Anda di halaman 1dari 40

www.pwc.co.

uk

Audit planning
takeaway
Time to Learn 2014

Audit planning takeaway

Table of Contents
Independence ............................................................................................................................................... 4
New audit clients ..................................................................................................................................... 4
Managements processes around non-audit fees .................................................................................. 4
Required assessments and consultation ................................................................................................ 4
Impact of non-audit services ...................................................................................................................5
Role of Service Delivery Centres in AFSs................................................................................................5
Communications with those charged with governance .........................................................................5
Rotation tracking..................................................................................................................................... 6
Consulting with independence ............................................................................................................... 6
Guidance .................................................................................................................................................. 8
Related parties .............................................................................................................................................. 9
Financial reporting framework requirements ....................................................................................... 9
Obtaining a list of related parties ........................................................................................................... 9
Completeness..........................................................................................................................................10
Our risk assessment ...............................................................................................................................10
Communications within the team ......................................................................................................... 11
Professional scepticism..........................................................................................................................12
Representation letter .............................................................................................................................12
Completion procedures..........................................................................................................................12
Communications with management and those charged with governance .........................................12
Updates to EGAs ....................................................................................................................................12
Fraud ............................................................................................................................................................13
Fraud discussions and risk assessment ................................................................................................13
Unpredictable procedures .....................................................................................................................14
Journals ..................................................................................................................................................16
Responding to identified fraud..............................................................................................................19
And finally .......................................................................................................................................... 20
Laws and regulations...................................................................................................................................21
ISA (UK&I) requirements ......................................................................................................................21
What does this mean in practice? .........................................................................................................21
Bribery Act 2010 and Transparency International ............................................................................. 22
Required communications.................................................................................................................... 23
Audit opinion......................................................................................................................................... 23

Time to Learn 2014


PwC

Page 2 of 40

Audit planning takeaway

Materiality................................................................................................................................................... 24
Overall materiality ................................................................................................................................ 24
Performance materiality ....................................................................................................................... 25
De Minimis SUM posting level..............................................................................................................27
Disaggregating materiality ....................................................................................................................27
Materiality in a group audit context..................................................................................................... 28
Reassessing materiality at the final audit ............................................................................................ 29
Reporting to those charged with governance ...................................................................................... 29
Other planning reminders.......................................................................................................................... 30
Planning top tips ................................................................................................................................... 30
Risk assessment..................................................................................................................................... 30
ISA (UK&I) 700..................................................................................................................................... 33
Internal audit......................................................................................................................................... 33
Use of ISAE 3402 controls reports on service organisations ............................................................. 34
Audit of tax ............................................................................................................................................ 34
Estimates ............................................................................................................................................... 34
Confirmations........................................................................................................................................ 35
Referred reporting audit engagements and letterbox audits ............................................................ 35
Group and component audits............................................................................................................... 36
Planning sign-off ................................................................................................................................... 38
Significant matters ................................................................................................................................ 38

Time to Learn 2014


PwC

Page 3 of 40

Audit planning takeaway

Independence
New audit clients
As a result of increased tendering activity in the marketplace, we are seeing a greater number of
proposals and first year audits. This brings about specific independence challenges, and independence
is also a hot topic with our regulators. Engagement teams need to consider non-audit services
previously provided to those entities for which we are proposing for the audit, to ensure that we can
accept the audit if we are appointed. As many are aware, another large audit firm accepted an audit
appointment and had to decline after discovering what were now impermissible services being
provided, causing embarrassment for the entity and the audit firm.
For new audit engagements, non-audit and audit related services are identified by the Relationship
Checking team.
The articulation of the rationale as to why non-audit services previously provided do not impair our
independence, and what safeguards are in place, is absolutely critical and needs to be clearly
documented on the audit file.
Managements processes around non-audit fees
As part of our consideration of independence, and where appropriate, we should understand the
systems and controls management have in place in order to monitor non-audit services provided.
Engagement teams confirm that management have followed these procedures and seek evidence to
corroborate this. If management have robust procedures in place, then we may be able to place some
reliance on these processes.
Required assessments and consultation
Ethical Standards state that a self-interest threat exists when the auditor has financial or other
interests which might cause the auditor to be reluctant to take actions that would be adverse to the
interests of the audit firm or any individual in a position to influence the conduct or outcome of the
audit. In relation to non-audit services, the main self-interest threat concerns fees and economic
dependence and these are addressed in APB Ethical Standard 4.
Where substantial fees are regularly generated from the provision of non-audit services, and the fees
for non-audit services are greater than the annual audit fees, it could be perceived as a loss of our
independence. In these instances, the audit engagement partner considers whether the engagements
giving rise to the substantial fees were:

audit related services;


provided on a contingent fee basis;
consistent with the engagements undertaken in previous years, and fees received on a
consistent basis to previous years;
in the case of a group, disproportionate in relation to any individual group entity;
unusual in size but unlikely to recur; and/or
of such a size and nature that a reasonable and informed third party would be concerned at
the effect that such engagements would have on the objectivity and independence of the
engagement team.

Having made that assessment, the audit engagement partner determines whether the threats to
independence from the level of non-audit fees are at an acceptable level (or can be reduced to an
acceptable level by putting in place appropriate safeguards).
For listed entities, where the fees for non-audit services for a financial year are expected to be greater
than the annual audit fee, the engagement team consults formally with the UK Ethics Partner
(currently Bill Morgan) before the ratio has exceeded 1:1 and, as soon as he/she considers that the
ratio will be exceeded. As this is a consultation under ISA (UK&I) 230, it is required to be
appropriately documented in the file.
For non-listed entities where the non-audit fees are expected to exceed the audit fees, the engagement
leader may also consult with the Ethics Partner if they deem it necessary or useful, although this is not
required.

Time to Learn 2014


PwC

Page 4 of 40

Audit planning takeaway

Impact of non-audit services


Engagement teams need to better assess the impact that non-audit services can have on their
independence. This needs to be an ongoing exercise throughout the audit, and is not to be regarded
solely as a planning or completion activity.
Recent internal and external reviews have identified more complex independence issues that have
developed over a number of years. It is therefore critical that the engagement team understand
enough about the nature of the services that are being performed to be able to make a proper
assessment of threats to their independence and whether the safeguards which have been put in place
remain adequate.
For example, consider the following set of circumstances:

before tendering for the audit, we assist management by building a model to forecast the
companys business;
the auditors review the model as part of their normal audit procedures;
having won the audit, we continue to support the client through its expansion, including
providing assistance to the client in updating the functionality of the forecasting model;
the client encounters some financial difficulties and we are asked by management to update
the forecasting models functionality; and
management use the forecasting model to support going concern, impairment and deferred
tax asset recovery calculations that we subsequently audit.

Does this cause an independence issue?


It is worth taking a step back and considering the non-audit services as a whole (especially those that
are delivered in different phases). Individually, these services might not present an issue, but when
considered as a whole, the team might come to a different conclusion and the threats and safeguards
applicable might also differ.
Role of Service Delivery Centres in AFSs
An engagement team may request the Service Delivery Centre (SDC) to assist with monitoring and
checking the completeness of AFSs that are received from component or other teams. It is important
to note that when performing the completeness checks, the SDC solely checks that all boxes have been
completed. In other words, they do not assess whether what has been written is correct, whether the
right threats have been identified, or whether the right safeguards have been put in place. The SDC
may also prepare a fee summary report which reflects actual billings for services compared to
estimated fees per the AFS request forms, if the engagement team requests this.
Communications with those charged with governance
Communications required by ISAs (UK&I) and UK Ethical Standards
ISAs (UK&I) state that:
In the case of listed entities, the auditor shall communicate to those charged with governance:
(a) A statement that the engagement team and others in the firm as appropriate, the firm and,
when applicable, network firms have complied with relevant ethical requirements regarding
independence; and
(b) (i) All relationships and other matters between the firm, network firms, and the entity that, in
the auditor's professional judgement, may reasonably be thought to bear on independence.
This shall include total fees charged during the period covered by the financial statements for
audit and non-audit services provided by the firm and network firms to the entity and
components controlled by the entity. These fees shall be allocated to categories that are
appropriate to assist those charged with governance in assessing the effect of services on the
independence of the auditor; and
(ii) The related safeguards that have been applied to eliminate identified threats to
independence or reduce them to an acceptable level.

Time to Learn 2014


PwC

Page 5 of 40

Audit planning takeaway

In the case of listed entities, UK Ethical Standards require that:


'The audit engagement partner shall ensure that those charged with the governance of the audit client
are appropriately informed on a timely basis of all significant facts and matters that bear upon the
auditors objectivity and independence.'
The audit engagement partner shall ensure that the audit committee, or those charged with
governance, of a listed entity is provided with:

a written disclosure of relationships that bear on the auditors objectivity and independence,
any safeguards that are in place and details of non-audit services provided to the audited
entity and the fees charged in relation thereto;
written confirmation that the auditor is independent;
details of any inconsistencies between UK Ethical Standards and the companys policy for the
supply of non-audit services by the audit firm and any apparent breach of that policy; and
an opportunity to discuss auditor independence issues.

For all unlisted entities, written communication of these matters is considered best practice, but is not
required. Reporting to an unlisted entity can be done either in writing or verbally providing that if the
latter option is chosen then full details of the conversation with those charged with governance (i.e.
when, with whom and what was discussed) is documented on the audit file.
Communication required by change to International Ethics Standards Board for
Accountants Code of Ethics
The International Ethics Standards Board for Accountants (IESBA) have made changes to their Code
of Ethics which has an impact on the way we respond to breaches of external independence
requirements. The change came into effect on 1 April 2014. This change impacts PwC because of the
networks commitment to follow the IESBA Code of Ethics even though these changes have yet to be
incorporated into the UK Ethical Standards.
The change to the IESBA Code of Ethics now requires the auditor to report all breaches of external
independence rules (i.e. any breaches of UK Ethical Standards, SEC and PCAOB rules, or the IESBA
Code of Ethics) to those charged with governance as soon as possible, unless the firm has agreed a
protocol with those charged with governance in respect of less significant breaches.
As soon as possible is intended to allow the firm reasonable time to investigate the matter and
conduct an evaluation of the significance of the breach but also means without undue delay. It is not
intended to mean immediately. Therefore, audit teams are strongly recommended to engage with
their clients to establish whether they will require all breaches to be reported as soon as possible, or
whether less significant breaches, such as personal independence breaches not relating to members of
the audit team, can be reported on a periodic basis.
Rotation tracking
Remember to keep rotation tracking up to date and reflective of the current team. HPC and other
internal reviews regularly find inaccuracies and/or omissions. Remember to also include Key Audit
Partners, which needs to include overseas engagement leaders of subsidiary entities if they relate to a
significant component.
Consulting with independence
Taking on a new PIE client, or a non-PIE client becomes a PIE
Taking on a new PIE client, or an existing client becoming a PIE are only two situations when
consultation is required. You also need to consult in the following situations (amongst others):

contingent fee arrangements;


significant unpaid fees;
non-audit fees exceed (or are likely to exceed) the audit fee for listed companies;
independence breaches have been identified;
when the Assurance engagement partner or member of the chain of command is considering
employment with the Assurance client
where a listed company is in distress and restructuring services are proposed to be provided.

