Section 2

PLANNING PHASE

LEARNING OBJECTIVES

1. Analyze the role of audit planning in minimizing audit risk and enhancing audit quality.
2. Compare and contrast the focus areas between COA Audit and External Audit, evaluating how
their differing orientations shape the audit strategy.
3. Understand the process of determining the appropriate materiality thresholds and analyze
the steps in performing risk assessments during an audit.
4. Analyze and determine the relevant response to the risks identified given the degree of
inherent and control risks involved with the use of the Risk Decision Table.
5. Examine the preparation of the audit engagement plan, emphasizing the integration of audit
strategy and risk assessments.

OVERVIEW OF AUDIT PLANNING

Audit planning involves establishing the overall audit strategy for the engagement and developing
an audit plan, in order to reduce audit risk to an acceptably low level.

Under ISSAI 1300, planning is not a discrete phase of an audit but rather a continual and iterative
process that often begins shortly after the completion of the previous audit and continues until the
completion of the current audit.

STEPS IN AUDIT PLANNING

1. Preparing the Overall Audit Strategy

Overall audit strategy sets the scope, timing and direction of the audit and guides the development
of the more detailed audit plan. The establishment of overall audit strategy involves:

a. Identifying the characteristics of the engagement that define its scope

b. Ascertaining the reporting objectives of the engagement to plan the timing of the audit and
the nature of the communications required
c. Considering the factors that, in the auditor’s professional judgment, are significant in
directing the engagement team’s efforts
d. Considering the results of preliminary engagement activities and, where applicable, whether
knowledge gained on other engagements performed by the engagement partner for the entity
is relevant
e. Ascertaining the nature, timing and extent of resources necessary to perform the
engagement.

COA AUDIT EXTERNAL AUDIT

The overall audit strategy is prepared by the The standard does not specify who is
Audit Team Leader (ATL), reviewed by the responsible in preparation, review and
Supervising Auditor/Regional Supervising approval. However, the engagement partner
Auditor (SA/RSA), and approved by the (or lead auditor) is responsible for audit
Cluster Director/Regional Director planning and may delegate tasks to
(CD/RD). appropriate team members.
Changes in strategy must be recommended The overall audit strategy and the audit plan
by the SA/RSA and approved by the CD/RD, should be updated as necessary during the
ensuring a structured hierarchy in decision- course of the audit. Significant changes must be
making. documented but generally do not require
external approval – the decision remains with
the audit team and engagement partner.
2. Conducting Preliminary Risk Assessment

Risk is the probability of an act or event occurring that would have an adverse effect in the
achievement of an agency’s objectives.

Agency risk is defined as the threat that an event, action or inaction will adversely affect the
agency’s ability to successfully achieve its mandate and objectives and execute its strategies. On the
other hand, the risk that the auditor may express an inappropriate opinion on the FS is known as
audit risk.

Components of Audit Risks

a. Inherent risk is the susceptibility of an assertion, about a class of transaction, account

balance or disclosure to a misstatement that could be material, either individually or when
aggregated with other misstatements, before consideration of any related controls.

Factors that may affect inherent risk assessment:

1. Judgement – a high degree of judgement is involved
2. Estimates – significant estimates are included in transactions
3. Complexity – transactions in which a business engages are highly complex, and so
are more likely to be completed or recorded incorrectly

b. Control risk is the risk that a misstatement that could occur in an assertion about a class of
transaction, account balance or disclosure and that could be material, either individually or
when aggregated with other misstatements will not be prevented, or detected and
corrected, on a timely manner by the entity’s internal control.

Preliminary assessment of control risk is based on the following:

a. Evaluation of the design of controls done in Understanding the Process activity;
b. Information obtained from prior periods’ engagements, if available; and
c. Information obtained from the results of walkthrough procedures.

c. Detection risk is the risk that the auditor’s procedures will not detect a misstatement that
exists in an assertion that could be material, individually or when aggregated with
misstatements.

