A3 M3
Substantive procedures should include:
-Agreement of the financial statements to the underlying accounting records -Examination of material journal entries or adjustments made while preparing the financial statements -Evaluation of the overall presentation of the financial statements in accordance with applicable financial reporting framework, including disclosures
Assertion Level Risks
-Assertion level risks are risks that relate to specific transactions, account balances, or disclosures at the relevant assertion level -When assessing the risk of material misstatement at the assertion level, the auditor should identify controls that have been properly designed and implemented such that the controls are capable of effectively preventing or detecting and correcting material misstatements that could arise from the risks
Timing
-Audit tests may be performed at an interim date or at period end -The higher the assessed risks of material misstatement, the closer to period-end substantive procedures should be performed -Performing audit procedures before period end allows earlier identification of significant matters; however, additional evidence is necessary for the remaining period -In considering the timing of audit tests, the auditor should consider when relevant information is available. Some procedures occur only at certain times and electronic data may not be retained indefinitely
Timing of Substantive Procedures
-Can be performed during an interim period, at period end, or after period end -If they are performed at an interim date, the auditor should perform further substantive procedures, or substantive procedures combined with tests of controls, to provide a reasonable basis for extending audit conclusions to period end -Performing them at an interim date increases the risk that the auditor will not detect material misstatements in the financial statements. The longer the period between the interim date and the period end, the greater the risk -In certain situations, such as those in which there is an identified fraud risk or high risk of material misstatement, the auditor may choose to perform substantive procedures at or near period end -If misstatements are discovered at an interim date, the auditor should modify the related risk assessment and the procedures to be performed for the remaining period, or should consider repeating audit procedures at period end -Evidence obtained from substantive tests performed in a prior audit generally is not sufficient for the current period
In response to risk assessed at the financial statement level, the auditor may:
-Communicate to the audit team an increased need for professional skepticism -Assign staff with more experienced or specialized skills -Increase the level of supervision -Incorporate a greater level of unpredictability into the audit -Make pervasive changes to the nature, extent, and timing of tests, such as shifting substantive procedures closer to period end
Evidence Obtained in Prior Audits
-Evidence obtained in a prior audit about the operating effectiveness of controls may be used in the current audit, as long as the auditor obtains evidence about whether changes in those controls have occurred -If controls have changed since they were last tested, operating effectiveness must be retested in the current period -Even if controls have not changed, operating effectiveness must be tested at least once every third year -The auditor may also choose, based on the circumstances, to retest operating effectiveness more often than once every third year -The auditor may not rely on audit evidence obtained in prior audits for controls that mitigate a significant risk
Additional considerations:
-If a control is applied on a transaction basis throughout the period, the auditor should use sampling to test the control -IT processing is inherently consistent, so it is possible to test only a few instances of the operation of an automated control -Once the auditor has determined that an automated control is functioning as expected, the auditor should determine that it continues to function effectively
If substantive analytical procedures are to be used to extend audit conclusions from interim testing to period end, the auditor should consider whether:
-Period end balances are reasonably predictable with respect to amount, relative significance, and composition -The entity's accounting procedures are appropriate -The entity's information system will provide sufficient information to allow investigation of unusual or unexpected transactions or balances
Factors that may be indicative of significant risks include:
-Risk of fraud -Significant recent economic, accounting, or other developments -Related parties and related party transactions -Improper revenue recognition -Nonroutine, unusual, or complex transactions -Accounting estimates or other subjective measurements of financial information -Noncompliance with laws and regulations -Accounting principles that are subject to different interpretations
Identifying Significant Risks
-Significant risks are risks that require special audit consideration -The auditor uses professional judgment to determine whether a given risk of material misstatement is a significant risk -The auditor's judgment should be based on the nature of the risk and the magnitude and likelihood of the potential misstatement
Operating Effectiveness of Controls
-Some risk assessment procedures performed to obtain an understanding of internal control may provide evidence about operating effectiveness, even if they were not intended for that purpose -If it is efficient to do so, the auditor may choose to test the operating effectiveness of controls concurrently with obtaining an understanding of internal control
Responding to RMM: Substantive Procedures Overview
-Substantive procedures are used to detect material misstatements at the relevant assertion level -The NET of substantive procedures should be responsive to the assessed risks of material misstatement, including the results of tests of controls and the planned level of detection risk -Regardless of the assessed risks of material misstatement, substantive procedures are required for each material transaction class, account balance, or disclosure -The fact that a substantive procedure does not identify any material misstatements does not necessarily imply that the related control is operating effectively
