This article teaches you how to develop your audit strategy and audit plan. In the last few posts, we’ve explored the risk assessment process. Now it’s time to link your risk assessment work to your audit strategy and plan.
AU-C 300 states, “The objective of the auditor is to plan the audit so that it will be performed in an effective manner.” We also desire—though not an objective of the audit standards—to plan for efficiency, so the engagement is profitable.
Audit Strategy and Plan
To be in compliance with audit standards, you need to develop:
- Your audit strategy
- Your audit plan
Developing Your Audit Strategy
What’s in the audit strategy? AU-C 300.08 states that the audit strategy should include the following:
- The characteristics of the engagement (these define its scope)
- The reporting objectives (these affect the timing of the audit and the nature of the reports to be provided)
- The significant factors (these determine what the audit team will do)
- The results of preliminary engagement activities (these inform the auditor’s actions)
- Whether knowledge gained on other engagements is relevant (these potentially provide additional insight)
Also, consider the resources necessary to perform the engagement.
Think of the audit strategy as the big picture. You are documenting:
- The scope (the boundaries of the work)
- The objectives (what the deliverables are)
- The significant factors (e.g., is this a new or complex entity?)
- The risk assessment (what are the risk areas?)
- The planned resources (e.g., the engagement team)
Strategy for Walking on the Moon
When NASA planned to put a man on the moon, they—I am sure—created a strategy for Apollo 11. It could have read as follows:
We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas.
The strategy led to Neil Armstrong’s historic walk on July 20, 1969.
Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).
Did NASA perform any risk assessments before creating its strategy and plans? You bet. The lives of Neil Armstrong, Michael Collins, and Buzz Aldrin counted on it. So, the Agency took every precaution. NASA used the risks to define the project details—what we call our audit plan (or audit program). As with all projects, you must know your risks before you develop your plan. Doing so led to “one small step for man, one giant leap for mankind,” and—more importantly—the return of three brave astronauts. In a word: Success.
What’s in an Audit Strategy?
The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.
My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.
Here are the main areas we cover:
- Deliverables and deadlines
- A time budget
- The audit team
- Key client contacts
- New accounting standards affecting the audit
- Problems encountered in the prior year
- Anticipated challenges in the current year
- Partner directions regarding key risk areas
- References to work papers addressing risk
Who Creates the Audit Strategy?
Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so.
Audit Strategy as the Central Document
If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project.
Audit Plan (or Audit Program)
Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit?
- Performed risk assessment procedures
- Developed our audit strategy
Now it’s time to create the audit plan.
The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls.
Creating the Audit Program
How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.
Sufficient Audit Steps
How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). Audit steps should address all high and moderate RMMs.
Integrating Risk Assessment with the Audit Program
How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.
AU-C 330.18 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.
Creating Efficiency in the Audit Plan
Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts.
Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures.
For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.
There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. Now it’s time to execute our audit program.
Stay with me. In my upcoming posts, I will delve into the details of auditing by transaction areas. What specific steps should an auditor perform for cash, receivables, payables—for example? In the coming weeks, I will share with you audit approaches for significant transaction cycles. Subscribe below to ensure you don’t miss out.
To see my earlier posts in this series, click here.