4031 Develop and document an audit plan
Dec-2023

In This Section

Difference between audit strategy and plan

Starting, preparing and finalizing the audit plan

Risk assessment procedures

Planning procedures to address the risk of material misstatement at the assertion level

Planned direction, supervision and review as it relates to the audit plan

Documentation requirement

Difference between audit strategy and plan

CAS Guidance

The audit plan is more detailed than the overall audit strategy in that it includes the nature, timing and extent of audit procedures to be performed by engagement team members. Planning for these audit procedures takes place over the course of the audit as the audit plan for the engagement develops. For example, planning of the auditor’s risk assessment procedures occurs early in the audit process. However, planning the nature, timing and extent of specific further audit procedures depends on the outcome of those risk assessment procedures. In addition, the auditor may begin the execution of further audit procedures for some classes of transactions, account balances and disclosures before planning all remaining further audit procedures (CAS 300.A14).

OAG Guidance

For detailed guidance on developing the controls test plan see OAG Audit 7010. For detailed guidance on developing the substantive test plan see OAG Audit 7020. For detailed guidance on developing a test plan to respond to significant risks, see OAG Audit 4027.

Starting, preparing and finalizing the audit plan

OAG Guidance

Starting the audit plan

As we work through the various elements of the OAG Risk Assessment Process (see OAG Audit 5011 for more details), including identifying risks, relevant assertions and significant FSLIs, we can begin to develop the audit plan by determining tailored responses to the assessed risks of material misstatement. OAG Audit 5034 provides further guidance on our understanding of business processes.

Once we have identified the significant FSLIs, we begin the process of designing the audit procedures to obtain sufficient appropriate audit evidence to address the assessed risks of material misstatement at an assertion level. We document our testing strategy in respect of risks of material misstatement in the Audit Planning Template, and then develop the detailed audit plan for each significant FSLI in the Summary of Comfort by appropriately tailoring procedures to address the risks at the FSLI assertion level.

Preparation of the audit plan

We prepare the audit plan before we undertake any significant audit procedures (controls or substantive). The process of the audit plan preparation:

  • Commences as we work through the understand, identify and assess phases of the OAG Risk Assessment Process (OAG Audit 5011), including as we use our understanding of the entity, its environment and its systems of internal control to identify and assess risks of material misstatement.

  • Continues at the team planning meeting(s) when the engagement team further discusses the audit strategy and plan, including the nature, timing and extent of audit procedures to be performed to respond to identified risks of material misstatement.

  • Is refined as the engagement team performs further risk assessment activities, e.g., by finalizing our evaluation of the entity’s system of internal control.

  • Is agreed and reviewed as part of the planning sign-off. All planned controls and substantive testing procedures are documented in the audit file with appropriate tailoring before the planning sign-off procedure is prepared and reviewed since, by that time, the team manager and engagement leader need to be satisfied with the planned procedures.

Completing and reviewing the planning sign-off procedure “Engagement leader and team manager—Planning sign-off” provides evidence that the audit plan was prepared as part of the planning phase of the audit. There may be a need to revise the audit plan as the audit progresses; see the related guidance in OAG Audit 4051.

Finalization of the audit plan

The SoC sheet of the Audit Planning Template assists us in developing and finalizing the audit plan. For example, the SoC sheet allows us to conclude if the risks of material misstatement at an assertion level have been properly addressed. Updating the SoC sheet of the Audit Planning Template is done prior to the issuance of the audit report to reflect the actual audit procedures performed. The engagement leader reviews the finalized SoC sheet of the Audit Planning Template as part of the completion sign-off.

Risk assessment procedures

CAS Requirement

The auditor shall develop an audit plan that includes a description of the nature, timing and extent of planned risk assessment procedures, as determined under CAS 315 (CAS 300.9(b)).

CAS Guidance

Determining the nature, timing and extent of planned risk assessment procedures, and the further audit procedures, as they relate to disclosures is important in light of both the wide range of information and the level of detail that may be encompassed in those disclosures. Further, certain disclosures may contain information that is obtained from outside of the general ledger and subsidiary ledgers, which may also affect the assessed risks and the nature, timing and extent of audit procedures to address them (CAS 300.A15).

