Sampling Method;

Determining the Audit Criteria; and

Preparing the Audit Program.

Iraq The process starts from the initial survey and the evaluation of the internal auditing system and determining the potential and auditing risks for all kinds of accounts and calculating the percentage of each one, and then calculating and determining the size of the required sample for auditing in such a way that it will represent all of them and be sufficient to reach a technical and neutral opinion about the accuracy and appropriateness of the financial statements. This is still in the initial stages and includes 25% of work plan prepared to implement tasks.

Jordan The process includes problem analysis, audit objectives, audit scope, audit problem and audit criteria.

Malaysia
The audit planning process includes:
1. Understanding the entity and its environment;
2. Identifying and assessing the risks of material misstatement for classes of transactions, account balances, and disclosures;
3. Audit planning memorandum;
4. The auditor’s responsibilities relating to fraud;
5. Review of the internal auditor’s report;
6. Communication with those charged with governance;
7. Audit considerations relating to an entity;
8. Using a service organization;
9. The auditor's responsibilities relating to other information in documents containing audited financial statements; and
10. Review of financial statements opening balances.

Mongolia
General process for audit planning is as follows:
1. Identifying weaknesses;
2. Identifying risks by inherent and internal control based on weaknesses and evaluate auditors’ risks by account;
3. Determining materiality;
4. Developing audit questions, audit procedures criteria;
5. Developing audit programme; and
6. Finalise and approve audit plan.

Nepal All the audited entities are graded into Grade A, B and C based on defined evaluation criteria. All Grade A entities and 50% of Grade B and 1/3rd of Grade E entities are audited by adopting detailed audit procedures. Others are audited using simplified procedure. The rest of 50% of Grade B and 2/3rd of the Grade C entities are audited in two and three years interval respectively.

Philippines
The process starts with strategic planning and risk identification and the agency audit planning and risk assessment as per the Integrated Results and Risk Based Audit Manual (IRRBAM) that considers the following processes:
1. Preparing the agency audit work step;
2. Understanding the agency;
3. Identifying significant agency risks;
4. Understanding and assessing agency level controls;
5. Understanding the process; and
6. Conducting audit risk assessment and planning


Singapore The process involves acquiring an understanding of the entity being audited and its environment, identifying and analysing key risks, considering the internal controls in place and designing the audit approach /strategy.

4.3.5 Risk Analysis in Preparing the Audit Plan

Analysing or assessing risks is part of planning to ensure that scarce resources are directed to the audit of areas of highest risk. Auditors must have a thorough understanding of the risks facing the audited entity and their potential impact and probability. Then, they have to apply realistic judgments on the importance and probability of the risks identified.

The survey results revealed that the majority of the SAIs analyse risks in preparing the audit plan (Figure 5). Even though 17 SAIs explicitly reported that they adopt risk-based auditing either fully or partially, another 5 SAIs (Azerbaijan, Iran, Myanmar, Tajikistan and Vietnam) which did not adopt risk-based auditing also conduct risk analysis in preparing the audit plan.

FIGURE 5

SAIS USING RISK ANALYSIS IN THE PREPARATION OF THE AUDIT PLAN

Using risk analysis in the preparation of Audit Plan: 23 (92%)
Not using risk analysis in the preparation of Audit Plan: 1 (4%)
Not applicable: 1 (4%)

Note: SAI Saudi Arabia answered “Not applicable,” while SAI Japan answered “No”.

4.3.6 Preparation of Audit Planning Memorandum

In order to ensure a high standard of performance, it is important that the auditor prepares adequately for his/her work. Planning for an audit is essential for the smooth performance of the audit work and its successful completion. It will not only guarantee a valid audit opinion but also ensure that the objective is achieved, the audit is properly directed and controlled, and the high-risk audit areas are given due attention.

The survey results (Figure 6) indicated that slightly more than half of the 25

respondent SAIs (Australia, Bahrain, Bangladesh, Cyprus, Indonesia, Iraq, Jordan,

Korea, Lao PDR, Malaysia, Nepal, Singapore and Vietnam) prepared the Audit

Planning Memorandum (APM) for financial, compliance and performance audits.

Nine SAIs (Azerbaijan, Cambodia, China, Iran, Kuwait, Mongolia, Philippines and Tajikistan) did not prepare the APM.

FIGURE 6

SAIs PREPARING APM FOR FINANCIAL, COMPLIANCE AND PERFORMANCE AUDITS

Preparing planning memorandum: 13 (52%)
Not preparing planning memorandum: 9 (36%)
Not applicable: 1 (4%)
No answer: 2 (8%)

Note: SAI Saudi Arabia answered “Not applicable,” while SAIs Japan and Myanmar have answered “No”.

10 SAIs (Australia, Bahrain, Cyprus, Indonesia, Jordan, Lao PDR, Malaysia, Nepal, Singapore and Vietnam) mentioned the contents of the APM as presented in Table 7.

TABLE 7

CONTENTS OF PLANNING MEMORANDUM

SAI CONTENTS OF PLANNING MEMORANDUM

Australia Financial statement audit: For each material process, the affected financial statement line items, a description/overview of the items, the relevant control activities/information systems, key IT systems, information systems, the audit team’s intended control reliance and rotation considerations, a link to the relevant audit work and a summary of elevated and significant risks.

Bahrain
1. Introduction (Bases and purpose of the plan);
2. Background about the entity to be audited (Duties and responsibilities, organisational structure, goals, important related statistics …etc.);
3. Related parties and concerned organizational units;
4. Audit goals, scope, and methodology;
5. Audit standards, guidelines and all related criteria (Decrees, ministerial decisions, policies and procedures manuals, etc.);
6. Strengths and weaknesses;
7. Timelines and schedules of the audit assignment;
8. Details of team members; and
9. Risk analysis document and audit work program.

Cyprus
1. Audited entity background: Mission, legal framework, organizational structure, budget and staff.
2. Risk assessment: Template document to be completed.
3. Materiality calculation document: Template document to be completed.
4. Audit budget (available man days), timeframe and audit team members.
5. Audit team meeting minutes, determining the areas on which the audit will focus.
6. Audit steps to be followed, including available man days for each step and the member(s) of staff to which steps are assigned. [A detailed audit programme including steps to be followed in each audit area has so far been adopted for central government entities and municipalities. A similar programme has been prepared for the audit of statutory bodies; however, it is yet to be adopted.]

Indonesia
1. The legal basis for the audit;
2. Audit standard;
3. Audit objective;
4. General information about the entity;
5. Audit scope;
6. The result of understanding the entity’s internal control system;
7. Targeted audit;
8. Audit criteria;
9. The rationale/reasons of the audit;
10. Audit methodology;
11. The audit period;
12. The composition of the team and the detailed audit fee;
13. The audit report framework; and
14. The distribution of report.

Jordan
1. The legal framework of the entity;
2. The mandate of the entity;
3. The objectives of the entity;
4. The Internal audit system;
5. The problem/s; and
6. Auditing process.

Lao PDR
1. Background information of the entity;
2. Audit objective and scope;
3. Audit Methodology;
4. Audit risk area;
5. Assessing whether of priority; and
6. The timing and staffing


Malaysia
1. Introduction;
   i. Background (Establishment of Entity – Establishment Act); and
   ii. Activity/Main Operation.
2. Organisational Structure;
3. Accounting System;
4. Accounting Policy;
5. Main and Key Activity;
6. Audit Objective, Scope and Methodology;
7. Setting the Materiality Level;
8. Audit Approach;
   i. Examine the system and determine the existence of internal control which is supported by the chart to express an audit opinion:
   ii. Specify the sample size and methods of selection and the branches visited;
   iii. Auditing in computerised environment. Evaluate the integrity of the system in producing financial statements and critical information; and
   iv. Pending matters from previous year.
9. Risk Assessment;
10. Audit Programme;
11. Grade and Number of Employees;
12. Audit Time Frame;
13. Audit Fee;
14. Contact Person;
15. Audit Report of the Private Auditor to the Auditor General;
16. Other Significant Matters;

Nepal
1. Description about entity to be audited; introduction, establishment year, objectives, functions, legal, institutional and policy arrangements, staff positions, annual and periodical programmes and progress statements, financial transactions, financial Statements etc.;
2. Audit Objectives, Scopes, Methodology;
3. Audit Programme;
4. Audit Team and Responsibility;
5. Ethical Requirements and Consideration of Competency Required; and
6. Supervision Arrangements

Singapore
The APM for financial or compliance audit include:
1. Audit Mandate;
2. Audit Objective and Scope;
3. Significant Events and Developments;
4. Financial Highlights;
5. Risk Assessment; and
6. Audit Approach and Strategy.

Vietnam Financial and performance audits shall be planned separately but compliance audit normally is planned, as well as conducted in conjunction with a financial/performance audit.


From the table above, there are seven common contents of the APM, encompassing the following:

1. Basic information of the unit and subject matter of the audit;

2. Audit objectives and scope;

3. Audit methodology;

4. Areas of audit risk;

5. Assessing the priorities; and

6. Timing and assignment of audit areas.

4.3.7 Benefits of Risk-Based Audit Plan

ISSAI 1300 paragraph 2 stated the following five benefits of preparing a Risk-Based

Audit Plan:

i. Helping the auditor to devote appropriate attention to important areas of the audit.

ii. Helping the auditor in identifying and resolving potential problems on a timely basis.

iii. Helping the auditor properly to organise and manage the audit engagement so that it is performed in an effective and efficient manner.

iv. Assisting in the selection of engagement team members with appropriate level of capabilities and competence to respond to anticipated risks, and the proper assignment of work to them.

v. Facilitating the direction and supervision of engagement team members and the review of their work.

Survey results showed that more than 80% of the respondents agree on all the

benefits of preparing a risk-based audit plan as per ISSAI 1300. Details are depicted

in Table 8.

TABLE 8

BENEFITS IN PREPARING A RISK-BASED AUDIT PLAN

NO. | BENEFITS | AGREE (NO) | AGREE (%) | DISAGREE (NO) | DISAGREE (%) | NOT APPLICABLE (NO) | NOT APPLICABLE (%)
1 | Helping the auditor to devote appropriate attention to important areas of the audit. | 23 | 92 | 0 | 0 | 2 | 4
2 | Helping the auditor in identifying and resolving potential problems on a timely basis. | 22 | 88 | 1 | 4 | 2 | 4
3 | Helping the auditor properly to organize and manage the audit engagement so that it is performed in an effective and efficient manner. | 22 | 88 | 1 | 4 | 2 | 4
4 | Assisting in the selection of engagement team members with appropriate level of capabilities and competence to respond to anticipated risks, and the proper assignment of work to them. | 22 | 88 | 1 | 4 | 2 | 4
5 | Facilitating the direction and supervision of engagement team members and the review of their work. | 23 | 88 | 0 | 0 | 2 | 4

The survey results showed that although 8 SAIs are not adopting risk-based auditing either fully or partially, 5 of them recognised the benefits of preparing a risk-based audit plan.

4.3.8 Preparing Audit Plan for Financial Audit

ISSAI 1300 on Planning an Audit of Financial Statements requires the auditors to develop an audit plan which includes a description of:

(i) Nature, timing and extent of planned risk assessment procedures (as required by ISSAI 1315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment);

(ii) Nature, timing and extent of planned further (substantive) audit procedures at the assertion level (as required by ISSAI 1330, The Auditor’s Responses to Assessed Risks); and

(iii) Other planned audit procedures that are required to be carried out in compliance with other ISSAIs.

The survey results showed that 80% of 25 SAIs included descriptions (i) and (ii) above in the financial audit whilst 64% of 25 SAIs described other planned audit procedures that are required to be carried out in compliance with other ISSAIs. Details of the results are depicted in Figure 7.

FIGURE 7 SAIS WHICH INCLUDE ISSAI-REQUIRED DESCRIPTIONS OF PROCEDURES IN THE AUDIT PLAN FOR FINANCIAL AUDIT

[Bar chart; number of SAIs, axis 0 to 25]

| Description | Included in the audit plan for financial audit | Not included in the audit plan for financial audit | Not applicable |
|---|---|---|---|
| (i) Nature, timing and extent of planned risk assessment procedures | 20 | 4 | 1 |
| (ii) Nature, timing and extent of planned further (substantive) audit procedures at the assertion level | 20 | 4 | 1 |
| (iii) Other planned audit procedures that are required to be carried out in compliance with other ISSAIs | 16 | 7 | 2 |

Note: 1. SAI Japan answered ‘Not Applicable’ to all items. 2. SAI Singapore answered (iii) as ‘Not Applicable’.

SAI Japan answered ‘Not Applicable’ to the three requirements of ISSAIs on financial audit because the SAI conducts direct reporting engagements under the provisions of the laws and ordinances and has no legal grounds to conduct attestation engagements, which makes the adoption of ISSAIs on financial audits difficult. For other planned audit procedures that are required to be carried out in compliance with other ISSAIs, SAI Singapore answered ‘Not Applicable’ as the SAI is guided by the Singapore Standards on Auditing issued by the Institute of Singapore Chartered Accountants for financial auditing.

ISSAI 1315 on Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISSAI 1330 on The Auditor’s Responses to Assessed Risks listed the steps in developing the financial audit plan:

i. Obtaining an understanding of the entity and its environment, including the entity’s internal control (as required by ISSAI 1315);

ii. Using the understanding of the entity to identify and assess the risks of material misstatement at the financial statement and assertion levels (as required by ISSAI 1315);

iii. Designing and implementing responses to these assessed risks of material misstatements (as required by ISSAI 1315);

iv. Identifying specific procedures required for material financial statement areas (ISSAI 1330); and

v. Determining what audit procedures and the extent of testing required (ISSAI 1330).

The survey results (Figure 8) showed that 72-88% of the SAIs followed the steps stated in ISSAI 1315 and ISSAI 1330.

FIGURE 8

SAIS WHICH PERFORM THE STEPS IN DEVELOPING AN AUDIT PLAN FOR FINANCIAL AUDIT

[Horizontal bar chart; number of SAIs, axis 0 to 25. Categories: (i) Obtaining an understanding of the entity and its environment, including the entity’s internal control; (ii) Using the understanding of the entity to identify and assess the risks of material misstatement at the financial statement and assertion levels; (iii) Designing and implementing responses to these assessed risks of material misstatements; (iv) Identifying specific procedures required for material financial statement areas; (v) Determining what audit procedures and the extent of testing required. Data labels by series, in the order extracted: Performing the step in developing an audit plan for financial audit: 22, 20, 18, 18, 20; Not performing the step in developing an audit plan for financial audit: 1, 3, 5, 5, 3; Not applicable: 2, 2, 2, 2, 2.]

Notes: 1. SAI Japan answered “Not applicable” for all five aspects because of limited legal grounds to conduct attestation engagements. 2. SAI Saudi Arabia answered “Not applicable” for all questions because the officer who answered the questionnaire works at the performance auditing department of the SAI.

Further questions were asked on each of the five steps in developing the financial audit plan. For the first step, in obtaining an understanding of the entity and its environment, including the entity’s internal control, the 17 SAIs use various templates such as model or programme to understand the client; standardised forms or guides; audit guide and ISSAIs; and SAIs’ own standards. Details are shown in Table 9.

TABLE 9

TEMPLATES USED IN UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

| TEMPLATE | SAI |
|---|---|
| Use a model or program for understanding the client | Australia, Cambodia, Lao PDR, Vietnam |
| Use standardised forms or guides | Vietnam, Singapore, Malaysia, Nepal, Korea, Iraq, Bahrain |
| Use audit guides and International Standards for Supreme Audit Institutions | Bangladesh, Cyprus, India, Indonesia, Jordan, Iran |
| Own standards | China |

In identifying and assessing the risks of material misstatement at the financial statement and assertion levels (Step 2), the 17 SAIs use various templates such as programme on evaluation of the audit risks; table or matrix of risk assessment; models or guides and ISSAIs. Details are depicted in Table 10.

TABLE 10

RISK ASSESSMENT TEMPLATE

| TEMPLATE | SAI |
|---|---|
| Program on evaluation of the audit risks | Australia, Korea, Jordan, Bahrain, Cyprus |
| Table or matrix of risk assessment | Singapore, Philippines, Iraq, Indonesia, India |
| Models or guides | Laos, Vietnam, Nepal, Malaysia, Korea |
| Identify and assess the risks of material misstatement of the financial statements | China |
| ISSAI | Bangladesh |

Thirteen SAIs reported their methods and techniques in designing and implementing responses to the assessed risks of material misstatements (Step 3). SAIs of Bahrain, Bangladesh, Cyprus, Nepal, Philippines and Vietnam design an audit programme. SAIs of Australia, Cambodia, India, Korea, Malaysia and Singapore design an objective testing model. SAI Lao PDR designs an audit program as well as an objective testing model.

Step 4 is about identifying specific procedures required for material financial statement areas. SAIs of Australia, Cambodia, Indonesia, India, Iraq, Korea, Laos, Singapore and Malaysia have models for linking the detailed audit procedures with audit risks. For example, in the case of the Australian National Audit Office, the ‘Bridge’ details the line items and disclosures covered for each material process, the testing performed (control and/or substantive) and the assertions addressed by each procedure.

SAIs were also required to explain their methods on determining audit procedures and the extent of testing required (Step 5). SAI Australia uses an objective control and substantive testing to determine sample selections. The audit procedures and the extent of testing for SAIs of Cambodia, India, Indonesia, Iraq, Korea, Lao PDR, Malaysia and Singapore are in accordance with their audit programmes.

Apart from the five steps, 3 SAIs (Australia, Bangladesh and India) described other steps included in the planning stage of the financial audit as per Table 11.

TABLE 11

OTHER STEPS IN THE FINANCIAL AUDIT PLANNING STAGE

| SAI | STEPS |
|---|---|
| Australia | Establish engagement team and independence; Determine the need to appoint a Quality Review Executive (EQCR); Consider whether to engage IT Audit; Hold an engagement team planning meeting; Document the legislative basis for the engagement; Prepare for and conduct client and internal audit planning meeting; Determine materiality; Perform risk assessment analytical procedures; Consider using the work of internal audit, experts, other auditors/service organisations; Consider the need to use external confirmations and solicitor’s representation letters; Review opening balances for initial audits; and Prepare a budget and develop a monitoring plan. The auditor also assesses and responds to fraud risks and communicates the audit strategy to the client. |
| Bangladesh | Materiality level calculation matrix. Materiality assessment for selection of significant audit areas. |
| India | Deciding documentation and requirements |

4.3.9 Preparing Audit Plan for Performance Audit

ISSAI 3000 on Standard for Performance Auditing and ISSAI 3200 (Draft endorsement version 2016) on Guidelines for the Performance Auditing Process mentioned the following steps in developing the performance audit plan:

(i) Understanding the audit topic and identifying problems in the area. As part of the planning process, there is a need to develop a sound understanding of the subject matter and of the risks and challenges in the area (ISSAI 3200.21).

(ii) Selecting a focus for the audit or the “audit problem”. ISSAI 3200.35 states that the audit objectives, audit questions and scope are interrelated and need to be considered together.

(iii) Designing and planning the audit engagement. ISSAI 3000 (2003) on standards and guidelines for performance auditing based on INTOSAI’s Auditing Standards and practical experience, discusses the methodological planning and administrative planning as follows:

Methodological planning - Performance audit can draw upon a large variety of data-gathering and analysis techniques, with due consideration on the validity and reliability of methods to be used.

Administrative planning - It involves the selection of the audit team and team leader and the development of an activity plan including the time table and resources needed.

The survey results showed that 21 out of 25 SAIs comply with steps (i) and (ii) above and 20 SAIs comply with step (iii) in developing the performance audit plan. Details are as per Figure 9.

FIGURE 9 STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN AS PER ISSAI

[Bar chart; number of SAIs, axis 0 to 25]

| Step | SAIs performing the step in developing an audit plan for performance audit | SAIs not performing the step in developing an audit plan for performance audit | Not applicable |
|---|---|---|---|
| (i) Understanding the audit topic and identifying problems in the area. | 21 | 0 | 4 |
| (ii) Selecting a focus for the audit or the “audit problem” | 21 | 0 | 4 |
| (iii) Designing and implementing responses to these assessed risks of material misstatements | 20 | 1 | 4 |

Apart from the three steps as per ISSAI 3100, SAIs of Australia, Bangladesh, India, Indonesia and Nepal enumerated other steps in developing performance audit plan as shown in Table 12:

TABLE 12

OTHER STEPS IN DEVELOPING PERFORMANCE AUDIT PLAN

| SAI | CONTENTS OF PLANNING MEMORANDUM |
|---|---|
| Australia | The ‘Audit Work Plan’ documents include: Audit objective and criteria; Audit scope; Rationale for undertaking the audit and likely impacts; Background for the audit; Audit method; Audit team; Pre-audit work including consultation; Assessment of performance audit engagement and operational risk; Significant risks/issues; Estimated project hours and costs; and Milestones and target dates |
| Bangladesh | Conduct entry meeting; Conduct pre-study; Submit a report for approval |
| India | Assess audit team skills and whether external expertise is to be augmented; Preparation of Audit Design Matrix; Establishing time table and resources |
| Indonesia | Understanding the entity; Selecting audit scope & objective; Developing criteria; Developing Audit Design Matrix |
| Nepal | Engaging Civil Society Organisations in the audit process; Formation of the Steering Committee to oversee CSOs engagement in audit; The Audit Advisory Committee provides suggestions regarding areas to be covered in the performance audit. |

In accordance with ISSAIs, the performance audit plan must contain the following information:

i. Background knowledge and information needed to understand the entity to be audited;

ii. Initial assessment of the problem risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit;

iii. Audit objective, questions or hypothesis, criteria, scope and period to be covered by the audit;

iv. Methodology, including techniques to be used for gathering evidence and conducting the audit analysis;

v. Overall activity plan which includes staffing requirements (i.e. sufficient competencies, human resources, and possible external expertise required for the audit); and

vi. Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit.

The survey results revealed that 18 out of 25 SAIs provide the background knowledge and information of the entity (item i), 19 SAIs include information pertaining to items (ii)-(iv), 16 SAIs include information on staffing requirements and only 12 SAIs include information on estimated cost of the audit, key project timeframes, milestones and the main control points of the audit in the performance audit plan (item vi). Details are shown in Table 13.

TABLE 13

INFORMATION INCLUDED IN THE PERFORMANCE AUDIT PLAN

| NO. | INFORMATION IN THE AUDIT PLAN | INCLUDED IN THE AUDIT PLAN FOR PERFORMANCE AUDIT (TOTAL) | (%) | NOT INCLUDED IN THE AUDIT PLAN FOR PERFORMANCE AUDIT (TOTAL) | (%) | NOT APPLICABLE (TOTAL) | (%) | NO ANSWER (TOTAL) | (%) |
|---|---|---|---|---|---|---|---|---|---|
| 1. | Background knowledge and information needed to understand the entity to be audited | 18 | 72 | 2 | 8 | 4 | 16 | 1 | 4 |
| 2. | Initial assessment of the problem risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit | 19 | 76 | 1 | 8 | 4 | 16 | 1 | 4 |
| 3. | Audit objective, questions or hypothesis, criteria, scope and period to be covered by the audit | 19 | 76 | 1 | 8 | 4 | 16 | 1 | 4 |
| 4. | Methodology, including techniques to be used for gathering evidence and conducting the audit analysis | 19 | 76 | 1 | 8 | 4 | 16 | 1 | 4 |
| 5. | Overall activity plan which includes staffing requirements (i.e. sufficient competencies, human resources, and possible external expertise required for the audit) | 16 | 64 | 4 | 16 | 4 | 16 | 1 | 4 |
| 6. | Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit | 12 | 48 | 7 | 28 | 4 | 16 | 2 | 8 |


4.3.10 Preparing Audit Plan for Compliance Audit

ISSAI 4100 on Compliance Audit Guidelines - For Audits Performed Separately from the Audit of Financial Statements stated the following steps in developing compliance audit plan:

i. Determine the subject matter, criteria and scope of compliance audit;

ii. Understand the entity;

iii. Understand the control environment and internal control system;

iv. Risk assessment of the subject matter/audited entity;

v. Consideration of risks of fraud;

vi. Determine reliance on internal controls; and

vii. Link identified risks to audit strategy (audit procedures).

Survey results revealed that a range of 13 to 18 SAIs perform the above steps in developing the compliance audit plan. Although 18 out of 25 SAIs (72%) understand the entity, only 13 SAIs (52%) link the identified risks to audit strategy. Details are illustrated in Table 14.

TABLE 14 STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN AS PER ISSAI 4100

| NO. | STEPS | PERFORMING THE STEPS (TOTAL) | (%) | NOT PERFORMING THE STEPS (TOTAL) | (%) | NOT APPLICABLE (TOTAL) | (%) | NO ANSWER (TOTAL) | (%) |
|---|---|---|---|---|---|---|---|---|---|
| 1. | Determine the subject matter, criteria and scope of compliance audit | 17 | 68 | 2 | 8 | 3 | 12 | 3 | 12 |
| 2. | Understand the entity | 18 | 72 | 1 | 4 | 3 | 12 | 3 | 12 |
| 3. | Understand the control environment and internal control system | 17 | 68 | 2 | 8 | 3 | 12 | 3 | 12 |
| 4. | Risk assessment of the subject matter/audited entity | 14 | 56 | 5 | 20 | 3 | 12 | 3 | 12 |
| 5. | Consideration of risks of fraud | 14 | 56 | 5 | 20 | 3 | 12 | 3 | 12 |
| 6. | Determine reliance on internal controls | 15 | 60 | 4 | 16 | 3 | 12 | 3 | 12 |
| 7. | Link identified risks to audit strategy (audit procedures) | 13 | 52 | 5 | 20 | 3 | 12 | 4 | 16 |

It is noted that SAI Japan did not provide their responses because specific information in their audit plan is confidential. SAIs Nepal and Vietnam conducted compliance audit with the financial audit or performance audit and therefore, there are no responses from them. SAIs of Bahrain, Bangladesh, India, Indonesia, Jordan and Singapore reported other steps performed by them besides the steps detailed in ISSAI 4100 (Table 15).

TABLE 15 OTHER STEPS IN DEVELOPING COMPLIANCE AUDIT PLAN

| SAI | CONTENTS OF PLANNING MEMORANDUM |
|---|---|
| Bahrain | Understand all related business processes. Prepare documents and information flowcharts for business processes. Identify all probable and expected risks. Classify identified risks (High, medium, low). Identify risky areas and prepare the audit plan and work program based on the areas. |
| Bangladesh | Special compliance audits and pilot ISSAI compliant compliance audit plans must be approved. |
| India | Allocation of audit resources for the audits to be undertaken |
| Indonesia | Understanding expectation and objective of the assignment of compliance audit |
| Jordan | Size of job, mandate, time, implementation |
| Singapore | Identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control (Singapore Standards on Auditing 315 issued by the Institute of Singapore Chartered Accountants) |

In line with the requirements pertaining to compliance audit, SAIs are also expected to include in their compliance audit plans the following information:

i. Description of identified criteria related to the scope and characteristics of the compliance audit and to the legal, regulatory or appropriations framework;

ii. Description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria; and

iii. Description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments.

The survey results revealed that 60% out of 25 SAIs included information on item (i), 48% of the SAIs included the information on item (ii) and 56% of the SAIs included information on item (Figure 10).

FIGURE 10 INFORMATION INCLUDED IN THE COMPLIANCE AUDIT PLAN

[Bar chart; number of SAIs, axis 0 to 25]

| Information | Included in the audit plan for compliance audit | Not included in the audit plan for compliance audit | Not applicable |
|---|---|---|---|
| (i) Determine the subject matter, criteria and scope of compliance audit | 15 | 4 | 3 |
| (ii) Description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria | 12 | 6 | 4 |
| (iii) Description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments | 14 | 5 | 3 |

4.3.11 Determining Materiality at the Planning Stage

Materiality is a key element in risk-based auditing as it is an important consideration in defining audit objectives and criteria, defining the extent of audit procedures and forming conclusions. ISSAI 1320 on Materiality in Planning and Performing the Audit requires SAIs to apply the concept of materiality in planning and execution phases and in evaluating the effect of identified misstatements on the audit and uncorrected misstatements in the financial audit. For compliance audit, ISSAI 4000 requires the auditor to determine materiality to form a basis for the design of the audit; for performance audit, the auditor is required by ISSAI 3000 to consider materiality at all stages of the audit process, including the financial, social and political aspects of the subject matter.

In the survey conducted, it is revealed that most of the SAIs determined materiality in audit planning and performance for the financial audit. On the other hand, there are only 15 SAIs (Australia, Bahrain, Bangladesh, China, India, Indonesia, Iran, Iraq, Jordan, Korea, Kuwait, Malaysia, Mongolia, Nepal and Vietnam) which determined materiality for performance audits and 14 SAIs (56%) determined materiality for compliance audits. Details are shown in Figure 11.

FIGURE 11 SAIS DETERMINING MATERIALITY IN PLANNING AND PERFORMING THE AUDIT

[Bar chart; number of SAIs, axis 0 to 25]

| Audit type | SAIs determining materiality | SAIs not determining materiality | Not applicable |
|---|---|---|---|
| Financial audit | 21 | 3 | 0 |
| Performance audit | 15 | 5 | 4 |
| Compliance audit | 14 | 5 | 3 |

4.4 Internal Control System and Risk Assessment

4.4.1 Internal Control System

The evaluation of internal control system and risk analysis and identification is an essential procedure for audit planning as per ISSAI 1315 "Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment". Since 2004, INTOSAI has incorporated the Committee of Sponsoring Organisations (COSO) framework in its internal control standard guidelines (INTOSAI.GOV 9100 and 9120). The COSO Framework is a tool for auditors to use to evaluate the internal control system with the purpose of identifying and analysing risk during the audit process. In this framework, there are five components of internal control: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.

Based on survey results (Figure 12), only 12 (Australia, Bahrain, Bangladesh, Cambodia, China, Indonesia, Iran, Kuwait, Malaysia, Mongolia, Philippines and Vietnam) out of 25 SAIs adopted the COSO Framework in understanding the entity’s internal control.

FIGURE 12 ADOPTION OF COSO FRAMEWORK

[Pie chart. SAIs adopting the COSO Framework: 12 (48%); SAIs not adopting the COSO Framework: 13 (52%). The legend also lists "Not applicable".]

Several SAIs which did not adopt COSO Framework, i.e. SAIs Bangladesh, Cyprus, Japan, Jordan, Korea and Nepal, described alternative methods as per Table 16.

TABLE 16 ALTERNATIVE METHODS IN UNDERSTANDING INTERNAL CONTROL SYSTEM

| SAI | EXPLANATION |
|---|---|
| Bangladesh | The internal control questionnaire included in the Entity Wide Audit Manual has been developed using the COSO Framework. |
| Cyprus | No explicit assessment of the internal controls of audited entities is usually performed. Understanding of the internal control environment and its effectiveness normally arises during the audit or from previous audit experience. |
| Japan | When conducting audits, the BOA takes into consideration effectiveness of internal control in auditees’ organizations. On the other hand, in Japan, many government organizations, such as the State, are not required to adopt internal control framework such as COSO framework. However, some organizations including independent administrative agencies adopt the idea correspond to COSO Framework. |
| Jordan | We have Internal Control Regulation with mandatory application. |
| Korea | Although COSO Framework is not stated in the BAI’s financial audit manual, a standard internal control system, including COSO, is used. |
| Nepal | We do not specifically spell out the COSO, however, our procedure covers components of internal controls discussed by COSO framework. Please refer to Financial Audit manual for detail. |

In spite of the significant number of SAIs which did not adopt COSO Framework, majority of respondent SAIs consider the components of COSO Framework in understanding or assessing the entity’s internal control. Details are as per Table 17.

TABLE 17 COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK CONSIDERED BY SAIs

| COMPONENT | CONSIDERING TO USE (TOTAL) | CONSIDERING TO USE (%) | NOT CONSIDERING TO USE (TOTAL) | NOT CONSIDERING TO USE (%) |
|---|---|---|---|---|
| Control Environment | 22 | 88 | 3 | 12 |
| Risk Assessment | 22 | 88 | 3 | 12 |
| Control Activities | 24 | 96 | 1 | 4 |
| Information and Communication | 21 | 84 | 4 | 16 |
| Monitoring Activities | 23 | 92 | 2 | 8 |

4.4.2 Risk Assessment

ISSAI 1003 on Glossary of Terms to INTOSAI Financial Audit Guidelines mentioned three types of risk: inherent, control and detection. Definitions of the three risks are as follows:

Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Control risk is defined as the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure, and that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected and corrected, on a timely basis by the entity’s internal control.

Detection risk is the risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

ISSAI 1330 on Auditor’s Response to Assessed Risks requires the auditor to design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement (a function of inherent and control risks) at the assertion level.

The risk of material misstatement (inherent and control risks) and detection risk constitute the concept of audit risk, or the risk that the auditor will express an inappropriate conclusion if the subject matter information is materially misstated. ISSAI 200 Fundamental Principles of Financial Auditing requires the auditor to reduce audit risk to an acceptably low level in the circumstances of the audit.

The survey results showed that while control risk is being considered in the preparation of the audit plan by 22 out of 25 SAIs (88%), detection risk is only considered by 17 SAIs (68%). Details are as shown in Table 18.

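TABLE 18

RISK ASSESSMENT IN THE PREPARATION OF AUDIT PLAN

| RISK | ASSESSING THE RELEVANT RISK (TOTAL) | ASSESSING THE RELEVANT RISK (%) | DO NOT ASSESS THE RISK INVOLVED (TOTAL) | DO NOT ASSESS THE RISK INVOLVED (%) |
|---|---|---|---|---|
| Inherent risk | 21 | 84 | 4 | 16 |
| Control risk | 22 | 88 | 3 | 12 |
| Detection risk | 17 | 68 | 8 | 32 |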

4.5 Summary

This part reported the findings based on the questionnaire in relation to the research objective on determining the methods used by the ASOSAI members in developing risk-based audit plan. Descriptive analysis is used for analysing the results. The research study found that the methods used by the ASOSAI members in developing the financial, performance and compliance audit plans are in accordance with ISSAI 1300, ISSAI 3000 and ISSAI 4000. Risk assessment and analysis as well as materiality are considered in developing the audit plans. The research study also found that half of the SAIs adopt the COSO framework to establish, assess and enhance their internal controls.


PART 5 RESULTS BASED ON EXTENDED STUDY

5.1 Introduction

This part discusses the results of the extended studies of 7 SAIs whereby 4 SAIs fully adopted risk-based audit approach and the remainder adopted combination of approaches.

5.2 Analysis of the Results

5.2.1 Analysis on 7 Selected SAI’s Practices

As mentioned earlier in Part 3, a survey questionnaire prepared to obtain information for developing a risk-based audit plan was distributed among all ASOSAI members. According to the information in the returned questionnaires, all participating SAIs in this 11th ASOSAI Research Project agreed that good practices from several selected SAIs would be beneficial as a reference for further analyses.

Initially, there were 11 SAIs (Australia, Bangladesh, Cyprus, India, Indonesia, Iraq, Jordan,

Malaysia, Nepal and The Philippines) selected for extended study based on their responses

to the questionnaire. However, only 7 SAIs (Australia, Bangladesh, Indonesia, Iraq,

Malaysia, Nepal and Philippines) submitted their audit planning documents.

The documents received from 7 SAIs are:

i. Australia – Financial Audit Guide – Bridge, Financial Audit Guide – Risk Assessment

Documents (RAD), Materiality Template, PAAM 70.1 Engagement Risk Rating,

Performance Audit Manual, Performance Audit Work Plan Template, Risk

Assessment Template and Summary Planning Memorandum Template.

ii. Bangladesh – Fraud Audit Manual, Financial and Compliance Audit Manual,

Procurement Manual, Investigation Manual, Audit Plan (Sample), Environment Audit

Report and Experience Sharing on Financial Audit.

iii. Indonesia – Financial Audit Guidelines, Performance Audit Guidelines and Special

Purpose Audit Guidelines

iv. Iraq – Guide on Performance Evaluation for Programs and Policies and Audit

Approach on Risk Method.

v. Malaysia – Guidelines on Auditing Based on ISSAI, Guidelines – 200 Identifying and

Assessing the Risks of Material Misstatement and Guidelines – 300 Audit Planning

Memorandum.

vi. Nepal – Financial Audit Manual and Performance Audit Guide.

vii. Philippines – Integrated Results and RBA Manual and IRRBAM – Forms and

Templates.

5.2.2 Findings on Extended Study

5.2.2.1 Analysis on Audit Approaches

Analysis of both the questionnaires and the documents submitted by the 7 selected SAIs found that only 3 out of 7 SAIs solely adopt Risk-based Audit in all types of audit. The remaining 4 SAIs use both RBA and a system-based approach in their audit work. The summary of the audit approaches adopted by the 7 SAIs is as follows:

TABLE 19 AUDIT APPROACHES

Columns: Fully RBA; RBA & System-based or other approaches

Rows: Australia; Bangladesh; Indonesia; Iraq; Malaysia; Nepal; Philippines

The 4 SAIs that have fully adopted RBA are Australia, Indonesia, Nepal and Philippines, while the other SAIs use both RBA and other approaches. It is also found that there are different approaches other than the aforementioned method. This indicates the diversity in the methodologies adopted by ASOSAI members. Other approaches include results-oriented, problem-based, transaction-based, fundamental and topic-based audit. This research will focus only on the RBA approach in the planning stage. This study is conducted in order to foster the adoption of risk-based auditing, especially in audit planning, as a tool for achieving effective audits in the long run.

Even though there are SAIs which do not fully adopt RBA, the majority of respondents take risks into account in their audit planning. This means they might unconsciously already implement a few aspects of the RBA approach, but not in a very structured way.

5.2.2.2 Risk Based Audit Planning

ISSAI 1300, 3000 and 4000 require the development of audit plans for financial, performance and compliance audits, respectively; however, not all respondent SAIs prepare separate audit plans. The research findings indicate that almost all SAIs follow ISSAI 1300 and prepare separate audit plans for compliance audit, financial audit and performance audit, except SAI Philippines. The summary of methods in developing the RBA Plan by the 7 selected SAIs is as follows:

TABLE 20 RBA PLAN

Columns: Separate RBA Audit Plan; Combine RBA Audit Plan

Rows: Australia; Bangladesh; Indonesia; Iraq; Malaysia; Nepal; Philippines

Based on the analysis, it is believed that each type of audit has different objectives, scope and methodologies, so a separate guideline for each type of audit may help auditors conduct the audit effectively. Further analysis of the SAIs' documents also found that almost all SAIs follow the ISSAIs during audit planning for all types of audit. In developing the RBA Plan for financial audit, understanding the entity and its environment is the first step in planning the audit. After that, SAIs will understand the entity’s internal control, conduct risk assessment, determine materiality and establish the audit strategy and audit plan. Detailed information on the financial audit plan is shown in Table 21.

TABLE 21 METHODS IN DEVELOPING RBA PLAN: FINANCIAL AUDIT

Columns: Understanding entity and its environment; Understanding the entity’s internal control; Conducting risk assessment procedures; Determining materiality; Establishing audit strategy and audit plan

Rows: Australia; Bangladesh; Indonesia; Iraq; Malaysia; Nepal; Philippines

Source: RBA Documents from the 8 selected SAIs

Based on the RBA documents on performance audit, the research found that only 4 SAIs follow all the requirements under ISSAI 3000 on the performance audit plan. Nepal and Philippines follow only a few requirements, such as understanding the entity and subject matter, defining the scope of audit and choosing audit methodology. However, Bangladesh does not use RBA in the performance audit plan. The detailed steps followed by the SAIs in the RBA performance audit plan are shown in Table 22.

The study also shows that only Bangladesh and Indonesia use RBA in planning the compliance audit, while Iraq, Malaysia and Nepal do not use RBA for compliance audit. SAI Philippines follows only a few steps of RBA for the compliance audit, as their approach is an integrated audit plan for all kinds of audit. The detailed steps followed by the SAIs in the RBA compliance audit plan are shown in Table 23.

TABLE 22 METHODS IN DEVELOPING RBA PLAN: PERFORMANCE AUDIT

Columns: Selecting an audit topic; Assessing potential audit topics in terms of risks, materiality and problems identified; Selecting audit topics that are auditable (assessing auditability); Understanding the entity and the subject matter (what is audited); Defining the audit objectives and audit questions; Defining the scope of audit; Setting the audit criteria; Choosing audit methodology, including techniques to be used for gathering evidence and conducting the audit analysis; Determining overall activity plan; Estimating cost of the audit, key project timeframes and the main control points of the audit

Rows: Australia; Bangladesh; Indonesia; Iraq; Malaysia; Nepal; Philippines

TABLE 23 METHODS IN DEVELOPING RBA PLAN: COMPLIANCE AUDIT

Columns: Identifying intended users and responsible party; Defining the subject matter and the corresponding audit criteria; Understanding the entity and its environment; Understanding the entity’s internal control; Assessing risk; Establishing materiality for planning purpose; Developing audit strategy and audit plan

Rows: Australia; Bangladesh; Indonesia; Iraq; Malaysia; Nepal; Philippines

*Philippines use Integrated Results and Risk-based Audit for all types of audit

5.3 Extended Study on SAIs RBA Approach and Practices (Fully Adopted RBA)

Further analysis was done on the 7 SAIs that adopt RBA solely or together with other approaches in their audit planning. Three out of 7 SAIs have fully adopted the risk-based audit plan. ANAO prepared the most comprehensive and detailed guidelines for both financial and performance audit, while SAI Indonesia prepared a detailed guideline for compliance audit. The detailed processes and procedures related to RBA for the three types of auditing (financial, performance and compliance audit) that were received from SAI Australia, Indonesia and Nepal are explained below:

5.3.1 Financial Audit

5.3.1.1 Australian National Audit Office (ANAO)

As required by the ISSAIs, as the first step of the planning stage, the auditor must gain an understanding of the client’s organization and complete the following documents:

• Business Understanding and Risk Identification (BURI);

• Entity’s Internal Control;

• Fraud Work Program; and

• Process Documentation/Walkthrough for the business process or accounting process.

After understanding the entity, the auditors need to commence the Risk Assessment Document (RAD). ANAO uses the RAD as their template to document their risk assessments for all significant business or accounting processes. The RAD consists of:

i. The identified inherent risks of material misstatement (ROMM) for each material

financial statement line item (FSLI) within each significant business or accounting

process at an assertion level; and

ii. Their assessment of each identified inherent ROMM.

The risks documented in the RAD are an input to the Bridge, in which they design and

document the audit procedures they plan to undertake to address the assessed risks. They

complete a RAD for each significant business and accounting process. In the RAD, they

identify, by financial statement line item, the inherent risks of material misstatement and

assess the level of that risk. The Engagement Executive must review all RADs where a

significant or elevated risk has been identified. The Manager must review all RADs. These

reviews are undertaken prior to the commencement of the audit fieldwork.

FIGURE 13 PROCESS DOCUMENTATION/WALKTHROUGH FOR THE BUSINESS PROCESS OR

ACCOUNTING PROCESS

Source: ANAO Financial Audit Guide – Risk Assessment Document (RAD)

Through the completion of these documents, they are able to identify risk factors that may

affect one or more assertions for the material Financial Statement Line Item (FSLI). The

ROMM must be considered for each FSLI within the business or accounting process. It

should be clear within the RAD which risks relate to which FSLI.

Below is guidance on how to complete the template. The following figure provides an

overview of the process.

FIGURE 14 TEMPLATE ON ASSESSING RISKS AND INPUT TO THE BRIDGE

Source: ANAO Financial Audit Guide – Risk Assessment Document (RAD)

Diagram labels: Bridge; BURI; Fraud Assessment; Process documentation and walkthrough; Understanding FSLI; RAD (assertion level); Internal Control

Identify Inherent Risk by FSLI

• Identify the set of assertions relevant to the FSLI or disclosure

• Identify risks

• Document the associated accounting process

Assess Impact on FSLI

• Determine likelihood

• Determine consequence

• Determine overall risk rating

• Document justification

Populate the Bridge

• Populate Bridge with Significant and Elevated risk

• Link all Normal risk to specific audit procedures in the Bridge that address that assertion

All significant risks are required to be transposed to the Bridge. One way to ensure this is to link all the risks from the RAD to the Bridge. The Bridge is an ANAO template used to document their planned audit approach and the outcome of that plan. They use it to document:

ii. The identified and assessed risk of material misstatement (ROMM) at the financial

report level and the assertion level; and

iii. Their audit response to the assessed ROMM, including the nature, timing and

extent of their audit procedures and the link of those audit procedures to the

relevant assertions.

The Bridge is central to their audit approach. A Bridge is completed for each significant

business/accounting process/or financial statement line item (FSLI) every year. Each Bridge

details their response to significant, elevated and normal risks of material misstatement. In

order to identify and assess the ROMM as required by standard, they determine materiality

for the audit and perform risk assessment procedures as required by standard.

Risk assessment procedures include completing the BURI, the Laws and Regulations

template, process documentation and other planning procedures. The identified ROMMs are

documented in the RAD and Bridge for the relevant Process/Account Balance/or FSLI. Once

the risks and assertions are identified, audit procedures to address the risks are designed

and recorded in the Bridge. The objective is to reduce to an acceptable level the risk that a material misstatement remains undetected.

FIGURE 15 THE BRIDGE PROCESS

Source: ANAO Financial Audit Guide – Bridge

Diagram labels: Bridge; Identify Significant Bus/Acc Processes; Risk Assessment Procedures (incl BURI); RAD; Design Audit Response; Update for Results of testing

Before completion of planning, the Engagement Executive must review and sign-off all

Bridges which include significant risk(s) and/or critical areas of judgment, especially those

relating to difficult or contentious matters, and a sample of Bridges which include Elevated

and/or Normal risks. The Audit Manager must review and sign-off all Bridges.

The Bridge is initially completed at the planning stage and is required to be updated during

the audit to reflect the results of the audit procedures or changes that affect the audit

approach. Each successive change to a Bridge must be reviewed at an appropriate level.

The completed Materiality Template or Summary Planning Document is used as a reference

to ensure that all material FSLIs (whether material by nature or quantum) are identified in a

Bridge. FSLIs are used as the basis of their audit approach because they are required to

assess the ROMM at the assertion level and the assertions describe qualities of financial

information, not the qualities of processes. Only significant and elevated ROMM are

recorded individually on the Bridge. Normal ROMM may be documented in the RAD and are

addressed in the Bridge with sufficient coverage over all assertions for the FSLI. Risks are

described (for significant and elevated risks) with reference to a specific assertion. This will

target the work required and will focus audit effort on specific risk. For each Significant and

Elevated Risk, the Auditors are required to document management’s key control(s),

regardless of whether they intend to rely on the operating effectiveness of the control. No

matter what level of assurance they obtain from tests of controls, some substantive

procedures will always need to be performed for each material balance, class of transactions

or disclosure.

5.3.1.2 Indonesia

Based on the BPKRI documentation, the audit planning is conducted to prepare Audit

Program which will be used as the basis for audit engagement, so the audit can proceed

efficiently and effectively. Audit planning stage consists of ten (10) activity steps, which are:

i. Understanding Audit Objectives and Engagement Expectation

Understanding audit objectives and engagement expectation are conducted to find

out what final result and audit objectives are expected by the Signing Officer as well

as to determine the criteria to measure engagement performance obtained through

communication between Auditors and the Signing Officer. Steps in understanding

audit objectives and engagement expectation include:

a. Discussing and communicating with the Signing Officer

Together with the Signing Officer, Auditors build a clear understanding,

which can be used as a basis to define, prioritize, and measure the Auditors’

performance in audit engagement.

b. Submitting audit objectives and engagement expectation

Auditors carry out the step by reviewing (initial assessment) the entity and

update their knowledge on the entity’s scope of work. Initial consideration of

such information enables Auditors to prepare for discussion with the Signing

Officer and to determine areas to be further explored.

c. Setting audit objectives and engagement expectation

The formulated audit objectives and engagement expectation are

documented in writing and signed by the Team Leader, Supervisor, Audit

Manager, or Signing Officer.

ii. Understanding the Entity and Its Business Process

Understanding the entity and its business process is intended to gain in-depth and

sufficient understanding of the general work processes and risks associated with

each specific work process of the audited entity, as well as to identify and understand

issues important to the entity in achieving its objectives.

iii. Understanding Previous Audit Reports

The objectives of this step are:

a. Obtain deeper understanding of the entity’s work processes and associated

risks based on follow-up implementations on BPK’s recommendations;

b. Assess follow-up implementations on BPK’s recommendations; and

c. Analyse the impact of follow-up implementations on the audited financial

statements.

iv. Conducting Initial Analytical Procedures

The purpose of this procedure is to help Auditors plan the nature, timeline, and scope

of other procedures for the next stage, or audit procedures to be used to obtain audit

evidence for account balances or specific transaction classes.

Initial Analytical Procedure Techniques commonly involve comparing recorded

balances with other data (such as previous year’s balances, balances in related

accounts, or similar posts in the previous year), using ratios or other related matters,

and analysis of the industry/entity’s activities.

v. Understanding Internal Control System

Understanding the internal control system is intended to assess internal control

undertaken by the entity to conduct its activities effectively and efficiently, and to

assess the possibility of misstatement and fraud. In this step, Auditors also assess

the possibility of misstatement caused by matters related to internal control

environmental risks.

vi. Initial Risk Identification and Assessment

The objective of this step is to assess audit risks, so the prepared audit procedures

can be focused on high-risk areas caused by misstatements or fraud, therefore

making the audit process more effective and efficient. Inputs required in this step are:

a. Previous audit working papers (if this is a second-year audit or later),

especially on risk assessment;

b. General review of the entity;

c. Results of fraud risk assessment;

d. Previously conducted discussion with the entity’s leader/management or its

audit committee;

e. Previous discussions with personnel of the internal supervision work unit

and reviewing internal supervision reports; and

f. Understanding of internal control.

vii. Setting Initial Materiality Threshold

Auditors set materiality threshold for the financial audit. In developing audit strategy,

Auditors classify materiality into two (2) groups:

a. Planning Materiality (PM), which relates to the financial statements as a whole; and

b. Tolerable Misstatement (TM), which relates to individual accounts or financial posts.

viii. Determining Sampling Method

Auditors determine the sampling method based on professional judgment. Sampling

is a test element conducted by Auditors to provide assurance on the quality of

information presented and disclosed in the financial statements. The sampling

method utilized can be statistical or non-statistical.

a. Sampling by statistical method in control testing is conducted with attribute

sampling method, while substantive testing is conducted with variable

sampling method.

b. Sampling by non-statistical method is determined using the Auditors’

professional judgment by taking into account the scope of audit, risk and

materiality levels, the accounting system used by the audited entity, and the

cost and benefit principle.

ix. Fulfilling the Needs for Auditors

This step is carried out with the objectives of:

a. Forming an Audit Team with the appropriate expertise composition as

required by the audit engagement;

b. Informing Audit Team Members about the forthcoming engagement, which

covers audit objectives, audit scope, the Signing Officer’s expectations, and

audit performance measures; and

c. Dividing audit tasks in line with their respective expertise and obtaining Audit

Team Members’ commitment on their roles in completing the engagement

and fulfilling the Signing Officer’s expectations, so the audit can be

conducted effectively and efficiently.

x. Preparing Audit Program and Individual Audit Program

The objective of preparing audit program is to summarize all planning steps into a

formal documentation to be approved. Audit Program explains in detail the type,

timeline, and scope of audit procedures.

5.3.1.3 Nepal

The Planning process for SAI Nepal on the financial and compliance audit consists of the

following steps:

i. Understanding the Planning Process

The Strategic Plan, The annual audit plan-Tier I, The Ministry level (or, Directorate

level) plan-Tier II, The entity level plan (or, detailed audit plan or audit program)-Tier

III;

ii. Understanding the Entity Level Strategic Plan

The entity level strategic plan is the first activity in the audit process. It may be

defined as the process that sets the direction of the audit and links the understanding

of the entity’s operations to the focus of the audit work.

iii. Overall Audit Strategy

The overall audit strategy must set the scope, timing and direction of the audit. It

should also guide the development of the detailed audit plan. The establishment of

the overall audit strategy involves the summary of the audit work completed during

the strategic planning phase of the audit.

iv. The Audit Plan

The audit plan is more detailed than the overall audit strategy in that it includes the

nature, timing and extent of audit procedures to be performed by the team members.

The basic purpose of detailed planning is to provide guidance on determining overall

conclusions to date and designing and performing further audit procedures. This is

done in order to respond to the identified risks of material misstatement at the

financial statement and assertion levels done at the preliminary planning stage.

v. Planning Documentation (The Working Papers)

The auditors should document the operations of each audited component of the

entity and the nature and type of audit tests to be completed. This documentation is

to be kept in the relevant Working papers, which an audit team is required to

maintain. The system description is the first step to the detailed planning and should

be completed for all components. It starts with the identification of key activities in the

transaction life cycle. After this, inherent and control risks and management controls

to mitigate these risks should be documented. The auditor should determine the

responses to address the risks of material misstatement at the financial statement

level.

vi. Understanding the Entity’s Business and Environment

In the entity level strategic planning phase, the auditor shall gather information to

obtain an understanding of the following:

a. Overall understanding of the entity;

b. The entity’s accounting policies;

c. The entity’s control environment, and internal controls;

d. The measurement and review of the entity’s financial performance.

vii. Materiality

The objective of the auditor is to apply the concept of materiality appropriately

throughout the audit, especially when:

a. Identifying the components to be audited (strategic planning);

b. Determining the nature, timing and extent of audit procedures (detailed

planning); and

c. Evaluating the effect of misstatements (reporting).

During planning, the auditor should establish an acceptable materiality for the

financial statements as a whole so as to plan to detect quantitative material

misstatements. The auditor should calculate the quantitative materiality level as a

numerical value based on professional judgment.

viii. Risk Assessment

Risk assessment procedures assist the auditor in obtaining an understanding of the

entity and its environment. The procedures should be sufficient to identify and assess

the risks of material misstatement both on the financial statements as a whole and for

each relevant assertion relating to account balances.

ix. Planning Analytical Procedures

Analytical procedures are performed to assist in planning the audit and to enhance

the overall understanding of the entity’s operations. To the extent that it has not been

covered during the development of audit strategy and planning, the auditors should

use analytical procedures to:

a. Analyse relevant information;

b. Discuss results with management.

x. Assessment of Internal and IT Controls

The auditor shall obtain an understanding of internal and IT controls relevant to the

audit. Although most controls relevant to the audit are likely to relate to financial

reporting, not all controls that relate to financial reporting are relevant to the audit.

xi. Consideration of Fraud

There are two types of frauds: fraudulent financial reporting and misstatement of

assets. Although the auditor may suspect or, in rare cases, identify the occurrence of

fraud, the auditor does not make legal determinations of whether fraud has actually

occurred.

xii. Using the Work of Others

Due to technicalities of audit work, involving experts may also be necessary to obtain

sufficient and appropriate audit evidence and to draw conclusion on a specific issue.

xiii. Identification of Significant Financial Statement Accounts and Assertions

Using the information already collected during the planning analytical procedures, the

analysis of relevant information and discussions with management, the auditor

should identify the significant financial statement account balances and classes of

transactions.

xiv. Audit Procedures Responsive to Risks of Material Misstatement

In designing further audit procedures, the auditor considers such matters as the

following:

a. The significance of the risk;

b. The likelihood that a material misstatement will occur;

c. The characteristics of the class of transactions, account balance, or

disclosure involved;

d. The nature of the specific controls used by the entity and in particular whether

they are manual or automated;

e. Whether the auditor expects to obtain audit evidence which will be used to

determine if the entity’s controls are effective in preventing, or detecting and

correcting, material misstatements. The nature of the audit procedures is of

most importance in responding to the assessed risks.

xv. Routine and Non-Routine Transactions

Routine transactions record the entity’s day-to-day operations transactions with the

outside world. Non-routine transactions are transactions that are unusual either due

to size or nature, or that occur infrequently.

xvi. Risks Assessment Process

Risks are the set of circumstances that hinder achievement of objectives. There are

three components of risk which include: Risk Event, Probability of the Risk Event,

and Impact of Risk Event (Risk Event Value). Risk Event is a discrete occurrence

that may affect the project for better or for worse.

xvii. Risk of Significant Misstatement

The risk of significant misstatements on the financial statements when they are

received by the auditor is the combination of inherent risk and control risk. While

developing the audit strategy and planning, the auditor should consider the entity-

wide conditions or events that may increase the risk of significant misstatements. The

risks facing the entity’s operations need to be considered, and whether these risks

are likely to affect the financial statements and therefore have audit implications.

xviii. Critical Audit Objectives

Critical audit objectives often involve a high risk of significant misstatements and

subjectivity in the evaluation of audit evidence. Audit objectives relating to non-

routine transactions may also involve higher risk of significant misstatements or

subjectivity in the evaluation of audit evidence.

xix. Audit Planning Memorandum

The Audit Planning Memorandum usually includes the following items as a minimum:

a. Technical aspects:

i. Background information, a brief history of the entity (ministry/department/project) and current financial position;

ii. Recent developments, performance during the year, changes in entity’s operations, acquisitions, and dispositions/auctions;

iii. Objectives and duties of the operations (ministries) highlighting analysis of key areas of the development plan and long-term plans;

iv. Incorporation and analysis of the operation’s (Ministry’s) budget and work plan for the year and comparison of budget against the actual results of the entity;

v. A summary of the approach to obtaining an understanding of internal control;

vi. A summary of the nature, timing and extent of audit procedures for critical audit objectives; and

vii. A summary of work to be performed by internal auditors and/or specialists.

b. Audit logistic aspects:

i. Staffing, including details of the audit team members and other auditors;

ii. Key people in the entity’s organization to be contacted;

iii. The required type and timing of report on the audit of the financial statements and other reports to the entity; and

iv. Timetable.

xx. Audit Program

As part of the planning stage and before any fieldwork can be performed, the auditor

needs to create the audit program, which will identify the tests and procedures

required to meet the audit objectives identified in the audit planning memorandum.

5.3.2 Performance Audit

5.3.2.1 Australian National Audit Office (ANAO)

The two primary components of the start-up phase of an individual performance audit are:

i. Initial planning, including the collection of information about the entity and

activity to be audited; and

ii. The preparation of an audit plan that will provide the basis for the conduct of

the audit.

Key steps in the start-up phase are as follows:

FIGURE 17 KEY STEPS IN START-UP PHASE

Source: ANAO Performance Audit Manual

Agreement is required from the Executive before resources are expended on preparing an Audit Work Plan. The

estimate of the hours and cost of the planning phase for each audit must be

approved by the responsible Group Executive Director.

Planning involves developing an overall plan for the scope, emphasis, timing and

conduct of the audit. The audit plan should set out the approach for the nature, timing

and extent of evidence-gathering procedures. Formal approval should be sought for

any change significant enough to impact on the audit objective, scope, budget or

timeframes.

Obtaining an understanding of the activity and its context is an essential part of

planning and conducting a performance audit. It includes gaining a knowledge of the

entity(s) that is responsible for the activity, and where relevant, the broader program

of which the activity is a part.

5.3.2.2.1 Audit Work Plan (AWP)

The AWP shall include: a rationale for undertaking the audit; background for the audit; the

audit objective(s), scope and criteria; audit method; likely impacts; identification and

consultation with internal and external stakeholders; the audit's budget, milestones and

target dates; and an overall performance audit engagement risk and operational risk rating.

Prior to developing the AWP, the audit team should set up a project in Change point so that

costs, including staff time costs, can be allocated to the audit. A Change point project is

established by request made to the Performance Audit Service Group (PASG) Business

Unit. Change point generates and assigns a unique project code (PAR code) and provides a budgeting tool for estimating the audit budget and timeline.

a. Rationale for Undertaking the Audit

The AWP outlines the rationale for conducting the audit.

The following table illustrates examples that should be incorporated in a rationale:

TABLE 24 RATIONALE FOR CONDUCTING THE AUDIT

Materiality: High value of assets, annual expenditure or annual revenue of the entity or the program, activity or function.

Sensitivity: High public visibility of the program; importance of the program to particular client groups; strong Parliamentary or community interest in the performance of the program.

Impact: Significant impact of the activity, even when it is undertaken by a small unit within an entity with low materiality.

Key area/issue presenting risks or challenges to Commonwealth administration: The program or activity being a government initiative that is directly related to a key area/issue presenting risks or challenges to Commonwealth public administration.

Potential benefits from the audit: More efficient business processes; greater accuracy in claims processing; better management of contracts; closer adherence to Commonwealth policies; greater accountability through accurate performance reporting; earlier detection of risks to good management or prevention of fraud.

Previous coverage: No previous ANAO performance audit coverage; very limited internal review of a significant program; possibility of a follow-up audit foreshadowed in a previous ANAO audit; a follow-up audit requested by a Parliamentary committee.

Value for money: Multiple factors need to be taken into account when determining value for money. Refer to the Supplementary Guidance for details on applying a value for money perspective.

Source: ANAO Performance Audit Manual

b. Background to the Audit

Each AWP includes background information regarding the entity, program or function

to be audited. This background information reflects and generally builds on the

material for the particular audit that was included in the planned Audit Work Program.

c. Audit Objective

The audit objective is a key statement that is intended to define the intention of the

audit and must be expressed in terms that can be concluded against, such as

statements like ‘the audit reviewed the administration of program xyz’. The objective

of a performance audit is to provide an assessment of specified elements of an

entity's operations. The assessment should address one or more of the following:

administrative effectiveness; efficiency; or compliance. These terms are defined as

follows:

The audit objective and the audit scope are interrelated and should be considered

together. The audit objective needs to be realistic and achievable and give sufficient

understanding to the entity and other relevant parties about the focus of the audit.

The audit objective also provides the basis for developing the audit criteria and the

audit approach.

d. Audit Criteria

Suitable criteria shall be established to enable an assessment of the matters subject

to audit. They shall be expressed in the form of a question that will be subsequently

answered in the findings and conclusion of the audit. Audit criteria are reasonable

and attainable standards of performance against which the extent of administrative

effectiveness, efficiency or compliance aspects of an entity’s programs or activities

can be assessed. They reflect a desirable (normative) model for the subject matter

being reviewed. They represent good practice, a reasonable expectation of what

should be. Criteria may range from general to specific. Suitable criteria must be

identified for each audit. Suitable criteria are those that are relevant to the subject

matters being audited and appropriate to the circumstances.

e. Audit Scope

The audit scope defines the boundary of the audit. Determining the scope of the audit

is a critical part of the planning process as it directly affects the procedures and

resources that will be required to complete the audit and the matters that will be

reported. The scope is usually established based on information obtained in previous

audits and information gathered during the planning phase or through the conduct of

a scoping study.

Materiality and risk are generally considered together and assist to identify that part

of the entity, program or function that is material and/or high-risk and, therefore,

within scope. In assessing materiality and risk, a team would consider both

quantitative and qualitative factors. Auditability refers to assessing whether particular

matters can be included within the scope, that is, whether suitable criteria and audit

approaches are available or can be established within the timeframes proposed.

In defining the scope of the audit, it can also be useful to specify any associated

matters that are not within the scope of the audit and the reasons for their proposed

exclusion from the audit. The audit method sets out the means to be used to collect

information relating to the audit criteria. The method explains the intended use of

specific data collection tools such as sample surveys, case studies, interviews,

document reviews, compliance and/or system control analysis and testing. The audit

method also specifies where and why particular fieldwork is to be carried out and lists

the involvement of any external stakeholders.

f. Likely Impacts

The likely impacts describe the expected benefits of conducting the audit. Audit

teams may find it useful to consider the interests of relevant stakeholders, such as

Parliament, Commonwealth entities or the public, when assessing the likely impacts

of the audit. Performance audits should result in a lasting benefit to the entity (or

entities) audited, the Parliament or taxpayer, for example, through improved service

delivery, financial savings or improved governance.

g. Stakeholders

i. Internal stakeholders: engaging the IT Audit Branch

ii. External stakeholders

iii. Citizen contribution

The Audits in Progress section of the ANAO website has a feature that allows

members of the public to contribute information during the evidence collection stage

for all performance audits. The facility enables and promotes closer public

engagement with the audit process and aligns with broader Australian Government

initiatives to promote the use of technology to encourage more open and transparent

government, to have the public inform policy, and to provide better access to

government information.

h. Budget, Milestones and Target Dates

The estimated tabling date for each audit specified in the AWP shall take into

account the Parliamentary Calendar and the spread of tabling dates throughout the

year. Each AWP should include the key milestones and target dates for the audit.

These are the dates for:

i. The proposed commencement of the audit;

ii. Key points of PASG executive and the executive consultation (where

required);

iii. Reporting milestones; and

iv. The proposed tabling of the report.

i. Duration of Audit

If there is likely to be a significant delay between the date the AWP is approved and

the conduct of the entry interview (or commencement of the actual audit where an

entry interview is not practical), an explanation of the reasons for this should be

included in the AWP for Executive consideration and decision.

j. Cost of an Audit

This includes the estimated costs of staff resources and the employment of

contractors and experts, and the estimated costs of travel and report publication. The

costs of the initial planning phase of the audit and scoping study, where undertaken,

are also to be included.

k. The Audit Team

The audit team shall have the appropriate level of skills, competence and knowledge

to conduct a performance audit. The planning of an audit includes an assessment of

whether the team has adequate skills, competence and knowledge to undertake the

particular audit.

In determining the composition of the audit team, it would be expected that the

following factors will be taken into consideration:

i. The experience of the Audit Manager;

ii. The number, level and experience of other team members;

iii. The benefit of utilizing the IT Audit Branch to assist in conducting elements

of the audit;

iv. The benefit of engaging specialists and/or experts to support the in-house

team in addressing complex and/or technical issues; and

v. The complexity and expected impact of the audit.

The work of the audit team should be carefully directed and supervised throughout

the audit to ensure that the work will meet the ANAO Auditing Standards.

l. Engaging Contractors, Specialists or Experts

The Auditor-General, or delegate, may at any time engage the services of a person

under contract, with agreed terms of engagement, to assist with a performance audit.

The AWP should specify the reasons why contract resources are required, the

proposed involvement of the contractor, specialist or expert, and the estimated costs.

m. Materiality, Risk Assessment and Management Plan

The AWP for each audit shall briefly identify any significant risks or issues

confronting the audit. A detailed risk assessment and management plan is completed

and attached to the AWP that addresses each risk and its corresponding mitigation

strategy.

The audit team considers materiality and performance engagement risk when

planning and conducting an audit so that performance audit risk is reduced to an

acceptable level. Performance engagement risk means the risk that the auditor

expresses an inappropriate conclusion when the performance of an audited activity is

not materially effective, efficient or economic. This would arise where the conclusion

is based on evidence that is not soundly based or that is improper or incomplete as

the result of inadequacies in the evidence-gathering process, misrepresentation or

fraud.

Performance audit operational risk refers to the risk that an audit will not be

completed in accordance with the approved budget and timeframe and to the

required quality. Areas of possible operational risk can include:

i. The reputation of the ANAO arising, for example, from potential conflicts

with the results of previous audit coverage;

ii. The complexity of the audit itself; that is, the subject matter, the approach

being used and the proposed analytical techniques;

iii. The potential delays in obtaining access, documentation and/or being able

to hold discussions with relevant entity staff;

iv. The availability of appropriate audit resources;

v. Unexpected changes to the audit team;

vi. Changes to staff or administrative arrangements in the entity or program

subject to audit;

vii. Timely availability and reliability of entity information and data; and

viii. The quality of relations with the entity.

Each identified operational risk needs to be analysed by the degree of its likelihood of

occurring and impact and consequence on the audit if it occurs. Because this process

is often qualitative, i.e. based on stakeholders’ subjective judgements about the risk,

it is best to keep the range of descriptions simple.

i. Evaluating operational risks involves assessing both likelihood and impact to

determine the overall level of risk to the audit. The level of risk will determine

the governance level required in managing it - high level risks require higher

levels of governance input and approval; low level risks can be managed by

the lowest governance level, such as an audit team member; and

ii. In selecting treatments for operational risks there are a number of

approaches that decision-makers may take. Whatever approach is taken, it

will be necessary to determine if any residual operational risk remains and to

re-evaluate it.

5.3.2.2 Indonesia

The purpose of the audit planning in performance audit is to design the Audit Work Plan and

Audit Program of a detailed audit. These documents will be used as the basis for the detailed

audit, so it can be conducted efficiently and effectively. The audit planning activities consist

of 7 stages:

a. Determining Audit Potential Topics;

The preliminary step in performance audit planning is to determine the potential audit topic. Each audit working unit must prepare a potential topic. The main purposes of determining potential audit topics are:

i. To enable the performance audit to improve the government performance in providing the public service;

ii. To enable the audit to be more focused, so that the audit can be conducted efficiently and effectively; and

iii. To enable the limited audit resources to be allocated to the proper audit topics.

The inputs which are required for this activity cover:

i. Strategic plan and the board’s policy on the performance audit;

b. Designing Preliminary Audit Program

Information that can be stated in the Preliminary Audit Program includes the following:

i. Basis of audit;

ii. Standard of audit;

iii. Audited organization/program;

iv. Audited fiscal year;

v. Identity and general information of the audited entity;

This Preliminary Audit Program will be used by the auditor as guidelines in the

operation planning stage to identify:

i. Issues/problems related to the audited entity/program;

ii. Key area which becomes the focus in the implementation of the detailed

performance audit;

iii. Objective and scope of performance audit;

iv. Criteria of audit to be used, and

v. Type of evidence and procedures of audit.

c. Entity Understanding and Issues Identification

The auditor requires entity understanding in order to understand the main activity,

business process, encountered issues and problems, and regulations related to the

audited entity/activity/program.

In order to identify significant issues of the entity, there are two main approaches

which can be used, namely result-oriented approach and process-oriented

approach.

d. Determining the Key Area

The key area is an area, division, program or activity which is the focus of an audit in

the audited entity. The determination of a key area is very important so that the audit

can be more focused on the audit objective and the use of more efficient and

effective audit resources is feasible. In order to determine the key area priority, the

selection factors approach will be used.

e. Determining the Objective and Scope of Audit

The performance audit objective must be seriously considered and clearly stated.

The objective must be defined clearly in order to help the audit team in reaching the final conclusion at the end of the audit. If the audit objective has been correctly and clearly stated, the audit will be more directed to the activities that respond to the questions arising from the audit objective. Therefore, the Performance Audit objective

must be defined accurately, in order to avoid unnecessary audit procedures. The

benefits of the determination of the objective and scope of audit are:

i. To assist in identifying issues to be audited and reported;

ii. To assist in focusing the audit evidence collection activities;

iii. To prepare the parameter or measurement of the audit limits such as the

audited period or location of the site audit to be chosen; and

iv. To help the audit team in making the decision at the end of audit.

The necessary inputs in the determination of audit scope and objectives activity are

the outputs of the entity understanding and issues identification activities and the

outputs of the key area determination activity. The steps required for determining the

objective and scope of audit are determining audit objective and determining the

audit scope.

f. Determining the Audit Criteria

Criteria are standards of performance that make sense and can be achieved, used to evaluate the economy, efficiency and effectiveness aspects of the activities

performed by the audited entity. The criteria reflect a normative model of control of

the issues which are being reviewed. The criteria represent good practices, namely a

reasonable expectation of ‘what is supposed to be’. If the conditions meet or exceed

the criteria, this indicates that the entity has implemented the best practices. On the

other hand, if the condition does not meet the criteria, this indicates that an

improvement is necessary.

g. Drafting of Audit Work Plan and detailed Audit Program

After the auditor conducts a preliminary audit and decides to do a detailed audit, the

next step is to set up the Audit Work Plan and audit program of the detailed

audit. The Audit Work Plan for the detailed audit is a BPK detailed audit activity plan

in one year covering the topic of audit, audit type, human resources requirements

and audit budget. The main objectives of drafting the detailed Audit Work Plan are to

determine the detailed audit topics to be carried out in one year; and determine the

resources allocation, either in the form of human resources, timing and budget

required for each audit topic.

An adequate audit program is able to identify the significant aspects of the audit; is prepared based on clear and accurate supporting information; provides guidance in implementing effective evaluation; and assists in the collection of audit evidence which is sufficient, reliable, and relevant to support the opinions/statements of opinion or the audit conclusions and achieve the audit objectives.

5.3.2.3 Nepal

The process and procedures of the RBA plan for performance audit are almost the same as for financial audit. In general, the planning process for performance audit can be shown in this

figure.

FIGURE 18

PERFORMANCE AUDIT PLANNING PROCESS

Source: Nepal Performance Auditing Guide

Generally, the RBA approach for performance audit in Nepal is almost the same as for financial and compliance audit. The summary of the RBA process for the performance audit can be expressed as Table 5. .

5.3.3 Compliance Audit

Based on the document received, SAI Australia and Nepal do not have a specific compliance audit. The compliance audit will be part of the financial audit. Only Indonesia has a specific risk-based audit plan for compliance audit.

[Figure 18 step labels: Review Background Information of the Entity; Review Operational Objectives, Strategy and Mandates; Prepare Segment Operation Model; Perform Operational Process Analysis; Perform Risk Assessment; Determine Audit Objectives, Scope and Methodology Audit Questions; Specify Audit Criteria; Prepare Audit Planning Memorandum]

5.3.3.1 Indonesia

Based on the document received by the SAI Indonesia, audit planning for compliance audit

consists of 5 stages, which are:

a. Understanding the Audit Objectives and Engagement Expectation

Understanding the audit objectives and engagement expectation is carried out to reduce

the risk of misinterpreting the requested task or the expectations of other parties, both by

the Auditors as well as the Signing Officer.

Such understanding is obtained through communication between the Auditors and the

signing officer, taking into account the following inputs:

i. Previous year’s financial statements, performance, and special purpose audit

reports.

ii. Monitoring reports of follow-up on financial statements, performance, and

special purpose audits.

iii. Government internal audit reports.

iv. The entity’s database.

v. Communication with the previous Auditors.

The Auditors should properly communicate verbally or in writing with the signing officer,

the result of which must be documented in the audit objectives and engagement

expectation form. The form should be signed by the signing officer and the Auditors to

ensure uniform perception of the engagement. The form is used as one of the bases for

preparing an audit plan.

b. Understanding the Entity

Understanding the audited entity is intended to obtain data and information on:

i. The entity’s objectives;

ii. The entity’s main programs/activities;

iii. Objectives of the programs/activities;

iv. The entity’s accounting system;

v. Procedures to implement and supervise activities;

vi. Resources used to carry out activities; and

vii. Previous audit results and other studies associated with the audited matter.

Comprehensive understanding of the entity’s objectives, goals, strategies, and activities

helps the Auditors in identifying:

i. How the management can achieve the entity’s objectives and goals,

ii. The risks associated with achieving these goals, and

iii. How the management manages risks to achieve the entity’s objectives and

goals.

c. Assessing Risk and Internal Control

Steps in assessing risks are as follows:

i. Identify risks faced by the entity and the impacts of such risks to the attainment

of the entity’s objectives. The step is documented in the form of a risk

identification working paper.

ii. Take into consideration the impacts of laws and regulations, and the possible

risk of fraud.

iii. Ensure whether the entity has a sufficient control system to identify and

mitigate such risks. If the entity is found to have a weak control system, the

Auditors can: (1) stop internal control testing and write a conclusion on it, or

(2) carry out a substantive testing by expanding the scope of audit and

evidence gathering.

iv. Set the audit to focus on areas with high risk potential for further audit after

taking into account points i, ii and iii above, which can affect the organization

activities, programs, and/or its public service functions to be audited. To

determine these key areas, the auditors assess the internal control system

(through understanding and testing) against risk potentials of the entity by

sampling based on risk level.

d. Setting Audit Criteria

When planning compliance audit, the auditors need to set criteria:

i. As a basis for communication between the Auditor and the audited entity’s

management regarding the form of the audit. The Auditors will make an

agreement with the specific entity regarding the criteria and the acceptability

or unacceptability of findings based on the criteria.

ii. As a tool to link the objectives with the audit program during evidence

gathering and analysis.

iii. As a basis for evidence gathering and the foundation for establishing

evidence gathering procedure.

iv. As a basis to establish findings, and to add structure and the form of audit

observation.

Once the sources of criteria have been obtained, the Auditors should check the suitability

of such criteria for use. The proper criteria should be reasonable and attainable.

Reasonable criteria should be relevant and reliable, while attainable criteria are those

that can be achieved with sufficient effort.

e. Preparing Audit Program and Individual Audit Program

The purpose of preparing Audit Program and Individual Work Program is to make it

easier and smoother for the Auditors to carry out their tasks so the audit implementation

will be in line with the specified audit objectives. The prepared Audit Program contains

information on legal basis, audit standards, audit objectives, audited entity, audit scope,

results from understanding the internal control system, audit goals, audit criteria and

others.

5.3.4 Integrated Results and Risk-Based Audit Plan (Philippines)

The Commission on Audit (SAI Philippines) primarily uses the Integrated Results and Risk-

Based Audit (IRRBA) Manual in conducting an integrated comprehensive audit and

government-wide and sectoral performance audit. Comprehensive audit comprises

financial audit, compliance audit, and agency-based performance audit.

IRRBA is composed of five main phases: (1) Strategic Planning and Risk Identification, (2)

Agency Audit Planning and Risk Assessment, (3) Execution, (4) Conclusion and Reporting,

and (5) Monitoring (see Figure 4.2). Audit planning occurs at two levels: government level

(Strategic Planning and Risk Identification) and agency level (Agency Audit Planning and

Risk Assessment).

FIGURE 19

IRRBA FRAMEWORK

Source: IRRBA Manual, Commission on Audit (2011)

5.3.4.1 Strategic Planning and Risk Identification

i. Perform Government Risk Identification

In this activity at the strategic level, SAI Philippines identifies the risks that the Philippine

Government as a whole may face in achieving its objectives.

a. Develop/Update the Government Risk Model (GRM)

The Government Risk Model (GRM) (Form 01-01) is a framework consisting of risks

categorized into groups that could threaten the government as a whole or the specific

processes of the government. The GRM includes a definition of each risk to have a

common understanding of risks. Risks are categorized as strategic risk, operations

risk, financial risk and compliance risk.

b. Identify Government Risks

In this activity, the SAI identifies risks which may hinder the government as a whole from

achieving its objectives. The sources of risk identification include the State of the Nation

Address of the President of the Philippines, the Medium Term Philippine Development

Plan, previous annual audit reports, media reports and the knowledge of the auditors.

This activity is documented using the Government Risk Identification Template (GRIT)

(Form 01-02) which plots the key government risks and the affected agencies including

processes, programs, activities or projects.

c. Report the results of GRI

The results of the GRI are cascaded down to the concerned audit groups through the

SAI Strategic Planning.

5.3.4.2 Agency Audit Planning and Risk Assessment

i. Prepare Agency Audit Work step

The Agency Audit Work step Template (Form 02-01) is accomplished by the Audit Team

Leader for each audited entity. It contains a phase by phase detail of the IRRBA showing

the estimated time to complete each phase and the audit team member assigned to

complete each activity.

ii. Understand the Agency

This activity involves the identification of risks applicable to the agency (agency risks). In

identifying the agency’s risks, the auditor obtains sufficient understanding of the agency

including its purpose, operations and environment. This may be done through the review of

relevant information of the agency and its environment, inquiry to the management and

others within the agency, and analytical procedures on financial and non-financial

information. This is documented using the Understanding the Agency (UTA) Template

(Form 02-02).

iii. Identify Significant Agency Risks

In this activity, the auditors of a particular agency convene to update the Agency Risk

Model and to identify and prioritize agency risks. At this level, they may also identify Key

Fraud Risks which shall be evaluated and assessed through the Fraud Brainstorming and

Fraud Risk Assessment.

a. Update the Agency Risk Model

The Agency Risk Model (Form 02-03) is a framework consisting of a list of agency risks

which is customized per Agency by obtaining information from the UTA template. It

serves as the guide in identifying agency risks. Agency risks are also categorized as

strategic risk, operations risk, financial risk and compliance risk.

b. Assess Agency Risks

In this activity, the auditor identifies agency risks based on the UTA and GRIT.

Identification of risks could be done through workshop, survey or interview. This is

documented using the Agency Risk Identification Matrix (Form 02-04).

c. Prioritize Significant Agency Risks

After the identification of agency risks, the auditors prioritize risks which are significant

based on the risk rating provided. Significant risks will be the audit team’s focus for

their audit.

iv. Understand and Assess Agency-level Controls

The auditor obtains an understanding of agency-level controls through inquiry and

observation due to the nature of agency-level controls and because audit evidence may not

exist or be available in documentary form. In this activity, the five components of internal

control are considered: control environment, risk assessment, monitoring, information and

communication, and control activities. This is documented using the Agency-Level Controls

(ALC) Checklist (Form 02-05).

v. Understand the Process

Significant processes where significant agency risks reside are the subject of understanding

the process.

a. Identify critical path of the process

In this activity, the auditor obtains an understanding of the critical path of significant

processes by understanding each of the following stages:

● Initiation – the point where the transaction first enters the agency’s process and is

prepared and submitted for recording

● Recording – the point where the transaction is first recorded in the books and

records of the agency

● Processing – any changes, manipulation or transfers of data in the books and

records of the agency

● Reporting – the point where the transaction is reported (i.e., posted) in the

general ledger

b. Identify process risks

Process risks refer to points where risks of material misstatement or risks to the

Agency Program/Activity/Project (PAP) objectives, due to error or fraud, can occur in

the significant process. Not all process risks are identified, but only those that could

have a material effect on the objectives of the process or PAPs. Professional judgment

is used in identifying the appropriate level of detail.

c. Identify Impact

The auditor determines the impact of the process risk by identifying the affected

accounts, including assertions, and its impact on the attainment of the objectives of an

agency’s PAPs.

d. Identify Existing Controls

In this activity, the auditor identifies the existing controls that address the identified

process risks and determines whether the design of these controls mitigates the

identified process risks. Any identified process risk with no controls in place or with

inadequate controls is communicated to management to provide them time to

address and resolve the control deficiency.

The auditor performs a walkthrough to obtain a preliminary assessment of the

effectiveness of controls. The process mapping flowchart including the identification of

process risks, controls and impact are documented using the Process-Risk-Control

(PRC) Matrix (Form 02-06).

vi. Conduct Audit Risk Assessment

The information obtained in UTA, ALC and PRC will be the basis in evaluating and

quantifying risks in the audit. The auditor assesses risk for financial, compliance and

agency-based performance audit.

a. Financial and Compliance Audits

In conducting risk assessment for financial and compliance audits, the auditor

assesses risk for each relevant assertion for each significant account.

i. Identify significant and material financial statement accounts

Significant accounts are the affected accounts identified in understanding

the process using the PRC Matrix. Material accounts are those which fall

above the materiality threshold and are considered material based on

qualitative factors. Financial statement accounts that will be assessed are

those that are significant and material.

ii. Assess inherent risk

Inherent risk is assessed as either high or low. If the auditor believes that there

is a higher likelihood that a material misstatement could occur, inherent risk is

assessed as High. If the auditor believes that it is less likely that a material

misstatement could occur, inherent risk is assessed as Low.

iii. Preliminarily Assess Control Risk

The preliminary evaluation is made after understanding the significant

processes, risks and controls and after performing walkthroughs, but before any

test of controls is performed. Control risk is assessed as Low if controls have

been designed and are operating effectively throughout the period of reliance.

On the other hand, control risk is assessed as High if:

● It is believed that the controls have not been designed appropriately,

implemented effectively, or are unlikely to operate effectively throughout

the period of reliance

● Substantive procedures are identified which are believed to provide the

necessary evidence to support the related account balances or disclosure

● It is believed that testing controls would be inefficient

iv. Make Combined Risk Assessment (CRA)

The auditor combines the assessments on inherent and control risks into one

CRA:

Inherent Risk Assessment | Control Risk Assessment: Low | Control Risk Assessment: High
High | Low | High
Low | Minimal | Moderate

v. Other Material Accounts (OMA)

Other Material Accounts (OMA) refer to material financial statement accounts

that were not considered as significant based on the results of Agency Risk

Assessment and Understanding the Process. The auditor uses high precision

analytical procedures for OMAs (but this procedure should not be redundant

with the Analytic Review procedures done in the UTA Template).

b. Performance Audit

In conducting assessment for Performance Audit, the auditor considers the following

factors in evaluating each of the agency’s PAPs:

Quantitative Factor: Budget

Qualitative Factors:

a. Risk to good management

b. Significance

c. Visibility

d. Previous Audit Coverage

The risk assessments for Financial, Compliance and Performance Audits are

documented using the Audit Risk Assessment and Planning Tool (ARAPT) (Form

02-07).

i. Determine Audit Scope and Timing

The auditor defines the audit scope or the boundaries and limitations of the audit.

ii. Determine the need for specialized skills

The auditor determines whether to use the work of an appropriate expert.

The details of the work plan (i.e., scope, audit strategy, timing) are included as part of the ARAPT.

5.4 Extended Study on SAIs RBA Approach and Practices (Combination of RBA

and Other Approaches)

The research results show that the common actual process in preparing the plan among the

SAIs covers the following steps:

a. Understanding the Entity and Its Business Process (including previous audit

reports);

b. Conducting Initial Analytical Procedures;

c. Understanding the Internal Control System;

d. Initial Risk Identification and Risk Analysis

e. Risk Assessment: IR, CR, DR

f. Determining the Audit Materiality, Criteria

g. Preparing Audit Plan Memorandum

Those procedures are in line with ISSAI 1300 (Planning an Audit of Financial Statement),

ISSAI 1315 (Identifying and Assessing the Risks of Material Misstatement through

Understanding the Entity and Its Environment), and ISSAI 1320 (Materiality in Planning and

Performing an Audit).

Similar to ISSAI 1300, the research also shows that the auditor shall include in the audit

documentation: (a) The overall audit strategy; (b) The audit plan; and (c) Any significant

changes made during the audit engagement to the overall audit strategy or the audit plan,

and the reasons for such changes. The documentation of the overall audit strategy is a

record of the key decisions considered necessary to properly plan the audit and to

communicate significant matters to the engagement team. For example, the auditor may

summarize the overall audit strategy in the form of a memorandum that contains key

decisions regarding the overall scope, timing and conduct of the audit. Planning

memorandum is one form of this kind of documentation. The common approaches in

preparing the planning memorandum include the following information:

a. Basic information of the entity (including related parties and significant

events);

b. Audit objective and scope;

c. Audit methodology (including understanding the internal control system, risk

assessment, materiality, and sampling);

d. Audit resources (team, budget, timeline/timeframe);

e. Targeted area (significant risks); and

f. Audit Program.

Meanwhile, the different approach covers information about audit standard and audit criteria.

5.4.1 Risk Based Audit Plan for Financial Audit

The extended study found that most of the respondents have already implemented them in

the real audit practice. In the perspective of principle-based standard, how to do the

procedure might be different from one SAI to another. But the most important thing is that

each SAI has made appropriate efforts through its own manuals and templates, to comply

with the requirements of ISSAIs. From the analysis, it has been found that there are no

different approaches on all the particular steps (5 steps). The common approach uses

templates, matrices, checklists, or audit programs based on their standards, manuals, and

guidelines.

Based on the research results, we may conclude that the Audit plan for financial audit should

include description of the nature, timing and extent of planned risk assessment procedures;

the nature, timing and extent of planned further (substantive) audit procedures at the

assertion level; and other planned audit procedures that are required to be carried out in

compliance with other ISSAIs. It means the majority has performed the steps required by

ISSAIs 1315 and 1330 in preparing an audit plan for financial audit.

5.4.2 Risk-based Audit Plan for Performance Audit

In line with requirement of ISSAIs 3000, 3100, and 3200, the research findings also indicate

that, in preparing an audit plan for performance audit, SAIs should implement the following

steps:

a. Understanding the audit topic and identifying problems in the area;

b. Selecting a focus for the audit or the "audit problem";

c. Designing and implementing responses to these assessed risks of material

misstatements;

d. Developing audit memorandum (and/or audit plan).

The majority of the audit plan for performance audit contains the following information:

b. Background knowledge and information needed to understand the entity to be

audited.

c. Initial assessment of the problem and risk, possible sources of evidence, auditability

and the materiality or significance of the area considered for audit.

d. Audit objective, questions or hypotheses, criteria, scope and period to be covered by

the audit.

e. Methodology, including techniques to be used for gathering evidence and conducting

the audit analysis.

f. Overall activity plan which includes staffing requirements, i.e. sufficient

competencies, human resources, and possible external expertise required for the

audit.

g. Estimated cost of the audit, key project timeframes, milestones and the main control

points of the audit.

5.4.3 Risk-based Audit Plan for Compliance Audit

In line with the requirement of ISSAIs 4000, 4100, research findings indicate that, in

preparing an audit plan for compliance audit, SAIs should implement the following steps:

a. Determine subject matter, criteria and scope of compliance audit;

b. Understand the entity;

c. Understand the control environment and internal control system;

d. Risk assessment of the subject matter/audited entity;

e. Consideration of risks of fraud;

f. Determine reliance on internal controls; and

g. Link identified risks to audit strategy (audit procedures).

The steps related to risk assessment and responses to assessed risks are the ones that still

need to be performed by ASOSAI Members (below 60% conduct these steps) so as to

comply with ISSAI.

The majority of the audit plan for compliance audit contains the following information:

i. The subject matter, criteria and scope of compliance audit;

ii. Description of the nature, timing and extent of risk assessment procedures sufficient

to assess the risks of non-compliance, related to the various audit criteria;

iii. Description of the nature, timing and extent of planned audit procedures related to

the various compliance audit criteria and risk assessments.

5.5 Summary

Based on the evaluation of documents from those 7 selected SAIs, the general

structure of the risk-based audit approaches was in accordance with ISSAIs and includes

the following steps:

STEPS | FINANCIAL AUDIT | PERFORMANCE AUDIT | COMPLIANCE AUDIT
1 | Understanding the entity and its environment | Selecting an audit topic as part of the strategic planning process | Identifying intended user(s) and responsible party
2 | Understanding the entity’s internal control | Assessing potential audit topics in terms of risks, materiality and problems identified | Defining the subject matter and the corresponding audit criteria
3 | Conducting risk assessment procedures | Selecting audit topics that are auditable (assessing auditability) | Understanding the entity and its environment
4 | Determining materiality | Understanding the entity and the subject matter (what is audited) | Understanding the entity’s internal control
5 | Establishing audit strategy and audit plan | Defining the audit objective(s) and audit questions | Assess risk
6 | - | Defining the scope of the audit | Establishing materiality for planning purpose
7 | - | Setting the audit criteria | Developing audit strategy and audit plan
8 | - | Choosing audit methodology, including techniques to be used for gathering evidence and conducting the audit analysis | -
9 | - | Determining overall activity plan which includes staffing requirements, i.e. sufficient competencies, human resources, and possible external expertise required for the audit | -
10 | - | Estimating cost of the audit, key project timeframes, milestones and the main control points of the audit | -

Source: RBA Documents from the 7 selected SAIs

Even though there are differences in audit approach among participants, the

majority of SAIs agreed that the RBA Plan benefits the auditors.

PART 6 CONCLUSION AND IMPLICATIONS

6.1 Introduction

This part discusses the conclusion in relation to the research objectives, implications and

limitations of the research. It proposes some suggestions for future research.

6.2 Conclusion of Research

This study explores the methods used by the ASOSAI members in developing risk-based

audit plans for financial, performance and compliance audits in compliance with ISSAIs. It also

identifies the practices of the members in developing the plans for the three types of audits.

The study stems from the survey of ASOSAI members’ preferences on the topic for the 11th

research project. It focuses on the risk-based audit planning and data are collected using

survey questionnaires and documentation reviews.

6.2.1 Adoption of Risk-Based Audit Approach

The conclusion that can be drawn is that not all SAIs adopted the risk-based approach either

fully or partially in planning the audit. This suggests that the differences in their legal status,

mandates and authorities influence their adoption of the approach. Further analysis showed

that although the percentage of adoption is slightly than half of the respondents, majority of

the SAIs recognised that risk analysis is important in improving their audit effectiveness as

well as improving risk management and governance processes by reporting its assessment

of the risks of the audited entity. This is also supported by the results showing that most of

them agreed on the benefits of preparing the risk-based audit plan.

Slightly half of the SAIs whether they adopted the risk-based audit approach fully or partially

has structured guidelines for preparing the audit plans. In terms of the audit plan, most of the

SAIs prepare a separate audit plan for each type of audit.

6.2.2 Methods for Developing Risk-Based Audit Plan

It can be concluded that the methods in developing risk-based audit plan in terms of the

audit procedures and steps as well as the information of the plan for the financial,

performance and compliance audits generally comply with ISSAIs 1300, 4000 and 3000.

SAIs’ compliance to ISSAIs varies according to their mandates and regulatory requirements.

Some SAIs use their own standards in carrying out the audits.

i. Financial Risk-Based Audit Plan

Most of the SAIs comply with ISSAI 1315 (Identifying and assessing the risks of material

misstatement through understanding the entity and its environment) and ISSAI 1330 (The

auditor’s responses to assessed risks) on the inclusion of the nature, timing and extent of

planned risk assessment as well as substantive audit procedures in the audit plan. More

than 70% of the SAIs performed ISSAIs five steps in developing the financial audit plans

which include understanding the entity and its environment; identifying and assessing the

risks; designing and implementing responses, identifying specific procedures and

determining the audit procedures and extent of testing. The SAIs used models/ programmes/

forms/ tables/matrices/guides for all the steps in developing the audit plan.

ii. Performance Risk-Based Audit Plan

It can be concluded that most of the SAIs comply with the ISSAIs 3 steps for developing the

performance audit risk-based audit plan. The three steps are understanding the audit topic

and identifying problems; selecting the focus area or the audit problem; and designing and

implementing responses to the assessed risks.

Most of the SAIs’ audit plan contained the background knowledge and information regarding

the audited entity; initial assessment of the problem risks, sources of evidence, auditability

and materiality/significance audit area; objective, questions/hypothesis, criteria, scope and

duration of audit; and methodology including audit gathering techniques and audit analysis.

The information on staffing requirements, estimated cost of audit, key project timeframes

and milestone is only included by some SAIs.

iii. Compliance Risk-Based Audit Plan

As compared to the financial and performance audits, SAIs’ compliance to the steps outlined

in ISSAI 4100 for developing an audit plan for compliance audit is lower, i.e. 13-17 SAIs. The

steps required are determining the subject matter, criteria and scope; understanding the

entity; understanding the control environment and internal control system; risk assessment,

consideration of fraud risks; extent of reliance on internal control; and linking the identified

risks to audit procedures. The study showed that only 13 SAIs linked the identified risks

to audit procedures.

Analysis on the information included by the SAIs in the audit plan revealed that slightly half

of the SAIs described the subject matter, criteria, scope, nature of the timing and extent of

planned audit procedures to the audit criteria and risk assessment. Only some SAIs

described the nature of the timing and extent of risk assessment procedures.

6.2.3 Assessing Risk, Materiality and Internal controls

It can be concluded that materiality in planning and performing the audit is very much

emphasised in the financial audit, followed by the performance and compliance audits. The

COSO framework on internal control is used by less than half of the SAIs. Even though other

SAIs did not formally adopt the framework, they considered the components of the COSO

framework to understand or assess the entity’s internal control. The components include

control environment, risk assessment, control activities, information and communication and

monitoring activities. The survey research showed that most of the SAIs considered the

control and inherent risks rather than the detection risk in preparing the audit plan.

6.2.4 Practices in Developing Risk-Based Audit Plan

Based on the extended study by reviewing the documents submitted by the respondent, it

can be concluded that majority of the SAIs do not fully adopt the risk-based audit approach.

Only SAI of Australia, SAI of Indonesia, SAI of Philippines and SAI of Nepal adopted the

approach fully. The four SAIs have structured and detailed risk-based audit planning

guidelines. The financial risk-based audit plans for SAI Australia and SAI Nepal include the

compliance audit. SAI Indonesia has a specific risk-based plan for compliance audit. SAI

Philippines has an integrated audit plan for financial, performance and compliance audits.

i. Financial Risk-Based Audit Plan

The practices in developing the risk-based audit plan for the financial audit are in

accordance with ISSAI 1300. In developing the financial risk-based audit plan, the common

practices conducted by the SAIs which fully or partially adopted the risk-based audit

approach involve firstly, the auditor must thoroughly understand the audited entity in terms of

the business, associated risks and internal control. This can be done by reviewing the

documents or walk through the business/accounting process or discussion with the audited

entity. Secondly, the auditor must perform risk identification and assessment so that the

audit procedures will be focused on high risk areas caused by misstatements or fraud.

Thirdly, in developing the audit strategy, the auditor must consider the materiality threshold

to identify the topics/areas to be audited and to determine the nature, timing and extent of

audit procedures. Lastly, the auditor develops the risk-based plan including the audit

programmes.

ii. Performance Risk-Based Audit Plan

The practices carried out by the SAIs who fully and partially adopt the risk-based audits in

developing the risk-based performance audit plan are in accordance with ISSAI 3000. Based

on ANAO practices, the steps involved are:

a. The auditor must gain an in-depth understanding of the programme/activity/project and

its context. The appropriate information to be gathered includes objectives of the

entity; external and internal accountability relationships, resources, management

processes, performance goals, methods of programme delivery, external environment

and other publicly available information on the programme.

b. The auditor must consider materiality and risk so that the risk is reduced to an

acceptable level. Materiality must be considered in the context of qualitative and

quantitative factors. The auditor must assess the performance engagement risk and

the performance audit operational risk.

c. Lastly, the auditor develops the audit planning memorandum. The content includes the

rationale for undertaking the audit, background for the audit, the audit objective(s),

scope and criteria, audit method, likely impacts, identification and consultation with

internal and external stakeholders, audit budget, milestones, target dates and overall

performance audit engagement risk and operational risk rating.

iii. Compliance Risk-Based Audit Plan

The practices carried out by the SAIs who fully and partially adopt the risk-based audits in

developing the risk-based plan for the compliance audit are in accordance with ISSAI 4000.

The five stage practices in developing risk-based plan for compliance audit include

understanding the audit objectives and engagement expectation, understanding the entity,

assessing risk and internal control, setting audit criteria and preparing audit programme and

individual audit programme (Indonesia).

6.3 Implications of Research

i. ASOSAI

ASOSAI should promote all the members to adopt/follow the risk-based audit approach. The

implementation of risk-based audit methodology in accordance with ISSAIs will enable the

auditors to perform the audits more efficiently and effectively. ASOSAI could conduct training

programmes or workshops on risk-based audit approach. SAIs with in-depth knowledge of

the facet of risk may contribute to the implementation of risk-based audit plans at the

regional or sub regional levels. ASEAN Supreme Audit Institutions (ASEANSAI) has recently

completed the long term training programme on ISSAIs implementation (2013 – 2018) on

financial risk-based audit which resulted in a creation of a pool of experts/trainers.

ii. SAI

The support and commitment of the Heads of SAIs are critical for the adoption of the risk-based

audit approach at the SAI level. To implement the approach, SAIs need to revise or

align their auditing guidelines or manuals. There should be structured and detailed

guidelines or manuals on risk-based audit planning. The SAIs should conduct their training

programmes on ISSAIs risk-based auditing. The exchange of knowledge and experiences

on the approaches of risk-based audit planning is useful for the auditors.

6.4 Limitations of Research

Some limitations should be considered when interpreting the results of this study. Firstly, the

results are based on 25 SAI respondents and thus limit the generalizability of the results to

the 48 ASOSAI member SAIs. Secondly, there is insufficient empirical study on the risk-based

audit planning practised in the public sector as compared to the private sector. This

limits the discussion of the findings. Thirdly, this study’s research method uses samples of

audit engagement among ASOSAI member countries in developing the risk-based audit

plans. Comparison with the private sector practices is not made due to time constraint.

Lastly, the accuracy of the responses given by the SAIs also affects the validity and reliability

of the study results.

6.5 Suggestions for Future Research

In spite of the limitations, this study’s findings provide evidence of the methods and practices

conducted by the SAIs in developing the risk-based audit plan for the financial, performance

and compliance audits. Future research is warranted to look into private sector practices in

developing the risk-based audit plan which can be emulated by ASOSAI member SAIs. The

research scope could be expanded to include the execution and implementation stages

besides the planning stage. Comparison with the practices of the internal auditors will assist

the public sector auditors to understand the risk-based audit approach and prepare the audit

plan.




Appendix 1

11th ASOSAI Research Project Survey Questionnaire

[The questionnaire is prepared to obtain information for developing Risk Based audit plan under ARP]

Background: As per ASOSAI Strategic Plan 2016 – 2021, the ASOSAI Secretariat, on the basis of a survey among SAIs of the region, has taken the topic “Methods for developing Risk-Based Audit Plan” as the 11th ASOSAI Research Project (ARP), as selected at the 49th Governing Board meeting held in Kuala Lumpur, Malaysia in February 2015.

In this regard, you are humbly requested to provide the following information:

I. Basic Information of your SAI;

II. Information pertaining to the preparation of audit plan (or risk-based audit plan);

III. How the internal control system and risk are being assessed; and

IV. Documentation in the preparation of Risk-Based audit plan

The information will be used in the research project that can be used by the auditors as reference in the preparation of a Risk-Based Audit Plan which may sufficiently increase the audit qualities given the low level or scarce resources.

Please submit the filled-in questionnaire to ___________ at_________ by________ (should be typewritten in English and prepared in Microsoft Word format).

Country of your SAI:

Name and Position of respondent:

I. Basic Information of your SAI

a) Establishment year:

b) Constitutional/Legal status:

c) Mandate (functions/responsibilities):

d) Type of SAI (Westminster, Judicial, or Board/Collegiate):


II. Information pertaining to the preparation of Audit Plan or Risk-Based Audit Plan (please tick in the answer boxes)

Questions | Answers: Yes / No / Not Applicable

1. Types of Audit Conducted and Audit Approach/Methodology

(a) What are the types of audit conducted by your SAI?

(i) Financial Audit

(ii) Performance Audit

(iii) Compliance Audit

(iv) Others (Please specify)

_________________________

_________________________

(b) Do you prepare separate Audit Plan for each type of audit conducted?

(c) What is the audit approach/methodology being adopted by your SAI?

(i) Risk-Based Audit Approach

(ii) Systems-Based Audit Approach

(iii) Others (Please specify)

_________________________

(d) If you adopt the risk-based audit approach, do you have a structured guideline for preparing a risk-based audit plan?

If yes, please describe the process briefly

(e) Do you use risk analysis for the preparation of the Audit Plan?

(f) Do you prepare a Planning memorandum for financial, compliance and performance audit?

If yes, please enumerate and describe briefly the contents of your planning memorandum


(g) Do you think the following benefits were achieved in preparing a Risk-Based Audit Plan? (As per paragraph 2 of ISSAI 1300)

(i) Helping the auditor to devote appropriate attention to important areas of the audit

(ii) Helping the auditor in identifying and resolving potential problems on a timely basis

(iii) Helping the auditor properly to organize and manage the audit engagement so that it is performed in an effective and efficient manner

(iv) Assisting in the selection of engagement team members with appropriate level of capabilities and competence to respond to anticipated risks, and the proper assignment of work to them

(v) Facilitating the direction and supervision of engagement team members and the review of their work

2. Preparing Audit Plan for Financial Audit

(a) Does your Audit Plan for financial audit include a description of the following:

(i) Nature, timing and extent of planned risk assessment procedures (ISSAI 1315)

(ii) Nature, timing and extent of planned further (substantive) audit procedures at the assertion level (ISSAI 1330)

(iii) Other planned audit procedures that are required to be carried out in compliance with other ISSAIs

(b) Do you perform the following steps in developing an audit plan for financial audit?

(i) Obtain an understanding of the entity and its environment, including the entity’s internal control

If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description). ___________________ ___________________


(ii) Using the understanding of the entity to identify and assess the risks of material misstatement at the financial statement and assertion levels (Risk Assessment)

If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description if needed). ___________________

(iii) Designing and implementing responses to these assessed risks of material misstatements

If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description if needed). ___________________ ___________________ ___________________

(iv) Identify specific procedures required for material financial statement areas

If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description if needed). ___________________ ___________________

(v) Determine what audit procedures and the extent of testing required

If the answer is Yes, please indicate the name and contents of the template/s used (You may use separate sheet of paper for description if needed). ___________________ ___________________

Please specify other steps not enumerated above (You may use separate sheet of paper for description if needed).

(vi)

____________________ _____________________ _____________________


3. Preparing Audit Plan for Performance Audit

(a) Do you perform the following steps in developing an audit plan for performance audit?

i. Understanding the audit topic and identifying problems in the area

ii. Selecting a focus for the audit – “the audit problem”

iii. Designing and planning the audit engagement

- Methodological planning (audit design)

- Administrative planning

iv. Please specify other steps not enumerated above (You may use separate sheet of paper for description if needed).

______________________________ _______________________________

(b) Does your Audit Plan for performance audit contain the following information?

i. Background knowledge and information needed to understand the entity to be audited.

ii. Initial assessment of the problem and risk, possible sources of evidence, auditability and the materiality or significance of the area considered for audit.

iii. Audit objective, questions or hypotheses, criteria, scope and period to be covered by the audit.

iv. Methodology, including techniques to be used for gathering evidence and conducting the audit analysis.

v. Overall activity plan which includes staffing requirements, i.e. sufficient competencies, human resources, and possible external expertise required for the audit

vi. Estimated cost of the audit, key project timeframes, milestones and the main control points of the audit


4. Preparing Audit Plan for Compliance Audit

(a) Do you perform the following steps in developing an audit plan for compliance audit?

i. Determine subject matter, criteria and scope of compliance audit

ii. Understand the entity

iii. Understand the control environment and internal control system

iv. Risk assessment of the subject matter/audited entity

v. Consideration of risks of fraud

vi. Determine reliance on internal controls

vii. Link identified risks to audit strategy (audit procedures)

viii. Please specify other steps not enumerated above (You may use separate sheet of paper for description if needed).

____________________ _____________________

(b) Does your Audit Plan for compliance audit contain the following information?

i. A description of identified criteria related to the scope and characteristics of the compliance audit and to the legal, regulatory or appropriations framework

ii. Description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria

iii. Description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments

5. Determining Materiality at Planning Stage

(a) Do you determine materiality in planning and performing the audit for:

i. Financial Audit

ii. Performance Audit

iii. Compliance Audit


III. Internal Control System and Risk Assessment

Questions | Answers: Yes / No / Remarks

a) Do you use the COSO Framework in understanding the entity’s internal control?

i. If the answer is No, please indicate the framework followed. (You may use separate sheet of paper for description if needed).

____________________________

b) Do you consider the following components in understanding/assessing the entity’s internal control?

(i) Control Environment

(ii) Risk Assessment

(iii) Control Activities

(iv) Information and Communication

(v) Monitoring Activities

c) Do you consider the assessment of the following risks in the preparation of the Audit Plan?

(i) Inherent Risk

(ii) Control Risk

(iii) Detection Risk


IV. Documentation (Contents/Elements of the Audit Plan)

[Audit planning documents contain an overall activity plan which includes staffing requirements i.e. sufficient competencies, human resources and possible external expertise required for the audit, an indication of the sound knowledge of the auditors according to the type of audit, background information of the auditee organization etc.]

1. Please enumerate the elements/contents of your Audit Plan for Financial Audit giving brief description of each element:

Your answer: (You may use separate sheet of paper for description if needed).

2. Please enumerate the elements/contents of your Audit Plan for Performance Audit giving brief description of each element:

Your answer: (You may use separate sheet of paper for description if needed).

3. Please enumerate the elements/contents of your Audit Plan for Compliance Audit giving brief description of each element:

Your answer: (You may use separate sheet of paper for description if needed).

4. If you have any other relevant comments regarding the whole issue, please specify below (You may use separate sheet of paper for description if needed).


Appendix 2

RESEARCH TEAM MEMBERS

NO. | COUNTRY | TEAM MEMBERS
1. | Bangladesh | Mr. Anisur Rahman
2. | Bangladesh | Mr. Gour Chandra Roy
3. | Indonesia | Mr. Endra Noviandy Sujadi
4. | Indonesia | Mr. Dedi Suprianto
5. | Iran | Mr. Hadi Favachi
6. | Iran | Mr. Abbas Ghaderiazad
7. | Iraq | Mr. Khalid Hussein Ali
8. | Iraq | Ms. Najah Suhail Abed
9. | Iraq | Mrs. Israa Ezziddeen Ali
10. | Kuwait | Ms. Eman E Kh A Alhuwaidi
11. | Kuwait | Mr. Abdullah Ahmed AlSubaie
12. | Kuwait | Mr. Talal Tareq Alwaheeb
13. | Malaysia (Chair) | Ms. Patimah Ramuji
14. | Malaysia (Chair) | Ms. Jannaatu ‘Adnin Maslan
15. | Malaysia (Chair) | Ms. Ivy K Yon
16. | Philippines | Ms. Sofia Cabides Gemora
17. | Philippines | Ms. Abigael Jamille Paraiso Julao
18. | Russia | Mr. Vadim Dubinkin
19. | Russia | Mr. Vladimir Kuleshov
20. | Russia | Mr. Mikhail Karev
21. | Russia | Mrs. Ekaterina Nikitina
22. | Saudi Arabia | Mr. Abdulrahman Mohammed
23. | Saudi Arabia | Mr. Mohammad Falah Al Wahby
24. | South Korea | Ms. Joo Yean Cho
25. | South Korea | Mr. Soowan Hong
26. | Vietnam | Mr. Nam Hoai Le
27. | Vietnam | Mr. Bach Xuan Do