Audit Planning
What are the stages of the audit process?
During the audit process, the activities of the auditor can be grouped into four stages. These are as follows:
• Accepting the engagement and arrangement
• Audit planning
• Performing audit procedures, and
• Reporting of findings.
Why was the traditional approach in auditing abandoned at the beginning of the 2000s?
At the beginning of the 2000s, with the emergence of large-scale financial scandals (Enron and Worldcom in the US, Parmalat in Italy, and Imar Bank in Turkey), the traditional approach to auditing was abandoned and a “risk-based” approach began to be adopted.
What are the stages of a Risk-based approach?
In the risk-based approach, the audit process consists of three stages (also referred to as the 3R Audit):
- Risk Assessment,
- Responding to the risk, and
- Reporting
What does the Turkish Commercial Code (TCC) say about the audit process?
In Turkey, according to the Turkish Commercial Code (TCC), an auditor/audit firm should be chosen in the company’s general assembly. The auditor must be determined for each operating cycle and before the operating cycle ends. If the auditor is not appointed by the 4th month of the operating cycle by the company’s general assembly, the appointment of the auditor is made by the court upon the application of the relevant persons.
What is the main purpose of Client's Business Evaluation and what are some questions that should be asked during this preliminary examination for client acceptance?
In practice, the audit firms determine the risk level of their clients (such as low risk, medium risk, high risk) with the tests they developed and decide whether to accept and continue the audit accordingly. The main questions that should be asked during this preliminary examination for client acceptance are:
- For which purpose the audit service is requested and the expectations from the audit?
- Is a client’s business operating in a risky sector?
- Who are the people / partners responsible for management?
- The financial situation of the business?
- Whether financial statements are prepared in accordance with the financial reporting framework?
- Whether it is a public company or a company whose activities are in the public eye?
- The image (reputation) of the company’s executives and partners in the market?
- The lawyer and other consultants they work with?
- Whether there is a suspicion of management’s integrity?
- Whether there is a corporate governance approach in the company?
- Significant litigation (lawsuit) in progress?
- Possibility to encounter any limitations during the audit work.
The auditor investigates the new client, its position in the sector, its financial position, and the integrity of its managers and owners, as far as possible from various sources, such as bank managers. Within the scope of the investigation, the successor auditor may meet with the predecessor auditor. Due to the principle of client secrecy, the predecessor auditor may provide information about the client’s business by obtaining permission from the client. The auditor evaluates the situation in which the client does not give the predecessor auditor permission or, if permission is given, the matters that the predecessor auditor discloses.
What are the ethical evaluations an audit firm should make before accepting a client's auditing?
The audit firm should consider its own business risk when accepting the proposal. The business risk (for audit firms or auditors) is the possibility of loss of professional reputation of the audit firm or auditor due to acceptance of the audit engagement. The main points that should be considered during the evaluations by the audit firm are listed below.
- Ensuring compliance with the conditions required by law (such as independence)
- Adequacy of resources and employees’ skills,
- Ability to prepare the audit report to the specified date,
- Considering the conflicts that will occur if the offer is received from the current client,
- A careful approach to proposals, such as using the work of other auditors.
What are the main points that should be included in an engagement letter, according to the International Standards of Auditing?
According to the International Standards of Auditing (ISA), an audit engagement letter must be created between the audit firm and the client to solidify the audit arrangement. The main points to be included in the audit engagement letter are listed below:
- Purpose of the arrangement and audit period,
- The responsibility of the business management regarding the financial statements,
- Financial reporting standards taken as the basis when preparing financial statements,
- Auditing standards to be complied with by the auditors and scope of the audit,
- Other report types to be prepared as per the arrangement at the end of the audit process,
- Audit fee (such as billing, compensation conditions),
- Assistance to be provided by client business personnel in obtaining records and documents,
- No restrictions on the work of the auditor,
- The completion date of the audit and the delivery date of the report,
- The complaint procedure if the client is not satisfied with the service provided.
What is the difference between audit strategy and audit plan?
The audit strategy is a general approach to the audit engagement, which is the specification of the detailed audit plan, the scope and performance of the audit. The audit plan regulates specific audit procedures such as risk assessment and details of the structure, scope and timing of the work that will help the auditor to form an opinion.
What are the matters that should be considered in the creation of an audit strategy?
