The document outlines the key steps in conducting an audit: 1. Planning the audit including understanding risks, determining materiality, and developing an audit program. 2. Assessing risks through evaluating inherent risk, internal controls, and determining a combined risk assessment. 3. Performing audit procedures including analytical procedures, tests of details on samples, and obtaining other evidence. 4. Concluding the audit by evaluating results, summarizing findings, and issuing an audit report with an opinion.

1. Preparation
of
the
mission
Execution
of
the
Audit
1.
Reception
of
the
engagement
letter
=
contract
between
the
auditor
and
the
client
that
has
to
be
signed
before
the
start
of
the
audit.
It
includes:
v the
fees,
v the
number
of
hours
that
are
going
to
be
spend
on
the
audit,
v the
way
the
audit
is
going
to
be
done,
v the
responsibilities
of
the
management,
of
the
board
of
director
and
of
the
auditor,
v the
applicable
laws,
v the
general
terms
and
conditions,
v the
applicable
laws,
v the
general
terms
and
conditions,
v the
time
when
the
audit
is
going
to
be
done,
v the
output
of
the
auditor
(the
audit
report)
v the
standards
of
auditing
that
are
going
to
be
used
v the
framework
used
2.
Confirmation
of
the
date
of
performance
of
the
audit
within
the
audited
entity
3.
Secure
logistics
and
make
practical
arrangements
4.
Starting
date
of
the
fieldwork
(including
opening
meeting)
Step
1:
Planning
the
audit
Step
2:
Assessment
of
the
activity
and
its
risks
+
Determination
of
the
audit
strategy
Step
3:
Performance
of
the
audit
procedures
Step
4:
Assessment
of
the
results
and
conclusion
on
the
audit
Generally
performed
before
and
at
the
beginning
of
the
audit
fieldwork
(or
during
identification
visit)
Performed
during
the
first
two
days
of
the
audit
fieldwork
Performed
throughout
the
audit
fieldwork
Performed
at
the
end
of
the
fieldwork
1.
Understand
the
auditee’s
activities
in
order
to
identify
main
risk
areas:
-­‐ Internal
factors
of
risk
-­‐ External
factors
of
risk
AR
=
IR
x
ICR
x
NDR
Objectives:
perform
audit
procedures
determined
in
step
2
(NDR)
in
order
to
hold
the
AR
at
a
low
level
by
decreasing
the
NDR.
è
It’s
the
basis
for
the
formulation
of
the
Audit
Opinion
Objective:
-­‐ summarise
and
quantify
audit
findings
-­‐ verify
the
general
coherence
of
the
audit
-­‐ prepare
the
debriefing
memorandum
è
basis
in
order
to
prepare
the
audit
report
AR
=
Audit
Risk
-­‐ IR
=
Inherent
Risk
-­‐ ICR
=
Internal
Control
Risk
-­‐ NDR
=
Non
Detection
Risk
2.
Assess
the
control
environment
in
order
to
understand
the
structure
of
the
company
to
be
audited
and
to
identify
elements
of
risks
linked
to
the
internal
control
structure
è
it’s
done
through
interviews
and
reading
report
and
minutes.
Audit
risk
=
risk
that
the
auditor
concludes
that
the
financial
statements
he
has
audited
contain
no
significant
errors,
although
they
do
contain
such
errors.
The
auditor
will
fix
the
AR
himself:
he
usually
accepts
an
Audit
Risk
of
5%.
1.
General
audit
Procedures
=
audit
procedures,
general
in
nature
and
necessary
to
verify
certain
contractual
aspects
or
to
comply
with
professional
standards.ènot
specific
to
some
accounts.
Ex:
getting
an
engagement
letter
or
a
representation
letter.
Analysis
&
quantification
of
findings:
-­‐ The
errors
identified
with
analytical
review
procedures
can’t
be
used
to
estimate
the
error.
There’s
a
need
for
further
investigation/analysis.
-­‐ The
errors
identified
on
key
items
can’t
be
extrapolated
and
need
to
be
reported
individually
in
the
audit
report
-­‐ The
errors
identified
on
representative
samples
may
be
extrapolated
to
the
sub-­‐
population.
Rules
for
extrapolation:
-­‐ only
allowed
for
representative
sample
-­‐ extrapolation
method
//
sampling
method
-­‐ the
qualitative
aspect
of
errors
must
be
taken
into
account
-­‐ separate
extrapolation
for
each
account
3.
Determine
the
materiality:
that’s
the
level
of
error/change
under
which
a
user
of
the
financial
statement
is
not
going
to
change
is
opinion,
his
decision
making.
This
concept
is
connected
to
the
principle
of
true
and
fair
view,
it
determines
the
sample
size
for
substantive
testing
and
it’s
the
basis
for
interpretation
of
audit
results
è
it
helps
determining
the
“vouching
limit”.
There
are
3
levels:
-­‐ the
materiality
(whole
F/S)
-­‐ the
tolerable
error(significant
accounts)
-­‐ the
adjustment
level
(error
accumulation)
1.
Determine
the
Inherent
Risk:
It’s
the
likelihood
of
significant
inaccuracies
due
to
a
fraud
or
error
independently
of
the
existing
specific
internal
control
procedures.
The
Inherent
Risk
depends
on:
-­‐ quality
of
the
personnel
responsible
-­‐ general
internal
organisation
-­‐ econ.
&
financial
situation
of
the
country
-­‐ general
risk
//the
type
of
transaction
2.
Analytical
&
Data
Analysis
Procedures
=
logical
tests
of
relationships
between
numbers,
aimed
at
reviewing
whether
the
numbers
reported
in
the
financial
statements
are
reasonable.
