[section separator="true"]
[section-item 9]
[row]
[column 12]
[toc-this]
Principles
Audit procedures are designed by the auditor, in order to:
- carry out an appropriate audit test, at the right time and covering the right period;
- obtain sufficient, relevant and reliable audit evidence; and
- reach the appropriate confidence level to support audit conclusions.
Instructions
Elements to consider
Audit procedures, which aim to obtain the required assurance in the most cost-effective way, are designed on the basis of the knowledge acquired by the auditor and should take into account important aspects, such as materiality and risk .
Contents of an audit procedure
An audit procedure should include the following elements:
- the audit objective(s) of the procedure and/or audit test(s);
- the output expected from the procedure;
- the assertion, rule, regulation, or requirement to be addressed;
- the assessed risk;
- the related key control(s);
- the audit step(s): evidence to obtain, work to perform, type of procedure to use (enquiry, re-performance, etc), documents to obtain, staff to interview, etc.;
- the audit conclusion on the test’s objective(s) or, in the event of a negative conclusion, further possible testing or impact on the audit approach and related audit procedures.
How to design audit procedures
When designing audit procedures, the auditor should determine
1. Audit approach
The audit approach may consist of:
a reliance or systems-based approach: Tests of controls are undertaken in those instances where the preliminary assessment has indicated that controls are excellent or good, supported by substantive procedures; or
a substantive approach. Substantive procedures are employed where the preliminary assessment shows controls to be poor, or where testing shows that the controls have not operated continuously and effectively during the period being audited, or where controls (even if deemed to be good or excellent) are not tested (whether due to lack of resources, expertise, etc.)
Materiality, together with the auditor’s assessment of inherent risk and his/her preliminary evaluation of internal control, provide the basis for the appropriate audit approach. The combined assessment of inherent risk and evaluation of internal control helps to determine the nature and extent of the audit procedures to be designed and performed. In practice, ECA relies primarily on its direct testing of transactions.
Irrespective of the audit approach selected, the auditor should always design and perform substantive procedures. No matter how strong the controls are found to be, some substantive procedures need to be carried out due to the risk of management override of controls, collusion, etc.
Where the preliminary assessment of control risk is high, the auditor should not rely on systems but may test the controls to support findings to be reported to management or the [a-glossary term="Discharge%20authority"]discharge authority[/a-glossary]
concerning system weaknesses.
ECA's deadlines for issuing compliance audit opinions regarding the legality and regularity of the underlying transactions, as set out in the [link new-window title="Financial%20Regulation" link="https%3A%2F%2Feur-lex.europa.eu%2Flegal-content%2FEN%2FTXT%2F%3Furi%3DCELEX%3A32018R1046%23258" icon="external-link" /]
, make it difficult to follow the traditional audit process. In this context, the same transactions may be used for both tests of controls and tests of details ("dual purpose tests"). In such cases, the auditor considers whether the audit results are consistent with the audit hypothesis and whether additional audit procedures need to be performed.
2. Level of assurance to be derived from audit procedures
The 95% assurance generally required from ECA's audit tests may be derived mostly from controls, or mostly or entirely from substantive procedures, depending on the auditor's assessment of both inherent and control risk.
3. Nature of audit procedures (how and where to obtain required evidence)
The nature of audit procedures refers to their:
purpose: tests of controls or substantive procedures (including tests of details and analytical procedures) and
type, i.e. analytical procedures, inspection, observation; enquiry (including confirmation), computation, and re-performance.
The auditor selects the audit procedure that is most appropriate in order to reduce the assessed audit risk to an acceptably low level. The auditor should exercise his professional judgement to select the procedures, by considering the objectives of the test (i.e. the assertions to cover), the nature of the population, the assessed risk and the level of reliance on internal controls.
4. Timing of audit procedures
Timing refers to time at which the audit procedures are performed or the period or date to which the audit evidence applies. When considering the timing of audit procedures, the auditor also considers the following elements:
the relevant internal controls in place;
the time at which relevant information is available;
the nature of the risk (e.g. cut-off);
specific times where the risk is increased, e.g. peaks of activity, absence of or changes in key personnel, system updates, etc.
The auditor may perform tests of control or substantive procedures at a certain date or period (interim date) or at period end. Certain audit procedures can be performed only at or after period end, e.g. agreeing the financial statements to the accounting records for reliability audits. The higher the risk, the more effective it is to perform substantive procedures nearer to, or at, period end rather than at an earlier date.
Performing audit procedures before period end may help to identify significant matters at an early stage of the audit, and consequently resolve them with the assistance of management or develop an effective audit approach to address them. If the auditor performs tests of controls or substantive procedures prior to period end, (s)he should obtain additional evidence for the remaining period.
5. Extent of audit procedures
The auditor decides on the extent of an audit procedure, i.e. the quantity to test, based on:
the materiality level and assessed risk;
the degree of assurance the auditor plans to obtain;
the most appropriate sampling technique for the audit procedure;
the use of Computer-Assisted Audit Techniques (CAATs), which may enable more extensive testing of electronic transactions and account files.
The auditor usually increases the extent of an audit procedure as the risk of material misstatement or non-compliance increases. Minimum sample sizes for 2% materiality and 95% assurance are set out in the assurance model.
6. Design efficient audit procedures
The auditor ensures that there is a clear link between the risk assessment, the evaluation of internal control, and the nature, timing and extent of audit procedures. Audit procedures, which should be derived from the audit approach and thus be consistent with it, reflect the decision taken by the auditor as to whether or not to rely on internal controls and the extent of substantive procedures.
The auditor should design mutually exclusive and collectively exhaustive audit steps and audit procedures. The audit steps within an audit procedure must be mutually exclusive, meaning that the objectives are different from one another and do not overlap. At the same time, the full range of relevant objectives for the audited area must together be comprehensive in order to gather the evidence needed and cover the related assertion. In this sense, they are collectively exhaustive.
Lastly, audit procedures should be specific. In order to maximise efficiency, the auditor can coordinate similar audit procedures. For audit procedures that involve sampling, the auditor can perform numerous tests on the same sample (multipurpose testing), including testing controls, e.g. the auditor can test the amount and test the controls for that area/account.
All auditors performing audit procedures should understand how each individual section links to the overall audit approach and contributes to the overall audit assurance to be reached for the audit.
[/toc-this]
[/column]
[/row]
[/section-item]
[section-item 3]
[row]
[column 12]
[panel panel-style="boxed" title="Related%20documents" icon="book" class="ref-panel"]
[standards]
[link new-window title="ISA%20330" link="https%3a%2f%2fwww.ifac.org%2fsystem%2ffiles%2fpublications%2ffiles%2fIAASB-2020-Handbook-Volume-1.pdf%23INTERNATIONAL%2520STANDARD%2520ON%2520AUDITING%2520330" /]
[/standards]
[rules]
[link new-window title="Art%20258%20FR" link="https%3A%2F%2Feur-lex.europa.eu%2Flegal-content%2FEN%2FTXT%2F%3Furi%3DCELEX%3A32018R1046%23258" /]
[/rules]
[/panel]
[/column]
[/row]
[row]
[column 12][/column]
[/row]
[row]
[column 12]
[toc fixed="true" selectors="h2%2Ch3" class="basic-toc" /]
[/column]
[/row]
[/section-item]
[/section]
