AFM 451: Audit Strategy

Estimated study time: 25 minutes


Sources and References

  • Primary textbook: Messier, W. F., Glover, S. M., Prawitt, D. F., Paisley, S., & Springate, S. Auditing and Assurance Services: A Systematic Approach, 4th Canadian ed. McGraw-Hill Ryerson, 2023.
  • Supplementary: Canadian Auditing Standards (CAS), available through the CPA Canada Handbook; Public Company Accounting Oversight Board (PCAOB) Auditing Standards; Minnis, M. (2011). “The Value of Financial Statement Verification in Debt Financing.” Journal of Accounting Research, 49(2), 457–506.
  • Online resources: CPA Canada Audit and Assurance Handbook; PCAOB standards and guidance; IAASB International Standards on Auditing (ISAs); CPAB (Canadian Public Accountability Board) annual inspection reports.


Chapter 1: The World of Assurance

1.1 What is Assurance and Why Does it Exist?

Assurance is the process by which a practitioner evaluates evidence about a subject matter and expresses a conclusion that provides intended users with a level of confidence about that subject matter. In its most common form — the financial statement audit — the auditor evaluates whether financial statements are fairly presented in accordance with an applicable financial reporting framework (e.g., IFRS, ASPE).

Assurance exists because of the demand for credible information in economic transactions. Consider a lender evaluating a loan application from a private company. The company’s management prepares the financial statements, creating an inherent conflict of interest: management has incentives to present the company’s financial position favorably. An independent auditor who examines those statements and attaches an opinion provides the lender with credible evidence that the information can be trusted — reducing information asymmetry and the risk of adverse selection.

The value of financial statement verification: Minnis (2011) demonstrates, using data from private US firms, that companies with audited financial statements receive significantly lower interest rates on debt (approximately 67 basis points lower) than unaudited firms, holding financial characteristics constant. This provides empirical evidence that audited information has measurable economic value by reducing lenders' uncertainty.

The fundamental reason for auditing is thus reducible to three conditions that, together, create demand:

  1. Conflict of interest: Preparers of information have interests that may diverge from users’ interests.
  2. Consequence: Decisions based on the information have significant economic consequences.
  3. Complexity: The subject matter is complex enough that users cannot easily verify it themselves.

1.2 The Assurance Framework

Any assurance engagement can be understood through a four-pillar framework:

Risk: The risk that the subject matter contains material misstatements or does not conform to the applicable criteria. Risk drives the nature, timing, and extent of evidence-gathering procedures.

Criteria: The standards against which the subject matter is evaluated. For financial statement audits, the criteria are the applicable financial reporting framework (IFRS, ASPE, US GAAP). Criteria must be suitable (relevant and reliable) and available to intended users.

Data/Evidence (Subject Matter): The information being examined — financial statements, sustainability reports, internal controls, performance data. Sufficient and appropriate evidence must be gathered to support the assurance conclusion.

Methodology: The procedures and approaches used to gather and evaluate evidence. For financial audits, methodology encompasses risk assessment, internal control evaluation, substantive testing, and analytical procedures.

1.3 Levels of Assurance

Assurance engagements differ in the level of assurance provided:

| Level | Conclusion form | Evidence required |
|---|---|---|
| Reasonable assurance (Audit) | Positive — “The statements are fairly presented” | Extensive evidence; sufficient to reduce audit risk to an acceptably low level |
| Limited assurance (Review) | Negative — “Nothing has come to our attention suggesting the statements are not fairly presented” | Primarily inquiry and analytical procedures; less evidence than an audit |
| No assurance (Compilation) | No conclusion expressed | Assist management in preparing financial statements using professional competence |
| Agreed-upon procedures | Factual findings only; no conclusion | Specific procedures agreed with the client; the report lists findings without expressing a conclusion |

1.4 Types of Auditors

External auditors (chartered professional accountants) provide independent opinions on financial statements for the benefit of shareholders and other external users. External auditors are appointed by (and report to) shareholders, providing structural independence from management.

Internal auditors are employees or contractors serving the organization’s board and management by providing independent assurance and advisory services on risk management, controls, and governance processes. Unlike external auditors, internal auditors serve the organization rather than external parties.

Government auditors (e.g., the Auditor General of Canada) audit government entities and Crown corporations, reporting to legislatures rather than shareholders.

Regulatory auditors examine regulated entities (banks, insurance companies) for compliance with sector-specific requirements.


Chapter 2: Professional Judgment and Professional Skepticism

2.1 The Auditor’s Role in the Business Environment

Auditing requires the application of professional judgment in conditions of inherent uncertainty. Unlike engineering or law, auditing cannot apply deterministic rules to reach definitive answers — auditors work with evidence that is rarely conclusive, making probabilistic judgments about the likelihood of material misstatement.

The auditor operates within a complex web of relationships: the client (management prepares the financial statements), shareholders and other users (who rely on the audit opinion), and the public interest (auditors serve an important social function in maintaining confidence in capital markets).

2.2 Professional Skepticism

Professional Skepticism: An attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence. Professional skepticism requires the auditor not to assume that management is dishonest but also not to assume unquestioned honesty.

Professional skepticism is not cynicism (assuming all management is dishonest) nor is it naive trust (accepting management explanations at face value). It is a disciplined, evidence-driven posture that requires:

  • Questioning the source, reliability, and consistency of evidence.
  • Following up on inconsistencies or anomalies.
  • Maintaining alertness to conditions that may signal fraud risk.
  • Remaining open to the possibility that initial risk assessments were wrong.

In practice, professional skepticism is often compromised by client accommodation pressure (the auditor’s desire to maintain the client relationship), confirmation bias (the tendency to seek evidence confirming prior beliefs), and over-reliance on management representations.

2.3 Cognitive Biases in Auditor Judgment

Behavioral research has identified numerous cognitive biases that affect auditor decision-making:

Confirmation bias: Seeking and weighting evidence that confirms existing hypotheses while downplaying disconfirming evidence. In auditing, this can lead auditors to accept management’s explanations too readily.

Anchoring: Excessive reliance on initial information (e.g., prior-year audit findings or management’s draft financial statements) when making subsequent judgments.

Availability bias: Overweighting risks that are easy to recall (recent or dramatic examples) and underweighting risks that are less salient.

Framing effects: The form in which a question is asked influences the answer. Auditors asked whether an account “could be materially overstated” respond differently than those asked whether it “could be materially misstated in any direction.”

System 1 vs. System 2 Thinking (Kahneman): System 1 thinking is fast, automatic, and intuitive — useful for pattern recognition but susceptible to biases. System 2 thinking is slow, deliberate, and analytical — more robust but cognitively demanding. Auditors must develop the discipline to engage System 2 thinking when assessing complex or high-risk areas, even when System 1 would suggest “this looks fine.”

2.4 Professional Due Care and Auditor Independence

Professional due care requires auditors to perform their work with the diligence, skill, and competence expected of a prudent, qualified practitioner. It does not mean perfection but rather reasonable effort and appropriate professional judgment.

Auditor independence is the cornerstone of auditor credibility. Independence has two dimensions:

  • Independence in fact: The auditor is actually independent — free from relationships or interests that would impair objectivity.
  • Independence in appearance: A reasonable observer would conclude the auditor is independent — even if the auditor is actually independent, relationships that appear problematic undermine user confidence.

The expectations gap refers to the difference between what auditors actually provide (reasonable assurance that financial statements are free from material misstatement) and what the public believes auditors provide (a guarantee of financial statement accuracy and detection of all fraud). Bridging this gap requires both clearer communication about audit scope and limitations, and continuous improvement in audit quality.


Chapter 3: Risk Assessment and Audit Planning

3.1 The Nature and Role of Risk in Auditing

The audit process is fundamentally risk-based. Auditors do not test every transaction or balance but rather focus their effort where the risk of material misstatement is highest. Understanding what can go wrong — and why — guides everything from the scope of planned procedures to the composition of the audit team.

Business risk arises from conditions, events, or circumstances that could adversely affect the entity’s ability to achieve its objectives. Business risks can translate into financial statement risks when they affect the amounts, disclosures, or conditions requiring recognition in the financial statements.

Financial statement risk is the risk that a specific account balance, transaction class, or disclosure contains a material misstatement (whether due to error or fraud) that would affect a reader’s decision.

3.2 Understanding the Client

Effective risk assessment requires deep understanding of:

  • Industry, regulatory, and other external factors: Industry characteristics, applicable laws and regulations, and the broader economic environment.
  • Nature of the entity: Business operations, ownership and governance structure, investments, financing.
  • Accounting policies: Appropriateness of the entity’s accounting policies and whether they are consistent with the industry.
  • Objectives, strategies, and related business risks: What is management trying to achieve, and what could prevent them?
  • Financial performance: Key ratios, trends, and analyst expectations that create pressure on financial reporting.
  • Internal control: The entity’s control environment, risk assessment process, information systems, control activities, and monitoring.

3.3 The Fraud Triangle

Fraud risk deserves special attention in risk assessment. The Fraud Triangle (Cressey, 1953) identifies three conditions that are typically present when financial statement fraud occurs:

  1. Pressure/Incentive: The perpetrator faces financial pressure (personal debt, performance targets) or professional pressure (meeting analyst expectations, avoiding covenant breach).
  2. Opportunity: Weak internal controls, inadequate oversight, or complex transactions allow the fraud to occur without detection.
  3. Rationalization: The perpetrator rationalizes the behavior (“I’m just borrowing it,” “The company owes me,” “Everyone does it”).

Brainstorming: CAS 240 (ISA 240) requires audit team members to discuss how fraud could occur in the client’s financial statements. This mandatory discussion is intended to prompt consideration of fraud scenarios that might otherwise be overlooked.

3.4 Financial Statement Assertions

Financial statement assertions are the explicit and implicit claims management makes in presenting financial statements. Assertions link the identified risks to specific audit objectives. The six primary assertions are:

| Assertion | Explanation |
|---|---|
| Existence/Occurrence | Assets, liabilities, and equity exist; recorded transactions actually occurred |
| Completeness | All transactions and accounts that should be recorded are recorded; no omissions |
| Accuracy/Valuation | Amounts are correctly computed; assets and liabilities are measured at appropriate amounts |
| Rights and Obligations | The entity has legal rights to assets and obligations for liabilities |
| Presentation and Disclosure | Items are classified, described, and disclosed appropriately |
| Cutoff | Transactions are recorded in the correct accounting period |

Risk identification should be assertion-specific. For example, accounts receivable may be at risk of overstatement (fictitious receivables — existence risk) while accounts payable may be at risk of understatement (unrecorded obligations — completeness risk).


Chapter 4: The Audit Risk Model and Materiality

4.1 The Audit Risk Model

The Audit Risk Model is the quantitative foundation for designing an efficient audit. It relates three risk components:

\[ AR = IR \times CR \times DR \]

where:

  • AR (Audit Risk): The risk that the auditor expresses an inappropriate opinion — specifically, issuing a clean opinion when the financial statements are materially misstated.
  • IR (Inherent Risk): The susceptibility of an assertion to misstatement (due to error or fraud) assuming no internal controls. Inherent risk is driven by the nature of the account (complex estimates carry higher inherent risk than routine cash receipts), industry conditions, and management characteristics.
  • CR (Control Risk): The risk that a material misstatement will not be prevented or detected on a timely basis by the entity’s internal controls.
  • DR (Detection Risk): The risk that the auditor’s procedures will fail to detect a material misstatement.

The auditor sets a target level of audit risk (typically quite low, reflecting the materiality of the opinion) and controls detection risk through the design of audit procedures, since inherent risk and control risk are characteristics of the client that cannot be controlled by the auditor.

\[ DR = \frac{AR}{IR \times CR} \]

When inherent risk and control risk are high (high Risk of Material Misstatement, RMM = IR × CR), the auditor must achieve very low detection risk by performing more extensive, more reliable procedures. When RMM is low, less extensive procedures can achieve the target audit risk.

Example: An auditor sets acceptable audit risk at 5% for a client with high inherent risk (IR = 80%) in the revenue account and weak controls (CR = 70%). Required detection risk = 0.05 / (0.80 × 0.70) = 8.9%. This means the auditor's substantive procedures must be extensive enough to catch 91% of any material misstatement that exists — a high evidentiary bar requiring significant testing.

4.2 Materiality

Materiality is the threshold above which a misstatement is considered significant enough to influence the decisions of a reasonable financial statement user. It is both a quantitative concept (measured in dollar terms) and a qualitative concept (some misstatements may be material regardless of dollar magnitude, such as misstatements that affect regulatory compliance or management compensation).

Planning materiality (also called overall materiality) is set at the planning stage of the audit and is used to guide the scope of audit procedures. Common quantitative benchmarks:

  • 5% of pre-tax income (for profitable entities)
  • 0.5%–1% of total assets (for financial institutions or asset-intensive entities)
  • 1%–2% of total revenues (for entities with thin margins)
  • 1%–2% of total equity (for some entity types)

Performance materiality (also called tolerable misstatement) is a lower threshold — typically 50%–75% of planning materiality — used in designing individual tests. It provides a buffer: if total misstatements identified in individual accounts each fall below performance materiality, the aggregate misstatement is likely to remain below planning materiality.

Clearly trivial misstatements (typically less than 3%–5% of planning materiality) need not be accumulated or evaluated.

The relationship between risk and materiality: they move in opposite directions in their effect on audit scope. Higher risk requires more extensive procedures. Lower materiality also requires more extensive procedures (the auditor must detect smaller misstatements). The interaction of risk and materiality defines the required level of audit evidence.
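The following Python script is an added example (not part of the course notes) that works the audit risk model of section 4.1 and the materiality thresholds of section 4.2 through in code: it solves DR = AR / (IR × CR) for the notes' 5% / 80% / 70% case, derives planning, performance and clearly-trivial thresholds from a benchmark, and then applies those thresholds to a set of identified misstatements. The benchmark midpoints, the 75% and 5% factors, the base amount and the misstatement figures are constructed assumptions for illustration.

```python
"""Audit risk model and materiality thresholds, worked through in code.

Added example, not taken from the course notes. The formulas are the ones
the notes give (AR = IR x CR x DR, solved for DR); the benchmark percentages
use the notes' ranges; the sample misstatements are constructed figures.
"""
from dataclasses import dataclass, field


def required_detection_risk(ar: float, ir: float, cr: float) -> float:
    """Solve the audit risk model for detection risk: DR = AR / (IR x CR).

    Inputs are probabilities in (0, 1]. A result above 1.0 would mean the
    target audit risk is met without any substantive work, so cap at 1.0.
    """
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0 < value <= 1:
            raise ValueError(f"{name} must be a probability in (0, 1], got {value}")
    return min(1.0, ar / (ir * cr))


# Benchmark percentages from section 4.2; the midpoint is used where the
# notes give a range (an assumption made for this example).
BENCHMARKS = {
    "pre_tax_income": 0.05,
    "total_assets": 0.0075,
    "total_revenue": 0.015,
    "total_equity": 0.015,
}


def planning_materiality(benchmark: str, base_amount: float) -> float:
    """Overall (planning) materiality as a percentage of the chosen base."""
    return base_amount * BENCHMARKS[benchmark]


@dataclass
class MisstatementEvaluation:
    planning_materiality: float
    performance_materiality: float
    clearly_trivial: float
    accumulated: float                                      # gross total of non-trivial misstatements
    over_performance: list = field(default_factory=list)    # accounts breaching PM individually
    material: bool = False                                  # aggregate exceeds planning materiality


def evaluate_misstatements(misstatements: dict, pm: float,
                           performance_pct: float = 0.75,
                           trivial_pct: float = 0.05) -> MisstatementEvaluation:
    """Apply the three thresholds from section 4.2 to identified misstatements.

    `misstatements` maps account -> misstatement (positive = overstatement,
    negative = understatement). Amounts are accumulated gross (absolute
    values) so that offsetting errors do not mask each other; that is the
    conservative convention chosen for this example.
    """
    performance = pm * performance_pct
    trivial = pm * trivial_pct
    result = MisstatementEvaluation(pm, performance, trivial, 0.0)
    for account, amount in misstatements.items():
        size = abs(amount)
        if size < trivial:
            continue                      # clearly trivial: not accumulated
        result.accumulated += size
        if size > performance:
            result.over_performance.append(account)
    result.material = result.accumulated > pm
    return result


if __name__ == "__main__":
    # The notes' example: AR 5%, IR 80%, CR 70% -> DR of about 8.9%
    dr = required_detection_risk(0.05, 0.80, 0.70)
    print(f"required detection risk: {dr:.1%}; procedures must catch {1 - dr:.0%}")

    pm = planning_materiality("pre_tax_income", 2_000_000)   # constructed base amount
    found = {"revenue": 60_000, "inventory": -30_000,        # constructed findings
             "accrued_liabilities": 20_000, "prepaids": 2_000}
    ev = evaluate_misstatements(found, pm)
    print(f"PM {pm:,.0f}, performance {ev.performance_materiality:,.0f}, "
          f"trivial {ev.clearly_trivial:,.0f}, accumulated {ev.accumulated:,.0f}, "
          f"material={ev.material}")
```

In the constructed case no single account breaches performance materiality, yet the gross aggregate (110,000) exceeds planning materiality (100,000). That is exactly the situation the performance-materiality buffer is meant to make unlikely but cannot rule out, which is why misstatements are accumulated and evaluated in aggregate at completion rather than account by account.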


Chapter 5: Internal Controls and the Control Environment

5.1 The COSO Internal Control Framework

The COSO Internal Control — Integrated Framework (2013) is the dominant framework for evaluating internal controls over financial reporting. It comprises five components:

  1. Control Environment: The foundation of all other components — the “tone at the top.” Encompasses integrity, ethical values, organizational structure, board oversight, and human resource practices.
  2. Risk Assessment: The entity’s process for identifying and analyzing risks relevant to achieving objectives.
  3. Control Activities: The policies and procedures that help ensure management directives are carried out (approvals, reconciliations, segregation of duties, physical controls).
  4. Information and Communication: Systems that capture and exchange information needed to support the achievement of objectives.
  5. Monitoring Activities: Ongoing and periodic assessments of whether controls are operating effectively.

5.2 Types of Internal Controls

Controls can be classified along several dimensions:

By nature:

  • Preventive controls: Designed to stop misstatements before they occur. Example: requiring dual authorization for wire transfers above a threshold.
  • Detective controls: Designed to identify misstatements that have already occurred. Example: monthly bank reconciliations, variance analysis.

By level:

  • Entity-level controls: Apply broadly across the organization (tone at the top, code of ethics, board oversight, centralized financial reporting processes).
  • Transaction-level controls: Applied to specific transaction types or account balances (invoice approval limits, three-way matching for purchases).

By mechanism:

  • Manual controls: Performed by people (supervisor review and sign-off).
  • Automated controls: Embedded in IT systems (system-enforced validation rules, automated matching).
  • IT-dependent manual controls (ITDM): Manual controls that rely on IT-generated reports (e.g., supervisor reviewing a system-generated exception report).

5.3 Segregation of Duties

A fundamental control principle is that no single individual should have complete control over all aspects of a transaction from initiation through authorization, recording, and asset custody. Segregation of duties reduces the opportunity for fraud by requiring collusion among multiple parties to commit and conceal unauthorized acts.

Classic segregation: the person who authorizes purchases should not also approve invoices, record payables, or sign checks. In small organizations where complete segregation is impractical, compensating controls (such as enhanced owner oversight or more frequent external review) are necessary.
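As an added example (not from the course notes), the script below checks the segregation rule of section 5.3 mechanically over a role assignment table, the way an access review over an ERP or identity system would. Users are granted roles, roles grant duties, and a conflict is any two of the four purchase-to-pay duties ending up with the same person, whichever roles deliver them. The role catalogue, the user list and the compensating-control register are constructed for illustration; the rule that no one person may hold more than one of the four duties is the notes' own.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example, not from the course notes. The four duties and the rule
that no one person holds more than one of them follow section 5.3; the
role catalogue, users and compensating-control register are constructed.
"""
from itertools import combinations

# Duties along the purchase-to-pay cycle that section 5.3 says must be split.
INCOMPATIBLE_DUTIES = {
    "authorize_purchase",   # initiation / authorization
    "approve_invoice",      # authorization of payment
    "record_payable",       # recording
    "sign_cheque",          # asset custody
}

# Constructed role catalogue: each role grants a set of duties.
ROLES = {
    "buyer":      {"authorize_purchase"},
    "ap_clerk":   {"record_payable"},
    "ap_manager": {"approve_invoice"},
    "treasurer":  {"sign_cheque"},
    "reporting":  {"view_reports"},   # read-only, not a conflicting duty
}


def effective_duties(user_roles, roles=ROLES):
    """Flatten a user's roles into the duties they can actually perform."""
    duties = set()
    for role in user_roles:
        duties |= roles[role]
    return duties


def find_sod_violations(assignments, roles=ROLES,
                        incompatible=INCOMPATIBLE_DUTIES, compensated=frozenset()):
    """Return {user: {"conflicts": [(duty, duty), ...], "compensated": bool}}.

    A conflict is any pair of incompatible duties held by the same person,
    regardless of which roles grant them. Users listed in `compensated` are
    still reported (the conflict exists) but marked as mitigated by a
    documented compensating control, as section 5.3 allows for small entities.
    """
    findings = {}
    for user, user_roles in assignments.items():
        held = sorted(effective_duties(user_roles, roles) & incompatible)
        conflicts = list(combinations(held, 2))
        if conflicts:
            findings[user] = {"conflicts": conflicts,
                              "compensated": user in compensated}
    return findings


# Constructed user -> roles assignments.
USERS = {
    "alice": {"buyer", "reporting"},
    "bob":   {"ap_clerk", "ap_manager"},    # records and approves: conflict
    "carol": {"treasurer"},
    "dave":  {"buyer", "treasurer"},        # authorizes and signs: conflict
}

if __name__ == "__main__":
    for user, finding in find_sod_violations(USERS, compensated={"dave"}).items():
        status = "mitigated by compensating control" if finding["compensated"] else "UNMITIGATED"
        print(f"{user}: {finding['conflicts']} -> {status}")
```

Resolving roles to duties before comparing is the important step: a conflict that is invisible at role level (two harmless-looking roles) becomes visible once both roles' permissions are flattened, which is how most real toxic combinations arise.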


Chapter 6: Audit Evidence and Substantive Testing

6.1 Sufficient and Appropriate Evidence

Auditors must gather sufficient and appropriate evidence to support their conclusions. These are distinct concepts:

  • Sufficiency refers to the quantity of evidence — how much is enough? Sufficiency is influenced by the risk of material misstatement (higher risk requires more evidence) and the quality of evidence available.
  • Appropriateness refers to the quality of evidence — how reliable and relevant is it? Relevance means the evidence speaks to the specific assertion being tested. Reliability relates to the evidence source and nature.

Hierarchy of evidence reliability:

  1. External evidence obtained directly by the auditor (physical inspection, bank confirmation obtained directly)
  2. External evidence obtained from the entity (externally generated documents like supplier invoices)
  3. Internal evidence with strong controls (internally generated documents with good controls)
  4. Internal evidence with weak controls
  5. Oral representations from management (least reliable — must be corroborated)

6.2 Evidence-Gathering Techniques

Auditors employ a portfolio of evidence-gathering techniques, selected based on the assertion being tested and the available evidence:

| Technique | Description | Strengths |
|---|---|---|
| Inspection of documents | Examining records, contracts, invoices | Direct evidence of terms and existence |
| Physical inspection | Counting inventory, verifying that fixed assets exist | Strong for the existence assertion |
| Confirmation | Obtaining third-party written responses | External, reliable; strong for existence and accuracy |
| Recalculation | Recomputing mathematical figures | Reliable for accuracy of calculations |
| Reperformance | Executing a control or process independently | Reliable for control effectiveness |
| Observation | Watching a process being performed | Only valid at the moment of observation |
| Inquiry | Asking management or employees questions | Efficient but low standalone reliability |
| Analytical procedures | Comparing actual figures to expectations | Efficient; useful for completeness |

Confirmation (sending requests to third parties such as banks, customers, or lawyers) is particularly valued for its external, independent nature. The auditor controls the confirmation process — sending requests directly and receiving responses directly — to prevent client interception.

6.3 Tests of Controls vs. Substantive Tests

The audit strategy choice of whether to rely on internal controls determines the balance between two fundamental test types:

Tests of controls: Procedures designed to evaluate whether controls are operating effectively. If controls are effective, the auditor gains assurance that misstatements are prevented or detected — allowing for reduced substantive testing. Control testing typically involves:

  • Inspection of documents for evidence of control performance.
  • Reperformance of the control.
  • Observation of control execution.
  • Inquiry supplemented by corroborating evidence.

The size of control testing samples is driven by the desired level of reliance on the control and the tolerable deviation rate. A control tested with a larger sample that shows zero deviations provides more assurance than a smaller sample that also shows zero deviations.

Substantive tests: Procedures designed to detect material misstatements in specific account balances, transaction classes, or disclosures. They fall into two categories:

  • Substantive analytical procedures (SAPs): Comparing recorded amounts to independent expectations (based on prior year, industry, or internally consistent data). The strength of an SAP depends on the precision of the expectation — if a revenue model can predict monthly revenue within 5%, a material misstatement would be detectable.
  • Tests of details: Direct examination of individual items — testing a sample of transactions or confirming balances with third parties.

Example: For accounts receivable at a manufacturing company, the auditor might: (1) send confirmation requests to a sample of customer balances (test of details — existence and accuracy assertions); (2) review the aged trial balance and calculate the allowance for doubtful accounts using historical collection rates (substantive analytical procedure — valuation assertion); and (3) test a sample of revenue transactions near year-end for proper cutoff (test of details — cutoff assertion).

6.4 Audit Sampling

Auditors rarely test entire populations — sampling allows efficient audit coverage with controlled risk. Two categories of risk arise from sampling:

  • Sampling risk: The risk that the sample is not representative of the population — leading the auditor to wrong conclusions about the population. This risk can be controlled through sample size and selection method.
  • Non-sampling risk: The risk of error not related to sampling — misapplying a procedure, misinterpreting evidence, or failing to recognize a deviation. This is controlled through training, supervision, and review.

Sampling methods:

  • Statistical sampling: Uses probability theory to quantify sampling risk and determine sample sizes. Results can be projected to the population with measurable confidence.
  • Non-statistical (judgmental) sampling: Relies on professional judgment without formal statistical measurement. Appropriate when statistical measurement is impractical.
  • Stratified sampling: Divides the population into homogeneous subgroups (strata) and samples each stratum separately — often used when a few large items account for most of the balance.
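The script below is an added example (not from the course notes) of the stratified approach in section 6.4 applied to a receivables population: balances at or above a key-item threshold form one stratum and are tested in full, the remainder is sampled with a fixed seed so the selection is reproducible in the working papers, and errors found in the sampled stratum are projected to that stratum by ratio. The customer balances, the threshold, the sample size and the detected errors are constructed; the ratio projection is one common projection method and is an assumption of this example rather than something the notes prescribe.

```python
"""Stratified sample selection and misstatement projection for receivables.

Added example, not from the course notes: key items above a threshold are
tested 100%, the remainder is sampled, and sampled-stratum errors are
projected by ratio. All balances, thresholds and errors are constructed.
"""
import random

# Constructed receivables population: customer -> book balance
POPULATION = {
    "C01": 180_000, "C02": 95_000, "C03": 62_000, "C04": 21_000,
    "C05": 18_500, "C06": 14_200, "C07": 9_900, "C08": 7_300,
    "C09": 6_100, "C10": 4_800, "C11": 3_200, "C12": 1_500,
}


def stratified_selection(population, key_item_threshold, sample_size, seed=0):
    """Split the population into key items (tested 100%) and a sampled remainder.

    `seed` fixes the random choice so the selection can be re-created later.
    Returns (key_items, sampled_items, remainder_items), each customer -> balance.
    """
    key = {c: v for c, v in population.items() if v >= key_item_threshold}
    remainder = {c: v for c, v in population.items() if v < key_item_threshold}
    rng = random.Random(seed)
    chosen = rng.sample(sorted(remainder), min(sample_size, len(remainder)))
    sampled = {c: remainder[c] for c in chosen}
    return key, sampled, remainder


def coverage(key, sampled, population):
    """Share of total book value the selection examines directly."""
    return (sum(key.values()) + sum(sampled.values())) / sum(population.values())


def project_misstatement(key, sampled, remainder, errors):
    """Project detected errors to the whole population.

    `errors` maps customer -> misstatement found. Key-item errors are known
    exactly (that stratum was tested in full); the sampled stratum's error is
    projected by ratio: sampled error / sampled book value x stratum book value.
    """
    key_error = sum(errors.get(c, 0) for c in key)
    sample_error = sum(errors.get(c, 0) for c in sampled)
    sample_value = sum(sampled.values())
    remainder_value = sum(remainder.values())
    projected_remainder = (sample_error / sample_value) * remainder_value if sample_value else 0
    return key_error + projected_remainder


if __name__ == "__main__":
    key, sampled, remainder = stratified_selection(POPULATION, 50_000, 4, seed=1)
    print(f"key items: {sorted(key)}; sampled: {sorted(sampled)}")
    print(f"coverage of book value: {coverage(key, sampled, POPULATION):.1%}")
    # Constructed findings: 5,000 overstatement in C02, 2% overstatement in each sampled item
    errors = {"C02": 5_000, **{c: v * 0.02 for c, v in sampled.items()}}
    print(f"projected misstatement: {project_misstatement(key, sampled, remainder, errors):,.0f}")
```

Three customers carry about 80% of the book value here, which is why testing them in full and sampling only the long tail gives high coverage from seven selections. The projection is kept separate from selection so the same functions serve a second stratum or a different projection rule.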


Chapter 7: Auditing Specific Accounts and Year-End Procedures

7.1 Revenue and Receivables

Revenue is one of the highest-risk areas in any audit, due to the strong incentive for management to overstate revenues to meet targets or analyst expectations.

Key assertions at risk:

  • Occurrence/Existence: Is revenue real? Were the underlying sales transactions genuine? Fictitious revenue (recording sales that never occurred) is a common form of financial statement fraud.
  • Cutoff: Is revenue recorded in the correct period? “Channel stuffing” (shipping goods at year-end to meet targets with the understanding customers will return them) and bill-and-hold arrangements require careful cutoff analysis.
  • Accuracy/Valuation: Are revenues recorded at the correct amounts? Are discounts, returns, and allowances properly accounted for?

Common audit procedures for revenue:

  • Revenue cutoff testing (examining transactions close to period-end to verify correct period attribution)
  • Confirmation of significant receivable balances
  • Detailed analytical procedures comparing revenues by product, geography, and period
  • Review of significant contracts for proper revenue recognition under IFRS 15

7.2 Purchases, Payables, and Inventory

For purchases and payables, the primary risk is understatement — management may omit liabilities to improve the apparent financial position.

Completeness is the primary assertion at risk for accounts payable. Procedures include searching for unrecorded liabilities (examining invoices received after year-end, reviewing significant payments made after year-end, confirming outstanding amounts with major suppliers).

Inventory carries multiple assertion risks: valuation (is inventory carried at the lower of cost and net realizable value?), existence (is the inventory actually present?), and cutoff (are purchases and sales near year-end recorded in the correct period?). The auditor typically observes the client’s physical inventory count to obtain evidence about existence.

7.3 Year-End Completion Activities

Contingent liabilities: Events whose financial outcome is uncertain at year-end (pending litigation, warranty obligations, tax disputes). The auditor reviews legal correspondence, minutes of board meetings, and obtains legal letters from the entity’s lawyers confirming the status and estimated exposure of known disputes.

Subsequent events: Events occurring between the balance sheet date and the audit report date that may require adjustment or disclosure. “Adjusting events” (providing evidence of conditions at year-end) require adjustment of the financial statements; “non-adjusting events” (indicating new conditions arising after year-end) require disclosure only if material.

Related-party transactions: Transactions between the entity and its owners, management, or related entities (subsidiaries, affiliates). These carry elevated risk because they may not be conducted on arm’s-length commercial terms. The auditor must identify related parties, determine whether transactions have been properly disclosed, and assess whether amounts are reasonable.

Letter of representation: A written confirmation from management acknowledging responsibility for the financial statements and confirming certain representations made to the auditor. This does not substitute for other evidence but provides an additional layer of accountability.


Chapter 8: Audit Opinions and Reporting

8.1 Types of Audit Opinions

The auditor’s report is the primary output of the audit engagement — the formal expression of the auditor’s conclusion. Four types of opinion are available, one unmodified and three modified:

| Opinion type | When issued | Nature |
|---|---|---|
| Unmodified (clean) | Financial statements are fairly presented in all material respects | No qualification |
| Qualified | Material misstatement that is not pervasive, or scope limitation that is not pervasive | “Except for…” language |
| Adverse | Material misstatement that is pervasive — the statements as a whole are misleading | Outright rejection of fair presentation |
| Disclaimer | Scope limitation so significant that the auditor cannot express an opinion | Refusal to opine |

A material misstatement is pervasive if it affects many elements of the financial statements or, even if concentrated in a single area, represents a substantial portion of the statements or is fundamental to users’ understanding.

8.2 Other Types of Assurance Reports

Review engagement: Provides limited (not reasonable) assurance. The practitioner performs primarily inquiry and analytical procedures, issuing a conclusion in negative form. Less costly than an audit, appropriate for private companies or interim periods.

Compilation engagement: No assurance is provided. The practitioner assists management in preparing financial statements using professional knowledge, but does not evaluate the information. Required disclosure: the practitioner does not express an opinion.

Agreed-upon procedures: The practitioner performs specific procedures agreed with the engaging party and reports the factual findings only — no conclusion or assurance is expressed. Used for targeted verification of specific items (e.g., verifying a particular account balance for a transaction).

8.3 Technology in Auditing

Audit data analytics (ADA) and AI are transforming audit methodology:

Full-population testing: Rather than sampling, auditors can now analyze entire transaction populations using data analytics tools — identifying anomalies, unusual patterns, or outliers that would not emerge from sampling alone. This improves both efficiency and effectiveness.

Machine learning applications: Anomaly detection algorithms can flag unusual journal entries, identify suspicious transactions, or highlight accounts with unexpected characteristics — directing auditor attention more precisely to high-risk areas.

Limitations: AI and analytics cannot replace the auditor’s professional judgment — they surface patterns but cannot determine whether anomalies represent errors, fraud, or legitimate unusual transactions. Cybersecurity risks embedded in the client’s systems become relevant audit considerations when auditing IT-dependent financial reporting processes.
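As an added example (not from the course notes), the script below runs a small full-population screen of the kind section 8.3 describes over a constructed journal-entry ledger. It combines rule-based tests that auditors commonly apply to manual entries (weekend or after-hours posting, posting by a user outside the finance group, round amounts, manual revenue entries in the last days before period end) with a robust statistical outlier test on amounts, and ranks entries by how many flags they collect. The journal entries, the authorised-user list, the period end and every threshold are constructed assumptions; the output is a list of entries for auditor follow-up, not a determination of error or fraud.

```python
"""Rule-based and statistical screening of a journal-entry population.

Added example, not from the course notes. Entries, users, period end and
thresholds are constructed. Flags direct an auditor's attention; they do
not decide whether an entry is an error, fraud, or a legitimate oddity.
"""
from collections import namedtuple
from datetime import datetime
from statistics import median

FINANCE_USERS = {"jlee", "mpatel"}      # constructed list of authorised posters
PERIOD_END = datetime(2023, 12, 31)     # constructed year-end
ROUND_AMOUNT_UNIT = 10_000              # amounts that are exact multiples are "round"
DAYS_BEFORE_PERIOD_END = 3              # window for the late manual revenue rule
Z_THRESHOLD = 3.5                       # usual cut-off for the modified z-score

Entry = namedtuple("Entry", "id user posted account amount manual")

# Constructed journal entries (id, poster, timestamp, account, amount, manual?)
ENTRIES = [
    Entry("JE-001", "jlee",   datetime(2023, 12, 5, 10, 15),  "4000-Revenue",    12_430.50, False),
    Entry("JE-002", "mpatel", datetime(2023, 12, 12, 14, 40), "5000-Expense",     8_215.00, False),
    Entry("JE-003", "jlee",   datetime(2023, 12, 15, 9, 5),   "4000-Revenue",    22_100.75, False),
    Entry("JE-004", "mpatel", datetime(2023, 12, 18, 16, 20), "2000-Payables",    5_640.20, False),
    Entry("JE-005", "mpatel", datetime(2023, 12, 20, 11, 0),  "4000-Revenue",    17_980.00, False),
    Entry("JE-006", "jlee",   datetime(2023, 12, 30, 23, 50), "4000-Revenue",   250_000.00, True),
    Entry("JE-007", "rkumar", datetime(2023, 12, 29, 12, 30), "5000-Expense",     3_999.00, False),
    Entry("JE-008", "jlee",   datetime(2023, 12, 22, 8, 30),  "1200-Inventory",  30_000.00, False),
    Entry("JE-009", "mpatel", datetime(2023, 12, 29, 15, 0),  "4000-Revenue",     9_750.00, True),
]


def modified_z_scores(values):
    """Median/MAD-based z-scores; robust to the skew typical of ledger amounts.

    A plain mean/standard-deviation z-score cannot exceed sqrt(n-1) in a small
    population, so one huge entry among nine would never reach 3.0.
    """
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]


def screen_entries(entries, finance_users=FINANCE_USERS, period_end=PERIOD_END):
    """Return {entry id: [flag, ...]} for every entry that trips at least one test."""
    scores = modified_z_scores([e.amount for e in entries])
    flagged = {}
    for entry, z in zip(entries, scores):
        flags = []
        if entry.user not in finance_users:
            flags.append("non_finance_user")
        if entry.posted.weekday() >= 5 or not 7 <= entry.posted.hour < 19:
            flags.append("off_hours")
        if entry.amount > 0 and entry.amount % ROUND_AMOUNT_UNIT == 0:
            flags.append("round_amount")
        days_to_period_end = (period_end - entry.posted).days
        if (entry.manual and entry.account.startswith("4000")
                and 0 <= days_to_period_end <= DAYS_BEFORE_PERIOD_END):
            flags.append("manual_revenue_near_period_end")
        if abs(z) > Z_THRESHOLD:
            flags.append("statistical_outlier")
        if flags:
            flagged[entry.id] = flags
    return flagged


def rank_for_follow_up(flagged):
    """Most flags first; ties broken by entry id so the order is stable."""
    return sorted(flagged, key=lambda entry_id: (-len(flagged[entry_id]), entry_id))


if __name__ == "__main__":
    flagged = screen_entries(ENTRIES)
    for entry_id in rank_for_follow_up(flagged):
        print(f"{entry_id}: {', '.join(flagged[entry_id])}")
```

The median/MAD score is used deliberately: with a mean-based z-score a single large entry in a small population cannot exceed a z of about 2.8, so the outlier test would never fire. The multi-flag entry posted late on a Saturday before period end rises to the top of the list, but each flag on its own (a round amount, a late manual revenue entry) is routinely legitimate, which is the point the notes make about analytics needing professional judgment to interpret.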

ESG assurance: As ESG reporting gains regulatory traction (IFRS S1/S2, SEC climate disclosure rules), the demand for independent assurance over non-financial information is growing. ESG assurance applies the same fundamental assurance framework but faces challenges around criteria specificity, data reliability, and practitioner competence in environmental and social measurement.
