4021 Establish an audit strategy
Apr-2018

Overview

This section explains:

  • The requirement to establish the overall audit strategy for the engagement
  • Key considerations when establishing the audit strategy

This topic deals with CAS requirements and related guidance in respect of CAS 300. OAG Audit 4022 explains key stages in developing strategy in OAG Audit, how our planning procedure steps guide teams through the process, and where the various elements of the audit strategy will be documented in our audit files.

Establish an audit strategy

CAS Requirement

The auditor shall establish an overall audit strategy that sets the scope, timing and direction of the audit, and that guides the development of the audit plan (CAS 300.7).

CAS Guidance

Once the overall audit strategy has been established, an audit plan can be developed to address the various matters identified in the overall audit strategy, taking into account the need to achieve the audit objectives through the efficient use of the auditor’s resources. The establishment of the overall audit strategy and the detailed audit plan are not necessarily discrete or sequential processes, but are closely inter-related since changes in one may result in consequential changes to the other (CAS 300.A12).

OAG Guidance

Audit Tip

The continual and iterative nature of the process allows the engagement team to regularly update its knowledge of the business objectives and goals of the entity, demonstrating to the entity such objectives and goals remain top‑of‑mind with the engagement team. Consider creating an audit calendar that maps out what touch points occur each month to keep the engagement top‑of‑mind all year round.

Characteristics of the engagement

CAS Requirement

In establishing the overall audit strategy, the auditor shall consider the information obtained from complying with the requirements of CAS 220 and identify the characteristics of the engagement that define its scope (CAS 300.8(a)).

CAS Guidance

Examples of matters the auditor may consider include (CAS 300.Appendix):

  • The financial reporting framework on which the financial information to be audited has been prepared, including any need for reconciliations to another financial reporting framework.

  • Industry-specific reporting requirements such as reports mandated by industry regulators.

  • The expected audit scope, including the components at which audit work is expected to be performed for the purposes of a group audit, and the extent to which component auditors will be involved.

  • The nature of the control relationships between a parent and its entities or business units that determine how the group is to be consolidated.

  • The nature of the business segments to be audited, including the need for specialized knowledge.

  • The reporting currency to be used, including any need for currency translation for the financial information audited.

  • The requirement for an audit of financial statements for statutory, regulatory or other reasons in addition to audit work performed for the purposes of the group audit.

  • Whether the entity has an internal audit function, and if so, whether, in which areas, and to what extent the work of the function can be used, or internal auditors can be used to provide direct assistance, for purposes of the audit.

  • The entity’s use of service organizations and how the auditor may obtain evidence concerning the design or operation of controls performed by them.

  • The expected use of audit evidence obtained in previous audits, for example, audit evidence related to risk assessment procedures and tests of controls.

  • The effect of information technology on the audit procedures, including the availability of data and the expected use of computer-assisted audit techniques.

  • The coordination of the expected coverage and timing of the audit work with any reviews of interim financial information and the effect on the audit of the information obtained during such reviews.

  • The availability of client personnel and data.

Ascertain reporting objectives

CAS Requirement

In establishing the overall audit strategy, the auditor shall consider the information obtained from complying with the requirements of CAS 220 and ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the communications required (CAS 300.8(b)).

CAS Guidance

Examples of matters the auditor may consider include (CAS 300.Appendix):

  • The entity’s timetable for reporting, such as at interim and final stages.

  • The organization of meetings with management and those charged with governance to discuss the nature, timing and extent of the audit work (OAG Audit 2214).

  • The discussion with management and those charged with governance regarding the expected type and timing of reports to be issued and other communications, both written and oral, including the auditor’s report, management letters and communications to those charged with governance.

  • The discussion with management regarding the expected communications on the status of audit work throughout the engagement.

  • Communication with component auditors regarding the expected types and timing of communications in connection with the audit work performed for the purposes of the group audit.

  • The expected nature and timing of communications among engagement team members, including the nature and timing of team meetings and timing of the review of audit work performed.

  • Whether there are any other expected communications with third parties, including any statutory or contractual reporting responsibilities arising from the audit.

OAG Guidance

Engagement teams use the Audit Timetable Template to help plan the timing of the audit.

Audit Tip

Understanding the upcoming internal and external deadlines associated with the audit will allow the engagement team to anticipate issues related to deadlines and timing and recommend appropriate actions, thus exceeding the client’s expectations for responsiveness.

Factors significant to directing the team’s efforts

CAS Requirement

In establishing the overall audit strategy, the auditor shall consider the information obtained from complying with the requirements of CAS 220 and consider the factors that, in the auditor’s professional judgment, are significant in directing the engagement team’s efforts (CAS 300.8(c)).

CAS Guidance

Examples of matters the auditor may consider include (CAS 300.Appendix):

  • The determination of materiality in accordance with CAS 320 and, where applicable:

    • The determination of component performance materiality and communication thereof to component auditors in accordance with CAS 600;
    • The initial expectations about the classes of transactions, account balances and disclosures that may be significant.
  • Preliminary identification of areas where there may be a higher risk of material misstatement.

