AUDIT STRATEGY
An audit strategy is a high-level plan that sets the scope, timing, and direction of
the audit. It guides the development of the more detailed audit plan.
In simple terms:
- It answers: What are we auditing? When? How? With what resources?
- It helps auditors focus on key risk areas and ensures efficient use of time and
staff.
Formal definition
According to ISA 300 Planning an Audit of Financial Statements:
“The audit strategy sets the scope, timing and direction of the audit, and guides
the development of the detailed audit plan.”
Key components of an audit strategy
Typically, an audit strategy will address:
-Scope of the audit
Which locations, accounts, or business units will be audited?
Which reporting framework is used?
Are there any special audit requirements?
-Timing
When will interim work be done?
When will final fieldwork be scheduled?
How will deadlines be met?
-Direction
Overall approach: controls-based, substantive, or mixed?
Areas of higher risk that need special attention
Use of internal audit work or experts
-Resources
Audit team members and roles
Budgeted hours and costs
Use of specialists or component auditors
Example
Audit Strategy for ABC Ltd.:
Scope: Consolidated financial statements under IFRS.
Timing: Interim audit in November, final in February.
Direction: Focus on revenue recognition (high risk), test controls over
inventory.
Resources: Senior auditor to lead, use of IT specialist for system controls.
Importance of an Audit Strategy
- Ensures work is focused on risk.
- Helps manage time and cost.
- Improves communication within the audit team and with the client.
- Forms the basis for the detailed audit plan.
TYPES OF AUDIT (AUDIT APPROACHES)
1. Substantive Approach (Purely Substantive Audit)
Definition:
An audit approach that relies entirely on substantive procedures (tests of details
and analytical procedures) without testing internal controls.
When used:
When the internal control system is weak or unreliable
When control risk is assessed as high
Examples of procedures:
Verifying invoices, receipts, bank statements
Comparing financial ratios year-to-year
2. Systems Audit Approach (also sometimes called the Systems-Based Audit
Approach)
Definition
The systems audit approach is an audit strategy that evaluates and tests the
client's internal control systems to determine whether they can be relied on
to produce accurate financial statements.
In other words:
Auditors study the system of internal controls in place and, if they’re effective,
reduce the amount of detailed checking (substantive testing).
Key Features
Focuses on understanding and documenting internal controls.
Involves testing control procedures to ensure they work effectively.
Based on the principle that good systems = lower audit risk.
Allows auditors to rely on controls instead of checking every transaction.
Steps in a Systems Audit Approach
-Understand the system:
Map processes (e.g., sales, purchases, payroll)
Identify control objectives and procedures
-Document the system:
Flowcharts, narratives, internal control questionnaires
-Evaluate the design:
Are controls well-designed to prevent/detect errors?
-Test the controls:
Walkthrough tests
Compliance tests of controls
-Assess control risk:
Low, medium, or high?
Decide if you can rely on controls
-Adjust substantive testing:
If controls are strong, reduce detailed testing
If controls are weak, increase substantive procedures
Example
Company XYZ’s purchases system
Auditor documents the process for ordering, approving, and paying
suppliers.
Tests that purchase orders require manager approval.
Checks segregation of duties between ordering and payment.
Finds controls work well → reduces the number of supplier invoice samples
for year-end testing.
Advantages of the Systems Audit Approach
✔️More efficient: Less transaction testing if controls are strong.
✔️Focuses audit effort on key controls.
✔️Helps identify control weaknesses that management can fix.
✔️Required by many auditing standards (e.g., ISA 315) for risk assessment.
Disadvantages / Limitations
- Relies on controls being properly designed and implemented.
- Can be time-consuming to document complex systems.
- If controls are weak, testing effort may actually increase.
3. Business Risk Audit Approach (Explained Simply)
The Business Risk Audit Approach is a modern audit method that focuses on
understanding the entire business environment of the client and identifying
risks that could lead to material misstatements in the financial statements.
🧠 It goes beyond just looking at financial data or internal controls — it looks at
the client’s strategies, operations, industry risks, and how those might affect
the accuracy of the financial statements.
Definition
A business risk audit approach is an audit method where the auditor
identifies, understands, and evaluates the risks that arise from the client’s
business environment and operations, and assesses how those risks could lead
to material misstatements in the financial reports/statements.
