Auditing a Tier 3 PBE with a Statement of Service Performance (Part 3)

In Part 2 we looked at specific tips around loading the TB, assessing materiality, understanding internal controls, preliminary analytical review, related parties, going concern, fraud etc.

In this article we will pull all this planning together into a strategy and plan, and move into our evidential testing.

Risk Analysis, Strategy and Plan (E4)


  • Everything flagged up to this point is accumulated on this page for analysis:
    • The risk is described
    • The level of risk is identified (low, medium, high or significant)
    • Key assertions relating to the risk are identified (for instance grant income would involve allocation/cut-off, completeness, ownership, value)
    • Tests – a space where potential work may be done to address or possibly reduce the risk to an acceptable level
    • Everything above low also opens a separate area where the auditor identifies reporting level (financial statement or assertion), risk type (inherent, control or audit), potential financial impact (low, medium or high) and likelihood of occurrence
    • Any relevant internal controls may also be listed there
    • In a small job it is efficient to address items directly – for instance we might prove in total items and just add a comment rather than doing a full analysis – wages for instance where there are a few staff on annual salaries
    • Flagging totals of classes of similar income (say grants) may be efficient as similar risks will exist for the whole class – same with classes of expenses
    • These risk assessments will carry through onto lead schedules



  • Strategy is the practical execution of the audit – the what where, when and how – may be summarised in a comment for a small job rather than a page
  • External confirmations also done from here – (page E6):
    • Use if this will make the job more efficient (e.g. Grants confirmations if the evidence on file is not clear)
    • Also, may be useful for related parties’ issues – inter-entity or transactions with individuals

Audit Plan Development:

  • A summary – need not be excessive, just giving a clear overview of what is to be done based on the identified risks

Summary of Risk:

Here we look at all the risks we have identified and aggregate it into an overall inherent risk, overall control risk, and then we set detection risk so that our overall audit risk is acceptable:


  • Inherent Risk is the risk of a material misstatement in the financial statements arising due to error or omission as a result of factors other than the failure of controls:
    • Generally considered to be higher where a high degree of judgment and estimation is involved or where transactions of the entity are highly complex – so a small entity this may not be high due to complexity but other factors
  • Control Risk is the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control:
    • This is more likely with a small entity where the possibility of human errors or mistakes, or of controls being circumvented by collusion or inappropriate management override exists perhaps more so than in larger entities
    • Accordingly, some control risk will always exist
    • To be able to assess the control risk as anything but high, we have to identify and test the control(s)
    • Therefore, in a small entity control risk will not be low due to lack of division of duties
  • We set detection risk depending on the assessment of inherent and control risk – so that overall audit risk is acceptable:
    • So in most cases in small jobs the detection risk will be set as low because control risk is high
    • It is possible that a simple entity with good oversight and lack of inherent risk may have detection risk set as medium – however we will always be doing substantive testing
  • When we summarise the nature timing and extent of testing we summarise the reliance being placed on controls, then plan how much we will use analytical review testing and how much transaction sample testing:
    • Some using a weighting system – allocating points out of 10 to the three areas – say 2 to controls because we have identified a good culture and oversight exercised by governance, 4 to analytical review as the entity prepares good budgets and all spending is tightly regulated, and we can see that results are close to budget, so we allocate say 4 to sampling – which means that we have a can reduce the amount of confidence we are placing on sampling and reduce our confidence level in sampling to below 1.0 (say)
    • We don't make specific recommendations or formulas within Audit Assistant as many firms already have this process identified in their internal procedures 


Evidential testing (sections G to V)

Once we have completed planning we come to the body of our audit work:

Lead schedules:

The individual risk assessment on TB items will flow through to lead schedules:

  • We have already covered off much of our income in terms of proof in total
  • There are checklists in the Income and Expenditure sections (repeated in the W presentation section if required) which cover revenue and expenditure recognition rules
  • Based on planning we have decided how we are going to test our risk items
  • We still answer our generic lead schedule questions for example:
    • Review minutes work for evidence of possible unrecorded income sources.
    • Note client discussion regarding any changes to activities during year that may be relevant to income.
    • Look at Preliminary Analytical Review for unusual fluctuations that may indicate anomalies requiring further testing
    • Scan general ledger entries for any unusual or miscoded items and follow up as appropriate.
    • Prove in total regular / expected income.

Transactions testing:

As part of our planning we have decided what we can cover with analytical review/ proof in total work, and how much we will need to cover by way of sampling.


  • In many small entities this will probably not be required for income or wages as high value/risk items will likely be covered by proof in total and analytical review work
  • For expenditure there is likely to be a range of expenditure which will require substantive testing by way of sampling and testing transactions
    • Remember we can use a different testing page for different types of expenditure (versions of H2) for example “costs related to providing service” could be the subject of on H2 version – name may be amended when new version of the H2 page is created
    • Pull the total into the “Balances Included in Testing” area
    • Use “Add detail of method and rationale option to bring up sampling statistical tool – this generates a sample size and random starting number based on performance materiality and a confidence level that we add
    • We can exclude from our sample everything we have adequately already tested (this will be tagged in the lead schedule)
    • When we have developed our audit plan we will have probably planned how much weight we will give to AR and how much to rely on sampling
    • “The more the auditor is relying on other substantive procedures (tests of details or substantive analytical procedures) to reduce to an acceptable level the detection risk regarding a particular population, the less assurance the auditor will require from sampling and therefore, the smaller the sample size can be” (ISA (NZ) 530 appendix 3)
    • If we are relying on controls, or if analytical review is covering part of our audit risk we can reduce our sample confidence level which will increase our sampling interval and so reduce the number of sample items we will pick


  • This result may then be applied to the data (say in Excel) by creating a cumulative total column, and stepping through that column from the generated random starting point using the sampling interval - this should yield a sample of 31 in the above example
    • At this point we do not have a data analytics tool built in to AA to generate samples - Excel may be used or Excel -based tools like TeamMate Analytics are commonly used 
  • Select tests to apply, create table, do testing work on sample and assess results
    • select tests to apply or make your own:


  • If a sample is created in Excel it may be imported into the testing table
  • Columns of import file should match table, or table columns may be changed from edit button on parent page


Other testing:

  • There is a checklist (e.g. H3) to check that specific types of expenditure are allocated correctly according to PBE SFR – A (NFP) – similarly in income
  • Any other testing added at risk assessment in planning stage and already carried out will be shown in totals at top of lead schedule
  • Journals testing (J1) is important for small entities in particular as identified by ISA 315 task force
  • Continue with Balance Sheet items, creating journal adjustments if errors found, management letter points etc.
  • Any items of special importance to bring to partner attention add as key issues – these will be listed at the top of the Audit Summary page (Z2)

These notes are taken from a series of training sessions currently being developed looking at using Audit Assistant for different kinds of entities.

Go to part 4...


Have more questions? Submit a request

Subscribe to our mailing list

We have a regular newsletter which includes the latest updates in the audit and assurance space as well as on to our latest work.

Click here to view previous newsletters, enter your email below to subscribe.