Understanding the Audit Entity

COA AUDIT EXTERNAL AUDIT

Resident auditors conduct financial and External auditors must obtain sufficient
compliance audits obtaining broad understanding of the entity and its
knowledge of agency operations summarized environment including its internal control.
in the Understanding the Audit Entity (UTA)
Template.
The UTA template may include the following: Understanding involves obtaining knowledge
a. A general overview of the entity’s about the entity’s:
organization and operations; a. Industry, regulatory and other external
b. The agency’s main activities and critical factors
processes; b. Nature of the entity
c. Projects/Programs/Activities; c. Objectives and strategies and the
d. Results of previous audit; related business risks that may result
e. Auditor’s notes on any component that in a material misstatement of the FS
may be significant to the conduct of d. Measurement and review of the entity’s
financial audit. financial performance
e. Internal control
Updating Information Base for Financial Audit and Conducting Preliminary Risk Assessment

COA AUDIT EXTERNAL AUDIT

COA Audit places significant importance on External auditors often obtain financial
government-specific sources, categorized as information directly from the entity and
1. COA information base assess the risks associated with the business
2. Auditees and other offices environment.
3. Generated based on audit analysis
performed

Updating the Understanding of the Agency’s Internal Control System (AICS)

Internal Control is an integral process that is effected by an agency’s management and personnel,
and is designed to address risks and provide reasonable assurance that in pursuit of the agency’s
mission, the general objectives are being achieved.

Components of Internal Control (CRIME)

1. Control Environment – sets the tone of an organization, influencing the control

consciousness of its staff. It is the foundation for all other components of internal control,
providing discipline and structure.
2. Risk Assessment – process of identifying and analyzing relevant risks to the achievement
of the agency’s objectives and determining the appropriate response.
3. Control Activities – The policies and procedures established to address risks and to
achieve the agency’s objectives. The procedures that an organization puts in place to treat
risk.
4. Information & Communication – effective processes and systems that identify, capture
and report operational, financial and compliance-related information in a form and
timeframe that enable people to carry out their responsibilities.
5. Monitoring – the process that assesses the quality of the internal control system’s
performance over time

Test of Internal Control Design

The Control Design may be tested in the following manner:

1. Inquiring – ask appropriate people

2. Observing – watch them do the operation or do the particular steps
3. Inspecting relevant documents – get a copy of the report, look through the pages or items
and the comments that

Types of Controls

1. Preventive Controls are designed to discourage errors or irregularities from occurring.

2. Detective Controls are designed to find errors or irregularities after they have occurred.

Considering the Work of Internal Auditors

External auditors, in this case COA Auditors, can also use the works of Internal Auditors, when they
have determined that the internal audit function is likely to be relevant to the audit. The internal
auditor is sufficiently removed from political pressure to conduct audits and report observations,
opinions, and conclusions objectively without fear of political reprisal.
Testing Compliance with the General Accounting Plan (GAP)

COA AUDIT EXTERNAL AUDIT

The GAP shows the overall accounting system The external audit aims to increase confidence
of the agency/unit including the standard in the information mentioned in its financial
source documents, the flow of transactions and statements and ensure its integrity. It also aims
recording in the books of accounts, and their to improve that information by detecting its
conversion into financial information/data errors, early modification, and detecting any
presented in the financial reports. manipulation that occurs

Financial Statements Analysis

1. Variance analysis – The auditor can compare the latest set of FS and the corresponding
period of the preceding year’s FS balances.
2. Tie in analysis – The auditor compares the figures of the accounts or group of accounts or
contra accounts in the FS and reported in Notes to FS.

Assessing Other Matters for Consideration

Understanding Fraud Risks

Misstatements in the FS can rise from either fraud or error. Although fraud is a broad legal concept,
the auditor is concerned with fraud that causes a material statement in the FS.

Two Types of Intentional Misstatements

1. Misstatements resulting from fraudulent financial reporting

2. Misstatements resulting from misappropriation of assets

Understanding Risks from Noncompliance with Laws, Rules and Regulations

Non-compliance by the entity with laws and regulations may result in a material misstatement of
the FS. Detection of noncompliance, regardless of materiality, may affect other aspects of the audit.

COA AUDIT EXTERNAL AUDIT

COA Audit focuses on compliance with External Audit primarily assesses the financial
government laws and regulations. impact of noncompliance.
COA’s findings may result in legal actions or External Auditors primarily report findings to
financial disallowances. stakeholders without direct enforcement
power.
COA audits cover operational, financial, and External Audits focus mainly on financial
regulatory risks. statement accuracy.

Assessing Related Parties

Related parties pertain to

a. Persons or other entities that have control or significant influence, directly or indirectly
through one or more intermediaries, over the reporting entity.
b. Entities over which the reporting entity has control or significant influence, directly or
indirectly through one or more intermediaries.
c. Other entities under common control with the reporting entity through having common
controlling ownership and common key management.
Summarizing the Results of Preliminary Identification of Risks

In summarizing the information gathered, focus is on conditions which will facilitate identification
of risk of misstatements due to errors or fraud on the FS as a whole or to specific accounts at the
assertion level during the risk assessment process.