Time to Learn 2014


PwC

Page 6 of 40

Audit planning takeaway

Contingent fees
Where a contingent fee arrangement exists, the non-audit service team is required to include
Compliance Independence as an approver on the AFS form, as well as the engagement leader. If
engagement teams receive an AFS for a contingent fee arrangement and Compliance Independence
hasnt been included as an approver, the AFS should be sent back to the non-audit service team to be
amended.
The Independence team will feed back the outcome of the independence analysis to the audit team
and the team carrying out the work. This may include details of the safeguards required to maintain
our independence, which may include review of key audit judgements and work by ARQ where
appropriate.
Unpaid fees
Audit fees
Prior year audit fees should be agreed before the appointment for the next year is accepted. This fee
should have been paid before any significant work is done in the current year.
Non-audit fees
Where fees for professional services are overdue, and the amount cant be regarded as trivial, consult
with the Independence and Ethics Team. Theres currently no definition of trivial in this context. The
engagement team will use their judgement to decide the level of unpaid fees that are deemed
acceptable based on the individual circumstances. The team needs to be satisfied that the client will
eventually pay and to consider whether theres a legitimate reason fees have not yet been received.
Independence breaches
For all clients in the UK, the Independence and Ethics Team will provide details to the UK audit
engagement leader of all personal independence breaches of Ethical Standards and SEC rules in
respect of:

members of the UK audit engagement team;


any other partner in the firm;
the UK firm;
those in the UK who are in a position to influence the conduct and outcome of the audit; and
for SEC audit clients in the UK, those individuals who are covered persons for the client,
which the Independence and Ethics team are aware of as a result of the annual independence
confirmation process or through other matters reported to them. If the Independence and
Ethics Team does not contact the team, then there are no matters to report.

If the Independence and Ethics Team becomes aware of a significant independence breach during the
year, then the engagement leader will be informed immediately.
Considering employment with an Assurance client
If the Assurance engagement partner or member of the Assurance engagement team is considering
employment with the Assurance client, then they are removed from the engagement immediately.
They do not re-join the engagement until any negotiations have come to an end.
If a member of the chain of command is considering employment with the Assurance client, then the
Independence and Ethics Team would inform the Assurance engagement team, as needed, and
discussions would take place before considering whether this could be accepted.
In all the above instances, consultation with the Independence and Ethics Team is strongly
recommended.
Please refer to section 5.18 of the UK Independence Policy for further guidance.

Time to Learn 2014


PwC

Page 7 of 40

Audit planning takeaway

Entities in distress
There is a partial prohibition on restructuring services for listed clients and their significant affiliates
where the company is in distress. The permissible services are limited to:

preliminary general advice;


assistance with immaterial elements of the overall restructuring plan;
challenging, but not developing, the projections and assumptions used in a financial model;
reporting on a restructuring plan in connection with an investment circular; and
any service specifically permitted by a regulatory body with oversight of the audit client.

Due to the complexities involved, a xLoS acceptance panel is required. This includes representatives
from Consulting Risk and Quality and Assurance Risk and Quality, as well as from Compliance.
Compliance Consultation System (CCS)
CCS is a tool that helps you to consult with, or make enquiries to, the Independence and Ethics Team
on all matters affecting independence. The system acts as a repository for all independence enquiries
and consultations.
A consultation is a query which needs to be agreed and documented with the Independence and Ethics
Team in respect of a client specific set of facts and circumstances.
Remember that if you submit an independence query to Assurance Risk and Quality using IGLO, then
you will be directed to re-log the query on CCS.
Guidance
GAAS requirements:

ISA (UK&I) 220.11 Engagement partner conclusion on compliance with independence


requirements
ISA (UK&I) 260.17 Communication with those charged with governance Auditor
Independence

PwC UK Independence Policy:

PwC UKIP Section 4 Engagement Management and Engagement Team Responsibilities:


o 4.9 Accepting a Non-Audit Engagement for an Existing Audit Client
PwC UKIP Section 5 Individual Financial Interests and Relationships
PwC UKIP Section 6 Member Firm Financial and Business Relationships:
o 6.8 Contingent Fees and Related Matters
o 6.9 Commissions and Fees for Referrals
PwC UKIP Section 7 Non-Assurance Services
PwC UKIP Section 9 Member Firm Processes and Controls

APB Ethical Standards:

ES 1 Integrity, objectivity and independence


ES 4 Fees, remuneration and evaluation policies, litigation, gifts and hospitality Fees (para.
5-43)
ES 5 Non-audit services provided to audit entities

Audit Guide:

2500 Use of a Service Delivery Centre (SDC)


3030 Independence
3060 Engagement team

UK guidance documents from the Independence site

Time to Learn 2014


PwC

Page 8 of 40

Audit planning takeaway

Related parties
Financial reporting framework requirements
In the UK, most of the entities we audit have a legal obligation to prepare financial statements in
accordance with an accounting framework, the most common being IFRS as adopted by the European
Union, UK GAAP and US GAAP. All these accounting frameworks establish related party
requirements. If the entity does not identify its related parties, then it is unable to identify related
party transactions and assess whether disclosure is required. Consequently, the financial statements
may not comply with the relevant accounting framework or legal requirements.
We have a responsibility to perform audit procedures to identify, assess and respond to the risk of
material misstatement arising from the entitys failure to appropriately account for, or disclose,
related party relationships, transactions or balances in accordance with the requirements of the
framework to be able to conclude whether the financial statements achieve a fair presentation (for fair
presentation frameworks) or are not misleading (for compliance frameworks). If we do not have a list
of related parties, then it is difficult to meet the requirements of ISAs (UK&I).
Therefore, in order to meet our responsibilities as auditors, we need to obtain a comprehensive list of
related parties, and related party transactions from management.
Obtaining a list of related parties
ISA (UK&I) 550 requires the auditor to enquire of management regarding:
(a) the identity of the entity's related parties, including changes from the prior period;
(b) the nature of the relationships between the entity and these related parties; and
(c) whether the entity entered into any transactions with these related parties during the period
and, if so, the type and purpose of the transactions.
Some entities, particularly the larger more sophisticated entities, may have systems to record, process
and summarise related party relationships and transactions to enable the entity to meet the
accounting and disclosure requirements of the framework and, hence, management is therefore likely
to have a comprehensive list of related parties and changes from the prior period.
Where this is not the case, which will be the case for the majority of entities, we consider the following
points:

the entitys ownership and governance structures;


types of investment that the entity is making, and plans to make;
the way in which the entity is structured and how it is financed; and
the individuals that constitute key management.

Discussing who the related parties of the entity are is often a sensitive matter with management being
reluctant to provide, sometimes for understandable reasons, details of who the related parties are
(especially in the area of connected persons, which could include the names of children and other
close relatives). We have therefore developed a new pro forma letter on related parties to assist teams.
The letter, which is intended to be sent to the entity at the planning phase of the audit, will:

explain why we have sent the letter;


explain what related parties are under the entitys accounting framework (e.g. IFRS as
adopted by the European Union, UK GAAP, US GAAP); and
clarify the auditors responsibilities around related parties.

We should include a list of all potential categories of related parties under the reporting framework to
assist the entity in identifying related parties in the entity or group. The list will be signed off by a
director as being complete to the best of their knowledge and provided to us for the purpose of the
audit at the planning stage.

Time to Learn 2014


PwC

Page 9 of 40

Audit planning takeaway

We need to be mindful of concerns the entity may have in disclosing some information such as the
names of directors children. We have had situations where a 16 year-old child has been working for
the entity as their sole source of income, which has meant that the transaction has become
disclosable, or where the wife has provided all the catering for business meetings. Conversely, it is
highly unlikely that a three month old baby is going to be transacting with the entity, or in control of
an entity which is a related party. The letter will help to deal with such concerns.
Our discussions with management and those charged with governance in respect of related parties
and related party transactions are documented in full on the audit file.
Completeness
Once we have a list of related parties we need to perform procedures to identify whether that list is
complete. During the planning phase of the audit, we inspect a number of documents as part of our
risk assessment procedures. Reviewing such documents will act as a test for completeness over the
related parties' listing. ISAs (UK&I) require us to look at the following documents:

bank and legal confirmations;


minutes of the meetings of shareholders, and those charged with governance; and
such other records or documents as we consider necessary.

Such other records/documents could include:

payroll listings, accounts receivable and accounts payable listings for similarly named
individuals and entities;
other relevant statutory records such as the register of directors' interests (for information
about material transactions authorised or discussed at their meetings);
filings with, and other information supplied to, the relevant authorities/regulatory agencies
(including tax returns);
prior year working papers;
correspondence and invoices from law firms; and
documents detailing the names of officers and trustees of pension or similar plans.

In addition, other available sources of information, including external data and internet searches,
such as Google, can be used to identify the names of related parties and other businesses in which
officers and directors have ownership interests or hold directorship or management positions (e.g.
Boardex reports).
We also consider the extent and nature of business transacted with major customers, suppliers,
borrowers and lenders.
Our risk assessment
Many related party transactions are in the normal course of business. In such circumstances, they may
carry no higher risk of material misstatement to the financial statements than similar transactions
with unrelated parties. However, the nature of related party relationships and transactions may, in
some circumstances, give rise to higher risks of material misstatement to the financial statements than
transactions with unrelated parties. For example:

Related parties may operate through an extensive and complex range of relationships and
structures, with a corresponding increase in the complexity of related party transactions.
Information systems may be ineffective at identifying or summarising transactions and
outstanding balances between an entity and its related parties.
Related party transactions may not be conducted under normal market terms and conditions;
for example, some related party transactions may be conducted with no exchange of
consideration.

Significant related party transactions outside the entitys normal course of the business give rise to a
significant risk.
During the audit, we also need to remain alert when inspecting records and documents for
arrangements, or other information, that may indicate the existence of related party relationships or
transactions that management has not previously identified or disclosed to us.

Time to Learn 2014


PwC

Page 10 of 40

Audit planning takeaway

If we identify fraud risk factors when performing the risk assessment procedures on related parties,
including circumstances relating to the existence of a related party with dominant influence, we link
this to the appropriate fraud risk and appropriately articulate the rationale on the file together with
documenting our response to that fraud risk.
All the discussions around related parties with management, those charged with governance and
internally amongst the team and with component auditors (in group situations) are documented in
full on the audit file. Sufficient involvement from the engagement leader is expected in this area.
Be aware of the possibility that transactions with related parties may have been motivated solely, or in
large measure, by conditions similar to the following:

lack of sufficient working capital or credit to continue the business;


an urgent desire for a continued favourable earnings record in the hope of supporting the
price of the company's stock;
an overly optimistic earnings forecast;
dependence on one, or relatively few, products, customers, or transactions for the continuing
success of the venture;
a declining industry characterised by a large number of business failures;
excess capacity;
significant litigation, especially litigation between stockholders and management; and
significant obsolescence dangers because the company is in a high-tech industry.

Transactions that because of their nature may be indicative of the existence of related parties include:

borrowing or lending on an interest-free basis or at a rate of interest significantly above or


below market rates prevailing at the time of the transaction;
selling real estate at a price that differs significantly from its appraised value;
exchanging property for similar property in a nonmonetary transaction; and
making loans with no scheduled terms for when, or how, the funds will be repaid.

Finally, if management has made an assertion in the financial statements to the effect that a related
party transaction was made on an arms length basis, then we need to obtain sufficient audit evidence
that this is the case. This is because management need to substantiate that assertion. Management's
support for the assertion may include:

comparing the terms of the related party transaction to those of an identical or similar
transaction with one or more unrelated parties;
engaging an external expert to determine a market value and to confirm market terms and
conditions for the transaction; and/or
comparing the terms of the transaction to known market terms for broadly similar
transactions on an open market.

As ever, remain professionally sceptical when auditing this information, utilising industry knowledge
and verifying the source of the data used in their assertion. Also, evaluate the reasonableness of
significant assumptions on which the assertion has been based.
Communications within the team
Remember that as part of our team fraud discussions, we discuss the risks associated with related
parties, and related party transactions, and specifically whether any fraud risks exist. This discussion
provides the opportunity to communicate the details of who the related parties are and any related
party transactions of which we are already aware. Any team member who could not attend the
meeting is briefed separately and that briefing evidenced on the audit file.
In the context of a group audit, ISA (UK&I) 600 requires the group engagement team to provide each
component auditor with a list of related parties prepared by group management and any other related
parties of which the group engagement team is aware. Obtaining the list from the client and
undertaking completeness procedures will enable a list to be provided to component auditors.

