Developing an audit plan

Jump to:

Audit planning is the bedrock of a successful audit. It is a crucial first step in the audit process that, when done properly, helps auditors conduct efficient audits, ensure compliance with standards, and mitigate risk. This is especially important in today’s environment as businesses face ever-growing complexities and evolving risks.

Audit planning, however, is not a simple, check-off-the-box process. Several factors must be considered, like the client’s business environment, their operations and system of internal controls, and timing of the engagement.

To help auditors gain a clearer understanding of audit planning, this article takes a closer look at what is typically included in an audit plan, how it differs from an audit strategy, how to develop an audit plan, and more.

What is audit planning?

Audit planning is the development of a detailed plan, or blueprint, for conducting an audit.

Audit planning, which is based on the overall audit strategy, involves the risk assessment procedures that will be executed, as well as the anticipated responses to the risks of material misstatements for a particular audit. In addition to risk assessment activities, the audit plan should also indicate the audit procedures needed to ensure compliance with the professional audit standards applicable to the engagement.

While audit planning is a vital first step in the audit process, the Public Company Accounting Oversight Board (PCAOB) points out at AS 2101.05 that, “Planning is not a discrete phase of an audit but, rather, a continual and iterative process that might begin shortly after (or in connection with) the completion of the previous audit and continues until the completion of the current audit.”

Audit strategy versus audit plan

Audit planning involves the establishment of the overall audit strategy. The audit strategy sets out, in general terms, the scope of the engagement, how the audit is to be conducted, the direction of the audit, as well as the timing. The audit plan, on the other hand, is much more detailed as it outlines the steps to be followed in conducting the audit and details the responses to the auditor’s risk assessment.

What is included in an audit plan?

As previously noted, the audit plan is designed to ensure that the audit is conducted efficiently, effectively, and in accordance with auditing standards. Therefore, it is important to develop an audit plan that includes a comprehensive framework outlining the scope, reporting objectives, and focus of the audit.

More specifically, most firms’ audit plans:

• Detail the nature, timing, and extent of audit procedures to be performed.

• Identify significant audit areas and risks of material misstatement and describe the allocation of tasks among audit team members.

• Consider the company’s business environment, system of internal controls, and applicable financial reporting framework and the related accounting policies.

• Set materiality thresholds and establish deadlines for different stages of the audit.

7 steps to develop an audit plan

Developing an audit plan typically involves several key steps, which include:

1. Gain knowledge of the client

It is important to have a clear understanding of the client when developing an effective audit plan. This involves knowing the following:

• The client’s legal structure, ownership, governance, and related parties;  
• The client’s industry, regulatory, and other external factors;  
• Their business model;  
• The objectives and strategies and related business risks; and 
• The measurement and assessment of the entity’s financial performance.

The auditor also needs to understand the reporting objectives, nature of communications with management and those charged with governance, reporting deadlines, and any statutory or contractual reporting responsibilities.

For an audit of a continuing client, much of this documentation can be pulled forward from the previous year with more emphasis placed on changes that may have occurred during the current year.

2. Understand the system of internal controls

It is essential that the audit team understands, evaluates, and documents the components of the entity’s system of internal controls relevant to the audit. It is also important to know and indicate the sources of information used and procedures performed in obtaining the understanding.

Book PPC’s Guide to Internal Control and Fraud Prevention This PPC guide contains the essential tools you need to assist clients in fulfilling their responsibility to design and implement programs and controls to prevent, deter, and detect fraud.

3. Determine materiality

To focus on areas with the greatest potential impact on the financial statements, establish materiality levels. This is part of establishing the overall strategy for the audit. In this step, the auditor also considers whether lower materiality amounts are appropriate for particular classes of transactions, account balances, or disclosures based on the financial statement user’s’ perceptions of the particular items.

4. Conduct risk assessment

When making a risk assessment, audit teams take the following actions:

• Identify significant audit areas; 
• Document the risks of material misstatement affecting the relevant assertions for each significant audit area (including fraud risks or other significant risks); 
• Assess those risks; 
• Select an audit approach that is appropriately tailored to respond to the assessed level of risk; and  
• Document the linkage of the assessed risks to the audit procedures that respond to those risks.

There are several factors that are taken into consideration when making risk assessments. Such factors include the materiality of reported amounts, the results of preliminary analytical procedures, information obtained about the entity and its environment (including its system of internal controls), the consideration of fraud, engagement team discussions, and results of engagement acceptance or continuance procedures.

It is important to also consider other engagements performed for the entity, and any other sources that provide information relevant to identifying and assessing risks.

5. Establish audit strategy

As noted earlier, developing an audit plan includes the formulation of an audit strategy. The audit strategy outlines the nature, timing, and extent of the audit procedures. These decisions consider the auditor’s plans to obtain evidence regarding the operating effectiveness of internal control.

6. Allocate resources

To help deliver an effective audit, it is important to assign audit team members based on their skills and experience. This includes management and supervision of personnel.

7. Document

Prepare a written audit plan that outlines the planned audit procedures and serves as a guide for the audit team.

How long does audit planning take?

Audit planning is not a simple process, and the duration varies from client to client depending on the size and complexity of the company being audited, as well as the auditor’s prior experience with the client.

Generally, for a small to medium-sized company, audit planning may take a few days to a couple of weeks. For a larger, more complex organization, or when the audit team has no prior experience with the company, planning can take several weeks.

Regardless, it is important for the audit team to allocate sufficient time for planning to ensure a thorough understanding of the client and to develop an effective audit approach.

Executing the audit plan

In today’s complex and tech-driven environment, executing the audit plan involves having the right training and tools and resources in place to drive efficiencies and to streamline workflows.

For those audit firms that have not yet done so, leveraging the cloud is a critical initial step. In fact, many would argue that the cloud is table stakes for firms looking to maintain their competitive edge in today’s market.

Having the right cloud-based technology enables auditors to work from anywhere and complete audits faster and with greater confidence through real-time data updates, secure online confirmations, and integration with third-party analytics.

Let your firm focus on what it does best and rely on Thomson Reuters AuditWatch to deliver training for audit and accounting staff. Specialized courses include Accounting and Auditing Updates, Optimization for Small Audit Teams, Peer Review Remediation, and more.