The stronger the internal controls the less substantive testing must be performed

journal article

The Effects of Sarbanes-Oxley on Auditing and Internal Control Strength

The Accounting Review

Vol. 82, No. 2 (Mar., 2007), pp. 427-455 (29 pages)

Published By: American Accounting Association

https://www.jstor.org/stable/30243472

Abstract

We provide a theoretical investigation of the effects of the Sarbanes-Oxley Act of 2002 on auditing intensity and internal control strength. We propose a model of strategic auditing in which the auditor can use resources for both internal control tests and substantive tests, while the manager can choose the strength of internal controls and the amount of fraud. We find that control tests are a valuable tool for the auditor when control strength is informative about the likelihood of fraud. We find that Sarbanes-Oxley has the desired effect of inducing stronger internal control systems and less fraud, but does not necessarily induce higher levels of control testing. Our model suggests that audit risk increases as a result of the Sarbanes-Oxley Act.

Journal Information

The Accounting Review is the premier journal for publishing articles reporting the results of accounting research and explaining and illustrating related research methodology. The scope of acceptable articles embraces any research methodology and any accounting-related subject. The primary criterion for publication in The Accounting Review is the significance of the contribution an article makes to the literature.

Publisher Information

The American Accounting Association is the world's largest association of accounting and business educators, researchers, and interested practitioners. A worldwide organization, the AAA promotes education, research, service, and interaction between education and practice. Formed in 1916 as the American Association of University Instructors in Accounting, the association began publishing the first of its ten journals, The Accounting Review, in 1925. Ten years later, in 1935, the association changed its name to become the American Accounting Association. The AAA now extends far beyond accounting, with 14 Sections addressing such issues as Information Systems, Artificial Intelligence/Expert Systems, Public Interest, Auditing, taxation (the American Taxation Association is a Section of the AAA), International Accounting, and Teaching and Curriculum. About 30% of AAA members live and work outside the United States.

Rights & Usage

The Accounting Review © 2007 American Accounting Association

Chapter learning objectives

When you have completed this chapter you will be able to:

  • Discuss the quality and quantity of audit evidence;
  • Explain the purpose of substantive procedures;
  • Explain why an auditor needs to obtain an understanding of internal control;
  • Explain the need to modify the audit strategy and audit plan following the results of tests of control;
  • Define audit sampling and explain the need for sampling;
  • Discuss, and provide relevant examples of, the application of the basic principles of statistical sampling and other selective testing procedures;
  • Explain the use of computer-assisted audit techniques;
  • Discuss the extent to which auditors are able to rely on the work of experts; and
  • Discuss the extent to which external auditors are able to rely on the work of internal audit.

1 Why does the auditor need evidence?

Imagine a court case where someone has been accused of theft: a jury could not simply say someone is or is not guilty based upon their appearance. They must consider evidence gathered by both the defence and the prosecution and then, based upon the evidence presented, reach a conclusion.

Similarly, in order for the auditor's opinion to be considered trustworthy it must be based upon more than simple judgement and gut feeling. Auditors must come to their conclusions having completed a thorough examination of the books and records of their clients and they must document the procedures performed and evidence obtained, to support the conclusions reached.

2 Sufficient, appropriate evidence

The overall objective of an auditor, in terms of gathering evidence, is described in the auditing standards, namely ISA 500 Audit Evidence:

"The objective of the auditor is to design and perform audit procedures in such a way to enable the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor's opinion."

  • Sufficiency relates to the quantity of evidence.
  • Appropriateness relates to the quality and reliability of evidence.

Sufficient evidence

There needs to be 'enough' evidence to support the auditor's conclusion. What is 'enough' at the end of the day is a matter of professional judgement. However, when determining whether they have enough evidence on file the auditor must consider:

  • the risk of material misstatement;
  • the materiality of the item;
  • the nature of accounting and internal control systems;
  • the auditor's knowledge and experience of the business;
  • the results of controls tests;
  • the size of a population being tested;
  • the size of the sample selected to test; and
  • the reliability of the evidence obtained.

Consider, for example, the audit of a bank balance:

Auditors will confirm year-end bank balances directly with the bank. This is a good source of evidence but on its own is not sufficient to give assurance regarding the completeness and final valuation of bank and cash amounts. The key reason is timing differences. The client may have received cash amounts or cheques before the end of the year, or may have paid out cheques before the end of the year, that have not yet cleared the bank account. For this reason the auditor should also perform a bank reconciliation.

In combination these two pieces of evidence will be sufficient to give assurance over the bank balances.

Appropriate evidence

Appropriateness of evidence breaks down into two important concepts:

  • reliability; and
  • relevance.

Reliability

Auditors should always attempt to obtain evidence from the most trustworthy and dependable source possible. Evidence is considered more reliable when it is:

  • obtained from an independent external source;
  • generated internally but subject to effective control;
  • obtained directly by the auditor;
  • in documentary form; and
  • in original form.

Broadly speaking, the more reliable the evidence the less of it the auditor will need. However the converse is not necessarily true: if evidence is unreliable it will never be appropriate for the audit, no matter how much is gathered.

Relevance

To be relevant audit evidence has to address the objective/purpose of a procedure. For example:

Attendance at an inventory count provides us with a good example of the relevance of procedures. During counting the auditor considers the relationship between inventory records and physical inventories, as follows:

  • identifying items of physical inventory and tracing them to inventory records to confirm the completeness of accounting records; and
  • identifying items on the inventory record and tracing them to physical inventories to confirm the existence of inventory assets.

Whilst the procedures are perhaps similar in nature their purpose (and relevance) is to test different assertions regarding inventory balances.

ISA 330 The Auditor's Responses to Assessed Risks requires the auditor to design and perform audit procedures whose "nature, timing and extent are based on and are responsive to the assessed risks of material misstatement".

  • Nature refers to the type of audit procedure that is carried out and the source of audit evidence.
  • Timing refers to the decision to carry out procedures during an interim and final audit, just a final audit (see planning chapter), or continuously throughout the year using Computer Assisted Audit Techniques (CAATs).
  • Extent is about sampling.

3 Sources of audit evidence

Auditors can obtain assurance from:

Tests of control: Tests of control are designed to evaluate the operating effectiveness of controls in preventing or detecting and correcting material misstatement.

and/or

Substantive procedures: Substantive procedures are designed to detect material misstatement.

Tests of controls

Audit risk = inherent risk × control risk × detection risk

In order to design further audit procedures the auditor must assess the risk of material misstatement in the financial statements.

Internal controls are a vital component of this risk model; they are the mechanisms that clients design in an attempt to prevent, detect and correct misstatement. This is not only necessary for good financial reporting; it is also necessary to safeguard the assets of the shareholders and is a requirement of corporate governance.

The fundamental principle is: the stronger the control system the lower the risk of material misstatement in the financial statements.

Therefore auditors can seek to place some reliance on internal control systems and, as a result, reduce the substantive testing performed. In order to be able to do this they need to:

  • Ascertain how the system operates;
  • Document the system in audit working papers;
  • Test the operation of the system;
  • Assess the design and operating effectiveness of the control system; and
  • Determine the impact on the audit approach for specific classes of transactions, account balances and disclosures. 

We will learn more about the systems themselves and tests of controls in the chapter 'Systems and controls'.

Substantive procedures

Substantive procedures consist of both:

  • Tests of detail: tests of detail verify specific transactions and balances; and
  • Substantive analytical procedures: analytical procedures (as seen in an earlier chapter) involve the evaluation of financial information through analysis of plausible relationships among both financial and non-financial data.

4 The impact on the audit approach

If the risk assessment indicates significant risk of material misstatement due to deficiencies in internal controls the auditor should respond by:

  • increasing procedures conducted at and after the year-end;
  • increasing substantive procedures; and
  • increasing the locations included in the audit scope.

An effective control environment may allow the auditor to place more reliance on internal controls and evidence generated internally within the entity. Typically this increases the appropriateness of interim testing and allows the auditor to reduce the quantity of detailed substantive procedures performed. Whilst this is true to a certain extent, the auditor can never eliminate the need for substantive procedures entirely, because there are inherent limitations to the reliance that can be placed on internal control due to:

  • human error in the use of judgement;
  • simple processing errors and mistakes;
  • collusion of staff in circumventing controls; and
  • the abuse of power by those with ultimate controlling responsibility.

The extent of substantive testing to be carried out will depend on the auditor's assessment of the internal control system and the auditor's assessment of the risk of material misstatement.

In some circumstances the auditor may rely solely on substantive testing:

  • The auditor may choose to rely solely on substantive testing where it is considered to be a more efficient or more effective way of obtaining audit evidence, e.g. for smaller organisations.
  • The auditor may have to rely solely on substantive testing where the client's internal control system cannot be relied on.

The auditor must always carry out some substantive procedures on material items, and also carry out specific substantive procedures required by ISA 330.

Required minimum substantive procedures

ISA 330 The Auditor's Responses to Assessed Risks requires the auditor to carry out the following substantive procedures:

  • Agreeing the financial statements to the underlying accounting records;
  • Examination of material journals; and
  • Examination of other adjustments made in preparing the financial statements.

5 Types of audit procedures

ISA 500 identifies eight types of procedures, listed below, that the auditor can adopt to obtain audit evidence.

In the chapter 'Audit procedures' we will look in detail at how these procedures are applied in specific circumstances.

Explanation of techniques

Inspection of documents and records

  • May give evidence of ownership (rights and obligations), e.g. title deeds.
  • May give evidence that a control is operating, e.g. invoices stamped paid or authorised for payment by an appropriate signature.
  • May give evidence about cut-off, e.g. the dates on invoices, despatch notes, etc.
  • Confirms sales values and purchases costs (i.e. by inspecting the invoice).

Inspection of tangible assets

  • Will usually give pretty conclusive evidence of existence!
  • May give evidence of valuation, e.g. obvious evidence of impairment of inventory or non-current assets.

Observation

  • Involves looking at a process or procedure.
  • May well provide evidence that a control is being operated, e.g. double staffing or a cheque signatory.

You need to remember that this is only evidence that the control was operating properly at the time of the observation, and the auditor's presence may have had an influence on the client's staff's behaviour.

Observation of a one-off event, e.g. an inventory count, may well give good evidence that the procedure was carried out effectively.

Enquiry

Whilst a major source of evidence, the results of enquiries will usually need to be corroborated in some way through other audit procedures. This is because responses generated by the audit client are considered to be of a low quality due to their inherent bias.

The answers to enquiries may themselves be corroborative evidence. In particular they may be used to corroborate the results of analytical procedures.

Management representations are part of overall enquiries. These involve obtaining written responses from management to confirm oral enquiries. These are considered further in the chapter on completion and review.

Confirmation

  • This refers to the auditor obtaining a direct response (usually written) from an external, third party.
  • Examples include:
    • circularisation of receivables;
    • confirmation of bank balances in a bank letter;
    • confirmation of actual/potential penalties from legal advisers; and     
    • confirmation of inventories held by third parties.
  • May give good evidence of existence of balances, e.g. receivables confirmation.
  • May not necessarily give reliable evidence of valuation, e.g. customers may confirm receivable amounts but, ultimately, be unable to pay in the future.

Recalculation

This involves checking the arithmetical accuracy of the client's calculations, e.g. depreciation amounts.

Reperformance

This involves reperforming client procedures, e.g. test checking inventory counts.

Analytical procedures - again!

Analytical procedures as substantive tests

We have already come across analytical procedures as a significant component of risk assessment at the planning phase of an audit. Later in the text we will also see that they are a critical component of the completion of an audit. Here we consider their use as substantive procedures, i.e. procedures designed to detect misstatement.

Analytical procedures are used to identify trends and understand relationships between sets of data. This in itself will not detect misstatement but will identify possible sources. As such, analytical procedures cannot be used in isolation and should be coupled with other, corroborative, forms of testing, such as enquiry of management.

In order to perform a thorough analytical review auditors do not simply look at current figures in comparison to last year. Auditors may consider other points of comparison, such as budgets and industry data. Other techniques are also available, including:

  • ratio analysis;
  • trend analysis; and     
  • proof in total, for example: an auditor might create an expectation of payroll costs for the year by taking last year's cost and inflating for pay rises and changes in staff numbers.

Analytical procedures are useful for assessing several assertions at once as the auditor is effectively auditing a whole accounting balance or class of transaction to see if it is reasonable.

They can be used to corroborate other audit evidence obtained, such as statements by management about changes in cost structures, such as energy savings.

By using analytical procedures the auditor may identify unusual items that can then be further investigated to ensure that a misstatement doesn't exist in the balance.

However, in order to use analytical procedures effectively the auditor needs to be able to create an expectation. It would be difficult to do this if operations changed significantly from the prior year. If the changes were planned, the auditor could use forecasts as a point of comparison, although these are inherently unreliable due to the number of estimates involved. In this circumstance it would be pointless comparing to prior years, as the business would be too different for an effective comparison.

It would also be difficult to use analytical procedures if a business had experienced a number of significant one-off events in the year as these would distort the year's figures making comparison to both prior years and budgets meaningless.

Key ratios

Profitability ratios

Gross margin: gross profit / sales revenue × 100%

Net margin: profit before tax / sales revenue × 100%

Auditors would expect the relationships between costs and revenues to stay relatively stable. Things that can affect these ratios include: changes in sales prices, bulk purchase discounts, economies of scale, new marketing initiatives, changing energy costs, wage inflation.

Efficiency ratios

Receivables days: receivables / sales revenue × 365

Payables days: payables / purchases × 365

Inventory days: inventory / cost of sales × 365

These ratios show how long, on average, companies take to collect cash from customers and pay suppliers and how long they hold inventory for. Ultimately companies should strive to reduce receivables and inventory days to an acceptable level and increase payables days because this strategy maximises cash flow.

Any changes to this mix can impact upon the business and can indicate significant issues to the auditor, such as:

  • worsening credit control and increased need for bad debt provisions;
  • ageing and possibly obsolete inventory that could be overvalued; and
  • poor cash flow leading to going concern problems (see later notes).

Liquidity ratios

Current ratio: current assets / current liabilities

Quick ratio: (current assets – inventory) / current liabilities

These ratios indicate how able a company is to meet its short term debts. As a result these are key indicators when assessing going concern.

Investor ratios

Gearing: borrowings / (share capital + reserves)

Return on capital employed (ROCE): profit before interest and tax / (share capital + reserves + borrowings)

Gearing is a measure of external debt finance to internal equity finance. ROCE indicates the returns those investments generate.

Any change in either the gearing or ROCE could indicate a change in the financing structure of the business or it could indicate changes in overall performance of the business. These ratios are important for identifying potentially material changes to the statement of financial position (new/repaid loans or share issues) and for obtaining an overall picture of the annual performance of the business.

The suitability of analytical procedures as substantive tests

The suitability of this approach depends on four factors:

  • The assertion/s under scrutiny;
  • The reliability of the data;
  • The degree of precision possible; and
  • The amount of variation which is acceptable.

Some examples.

(1) Suitability

  • Analytical procedures are clearly unsuitable for testing the existence of inventories.
  • They are, however, suitable for assessing the value of inventory in terms of the need for provisions against old inventories, identified using the inventory holding period ratio.

(2) Reliability

  • If controls over financial data are weak then it is likely to contain misstatement and is therefore not suitable as a basis for assessment. This may be true of manually prepared forecasts and industry data from unknown sources.

(3) Precision

  • There is likely to be greater consistency over time in information such as gross margins than in discretionary expenditure that is subject to change, like advertising or R&D.

(4) Acceptable variation

  • Variations that could have a minor impact on the results for the year (such as cleaning costs, utility accruals) will be regarded differently from variations in balances such as receivables, which could significantly affect the need for bad debt provisions.

Proof in total

You are auditing a restaurant chain for the year ended 31st December 20X1. Total revenue for the year ending 20X0 was $1,200,000. At this time the chain owned three restaurants.

From initial discussions with directors this year you understand that a new restaurant was opened on 1st October 20X1. You also understand that the chain has been hit by the recession and customer numbers have fallen by approximately 20% on last year.

Create an expectation of total revenue for the year ending 31st December 20X1.

Solution

We know that the total sales for the previous year were $1,200,000. It would be reasonable to assume that the sales for this year were going to be in the region of $1,200,000 (before adjustments).

We know that there were three restaurants throughout 20X0. In 20X1 there were three restaurants for nine months and four restaurants for the remaining three months. As such, we can project revenue for 20X1 as $1,200,000 + three months' worth of sales for one restaurant.

One restaurant earns $400,000 revenue per annum ($1,200,000 / 3 restaurants), which is $100,000 revenue for three months. We can therefore estimate total revenue (before adjustments for the fall in customer numbers) of $1,300,000.

We then need to reduce this by 20% to take account of the fall in numbers due to the recession.

Therefore, our expectation for sales revenue for the year ending 31st December 20X1 is $1,040,000.

6 Sampling

The need for sampling

It will usually be impossible to test every item in an accounting population because of the costs involved. Consider a manufacturer of fasteners (i.e. nuts, bolts, nails and screws); they will have many thousands, maybe millions, of items of inventory. It would simply be impossible to test the valuation of every single one.

It is also important to remember that auditors give reasonable, not absolute, assurance and are therefore not certifying that the financial statements are 100% accurate.

Audit evidence is gathered on a test basis. Auditors therefore need to understand the implications and effective use of sampling.

The definition of sampling, as described in ISA 530 Audit Sampling, is:

"The application of audit procedures to less than 100% of items within a population of audit relevance such that all sampling units have a chance of selection in order to provide the auditor with a reasonable basis on which to draw conclusions about the entire population."

Statistical or non-statistical sampling

Statistical sampling means any approach to sampling that uses:

  • random selection of samples; and
  • probability theory to evaluate sample results.

Any approach that does not have both these characteristics is considered to be non-statistical sampling.

The approach taken is a matter of auditor judgement.

Designing a sample

When designing a sample the auditor has to consider:

  • the purpose of the procedure;
  • the combination of procedures being performed;
  • the nature of evidence sought; and
  • possible misstatement conditions.

The principal methods of sample selection are:

  • Random selection - this can be achieved through the use of random number tables;
  • Systematic selection - where a sampling interval is used (e.g. every 50th balance);
  • Monetary unit selection - selecting items based upon monetary values (usually focussing on higher value items);
  • Haphazard selection - auditor does not follow a structured technique but avoids bias or predictability; and
  • Block selection - this involves selecting a block of contiguous (i.e. next to each other) items from the population. This technique is rarely appropriate.
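The selection methods listed above, as an added example that is not part of the original chapter: random, systematic and monetary unit selection run over a constructed receivables ledger. The ledger, the function names, and the fixed-interval form of monetary unit selection (selecting the item that contains every n-th monetary unit, one common way of doing it) are assumptions of this example.

```python
import random

# Constructed population: (customer code, receivable balance in whole dollars).
LEDGER = [
    ("C001", 1200), ("C002", 300), ("C003", 45000), ("C004", 800),
    ("C005", 2500), ("C006", 150), ("C007", 9800), ("C008", 60),
    ("C009", 17000), ("C010", 400), ("C011", 3200), ("C012", 590),
]


def random_selection(population, n, seed):
    """Random selection: every item has an equal chance of being picked.

    The seed is passed in explicitly so the selection can be recorded in the
    working papers and reproduced by a reviewer.
    """
    return random.Random(seed).sample(population, n)


def systematic_selection(population, interval, start):
    """Systematic selection: every `interval`-th item, beginning at index `start`."""
    if not 0 <= start < interval:
        raise ValueError("start must lie inside the first interval")
    return population[start::interval]


def monetary_unit_selection(population, interval, start):
    """Monetary unit selection with a fixed sampling interval.

    The population is treated as one long run of individual monetary units.
    Units `start`, `start + interval`, `start + 2 * interval`, ... are hit,
    and the item containing each hit is selected. Any item at least as large
    as the interval is therefore certain to be selected.
    """
    if not 1 <= start <= interval:
        raise ValueError("start must lie inside the first interval")
    selected = []
    next_hit = start
    cumulative = 0
    for code, balance in population:
        cumulative += balance
        if cumulative >= next_hit:
            selected.append((code, balance))
            # A large item can contain several hits; it is still tested once.
            while next_hit <= cumulative:
                next_hit += interval
    return selected


def value_coverage(population, sample):
    """Fraction of the population's monetary value covered by the sample."""
    return sum(b for _, b in sample) / sum(b for _, b in population)


if __name__ == "__main__":
    samples = {
        "random": random_selection(LEDGER, 3, seed=2024),
        "systematic": systematic_selection(LEDGER, interval=4, start=1),
        "monetary unit": monetary_unit_selection(LEDGER, interval=10000, start=5000),
    }
    for method, sample in samples.items():
        codes = ", ".join(code for code, _ in sample)
        print(f"{method:14s} {codes:20s} {value_coverage(LEDGER, sample):.1%} of value")
```

On this ledger each method picks three items, but systematic selection by item count lands on three small balances while monetary unit selection lands on the three largest, which is the "focus on higher value items" the list describes.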

When non-statistical methods (haphazard and block) are used the auditor uses judgement to select the items to be tested. Whilst this lends itself to auditor bias it does support the risk based approach, where the auditor focuses on those areas most susceptible to material misstatement. This usually leads to a focus on the higher value items within a population and is a common method in practice.

The sample size depends upon the level of sampling risk that the auditor is willing to accept.

Sampling risk

We saw in the audit risk chapter that sampling risk is a component of detection risk, the other component being non-sampling risk, and that sampling risk arises from the possibility that the auditors' conclusion, based on a sample, may be different from the conclusion that would be reached if the entire population were subjected to the same audit procedure.

Auditors are faced with sampling risk in tests of controls and in substantive procedures. Sampling risk is essentially the risk that the auditor's sample from a population will not be representative. In other words it will, by chance, include too many or too few errors to give a realistic impression of the population as a whole.

In order to reduce sampling risk the auditor needs to increase the size of the sample selected.

7 Computer assisted audit techniques (CAATs)

The use of computers as a tool to perform audit procedures is often referred to as a 'computer aided auditing technique' or CAAT for short.

There are two broad categories of CAAT:

(1) Audit software; and

(2) Test data.

Audit software

Audit software is used to interrogate a client's system. It can be either packaged, off-the-shelf software or it can be purpose written to work on a client's system. The main advantage of these programs is that they can be used to scrutinise large volumes of data, which it would be inefficient to do manually. The programs can then present the results so that they can be investigated further.

Specific procedures they can perform include:

  • Extracting samples according to specified criteria, such as:
    • Random;
    • Over a certain amount;
    • Below a certain amount;
    • At certain dates.
  • Calculating ratios and selecting indicators that fail to meet certain pre-defined criteria (i.e. benchmarking);
  • Checking arithmetical accuracy (for example additions);
  • Preparing reports (budget vs actual);
  • Stratification of data (such as invoices by customer or age);
  • Producing letters to send out to customers and suppliers; and
  • Tracing transactions through the computerised system.

These procedures can simplify the auditor's task by selecting samples for testing, identifying risk areas and by performing certain substantive procedures. The software does not, however, replace the need for the auditor's own procedures.

Test data

Test data involves the auditor submitting 'dummy' data into the client's system to ensure that the system correctly processes it and that it prevents or detects and corrects misstatements. The objective of this is to test the operation of application controls within the system.

To be successful test data should include both data with errors built into it and data without errors. Examples of errors include:

  • codes that do not exist, e.g. customer, supplier and employee;
  • transactions above pre-determined limits, e.g. salaries above contracted amounts, credit above limits agreed with customer;
  • invoices with arithmetical errors; and
  • submitting data with incorrect batch control totals.
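A test data run of the kind described above, as an added example that is not part of the original chapter. The invoice format, the `validate_invoice` and `process_batch` functions standing in for the client's application controls, and all sample records are constructed for illustration; the `enforce_credit_limit` switch simulates a control that is not operating.

```python
from dataclasses import dataclass

# Constructed master file: customer code -> agreed credit limit.
CUSTOMERS = {"C100": 5000, "C200": 1000}


@dataclass(frozen=True)
class Invoice:
    ref: str
    customer: str
    qty: int
    unit_price: int
    total: int  # total as keyed on the input document


def validate_invoice(inv, enforce_credit_limit=True):
    """Hypothetical application controls over a single invoice.

    Returns None when the invoice is accepted, otherwise the rejection reason.
    """
    if inv.customer not in CUSTOMERS:
        return "unknown customer code"
    if inv.qty * inv.unit_price != inv.total:
        return "arithmetic error"
    if enforce_credit_limit and inv.total > CUSTOMERS[inv.customer]:
        return "over credit limit"
    return None


def process_batch(invoices, control_total, enforce_credit_limit=True):
    """Hypothetical batch input routine.

    The batch is accepted only if the invoice totals agree to the batch
    control total on the header; each invoice is then validated individually.
    """
    reasons = {inv.ref: validate_invoice(inv, enforce_credit_limit) for inv in invoices}
    batch_accepted = sum(inv.total for inv in invoices) == control_total
    return batch_accepted, reasons


# The auditor's test data: one record without errors and one per error type,
# each paired with the outcome the auditor expects if the control operates.
TEST_PACK = [
    (Invoice("TD1", "C100", 2, 100, 200), None),                      # no error
    (Invoice("TD2", "C999", 1, 50, 50), "unknown customer code"),     # code does not exist
    (Invoice("TD3", "C200", 3, 500, 1500), "over credit limit"),      # above agreed limit
    (Invoice("TD4", "C100", 4, 25, 110), "arithmetic error"),         # 4 x 25 is not 110
]


def run_test_data(enforce_credit_limit=True):
    """Submit the test pack and return every (reference, expected, actual) mismatch."""
    invoices = [inv for inv, _ in TEST_PACK]
    true_total = sum(inv.total for inv in invoices)
    exceptions = []

    # Batch with a correct control total: should be accepted.
    batch_ok, reasons = process_batch(invoices, true_total, enforce_credit_limit)
    if not batch_ok:
        exceptions.append(("BATCH-GOOD", "accepted", "rejected"))
    for inv, expected in TEST_PACK:
        if reasons[inv.ref] != expected:
            exceptions.append((inv.ref, expected, reasons[inv.ref]))

    # Same batch with an incorrect control total: should be rejected.
    batch_ok, _ = process_batch(invoices, true_total + 60, enforce_credit_limit)
    if batch_ok:
        exceptions.append(("BATCH-BAD", "rejected", "accepted"))
    return exceptions


if __name__ == "__main__":
    print("controls operating:  ", run_test_data(True))
    print("credit check missing:", run_test_data(False))
```

An empty exception list is evidence that the tested controls operated on the test data; the over-limit invoice passing through when the credit check is switched off is the kind of exception the auditor would follow up.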

Data may be processed during a normal operational cycle ('live' test data) or during a special run at a point in time outside the normal operational cycle ('dead' test data). Both have their advantages and disadvantages:

  • Live tests could interfere with the operation of the system or corrupt master files/standing data;
  • Dead testing avoids this scenario but only gives assurance that the system works when not operating live. This may not be reflective of the strains the system is put under in normal conditions.

Advantages and disadvantages of CAATs

Advantages of CAATs

CAATs allow the auditor to:

  • Independently access the data stored on a computer system without dependence on the client;
  • Test the reliability of client software, i.e. the IT application controls (the results of which can then be used to assess control risk and design further audit procedures);
  • Increase the accuracy of audit tests; and
  • Perform audit tests more efficiently, which in the long-term will result in a more cost effective audit.

Disadvantages of CAATs

  • CAATs can be expensive and time consuming to set up; the software must either be purchased or designed (in which case specialist IT staff will be needed);
  • Client permission and cooperation may be difficult to obtain;
  • Potential incompatibility with the client's computer system;
  • The audit team may not have sufficient IT skills and knowledge to create the complex data extracts and programming required;
  • The audit team may not have the knowledge or training needed to understand the results of the CAATs; and
  • Data may be corrupted or lost during the application of CAATs.

Other techniques

There are other forms of CAAT that are becoming increasingly common as computer technology develops, although the cost and sophistication involved currently limit their use to the larger accountancy firms with greater resources. These include:

Integrated test facilities - this involves the creation of dummy ledgers and records to which test data can be sent. This enables more frequent and efficient test data procedures to be performed live and the information can simply be ignored by the client when printing out their internal records; and

Embedded audit software - this requires a purpose written audit program to be embedded into the client's accounting system. The program will be designed to perform certain tasks (similar to audit software) with the advantage that it can be turned on and off at the auditor's wish throughout the accounting year. This will allow the auditor to gather information on certain transactions (perhaps material ones) for later testing and will also identify peculiarities that require attention during the final audit.

Auditing around the computer

The practical implications of CAATs

Further audit procedures

As previously mentioned, CAATs are extremely useful for assisting with sample selection through stratification and other techniques. For example, identification of:

  • receivable, payable or inventory balances over a certain age;
  • individually material assets and liabilities;
  • transactions over agreed limits (e.g. customer's credit limits);
  • changes to standing data, e.g. authorised supplier lists;
  • credit balances within receivables and debit balances in payables;
  • non-current asset purchases over a certain amount.

CAATs can also be used to perform certain substantive procedures, such as:

  • ratio calculations;
  • recalculation of non-current asset depreciation;
  • recalculation of employee taxes, state pension schemes and employment pension scheme balances;
  • confirmation of batch totals to individual records, e.g. wages and salary payments to payroll records;
  • casting of all ledger balances.
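The sketch below is an added example, not part of the original text: it shows how audit software might run several of the tests listed above over extracted client data. The record layout, field names, thresholds and all figures are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Receivable:
    customer: str
    balance: Decimal       # positive = owed to the client, negative = credit balance
    credit_limit: Decimal
    oldest_invoice: date

# Constructed sample ledger (hypothetical customers and amounts).
LEDGER = [
    Receivable("C001", Decimal("12500.00"), Decimal("10000.00"), date(2012, 11, 2)),
    Receivable("C002", Decimal("-340.50"), Decimal("5000.00"), date(2012, 12, 10)),
    Receivable("C003", Decimal("4200.00"), Decimal("5000.00"), date(2012, 7, 15)),
    Receivable("C004", Decimal("980.25"), Decimal("2000.00"), date(2012, 12, 20)),
]

# Constructed payroll batch: header control total and the individual records.
BATCH = {
    "control_total": Decimal("7150.00"),
    "records": [Decimal("2400.00"), Decimal("2350.00"), Decimal("2300.00")],
}

def exceptions(ledger, as_at, max_age_days, materiality):
    """Return {test name: [customer ids]} for each exception test."""
    report = {"aged": [], "over_limit": [], "credit_balance": [], "material": []}
    for r in ledger:
        # Balances over a certain age (only meaningful for amounts still owed).
        if r.balance > 0 and (as_at - r.oldest_invoice).days > max_age_days:
            report["aged"].append(r.customer)
        # Transactions or balances over the agreed credit limit.
        if r.balance > r.credit_limit:
            report["over_limit"].append(r.customer)
        # Credit balances within receivables.
        if r.balance < 0:
            report["credit_balance"].append(r.customer)
        # Individually material balances, whichever their sign.
        if abs(r.balance) >= materiality:
            report["material"].append(r.customer)
    return report

def batch_difference(batch):
    """Cast the individual records; return control total minus the cast."""
    return batch["control_total"] - sum(batch["records"], Decimal("0"))

if __name__ == "__main__":
    found = exceptions(LEDGER, date(2012, 12, 31), 90, Decimal("10000"))
    for test, customers in found.items():
        print(f"{test:15} {customers}")
    print("batch difference:", batch_difference(BATCH))
```

Each exception list is a population for further testing rather than a conclusion: a non-zero batch difference, for instance, tells the auditor where to look, not what went wrong.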

8 Relying on the work of others

Why rely on the work of other people?

  • In certain circumstances auditors may need to rely on the work of, or consult, parties not involved in the audit process.
  • Auditors may also choose to rely on the work of others because they find it effective and efficient to do so.

The need to consult others

Auditors do not need to be experts in all aspects of their clients' businesses. Where they lack the technical knowledge and skills to gather evidence about transactions, balances and disclosures they should seek the assistance of an expert. For example:

  • property valuation;
  • construction work in progress;
  • assessment of oil reserves;
  • specialist inventory – livestock, food and drink in the restaurant trade, jewellery; oil reserves; and
  • actuarial valuations for pension schemes.

Using an Auditor's Expert

ISA 620 Using the Work of an Auditor's Expert states that the auditor should obtain sufficient and appropriate evidence that the work of the expert is adequate for the purpose of the audit.

In making this assessment the external auditor must assess the expert's:

  • independence and objectivity; and
  • competence (i.e. qualifications, memberships of professional bodies and experience)

Before any work is performed by the expert the auditor should agree in writing:

  • The nature, scope and objectives of the expert's work;
  • The roles and responsibilities of the auditor and the expert;
  • The nature, timing and extent of communication between the two parties; and
  • The need for the expert to observe confidentiality.

Once the work has been completed the auditor must then assess it to ensure it is appropriate for the purposes of the audit. This involves consideration of:

  • the consistency of the findings with other evidence;
  • the significant assumptions made; and
  • the use and accuracy of source data.

Relying on internal audit

An internal audit department forms part of the client's system of internal control. If this is an effective element of the control system it may well reduce control risk, and therefore reduce the need for the auditor to perform detailed substantive testing. This will obviously be taken into account during the planning phase of the audit.

Additionally, auditors may be able to co-operate with a client's internal audit department and place reliance on their procedures in place of performing their own.

ISA 610 Using the Work of Internal Auditors states that before relying on the work of internal auditors, the external auditor must determine whether it is likely to be adequate for the purposes of the audit. This involves an evaluation of:

  • the objectivity of the internal audit function;
  • the technical competence of the internal audit function;
  • whether the internal audit function is carried out with due professional care; and
  • whether there is likely to be effective communication between the internal and external auditor.

If the auditor considers it appropriate to use the work of the internal audit function they then have to incorporate this into their planning to assess the impact on the nature, timing and extent of further audit procedures. They also have to plan adequate time to review the work of the internal audit function to evaluate whether:

  • the work was performed by people with adequate technical training and proficiency;
  • the work was properly supervised, reviewed and documented;
  • sufficient and appropriate evidence has been obtained to be able to draw reasonable conclusions;
  • the conclusions reached are appropriate in the circumstances; and
  • any unusual matters are properly resolved.

Service organisations

The client may outsource certain functions to another company – a service organisation, e.g.

  • payroll
  • receivables collection
  • the entire finance function
  • internal audit.

Advantages from the auditor's point of view

  • The independence of the service organisation may give increased reliability to the evidence obtained;
  • Their specialist skills tend to make them more reliable at processing information; and
  • The auditor may be able to place a high degree of reliance on the reports they produce as a result (reduced control risk).

Disadvantages

  • The auditor may not be able to obtain information from the service provider;
  • The auditor may not be allowed to test controls at the service provider;
  • This would lead to difficulties in assessing the accuracy and reliability of the information produced by the service provider; and
  • Ultimately this could lead to a lack of sufficient appropriate evidence and a modified audit report.

References to the work of others in the audit report

It is the auditors' responsibility to obtain sufficient and appropriate audit evidence in order to arrive at their audit opinion. Therefore, no reference should be made in the audit report regarding the use of others during the audit. This might be considered as some form of modifying statement, deflecting responsibility from the auditor to a third party.

Test your understanding 1

ISA 500 Audit Evidence requires audit evidence to be reliable.

Required:

List FOUR factors that influence the reliability of audit evidence.

Real exam: December 2009 (4 marks)

Test your understanding 2

List and explain FOUR methods of selecting a sample of items to test from a population in accordance with ISA 530 Audit Sampling.

Real exam question: June 2009 (4 marks)

Test your understanding 3

List and explain FOUR factors that will influence the auditor's judgement regarding the sufficiency of the evidence obtained.

Real exam question: June 2008 (4 marks)

Test your understanding 4

ISA 620 Using the Work of an Auditor's Expert explains how an auditor may use an expert to obtain audit evidence.

Required:

Explain THREE factors that the external auditor should consider when assessing the competence and objectivity of the expert.

Real exam question: December 2008 (3 marks)

Test your understanding 5

Explain the factors that the external auditor should consider when deciding whether to place reliance on internal audit work.

(5 marks)

9 Chapter summary

Test your understanding answers

Test your understanding 1

The following five factors that influence the reliability of audit evidence are taken from ISA 500 Audit Evidence:

(i) Audit evidence is more reliable when it is obtained from independent sources outside the entity.

(ii) Audit evidence that is generated internally is more reliable when the related controls imposed by the entity are effective.

(iii) Audit evidence obtained directly by the auditor (for example, observation of the application of a control) is more reliable than audit evidence obtained indirectly or by inference (for example, inquiry about the application of a control).

(iv) Audit evidence is more reliable when it exists in documentary form, whether paper, electronic, or other medium. (For example, a contemporaneously written record of a meeting is more reliable than a subsequent oral representation of the matters discussed.)

(v) Audit evidence provided by original documents is more reliable than audit evidence provided by photocopies or facsimiles.

Other examples are:

(vi) Evidence created in the normal course of business is better than evidence specially created to satisfy the auditor.

(vii) The best-informed source of audit evidence will normally be management of the company (although management's lack of independence may reduce its value as a source of such evidence).

(viii) Evidence about the future is particularly difficult to obtain and is less reliable than evidence about past events.

Only four examples are required.

Test your understanding 2

Sampling methods

Methods of sampling in accordance with ISA 530 Audit Sampling and Other Means of Testing:

  • Random selection. Ensures each item in a population has an equal chance of selection, for example by using random number tables.
  • Systematic selection. The number of sampling units in the population is divided by the sample size to give a sampling interval.
  • Haphazard selection. The auditor selects the sample without following a structured technique – the auditor would avoid any conscious bias or predictability.
  • Sequence or block. Involves selecting a block(s) of contiguous items from within a population.

Note: Only four sampling methods were asked for. Another method of sampling is:

  • Monetary Unit Sampling. This selection method ensures that each individual $1 in the population has an equal chance of being selected.
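The following added example, which is not part of the original answer, contrasts systematic selection with monetary unit sampling on the same population. The invoice data and function names are constructed; in practice the start point is chosen at random, and it is a parameter here only so that the result can be reproduced.

```python
import random

# Constructed invoice population: (invoice id, value in whole $).
INVOICES = [("INV-01", 50), ("INV-02", 400), ("INV-03", 30), ("INV-04", 120),
            ("INV-05", 900), ("INV-06", 60), ("INV-07", 240), ("INV-08", 200)]

def systematic_selection(items, sample_size, start=None, rng=random):
    """Select every k-th item, where k = population size // sample size."""
    interval = len(items) // sample_size
    if interval < 1:
        raise ValueError("sample size exceeds population size")
    if start is None:
        start = rng.randrange(interval)          # random start in [0, k)
    picks = range(start, len(items), interval)
    return [items[i][0] for i in picks][:sample_size]

def monetary_unit_sample(items, sample_size, start=None, rng=random):
    """Select the items that contain every k-th $1 of the cumulative total.

    Each $1 has an equal chance of selection, so an item's chance grows with
    its value. Zero and negative items contain no sampled dollars and have to
    be tested separately; they are left out here.
    """
    positive = [(item_id, value) for item_id, value in items if value > 0]
    total = sum(value for _, value in positive)
    interval = total // sample_size
    if interval < 1:
        raise ValueError("sample size exceeds population value")
    if start is None:
        start = rng.randrange(1, interval + 1)   # random dollar in [1, k]
    selected, cumulative, next_hit = [], 0, start
    for item_id, value in positive:
        cumulative += value
        if next_hit <= cumulative:               # a sampled dollar lies in this item
            selected.append(item_id)
            while next_hit <= cumulative:        # a large item can absorb several hits
                next_hit += interval
    return selected

if __name__ == "__main__":
    print("systematic:", systematic_selection(INVOICES, 4, start=1))
    print("monetary unit:", monetary_unit_sample(INVOICES, 4, start=300))
```

With a total of $2,000 and a sample size of 4 the sampling interval is $500, so the $900 invoice is selected whatever the start point, while systematic selection gives it the same chance as the $30 invoice.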

Test your understanding 3

Sufficiency of evidence

  • Assessment of risk at the financial statement level and/or the individual transaction level. As risk increases then more evidence is required.
  • The materiality of the item. More evidence will normally be collected on material items whereas immaterial items may simply be reviewed to ensure they appear correct.
  • The nature of the accounting and internal control systems. The auditor will place more reliance on good accounting and internal control systems limiting the amount of audit evidence required.
  • The auditor's knowledge and experience of the business. Where the auditor has good past knowledge of the business and trusts the integrity of staff then less evidence will be required.
  • The findings of audit procedures. Where findings from related audit procedures are satisfactory (e.g. tests of controls over receivables) then substantive evidence will be collected.
  • The source and reliability of the information. Where evidence is obtained from reliable sources (e.g. written evidence) then less evidence is required than if the source was unreliable (e.g. verbal evidence).

Test your understanding 4

Competence and objectivity of experts

The expert's professional qualification. The expert should be a member of a relevant professional body or have the necessary licence to perform the work.

The experience and reputation of the expert in the area in which the auditor is seeking audit evidence.

The objectivity of the expert from the client company. The expert should not normally be employed by the client.

Test your understanding 5

Reliance on internal audit work

The technical competence of internal audit should be considered. In particular, whether the internal auditor has had adequate training and has appropriate qualifications.

Consideration should be given to the quality of work produced by the internal audit and whether it is adequate for the purposes of the audit. This will involve the review of the internal auditor's working papers. The objectivity of internal audit should be assessed. If the internal auditor reports to an audit committee their independence would be stronger than if they reported to the executive directors.

Whether there is likely to be effective communication between the internal and external auditor by considering how exceptions and unusual matters have been disclosed and resolved in previous audits.

The scope of the work performed by internal audit should be assessed. This will include considering the extent to which the external auditor was involved in developing the testing performed by internal audit.

Created at 5/24/2012 2:36 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 10/3/2012 6:34 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London


How does test of controls affect substantive testing?

Purposes of tests of control: If a company's internal controls are working effectively, it reduces the need for additional substantive audit procedures, which can be time-consuming and costly. Another purpose of these tests is to obtain further audit evidence to support the auditor's statements.

When detection risk is set at low the audit team will have to perform more substantive procedures?

When detection risk is set at low, then that means that risk of material misstatement was assessed to be high. Since detection risk is set at low, that means that the audit team will have to perform a HIGHER amount of substantive testing in order to reduce the risk of not detecting a material misstatement.

Can internal auditors perform substantive tests?

Substantive testing may also be conducted by a company's internal audit staff. Doing so can provide assurance that internal recordation systems are performing as planned.

What is the relationship between tests of controls and substantive tests in an audit?

In simple terms, control tests involve checking that a client's control is working, whereas a substantive test involves ignoring client systems and just checking the numbers. An example: Companies try to ensure their cashbooks and bank statements are accurate by reconciling them.