Time to Learn 2014


PwC

Page 11 of 40

Audit planning takeaway

Professional scepticism
Being sceptical and thinking about fraud risks is essential in auditing related parties and related party
transactions. For example, team members need to take a wider view and consider the commercial
rationale for any transactions (i.e. Why is this transaction taking place? What is the purpose of the
transaction? Why has it been structured in the way it has? Does the transaction make sense?) and
whether they have been conducted at arm's length. It is important to have an understanding of the
industry so as to be able to identify any unusual transactions, based on price, nature, terms, etc.
Have any team members identified transactions during their audit work which indicate that related
parties might be involved that are not on the list? Are the entitys controls sufficient to identify and
monitor relationships and transactions?
Representation letter
We have updated the representation letter in respect of related parties such that the list of related
parties provided by the client at planning, plus any subsequent updates, is attached to the letter and
those charged with governance confirm that it is a complete list in respect of the period audited.
Completion procedures
The following procedures are performed upon completion:

obtain a representation that management has disclosed the identity of related parties,
relationships and transactions of which they are aware and that related parties and
transactions have been appropriately accounted for and disclosed this representation
incorporates the list of related parties provided by the client;
communicate significant related party matters arising during the audit to those charged with
governance unless all of them are involved in its management;
check that the accounting for, and disclosure of, related parties and related party transactions
are appropriate.
consider the implications of the findings from work performed on related parties and related
party transactions for the audit opinion.

Communications with management and those charged with governance


We may identify a number of matters that we want to communicate to management. For example, a
lack of controls to monitor related parties, or transactions with related parties that have not been
appropriately authorised.
There are a number of matters that, if identified, we are required to communicate to those charged
with governance. These include, but are not limited to:

non-disclosure of related parties by management;


significant related party transactions that have not been appropriately authorised and
approved;
disagreements with management regarding accounting and disclosure of related party
transactions;
non-compliance with applicable law or regulations; and
difficulties in identifying related parties.

Updates to EGAs
We have enhanced the planning EGA Understand related parties to include:

sending the letter to the client to obtain a list of related parties;


performing completeness procedures over that list; and
documenting procedures you will take to refresh the list throughout the audit

We have also enhanced the related parties procedure in the completion activities EGA Update
preliminary assessment of fraud, going concern, laws and regulations, related parties, accounting
estimates and other assertion level risks to confirm that the list of related parties has been updated.

Time to Learn 2014


PwC

Page 12 of 40

Audit planning takeaway

Fraud
Fraud discussions and risk assessment
PwC Audit 5503 states that the engagement leader (i.e. the individual who is the signing engagement
leader if aspects of the engagement leader role have been delegated) uses professional judgement,
prior experience with the entity, and knowledge of current developments to determine which other
members of the engagement team are included in the fraud discussion. The discussion will include
participation by most, if not all, engagement team members including:

the engagement leader;


all other engagement and quality review partners (if applicable);
other members of the engagement team, including managers and staff;
any forensic specialists, where heightened risk exists; and
key members from other relevant lines of service (Tax, Risk Assurance, Consulting, Deals,
etc.).

The engagement leader will need to ensure that any members of the team who could not attend the
team fraud discussion are appropriately briefed and that evidence of those briefings is also retained on
the audit file.
The team fraud discussion includes, as a minimum, the following:

the identification and assessment of fraud risk factors, examples of which can be found at
PwC Audit 5502;
the identification of the potential risks of material misstatement due to fraud (which includes
both the misappropriation of assets and fraudulent financial reporting); and
the planned audit approach in response to the risks identified, including the planned
approach to journals testing and unpredictable procedures and how both of these procedures
address the fraud risks identified.

The discussion may include such matters as:

an exchange of ideas amongst engagement team members about how and where they believe
the entitys financial statements may be susceptible to material misstatement due to fraud,
how management could perpetrate and conceal fraudulent financial reporting, and how assets
of the entity could be misappropriated;
a consideration of circumstances that might be indicative of earnings management and the
practices that might be followed by management to manage earnings that could lead to
fraudulent financial reporting;
a consideration of the known external and internal factors affecting the entity that may create
an incentive or pressure for management or others to commit fraud, provide the opportunity
for fraud to be perpetrated, and indicate a culture or environment that enables management
or others to rationalise committing fraud;
a consideration of managements involvement in overseeing employees with access to cash or
other assets susceptible to misappropriation;
a consideration of any unusual or unexplained changes in behaviour or lifestyle of
management or employees which have come to the attention of the engagement team;
an emphasis on the importance of maintaining a proper state of mind throughout the audit
regarding the potential for material misstatement due to fraud;
a consideration of the types of circumstances that, if encountered, might indicate the
possibility of fraud;
a consideration of how an element of unpredictability will be incorporated into the nature,
timing and extent of the audit procedures to be performed;
a consideration of the audit procedures that might be selected to respond to the susceptibility
of the entitys financial statements to material misstatement due to fraud and whether certain
types of audit procedures are more effective than others;
a consideration of any allegations of fraud that have come to the auditors attention; and
a consideration of the risk of management override of controls.

Time to Learn 2014


PwC

Page 13 of 40

Audit planning takeaway

But the discussion would ordinarily also cover:

review with the entire team of any fraud risk conditions identified in the acceptance and
continuance process;
qualitative and quantitative factors to be considered in assessing risk of fraud;
the need for professional scepticism at all times and sufficient appropriate audit evidence to
support the audit opinion;
determination of specific procedures to be conducted as part of the audit to address any fraud
risks identified in this meeting, including determination of the use of fraud experts, and the
plan for reviewing results with engagement leadership;
discussion of evidential fraud risk factors to be aware of at all times during the audit (for
examples of evidential risk factors see PwC Audit 5502);
the importance of the tone at the top;
the need to assess the risk of fraud at each stage of the audit and for engagement team
members to communicate about the risks of material misstatement due to fraud;
a discussion regarding fraud and new issues arising since the date of the last audit that may
potentially affect the entity (such discussion may include recent frauds in the industry in
which the company operates).

Our fraud discussions may also usefully consider fraud schemes that could occur given the entitys
control system. Fraud schemes are numerous and will vary from industry to industry. However,
thinking about potential schemes will put us in the best position to design audit procedures. See PwC
Audit 5504 for related guidance.
The Aura file clearly evidences that the engagement leader led the team discussions on fraud.
It is expected that teams are specific with their fraud discussions and identify where, and how, a fraud
could be perpetrated. As noted earlier, teams consider both misappropriation of assets and fraudulent
financial reporting at the FSLI or even transaction level.
To date we have focussed on fraud discussions within the team but remember to also hold fraud
discussions with:

management and those charged with governance, including the audit committee where one
exists; and
internal audit, where such a function exists (including where the function is outsourced by the
entity).

These discussions also need to be documented together with how any fraud risks identified have been
responded to.
Finally, it is important that the various discussions lead to action on our part and that this is
evidenced. ARQ see files where the discussion has happened, but there is no linkage to what was
agreed as needing to be done to address the fraud risks identified. Therefore, it is critical to link the
fraud risks identified from our discussions to the procedures to be performed which address them.
Unpredictable procedures
We need to incorporate an element of unpredictability in the nature, timing and extent of audit
procedures in order to respond to an assessed risk of material misstatement due to fraud at the
financial statement level. It is this connection between a specific fraud risk and an unpredictable
procedure that teams often omit and simply perform an unpredictable procedure for the sake of it.
Remember that the whole point of performing such procedures is to address a specific fraud risk.
Unpredictable procedures are important, because management may be familiar with audit procedures
normally performed by us and hence they may be more able to conceal fraud in the areas which they
think would not be tested by us, either in the way we test them, or when we test them. Incorporating
unpredictability throughout the course of the audit helps us to address the risk of fraud.
No specific level of unpredictability is required; however, engagement teams document those
procedures that are deemed to be unpredictable in nature.

Time to Learn 2014


PwC

Page 14 of 40

Audit planning takeaway

The engagement team discusses how to incorporate unpredictability into the audit during the fraud
discussion. Remember that an unpredictable procedure is one where the nature and/or timing and/or
extent of the test varies from what we have historically performed.
Some examples of unpredictable procedures which may address specific fraud risks are as follows:
Audit area
Inventory

Examples of unpredictable procedures that might be appropriate


Conduct meetings and enquiries with client staff with whom we
have not had much previous contact (e.g. key personnel in the
purchasing department, quality control managers).
Attend inventory counts performed at locations not attended in the
past, and without advance notice at the planning phase.
Work in progress or recording of transit items: we may consider
testing at a more detailed level.

Sales / Accounts
receivable

Purchases /
Accounts payable

Cash

Property, plant
and equipment

Multi-location
audits

Time to Learn 2014


PwC

Conduct meetings with client staff with whom we have not had
much previous contact (e.g. sales staff responsible for handling
major customer accounts).
Change the nature of substantive analytical procedures (e.g. use
different basis for disaggregating revenue).
Extend cut-off testing beyond the periods normally covered,
including sales and sales returns.
Accounts receivable confirmations: we may alter the selection
criteria for the sample of accounts receivable balances to confirm.
Perform other procedures which were not previously considered.
For example:
o Confirm sales terms and/or amounts for a selection of
customers.
o Test classes of sales transactions not previously tested (e.g.
export sales).
o Perform more detailed analytical procedures (e.g. by using
CAATs to scan sales accounts or customer accounts).
o Change the date used for confirmations (i.e. confirm as of
an earlier or later date).
o Perform work to verify intercompany sales and related
balances beyond confirming details with component
auditors.
If not normally performed, obtain confirmations of outstanding
amounts directly from suppliers. If this is already performed, vary
the scope and/or timing of the confirmation process.
Test areas of expense not previously tested in detail.
Use CAATs to scan purchase accounts/payments to look for
unusual items (e.g. suppliers with similar bank details).
Select additional month(s) to perform work on bank
reconciliations.
Where there are large numbers of bank accounts and selective
testing is performed, change the basis of selection.
Perform work on property, plant and equipment not previously
considered (e.g. consider inspecting existence of lower value assets
such as company cars and equipment).
We may alter the extent of physical verification procedures.
Change scope or locations of overseas work (e.g. more work in
smaller locations, visiting overseas locations).

Page 15 of 40

Audit planning takeaway

Finally, for the avoidance of doubt, sampling is not an unpredictable procedure; just because we do
not know which invoices we will select for testing does not make it an unpredictable procedure.
Journals
We have made considerable progress over the years with regards to journals testing, but a few areas
continue to be identified for improvement. These are documenting how we obtained evidence as to the
completeness of the population, why we are selecting the journals we have selected and, in situations
where Computer Assisted Audit Techniques (CAATs) have been used, how we rationalised testing only
a proportion of those which the CAAT identified.
Remember that we test journals to respond to a specific risk, or risks, of fraud. As such, we need to
clearly link our journals testing to the risk of fraud identified.
To effectively plan and perform testing over journal entries, we need to:

understand and evaluate the entity's financial reporting process and the controls over journal
entries and other adjustments, which includes evaluating the design of controls and
determining whether they have been implemented. Without an understanding of how the
entity uses journals, we cannot effectively design our journals testing;
use professional judgement in determining the nature, timing and extent of testing of journal
entries and other adjustments and assess completeness of the populations of entries subject to
testing. Consider our fraud risk assessment in our analysis, in particular regarding the risk of
management override of internal controls and place additional emphasis on identifying and
testing items processed outside of the normal course of business; and
document our rationale for what we are doing.