Assertions in considering misstatements

The potential misstatements may be groups into three categories considering the following
assertions:

1. Transaction level assertions

a. Occurrence
b. Completeness
c. Accuracy
d. Cutoff
e. Classification

2. Account level assertions

a. Existence
b. Rights and Obligations
c. Accuracy, valuation and allocation
d. Classification

3. Presentation and Other Disclosures

a. Presentation
b. Understandability
c. Accuracy
d. Completeness
e. Occurrence

3. Conducting Final Risk Assessment

Materiality

ISSAI 1320 and PSA 320 explains that misstatements and omissions are considered to be material if
they, individually or in aggregate, could reasonably be expected to influence the economic
decisions of users of the FS.

Materiality Levels

a. Overall materiality is an amount set to establish whether or not the financial statements can
be regarded as materially misstated.
b. Performance materiality is the amount set at less than the overall materiality to lower the
risk of not being able to detect uncorrected and undetected misstatements which in the
aggregate, may be considered material for the overall financial statements.
c. Specific materiality refers to the amount or amounts set at less than overall materiality for
particular classes of transactions, account balance or disclosures which may reasonably be
expected to influence the economic decisions of users taken on the basis of FS.
Materiality Threshold

Materiality threshold pertains to the amount of materiality set as benchmark to evaluate the
significance of misstatements or omissions noted during audit.

COA AUDIT EXTERNAL AUDIT

The Audit Team Leader shall determine the The engagement partner shall determine the
materiality thresholds particular to the audited appropriate materiality threshold.
entity, subject to the review of the Supervising
Auditor and to the approval of the Cluster
Regional Director concerned.

Calculating Materiality

COA AUDIT EXTERNAL AUDIT

Step 1: Selecting an appropriate benchmark
The Audit Team Leader shall determine the Examples of benchmarks that may be
benchmark to be used, either total appropriate, depending on the circumstances of
expenditures or total assets or total the entity, include categories of reported
revenues, subject to the review of the income such as profit before tax, total
Supervising Auditor/Regional Supervising revenue, gross profit and total expenses,
Auditor and approval of the Cluster total equity or net asset value.
Director/Regional Director.
Step 2: Identifying appropriate financial data for the selected benchmark
The benchmark figures shall be based on the Relevant financial data ordinarily includes
unaudited FS for the current year-end unless prior periods’ financial results and financial
the same is not available. In such case, the positions, the period-to-date financial
audited FS figures for the past year-end are results and financial position, and budgets
used to be adjusted upon availability of the or forecasts for the current period.
current year-end unadjusted FS.
Step 3: Calculating materiality based on established percentages
The levels of materiality thresholds are set and Determining a percentage to be applied to a
applied in the following manner, unless a chosen benchmark involves the exercise of
different materiality benchmark/computation professional judgment.
is required thru the issuance of a materiality
circular or guidelines:
a. The overall materiality shall be set at 1
percent of the total selected
benchmark.
b. The performance materiality shall be
set at 50 percent of the overall
materiality. Testing threshold for high
value items shall be set at 25 percent of
performance materiality.
c. The specific materiality shall be set at
0.20 percent for the chosen class of
transactions, account balances or
disclosures.
Assessing Risks and Determining Risk Responses

Performing Risk Assessment

COA AUDIT EXTERNAL AUDIT

Step 1: Inherent Risk Identification
There are two major classifications of inherent In standard, inherent risk is one of the
risk: agency risk and fraud risk. components of risks of material
misstatement together with control risk.
For identifying risks, the auditor considers
factors like the nature of the operation, Identify risks of material misstatement based
accounting policies, and objectives. on understanding the entity and its
environment, including the entity’s relevant
internal control.
Step 2: Inherent Risk Assessment
Risk assessment involves consideration of two Assess the level of inherent risk such as low,
attributes about inherent risks: medium, or high.
a. the likelihood of a misstatement
occurring as a result of the risk with the Sources of assessment include knowledge of
probability rated as high, moderate or the entity and its environment, and
low; and preliminary analytical procedures.
b. the magnitude (monetary impact) if
the risk would occur.