The matters to be considered in the creation of audit strategy are:
a. Scope of the engagement: Specific features of the sector, financial reporting framework, places to visit, utilization of the internal auditor’s work, the impact of information technologies, relations with group companies.
b. Audit schedule and communication structure: Reporting times of the client business, meeting times with business representatives and team members, meetings between the team members and third parties.
c. Identification of important factors related to the audit: the level of materiality, high-risk areas, internal control, the auditor’s professional skepticism, the results of previous audits, and the provision of other services.
What does the audit plan include?
The auditor creates the audit plan in accordance with the audit strategy. The plan includes risk assessment procedures, structure, time, and scope of further audit procedures. Adequate audit plans help the auditor in the following matters.
- To draw attention to important areas in auditing,
- Solving the problem of time pressure,
- Management and organization of the audit in accordance with the audit engagement,
- To determine the audit team appropriately,
- Supervision and direction of team members and to be able to observe their work,
- Coordination of communication with people to be contacted in the client business and external experts.
What should the auditor especially learn about and take into account if the client is new?
- The sector and the environment of the business (market share, suppliers, customers, etc.),
- The sector’s economic conditions and whether the entity is vulnerable to industry specific policy and practice changes,
- Goods and services produced in the entity, its centers, branches, and features of their activities (such as production and marketing methods),
- Regulatory institutions and reports submitted concerning the client,
- Accounting policies and compliance of the business with these policies,
- Last financial position and performance of the business,
- The business’s internal control system,
- Legal regulations affecting the business,
- Business activities and business processes,
- Management structure of the business, key personnel,
- Performance evaluation and information processing systems of the entity,
- Whether the business has affiliates and subsidiaries.
How can the auditor identify client’s business and fraud risk?
The auditor should try to identify and assess business risks and fraud risks that will lead to material misstatement risks in the financial statements. When evaluating the client’s business risk, the auditor should always consider the possibility of the client not reaching its business objectives. Many factors, both internal and external, can affect the business risk. Today, the factors that threaten businesses the most are rapidly developing technology and wrong investment and financing policies. Businesses that fail to adapt to technological change and increased competition cannot achieve their goals, so they may prefer to hide their failures in financial statements. Business risks can be classified in a variety of ways, such as financial, operational and compliance risks, internal and external risks, controllable or uncontrollable risks.
Fraud risk can be assessed in the context of an account item, a transaction cycle, a specific auditing goal, or all of the audit work. For example, if a very high profitability target is desired from senior management, this may affect all of the audit work. The auditor should consider fraud risk throughout the entire audit work, including the planning phase. Frauds in businesses are classified into three groups: misappropriation of assets (also called employee fraud), fraudulent financial reporting, and corruption. In the process of understanding the client’s business, the auditor tries to recognize the relationship of business and fraud risks with the financial statements and the measures taken by the management (internal controls) against such risks. The auditor meets with business managers and employees, makes observations, and uses analytical review procedures.
What are Analytical Review Procedures (ARP)?
Analytical Review Procedures are the evaluation studies conducted to investigate the logical relationship between the financial and nonfinancial data, including the comparison of the auditor’s expectations and the amounts recorded in the business.
What are the objectives of the auditor to benefit from Analytical Review Procedures (ARPs)?
The objectives of the auditor to benefit from ARPs are:
• To understand the business and the sector in which it operates,
• To evaluate the sustainability (continuity) of the business,
• Attracting management’s attention to expected misstatements,
• To reduce the number of detailed tests.
How can auditors test their expectations regarding the company by making use of the information acquired from previous years, the budgets prepared by the company and non-financial information?
The auditor tests his expectations regarding the company by the methods listed below:
• Comparing business data with industry data,
• Comparing the current period data of the business with the previous period,
• Comparing the business data with the expected results (budget figures) determined by the business,
• Comparing business data with expected results determined by the auditor,
• Comparing the data of the business with expected results by making use of non-financial data, such as comparing workers’ wages and expenses with the number of employees.
What considerations should an audit firm make when forming the audit teams?
According to ISA, it is obligatory to form an audit team consisting of six persons, at least three originals and three backups, for each audit work. Therefore, each audit is carried out by a team of auditors. The size of this team is determined according to the number and quality required by the job, and it cannot be less than three auditors. In order to increase the effectiveness of the audit, it is very important to assign an appropriate audit team that knows the client’s business and the sector in which it operates. It is necessary to select the audit team and create an audit work schedule. During the audit, external experts (outside the audit field) can be appointed if needed. In this case, the auditor needs to know the specialist’s qualifications and whether there is a relationship with the client’s business.