Consideration of disclosures early in the audit assists the auditor in giving appropriate attention to, and planning adequate time for, addressing disclosures in the same way as classes of transactions, events and account balances. Early consideration may also help the auditor to determine the effects on the audit of (CAS 300.A16):

  • Significant new or revised disclosures required as a result of changes in the entity’s environment, financial condition or activities (for example, a change in the required identification of segments and reporting of segment information arising from a significant business combination);

  • Significant new or revised disclosures arising from changes in the applicable financial reporting framework;

  • The need for the involvement of an auditor’s expert to assist with audit procedures related to particular disclosures (for example, disclosures related to pension or other retirement benefit obligations); and

  • Matters relating to disclosures that the auditor may wish to discuss with those charged with governance.

OAG Guidance

The risk assessment procedures required by CAS 315 Identifying and Assessing the Risks of Material Misstatement are performed and documented when executing specific planning procedure steps, e.g.:

  • performing risk assessment analytics,
  • making inquiries of management during client meetings, and
  • understanding the components of the entity’s system of internal control.

Documentation of the risk assessment procedures performed (as required by CAS 315.38) will address the requirement of CAS 300.9(b).

Related Guidance

Guidance on risk assessment procedures is included in OAG Audit 5011.

Guidance on documentation is included in OAG Audit 5011.

Planning procedures to address the risk of material misstatement at the assertion level

CAS Requirement

The auditor shall develop an audit plan that shall include a description of (CAS 300.9):

  1. the nature, timing and extent of planned further audit procedures at the assertion level, as determined under CAS 330.
  2. other planned audit procedures that are required to be carried out so that the engagement complies with CASs.

The auditor shall design and perform further audit procedures whose nature, timing, and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level (CAS 330.6).

CAS Guidance

The auditor’s assessment of the identified risks of material misstatement at the assertion level provides a basis for considering the appropriate audit approach for designing and performing further audit procedures. For example, the auditor may determine that (CAS 330.A4):

  1. Only by performing tests of controls may the auditor achieve an effective response to the assessed risk of material misstatement for a particular assertion.

  2. Performing only substantive procedures is appropriate for particular assertions and, therefore, the auditor excludes the effect of controls from the assessment of the risk of material misstatement. This may be because the auditor has not identified a risk for which substantive procedures alone cannot provide sufficient appropriate audit evidence and therefore is not required to test the operating effectiveness of controls. Therefore, the auditor may not plan to test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures; or

  3. A combined approach using both tests of controls and substantive procedures is an effective approach.

The auditor need not design and perform further audit procedures where the assessment of the risk of material misstatement is below the acceptably low level. However, as required by paragraph 18, irrespective of the approach selected and the assessed risk of material misstatement, the auditor designs and performs substantive procedures for each material class of transactions, account balance, and disclosure.

The nature of an audit procedure refers to its purpose (that is, test of controls or substantive procedure) and its type (that is, inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedure). The nature of the audit procedures is of most importance in responding to the assessed risks (CAS 330.A5).

Timing of an audit procedure refers to when it is performed, or the period or date to which the audit evidence applies (CAS 330.A6).

Extent of an audit procedure refers to the quantity to be performed, for example, a sample size or the number of observations of a control (CAS 330.A7).

Designing and performing further audit procedures whose nature, timing, and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level provides a clear linkage between the auditor’s further audit procedures and the risk assessment (CAS 330.A8).

Not all assertions within a material class of transactions, account balance or disclosure are required to be tested. Rather, in designing the substantive procedures to be performed, the auditor's consideration of the assertion(s) in which, if a misstatement were to occur, there is a reasonable possibility of the misstatement being material, may assist in identifying the appropriate nature, timing and extent of the procedures to be performed (CAS 330.A44).

OAG Guidance

Related Guidance

For further guidance on developing the controls test plan see OAG Audit 6050. For further guidance on developing the substantive test plan see OAG Audit 7010. For further guidance on developing a test plan to respond to significant risks, see OAG Audit 4027.