In audits of entities with complex IT systems, Risk Assurance involvement is likely to be needed, in
which case the approach to journal entries will be discussed with them. In addition, the use of Data
Assurance has greatly enhanced our work on journals enabling us to deal with a number of the issues
we face.
We may consider the following procedures related to journal entry testing as part of planning our
approach:

In order to obtain an understanding of the entity's financial reporting process and controls
over journal entries and other adjustments, consider the following:
o the entitys written, and unwritten, policies and procedures regarding the initiation,
recording and processing of standard, and non-standard, journal entries and other
adjustments;
o the sources of significant debits and credits to an account;
o individuals responsible for initiating entries to the general ledger, transaction
processing systems, or consolidation;
o approvals and reviews required for such entries and other adjustments;
o how journal entries and other adjustments are recorded (e.g. whether entries are
initiated and recorded online with no physical evidence, or created in paper form and
entered in batch mode);
o controls, if any, designed to prevent and detect fictitious entries and unauthorised
changes to journals and ledgers; and
o controls over the integrity of the process used to generate journals reports which we
use for audit purposes.
If not already doing so, determine whether you can use journals CAATs.
During planning, consider performing enquiry of individuals involved in the financial
reporting process about inappropriate or unusual activity related to the processing of journal
entries and other adjustments to provide input into determining the timing, nature and extent
of testing, and then update enquiries at year end. This is documented in the EGA Respond to
the risk of material misstatement involving management override of controls.
Consider including an element of unpredictability regarding the value, amount and types of
journal entries and other adjustments tested.

Time to Learn 2014


PwC

Page 16 of 40

Audit planning takeaway

Manage multilocation audit planning, if applicable, for the testing of journal entries and other
adjustments by including the following in instruction letters:
o the group engagement teams assessment of the risk of material misstatement due to
fraud;
o if appropriate, identification of any specific classes of journal entries for testing and
the extent of testing (or provide a list of journal entries to test if selections are made
by the group engagement team); and
o a contact for fraud related questions on the group engagement team.

Controls over journals


Effective controls over the preparation and posting of journal entries and other adjustments may
reduce the extent of substantive testing necessary, provided that we have tested the operating
effectiveness of the controls and consider that they are effective. However, even though controls might
be implemented and operating effectively, our procedures for testing journal entries and other
adjustments include the identification and testing of specific items. In other words, we may be able to
justify obtaining partial reliance on controls over journals, but, due to the risk of management
override of controls, we do not seek high controls reliance in respect of journal entries. Where controls
over journal entries and other adjustments, including segregation of duties (restricted access), are
dependent on automated controls, we also need to test the relevant ITGCs.
Completeness of the population
Before we begin to test a sample of journals, we need to ensure that we are selecting from a complete
population. Ordinarily, we are now utilising Risk Assurance to use CAATs to assist us in our testing of
journals. CAATs enable a complete output of journals to be populated through extraction from a
transactional listing which is reconciled to the trial balance. While obtaining the population of journal
entries electronically is the preferred method of ascertaining completeness when auditing journal
entries, it is also acceptable to use other manual auditing procedures. This can be done by, for
example, using accept-reject testing (agreeing balances from a detailed account breakdown reconciled
to the general ledger, to the journals listing).
Further guidance with regards to obtaining evidence as to the completeness of the population can be
found in PwC Audit 5509.
Substantive testing
Substantive testing can include scanning analytics and tests of details.
Scanning analytics can be performed on detailed lists of journal entries to identify unusual or
unexpected entries (e.g. accounts, amounts, individuals approving the entry, times of day, dates the
entry was recorded). The unusual or unexpected entries are identified and then tested substantively,
for example by agreement to source documentation.
Substantive tests of details are the typical means of testing journal entries or other adjustments. Since
we are testing entries which represent a fraud risk, target testing (manual or CAATs) based on fraud
risk is the appropriate approach for selecting items which are then substantively tested, again by
agreement to source documentation for example.
Remember that, in addition to agreeing journal entries to supporting documentation, part of our
evidence is understanding the purpose and appropriateness of the journal and documenting that on
the audit file.
Sorting down large populations
We will often provide Data Assurance with a list of risk-based criteria and ask that they isolate a
subset of non-standard journal entries based on, for example, unusual general ledger account
combinations (this example demonstrates only one risk-based criteria, but consider other criteria
when testing).This may identify a total population of 1,000 journal entries for example.
In identifying this population of 1,000 journal entries that potentially require 100 per cent
examination, we may, after additional analysis, be able to further refine our initial definition of
'unusual account combinations' or other criteria used in selecting journal entries. This process might
be thought of as an iterative 'sorting down' until we conclude we have the remaining population that
in our judgement represents the risk of material misstatement due to fraud and has to be examined
100 per cent.
Time to Learn 2014
PwC

Page 17 of 40

Audit planning takeaway

It would be rare that we have to test each of the 1,000 items initially identified in this example. The
fact that the 1,000 items were identified is more likely indicative that certain account combinations
are not, in fact, unusual and may be valid in certain circumstances (i.e. they do not represent a
significant risk of material fraud).
Sorting down the 1,000 items by account combination and then researching the reasons for
combinations of a significant number of items or monetary value may lead to a conclusion based on
our knowledge and existing audit evidence that no further testing of a particular combination is
necessary (i.e. the account combination is not unusual).
Alternatively, the client may provide a plausible explanation why the classes of entries or other
adjustments do not represent a risk of fraud, We need to obtain additional evidence to support this
explanation, and could perform this testing on a targeted basis (based on monetary amount or some
other criteria). In situations where the client is providing a plausible explanation for a large number of
similar items, use accept-reject testing on the attributes of the journal entries and underlying
transactions to support the clients explanation and the appropriateness of the entry. If accept-reject
test results corroborate the client's explanation that the entries do not represent risk of fraud, then the
entries can be filtered out of our selection for testing. Accept-reject testing would only be used to
further 'sort down' the population to better identify the targets that represent the risk of material
misstatement. Once identified, those entries that represent the risk of material misstatement would
then be tested 100 per cent.
Finally, the team document clearly their rationale for how they got from 1,000 possible items down to
the number actually tested.
Criteria for journal selection
At the planning stage, once we have a detailed understanding of how and why the entity uses journal
entries, we need to agree the criteria we will use to select journal entries for substantive testing. Below
are examples of the criteria which could be used to select journals for substantive testing. It is
important to remember that each entity is different and requires some combination of the examples
below:

largest journal entries (manual and/or automated);


unusual general ledger account combinations (e.g. entries to revenue that do not impact cash,
accounts receivable, or deferred revenue);
journal entry activity that is reversed in a subsequent period (e.g. month end, quarter end);
this test will identify whether one or both sides of the journal entry are reversed in the
subsequent period;
unusual intercompany and/or related party transactions;
unusual ratios and changes for sales/assets, debt/equity, etc., including those that are too
consistent, or conflict with our knowledge of the business;
journal entries not documented in the general ledger (such as reclassification made to a
reporting system, where general controls over the general ledger may not apply);
journal entries with a net P&L impact over a certain amount;
items just under a threshold (e.g. if any posting over 10,000 required an approval process,
entries in the amount of 9,999.99 or 9,999.00);
infrequently used general ledger accounts;
missing or duplicate journal numbers (where the general ledger system has logical numbering
system);
entries made at unusual times (e.g. off-peak/overnight) or days (e.g. weekends/holidays);
large volume of non-standard entries in accounts where there are likely primarily standard
entries;
unusual volume of entries at certain times of the month (last 5 days, first 5 days), quarter, or
year; and
unexpected individuals posting entries (e.g. IT staff, senior management or non-finance
personnel).

Time to Learn 2014


PwC

Page 18 of 40

Audit planning takeaway

When determining the appropriate journals to test, engagement teams need to consider the specific
risk conditions/factors identified at the entity. What may be an appropriate approach for one entity
might not be appropriate for another. Consider carefully whether the risk conditions/factors you
identify are genuinely the risky ones (e.g. do you really think the fraud risk lies with round sum
journals posted out of hours?).
The criteria applied for selecting journals have to be at a level such that potentially fraudulent journals
would be tested. However, clearly there is a balance to be sought and this remains a matter of
significant professional judgement. Once we have identified our risk criteria, we are required to test
all journals that fall within those criteria.
Year end testing or testing journals throughout the period
ISAs (UK&I) require that we test journal entries at the end of the reporting period, including
consolidation journals, because fraudulent journal entries are often made at that time. However,
fraudulent adjustments could arise during the period. Therefore we need to consider whether to test
journals throughout the period (e.g. if our journal testing is a response to the risk of fraud in revenue
recognition, then we test journals posted to revenue throughout the period).
Responding to identified fraud
When our work indicates that fraud has or may have taken place:

the engagement leader calls OGC to discuss the matter;


any advice provided by OGC is followed; and
the engagement team will also need to complete a suspicious activity report and submit the
report to Compliance.

Further consultations may then be required (e.g. with ARQ).


The engagement leader and team then discuss and agree a course of action. This may include seeking
the advice or involvement of a forensic specialist, for example with regard to:

the most appropriate approach to determine the full facts and extent of the fraud and its
impact on the financial statements;
the communication of the problem and of recommendations for dealing with it to the client;
wider legal and regulatory issues; and
remedial and asset recovery options.

The engagement leader will assess whether sufficient additional work has been performed either to
ascertain the impact of the fraud on the financial statements, or to gain reasonable assurance that
there is no material impact.
The actual and potential magnitude of the fraud, its nature, the extent of concealment, and the staff
involved are all factors to consider when determining the appropriate course of action.
In situations where adequate information about a suspected act of fraud cannot be obtained, consider
the effect of the lack of evidence on our audit report. If we conclude that the effect of the suspected act
of fraud on the financial statements might be material, then consider expressing a qualified, or
adverse, opinion. If we are precluded by the entity from obtaining sufficient appropriate audit
evidence to evaluate whether fraud that may be material to the financial statements has occurred, then
consider qualifying our opinion on the basis of a scope limitation, or deny any opinion on the financial
statements, following the necessary consultation procedures with ARQ.
Teams often struggle to identify and articulate the impact of an actual fraud on our audit strategy and
plan. Have we considered whether the fraud is isolated to a specific transaction or process? Have we
adequately designed procedures to mitigate the risks that have arisen? Does this yield wider concerns
around the control environment and managements integrity?
Consider whether the circumstances surrounding the fraudulent act affect our ability to rely on
management's representations or suggest that we should not continue our association with the entity.
In reaching decisions on these matters, carefully evaluate whether top management, including the
board of directors or its audit committee, gives appropriate consideration to the act after it has been
brought to their attention. As ever, consultation is critical in such situations.
Time to Learn 2014
PwC

Page 19 of 40

Audit planning takeaway

And finally
Remember that our assessment of the risk of fraud does not stop at the planning phase of the audit,
but continues throughout the audit process until we sign. Consider whether any:

fraud risk factors changed or whether there are new risk factors which have arisen;
of the uncorrected misstatements are indicative of fraud, or fraud risks; and
of the control deficiencies identified are indicative of fraud, or fraud risks.

We need to be alert to the possibility of additional fraud risks being identified as the audit progresses
as well as applying professional scepticism throughout the audit process. Where further risks of fraud
are identified during the audit, we design an appropriate response to those fraud risks and document
full details on the audit file.
At the end of the audit we need to step back and consider whether:

all fraud risks have been identified;


fraud risks have been appropriately responded to;
sufficient audit evidence has been obtained; and
our work is fully documented on the audit file.

Time to Learn 2014


PwC

Page 20 of 40

Audit planning takeaway

Laws and regulations


ISA (UK&I) requirements
The requirements in ISA (UK&I) 250A are designed to assist the auditor in identifying material
misstatement of the financial statements due to non-compliance with laws and regulations. However,
the auditor is not responsible for preventing non-compliance and cannot be expected to detect noncompliance with all laws and regulations (i.e. the auditor is not meant to go hunting for noncompliance with laws and regulations but we are required to make an informed risk assessment and
design a response to any risk of material misstatement of the financial statements due to noncompliance).
The auditor is responsible for obtaining reasonable assurance that the financial statements, taken as a
whole, are free from material misstatement, whether caused by fraud or error. In conducting an audit
of financial statements, the auditor takes into account the applicable legal and regulatory framework.
Owing to the inherent limitations of an audit, there is an unavoidable risk that some material
misstatements in the financial statements may not be detected, even though the audit is properly
planned and performed in accordance with the ISAs (UK&I). In the context of laws and regulations,
the potential effects of inherent limitations on the auditors ability to detect material misstatements
are greater for such reasons as the following:

there are many laws and regulations, relating principally to the operating aspects of an entity
that typically do not affect the financial statements and are not captured by the entitys
information systems relevant to financial reporting;
non-compliance may involve conduct designed to conceal it, such as collusion, forgery,
deliberate failure to record transactions, management override of controls or intentional
misrepresentations being made to the auditor;
whether an act constitutes non-compliance is ultimately a matter for legal determination by a
court of law; and
ordinarily, the further removed non-compliance is from the events and transactions reflected
in the financial statements, the less likely the auditor is to become aware of it or to recognise
the non-compliance.