What is an audit risk?
Audit risk (AR) is the possibility of encountering significant misstatements in the financial statements, although the audit has been completed and an unqualified opinion is issued. AR also indicates the level of confidence of an audit. For example, if AR is 2%, the confidence level of the audit is 98%.
What are the components of Audit Risk?
There are three different types of risks. These are a) Inherent Risk (IR), b) Control Risk (CR) and c) Detection Risk (DR). Audit risk is found by multiplying these three types of risk probabilities. The auditor may determine AR at the level of the account balance and at the level of financial statement (the overall level).
Which formula does an auditor use to calculate the Audit Risk and to determine the detection risk?

What are the main factors that the auditor will consider in inherent risk assessment?
Inherent Risk is the evaluation of the probability of material misstatements in an account balance or a class of transaction, regardless of the effectiveness of the internal control structure. In the assessment of inherent risk, the sensitivity of financial statements to material misstatements is evaluated. The main factors that the auditor will consider in inherent risk assessment at an overall level are:
• The structure of the client’s business (whether it is an affiliate or a subsidiary),
• Factors related to errors arising from corruption in financial reports,
• Results of the previous audit,
• Unusual transaction (non-routine operations),
• Whether the audit has been carried out for the first time,
• Related parties,
• Suspected misappropriation of assets,
• Structuring of sampling
What is Control Risk?
Control Risk is a function of the effectiveness of the internal control designed for financial reporting. It is the auditor’s assessment of the probability of failure in the client’s business internal controls to prevent or reveal the misstatements in an account balance or class of transaction that exceed the acceptable limit. If the client does not have an effective internal control system, the auditor will evaluate CR at a high level (100%) and plan the audit accordingly. Effective internal controls reduce control risk. However, they can never eliminate CR because internal controls cannot give absolute assurance due to the “human” factor.
What is Detection Risk or Planned Detection Risk?
The probability that an auditor misses misstatements in the financial statements of the client’s business with the collected audit evidence (regarding the account balances) is called “Detection Risk” or “Planned Detection Risk”. The auditor tries to determine the real level of DR by paying attention to the following points:
- Appropriate planning, guidance, surveillance, and inspection,
- Determining the structure, scope, and time of the audit procedures correctly,
- Performing audit procedures effectively and evaluating the results.
What is the relationship between risk components?
There are various levels of inherent risks in businesses. Internal controls are created in the business to reduce those risks to an acceptable level. The lower the CR, the lower the remaining risk for the auditor. DR is a function of the effectiveness of supportive audit procedures (tests) to be performed by the auditor. DR is affected by the other two types of risk, and there is an inversely proportional relationship between DR and the other two types of risk. If the auditor wants to keep AR at a low level when CR and IR are high, DR should be determined very low. In order to reduce detection risk, the auditor should obtain sufficient evidence with sufficient tests so that the auditor can indirectly reduce the audit risk. If CR and IR are evaluated too high, DR will be determined to be quite low. There is also an inverse relationship between the amount of evidence the auditor will need and the target audit risk. If the targeted audit risk is low, the auditor needs to collect more evidence.
What is materiality in accounting and what is the role of the auditor regarding materiality?
Materiality in accounting: “If hiding or misrepresenting information can affect users who will make their economic decisions using financial statements, that information is material. In order to decide whether there is materiality in cases of lack or inaccuracy of the information, it is necessary to look at the size of the item that was provided incorrectly or not provided at all”. The auditor should try to reveal not all misstatements but the material misstatements that may affect the financial statements, and correct them. If the client business is not willing to correct mistakes, the auditor should express his opinion accordingly in the audit report.
What is materiality at the financial statement level?
In financial statements, misstatements may be made individually or in total for purposes such as not complying with standards, hiding the truth, or avoiding disclosing necessary information. Since it will affect the audit procedures to be applied, the level of materiality must be determined correctly. Materiality judgment is assessed based on both the amount and nature of the misstatements. When deciding whether the sum of an item is important or not, it is necessary to compare the amount with the balance sheet or income statement items.
What are some possible problems an auditor may encounter when assessing materiality at the account balance level?
In order to collect evidence, the auditor should set a materiality limit for each account balance. At this stage, there are three main types of difficulties the auditor may encounter. These are:
• The auditor may expect more misstatements in some accounts than others,
• The auditor should consider both kinds of abnormality: values lower and higher than they should be,
• Relatively, the cost of audit also has an impact on the materiality judgment.
