News & Insights

Tailoring Your PPC Audit Programs

August 21st, 2025
|
By Dave Nielsen |
Audit |
Audit & Assurance |
Peer Review
Facebook Twitter LinkedIn Email

It’s critical that your audits focus more effort on higher-risk assertions and less effort in responding to lower-risk assertions. Your PPC audit guides provide three sets of programs:

  • Core Audit Programs
  • Initial Audit Programs
  • Specified Risk Programs (not included in all PPC audit guides)

These programs provide starting points for you when developing an audit response and determining the nature, timing, and extent of further audit procedures that need to be per-formed in response to the risk assessment at the relevant assertion level.

Modifying audit programs is necessary to ensure that substantive procedures are clearly linked to assessed risks. Both the core and specified risk audit programs need to be tailored to respond to the individual risk assessment. It is important for the auditor to perform a careful review of the procedures in each program when deciding which program to start with for a significant audit area. We anticipate that auditors will tailor all the PPC audit programs for individual significant audit areas to respond to an entity’s specific risks and circumstances.

Tailoring Core Audit Programs

Core audit programs include general audit programs and audit programs for individual financial statement audit areas.

General Audit Programs

The audit programs for general procedures include the general steps performed in any audit. Tailoring typically involves removing or adding procedures to fit the specific circumstances of the engagement.

Programs for Significant Audit Areas

The audit programs for significant audit areas are designed to correspond with the auditor’s risk assessments and decisions about the audit approach at the assertion level, as documented on the “Risk Assessment Summary Form” (CX-7.1). On that form, the auditor documents significant audit areas, the risks of material misstatement affecting relevant assertions (including fraud risks or other significant risks), the assessment of those risks at the assertion level, the planned audit approach that is appropriately tailored to respond to the assessed level of risk, and the linkage of the assessed risks to the audit procedures that respond to those risks.

You might recall that the basic procedures section of the audit programs includes primarily substantive analytical procedures and certain tests of details, many of which are required by specific AU-C sections. The basic procedures might be sufficient when the risk of material misstatement has been assessed as low or moderate for relevant assertions. These procedures are supplemented in areas of greater risk by selected extended procedures (procedures for additional assurance).

Selecting Extended Procedures (Procedures for Additional Assurance)

An auditor needs to select procedures that are most appropriate to respond to the risk assessment. To help auditors in selecting appropriate extended procedures and to show linkage between the assessed risk and the further audit procedures performed to respond to the risk, each procedure on the audit programs indicates the assertions that are primarily and secondarily addressed by that procedure.

If the auditor determines that the risk of material misstatement hasn’t been responded to adequately after performing procedures or if there isn’t a procedure in the audit program that responds to the identified risk, the auditor needs to develop an appropriate response by editing or adding audit program steps.

The selection of extended procedures needed to respond to a particular risk is a matter of auditor judgment. In some cases, selected steps in extended procedures can replace steps in the basic procedures. The auditor need not apply certain procedures in the basic procedures section if planned extended procedures are sufficient to reduce the risk of material misstatement to an appropriately low level. been developed based on a predefined set of risk assumptions and include procedures that are typical in a less complex, nonpublic engagement. If the risk assessment for a particular assertion differs from the assumed underlying risk assumptions, the auditor considers how to modify the audit program for that assertion to adequately respond to the risk assessment. If additional procedures are needed, they can be selected from the basic, extended, and other procedures included within the core audit programs.

Questions? Reach Out to Maner’s Audit Team

If you have questions about how to tailor your PPC audit programs or need additional support modifying your approach, the Maner audit and assurance team is here to help. Contact us today, and we’ll help you review the procedures and find a plan that works best for your organization’s highest priorities.

Recent Posts

From Policing to Partnering: Rethinking How We Enforce Controls
November 19th, 2025
New Itemized Deduction Limitation will Affect High-Income Individuals Next Year
November 18th, 2025
Minimize Your Business’s 2025 Federal Taxes by Implementing Year-End Tax Planning Strategies
November 18th, 2025
Occupational Fraud Still Affects Many Businesses
November 17th, 2025
Maner Costerisan Strengthens West Michigan Presence Through Baker Holtz Merger
November 17th, 2025
What’s the Right Inventory Accounting Method for Your Business?
November 14th, 2025
Strengthen Organizational Performance with a Process Review
November 14th, 2025
The Right Board for Your Nonprofit
November 12th, 2025