Engagement teams need to focus on the specific laws and regulations that have a direct impact on the
financial statements. Further, where teams identify such applicable laws and regulations, they need to
identify how the entity has complied with those laws and regulations (e.g. the Companies Act); it is not
sufficient just to say that nothing has come to their attention.
For other laws and regulations, we need to perform specific procedures to help identify instances of
non-compliance which may have a material effect on the financial statements including, where an
entity is regulated, inspecting any correspondence with the regulatory authorities and considering,
and documenting, the impact, if any, on the audit strategy and plan.
What does this mean in practice?
We need to have discussions within the team and with the management of the entity, including the
audit committee where one exists, as to what laws and regulations impact them, focussing on those
which, if there was non-compliance, could have a material impact on the financial statements. In our
team discussions, this will utilise prior year knowledge and experience of similar entities within the
same industry.
We also discuss with the individuals at the entity responsible for compliance matters how they ensure
that the entity complies with relevant laws and regulations as well as enquiring whether there has
been any non-compliance and obtaining details. In larger clients, an in-house legal or compliance
department may be responsible for managing the entitys compliance with laws and regulations. In
smaller organisations, this is often more informal and may be performed by someone in the finance
team.
Consider disclosures made in the annual report such as in the principal risks and uncertainties
section. Has the entity identified laws and regulations which we have not considered and, if so,
document our consideration of these areas. Some areas which are often covered in the principal risks
and uncertainties in annual reports include the Bribery Act, compliance with operating permits,
health, safety, environmental and security risks and infringement of intellectual property of others.

Time to Learn 2014


PwC

Page 21 of 40

Audit planning takeaway

As ever, document the team discussions as well as those with management.


We also consider correspondence with legal advisers and may also need to discuss issues arising with
an entitys in-house and/or external legal counsel. If this happens after we have performed our initial
assessment, then we need to update and revise our assessment of the risk of non-compliance
accordingly.
In regulated industries, we read correspondence with regulators; it is worth noting that regulators are
becoming more active. We also check whether there are press reports of regulatory action within the
industry to consider whether the same issues could impact our entity and discuss the matter with
those charged with governance.
The procedures below may help identify instances of non-compliance with other laws and regulations
that may have a material effect on the financial statements:

use our existing understanding of the entitys industry, regulatory and other external factors;
read board minutes;
read last years annual report or the latest draft;
review the whistleblowing log;
enquire of management and the entitys in house legal counsel, or external legal counsel
regarding litigation claims and assessments;
enquire of management as to other laws and regulations that may impact them;
enquire of management as to the entitys policies and procedures regarding compliance with
laws and regulations;
enquire of management as to the entitys policies for accounting for litigation claims;
inspect correspondence, if any, with the relevant licensing or regulatory authorities; and
perform internet searches on competitors to see if there have been any significant fines or
penalties enforced as a result of non-compliance with laws and regulations; determine and
assess if similar situations could be applicable for your client.

The above procedures enable us to assess the risk of non-compliance with laws and regulations and
more effectively document our rationale in this area.
In addition, we document our evaluation of the design and implementation of controls at the entity in
respect of the risk of non-compliance with laws and regulations. We also clearly document our
responses to identified risks of non-compliance with laws and regulations.
We also include in our representation letter a representation from those charged with governance that
all known instances of non-compliance or suspected non-compliance with laws and regulations whose
effects should be considered when preparing the financial statements have been disclosed to us.
Finally, remember to consider the potential impact of the Bribery Act 2010 see below for more
information.
Written representations also provide audit evidence about managements knowledge of identified, or
suspected, non-compliance with laws and regulations, whose effects may have a material impact on
the financial statements.
Bribery Act 2010 and Transparency International
We need to assess whether there is a risk of the financial statements being materiality misstated as a
result of the entity making questionable payments which might be deemed to be bribes, and
consequently result in non-compliance with the Bribery Act 2010; this could have significant financial
consequences for the entity. This means, for example, considering the culture and business practices
with the industries and countries in which the entity operates, to understand the risks of such
payments, and also the consequences to the entity in the event of non-compliance.

Time to Learn 2014


PwC

Page 22 of 40

Audit planning takeaway

Transparency International has produced resources that can help in our audits. They are the UKs
leading anti-corruption organisation and you might be aware of the Corruptions Perception Index and
Bribe Payers Index which they update periodically. These indices can help us identify countries where
there may be a heightened risk, and these can be useful as part of our risk assessment:

the 2013 Corruptions Perception Index measures the perceived level of public sector
corruption in 176 countries and territories around the world; and
the 2011 Bribe Payers Index ranks the likelihood of companies from 28 leading economies
winning business abroad by paying bribes.

These indices can be used to assess how the country that your entity is based in, or trades with, ranks
in terms of public sector corruption and the likelihood that they might win business abroad by paying
bribes.
In addition, if we use the work of auditors in countries with a low index (i.e. in a country where there
is a high risk of bribery and corruption), then we carefully consider what procedures we need to
perform to satisfy ourselves about the quality of their work and document our considerations and
findings.
Please refer to the 2013 corruption perceptions index and bribery index for detailed information about
different countries and then document the impact on your audit.
Where we have assessed risks in the area of questionable payments being made, we understand how
the client has responded to the Bribery Act 2010 to enable us to complete our assessment of the risk of
non-compliance with laws and regulations. Therefore, as part of our discussions with management,
those charged with governance, etc., we discuss what processes and controls they have in place to
ensure compliance with the Bribery Act 2010, including the results of any whistle-blowing by
employees or others.
Required communications
It is likely we will identify matters that we want to communicate with management (e.g. deliberate
instances of non-compliance by management need to be communicated to the entitys legal counsel,
the audit committee and the board of directors as appropriate).
If we suspect that members of senior management are involved in the non-compliance, then you need
to consult with ARQ and, where appropriate, OGC.
When we audit the parent company, and another office audits a component, matters related to the
component need to be communicated to the group engagement team, and vice versa.
Audit opinion
We need to consider the impact on the audit opinion of any non-compliance. What action we take
depends on the results of our work and whether sufficient audit evidence has been obtained, what
actions the entity has taken, what has been disclosed in the financial statements, and any
uncertainties.
For example, where the entity has paid an illegal dividend, if the entity has made appropriate
disclosures and taken action to recover, or has recovered, the dividends, then we may conclude that
there is no impact on the audit report. If no disclosures are made and the matter is material, then we
have a disagreement with management and would issue a modified opinion.
Remember, if you are thinking about issuing an emphasis of matter or modified opinion, then you are
required to consult with ARQ.

Time to Learn 2014


PwC

Page 23 of 40

Audit planning takeaway

Materiality
Overall materiality
Our assessment of materiality for the financial statements as a whole is termed overall materiality. We
apply professional judgement to determine overall materiality when establishing the overall strategy
for the audit based on the results of risk assessment analytical procedures, our understanding of the
entity and its environment and discussions within the engagement team. Overall materiality is also
considered in evaluating the effect of identified uncorrected misstatements on the financial
statements as a whole and the opinion in our audit report (PwC Audit 9015). When the determination
of materiality is particularly complex or judgemental, ARQ is consulted.
We determine a single quantitative level (that is, one number) of overall materiality based on a
selected benchmark (e.g. profit before tax) that is relevant to users of the financial statements. Overall
materiality based on this benchmark is applied to the financial statements as a whole and forms the
basis for calculating performance materiality. Applying separate quantitative levels of overall
materiality (e.g. a certain materiality level for the profit and loss account and a different materiality
level for the balance sheet) will not enable us to plan our audit effectively to detect material
misstatements. See PwC Audit 2104 for further guidance on materiality for particular classes of
transactions, account balances or disclosures.
Professional judgement
Engagement teams apply their professional judgement in determining materiality levels rather than
defaulting to a mechanical calculation based on PwC Audit 2102. Engagement leaders often know,
based on their experience and knowledge of the entity, what an appropriate materiality level should be
and are able to articulate their thought process in determining that materiality. In such instances,
teams can use this as a starting point to fit it into the framework guidance in PwC Audit 2102. We
need to balance the materiality framework set out in the Audit Guide with the application of
judgement in light of the specific circumstances of the entity for the period being audited.
Total assets
Where total assets is used as the benchmark in determining overall materiality, there is a distinction
between PIEs which are not-for-profit and those PIEs which are other than not-for-profit. For notfor-profit entities we can use up to 0.5% of total assets, whereas for other than not-for-profit entities
we can use up to 1% of total assets for PIEs and up to 2% for non-PIEs.
Alternative benchmarks
When alternative benchmarks are used (e.g. total revenue for a profit-oriented entity), it is normally
expected that the alternative benchmark, together with the generally accepted benchmark, will be
evaluated and materiality would be set using professional judgement and based on the most
appropriate benchmark in the circumstances of the entity being audited.
When using an adjusted profit-based benchmark, it is necessary to consider whether the benchmark is
relevant to the users of the financial statements and that the benchmark has been identified by the
directors as a financial key performance indicator in the annual report. It is difficult to argue that a
benchmark should be used on the basis that it is relevant to users of the financial statements if it is not
talked about in the annual report and does not appear in the financial statements in a prominent
position (e.g. on the face of the income statement). If you do consider a measure to be appropriate
which has not been identified by the directors as a financial key performance indicator in the annual
report, then include a clear and robust rationalisation of your decision on the audit file. Consultation
with ARQ is also recommended in such situations.
Common adjustments to profit may include interest, tax, amortisation, depreciation and exceptional
items or, in the context of owner-managed businesses, remuneration. In the case of exceptional items,
exceptional credits, which are often ignored, as well as debits need to be taken into consideration.
Whilst other adjustments may be made, they can only be regarded as appropriate if the adjustedprofit measure is demonstrably of interest to users as outlined above as may be the case in
determining an underlying profit measure. However, remember that in some cases we will need to
explain our benchmark in the audit report or to others. For example, do you think that using a
measure of PBT adding back x, y and z and averaging over three or five years would look sensible?

Time to Learn 2014


PwC

Page 24 of 40

Audit planning takeaway

Where adjustments to profit other than those listed above are being considered, contact ARQ by
logging an enquiry on IGLO to discuss whether the proposed adjustments are appropriate in the
circumstances. Whatever adjustments are made to profit, the documentation in the audit file needs to
clearly set out the factors considered in using that benchmark and hence why the adjustments were
considered to be appropriate adjusting items.
Once the benchmark has been determined, consideration of the appropriate rule of thumb is required.
In the scenario of a profit-oriented PIE where 5% of PBT could be used, using 5% of an adjusted profit
benchmark may not always be appropriate. In considering whether the rule of thumb applied is
appropriate, the proposed overall materiality as a percentage of PBT is calculated to assess whether it
remains reasonable. In other words, taking 5% of an adjusted profit measure which equates to 30% of
PBT may not be a sensible option as we have to have regard to PBT as users will not ignore PBT
totally. The documentation will therefore include the rationale for the rule of thumb being applied.
In the situation where the adjustments to PBT represent genuinely one-off exceptional items (debits
and/or credits), a 5% rule of thumb is normally considered acceptable.
We also need to bear in mind situations where we are required to disclose the basis on which overall
materiality has been determined in the audit report. In such situations, consider how you will describe
your overall materiality to users of the financial statements.
Performance materiality
The AQR teams thematic review on materiality identified that auditors should demonstrate
consideration of risk in setting performance materiality and avoid, as a default, simply setting this at
the highest level allowed under the firms guidance.
The Audit Guide has been updated to provide three specific levels of haircut (10%, 25% and 50%)
which can be applied as appropriate. Rather than using any haircut percentage within the range of
10% to 50%, engagement teams are encouraged to choose between the three haircut percentages
based on evaluating relevant risk factors, although we expect the 10% haircut to be used in rare
circumstances.
Engagement teams currently using other haircut percentages (e.g. 33%, 40%) need to consider the
appropriateness of continuing to do so and are encouraged to select one of the specific percentages
above to promote further consistency across our audit engagements and increase efficiency of our
documentation. Consider whether changing the haircut (e.g. from say 33% to 25%) is appropriate and
document the rationale. However, it is generally not expected to result in significant changes in the
aggregation risk, as long as the engagement team appropriately consider the related factors. Teams
may consider consulting when the factors affecting the haircut percentage have changed significantly.