The auditor should gather information from the

concerned management officials about their
risk assessment process and as to how risks are
identified and managed.
Step 3: Identification of Significant Risks
A significant risk is where the assessed risk of material misstatement is so high that in the auditor’s
judgment, it will require special audit consideration as in these cases:
a. large non-routine transactions
b. matters requiring judgment or management intervention
c. error or fraud is high
d. non-compliance with laws and regulations
e. unreliable internal control
Step 4: Understanding Internal Control
Since not all control activities are relevant to The auditor should obtain an understanding of
the audit, an understanding of the controls the accounting and internal control system
related to the risk of misstatement is necessary sufficient to plan the audit and develop an
to ensure that the relevant control is effective audit approach.
identified.
Step 5: Evaluation of Internal Control Design and Implementation of Internal Controls
The operating effectiveness of internal control There is no specified Internal Control Design in
design can be tested in the following manner: the Standard but there are Five (5)
a. Identifying appropriate controls to be Consideration of Internal Control, which are:
tested. a. Obtaining understanding of the internal
b. Deciding on the appropriate testing control.
technique. b. Documenting the understanding of
c. Determining the appropriate accounting and internal control
documents to be tested. systems.
d. Determining the level of the test c. Assessing the level of control risk
(period to be covered, representative d. Performing the test of controls.
sample, extent). e. Documenting the assessed level of
e. Examining evidence/documents to control risk.
determine whether controls have been
properly implemented.
f. Summarizing and documenting the
results of evaluation.
 Step 6: Final Risk Assessment
The final step in the risk assessment phase of The Standard does not specify a guideline for
the audit is to review the results of the risk the final risk assessment.
assessment procedures performed, and
assess the risks of material misstatements
at the FS level and the assertion level for
classes of transactions and disclosures guided
by the Risk Decision Table.

Determining Risk Responses

COA AUDIT EXTERNAL AUDIT

Responses to the results of the risk assessment The acceptable level of detection risk depends
are based on the decision model setting the on the assessed level of inherent risk and
nature of audit procedure/s and extent of audit control risk (Inverse relationship). The
to be performed given the results of a risk auditor’s reaction to level of detection risk:
assessment and depending on the level of risk a. Lower acceptable level of detection risk,
of material misstatement established for higher assurance.
specific audit objectives, accounts and b. Higher acceptable level of detection
assertions. risk, low assurance.

4. Preparing the Audit Engagement Plan

Updating the Overall Audit Strategy

ISSAI 1450 requires the auditor to revise the overall audit strategy if:

a. the nature of identified misstatements and the circumstances of their occurrence indicate
that other misstatements may exist that, when aggregated with misstatements accumulated
during the audit, could be material; or
b. the aggregate misstatements accumulated during the audit, approaches the materiality
level determined in accordance with ISSAI 1320.

Audit activities or requirements that must be included in the strategy:

a. Special considerations: Related Parties; Litigation and Claims; Segment Reporting and
Subsequent Events with procedures discussed in Section 3, Execution Phase;
b. Other accounts determined falling within the performance materiality level not covered in
the risk assessment;
c. In the case of nationwide audits, the strategy should consider synchronization of timelines
for group planning, execution and reporting; setting materiality thresholds in a uniform
manner; scheduling of audit inspections; confirmations from external parties, among
others.

Preparing the Audit Program

The audit program contains the audit procedures to be performed for a specific audit objective for
the financial account and the risks identified by assertion. Audit Program for each audit area
included in the overall audit strategy should be prepared.
Preparing the Engagement Planning Memorandum

Engagement Planning Memorandum (EPM) is a planning tool that sets out the objectives of the
audit and spells out how the auditor aims to achieve these objectives. As a supervision and
monitoring tool, it tracks the progress of the audit and promotes high quality and professional audit
work.

Engagement Planning Memorandum contains:

Part 1 – Audit Coverage, Objective and Methodology

a. Audit Scope/coverage – should be clearly described;
b. Audit objectives – should be clearly defined; and,
c. Audit methodology – should be clearly established and supported with audit programs.

Part 2 – Significant contents of the Overall Audit Strategy

a. Materiality thresholds;
b. The number of staff to conduct the audit;
c. The major timelines: entrance conference, exit conference, securing management
representation letter, audit report issuance;
d. Coordination activities relative to a nationwide audit;
e. Inspections to be conducted; and,
f. External confirmations to be performed.

Part 3 – Summary of major accounts and assertions for audit considerations

a. Accounts and Assertions with high risks of material misstatements and significant risks
identified in the final risk assessment template.
b. Other Material Accounts (OMA) refer to financial statement accounts above or equal to the
performance materiality but were not considered as significant based on the results of the
Final Risk Assessment.
c. Special Considerations: Related Parties, Litigation and Claims, Segment Reporting and
Subsequent Events

Part 4 – Audit Program

COA AUDIT EXTERNAL AUDIT

There is no specified EPM in the standard. Uses EPM for planning, monitoring, and
supervision.
Multiple Choice Questions