In response to the assessed risks, the auditor may set a lower level than the preliminary materiality level to design further audit procedures and evaluate the risks of material misstatement. Therefore, there is an inverse relationship between the level of materiality and the amount of evidence to be collected. For example, as the materiality limit decreases in sales invoices, it will be necessary to examine more invoices.
How is control different from audit?
Control, unlike the concept of audit, has the power to influence events, activities, and people. The main differences between control and audit are:
- Control is an issue that comes before the audit and should be considered more broadly.
- While control is a continuous activity, the audit is carried out in a certain period.
- While the control is carried out simultaneously, the audit is retroactive.
- While mechanical tools can be used in the control, the audit is carried out by people.
- While it is not necessary to be independent of the company in the control, independence is essential in the audit.
Risks are evaluated according to changing conditions in the enterprise and precautions are taken against them. These precautions are called controls, and the system consisting of controls is called the Internal Control System (ICS). Therefore, ICS is the response of business management to risk.
How is internal control defined by the COSO (The Committee of Sponsoring Organizations of the Treadway Commission) report?
Disclosures related to internal control are included in the COSO (The Committee of Sponsoring Organizations of the Treadway Commission) report. According to the definition of COSO:
• Internal control is a process (it has an end, but it is not an end in itself)
• Internal control is influenced by people (Internal control is not only a document or form, it is influenced by employees at all levels in the organization)
• Internal control provides reasonable assurance to the management of the business.
• Internal control is concerned with achieving goals in separate but overlapping groups.
What are the components of internal control as it is outlined in the COSO report and how do these components relate to internal control?
In the COSO report, internal control consists of five parts: Control environment, Risk assessment, Control activities, Information and communication and Monitoring activities.
Control Environment: The control environment consists of actions, policies, and procedures that reflect the attitudes of the senior managers, managers, and partners regarding the internal control system and importance given to it. The control environment has a widespread effect. The culture and history of the organization directly affect the control environment. The control environment penetrates all areas of the organization and affects individual internal control approaches.
Risk Assessment: All organizations face risks that threaten the achievement of their targets. All internal and external risks should be evaluated. Internal controls help reduce risks in achieving the goals set in a business but do not eliminate all risks. The auditor collects information on how management assesses risks specifically for financial reporting, through questionnaires and interviews.
Control Activities: These are the actions taken by management and other parties to increase the probability of achieving the business objectives and to reduce risks. Control activities, or simply controls, are present at all levels of the business. Some common control activities are segregation of duties; performance reviews, job-tracking activities; authorization; information technologies access controls; certification; access to assets; information technology application control activities; and independent verifications (reconciliation).
Information and communication: The main purpose of an enterprise’s accounting information and communication system is to ensure that the responsibility for initiating, executing, recording, and reporting transactions is maintained. Internal reporting is essential for effective ICS. It can also provide critical information about the functionality of controls in communication with third parties (such as customers, suppliers, service providers, regulators, auditors, partners).
Monitoring activities: Monitoring is the process of evaluating the performance quality of the system over time. These are carried out in the form of continuous monitoring activities or periodic evaluations, or a combination of both. The quality of the internal control performance should be monitored continuously or at certain time intervals in order to determine whether the controls operate according to the purpose of the management and what needs to be done according to dynamic conditions.
What is the most common approach used by the auditor to become familiar with ICS and CR (control risk) assessment?
The most common approach used by the auditor is as follows:
- To discover the control environment, risk assessment procedures, accounting information and communication system, monitoring methods as detailed as possible,
- To get familiarized with the specific controls that reduce CR, and
- To test the effectiveness of the controls.
The auditor can only conclude that the client entity “has low CR” after the third stage. The auditor documents the collected information in three ways: a. Story-Taking (Note-Taking) Method, b. Flow Chart, c. Internal Control Survey Form.
What are tests of control and why are they important for auditing?
The procedures performed to support the low-valued CR level and test the effectiveness of the controls are called “Test of Controls (TC)”. In particular, the auditor needs to determine whether controls are being used effectively. If TC results support controls as expected, the auditor will continue to use the same CR level. However, if the auditor finds out that the controls were not implemented effectively, the CR level should be reevaluated. The methods used by the auditor to learn the effectiveness of internal controls are: interviewing the operating personnel in the appropriate position, examining documents, reports, and records, observing control activities, and re-performing business procedures.