Planned direction, supervision and review as it relates to the audit plan

CAS Requirement

The auditor shall develop an audit plan that shall include a description of the nature, timing and extent of the planned direction and supervision of engagement team members and the review of their work (CAS 300.9(a)).

CAS Guidance

CAS 220 deals with the engagement partner's responsibility for the nature, timing and extent of direction and supervision of the members of the engagement team and the review of their work (CAS 300.A18).

The nature, timing and extent of the direction, supervision and review are required to be planned and performed in accordance with the firm's policies or procedures, as well as professional standards and applicable legal and regulatory requirements. For example, the firm's policies or procedures may include that (CAS 220.A94):

  • Work planned to be performed at an interim date is to be directed, supervised and reviewed at the same time as the performance of the procedures rather than at the end of the period, so that any necessary corrective action can be taken in a timely manner.
  • Certain matters are to be reviewed by the engagement partner and the firm may specify the circumstances or engagements in which such matters are expected to be reviewed.

OAG Guidance

CAS 220 requires that the engagement leader determines that the nature, timing and extent of direction and supervision of engagement team members and the review of their work is appropriately planned. Further, CAS 300 requires that our audit plan includes a description of the planned direction and supervision of engagement team members, and the review of their work.

This means that we need to develop and document a plan for direction, supervision and review, as part of our documentation of the audit plan, that reflects the specific engagement circumstances. Our audit files provide the functionality needed to facilitate the development and documentation of our plan for direction, supervision and review activities as follows:

  • The template Budget and Workload Allocation allows for the documentation of agreed roles and responsibilities.
  • TeamMate allows for the assignment of working papers to specific members of the audit team.
  • Progress of the engagement team can be monitored using Procedure Viewer and Signoff Status views in TeamMate.

As explained in CAS 220.A85, direction of the engagement team may involve more experienced members of the engagement team helping less experienced engagement team members to understand the objectives of the work to be performed and the detailed instructions regarding the nature, timing and extent of planned audit procedures as set forth in the audit strategy and plan.

Discussions at the team planning meeting, specifically in respect of the overall risk assessment, audit strategy and the assignment of preparer/reviewer responsibilities, relate to these topics as well. Refer to OAG Audit 4011 for further guidance related to team planning meeting(s).

Documentation requirement

CAS Requirement

The auditor shall include in the audit documentation the audit plan (CAS 300.12(b)).

The auditor shall include in the audit documentation:

  1. The overall responses to address the assessed risks of material misstatement at the financial statement level, and the nature, timing, and extent of the further audit procedures performed (CAS 330.28(a));
  2. The linkage of those procedures with the assessed risks at the assertion level (CAS 330.28(b)).

CAS Guidance

The documentation of the audit plan is a record of the planned nature, timing and extent of risk assessment procedures and further audit procedures at the assertion level in response to the assessed risks. It also serves as a record of the proper planning of the audit procedures that can be reviewed and approved prior to their performance. The auditor may use standard audit programs or audit completion checklists, tailored as needed to reflect the particular engagement circumstances (CAS 300.A20).

The form and extent of audit documentation is a matter of professional judgment, and is influenced by the nature, size and complexity of the entity and its system of internal control, availability of information from the entity and the audit methodology and technology used in the audit (CAS 330.A65).

OAG Guidance

We use the Audit Planning Template to document the audit plan for the engagement during the planning phase of the engagement. The audit plan for the FSLIs or business processes can then be viewed in the SoC sheets. SoC sheets set out the testing strategy for the assessed risks in the form of our expected levels of controls reliance and planned level of substantive evidence, and reflect the detailed planned audit responses for the assessed risk (i.e., the specific controls we intend to test for operating effectiveness, as well as the planned nature, timing and extent for both tests of controls and substantive procedures).

The team manager evidences their review of the audit plan by marking the Audit Planning Template as reviewed. The engagement leader evidences their review of the audit plan as part of planning sign-off. Refer to OAG Audit 4041 for further guidance on planning sign-off.