Dual-Purpose Tests
-Test of controls that is performed concurrently with a test of details on the same transaction -The purpose of a test of controls is to evaluate the operating effectiveness of a control, whereas the purpose of a test of details is to support relevant assertions or detect material misstatements -A dual-purpose test should be designed to accomplish both objectives
Nature of Tests of Controls
-Tests of the operating effectiveness of controls, presented in the order of the evidence that they would ordinarily produce, from least to most, include the following: inquiries, observation, inspection, and re-performance. -The auditor should use a combination of procedures to obtain sufficient evidence of operating effectiveness -Inquiry alone is not sufficient -Observation generally is pertinent only at the time the observation is made, so observation should be supplemented with other procedures, such as inquiry, inspection, and re-performance -For some controls, operating effectiveness may be evidenced by documentation; for other controls, documentation may not be available or relevant -To test such controls, the auditor would likely rely on inquiry and observation
Selection of Substantive Procedures
-The auditor may use only substantive analytical procedures, only tests of details, or a combination of both -Substantive analytical procedures are often used when there is a large volume of predictable transactions -Tests of details are generally more appropriate when obtaining evidence regarding the existence and valuation of account balances -If tests of controls indicate that controls are operating effectively, then substantive analytical procedures may be sufficient to reduce detection risk to an acceptably low level -If tests of controls indicate that controls are not operating effectively or tests of controls were not performed, then the auditor may perform tests of details only
Responses to Risks at the Relevant Assertion Level
-The auditor should design audit procedures that address the risks of material misstatement for each relevant assertion of each significant account, balance, or disclosure -The linkage should be clear between the assessed level of risk at the relevant assertion level and the nature, extent, and timing of further audit procedures, including tests of controls and substantive procedures
Extent
-The extent of an audit procedure refers to the quantity to be performed, such as the number of observations to be made or the sample size to be used -The higher the assessed risks of material misstatement, the greater the extent of audit procedures should be -The auditor should also consider the tolerable misstatement and the degree of assurance the auditor plans to obtain
Nature
-The nature of an audit procedure includes both its purpose and its type -The higher the assessed risk of material misstatement, the more reliable and relevant audit evidence must be. The auditor varies the nature of audit procedures in order to achieve the desired level of reliability and relevancy -If the auditor uses information provided by the entity's information system, the accuracy and completeness of that system must be tested -In responding to assessed risks, the nature of selected audit procedures is of primary importance
In designing further audit procedures that are responsive to the assessed risks, the auditor should consider:
-The significance and likelihood of the risk -The characteristics of the transaction, balance, or disclosure -The nature of controls used -Whether the auditor expects to test the operating effectiveness of the controls
Combined Approach
-Uses both tests of the operating effectiveness of controls and substantive procedures -If controls are operating effectively, less assurance will be required from substantive procedures
Tests of Design and Operating Effectiveness
-When performing tests of controls, the auditor must obtain evidence that the controls selected for testing were both designed effectively and operated effectively during the period of reliance. -Testing the design and operating effectiveness of controls includes obtaining evidence regarding: 1. Whether the controls were applied at relevant times 2. How controls were applied 3. The consistency with which controls were applied 4. By whom or by what means controls were applied -Auditor judgment is used to determine the NET of tests of controls
Testing at a Particular Time vs. Throughout a Period
-When tests of controls are performed at one particular time, they provide evidence that controls operated effectively only at that time -Controls tested throughout the period provide evidence of operating effectiveness during that period -The auditor may choose to test the operating effectiveness of a control only at one particular time, but then supplement this test with other tests that provide evidence for the remainder of the period -Tests related to period-end controls, such as tests of controls over the counting of physical inventory at period end, may be performed at only one time, if the auditor only intends to rely on the control at that one time -Controls that are tested only during an interim period should be supplemented by additional evidence for the remaining period
In order to reduce audit risk to an acceptably low level, the auditor should develop the following responses to the assessed risks of material misstatement:
1. An overall response to address financial statement level risks 2. A response at the relevant assertion level, whereby the nature, extent, and timing of audit procedures are designed to address risks related to specific assertions 3. A response to significant risks
There are two types of substantive procedures:
1. Tests of details applied to transaction classes, account balances, and disclosures -Consists of audit procedures used to gather evidence to support the account balances as reflected in the FS. -They are performed on ending balances, the details of transactions, or a combination of the two 2. Substantive analytical procedures -Evaluations of financial information made by a study of plausible relationships among both financial and non-financial data, and they generally involve comparisons of recorded amounts to independent expectations developed by the auditor
