Technical Spotlight: How to Develop an Audit Plan on the CFE

(Posted July 2025)

Audit planning, in some form, has appeared on most CPA Common Final Examinations (CFE) since the first CFE in September 2015. Candidates often struggle with ensuring proper depth and technical accuracy in their audit planning responses. In this blog, we answer many of the frequently asked questions about audit planning on the CFE so you can write with confidence.

How is audit planning tested on the CFE?

Audit planning can be tested in a variety of ways on both the Day 2 Assurance role and Day 3. Therefore, you need to adapt to the case rather than apply the same templated approach each time. We have seen:

  • Development of a full audit plan, which entails assessing each of risk of material misstatement, materiality, and overall audit approach. The requirement will generally either ask you to provide an audit planning memo or will specify each of the three areas noted above.
  • Development of a partial audit plan, which includes assessing one or two of risk of material misstatement, materiality, and overall audit approach. The required will specify which area(s) are to be addressed.
  • Revision of an audit plan already completed by another staff member, which can include assessing the work done for each of risk of material misstatement, materiality, and overall audit approach, or only some of these elements, depending on the required.

The information provided below relate to the development of an audit plan. If a revision of an audit plan is requested, the same “depth” expectations exist for each area, although the nature and context by which the various concepts are assessed may differ.

How do you develop a reasonable risk of material misstatement assessment?

Risk of material misstatement should be assessed at an overall financial statement (F/S) level in an audit planning role. The following steps should be applied to gain depth:

Use case facts to identify the specific risk factor
  • Use case facts to tailor the risk to the company’s specific situation. Avoid general risk factors that can apply to most companies as these may not be awarded (e.g., being privately held and therefore, having fewer external users).
Explain how the risk factor can lead to material misstatements at an overall F/S level
  • This is where most candidates fall short in gaining depth in their response. Provide an explicit statement that explains how errors can occur (or can be reduced) based on the risk factor noted. Simply listing a risk factor with case facts and concluding that it increases or decreases risk is not sufficient. You should avoid focusing on explaining how business risk will be impacted – for example, revenues will decline, the business could go bankrupt, etc. The context needs to be clearly linked to a F/S perspective. If the concept of control weaknesses is being assessed as a relevant risk factor, ensure to provide an example and go beyond simply saying “Controls are weak, which increases risk”. An explicit statement tied to error risk is key. For example, “A number of control weaknesses exist, including a lack of segregation of duties in the accounts payable and accounts receivable departments. This can result in fraud and errors impacting several accounts, which increases overall F/S risk.”
  • Diversify the risk factors provided. For example, the concept of control weaknesses is generally considered as one overall risk factor. Providing multiple individual risk factors with examples of different control weaknesses is generally not awarded more than once.
  • Focusing on account-specific concepts is not awarded. For example, individual accounting errors tied to assertions. At the overall F/S level, the concept of accounting errors in totality is important to address. If referencing examples of errors from your response,  take this further and explicitly note that these errors could mean that other undetected errors exist impacting several areas of the F/S.
Conclude on the risk level as a whole after assessing the individual risk factors
  • Ensure that the assessment ends with an explicit and definitive conclusion on the risk level. This cannot just be implied. The marker cannot assume what the risk level is unless explicitly told. This is especially important when both increasing and decreasing risk factors are provided, when the risk level from prior year has been provided, or when you are revising a risk assessment that has deficiencies.
  • It is also important that your conclusion match your analysis. For example, if five risk factors are assessed, with four of them increasing risk, an overall conclusion of moderate risk is likely not supported.

It is ideal to use a bulleted list when assessing risk factors. You can more easily track volume (breadth) of coverage, while being more efficient in your writing, as opposed to using paragraphs. For the marker, this clearly conveys how many different risk factors have been assessed and differentiates each one. Each bullet point should be a complete thought and point form should be avoided.

How do you develop a reasonable materiality assessment for an audit engagement?

A reasonable materiality assessment should include the following steps:

Identify the relevant F/S users

Identify the relevant F/S users using case facts. As a general guideline, aim to consider at least two of them (with more needed on Day 2 for the Assurance role). These often include, but are not limited to, the existing shareholders, prospective investors, existing lenders, prospective lenders, and management (e.g., if a bonus is linked to F/S results). Avoid identifying users that may exist but who are not explicitly mentioned in the case.

Explain the users’ needs from a F/S perspective

You then need to explain each F/S user’s needs, including the most relevant F/S area(s). For example, if the bank has requested an audit be performed, a reasonable explanation of their needs would include: “The bank is interested in the company’s ability to generate cash flows and repay the loan, which means profitability and net income are important to them.” This provides a clear connection to the F/S.

Select and support an appropriate materiality basis and threshold

Select an appropriate basis to be used for materiality and support why it is most relevant. The basis used should consider all F/S user’s needs and how to best satisfy them. Typically, pre-tax income from continuing operations is a relevant basis that satisfies most F/S user needs, although this is not always the most relevant one. Judgment will be required based on the situation presented and individual needs of the F/S users. In some instances (e.g., when there is a loss), revenue, total assets, or another base may be more relevant.