Time to Learn 2014


PwC

Page 25 of 40

Audit planning takeaway

The following table summarises the factors supporting various haircut percentages:
Factors supporting the haircut*
History of
misstatements

10%

25%

50%

History of limited, or
no, booked or proposed
audit adjustments

History of limited, or
no, booked or proposed
audit adjustments

History of frequent
audit adjustments.
Significant
management turnover
that suggests a
potential increase in
the frequency of audit
adjustments

Risk assessment
and aggregation
risk

The characteristics of
the company being
audited result in low
aggregation risk related
to potential
misstatements arising
from environmental
factors (e.g. sufficient
qualified management
resources are present,
there is low pressure to
achieve targeted
results, the company
does not operate in a
high risk industry).

The characteristics of
the company being
audited result in low to
medium aggregation
risk related to potential
misstatements arising
from environmental
factors (e.g. sufficient
qualified management
resources are present,
there is low pressure to
achieve targeted
results, the company
does not operate in a
high risk industry).

The characteristics of
the company being
audited result in high
aggregation audit risk
related to potential
misstatements arising
from environmental
factors (e.g. insufficient
qualified management
resources are present,
the initial audit of a
company having never
been audited before,
there is unusually high
pressure to achieve
targeted results, the
company operates in a
high risk industry).

Where testing of
operational
effectiveness of
controls is part of the
overall audit strategy,
the controls have
historically been
determined to be
operating effectively.

Expected or known
significant deficiencies
in controls.

Aggregation risk is low


related to potential
misstatements because
there are a limited
number of significant
accounts and a limited
number of locations.
Effectiveness of
controls

Where testing of
operational
effectiveness of
controls is part of the
overall audit strategy,
the controls have
historically been
determined to be
operating effectively.

*A haircut lower than 25% may not be used on PCAOB engagements or those subject to PCAOB
inspection and would include work performed in support of such an engagement. See below for
further restrictions.
Using one of the haircut percentages above will generally be appropriate and facilitate standardisation
and effective execution of our audit engagements, as well as efficient audit documentation. We
determine an appropriate haircut based on the evaluation of the factors above and considering
whether all or some of the factors are present on the engagement. In situations when a combination of
various factors is present (e.g. the engagement is considered high risk, but there is no history of
adjustments and controls are operating effectively), we would normally select an appropriate haircut
using professional judgement and considering which factors are most important to the engagement.
Time to Learn 2014
PwC

Page 26 of 40

Audit planning takeaway

However, in limited circumstances we may consider using percentages other than those above. For
example, a percentage between 25% and 50% may be appropriate in some circumstances (e.g. if the
risk assessment concludes that the entity has a predominant factor at the higher and lower end of the
range and we consider these factors to be equally important). When in doubt, consider consulting
ARQ.
Using a 10% haircut
It is expected that the 10% haircut will be used in rare circumstances. Engagement teams carefully
consider the factors identified in the table above to determine whether it is appropriate to apply a 10%
haircut, together with the following:

A 10% haircut must only be used where there are a limited number of significant accounts and
a limited number of locations.
A 10% haircut must not be used for:
o PIEs or full scope components of PIEs; and
o First year audit engagements.
A haircut lower than 25% must not be used on PCAOB engagements or those subject to
PCAOB inspection, and would include work performed in support of such an engagement.

If you are considering using a 10% haircut, then you need to consult with ARQ first.
Using a 50% haircut
Determine if all the factors above have been appropriately evaluated, and consider consulting ARQ.
Consider using a 50% haircut only when the risk factors described above are pervasive across the
entity rather than related to specific risks. For those engagements where there are specific risks,
consider using a 25% haircut and varying the nature, timing, and extent of testing to address the
specific risk items (documenting this as materiality for particular classes of transactions, account
balances or disclosures). For example, if there is a history of misstatements and significant risk in a
particular account, we may apply a higher haircut to that account (based on our judgement) and apply
a 25% haircut for performance materiality to be used for all other accounts.
Documenting in Aura
In Aura v5, the Materiality view has been updated to provide a pre-populated choice of haircut values
(10%, 25%, 50% and other). PwC Audit 2103 includes factors to consider when selecting the haircut
percentage. If we wish to use an other haircut percentage, we can do so, but in such cases Aura will
display a warning message and will generally necessitate further documentation of the rationale for
doing so. We clearly demonstrate our consideration of risk when setting performance materiality with
reference to the factors identified in the table above.
De Minimis SUM posting level
We normally select a de minimis SUM posting level of 0, 3, 5 or 10% of overall materiality, applying
professional judgement and considering the engagement circumstances. In particular, we consider our
experience of the number and amount of misstatements, our risk assessment and the expectation of
management and the audit committee. In practice, we generally select a SUM posting level of 5% of
overall materiality.
Disaggregating materiality
When is it necessary to disaggregate materiality?
Within an FSLI, performance materiality may be applied to each sub-component and there is no need
to disaggregate performance materiality to perform tests of details on each sub-component. However,
there are certain considerations to be made. For example:

We need to test FSLIs which are immaterial, but consist of material debit and credit elements
(e.g. a net pension surplus/deficit).
If we target test each element for coverage, or use risk based characteristics based on our
performance materiality, then we need to aggregate the untested balances in each element of
the FSLI to determine the untested balance for the whole FSLI and consider if we have a
material untested balance left what further evidence is needed, if any.
We need to complete some substantive work on all material FSLIs, so where every sub-FSLI
element is immaterial, but the FSLI is material, some substantive testing is still required.

Time to Learn 2014


PwC

Page 27 of 40

Audit planning takeaway

If substantive analytical review is being completed, further consideration is required to


disaggregate materiality when assessing an acceptable threshold for exceptions.
In areas of significant risk where the test of details is the only source of audit evidence,
consider whether you need to disaggregate materiality (e.g. when testing multiple revenue
streams).

Disaggregating materiality when performing substantive analytical procedures


Where we have determined that substantive analytical procedures are appropriate, we need to
determine an appropriate threshold; this is the level above which we will need to investigate
differences from our expectation.
The threshold that we determine for substantive analytical procedures will depend on a number of
factors:

desired level of evidence from the analytical procedures the greater the evidence sought
from the procedure, the lower the threshold;
the precision of the expectation the more precise the expectation is, the lower the threshold
should be;
overall materiality and performance materiality, including the impact of disaggregation; and
the type of analytical procedures and the rigour with which it is applied.

Materiality, and hence disaggregating materiality due to the disaggregation of data, is just one
component in determining an appropriate threshold for the substantive analytical procedure.
Materiality in a group audit context
PwC Audit 2333 and PwC Audit 2334 set out the basis on which group materiality is determined and
outline the optional component materiality framework which many teams apply.
If materiality is being determined for group reporting, then it will be determined or approved, and
advised to the component auditor, by the group engagement team. If materiality is being determined
for the purposes of group reporting and local statutory reporting, then materiality is determined at the
component level, whilst considering group requirements and agreeing the amount with the group
engagement team. In most situations, component materiality will exceed local statutory materiality,
but this is not always the case and hence both materialities need to be assessed.
The component team should alert the group engagement team if, for example, their statutory
materiality is higher than their allocated component materiality. This can happen in a group where
there are components making significant profits and losses. The component auditor is also required to
communicate their performance materiality to the group engagement team, because the group
engagement team is required to evaluate its appropriateness.
Teams are reminded of the ISA (UK&I) 600 requirement that materiality at the component level
should be lower than overall materiality for the group financial statements as a whole. ARQ have
identified, through a matter raised by the AQR and also through the HPC reviews, that there may be a
number of teams who have set component materiality equal to group overall materiality.
Where group teams identify that component materiality has been set equal to group overall
materiality, materiality will need to be revised downwards for those components to a level that is
below group overall materiality. It is the engagement leader's judgement as to what would be
considered an acceptable level, taking into account the materiality and risk profile of the component
and the level of aggregation risk within the group; ISA (UK&I) 600 is not prescriptive in this respect.
Further, it would be reasonable to expect that, for certain larger components, materiality would
remain at a level that is approaching group overall materiality, but at a level that leaves some
headroom to accommodate misstatements arising elsewhere in the group.
Remember that you need to be clear when advising component auditors whether you are advising
them of the overall materiality to be applied, the performance materiality, or both. This is to avoid any
confusion between the group engagement team and component audit team.

Time to Learn 2014


PwC

Page 28 of 40

Audit planning takeaway

Reassessing materiality at the final audit


We reassess our determination of overall materiality, performance materiality and group and
component materiality at the final audit.
Where materiality has reduced since the original assessment made at planning, we need to evaluate
the impact on our audit plan. Do not panic and assume that this will mean that significant amounts of
additional testing is now required. Instead, carefully evaluate the impact of the change in materiality
on an FSLI by FSLI basis and assess whether the audit evidence we currently have remains sufficient
or whether additional audit evidence needs to be obtained. In some cases you may be able to
rationalise that no further audit evidence is required based on the risk assessment and the totality of
audit evidence already obtained. Where non-statistical sampling has been used, if the change in the
sample size is insignificant, again you may be able to rationalise that no further audit evidence is
required based on the risk assessment and the totality of audit evidence already obtained. However in
other instances, further audit evidence will be required. Before we undertake further work, the nature
and extent of further testing is discussed and agreed with the engagement leader.
Our assessment of the impact of the change in materiality and revisions to the audit plan are
documented on the audit file and, where significant, are approved by the engagement leader and QRP,
where one has been appointed.
Reporting to those charged with governance
ISA (UK&I) 260 requires the auditor to communicate with those charged with governance an overview
of the planned scope and timing of the audit. Matters communicated would ordinarily include the
application of materiality in the context of an audit.
Our communication may include a general explanation of how materiality is applied on the audit and,
if the engagement leader considers it appropriate, it may also include:

an indication of the broad quantitative range within which our overall materiality judgement
will lie;
the broad impact that this will have on our performance materiality; and
the de minimis SUM posting level.

In the UK, it is becoming common to be more transparent in our communication of materiality, partly
as a result of the requirement in our audit of certain companies to disclose materiality in the audit
report. Therefore, our communication may include the amount of overall materiality, performance
materiality and the de minimis SUM posting level. However, we need to make clear that there are also
qualitative factors that will impact on our assessment of whether misstatements identified during the
audit are material.
Refer to PwC Audit 2210 for further guidance on communicating our summary audit strategy.
If we have communicated our materiality assessments to the client and our approach to materiality
changes significantly during the course of the audit, then communicate the change to the entity and
the impact on our plan, if any. Further, if there are significant changes between the presentation of the
audit strategy and plan and the final audit clearance meeting, then these changes are communicated
to those charged with governance.

Time to Learn 2014


PwC

Page 29 of 40

Audit planning takeaway

Other planning reminders


Planning top tips
The audit needs to tell the whole story and hence all the different parts of the audit have to link
together. As a starting point, do you understand the business processes, transaction flows, systems
and, in effect, how the FSLI comes into existence? Whilst you may understand the accounting policy
for the FSLI, do you understand how the accounting policy for the FSLI is actually effected into the
books and records? The benefits of this understanding can be huge. It will help you perform an
effective and focussed risk assessment, specifically:

understanding precisely what within the FSLI is driving the risk;


what the relevant assertions are; and
to develop a focussed, effective and efficient planned audit response to the identified risks and
assertions within that FSLI.

