ICAEW.com works better with JavaScript enabled.

Audit planning and risk assessment

Effective planning of an audit is essential to ensure that auditors focus on the areas of greater risk and carry out their audits efficiently. This section has support tools to assist you in achieving audit objectives.


Practical guidance and learning material

Support materials on achieving audit objectives and audit materiality.

Risk assessment and internal controls

Risk assessment and internal controls: continuing challenges for auditors

Risk assessment is critical to the conduct of all financial statement audits. The idea of a ‘risk-based’ approach to auditing has been around for at least 20 years, and it is not a difficult concept: it refers to the focus of the audit process on those areas that are most at risk of material misstatement. But both auditors and regulators report problems in in applying the relevant auditing standards consistently.

The last major revision to the auditing standards governing risk assessment in an audit (the ‘risk ISAs’ referring to ISAs 315 Identifying and assessing the risks of material misstatement through understanding the entity and its environment and 330 The auditor’s procedures in response to assessed risks) was finalised in 2003. Firms of all sizes initially struggled to apply the new requirements and there was general agreement that while there was nothing inherently difficult about the new ISAs, they were unwieldy, not an easy read, and that they were particularly hard to apply to smaller, less complex audits.

A ‘clarification’ process in 2010 was intended to eliminate unnecessary complexity in the structure of the ISAs, to make them clearer. Despite this, some believe that the risk ISAs are still unnecessarily lengthy, still hard to apply to smaller less complex audits and that they may be conceptually flawed, as well as being out of date.

International Standards on Auditing (ISAs) apply to audits of all sizes and they must accommodate the largest of audits, in all of their complexity, as well as smaller ones. While they are intended to be capable of proportionate application to smaller, less complex audits, problems in applying them persist and many auditors continue, after over a decade, to struggle to apply them efficiently to such audits. There are a number of reasons for this. Part of the issue is a lack of understanding of the standards themselves among some auditors. But extensive educational efforts by professional bodies and others have not eliminated these problems, some of which seem intractable. Part of the problem inevitably lies in the ISAs themselves, and some problems almost certainly pre-date all of the changes.

For example, for auditors of smaller, less complex entities, there are continuing problems with the work required on internal controls as part of understanding the business, even when a wholly substantive approach is taken. In many audits there are problems with the linkages between risk assessment and the auditors’ response, and both regulators and auditors complain about inconsistences in how risks, and particularly ‘significant risks’, which require additional audit work, are defined in the ISAs and assessed in practice.

The risk ISAs are being revised. IAASB’s post-implementation review of the clarified ISAs highlighted a number of significant issues that need to be addressed, and the IAASB now has these ISAs on its agenda. An initial discussion is scheduled for the March 2016 meeting.

Risk assessment and internal controls: continuing challenges for auditors is a contribution to the debate. It is a series of three articles intended to stimulate and inform debate in this singularly critical area. Some of these issues highlighted are relevant to larger audits, but many are disproportionately problematic in smaller, less complex audits.

These articles are not a comprehensive review of issues with the risk ISAs. Rather, they focus on areas from the auditors’ perspective, and in particular on the application of the risk ISAs to smaller, less complex audits. All three articles have been written with extensive input from ICAEW auditors.

The three articles cover:

  • aspects of risk assessment and the auditor’s response thereto that continue to present challenges to auditors, and IAASB’s plans to address them;
  • continuing challenges arising from required audit work on documenting and testing internal controls; and
  • required audit work on the design and implementation of internal control components in smaller and less complex audits: this article first appeared in the May 2014 edition of Audit & Beyond.
Relevant articles

Practical articles written by practitioners and ICAEW staff in the area of audit planning and risk assessment.

  • First year audit challenges
    This article discusses some of the practical issues auditors face when taking on new audit clients.
  • Materiality in audits
    This article looks at how auditors can improve judgements and communications on materiality and highlights available resources from ICAEW.
  • Audit quality insights from False Assurance
    This article looks at the lessons that can be learned about audit quality from the False Assurance film
  • On your marks
    This article looks at IAASB’s project to revise ISA 315, the issues being tackled by the taskforce and pointers for what may be ahead.
  • Leaping into action: identifying risks, sound assessments and the right responses 
    This article looks at how to better identify, assess and respond to risk.
  • Behind the scenes 
    This article looks at how auditors of small entities need to understand the design and implementation of internal controls, even when they take a fully substantive approach to risk assessment.

  • Crafting Cooperation
    This article looks the benefits of an effective collaboration between internal and external auditors together with the necessary safeguards.

  • Devil in the detail
    ISA 200 overall objectives of the independent auditor and the conduct of an audit in accordance with international standards on auditing includes an explicit requirement for an auditor to plan and perform an audit with professional scepticism. Demonstrating professional scepticism that has been applied in the audit can provide challenges such as fraud, related parties and accounting estimates.

  • Big questions small audits
    These Q&As discuss some of the issues associated with the idea of proportionality as it is applied to audits that are conducted using International Standards on Auditing (ISA).

IAASB guidance, support tools and news

Guidance and support from the IAASB in the area of audit planning.

FAQs in Audit Planning