  • The impact of the assessed risk of material misstatement at the overall financial statement level on direction, supervision and review.

  • The manner in which the auditor emphasizes to engagement team members the need to maintain a questioning mind and to exercise professional skepticism in gathering and evaluating audit evidence.

  • Results of previous audits that involved evaluating the operating effectiveness of internal control, including the nature of identified deficiencies and action taken to address them.

  • The discussion of matters that may affect the audit with firm personnel responsible for performing other services to the entity.

  • Evidence of management’s commitment to the design, implementation and maintenance of sound internal control, including evidence of appropriate documentation of such internal control.

  • Changes within the applicable financial reporting framework, such as changes in accounting standards, which may involve significant new or revised disclosures.

  • Volume of transactions, which may determine whether it is more efficient for the auditor to rely on internal control.

  • Importance attached to internal control throughout the entity to the successful operation of the business.

  • The process(es) management uses to identify and prepare the disclosures required by the applicable financial reporting framework, including disclosures containing information that is obtained from outside of the general and subsidiary ledgers.

  • Significant business developments affecting the entity, including changes in information technology and business processes, changes in key management, and acquisitions, mergers and divestments.

  • Significant industry developments such as changes in industry regulations and new reporting requirements.

  • Other significant relevant developments, such as changes in the legal environment affecting the entity.

Results of preliminary activities and knowledge gained from previous and other engagements

CAS Requirement

In establishing the overall audit strategy, the auditor shall consider the information obtained from complying with the requirements of CAS 220 and consider the results of preliminary engagement activities and, where applicable, whether knowledge gained on other engagements performed by the engagement partner for the entity is relevant (CAS 300.8(d)).

OAG Guidance

Developing the audit strategy involves the engagement leader and manager using their cumulative knowledge and updated understanding of the entity and its industry, reviewing results of risk assessment analytics and assessment of going concern, reviewing management’s risk assessment and considering other risks to make a preliminary risk assessment from the top-down and establish the expected audit approach. Strategic planning does not have to be a lengthy or detailed exercise, but rather a concentrated effort whereby the most experienced members of the engagement team, the engagement leader and manager, provide overall direction on the audit approach specific to the entity circumstances.

Nature, timing and extent of resources

CAS Requirement

In establishing the overall audit strategy, the auditor shall consider the information obtained from complying with the requirements of CAS 220 and ascertain the nature, timing and extent of resources necessary to perform the engagement (CAS 300.8(e)).

CAS Guidance

The process of establishing the overall audit strategy, subject to the completion of the auditor’s risk assessment procedures, may include such matters as (CAS 300.A9):

  • The nature of resources (human, technological or intellectual) to be deployed for specific audit areas. For example, the deployment of experienced team members for high risk areas or the assignment of experts to address complex matters.

  • The amount of resources to be allocated to specific audit areas. For example, the number of team members assigned to attend the physical inventory count at multiple locations, the extent of review of other auditors’ work in the case of group audits, or the audit budget in hours to allocate to high risk areas.

  • When these resources are to be deployed, such as whether at an interim audit stage or at key cut-off dates.

  • How such resources are directed, supervised or used. For example, when team briefing and debriefing meetings are expected to be held, how engagement partner and manager reviews are expected to take place (for example, on-site or off-site).

Examples of matters the auditor may consider include (CAS 300.Appendix):

  • The human, technological and intellectual resources assigned or made available to the engagement (e.g., assignment of the engagement team and the assignment of audit work to the team members, including the assignment of appropriately experienced team members to areas where there may be higher risks of material misstatement).

  • Engagement budgeting, including considering the appropriate amount of time to set aside for areas where there may be higher risks of material misstatement.

OAG Guidance

Audit Tip

Early consideration of the resources required and to be deployed on the engagement facilitates alignment of individual and team performance goals with key skills and the client service plan.

Considerations specific to smaller entities

CAS Guidance

In audits of small entities, the entire audit may be conducted by a very small engagement team. Many audits of small entities involve the engagement partner (who may be a sole practitioner) working with one engagement team member (or without any engagement team members). With a smaller team, coordination of, and communication between, team members are easier. Establishing the overall audit strategy for the audit of a small entity need not be a complex or time‑consuming exercise; it varies according to the size of the entity, the complexity of the audit, and the size of the engagement team. For example, a brief memorandum prepared at the completion of the previous audit, based on a review of the working papers and highlighting issues identified in the audit just completed, updated in the current period based on discussions with the owner-manager, can serve as the documented audit strategy for the current audit engagement if it covers the matters noted in paragraph 8 (CAS 300.A13).

OAG Guidance

For the audits of smaller entities, engagement leaders apply their professional judgement in determining the appropriate coordination and communication among team members and documentation of the audit strategy.