Key Features
Focuses on business risks (not just financial risks)
Understands client’s goals, challenges, market, and operations
Ties business risks directly to financial reporting risks
Leads to more focused and effective audit procedures
Steps in the Business Risk Audit Approach
1. Understand the Entity and Its Environment
Industry, regulation, competitors, customers, suppliers
Business model, strategies, performance indicators
2. Identify Business Risks
E.g., changes in technology, poor cash flow, supply chain issues, aggressive
expansion, legal disputes
3. Assess the Impact on Financial Statements
Which business risks might lead to misstatements in the financial statements?
E.g., rapid growth → risk of revenue recognition errors
4. Develop the Audit Plan
Focus testing on high-risk areas (e.g., revenue, goodwill, inventory
valuation)
5. Design Specific Audit Procedures
More targeted testing based on risk areas
Example
A company is expanding rapidly into new international markets.
Business risk: Misunderstanding foreign laws, overvaluation of new assets
Audit risk: Inaccurate disclosures, errors in consolidation, misstatement of
foreign currency transactions
Auditor response: More testing in areas like revenue, FX accounting, and
legal compliance
Advantages
✔️Focuses audit on what really matters
✔️Helps detect risks early and efficiently
✔️Promotes a deep understanding of the client’s business
✔️Aligns with modern risk-based auditing standards (like ISA 315)
Disadvantages
❌ Requires experienced auditors with strong business knowledge to apply
❌ More time-consuming during planning stage
❌ May be harder to apply in small/simple businesses
4. Risk-Based Audit Approach (RBAA)
The Risk-Based Audit Approach is a modern auditing method that focuses audit
resources on the areas of highest risk of material misstatement in the financial
statements.
Instead of testing everything equally, the auditor assesses risks and allocates
more time and procedures to high-risk areas, while reducing effort in low-risk
areas.
Definition
A Risk-Based Audit Approach involves identifying and assessing the risks of
material misstatement (at the financial statement and assertion levels) and then
designing audit procedures to respond to those risks.
It is required by International Standards on Auditing (especially ISA 315 and ISA
330).
Key Principles
| Principle | Meaning |
|---|---|
| Understand the client | Industry, operations, internal controls, objectives, risks |
| Identify risks | Find where material misstatements might occur |
| Assess risks | Judge the likelihood and impact of each risk |
| Respond to risks | Plan audit work to address those specific risks |
| Focus on high-risk areas | Spend more time on complex or vulnerable areas |
Steps in a Risk-Based Audit Approach
1. Understand the Entity and Its Environment
Business operations, industry, financial condition, governance
Evaluate internal controls
2. Identify and Assess Risks of Material Misstatement
At both financial statement and assertion level (transaction)
Use tools like analytical procedures, inquiries, and risk assessment
procedures
3. Determine Significant Risks
Risks that require special audit attention (e.g., revenue recognition,
accounting estimates)
4. Design Audit Procedures to Address Each Risk
Control testing or substantive procedures based on the risk level
5. Perform Audit Procedures and Evaluate Evidence
High-risk areas: more testing and tests of detail
Low-risk areas: less effort needed
6. Reassess and Adjust as Needed
If new risks are discovered during the audit
Example
Client: A company has complex revenue recognition due to bundled contracts.
Risk Identified: High risk of revenue misstatement
Auditor Action: Spend more time testing contracts, cut-off, and disclosures
Other areas: Low-risk accounts like petty cash may receive minimal testing
Advantages
✔️More efficient audit – time spent where risk is greatest
✔️Better chance of detecting material misstatements
✔️Promotes deep understanding of the client’s business
✔️Aligns with ISA standards
Disadvantages
❌ Requires skilled and experienced auditors
❌ High reliance on professional judgment
❌ Time-consuming in planning stage
❌ May miss low-risk but high-impact errors if not carefully considered
Risk Levels in RBAA
| Risk Level | Audit Response |
|---|---|
| High Risk | Detailed substantive testing, possibly test controls |
| Medium Risk | Some substantive tests, possibly use analytics |
| Low Risk | Minimal substantive procedures, possibly rely on tests of controls |
Question 1
Explain what is meant by the risk-based audit approach (RBAA) and outline TWO
advantages of using this approach in auditing financial statements.