When developing the audit plan, think holistically by considering all evidence planned to be obtained
from the business process as well as evidence from the corresponding double entry; never plan the
audit of an FSLI in isolation. A poor understanding at the planning stage leads to poor quality and
inefficient audits.
Invest the time in understanding the entity and planning our audit and involve the engagement leader
throughout, as it will ensure that we do the right work and save time later on.
Risk assessment
Risk assessment analytics
It is an ISA (UK&I) requirement for risk assessment analytics to be performed for every entity for
which we sign an audit opinion, but what is the point of performing risk assessment analytics?
Whilst they do not provide direct audit evidence, when performed well, they help us identify potential
risks and where to focus our audit effort. At a basic level, risk assessment analytics confirm whether
there are any risks we have missed or whether there is anything unusual, or something which does not
appear consistent with our knowledge of the business, or which simply does not make sense. This
enables us to make further enquiries to help determine what work, if any, is required.
The effectiveness of risk assessment analytics depends on our understanding of the entity and its
environment, the level of disaggregation of the data and the use of our experience and professional
judgement. Therefore, you need to involve suitably experienced members of the team.
When performing risk assessment analytics, we may set a threshold in terms of an absolute number or
a percentage and simply review for what is unusual:

Risk assessment analytics do not need to be performed at the same level of precision and
disaggregation as substantive analytics since risk assessment analytics are not designed as a
source of audit evidence. Hence, the threshold is generally higher than the threshold used for
disaggregated substantive analytics and generally will be performance materiality.
In defining what may be unusual, we do not necessarily need to define it at the start of the
process. Auditors, using their experience and knowledge of the entity, will generally know
when something is unusual or odd when they see it and it is at that stage that they can
articulate why it is unusual or odd. However, it is always useful to document the factors you
may be looking for.

Remember not to fall into the trap that just because a number is the same as last year, then it is OK.
Ask yourself should it be?. Sometimes, the fact that a number is the same is wrong and needs further
investigation.
Also remember that, just because the risk assessment analytics indicate that further work may be
required, this may just be further investigation to get a better understanding of the facts and once we
have that enhanced understanding, we are able to conclude that no further work is needed.
The EGA for risk assessment analytics in each FSLI has been updated in the 2014 Aura libraries. Refer
to PwC Audit 5012 for further guidance on risk assessment analytics.
Time to Learn 2014
PwC

Page 30 of 40

Audit planning takeaway

Assess risks
Being clear as to why a risk is normal, elevated or significant is essential and ensuring that the file
reflects that rationale is critical. In documenting your rationale it can be helpful to think in terms of
nature, likelihood and magnitude. This is particularly helpful in being able to rationalise why an
elevated risk is not a significant risk or why a significant risk is not an elevated risk. Having the
documentation on file to explain why the risk has been classified as it is will also help you determine
your response.
Also remember to be as specific as you can as to where or what in the FSLI is driving the risk. When
considering the risk of fraud in revenue recognition we are very good and precise at stating that the
risk is in manual journals within the X revenue stream with the relevant assertion being occurrence.
Outside of the risk of fraud in revenue recognition, we tend not to get to that level of granularity yet,
by doing so, we can better focus our audit effort to where it really matters.
If you describe elevated risks, dont use words such as high or significant as this implies the risk is
a significant risk. Where there is a need to use these words to describe the risk concerned, you need to
consider whether this risk is actually significant rather than elevated. Pay particular attention where
you have previously categorised a risk as significant and you are now classifying it as elevated that you
do change the terminology such as high or significant in your description of the risk and that your
explanation supports the classification.
How we explain our risks to those charged with governance needs to align t0, and be consistent with,
the audit file. Avoid discussing risks with those charged with governance using different language. We
frequently have regulatory findings where the audit file indicates we have say three significant risks,
but the audit planning document implies we have many more due to the language we have used. This
clarity and consistency is even more important in light of the new enhanced audit report.

Time to Learn 2014


PwC

Page 31 of 40

Audit planning takeaway

Risk slider settings


Getting the slider settings right is essential in determining the audit strategy and then the audit plan.
As a reminder, there are six recommended optimal risk slider combinations which will be applicable
in the majority of scenarios; remember that this does not mean that other slider settings are wrong,
but you should challenge yourself as to whether you have the optimal approach. These are detailed in
PwC Audit 4024 and are as follows:
Inherent
risk

Slider settings
Expected
Planned
controls substantive
reliance
evidence
N

Scenario
This strategy would be typical for a normal risk where
either tests of details and/or properly designed substantive
analytical procedures are expected to provide all the
required evidence.
This strategy would be expected where a largely controls
based approach is adopted. The substantive work will
frequently be leveraged from another risk and may include
substantive analytical review.
This strategy would be typical for an elevated risk where
either controls are not in place or we cannot effectively or
efficiently rely upon those controls.
This strategy would be typical for an elevated risk where
effective controls exist and can be efficiently tested.
This strategy would be typical for a significant risk where
either effective controls do not exist or they exist, but
cannot be efficiently tested (note that you are required to
evaluate the design effectiveness of relevant controls and
determine whether they have been implemented).
Substantive testing is required to include tests of details.
It is often the case that a significant risk arises because of
circumstances where controls can be overridden (e.g.
related party transactions) or do not exist due to the
nature/frequency of the risk. However, where controls over
a significant risk can be identified and their effectiveness
can be efficiently tested, this would be an acceptable testing
plan. The substantive testing will normally include tests of
details.

When the slider settings are not consistent with common testing strategies based on ISAs (UK&I) and
PwC Audit, Aura displays an alert. You would either need to change the sliders, or document in the
system-prompted explanation why the setting is appropriate. As you know, without doing this, the risk
cannot be marked as prepared.
When setting the risk sliders, set the slider based on the level of planned substantive evidence you
need, not the level of substantive evidence the testing will provide. Lets consider bank and cash as an
example. The typical slider settings will be normal risk, no controls reliance and low planned
substantive audit evidence. However, sending bank confirmation requests actually gives you a high
level of substantive evidence. But we do not change the slider setting to high planned substantive
evidence as we only need to obtain a low level of substantive evidence.

Time to Learn 2014


PwC

Page 32 of 40

Audit planning takeaway

The risk is that we end up over-auditing as we do not challenge the work we are planning to do.
Therefore, never set the sliders to match the work we are planning to do, but instead challenge where
we are getting more audit evidence than we need and ask whether we actually need that level of audit
evidence. If we conclude that we do need a higher level of audit evidence, ask why that is and whether
we need to change our risk assessment.
Another example where you need to carefully consider risk slider settings is where you plan to
perform the two-step approach for auditing revenue. One of the criteria which needs to be met to
apply the two-step approach is that the level of evidence related to the existence of accounts receivable
from confirmations or from liquidation testing (i.e. after-date cash procedures) is either moderate or
high. Where the risk relating to accounts receivable is normal, we recommend creating another risk
for accounts receivable relating solely to existence and set the planned substantive evidence slider as
moderate or high depending on the planned level of evidence gathered. The original RoMM would
then address the remainder of the assertions.
ISA (UK&I) 700
ISA (UK&I) 700 was revised in 2013 and now requires, amongst other things, the following
information to be provided in the audit reports of companies which are either required to, or
voluntarily choose to, comply with the UK Corporate Governance Code, or explain where they do not:
1.

describe those assessed risks of material misstatement that were identified by the auditor and
which had the greatest effect on the overall audit strategy, the allocation of resources in the
audit, and directing the efforts of the engagement team;
2. provide an explanation of how the auditor applied the concept of materiality in planning and
performing the audit. Such explanation shall specify the threshold used by the auditor as
being materiality for the financial statements as a whole; and
3. provide an overview of the scope of the audit, including an explanation of how the scope
addressed the assessed risks of material misstatement disclosed in accordance with item 1 and
was influenced by the auditors application of materiality disclosed in accordance with item 2.
As we are now disclosing the overall materiality and how it has been calculated, it is even more
important that our rationale for the determination of materiality is clear and robust. It is also more
important than ever that the risks in the audit file, our various communications to management or the
audit committee, the significant issues which the audit committee have identified in the preparation of
the financial statements and the areas of focus in the audit opinion are reconciled. Whilst we do not
expect them to be identical, we need to have documentation on file which reconciles these items and
explains any differences. To assist teams in their documentation, the EGA 'Other auditing and
completion procedures' was updated to include what you need to do in relation to drafting the new
look PwC audit report, including mapping the significant risks in your Aura file to:

the matters communicated to the audit committee in our audit committee report (and audit
plan if different);
the 'areas of particular audit focus' in the audit report; and
the significant issues described by the audit committee in the front half of the annual report.

Internal audit
Enquiries of internal audit
ISA (UK&I) 315 requires risk assessment procedures to include enquiries of appropriate individuals
within the entity which include, amongst others, the internal audit function who may have
information that is likely to assist in identifying risks of material misstatement due to fraud or error.
This means that audit teams need to enquire of internal audit and document this on the Aura file even
if they dont plan to use any of the internal audit functions work. In addition, where an internal audit
function exists, we are required to read their reports as part of our risk assessment and audit planning
process.
Direct assistance
ISA (UK&I) 610 (revised) no longer permits the use of internal audit staff as members of the external
audit engagement team and hence they are not allowed to perform audit procedures (referred to as
direct assistance) with effect for periods ending on or after 15 June 2014.

Time to Learn 2014


PwC

Page 33 of 40

Audit planning takeaway

Direct assistance refers to situations where, for example, a member of internal audit works as part of
our audit team directly under our control, or where we select a sample of items and internal auditors
test those items and provide the resulting working papers directly to us. It would not include
situations where we discuss the scope of internal audits work at the planning stage. This is because
the work is subject to internal audits usual direction, supervision, review and reporting procedures
and processes.
Remember that the prohibition of the use of direct assistance extends to component teams as well
where their work contributes to an ISA (UK&I) opinion. Therefore, as the group engagement team,
you will need to communicate this prohibition to component teams because the international version
of ISA 610 does not include such a prohibition and hence they may be planning to use internal audit in
a direct assistance capacity.
Use of ISAE 3402 controls reports on service organisations
Clients use service organisations for a variety of services (e.g. to process the payment of payroll) and
many have ISAE 3402, or equivalent, controls reports which we can obtain. Often we see files where
the report is attached but there is no documentation as to what we have used it for or there are
references to reliance on the controls report without a clear articulation as to how we have used the
report or any evidence that the report has been read.
Where we decide to obtain a copy of a service organisations controls report we have to be clear as to
the purpose for getting the report and document clearly on the audit file how the report will be used
and incorporated in the audit plan (i.e. if all we are doing is to understand the service organisations
processes and controls, then just state that). If we are planning on relying on controls, then:

be clear that is what we are doing;


be clear as to which controls you are planning to place reliance on and check that they are
mapped in the Aura file and linked to the controls report;
consider any gap period and determine what further procedures are needed;
appropriately deal with any exceptions identified in the controls report (PwC Audit 6043
contains the relevant guidance to help you determine what needs to be done); and
determine what further controls testing or other audit procedures are needed at our client.

Audit of tax
In 2013, the Planning for the Audit of Tax elective at the classroom day introduced new tools to help
audit teams plan more effectively for the audit of tax, thereby driving quality and efficiency.
If you did not attend the classroom session or you would like to refresh your knowledge, then a remote
access version is available to complete. Further information is also available by reading Technical
Alert 109.
We also launched the tax benchmarking web enabled tool in late 2013. It is strongly recommended
that the scores gathered as part of the completion of the Understanding the tax control environment
tool are input into the tool which provides insights by enabling benchmarking of clients against both
peers and best practice.
There is also a risk assessment tool to assist teams to determine whether tax on their client is
straightforward or complex. The tool assists in identification and documentation of the tax risks
relevant to clients which drives the build of the work plan and the correct use of tax specialists.
Remember to involve tax specialists if you have a complex tax engagement and ensure that they
document their work in Aura in the new EGAs.
Estimates
Remember that our risk assessment needs to cover all FSLIs where estimates arise. Needless to say,
whilst some estimates will have a bigger impact on the financial statements than others, teams often
forget other estimates when performing their risk assessment.