Ex:
trends,
ratios,
examination
of
variations.
Levels
of
confidence
in
Analytical
Review:
-­‐ minimal:
the
analytical
review
is
not
sufficient
to
give
confidence
-­‐ corroborative
-­‐ persuasive
The
+
data
you
have,
the
-­‐
confidence
analytical
review
gives
you
è
need
for
+
precise
analysis
in
order
to
have
+
confidence
2.
Determine
the
Internal
Control
Risk:
this
is
the
likelihood
that
the
internal
control
system
does
not
prevent
or
detect
significant
inaccuracies
due
to
a
fraud
or
error.
The
ICR
depends
on:
-­‐ organisational
structure
followed
for
project
management
and
connected
potential
risks
-­‐ main
aspects
related
to
personnel
management
-­‐ accounting
system
used
to
record
and
report
the
expenses
and
revenues
-­‐ supervision/governance
measures
-­‐ prevention><detection
IC
put
in
place
2
options
in
order
to
test
internal
controls:
-­‐ test
of
controls
-­‐ final
assessment:
no
test
of
the
internal
controls:
straight
to
the
audit
Type
of
errors
&
consequences:
-­‐ Intentional
errors:
it
coves
potential
fraud
and/or
irregularities
and
should
be
reported
to
governance
ASAP
-­‐ Formal
errors:
due
to
insufficient
documentation,
lack
of
clarity,
incompliance
with
contractual
basis,
etc.
If
recurring
errors,
it
might
be
necessary
to:
-­‐ extend
audit
procedures
in
risky
area
-­‐ revise
the
risk
assessment
-­‐ enlarge
the
sample
for
risky
sub-­‐
population
è
High
error
rate
+
recurrent
errors
=
sign
of
internal
control
weakness
ç
-­‐ reassessment
of
the
CRA
-­‐ Calculation
of
revised
sample
size
4.
Determine
the
significant
accounts
in
order
to
determine
whether
some
specific
procedures
should
be
applied
to
those
accounts.
The
criteria
are:
-­‐ the
amount
-­‐ the
nature
of
the
account
-­‐ the
complexity
and
homogeneity
-­‐ the
predisposition
to
manipulations
or
proneness
to
losses
-­‐ the
problems
or
errors
identified
in
previous
audits
3.
Substantive
tests
applied
on
financial
data
=
verification
of
the
supporting
documents.
è
Example:
-­‐ physical
observation
(ex:inspect
fixed
assets)
-­‐ check
of
payments
-­‐ review
of
the
invoices
-­‐ testing
the
respect
of
tendering
and
awarding
procedures
for
a
sample
of
contracts
-­‐ testing
the
expenses
to
the
invoices
and
bank
documents
-­‐ recalculation,
etc.
5.
Prepare
the
audit
programme
by
making
a
complete
description
of
the
work
that
is
to
be
performed;
aiming
to
justify
the
appropriateness
of
the
auditor’s
work.
It
needs
to
be
prepared
by
the
audit
team,
based
on
the
info
collected
and
the
requirements
of
the
client,
and
to
be
approved
by
the
audit
partner.
Assertions
for
each
account:
-­‐ existence
:
physical
observation
-­‐ valuation
(transactions
well
valued)
-­‐ cut-­‐off
(recorded
in
the
proper
period:
when
delivered)
-­‐ classification
(recorded
in
the
right
account)
-­‐ completeness
(all
transactions
recorded)
Key
items:
items
selected
by
the
auditor
on
a
judgmental
basis
because
of:
significant
amount,
risky
transaction,
unusual
transaction,
etc.
In
this
case,
no
extrapolation
is
allowed.
Representative
sample:
items
selected
on
statistical
sampling.
In
this
case,
extrapolation
is
allowed
è
The
NDR
can
be
reduced
by
performing
analytical
review
procedures
and
by
performing
substantive
tests
on
key
items
(see
above).
It
must
be
completed
by
performing
tests
on
a
representative
sample.
3.
Combined
risk
assessment
(IR
+
ICR):
-­‐ if
CRA
=
low
è
accept
high
NDR
and
do
less
audit
procedures
-­‐ if
CRA
=
high
è
lower
the
NDR
by
doing
a
lot
of
audit
procedures
Audit
report
The
objective
of
an
audit
is
to
enable
the
auditor
to
express
an
opinion
and
issue
a
report
in
accordance
with
the
requirements
of
the
Commission
Different
possible
opinions:
-­‐ Unqualified
opinion:
“the
Financial
Report
gives
a
true
and
fair
view,
in
all
material
respects,
of
the
results
and
financial
position”
-­‐ Qualified
opinion:
“The
FR
gives
a
true
and
fair
view,
in
all
material
respects,
of
the
results
and
financial
position
except
for
an
error
on
a
specific
account…”
-­‐ Adverse
opinion:
“The
FR
doesn’t
give
a
true
and
fair
view
(…)”
-­‐ Disclaimer
of
opinion:
“…
The
auditor
is
unable
to
express
an
opinion…”
4.
Non
Detection
Risk:
This
is
the
likelihood
that
the
external
auditor
does
not
detect
significant
inaccuracies
by
means
of
audit
procedures.
=
Only
criteria
that
can
be
influenced
by
the
auditor
depending
on
the
extent
of
substantive
procedures
(see
CRA)è
it
allows
a
reduction
of
the
audit
risk.
Statistical
sampling
aims
at
determining
the
sample
size
needed
to
further
reduce
the
NDR.
è
see
how
it
works
page
27
Audit
strategy:
set
the
scope,
the
timing,
the
type
of
audit
procedures
and
the
extent
of
substantive
tests.