After selecting the appropriate basis, an appropriate threshold must be set for calculating materiality. The threshold used should be consistent with CAS guidelines (e.g., 3-7% for pre-tax income from continuing operations), and should be justified by integrating F/S user sensitivity. Typically, the more sensitive users are to misstatements, the lower the threshold that should be applied. Do not support the threshold by linking to risk of material misstatement (e.g., using a lower threshold because risk is high), as this is technically inaccurate.

Calculate materiality

Calculate materiality  when F/S figures are provided. If accounting errors exist and can be quantified, based on other requirements in the case, you should integrate the adjustments into your materiality calculation, to the extent they impact the basis chosen.

Consider performance materiality

Assessing performance materiality involves using case facts to support a threshold for the calculation, linking to your risk assessment provided (unlike overall materiality, the higher the risk, the lower the performance materiality percentage). Then, compute the amount based on the overall materiality amount derived earlier.

How do you develop a reasonable audit approach assessment?

A reasonable audit approach assessment should include the following steps:

Assess the control environment using case facts

Use specific case facts to assess the control environment, including areas where control weaknesses exist and/or where effective controls may exist. This may include an analysis of specific control areas in certain departments, as well as higher-level oversight mechanisms, such as the existence and usefulness of an Audit Committee, Internal Audit function, Board of Directors, etc. Specific examples should be provided in this section of your response. A statement is provided in the audit approach area indicating in general that controls are weak based on the risk assessment and/or control weakness assessment provided is insufficient.

Conclude on whether a combined or substantive approach should be adopted

A specific and definitive conclusion should be provided as to whether a combined or substantive approach should be taken (or perhaps a combination of both approaches for different areas of the company, depending on the nature of the situation). The conclusion should be consistent with the control environment assessment. For example, a combined approach should not be suggested if controls are deemed to be weak.

You should also convey the concept of relying on and testing controls, if relevant. For example, in a fully substantive approach, controls will not be relied upon or tested.

Are there additional considerations that should be assessed in an audit planning role?

If it is the first time that a company is being audited, consider the following when assessing the audit approach:

  • The need to understand and evaluate the design of controls, even if not planning to rely on them
  • Possible scope limitations relating to opening balances such as inventory
  • Whether the comparative figures need to be audited

Other possible considerations may exist, including but not limited to:

  • This may be the first time that your audit firm is auditing the company, as the previous auditor is no longer engaged, leading to a need to contact the predecessor auditor and fulfill certain other obligations (e.g., reviewing working papers, etc.)
  • Independence concerns may be triggered
  • The implementation of a new accounting system during the year may lend itself to a discussion of work required in this area, including the need to understand and/or test the system and to consider the implications of data conversions and system testing completed by the client
  • The audit approach requirement may be linked explicitly to the use of Computer Assisted Audit Techniques (CAATs) and how that fits into the overall audit strategy
  • The overall audit approach requirement may be linked to the component auditor concept (if another audit firm is also involved in the audit), leading to a discussion of relevant roles and responsibilities

Each area above could also be a directed requirement on its own, separate from audit planning.

Can I memorize an audit planning template and always apply it?

While the general steps explained above are useful to memorize and apply consistently, it may not always be effective to apply common concepts to certain areas. Audit planning is never tested in exactly the same way twice. For example:

  • Certain risk factors may be valid in general, but not necessarily the most relevant. For example, focusing on a private company having fewer users in general is not a tailored concept. Also, while a first-time audit typically increases risk, if the company has previously had review engagements performed, this may lessen the risk involved, since the opening balances have had some assurance provided over them.
  • For materiality, pre-tax income from continuing operations is often the default basis chosen. However, it may not always be the most relevant based on specific user needs and/or whether a loss exists. Further, while lenders are often a valid user, they should only be considered if they are explicitly mentioned in the case.
  • While inventory tends to be the most common account considered for scope limitation concerns, not all companies maintain inventory or the balance could be very small, making this point irrelevant.   

Instead, as you debrief your practice cases, understand why each element of the audit plan is present. Where did the information come from in the case? Why is it relevant? This will help fine-tune your skills for each part of the audit plan so you can adapt to the unique case facts presented instead of just applying a memorized template.

How much detail is needed for each audit planning aspect?

The amount of detail will depend on the nature of the requirement, the company’s situation, and the type and volume of facts presented. For example, if you are specifically asked to focus only on materiality or the overall audit approach as part of the CFE Day 2 Assurance role, a more detailed assessment of those area(s) is required than if all three areas are required. Judgment is necessary when planning your audit planning response. 

While commonly tested, audit planning is an area where candidates continue to struggle to score Competent.  To help you prepare, we have designed approach and technical materials in the Densmore Scenario Flowcharts Workbook and in our Skill Drills, both of which are included in our CFE Prep course.