Time to Learn 2014


PwC

Page 34 of 40

Audit planning takeaway

An ISA (UK&I) requirement which teams often forget is the need to review the outcome of prior year
accounting estimates or review the re-estimation for the purpose of the current year. As a reminder,
the results of these procedures performed need to be documented on the Aura file together with:

our understanding of the basis for the estimate;


why we consider it reasonable or not; and
what we have done or plan to do to audit the estimate.

Further guidance on auditing estimates can be found in PwC Audit 7070.


Confirmations
When requesting a confirmation about assets such as investment securities from an investment
manager and custodian, do you understand what evidence the confirmation will give you and does it
achieve what you want it to? These questions apply to any confirmation being requested. Typically, the
investment manager will provide evidence over valuation and the custodian evidence over existence.
Sometimes a custodian confirmation will include a valuation but this may not always be the latest upto-date valuation and hence further confirmations and/or testing may be required.
Where the investment manager and custodian are part of the same group, you need to consider
whether the investment manager and custodian are actually independent of each other. Audit teams
may need to perform procedures to conclude that they are independent. Further procedures are
required where they may not be independent of each other as this could indicate a heightened risk of
fraud. Refer to PwC Audit 7052 for further guidance.
Finally, a new electronic confirmation tool is currently in development with the aim of being available
for December 2014 audits. Watch out for future communications from Assurance Transformation.
Referred reporting audit engagements and letterbox audits
Referred reporting audit engagements (RRAEs) are scenarios where a significant part of the audit
work on the financial statements is undertaken by another network member firm (the overseas
supporting firm). RRAEs can either be entity audits or group audits (often also referred to as
letterbox audits).
To be able to perform any audit, we have to be competent in the GAAP, and the laws and regulations,
of the country in which the entity is incorporated and operates. Therefore, problems arise when the
financial statements are prepared in accordance with a local GAAP (UK GAAP, Dutch GAAP,
Luxembourg GAAP, or other similar local GAAPs) as member firms do not train staff in local GAAPs
of other territories. Hence, overseas supporting firms may not have the relevant competence to be
able to issue an RRAE opinion on whether financial statements have been prepared in accordance
with the relevant local GAAP, or with the applicable laws and regulations.
Under previous guidance, the ability of an overseas supporting firm to issue an appropriate RRAE
opinion in these circumstances was restricted and alternative reporting options explored on a case-bycase basis.
New globally approved reporting guidance and illustrative reports have been agreed that should
facilitate overseas supporting firms being able to issue an RRAE opinion on financial statements
prepared under a local GAAP; the aim being to provide clarity as to what work has been performed by
the overseas supporting firm and what work remains the responsibility of the engagement team in the
territory where the external report is being issued, such that a quality audit is performed and that
nothing has been overlooked.
This new approach allows a number of options for the type of report issued by the overseas supporting
firm, including:

utilising staff from the network firm issuing the external audit report to bring the relevant
competence in local GAAP financial reporting onto the team, enabling a local GAAP RRAE
opinion to be issued by the overseas supporting firm;
issuing an RRAE opinion based on having audited the financial statements with reference to a
group accounting manual (in the correct GAAP) or accounting policies disclosed in the
financial statements and an appropriate disclosure checklist;

Time to Learn 2014


PwC

Page 35 of 40

Audit planning takeaway

issuing an RRAE opinion based on having audited the financial statements with reference to
IFRS as a base framework, except for certain line items or disclosures where the instructions
communicate areas of GAAP difference and how they should be audited. In doing so, it
recognises that, in many of these RRAE scenarios, the financial statements are not complex
and that, although the local GAAP itself is not considered sufficiently close to IFRS, the
impact of preparing the financial statements in accordance with that local GAAP, including
local laws impacting the financial statement presentation and disclosure, may not result in
extensive differences had those financial statements been prepared in accordance with IFRS,
and any such differences that do arise can be readily identified).

Updated guidance and reporting templates have been included in the UK Reporting Manual and
Template Manager. PwC Audit 2400 has also been updated to include the following reminders when
conducting a RRAE:

The UK engagement team members responsibility to have sufficient involvement at each


stage of the audit: planning, execution and completion, when the UK firm issues the external
audit report; and guidance on what 'sufficient involvement' means in practice.
Responsibilities of UK members of the engagement team when the UK firm issues an audit
opinion on group financial statements, including:
o responsibilities for issuing the group audit instructions in addition to RRAE
instructions (see PwC Audit 2425); and
o responsibility for conducting audit procedures on the consolidation (see PwC Audit
2434).
Considerations for file structures and access by engagement team members from an overseas
network firm that is issuing the external audit opinion.

Group and component audits


Now a few reminders on group and component audits...
Determine components
The first step when scoping a group audit is to really understand the group and its structure (i.e. how
do the numbers come together). Then we need to determine what a component is. A component is
typically the entity or business activity for which management prepares financial information that is
included in the group financial statements. For example, this may be based on organisational
structure, geographical location, function, process, product or service. Key considerations include:

How does the entity manage the business?


At what level are there discrete sets of auditable financial information?
How is the business consolidated?
How do the management level / consolidation level / legal entity level overlap?

Remember that you can have components at different levels within a group; in some instances subconsolidations may exist which may be a more appropriate component.
But, whatever you determine to be the components, it is important to clearly define what a component
is in the context of the group and its structure on the Aura file and to explain your rationale for the
decisions taken.
Evidence required from components
Once the components have been identified, the group engagement team needs to work out what
evidence is required from each of the components:

For financially significant components, a full scope audit of its financial information is
required.
For significant components which are significant as they include significant risks, the
procedures can vary from a full scope audit, an audit of one or more FSLIs, or specified audit
procedures.

Group engagement teams consider if they can focus on components where local statutory audits are
performed in the group reporting timeline to be more efficient and effective in gathering audit
evidence.

Time to Learn 2014


PwC

Page 36 of 40

Audit planning takeaway

Remember that for insignificant components, we need to perform group level analytical procedures;
these are risk assessment analytical procedures in nature and are aimed at identifying whether there
are any further risks of material misstatement in the group financial statements, and need to be
performed by someone with the appropriate knowledge and experience.
For each component, the group engagement team documents clearly and concisely the planned
evidence to be obtained by component and why; this is especially important where we have similar
components, but are adopting different approaches. This will also help teams to identify any
components over which no work is being performed and to then justify why no work is required or to
document the evidence required.
In addition to the assessment of components, we also need to look at each FSLI to assess the level of
audit evidence being obtained compared to the materiality of the FSLI and the risks of material
misstatement. This will help identify those components where we want an audit of an FSLI or
specified procedures to be performed over the FSLI to ensure that we have sufficient audit evidence.
We want to avoid a situation where a component is insignificant and the group level analytics did not
highlight anything, but it has an FSLI which is material to the group.
The Assurance Transformation guide on scoping, the Centre of Excellence and ARQ are there to help
you get the scoping right so consult as needed. But remember that the audit file reflects all your
scoping decisions including your rationale for what you are doing.
Group auditors involvement
The group engagement team needs to direct and control the group audit. They need to evidence this in
the Aura file during the planning phase by scoping, performing risk assessments and planning the
procedures to be performed by the component team.
At the planning stage, they also consider how they are going to review and evidence their involvement
in the component auditors work. This can be documented for example in a summary that shows the
components, the audit evidence required (i.e. full scope audit) and also the planned involvement (e.g.
engagement leader visiting x number of components, the director x number of components and
conference call for the other components). When considering visiting the components, the group
engagement team focuses on those components which they are most concerned about.
Clearly document on the audit file your planned involvement in the component auditors work, why
you are planning to do what you are doing and discuss your plans with those charged with governance.
If plans change, inform them of the change and why the change was made. Remember you have to
justify what you did and why you consider that you were sufficiently involved in their work and that it
also enabled you to adequately understand the group, the audit and the results of the audit work in
those components.
Refer to Audit methodology volume 4: Group scoping component selection for further guidance.
Materiality
Guidance on setting component materiality can be found in PwC Audit 2334. When determining
component materiality:

carefully consider which components need to be included in the component materiality


calculation and which to exclude (i.e. do not include those components where we are
performing audits of FSLIs only);
component materiality needs to be less than group materiality this is an ISA (UK&I) 600
requirement;
rather than allocating the entire multiple to the components, leave yourself some headroom in
case of changes to materiality and/or components

Audit teams are reminded of the requirement at the year end stage of the audit to reassess materiality
as determined at the planning stage for final year end results. This reassessment may mean that the
component materiality calculations need to be reworked and may result in lower materialities needing
to be advised to component auditors. Allowing headroom in the initial allocations may help mitigate
the impact where group materiality is lower at the year end than originally planned.

Time to Learn 2014


PwC

Page 37 of 40

Audit planning takeaway

Finally, communicate any changes in materiality to those charged with governance together with the
impact on our audit strategy and plan and document your judgements on the Aura file in all instances
where judgement has been applied.
Planning sign-off
Signing off planning as soon as possible helps to minimise the risk that the fieldwork is misdirected.
However, in some situations the planning sign-off is postponed by engagement teams due to a
perception that it is not appropriate to do so before all planning activities have been completed,
especially in relation to understanding and evaluating an entitys internal control.
PwC Audit 4025 has been clarified to explain that we may consider it inefficient and/or impractical to
perform procedures other than enquiry in determining implementation of control activities prior to
planning sign-off. For example, this may be the case when a single audit visit is planned at the end of
the financial year and it is not considered practical to perform another visit solely for the purpose of
evaluating control activities. Delaying the point of planning sign-off in such situations will be
undesirable, as it may discourage other planning procedures from being performed on a timely basis
and is generally unsupportive of timely, effective planning, including resource planning.
In such cases it may be appropriate to perform further internal control evaluation procedures in
addition to enquiries after the planning sign-off. We need to consider if we have obtained sufficient
understanding of internal controls to be able to sign off planning, so that we can effectively and
efficiently move forward with our engagement. However, where we plan to perform further internal
control evaluation procedures after the planning sign-off, we need to remain alert to the increased
likelihood of the need to modify the audit strategy and plan as a result of the finalisation of the
internal control evaluation procedures.
Significant matters
Think before you write a simple structure for a significant matter can be:

state what the risk or issue is;


state what our judgement or conclusion is;
explain the rationale for our judgement or conclusion; and
articulate the evidence we have to support our judgement or conclusion.

Here are some top tips for writing and reviewing significant matters:

Start drafting early do not leave it to the last minute


Consider the structure
Tell the story from start to finish document relevant content as it evolves
Document all key discussions
Demonstrate how we have applied professional scepticism especially to show how we have
challenged managements decisions
Explain the rationale and logic for our conclusion
Walk the reader through the evidence obtained
Consider whether we have obtained sufficient audit evidence
Ensure our conclusion is clear start with the conclusion as you may need to sign-post the
judgement upfront where the significant matter is long to enable the reader to focus their
review
Write clearly, concisely and avoid jargon
Be precise in the language used
Allow plenty of time for engagement leader and QRP review, time to deal with their comments
and time for their re-review do not deliver it just before you expect them to approve it
Allow time for central consultation if needed
Step back at the end and cold read the significant matter:
o Does it make sense?
o Does it stand-alone?
o Are the judgements supported?

Time to Learn 2014


PwC

Page 38 of 40

Audit planning takeaway

There are some good examples of significant matters available on PwC Audit 1143 covering:

management override of controls;


professional scepticism; and
goodwill.

Time to Learn 2014


PwC

Page 39 of 40

Audit planning takeaway

This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers
LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by
anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document
relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance.
2014 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a
limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers
International Limited, each of which is a separate and independent legal entity.

Time to Learn 2014


PwC

Page 40 of 40