Ch 3: Audit Risk and Planning

Unit 2 — Risk, Planning, and Understanding the Entity · Lesson 3 of 6

Study Notes

4 articles in this lesson

1. Audit Risk and the Risk-Based Mindset

Learning objectives

By the end of this chapter you should be able to:

  • Explain audit risk and how it is analysed into inherent risk, control risk and detection risk, and why that analysis matters when planning work.
  • Apply a risk-based mindset to identify where material misstatements are most likely and most significant, and to prioritise audit effort accordingly.
  • Link assessed risks to tailored audit responses by adjusting the nature, timing and extent of audit procedures.
  • Distinguish between misstatements arising from error and those arising from fraud, and apply professional scepticism throughout the audit.
  • Evaluate how risk and materiality interact when designing audit procedures and when forming the audit conclusion.

Overview & key concepts

Audit work is built around a simple problem: financial statements can be wrong, and an audit can still fail to spot the problem. Audit risk is the umbrella term for that possibility—the risk that the auditor’s conclusion and the underlying reality do not match in a way that matters to users.

A risk-based mindset means you do not try to “cover everything equally.” Instead, you plan and perform the audit by asking two questions repeatedly:

  • Where could a misstatement arise? (What could go wrong, and why?)
  • If it did arise, would it matter? (Could it be material—by size or by nature?)

This approach pushes time and effort toward the areas that are both more likely to be misstated and more capable of influencing decisions.

Audit risk components

Audit risk is commonly analysed into three related components:

  • Inherent risk (IR): how prone an assertion is to misstatement due to the nature of the item or transaction, before considering controls (for example complexity, estimation, judgement, unusual transactions, incentives and pressures).
  • Control risk (CR): the chance that the entity’s controls do not prevent a misstatement, or do not detect and correct it on a timely basis.
  • Detection risk (DR): the chance that the audit work performed does not detect an existing misstatement.

The auditor cannot change inherent risk (it is driven by the business and transactions). The auditor does not “fix” controls, but evaluates them and decides whether to rely on them. The component most directly influenced by audit planning is detection risk, because it is managed by choosing more persuasive procedures, performing work closer to the reporting date, and increasing coverage.

Risk of material misstatement (RMM)

The risk of material misstatement is the risk that a material misstatement exists in the financial statements before the auditor performs detailed testing. It is assessed:

  • at the financial statement level (for example weak governance, poor close processes, integrity concerns, broad system changes), and
  • at the assertion level for classes of transactions, account balances and disclosures.

For planning purposes, RMM is analysed through inherent risk and control risk. Higher RMM requires the auditor to design responses that manage detection risk to an acceptably low level.

Professional scepticism

Professional scepticism is how an auditor keeps their judgement “switched on” under uncertainty. It shows up in the way evidence is evaluated: you look for what supports management’s explanation and what could contradict it, and you avoid concluding too quickly when the evidence is thin.

In practice, scepticism means you:

  • cross-check key facts against independent sources where possible,
  • press for specificity (who, what, when, approved by whom), not general assurances,
  • watch for bias in estimates and for patterns that consistently favour results, and
  • treat inconsistencies as a signal to expand work rather than explain them away.

It is not a presumption of dishonesty. It is a refusal to rely on comfort when the evidence needs to be stronger—especially in higher-risk areas.

Fraud vs. error

Misstatements can arise from:

  • Error: unintentional mistakes (for example posting errors, misinterpretation of policy, careless estimates).
  • Fraud: intentional acts designed to mislead users (for example deliberate overstatement of revenue, concealment of liabilities, fabricated documents).

Fraud matters because it can involve concealment and deliberate attempts to bypass controls. When fraud risk is higher, audit responses typically become more targeted, less predictable, and more reliant on independent evidence.

Significant risk

A significant risk is an identified higher assessed risk that requires special audit consideration. In practice, it is usually identified at the assertion level and often arises from:

  • areas involving significant judgement or estimation uncertainty,
  • significant unusual or complex transactions,
  • situations where manipulation is more plausible (including performance pressure), and
  • indicators of management override.

Significant risks should not be addressed only by “general” procedures. The auditor designs specific responses aimed at the particular risk and the relevant assertions.

Assertions

Assertions are the aspects of transactions, balances and disclosures that need to be supported by evidence. A practical way to remember them is to group them by what could go wrong:

  • What’s there vs what’s missing: existence/occurrence and completeness
  • Recorded correctly: accuracy (and correct coding/classification in the ledger)
  • Measured appropriately: valuation and allocation (including estimates)
  • Belongs to the entity: rights and obligations
  • Communicated clearly: presentation and disclosure

Audit procedures are planned to target the assertions that are most exposed for each risk area.

Nature, timing, and extent

Audit procedures are tailored through:

  • Nature: what is done (tests of controls, substantive analytical procedures, tests of details, confirmations, recalculation).
  • Timing: when it is done (interim vs year-end; later work often gives stronger evidence for year-end balances).
  • Extent: how much is done (sample size, coverage, number of locations, depth of testing).

As assessed risk increases, the audit response usually becomes more persuasive (nature), closer to year-end (timing), and broader or deeper (extent).

Core theory and frameworks

Audit risk model

The audit risk model is best understood as a conceptual relationship, not a calculation. It helps explain how planning choices should respond to assessed risk:

  • Audit risk is driven by (1) the risk that the statements are materially misstated and (2) the risk that the auditor’s work fails to detect that misstatement.
  • The risk of material misstatement is analysed through inherent risk and control risk.

It is often summarised using shorthand expressions such as:

  • AR is shaped by RMM and DR
  • RMM is shaped by IR and CR

These are planning aids. Auditors do not “calculate” audit risk; they use the framework to justify why higher assessed risk requires stronger audit evidence and tighter audit procedures.

In practice, auditors start by assessing where misstatements could arise (RMM) and then design procedures so the remaining chance of missing them (DR) is acceptably low.

Inherent risk assessment

Inherent risk increases when an area is more prone to error or bias, for example because of:

  • complex contract terms or accounting requirements,
  • significant estimates and judgement,
  • unusual or non-routine transactions,
  • volatile conditions (markets, pricing, foreign operations),
  • incentives and pressure affecting reported results.

The auditor identifies what could go wrong and which assertions are most exposed.

Control risk assessment

Control risk depends on whether controls exist, are designed appropriately, and operate effectively. It often increases where there is:

  • poor segregation of duties,
  • weak access controls, override capability, or lack of audit trails,
  • limited independent review,
  • delayed reconciliations and weak monitoring,
  • heavy reliance on manual adjustments.

Where the auditor plans to rely on controls, evidence is obtained over the design, implementation, and operation of those controls.

Detection risk management

Detection risk is reduced by designing work that is more likely to find misstatements, such as:

  • using evidence from independent sources,
  • increasing precision (or moving from analytics to tests of details),
  • performing procedures closer to the reporting date,
  • increasing sample sizes or broadening coverage,
  • adding unpredictability in selections and timing.

Detection risk is not eliminated; it is managed through the quality and focus of audit procedures.

Fraud risk considerations

Fraud risk is often easiest to organise as a combination of motive, ability, and mindset: pressures that make manipulation attractive, weaknesses that make it feasible, and an attitude that allows it to be justified. That framework is useful—but it should never become a tick-box exercise.

Even where controls appear strong, auditors remain alert to override risk, because senior management may be able to bypass normal approvals.

When fraud risk rises, the audit plan changes in predictable ways: you increase procedures that are harder to circumvent and you add work that management cannot easily anticipate. Common responses include:

  • deeper work on manual journals and late adjustments, especially those affecting profit-sensitive accounts,
  • targeted testing of estimates to look for one-sided judgement or optimistic assumptions,
  • steps that directly address override risk (for example, challenging the business rationale for unusual postings), and
  • greater reliance on external or independently generated evidence rather than internal reports alone.

Because revenue is often the area where performance pressure is felt most sharply, it frequently demands a tailored response—particularly around cut-off, contract terms, and variable pricing effects.

Materiality and risk

Materiality is about whether a misstatement could influence users’ decisions. Risk and materiality interact in two important ways:

  • A smaller misstatement can still matter if it affects a sensitive measure (for example a covenant threshold, regulatory requirement, or turning profit into loss).
  • Higher-risk areas generally require more persuasive evidence even where balances are not the largest, because the likelihood of misstatement is greater.

Documentation and communication

High-quality work is supported by documentation that clearly shows:

  • the risks identified and why they matter,
  • the assertions most exposed,
  • how the planned procedures respond to the risks,
  • the evidence obtained and the conclusions reached.

Clear communication within the audit team and with management helps ensure risks are understood early, resolved efficiently, and escalated appropriately.

Worked example

Narrative scenario

Consider a mid-sized manufacturing company, ABC Ltd, which has recently expanded into international markets. The company reports revenue of £665,000 and a profit margin of 14.3%. During planning, the auditor identifies the following matters:

  1. Complex customer contracts that bundle goods, installation and after-sales support.
  2. A new IT system implemented mid-year, with frequent user overrides and manual workarounds.
  3. Weak credit control, with overdue trade receivables increasing.
  4. Inventory levels have risen sharply due to expansion and new product lines.
  5. Management proposes a late journal entry reclassifying certain operating costs as non-current assets.
  6. A bonus scheme for senior management linked to meeting profit targets.
  7. Month-end close is delayed and reconciliations are often completed late.
  8. A small finance team with limited segregation of duties.
  9. High reliance on subcontractors for production and logistics.
  10. A new “buy now, pay later” payment option for customers.

Required

  1. Assess inherent risk and control risk for each matter.
  2. Design audit procedures to address the assessed risks.
  3. Explain the resulting nature, timing and extent of work.
  4. Explain how the risks could affect the audit conclusion.

Solution

The assessments below are indicative. In practice, the auditor justifies ratings using knowledge of the business, systems, and prior-year experience.

1) Complex customer contracts (bundled obligations)

  • Inherent risk: High. Contract complexity increases judgement over when revenue is earned, cut-off, and the split between goods, installation and support.
  • Control risk: Medium to high. Depends on whether contract review, approval, and revenue set-up controls are consistent and evidenced.
  • Audit procedures (tailored):
  • Nature, timing, extent: More tests of details and recalculation; increased sample sizes focused on higher-risk contract types; emphasis near year-end.

2) New IT system with overrides and manual workarounds

  • Inherent risk: High. System implementation increases risk of processing errors, incomplete data migration and inconsistent application of rules.
  • Control risk: High. Frequent overrides suggest weaknesses in access restrictions, workflow controls and monitoring.
  • Audit procedures (tailored):
  • Nature, timing, extent: Combination of IT-focused procedures and increased substantive testing; key reconciliations and bridges updated to year-end; wider coverage of manual interventions.

3) Weak credit control and increasing overdue receivables

  • Inherent risk: Medium. Receivables are exposed to overstatement where collectability is uncertain.
  • Control risk: High. Weak follow-up increases the chance overdue debts are not highlighted and impairment is understated.
  • Audit procedures (tailored):
  • Nature, timing, extent: Testing at year-end and post year-end; increased sample sizes in older age bands; more direct evidence from cash and third parties.

4) Significant increase in inventory levels

  • Inherent risk: Medium to high. Increased volume and new products raise risks over existence, obsolescence and costing.
  • Control risk: Medium. Depends on the effectiveness of count procedures, access restrictions, movement controls and costing discipline.
  • Audit procedures (tailored):
  • Nature, timing, extent: Strong year-end presence; increased coverage for new locations and new product lines; more valuation testing where obsolescence risk is higher.

5) Late journal entry reclassifying operating costs as assets

  • Inherent risk: High. Late reclassifications can indicate earnings management and may misstate profit, assets, and future depreciation/amortisation.
  • Control risk: High. Elevated if journal approval is weak or access rights allow posting without independent review.
  • Audit procedures (tailored):
  • Nature, timing, extent: Targeted year-end tests of details; broader journal review; heightened scepticism due to override indicators.

6) Bonus scheme linked to profit targets

  • Inherent risk: High. Performance incentives increase the risk of bias and deliberate manipulation in profit-sensitive areas.
  • Control risk: Medium to high. Depends on governance oversight and whether profit measures are independently reviewed and challenged.
  • Audit procedures (tailored):
  • Nature, timing, extent: More detailed testing in judgemental areas; increased unpredictability and corroboration; emphasis close to year-end.

7) Delayed close and late reconciliations

  • Inherent risk: Medium. Late close processes increase error risk, especially around cut-off, accrual completeness and reconciliation differences.
  • Control risk: High. Untimely reconciliations reduce the chance that errors are detected and corrected.
  • Audit procedures (tailored):
  • Nature, timing, extent: More substantive work near year-end and after year-end; increased attention to completeness and cut-off; expanded coverage of reconciling items.

8) Small finance team and limited segregation of duties

  • Inherent risk: Medium. Smaller teams are more vulnerable to error and undue influence.
  • Control risk: High. Limited segregation increases the risk that errors or irregularities are not prevented or detected.
  • Audit procedures (tailored):
  • Nature, timing, extent: Reduced reliance on controls; increased tests of details; more independent evidence.

9) Reliance on subcontractors

  • Inherent risk: Medium. Risks include completeness and accuracy of costs, cut-off, and exposure to claims, penalties or disputes.
  • Control risk: Medium to high. Depends on contract management, approval controls, and evidence of service completion.
  • Audit procedures (tailored):
  • Nature, timing, extent: More completeness and cut-off testing at year-end; focus on largest suppliers and unusual charges.

10) “Buy now, pay later” customer payment option

  • Inherent risk: High. This can affect revenue, receivables classification, credit risk, fees, chargebacks and presentation.
  • Control risk: Medium to high. Depends on how reconciliations to the provider are performed and reviewed, and whether the accounting for fees and settlements is understood.
  • Audit procedures (tailored):
  • Nature, timing, extent: Strong external evidence from provider statements; year-end and post year-end testing; expanded coverage during the first year of the new process.

Interpretation of the results

The planning response for ABC Ltd should concentrate on areas where both likelihood and impact of misstatement are greatest: complex revenue, system change, receivables impairment, inventory valuation, and late journals linked to performance pressure.

As RMM increases, detection risk is managed by:

  • using more persuasive evidence (third-party statements, confirmations, independent recalculation),
  • shifting key procedures closer to the reporting date,
  • increasing coverage in the most exposed populations, and
  • adding unpredictability, especially where fraud risk indicators exist.

If sufficient appropriate evidence cannot be obtained in a high-risk area, or if identified misstatements are material and uncorrected, this affects the audit conclusion and may lead to a modified opinion.

Common pitfalls and misunderstandings

  • Blurring inherent risk and control risk: Inherent risk relates to the nature of the item; control risk relates to whether controls prevent or detect misstatements.
  • Treating the risk model as arithmetic: The framework structures judgement; it does not produce a computed audit risk.
  • Listing generic procedures: Procedures must clearly respond to the specific risk and the exposed assertions.
  • Relying on explanations without evidence: Explanations are not evidence unless supported by documentation or independent corroboration.
  • Failing to adjust the plan: System changes, new products, new markets and incentives often require updating the audit response.
  • Under-responding to override indicators: Late journals and reclassifications require targeted testing and heightened scepticism.
  • Using materiality as a simple threshold: Qualitative factors can make smaller misstatements significant.
  • Weak linkage to nature, timing and extent: High-risk areas usually require stronger procedures, later timing, and broader coverage.

Summary and further reading

Audit risk describes the chance that the audit opinion does not line up with what is really going on in the financial statements in a way that could influence users—because the statements are misstated, the audit work does not detect the misstatement, or both. A risk-based approach deals with this by identifying where misstatements are most likely and most significant, and then tailoring procedures so the remaining risk of not detecting them is kept to an acceptably low level.

This chapter links closely to internal controls, audit evidence, substantive procedures, analytical review, and audit reporting. To deepen understanding, consult high-level guidance and introductory texts on audit planning, internal control evaluation, and professional judgement in obtaining audit evidence.

FAQ

What is the difference between inherent risk and control risk?

Inherent risk is about the item itself—how easily it could be misstated because of complexity, judgement, estimation or susceptibility to bias. Control risk is about the entity’s safeguards—whether the controls in place are capable of preventing or picking up misstatements in time. Together, they explain why some areas start the audit as higher-risk than others.

How does professional scepticism influence audit procedures?

It drives the auditor to critically assess evidence, challenge weak explanations, and seek corroboration—especially in judgemental or high-risk areas. It also encourages attention to contradictory evidence and possible bias in estimates.

Why is the audit risk model not a precise mathematical tool?

The inputs are judgemental and not measured with precision. The model is used to structure thinking and to justify why higher assessed risk requires stronger audit procedures; it is not used to calculate audit risk.

What role does materiality play in assessing audit risk?

Materiality helps determine what could influence users’ decisions. It affects both planning (which areas require more work) and evaluation (whether identified misstatements matter). Qualitative factors can make smaller misstatements significant.

How should auditors respond to identified fraud risks?

By designing targeted procedures that increase the likelihood of detection: expanded journal testing, scrutiny of estimates for bias, greater use of independent evidence, more work at year-end, and adding unpredictability.

What are significant risks, and how are they addressed?

Significant risks are identified higher assessed risks requiring special audit consideration, typically at the assertion level. They are addressed with procedures specifically designed for the particular risk and the relevant assertions, not only with general testing.

How do auditors determine the nature, timing, and extent of audit work?

They respond to assessed risk. Higher risk typically leads to more persuasive procedures (nature), testing closer to the reporting date (timing), and greater coverage or larger samples (extent), so that the remaining risk of not detecting misstatements is kept acceptably low.

Summary (Recap)

This chapter explained audit risk and the risk-based mindset used in planning and performing an audit. It showed how audit risk is analysed into inherent risk, control risk and detection risk, and how assessed risk drives the audit response. It emphasised professional scepticism and the different implications of misstatements arising from error versus fraud. A worked example demonstrated how to assess realistic risk factors and link them to tailored procedures through clear adjustments to nature, timing and extent.

Glossary

Audit risk The possibility that the auditor’s conclusion does not match the underlying position in a way that matters to users of the financial statements.

Inherent risk (IR) How prone an assertion is to misstatement because of the nature of the item or transaction, before considering controls.

Control risk (CR) The chance that the entity’s controls do not prevent a misstatement, or do not detect and correct it on a timely basis.

Detection risk (DR) The chance that audit procedures do not detect an existing misstatement; it is managed through the design and performance of audit work.

Risk of material misstatement (RMM) The risk that a material misstatement exists in the financial statements before detailed audit testing, analysed through inherent and control risk.

Professional scepticism A questioning, critically alert approach to evaluating evidence, especially where judgement, bias or inconsistency is present.

Fraud Intentional acts designed to mislead users of the financial statements, resulting in a misstatement.

Error Unintentional misstatements arising from mistakes, misunderstanding, or oversight.

Significant risk An identified higher assessed risk requiring special audit consideration, typically at the assertion level.

Assertions The aspects of transactions, balances and disclosures that need to be supported by evidence (for example completeness, valuation, existence, rights and obligations, and presentation).

Nature, timing and extent How audit procedures are tailored: what is done, when it is done, and how much work is performed, adjusted in response to assessed risk.

2. Understanding the Entity and Its Environment

Learning objectives

By the end of this chapter, you should be able to:

  • Explain how understanding an entity and its environment supports the identification and assessment of risks of material misstatement at financial statement and assertion level.
  • Analyse how incentives, financing pressures, and performance targets can increase the risk of misstatement and influence the auditor’s overall responses.
  • Evaluate how accounting policies and accounting estimates affect audit risk and shape further audit procedures.
  • Perform a walkthrough of a transaction process to understand the design of controls and identify where misstatements could arise.
  • Translate business understanding into specific risks (linked to assertions) and planned audit responses, updating them as evidence is obtained.

Overview & key concepts

Understanding the entity and its environment sits at the start of the audit risk model. It is not background reading: it is the basis for identifying and assessing risks of material misstatement (RoMM) at:

  • Financial statement level (pervasive risks affecting the financial statements as a whole), and
  • Assertion level (risks affecting specific account balances, classes of transactions, and disclosures).

Those assessed risks then drive:

  • Overall responses (audit-wide actions addressing FS-level risks), and
  • Further audit procedures (tests of controls and/or substantive procedures targeted at assertion-level risks).

A helpful way to think about the flow is:

Understand business & environment → Identify/assess RoMM (FS + assertions) → Plan responses (overall + further procedures) → Perform procedures & revise as evidence emerges.

This understanding is built from the entity’s business model, industry conditions, regulatory pressures, governance, related parties, and areas of judgement in accounting policies and estimates.

Core theory and frameworks

Building an understanding of the entity

The auditor gathers information from internal and external sources and considers reliability and consistency.

Internal sources may include:

  • management accounts and performance measures,
  • budgets and forecasts,
  • board and committee minutes,
  • process narratives and systems documentation,
  • accounting papers and policy manuals,
  • internal reports on control issues.

External sources may include:

  • industry and competitor information,
  • regulatory communications and enforcement themes,
  • market indicators (pricing, demand, input costs),
  • press coverage and public filings (where relevant).

The objective is to identify what could drive material misstatement and to locate it in the financial statements.

Business model

A business model explains how the entity turns activity into revenue and cash, and what resources and obligations build up as a result. Audit focus is on points where the model creates accounting sensitivity, for example:

  • how goods/services are delivered (point-in-time vs over a period),
  • how pricing works (discounts, bundles, variable elements),
  • how and when cash is collected (upfront vs credit),
  • cost behaviour (direct vs indirect, fixed vs variable),
  • balance sheet exposures (receivables, inventories, contract liabilities, provisions, financing).

Illustration (subscriptions): When customers pay at the start of a subscription, the entity may owe future service at the reporting date. In that case, cash received can create a contract liability (deferred income) which reduces as the service is provided over time.

Industry risk

Industry conditions can increase misstatement risk, particularly where they create pressure on margins, sales volumes, or liquidity. Typical drivers include:

  • intense competition and price reductions,
  • rapid obsolescence,
  • supply constraints,
  • seasonality,
  • aggressive sales incentives (discounts, extended credit),
  • sector practices affecting cut-off and valuation.

The auditor links these conditions to plausible RoMM (for example, margin pressure increasing risk of inappropriate cost capitalisation or incomplete discount recording).

Regulatory environment

Regulatory change can affect the financial statements directly (disclosures, provisions, asset valuation) and indirectly (compliance costs, fines, operational disruption).

Audit focus includes:

  • whether new requirements create obligations requiring recognition or disclosure,
  • whether management’s disclosures explain the impact clearly,
  • whether systems and controls support compliance.

Governance and culture

Governance and culture influence whether reporting is disciplined, transparent, and open to challenge. Indicators include:

  • quality of oversight and challenge by those charged with governance,
  • tone at the top and ethics culture,
  • history of control issues and remediation,
  • openness in responding to audit requests,
  • indicators of override risk (late journals, unusual adjustments, weak audit trails).

Link to FS-level RoMM: Weak governance can create a pervasive risk affecting multiple balances and disclosures. This may lead to stronger overall responses such as:

  • assigning more experienced staff and greater partner/senior involvement,
  • increasing professional scepticism and the level of corroboration required,
  • using more unpredictable procedures,
  • expanding journal entry testing and review of accounting estimates.

Related parties

Related parties can increase risk because transactions may be non-routine, structured, or not at market terms, and disclosures may be incomplete.

Audit focus areas:

  • completeness of related party identification (including indirect relationships),
  • commercial rationale for significant transactions,
  • whether terms are reasonable and consistently applied,
  • appropriate accounting treatment and disclosure.

Accounting policies and accounting estimates

Accounting policies are the methods selected for recognition, measurement, and presentation. Audit risk increases where policies are complex, changed during the year, or have a material effect on results.

Accounting estimates arise where amounts cannot be measured precisely. Common areas include:

  • expected credit losses (allowance against receivables),
  • impairments,
  • provisions,
  • fair values,
  • useful lives and residual values,
  • variable consideration (rebates, refunds, discounts).

The auditor evaluates whether assumptions are consistent with available evidence and whether there is bias, particularly where incentives exist to achieve targets.

Turning pressure into specific risks

A practical approach is:

  1. Identify what outcome management cares about (growth targets, covenant compliance, fundraising).
  2. Identify which reported numbers drive that outcome (revenue, EBITDA, net assets).
  3. Identify the simplest accounting lever that could be used (timing, classification, estimation).

Examples:

  • if bonuses depend on revenue growth, risk often concentrates on revenue cut-off, completeness of discounts/credits, and completeness of deferred income;
  • if the entity must meet covenants, risk often concentrates on completeness/classification of liabilities and expenses, including accruals and capitalisation judgement;
  • if investors are being courted, risk often concentrates on estimates and forward-looking assumptions (impairments, provisions, fair values).

Preliminary analytical procedures

Preliminary analytics are performed early to identify patterns that do not fit expectations and to help focus audit effort. Effective analytics:

  • compare against prior periods, budgets, and non-financial drivers,
  • use ratios linked to the business model,
  • investigate anomalies rather than explaining them away.

Examples:

  • gross margin movements explained by price, discounting, or cost inflation,
  • receivable days and ageing changes (credit risk and revenue cut-off),
  • movements in deferred income for subscription businesses,
  • marketing spend compared with sales growth.

Walkthroughs

Walkthroughs (following the evidence trail)

A walkthrough is a “show me” exercise. Rather than relying on a process description, the auditor selects one real transaction and follows the documents, system records, and approvals that should exist if the process is operating as described. The purpose is to understand how transactions actually flow, where errors could be introduced, and which controls matter most for preventing or detecting misstatements.

A useful structure is four phases:

  • Start point (initiation): how the transaction begins (order/contract approval, credit check). What evidence shows it was authorised?
  • Processing: what the system does (pricing rules, discount logic, tax calculations, interfaces). Where can users override the process?
  • Recording: how entries reach the ledger (timing rules, account codes, automated postings, manual journals). What logs/reports support completeness and accuracy?
  • Reporting impact: which balances/disclosures are affected (for example, revenue, receivables, deferred income) and which assertions are most exposed (accuracy, cut-off, completeness, classification).

During the walkthrough, the auditor notes who performs each step, what evidence is produced, how exceptions are handled (refunds, credit notes), and any gaps (for example, one individual can set discount codes and approve credit notes).

Important limitation: a walkthrough helps confirm understanding of the process and the design/implementation of controls. It does not, by itself, demonstrate operating effectiveness, which requires further testing.

Translating understanding into risks, assertions, and responses

A strong audit plan links:

  • Risk: what could go wrong and why.
  • Location: which account/disclosure and which assertions are affected.
  • Effect: likely overstatement/understatement/misclassification.
  • Response: overall responses (FS-level) and further procedures (assertion level).

A useful exam-writing format for risks is:

Account/disclosure + assertion + why (entity-specific) + effect on the financial statements.

Example structure:

  • Revenue – cut-off/accuracy: pressure to meet growth targets may lead to recognising subscription income too early; revenue overstated and deferred income understated.
  • Trade receivables – valuation: rapid expansion into a new market may weaken credit control; allowance understated and receivables overstated.

Materiality context: risk assessment and planned procedures are performed in the context of materiality (including performance materiality). Higher assessed risk typically leads to more persuasive evidence, larger sample sizes, and stronger corroboration.

Worked example

Narrative scenario

Tech Solutions Inc. sells annual software subscriptions online. Customers generally pay at the start of the subscription period, but some corporate customers are invoiced on 30-day terms. During the year, the company entered a new market and offered heavy introductory discounts.

Management has historically recognised subscription revenue at the point of sale. Senior management bonuses are linked to revenue growth. During the year, a new IT system was implemented, and marketing spend increased significantly. A new regulatory requirement relating to data security became effective during the year. There is also a related party transaction with a key supplier.

Transactions and balances for the year include:

  • Annual subscriptions sold at list prices of $1,335,000.
  • Introductory discounts granted of $120,000 (reducing amounts billed).
  • Cost of sales for the year: $1,170,000.
  • Trade receivables at year-end: $200,000.
  • Opening deferred income: $0.
  • At year-end, some subscriptions relate to months of service after the reporting date, giving rise to closing deferred income of $120,000.

Required

  1. Compute the gross margin percentage for the year.
  2. Prepare a reconciliation of deferred income.
  3. Identify and explain two risks of material misstatement.
  4. Perform a walkthrough of the sales transaction process.
  5. Evaluate the impact of the new IT system on financial reporting.

Solution

1) Gross margin percentage

Step 1: Net billings (after discounts)

List price sales: $1,335,000
Less: discounts: ($120,000)
Net billings: $1,215,000

Step 2: Revenue recognised for the year

Closing deferred income represents the portion of billed/received amounts relating to service after year-end.

Revenue recognised = Net billings − Closing deferred income + Opening deferred income = $1,215,000 − $120,000 + $0 = $1,095,000

Step 3: Gross margin

Gross margin = Revenue recognised − Cost of sales = $1,095,000 − $1,170,000 = ($75,000) (gross loss)

Gross margin % = (Gross margin ÷ Revenue recognised) × 100 = (−75,000 ÷ 1,095,000) × 100 = −6.85% (rounded)

2) Deferred income reconciliation

Opening deferred income: $0
Add: net billings in advance during the year: $1,215,000
Less: revenue recognised during the year: ($1,095,000)
Closing deferred income: $120,000

3) Two risks of material misstatement (with assertion links and responses)

Risk 1: Subscription revenue recognised too early

  • Account/disclosure: Revenue and deferred income
  • Assertions: Cut-off, accuracy, completeness (deferred income)
  • Why (entity-specific): Management historically recognises revenue at sale; bonuses depend on revenue growth; year-end occurs partway through service periods.
  • Likely effect: Revenue overstated; deferred income understated; profit overstated.

Further audit procedures (examples):

  • Cut-off/accuracy: Select a sample of subscriptions around year-end and agree start dates, service periods, and billing to contracts/system records; recalculate revenue recognised to year-end and the deferred portion.
  • Completeness (deferred income): Use system reports of active subscriptions spanning year-end and reperform the deferral calculation; reconcile totals to the ledger and investigate differences.
  • Override risk: Perform journal entry testing focused on revenue/deferred income postings near period end (manual journals, unusual account combinations, late postings).

Risk 2: Discounts not correctly reflected in revenue measurement and presentation

  • Account/disclosure: Revenue, receivables, disclosures about pricing/discounting (if material)
  • Assertions: Accuracy, classification, completeness
  • Why (entity-specific): Heavy introductory discounting in a new market increases complexity (promo codes, manual overrides, credit notes).
  • Likely effect: Revenue and receivables overstated if discounts/credits are omitted or incorrectly calculated; misclassification risk if presentation is inconsistent.

Presentation nuance: In many cases, discounts and price concessions reduce revenue. Only treat an amount as an expense where, in substance, it represents payment for a distinct good or service received from the customer (uncommon in straightforward subscription discounting).

Further audit procedures (examples):

  • Accuracy: Test a sample of discounted sales: agree list price, authorised discount, and net billed amount to invoices and system pricing rules; reperform calculations.
  • Completeness: Review credit notes and refunds issued after year-end relating to pre-year-end sales (returns/price adjustments) and assess whether they indicate incomplete discounting or cut-off errors.
  • Classification: Inspect accounting entries for discounts (contra-revenue vs expense) and evaluate whether the classification is consistent with the substance of arrangements.

4) Walkthrough of the sales transaction process

Select one subscription transaction (ideally one with a discount and one on invoice terms) and follow the evidence trail:

  1. Initiation: customer order/contract; verify authorisation and customer details.
  2. Processing: confirm pricing and discount logic applied; identify any manual override points and approvals.
  3. Recording: trace automated postings to revenue and deferred income; identify any manual journals and who can post them.
  4. Reporting impact: confirm affected balances (revenue, deferred income, receivables) and note the key assertions exposed (cut-off, accuracy, completeness, classification).
  5. Exceptions: observe how refunds/credit notes are initiated, approved, processed, and recorded.

Document the people involved, evidence produced, and gaps identified. Note that this supports understanding of control design and implementation, not operating effectiveness.

5) Impact of the new IT system on financial reporting

A new system can introduce RoMM across multiple balances due to implementation and data risks.

Key considerations and responses include:

  • Data migration (completeness/accuracy): reconcile migrated customer, contract, receivable, and deferred income data to prior system totals and ledgers; test a sample of migrated items back to source records.
  • Interfaces and completeness: test that sales platform/billing feeds to the general ledger are complete and that exception reports are reviewed and resolved.
  • Access controls and override risk: review privileged access, segregation of duties, and audit trails for pricing, discount codes, and credit notes; increase journal testing if override opportunities exist.
  • Report reliability: test key system reports used for revenue recognition and deferral (logic, parameters, and reconciliation to the ledger).

Common pitfalls and misunderstandings

  • Confusing cash with revenue: cash received in advance commonly creates deferred income until service is provided.
  • Ignoring the effect of discounting: incomplete or inaccurate discount recording can overstate revenue and receivables.
  • Assuming a walkthrough proves controls work: walkthroughs support understanding and control design assessment, but operating effectiveness needs further testing.
  • Overlooking FS-level implications of weak governance: pervasive risks may require stronger overall responses (senior involvement, unpredictability, extended journal testing).
  • Missing related party disclosures: identification and disclosure completeness are frequent weaknesses.
  • Underestimating system change risk: migration and interface failures can create widespread completeness and accuracy issues.
  • Over-reliance on explanations: corroborate management statements with documents, system evidence, and independent sources where feasible.

Summary and further reading

Understanding the entity and its environment is the starting point for identifying and assessing RoMM at financial statement and assertion level. That assessment drives overall responses and further audit procedures. Key inputs include the business model, industry and regulatory pressures, governance and culture, related parties, and areas of significant judgement in policies and estimates. Walkthroughs and preliminary analytics help confirm how transactions flow and identify unusual patterns early, with risk assessments refined as evidence is obtained.

For wider reading, use introductory financial reporting and auditing texts and guidance on risk assessment, internal control evaluation, and professional judgement. Focus particularly on subscription revenue models, deferred income movements, and the audit impact of system implementations.

FAQ

Why is understanding the entity and its environment crucial?

Because it is the basis for identifying and assessing RoMM and for designing responses that directly address those risks. Without it, procedures become generic and may miss the main causes of misstatement.

How do accounting policies and estimates affect audit risk?

They are areas where judgement and uncertainty are concentrated. The risk increases when assumptions are optimistic, inconsistent with evidence, or influenced by incentives and pressures.

What is the purpose of a walkthrough?

To confirm how a transaction actually flows, identify where misstatements could arise, and understand the design and implementation of controls. A walkthrough alone does not prove that controls operate effectively throughout the period.

How do incentives and pressures increase misstatement risk?

They can influence both deliberate manipulation and optimistic judgement. The auditor links pressures to specific accounts and assertions (for example, revenue cut-off, completeness of accruals, valuation of receivables, or optimism in estimates).

Why are preliminary analytical procedures important?

They highlight relationships and movements that do not fit expectations and help focus audit work on the most likely misstatement areas early in the audit.

Summary (Recap)

This chapter explains how understanding an entity and its environment feeds into the identification and assessment of risks of material misstatement at financial statement and assertion level, and how those assessed risks drive overall responses and further audit procedures. It shows how incentives and pressures can shape specific risks, why policies and estimates are common hotspots, and how walkthroughs and preliminary analytics support focused risk assessment. The worked example demonstrates how subscription revenue, discounting, receivables, and deferred income interact, and how to express risks and responses with clear assertion links.

Glossary

Business model: How the entity generates value and cash: what it sells, how it delivers, how it prices, how it collects cash, and what costs and balance sheet exposures arise.

Industry risk: External sector conditions and practices that can affect performance and increase the likelihood of misstatement (competition, pricing pressure, obsolescence, supply disruption).

Regulatory environment: The legal and oversight framework affecting operations and reporting, including compliance obligations and the potential impact of changes.

Governance: Oversight structures and behaviours that influence accountability, control discipline, and the reliability of financial reporting.

Related parties: People or entities with relationships that can influence transactions or reporting and create heightened risk of non-routine arrangements or incomplete disclosure.

Accounting policies: The recognition, measurement, and presentation approaches selected and applied in preparing the financial statements.

Accounting estimates: Amounts determined using judgement because outcomes are uncertain (such as expected credit losses, provisions, impairments, fair values).

Management bias: A tendency—intentional or unintentional—to prefer assumptions or outcomes that improve reported results or financial position.

Incentives and pressures: Forces such as targets, bonuses, covenants, or funding needs that can increase the risk of aggressive reporting or optimistic judgement.

Deferred income (contract liability): An obligation arising when amounts are billed/received before the related goods or services have been provided.

Walkthrough: Following a real transaction through initiation, processing, recording, and reporting impact to understand how it works in practice and where misstatements could arise.

Preliminary analytical procedures: Early analysis of trends and relationships to identify unusual movements and guide risk assessment.

Professional scepticism: A questioning mindset and critical evaluation of audit evidence, remaining alert to indicators of error, bias, or intentional misstatement.

3

Planning the Audit: Strategy, Plan, and Team Resources

Learning objectives

By the end of this chapter you should be able to:

  • Distinguish clearly between the overall audit strategy, the detailed audit plan, and area-specific audit programmes, and explain how they fit together.
  • Identify and assess risks of material misstatement, link them to relevant financial statement assertions, and design proportionate audit responses.
  • Use planning analytical procedures to pinpoint unusual trends or relationships and refine audit focus.
  • Plan team resourcing, supervision, and review so that higher-risk and more complex areas receive appropriate expertise and scrutiny.
  • Document planning judgements and decisions so the audit approach is clear, traceable, and defensible.

Overview & key concepts

Audit planning turns an understanding of the entity into a focused approach for obtaining sufficient, appropriate evidence. Good planning improves audit quality, reduces wasted work, and helps the team respond quickly when issues emerge.

Three planning outputs and how they relate

Audit planning usually produces three usable outputs, each answering a different question:

  • Overall audit strategy: What is our overall route and why? It sets scope decisions, timing, the headline approach, and resourcing. It is written for engagement-level control and review.
  • Audit plan: What will we do in response to the risks we’ve identified? It translates risk assessment into specific audit responses and sets the intended nature, timing and extent at a workable level.
  • Audit programmes: What exact steps will the team perform in each area? These are the procedure lists the team executes and signs off for cycles and balances, tailored to the entity’s systems and risks.

The strategy sets direction, the plan turns direction into responses, and programmes turn responses into executable work.

Planning is not a one-off exercise. It should be refreshed when new information becomes available (for example, unexpected results from analytical procedures, changes in the business, or issues identified during interim work).

Overall audit strategy

The overall audit strategy sets the engagement’s direction. It explains:

  • Scope: what is being audited (entities, components, locations, significant classes of transactions and disclosures).
  • Reporting framework and timetable: the applicable framework and the deadlines for completion, approval, and filing.
  • Audit approach: the planned balance between reliance on controls and substantive work, and whether any areas require a more unpredictable approach.
  • Resourcing: how the work will be staffed (skills, seniority, specialists), and key review points.

The strategy should be proportionate to the entity and should highlight the main drivers of risk, complexity, and judgement.

Audit plan

The audit plan converts the strategy into a practical, risk-led set of actions. It sets out the planned nature, timing, and extent of audit responses to assessed risks.

A strong audit plan will:

  • List the identified risks and show which accounts/disclosures they affect.
  • Link each risk to relevant assertions.
  • Specify the planned responses, including:
  • Indicate who will perform the work, when it will be performed (interim/year-end), and how much evidence will be obtained (extent, sample sizes, coverage).

Audit programme

An audit programme is the detailed procedure list used to perform work in a particular area. It is the operational tool that the team executes and signs off.

Programmes should be tailored. A generic checklist is rarely sufficient on its own because it may not reflect the entity’s specific risks, systems, or estimates.

Audit programmes are primarily internal working tools that support consistent execution and documentation. They are not the “big picture” planning output (that is the strategy and plan), and they should be adjusted when risks or findings change.

Assertions used in audit planning

When planning and designing procedures, auditors link risks to assertions. For clarity, it helps to keep the list consistent and to match assertions to what is being tested.

Assertions for classes of transactions and events

  • Occurrence: recorded transactions happened and relate to the entity.
  • Completeness: all transactions that should be recorded are recorded.
  • Accuracy: amounts and other data are recorded correctly.
  • Cut-off: transactions are recorded in the correct accounting period.
  • Classification: transactions are recorded in the proper accounts.
  • Presentation and disclosure: transactions are appropriately described and disclosed.

Assertions for account balances

  • Existence: recorded assets, liabilities, and equity interests exist.
  • Rights and obligations: the entity controls the rights to assets and has obligations for liabilities.
  • Completeness: all balances that should be recorded are recorded.
  • Accuracy, valuation and allocation: balances are recorded appropriately and measured on a suitable basis, including any allocations required (for example, provisions, impairments, and accrual estimates).
  • Classification: balances are appropriately classified (e.g. current/non-current).
  • Presentation and disclosure: balances are appropriately described and disclosed.

Assertions for presentation and disclosure (notes)

  • Occurrence and rights and obligations: disclosed events occurred and relate to the entity, and disclosed rights/commitments reflect the entity’s position.
  • Completeness: all required disclosures are included.
  • Classification and presentation: disclosures are appropriately organised and clearly described (clarity and understandability are part of effective presentation).
  • Accuracy and valuation: amounts and other information are stated correctly and consistently with underlying records.

Professional scepticism

Professional scepticism (planning perspective)

In planning, scepticism is about how readily the team is prepared to believe what it is told, and how quickly it looks for independent support. Explanations are treated as starting points, not conclusions—especially where incentives, judgement, or complexity are present.

Practically, a sceptical plan will:

  • identify where management could be unintentionally wrong (error) and where they might be motivated to present results favourably (bias or fraud);
  • require corroboration for unusual movements (for example, linking a margin change to pricing files, production data, or supplier invoices—not just verbal explanations);
  • build in extra challenge around estimates (methods, key inputs, and whether alternative outcomes are plausible); and
  • include some unpredictability in testing so the work is not entirely easy to anticipate or “manage”.

Risk assessment procedures

Risk assessment procedures help the team understand the entity and identify where misstatements could arise. Common procedures include:

  • discussions with management and relevant staff
  • observation and inspection (process walk-throughs, site visits, review of documents)
  • preliminary analytical procedures
  • understanding key processes and relevant controls
  • considering external factors (market conditions, regulation, supply chain, technology)

The output should be a clear set of assessed risks that drive audit responses.

Planning analytical procedures

Planning analytical procedures are performed early to identify unexpected relationships, unusual movements, or inconsistencies. They typically involve:

  • trend analysis (current vs prior period)
  • ratio analysis (e.g. gross margin, inventory days)
  • comparisons to budgets, forecasts, or non-financial information (units produced, headcount, capacity)

These procedures are used to direct attention and refine the audit plan; they are not performed to “prove” balances are correct at the planning stage.

Expectations should be built on reliable data (for example, reconciled management information, consistent non-financial metrics, or stable historical relationships). Planning analytics may be performed at overall financial statement level and then drilled down to assertion level (or vice versa) depending on the data available and the risks identified.

Investigation thresholds should reflect materiality and the volatility of the line item: stable balances justify tighter thresholds than highly variable lines. Follow-up should be proportionate—a small variance in a volatile area may need limited work, while a modest variance in a stable area may require deeper corroboration.

Nature, timing, extent

These three terms describe how audit procedures are designed:

  • Nature: what type of procedure is performed (inspection, observation, recalculation, confirmation, enquiry, analytical procedures).
  • Timing: when the work is done (interim, year-end, or after year-end) and the period covered.
  • Extent: how much work is done (sample sizes, number of locations tested, level of coverage, thresholds for investigation).

Higher-risk areas generally require more persuasive evidence, later timing, and greater extent.

Significant risk

A significant risk is a risk identified as requiring special audit consideration. In practice, these risks often arise where misstatement is more likely or could be more serious because the underlying area is particularly complex, judgemental, unusual, or susceptible to manipulation.

Significant risks commonly involve:

  • fraud risk factors (including incentives and opportunities to manipulate results)
  • complex accounting or estimation uncertainty
  • unusual or non-routine transactions
  • significant management judgement and potential bias
  • major business change (new systems, rapid expansion, acquisitions, restructures)

When a significant risk is identified, the audit plan typically changes in visible ways: more senior involvement, more robust and targeted tests, and reduced reliance on analytical procedures alone as the primary response.

Materiality in planning

Materiality in planning (how auditors use it)

Materiality helps the team decide what deserves attention and how much evidence is enough. Typically, the audit file will document:

  • Planning materiality: the headline benchmark used to plan work for the financial statements overall.
  • Performance materiality: a working “safety buffer” set below planning materiality to address the risk that smaller misstatements add up across many areas.
  • Materiality for particular items or disclosures (where needed): a lower threshold for classes of transactions, account balances, or disclosures where users may be especially sensitive, or where small errors could matter in context.

In addition, teams often set a clearly trivial threshold for accumulating misstatements identified, to support consistent documentation and evaluation. Materiality should be revisited if the numbers or circumstances change materially during the audit.

Engagement team, supervision, and review

Planning includes ensuring that the engagement team has the competence and time needed for the risks identified. This includes:

  • assigning experienced staff to high-risk areas (estimates, revenue, inventory valuation)
  • involving specialists where necessary (IT, valuations, tax)
  • setting clear supervision and review points (including increased focus on significant risks)
  • ensuring the team understands documentation expectations and how judgements will be evidenced in the audit file

Strong review is not a final-stage activity; it should be built into the timetable.

Core theory and frameworks

Building the overall audit strategy

The overall strategy is developed by moving from understanding to direction-setting:

  1. Confirm scope and reporting requirements
  2. Identify what drives risk and complexity
  3. Set the broad audit approach
  4. Set materiality levels
  5. Plan resourcing and review
  6. Plan communications

The strategy should be documented clearly so it can be traced to assessed risks and the detailed plan.

Converting strategy into a detailed audit plan

A detailed audit plan is built by linking risks to assertions and responses:

  • Risk statements in entity-specific terms (what could go wrong and why).
  • Affected areas: accounts, transactions, and disclosures impacted.
  • Assertions: which assertions are most exposed (e.g. occurrence and cut-off for revenue; valuation for inventory; rights and obligations for goods held by third parties).
  • Planned responses:
  • Nature, timing, extent: set clearly and proportionately.
  • Responsibilities: assign staff, reviewers, and specialists.
  • Contingencies: plan for delays in client schedules, inventory counts, system access, or overseas locations.

Performing planning analytical procedures

A robust approach to planning analytics typically includes:

  • selecting meaningful benchmarks (prior year, budgets, rolling forecasts, non-financial data)
  • building expectations using a simple, explainable basis (e.g. volume × price; margin trends; production output)
  • setting thresholds for investigation (linked to materiality, volatility, and risk)
  • documenting the follow-up required (including corroboration for explanations)
  • updating assessed risks and planned procedures where analytics reveal unexpected patterns

Planning team resources, supervision, and review

Resourcing should follow risk:

  • allocate senior input to significant risks and complex judgements
  • plan specialist involvement early (especially IT and valuation issues)
  • schedule reviews soon after work is performed, not just at the end
  • define escalation triggers (e.g. unexpected margin movements, count discrepancies, control failures)

Risk assessment and response

Audit responses should be proportionate and targeted:

  • higher risk → more persuasive evidence (more reliable sources and more direct testing)
  • greater estimation uncertainty → deeper challenge of assumptions and alternative outcomes
  • reliance on controls → confirm the controls are relevant to the risk and assertion, test design and implementation first, and then test operating effectiveness to decide how far substantive work can be reduced
  • fraud risks → increased unpredictability and procedures that address the possibility of override

Documentation and communication

Planning documentation should enable a reviewer to understand:

  • what risks were identified and how they were assessed
  • why the chosen approach is appropriate
  • how materiality was set and how it influences planned work
  • how procedures respond to significant risks and other assessed risks
  • how resourcing and review align with risk

Communication planning should ensure the entity understands key deliverables, timing expectations, and the importance of timely access to records and personnel.

Worked example

Narrative scenario

ABC Ltd is a manufacturing company that launched a new product line during the year and began selling into several overseas markets. The supply chain now includes multiple freight providers and overseas warehouses. Inventory is tracked through an integrated system that links purchasing, production, dispatch, and invoicing.

The audit team is planning the year-end audit. Early discussions and preliminary information suggest increased risk in inventory valuation, revenue cut-off, and disclosures about the new product line and international expansion. The team also expects reliance on system-generated reports, making the design and operation of IT-related controls particularly important.

Required

  1. Identify key risks arising from the expansion and new product line.
  2. Develop an audit plan addressing these risks, including the nature, timing, and extent of procedures.
  3. Allocate team resources appropriate to risk and complexity.
  4. Document planning decisions clearly.
  5. Perform planning analytical procedures to refine audit focus.

Solution

1) Key risks

Inventory valuation, existence, and rights/obligations

  • A new product line may have limited sales history, increasing judgement in net realisable value and obsolescence provisions (valuation).
  • Overseas warehousing and longer transit times increase the risk of goods in transit being misstated and of inventory being held by third parties under arrangements that affect rights and obligations (existence; rights and obligations; cut-off).
  • System reliance and complex flows increase risk of incomplete or inaccurate inventory records (completeness; accuracy; valuation).

Revenue occurrence and cut-off

  • Overseas delivery terms may vary by customer, increasing risk of revenue recorded in the wrong period (cut-off) or without the underlying dispatch/delivery event (occurrence).
  • System interfaces between dispatch, shipping documentation, and invoicing may fail or be overridden (occurrence; accuracy; cut-off).

Disclosures

  • Expansion and a new product line may require additional disclosures (for example, accounting judgements and estimates, key uncertainties, significant events during the year, and risk exposures). Certain disclosures apply only where the entity falls within the scope of the relevant reporting requirements (completeness; presentation and disclosure).

IT controls and system-generated information

  • Heavy reliance on integrated reporting increases the risk that unreliable system outputs are used as audit evidence.
  • Rapid change increases the risk of weak access controls, poor change management, or interface failures affecting financial reporting (accuracy; completeness).

2) Detailed audit plan (nature, timing, extent)

Inventory

Controls testing (interim, with roll-forward where appropriate)

  • Test key controls over:
  • Evaluate controls over system changes and key automated interfaces that feed inventory records where system reports will be used for audit evidence.

Substantive procedures (primarily year-end)

  • Attendance at inventory counts at significant locations, with coverage based on value and risk:
  • Cut-off testing around year-end:
  • Rights and obligations focus:
  • Valuation testing:

Extent

  • Increase sample sizes and widen location coverage where:

Revenue

Controls testing (interim)

  • Test controls over:

Substantive procedures (year-end focus)

  • Occurrence and cut-off testing:
  • Substantive analytical procedures:
  • Tests of details:

Extent

  • Increase testing for:

Disclosures

Substantive procedures (year-end)

  • Use a disclosure review tailored to the year’s changes (new product line, overseas markets, key estimates).
  • Perform a completeness review of:
  • Review board minutes, major contracts, and post year-end events for disclosure implications.

IT controls and system-generated reports

IT-focused work (early planning and interim)

  • Identify key reports used in financial reporting (inventory listings, margin reports, dispatch-to-invoice reports).
  • Test relevant IT controls (access, change management) and key application controls or automated interfaces underpinning those reports.
  • Where a report will be used as audit evidence, evaluate how it is generated: confirm the report parameters, confirm completeness of the population included, and test the accuracy of key fields back to underlying data.
  • If controls are weak, plan alternative substantive procedures (independent recalculations, expanded testing, and greater use of external evidence).

3) Team resources, supervision, and review

  • Assign an experienced senior to lead inventory work, including count attendance planning and valuation challenge.
  • Allocate a team member with IT controls capability (or an IT specialist) to evaluate system reliance, key reports, and interfaces.
  • Schedule manager-level review of:
  • Plan partner involvement for:

4) Documentation of planning decisions

Document in the planning file:

  • entity understanding and key changes in the year
  • assessed risks and linked assertions (including rights and obligations and occurrence where relevant)
  • materiality decisions (planning, performance, and any particular items/disclosures) and rationale
  • planned responses with nature, timing, extent
  • planned use of controls testing and justification
  • resourcing plan, supervision, and review timetable
  • key client deliverables and agreed deadlines
  • planned communications and escalation triggers

Documentation should allow a reviewer to see the logic from risk identification through to planned work.

5) Planning analytical procedures and how they refine the plan

Perform early analytics such as:

  • Revenue by month, product line, and region:
  • Gross margin by product line:
  • Inventory ageing and inventory days:
  • Freight and duty costs as a percentage of sales:

Using results

  • If analytics show unexpected margin decline in the new product line, increase valuation testing and challenge costing and pricing assumptions.
  • If revenue spikes occur in the final weeks of the year, extend occurrence and cut-off testing and expand journal entry testing.
  • If inventory days increase materially, expand procedures around slow-moving and obsolete inventory and increase the use of post year-end sales evidence.

Common pitfalls and misunderstandings

  • Blurring strategy and plan: The strategy sets direction; the plan specifies detailed responses. Keep them distinct and linked.
  • Listing risks without designing responses: Risks must be tied to assertions and specific procedures, not left as standalone statements.
  • Superficial planning analytics: Comparisons without expectations, thresholds, and follow-up rarely identify the real risk areas.
  • Overreliance on enquiry: Explanations for anomalies should be corroborated, especially in higher-risk areas.
  • Resourcing not aligned to risk: Complex judgements and system reliance require experience and timely review.
  • Ignoring system-generated evidence risks: If key reports cannot be relied upon, the plan must shift to more independent evidence.
  • Not revisiting the plan: Planning should be updated when new risks emerge or interim work identifies weaknesses.

Summary and further reading

Audit planning converts business understanding into a structured, risk-led audit approach. The overall audit strategy sets direction and resourcing, the audit plan translates assessed risks into specific responses (defined by nature, timing, and extent), and audit programmes turn those responses into executable work. Planning analytical procedures highlight where misstatement risk may be higher, helping the team focus effort efficiently. Clear documentation and appropriate supervision ensure that the approach is coherent, proportionate, and defensible.

FAQ

Overall audit strategy vs audit plan — what’s the difference?

Think of the strategy as the engagement’s route-map: it records the big decisions (scope, timing, headline approach, and resourcing). The audit plan is the risk response blueprint: for each assessed risk it sets out what work will be done, by whom, and with what nature, timing and extent. In practice, the strategy helps you control the engagement; the plan helps you execute it.

How do planning analytical procedures improve audit planning?

They highlight unusual movements or relationships that may indicate higher misstatement risk. This allows the team to refine risk assessment, adjust procedures, and concentrate effort where it is most likely to matter. Expectations should be based on reliable data and followed up with corroboration where anomalies are identified.

Why does professional scepticism matter during planning?

Planning involves judgement about what could go wrong and how evidence will be obtained. A sceptical mindset encourages independent corroboration, stronger challenge of estimates, and procedures designed to test the risks rather than simply confirm management’s narrative.

What should an effective audit plan contain?

It should document assessed risks, link them to assertions (including occurrence and rights and obligations where relevant), and set out tailored responses with clear nature, timing, and extent. It should also capture materiality decisions, team responsibilities, review points, and how system reliance (where relevant) will be addressed.

How should work be allocated across the audit team?

Higher-risk and more judgemental areas should be led and reviewed by more experienced staff, and specialists should be used where needed (for example, IT controls or complex valuations). Review should be scheduled early enough to resolve issues without last-minute pressure.

What is the role of materiality in planning?

Materiality helps focus audit work on matters likely to influence user decisions. Performance materiality provides headroom so that several smaller issues across different areas do not unexpectedly add up to a material total. Where relevant, a lower threshold may also be set for particular transactions or disclosures that are sensitive in context, and a clearly trivial threshold may be used for accumulating misstatements identified.

Summary (Recap)

This chapter explained how audit planning is structured and documented. It distinguished between the overall audit strategy (direction and resourcing), the audit plan (risk-led responses defined by nature, timing, and extent), and audit programmes (detailed area procedures used to execute and document work). It emphasised consistent use of assertions, linking risks to procedures, using planning analytical procedures to refine focus, and allocating resources and review in line with risk and complexity. It also highlighted common pitfalls that weaken planning quality and audit defensibility.

Glossary

Glossary (exam-focused, “what it answers”)

Overall audit strategy

Purpose: sets the engagement’s route-map. Answers: “Where are the big risks, what’s our broad approach, and who/when is needed?” Typically covers: scope decisions, timing (interim vs year-end), headline approach (controls vs substantive), resourcing and review points.

Audit plan

Purpose: turns risks into planned responses. Answers: “What procedures will we do for each risk, and how much work is enough?” Typically covers: risks, linked assertions, responses (controls testing and/or substantive), and the planned nature/timing/extent.

Audit programme

Purpose: the team’s step-by-step worklist for a specific area. Answers: “What do I actually do on revenue/inventory/payroll—and how do I evidence it?” Note: an internal execution tool; update it when risks or findings change.

Assertions

Meaning: the implied claims made when financial statements are prepared (about transactions, balances, and disclosures). Use in planning: match each risk to the assertion(s) most exposed, then design procedures that directly test those assertions.

Professional scepticism

Meaning: a questioning approach that looks for independent support, especially where judgement, incentives, or complexity exist. Planning impact: pushes the team to corroborate explanations, challenge estimates, and build in some unpredictability.

Risk assessment procedures

Meaning: the work done to understand the entity and pinpoint where misstatements could arise. Output: assessed risks that drive the audit plan.

Planning analytical procedures

Meaning: early comparisons and relationships used to spot where results don’t “make sense” and where audit effort should concentrate.

Nature, timing, extent

Nature: what kind of test (inspection, confirmation, recalculation, etc.). Timing: when it’s performed (interim/year-end). Extent: how much work (coverage, sample sizes, thresholds).

Significant risk

Meaning: a risk needing special attention due to complexity, judgement, unusual features, or susceptibility to manipulation. Planning effect: more senior focus and more robust, targeted responses.

Planning materiality / Performance materiality / Materiality for particular items

Planning: overall benchmark for planning work. Performance: a lower working level so many small issues do not unexpectedly add up. Particular items: lower threshold where context makes smaller misstatements important.

Clearly trivial threshold

Meaning: a practical cut-off below which items aren’t accumulated because they are clearly inconsequential.

Engagement team / Supervision and review

Meaning: who does the work and how it’s directed and checked so the file supports the conclusions.

4

Materiality: Setting Thresholds and Using Them


Learning objectives

By the end of this chapter, you should be able to:

  • Calculate planning materiality using a suitable benchmark and a transparent method.
  • Set performance materiality and a clearly trivial threshold to guide testing and evaluation.
  • Explain how materiality influences sampling, testing scope and the design of audit procedures.
  • Identify situations where a small misstatement is significant because of its nature.
  • Evaluate misstatements individually and in aggregate, and determine the appropriate audit response.

Overview & key concepts

Materiality is the audit team’s practical threshold for deciding what matters in the financial statements overall. It helps determine where to focus work, how much evidence to obtain, and how to evaluate differences found during the audit.

A simple materiality map

Materiality is often applied as a ladder of related thresholds:

  • Overall (planning) materiality: top-level tolerance for misstatement in the financial statements overall.
  • Performance materiality: a lower working limit used to design testing and reduce the risk that remaining differences add up to something significant.
  • Clearly trivial threshold: a posting cut-off for the audit difference schedule so the team does not spend time documenting items that are plainly inconsequential on their own.
  • Specific materiality: a separate (often lower) threshold for particular balances, classes of transactions or disclosures that are especially sensitive.

Core theory and frameworks

Setting planning materiality

Planning materiality is set early and acts as the anchor for audit planning. It reflects the point at which a misstatement—by size or nature—would be likely to change how a typical user interprets performance, financial position, liquidity, or stewardship.

Step 1: Choose a benchmark

Pick a benchmark that best matches what users are most likely to focus on:

  • Profit before tax (PBT): often used where profitability is the main focus and profits are stable.
  • Revenue: may be more useful where profits are volatile, margins are thin, or revenue size drives attention.
  • Total assets / net assets: often relevant for asset-based entities or where balance sheet strength is central.

Step 2: Choose a percentage

The percentage is a judgement. It is shaped by factors such as:

  • stability and predictability of results,
  • strength of controls and governance,
  • extent of estimates and judgemental areas,
  • history of misstatements and adjustments,
  • incentives and pressures that could create bias.

A higher risk profile generally supports a lower percentage; a stable, low-risk entity may justify a higher percentage within common practice.

Step 3: Calculate

Planning materiality = benchmark × percentage.

Calculating performance materiality

Performance materiality is the audit team’s working tolerance for planning tests at account-area level. It is set below overall materiality to reflect practical realities: findings are identified in separate cycles, some issues may remain unadjusted, and small differences can accumulate across the statements. Setting a lower working limit helps keep the total of remaining differences within the overall level the auditor is prepared to accept.

Performance materiality is commonly set as a percentage of planning materiality (for example, 50%–80%), adjusted for:

  • expected level of misstatements,
  • quality of internal controls,
  • subjectivity of estimates,
  • number and complexity of locations/systems,
  • changes in management or finance function capability.

Establishing a clearly trivial threshold

The clearly trivial threshold is a posting/recording cut-off for the audit difference schedule. It helps the team avoid spending time documenting items that are plainly inconsequential on their own.

However, very small items may still be noted where they point to a wider issue, such as:

  • repeated errors suggesting control weakness,
  • a pattern of one-directional bias,
  • sensitivity around particular disclosures,
  • signs that management judgement is consistently optimistic or conservative.

In many approaches, clearly trivial is set at around 1%–3% of planning materiality, though it varies by firm methodology and the expected volume of differences.

Specific materiality for particular areas

Some areas can influence user judgement even when amounts are small. In those cases, auditors may set a specific (lower) materiality for:

  • sensitive disclosures (e.g., related parties, key management matters),
  • items affecting compliance with key contractual terms (e.g., covenants),
  • disclosures central to the narrative users rely on (e.g., going concern and liquidity commentary),
  • areas of heightened regulatory or reputational sensitivity.

Specific materiality does not replace overall materiality. It sits alongside it, ensuring that important areas are evaluated using a threshold that fits their importance.

How materiality drives sampling and scope

Materiality affects both what is tested and how much is tested.

  • Tolerable misstatement is often derived from performance materiality and may be allocated across significant balances and disclosures.
  • Where tolerable misstatement is lower, the auditor typically increases sample sizes or performs more substantive procedures to obtain sufficient appropriate evidence.
  • Materiality also influences whether the approach emphasises:

At completion, misstatements from sampling are considered in terms of known differences and any projection to the wider population before forming an overall conclusion.

Evaluating misstatements (including presentation and disclosure)

A misstatement includes any error in:

  • measurement (wrong amount),
  • classification/presentation (wrong line item or wrong category),
  • disclosure (missing or misleading information).

The conclusion step looks at the statements together, including the notes. A misclassification that does not affect profit can still be significant if it changes how users read liquidity, solvency, or risk.

Where misstatements consistently increase profit or assets, the auditor considers whether this suggests management bias or a fraud risk requiring further response.

Revising materiality during the audit

Materiality may need revision if new information makes the original benchmark or assumptions inappropriate (for example, profit changes significantly, or the business experiences an unexpected impairment or restructuring).

If revised, the audit plan and evaluation work should be updated, and the basis for revision clearly documented.

Documentation and communication

Materiality decisions should be recorded in a way that another experienced auditor could follow: what benchmark was chosen, why the percentage makes sense for this engagement, how performance materiality and the posting threshold were derived, and whether any lower thresholds were set for sensitive areas. The audit file should also show how uncorrected differences were discussed with management and how key points were reported to the people responsible for overseeing the financial reporting process.

Worked example

Narrative scenario

ABC Ltd is a manufacturing company with the following results for the year ended 31 December 2025:

  • Revenue: £700,000
  • Profit before tax (PBT): £101,500 (14.5% margin)
  • Total assets: £500,000

ABC Ltd has been stable and profit-focused. Users concentrate mainly on profitability. The company has historically produced accurate figures, but recent management changes add uncertainty about the risk of error.

During the audit, the following matters are identified:

  1. £20,000 overstatement of inventory.
  2. £15,000 understatement of revenue.
  3. £10,000 misclassification of a bank overdraft as cash.
  4. £5,000 error in depreciation calculation.
  5. £3,000 omission in related-party transaction disclosure.
  6. £2,000 error in accruals.
  7. £1,500 overstatement of trade receivables.
  8. £1,000 understatement of trade payables.
  9. £500 error in VAT calculation.
  10. £250 error in payroll tax calculation.

Required

  • Calculate planning materiality using PBT as the benchmark.
  • Set performance materiality and a clearly trivial threshold.
  • Evaluate the identified misstatements and determine their impact on the financial statements.
  • Consider qualitative factors and decide on necessary adjustments.

Solution

1) Planning materiality

Benchmark: Profit before tax (PBT) = £101,500

Because management changes increase uncertainty, a lower percentage is used to reflect the higher risk of misstatement than in a fully settled, long-stable environment.

Percentage: 4%

Planning materiality = £101,500 × 4% = £101,500 × 0.04 = £4,060

2) Performance materiality

Performance materiality factor: 75%

Performance materiality = £4,060 × 75% = £4,060 × 0.75 = £3,045

A 75% factor remains appropriate here because, despite management change, the entity has a strong track record of accurate reporting and there is no evidence (at this stage) of widespread control failure.

Rounding principle: thresholds are commonly rounded for practical use, provided the basis and rounding approach are documented consistently.

Rounded performance materiality: £3,050 (nearest £50)

3) Clearly trivial threshold

To avoid learners treating a high percentage as a default, a lower rate is used here given the likelihood of multiple small differences.

Clearly trivial: 2% of planning materiality

Clearly trivial = £4,060 × 2% = £4,060 × 0.02 = £81.20

Rounded clearly trivial threshold: £80 (nearest £10)

In practice the threshold is set to balance workload and risk; here it is kept deliberately low for training discipline and because multiple differences are expected.

4) Evaluate the misstatements

4.1 Profit effect (measurement misstatements)

Assumed directions for teaching purposes (because the scenario lists several “errors” without stating whether they increase or decrease profit):

  • Depreciation error is an undercharge of £5,000 (expense understated; profit overstated).
  • Accruals error is an underaccrual of £2,000 (expense understated; profit overstated).
  • Trade payables understatement of £1,000 relates to unrecorded invoices (expense/cost of sales understated; profit overstated).
  • Payroll tax error is an underaccrual of £250 (expense understated; profit overstated).

Profit impact schedule

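  • Inventory overstatement: profit overstated by £20,000
  • Revenue understatement: profit understated by £15,000
  • Depreciation undercharge: profit overstated by £5,000
  • Accruals underaccrual: profit overstated by £2,000
  • Unrecorded trade payables: profit overstated by £1,000
  • Payroll tax underaccrual: profit overstated by £250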

Net overstatement of profit = 20,000 − 15,000 + 5,000 + 2,000 + 1,000 + 250 = £13,250

Comparison to materiality

  • Net profit misstatement £13,250 exceeds planning materiality £4,060.
  • Individual items (e.g., £20,000 inventory; £15,000 revenue) far exceed performance materiality and would drive extensive audit work and proposed adjustments.

4.2 Presentation/classification misstatement (no profit effect)

Bank overdraft misclassified as cash (£10,000)

  • Profit impact: nil
  • Presentation impact: cash and cash equivalents overstated and liabilities understated (or overdraft omitted from liabilities).

Even with no profit effect, this can distort working capital, liquidity and cash metrics. It is therefore evaluated as a potentially significant misstatement in presentation and is normally corrected.

4.3 Balance sheet misstatements that may indicate a profit issue

Trade receivables overstated (£1,500)

An overstatement of receivables often points to an underlying cause that may affect profit, for example:

  • revenue cut-off / revenue recognition errors, or
  • insufficient impairment/allowance for uncollectible amounts.

In this scenario it is presented as a receivables overstatement; in practice, the audit response would be to determine why the receivable is overstated and whether an income statement effect should also be recognised.

4.4 VAT error (£500)

VAT often does not affect profit where it is recoverable/payable to the tax authority and correctly excluded from income and expense captions. This assumption holds unless VAT is irrecoverable, the error is embedded within revenue/expenses, or penalties/interest arise. The audit response should confirm which applies.

4.5 Disclosure misstatement and specific materiality

Related-party disclosure omission (£3,000)

This is primarily assessed by nature, not size. Related-party information can be important because it affects how users interpret transparency, governance and whether transactions were conducted appropriately.

This is a strong candidate for specific materiality, using a lower threshold than overall materiality for related-party disclosures. Even if the amount is below planning materiality, the omission can still require correction due to sensitivity.

5) What to do next (exam-focused actions)

  1. Discuss with management and request adjustments for:
  2. Extend testing where needed (especially where misstatements exceed performance materiality):
  3. If management refuses to correct:

Common pitfalls and misunderstandings

  • Using a percentage without linking it to risk: management change, weak controls or significant estimates usually justify a lower percentage.
  • Treating a high “clearly trivial” percentage as normal: lower thresholds are common where many small differences are expected.
  • Assuming VAT never affects profit: confirm recoverability and whether the VAT error is embedded in income/expense lines.
  • Overlooking causes of receivable misstatements: receivables often connect to revenue recognition or impairment.
  • Ignoring presentation and disclosure: misclassification (e.g., overdraft vs cash) and missing disclosures can matter even where profit is unchanged.
  • Relying on offsetting as a justification: aggregated evaluation is required, but offsetting should be understood, not assumed, and bias should be considered.
  • Weak documentation of judgements: benchmark choice, percentages, rounding and revisions must be clearly explained and consistently applied.

Summary and further reading

Materiality converts professional judgement into practical audit thresholds. Overall materiality anchors planning; performance materiality provides a buffer for designing procedures; the clearly trivial threshold prevents time being spent documenting items that are plainly inconsequential on their own. Specific materiality ensures sensitive areas—especially disclosures—are evaluated using an appropriately low threshold.

Materiality is applied to both numbers and narrative: measurement, classification, presentation and disclosures are all capable of being materially misstated. Differences are assessed individually and in aggregate, with thresholds revisited when circumstances change.

FAQ

How is planning materiality determined?

Planning materiality is set by selecting a benchmark that reflects what users focus on (often profit, revenue or assets) and applying a percentage that fits the entity’s risk profile and stability. The result provides a clear anchor for planning and scaling audit work.

What is the difference between planning materiality and performance materiality?

Planning materiality is the top-level tolerance for misstatement in the financial statements overall. Performance materiality is a lower working limit used to design testing, providing a buffer so that remaining differences are less likely to add up to something significant overall.

Why can a small misstatement still be significant?

Some matters are sensitive because of their nature—such as covenant-related items, liquidity presentation, and related-party disclosures. Even small differences in these areas can change how users interpret the financial statements.

How should items below the clearly trivial threshold be handled?

They are generally not posted to the formal audit difference schedule. However, very small items may still be noted where they suggest repeated errors, bias, control weaknesses or sensitivity around particular disclosures.

When should materiality be revised during the audit?

When new information makes the original benchmark or assumptions inappropriate—such as major changes in profit, unexpected impairments, or significant volatility. Any revision should be documented and its effect on testing and conclusions considered.

Summary (Recap)

This chapter explained how to set and apply materiality thresholds in audit work. It introduced a practical “materiality map” covering overall materiality, performance materiality, clearly trivial thresholds and specific materiality for sensitive areas. It also showed how materiality influences sampling and testing scope, and how misstatements are evaluated across measurement, presentation and disclosure. The worked example demonstrated how misstatements can exceed overall materiality, why presentation/disclosure issues may still matter without profit impact, and what actions follow when differences remain uncorrected.

Glossary

Materiality

A practical threshold used to judge whether a difference in the financial statements could change how users interpret performance, position, liquidity or stewardship.

Planning materiality

An overall tolerance for misstatement in the financial statements as a whole, set early to anchor planning and scale audit work.

Performance materiality

A lower working limit used to plan and perform audit procedures, providing a buffer so remaining differences are less likely to add up to something significant overall.

Clearly trivial threshold

A posting cut-off for the audit difference schedule used to avoid documenting items that are plainly inconsequential on their own, while still noting very small items that indicate wider issues.

Specific materiality

A separate (often lower) threshold for particular balances, classes of transactions or disclosures that are especially sensitive or important to users.

Misstatement

Any error in measurement, classification, presentation or disclosure, including omissions.

Corrected misstatement

A misstatement adjusted by management so it does not remain in the final financial statements.

Uncorrected misstatement

A misstatement identified during the audit that remains unadjusted at completion and must be evaluated individually and in aggregate.

Aggregation

Considering the combined effect of uncorrected differences across the financial statements, alongside their causes and qualitative significance.

Projected misstatement

An estimate of misstatement in a full population derived from results found in a sample, used when evaluating the overall impact of sampling results.

Revision of materiality

Updating thresholds when the original benchmark or assumptions no longer reflect the entity’s circumstances, requiring the audit plan and evaluation to be updated accordingly.

Users of financial statements

People who rely on the financial statements for decisions; understanding their likely focus helps in choosing benchmarks and setting sensible thresholds.


Developed by Accounting Body Editorial Team · Written and reviewed by qualified accountants · Always free