Results of Tests of Controls
After performing tests of controls, the auditor may conclude that audit evidence indicates that controls are either: 1. Operating effectively and can be relied upon. The auditor then proceeds to substantive procedures based on the assessed risks of material misstatement 2. Not operating effectively, in which case the auditor can: -Test alternative controls; or -Reassess control risk
Financial Statement Level Risks
Financial statement level risks are risks that relate pervasively to the FS as a whole and potentially impact many relevant assertions. The risk of material misstatement at the FS level may be especially relevant to the auditor's consideration of the risk of material misstatement due to fraud. Financial statement level risks include weaknesses related to: -The process used to prepare the financial statements, including the development of significant accounting estimates and the preparation of financial statement footnotes -The overall control environment -Lack of qualified personnel in financial reporting roles -The selection and application of significant policies
Response to Significant Risks
For all significant risks, the auditor should: -Evaluate the design of the entity's related controls and determine whether the controls have been implemented -If relying on the operating effectiveness of internal controls intended to mitigate significant risk, tests of controls must be performed in the current period. The auditor cannot rely on tests of controls performed in prior periods -Perform substantive procedures that are clearly linked and responsive to the risk. For areas of significant risk, substantive procedures can consist of: 1. Tests of details only; or 2. A combination of tests of details and substantive analytical procedures
Substantive Approach
For certain relevant assertions and risks, only substantive procedures will be performed. This occurs when control risk is assessed at maximum because: -There are no effective controls relative to the specific assertion -The implemented controls are assessed as ineffective -It would not be efficient to test the operating effectiveness of controls
Assessing Specific Risks
For each identified risk, the auditor should consider: -What could go wrong at the relevant assertion level -The significance and likelihood of potential material misstatements -Whether the risk is significant enough to require special audit consideration -Whether tests of controls are required because substantive tests alone are insufficient to reduce detection risk to an acceptable level -Whether the risk relates to a specific relevant assertion or whether it has a more pervasive effect on the financial statements
When to Perform Tests of Control
In making risk assessments, the auditor should identify those controls that are likely to prevent or detect and correct material misstatements in specific relevant assertions. -Obtaining an understanding of a control is not sufficient to determine whether the control is operating effectively -Tests of controls are performed when: 1. The auditor's risk assessment is based on the assumption that controls are operating effectively; or 2. When substantive procedures alone are insufficient -Only those controls that are suitably designed to prevent or detect material misstatements are subject to tests of operating effectiveness
Tests of Controls May Be Required
In situations in which a significant amount of information is initiated, authorized, recorded, processed, or reported electronically, substantive procedures alone may not be sufficient. Tests of controls are generally required when: -An entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system -Audit assertions are related to routine day-to-day business transactions that permit highly automated processing with little or no manual intervention -Audit evidence is obtained in electronic form. The sufficiency and appropriateness of such evidence is dependent on the effectiveness of controls over the accuracy and completeness of the information
Required Documentation
The auditor should document: -The discussion among the audit team regarding risk assessment, including how and when it occurred, the participants, the subject matter discussed, and significant decisions reached -Key elements of the understanding of the entity and its environment, the sources of information used to develop the understanding, and the risk assessment procedures performed -The assessment of the risks of material misstatement and the basis for the assessment -The identified risks and related controls evaluated by the auditor (A more complex entity/environment results in more extensive audit procedures, which in turn should result in more extensive audit documentation)
Extent of Tests of Controls
The more extensively a control is tested, the greater the evidence obtained from that test. The auditor should consider the following factors in determining the appropriate extent of testing controls: -The frequency of the performance of the control during the period -The length of time during which the auditor wishes to rely on the control -The relevance and reliability of the evidence to be obtained -The extent to which other tests provide audit evidence about the same assertion -The extent to which the auditor wishes to rely on the operating effectiveness of the control to reduce substantive procedures -The expected deviation rate from the control
Extent of Substantive Procedures
The more extensively a substantive procedure is performed, the greater the evidence obtained from the procedure. The extent of substantive procedures is affected by: -The overall risk of material misstatement: the greater these risks, the less detection risk that can be accepted, and the greater the extent of substantive procedures -Control risk: if controls are operating effectively, the extent of substantive procedures may be reduced (In designing tests of details, the extent of substantive procedures generally refers to the sample size)