1. How does the audit team assess the inherent risk during the planning phase?
a. By reviewing internal controls
b. By considering the industry and business environment
c. By analyzing financial statements
d. By setting materiality thresholds

2. In the Financial Audit Manual, what is the significance of understanding the client's internal
control system during the planning phase?
a. To determine the audit fees
b. To identify potential audit procedures
c. To assess client profitability
d. To finalize financial statements

3. What role does materiality play in the planning phase of financial auditing?
a. It determines the audit fees
b. It helps in assessing the audit team's competence
c. It guides the auditor in focusing on significant items
d. It influences the client's financial reporting requirements

4. What is the primary purpose of obtaining an understanding of the client's accounting system
during the planning phase?
a. To recommend changes to the system
b. To assess the client's IT infrastructure
c. To identify potential misstatements in financial statements
d. To establish audit team communication channels

5. An analysis that will show whether the figures presented and disclosed are reliable and
properly presented
a. Vertical Analysis
b. Horizontal Analysis
c. Tie-in Analysis
d. Variance Analysis

6. Statement 1: Tie-in analysis ensures consistency between figures reported in the FS and
their corresponding notes, preventing discrepancies that could mislead financial statement
users.
Statement 2: External audits are primarily conducted to detect fraudulent activities within
an organization, making fraud detection their main objective. (incorrect)
Statement 3: The assertion of occurrence ensures that transactions recorded in the financial
statements actually happened and were not fabricated or duplicated.
Statement 4: COA audits cover financial, operational, and regulatory risks but do not assess
compliance with national government accounting policies. (incorrect)
a. All statements are true.
b. Three statements are true.
c. Two statements are true.
d. Only one statement is true.

7. Which of the following actions would best minimize audit risk during the audit planning
phase?
a. Conducting a thorough understanding of the entity’s industry and regulatory
environment
b. Focusing on a detailed analysis of prior year’s audit findings and adjusting audit
procedures accordingly
c. Allocating resources primarily based on client preferences and timelines
d. Emphasizing the use of automated audit tools and software for all audit procedures

8. Opportunities to misappropriate assets increase when there are

a. Known or anticipated future employee layoffs.
b. Promotions, compensation, or other rewards inconsistent with expectations.
c. Recent or anticipated changes to employee compensation or benefit plans.
d. Inventory items that are small in size, of high value, or in high demand.
9. Why are no tests of controls needed when control risk is high?
a. Because control risk does not affect the overall risk assessment process.
b. Because high control risk means controls cannot be relied upon.
c. Because substantive tests are not required in such cases.
d. Because inherent risk is always low in such situations.

10. In which situation is no reliance placed on controls, meaning no test of controls are
necessary, but a high level of substantive test is required?
a. When inherent risk is high and control risk is low.
b. When inherent risk is low but control risk is high.
c. When both inherent and control risks are high.
d. When both inherent and control risks are moderate.

11. What is the purpose of the Engagement Planning Memorandum (EPM)?

a. To guide auditors in developing the financial statements.
b. To replace the audit program in assessing material risks.
c. To serve as a planning tool that outlines the audit objectives, strategy, and key
activities.
d. To summarize findings after the completion of the audit.

12. To enhance the Auditor’s understanding of the audit entity, the following steps shall be
undertaken except?
a. Creating a general overview of the entity’s organization and operations
b. Assessing related party transactions
c. Assessing other matters for consideration
d. Updating information base for financial audit and conducting preliminary risk
assessment

13. It is an integral process that is effected by an agency’s management and personnel, and is
designed to address risks and provide reasonable assurance that in pursuit of the agency’s
mission, the general objectives are being achieved.
a. Test of data
b. Substantive test
c. Internal control
d. Analytical procedure

14. Which statement is incorrect regarding the components of internal control?

a. Information & Communication is effective processes and systems that identify,
capture and report operational, financial and compliance-related information in a
form and timeframe that enable people to carry out their responsibilities.
b. Monitoring is the process that assesses the quality of the internal control system’s
performance over time.
c. Risk Assessment is process of identifying and analyzing relevant risks to the
achievement of the agency’s objectives and determining the appropriate response.
d. Control activities set the tone of an organization, influencing the control
consciousness of its staff. It is the foundation for all other components of
internal control, providing discipline and structure.

15. Which of the following is the most critical element in the audit planning phase to ensure an
effective and efficient audit?
a. Identifying the overall audit strategy, including scope, timing, and resource
allocation
b. Assigning audit team members based on their familiarity with the client’s industry
c. Understanding the entity’s internal controls and assessing risks related to financial
reporting
d. Ensuring that the audit plan meets the specific needs and preferences of the client