Sample answer
Meaning of RBAA:
The risk-based audit approach is a method of planning and performing an audit by
identifying and assessing the areas in the financial statements that have the
highest risk of material misstatement. The auditor then designs and performs
audit procedures focused on these high-risk areas to obtain sufficient and
appropriate audit evidence.
Advantages:
1. Efficiency: It allows auditors to allocate resources to the areas that matter
most, reducing unnecessary work on low-risk areas.
2. Improved Detection: By concentrating on high-risk areas, the approach
increases the chance of detecting material misstatements or fraud.
Question 2
Describe the key steps an auditor would follow when applying a risk-based audit
approach (RBAA) to a client engagement.
Sample Answer:
The key steps in applying a risk-based audit approach include:
1. Understanding the Entity and Its Environment:
- The auditor gains knowledge about the client's industry, operations,
regulatory environment, and internal control systems.
2. Identifying and Assessing Risks of Material Misstatement:
- Risks are assessed at both the financial statement level and at the
assertion level for classes of transactions, account balances, and
disclosures.
3. Determining Significant Risks:
- The auditor identifies any risks that require special audit
consideration due to their complexity or likelihood of causing
material misstatement.
4. Designing Audit Responses:
- Audit procedures are planned to address assessed risks. High-risk
areas require more detailed and extensive testing.
5. Performing Audit Procedures:
- Substantive procedures and tests of controls are carried out based on
the planned approach.
6. Evaluating Evidence and Concluding:
- The auditor reviews the evidence obtained to determine if sufficient
assurance has been achieved and if the financial statements are free
from material misstatement.
Case Study Scenario
You are part of the audit team for Sunrise Electronics Ltd, a company that
manufactures and sells consumer electronics.
During planning, you learn:
The company has recently expanded into three new countries.
There is a new ERP (accounting) system implemented mid-year.
Rapid growth in online sales, which now make up 40% of revenue.
The internal audit department has identified weak controls over online
sales returns and refunds.
The company is under pressure from investors to show strong profit
growth.
Question
As the auditor applying a risk-based audit approach (RBAA), identify THREE
specific risks of material misstatement in Sunrise Electronics Ltd.’s financial
statements based on the above scenario.
For each risk you identify, explain how it could impact the financial statements
and outline an appropriate audit response.
Model Answer
1. Risk: Revenue Recognition Errors from Online Sales
Risk Explanation:
Rapid growth in online sales and known control weaknesses over
returns/refunds increase the risk of overstated revenue.
Refund liabilities may be understated, misrepresenting profit.
Financial Statement Impact:
Revenue and profit may be materially overstated.
Liabilities (refund provisions) may be understated.
Audit Response:
Perform detailed substantive testing of online sales and refund
transactions.
Review and test the accuracy of refund provisions.
Evaluate cut-off procedures to ensure sales are recorded in the correct
period.
2. Risk: Errors from New ERP System Implementation
Risk Explanation:
Changing systems mid-year increases risk of data migration errors or
incorrect transaction processing.
Controls over transaction recording may be disrupted.
Financial Statement Impact:
Misstatements across multiple accounts (sales, payables, inventory).
Potential loss of data integrity.
Audit Response:
Review and test controls over ERP migration and new processes.
Perform reconciliation of opening balances in the new system.
Increase substantive testing of transactions processed during the
transition.
3. Risk: Management Bias Due to Profit Pressure
Risk Explanation:
Pressure to meet investor expectations increases the risk of intentional
misstatement (e.g., aggressive estimates, premature revenue recognition).
Financial Statement Impact:
Possible overstatement of revenue, understatement of expenses, or
manipulation of provisions.
Audit Response:
Apply professional skepticism when reviewing management estimates.
Perform analytical procedures to identify unusual trends.
Challenge significant accounting judgments (e.g., warranty provisions,
impairment testing).
Summary Table of Risks and Responses
| Risk Area | Impact on FS | Audit Response |
|---|---|---|
| Online sales returns control weakness | Overstated revenue, understated liabilities | Substantive testing of sales, refunds, provisions |
| New ERP system implementation | Errors in recording transactions | Test migration controls, reconcile opening balances |
| Pressure to show profit growth | Aggressive revenue recognition | Test estimates, challenge management judgments |
Tips for Answering Case Questions on RBAA
✔️Always link the risk to a potential misstatement in the financial statements.
✔️Be specific in audit response (not just “do more testing” but what kind of
testing).
✔️Use clear structure: Risk → Impact → Response.