Consideration of Internal Control


CONSIDERATION OF INTERNAL CONTROL

APPLICABLE STANDARDS:
• PSA 260 (Revised and Redrafted) – Communication with Those Charged with
Governance
• PSA 265 (New) – Communicating Deficiencies in Internal Control to Those
Charged with Governance and Management
• PSA 315 (Redrafted) – Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and Its Environment
• PSA 320 (Revised and Redrafted) – Materiality in Planning and Performing an
Audit

BASIC CONCEPTS AND ELEMENTS OF INTERNAL CONTROL

Internal control (IC) – the process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance about the achievement of
an entity’s objectives.

Essential concepts of internal control:

a. Internal control is a process. Internal control is not an end in itself but a means of achieving
the entity's objectives.
b. Internal control is effected by those charged with governance, management and other
personnel. Internal control is accomplished by people at every level of organization.
Responsibilities:
• Management: to design, implement and maintain internal control to assist in achieving
the entity's objectives
• Those charged with governance: to ensure the integrity of accounting and financial
reporting systems through oversight of management
• Staff personnel: to perform their respective functions in order to accomplish the
objectives of the entity

c. Primary purpose/reason for establishing internal control is to provide reasonable
assurance about the achievement of an entity’s objectives.

d. Internal control can be expected to provide reasonable assurance of achieving the
entity's objectives – this is due to inherent limitations of any system of internal control; although
internal control is designed to prevent, detect and correct problems, an effective internal control
can only minimize but not eliminate material misstatements, whether due to fraud or error.

Inherent limitations of internal control:


1. Management overriding the internal control.
2. Circumvention of internal controls through the collusion among employees.
3. The cost-benefit relationship is a primary criterion in designing internal control, that is, the
cost of a control should not exceed its expected benefits. This is known as the concept of
reasonable assurance.
4. Most internal controls tend to be directed at routine transactions rather than non-routine
transactions.
5. The potential for human error due to carelessness, distraction, mistakes of judgment and the
misunderstanding of instructions. Human error may include errors in the design or use of
automated controls.
6. The possibility that procedures may become inadequate due to changes in conditions, and
compliance with procedures may deteriorate.
7. Segregation of duties may be difficult to achieve in a smaller entity.

e. Internal control is designed to help achieve the entity's objectives. Internal control is
geared towards the achievement of the entity's objectives.

Entity’s objectives: what an entity strives to achieve


Categories of entity's objectives:
1. Financial reporting objective – this objective relates to reliability of financial reporting
2. Operational effectiveness objective – this objective is intended to enhance
effectiveness and efficiency of operations
3. Compliance objective – this objective relates to entity’s compliance with applicable laws
and regulations

Classification of internal control:

1. According to objectives:
a. Financial reporting controls – controls to achieve reliability of financial reporting objective
b. Operational effectiveness controls – controls to achieve operational effectiveness
objective
c. Compliance controls – controls to achieve compliance objective

There is a direct relationship between the entity’s objectives and the internal control it
implements to provide reasonable assurance about their achievement. Both the entity’s
objectives and controls relate to financial reporting, operations and compliance.

2. According to functions:
a. Preventive controls – to deter problems before they arise
Examples:
• Segregation of employee duties
• Control physical access to assets, facilities and information
b. Detective controls – to discover problems as they arise
Examples:
• Preparing bank reconciliation
• Preparing monthly trial balance
c. Corrective controls – to remedy problems discovered with detective controls
Example:
• Maintaining backup copies of transactions and master files

Benefits of strong internal control:


• Reduced cost of an external audit
• Availability of reliable data for decision-making purposes
• Protection of important documents and records
• Assurance of compliance with applicable laws and regulations

Internal control objective relevant to the audit: not all entity’s objectives and internal control are
relevant to the auditor’s risk assessment

1. Relevant to the auditor – financial reporting objective

Reasons:
• It is relevant to the financial statement assertions
• It pertains to the management of risk that may give rise to material misstatement of the financial
statements

2. May be relevant to the auditor – operational and compliance objectives are not usually relevant to
the audit but may be relevant to the auditor only if they relate to data the auditor evaluates to
determine the reliability of some financial statement assertions

Examples of operational controls that are not normally relevant to the audit are production and
staff scheduling, quality control, and employee compliance with health and safety requirements.
However, these may be relevant to the auditor if:

a. The information produced is used to develop an analytical procedure.

For example:
• Controls pertaining to non-financial data that the auditor uses in analytical procedures,
such as production statistics
• Controls pertaining to detecting non-compliance with laws and regulations that may
have a direct and material effect on the financial statements, such as controls over
compliance with income tax laws and regulations used to determine the income tax
provision

b. The information is required for disclosure in the financial statements.

Examples:
• Controls to ensure the accuracy of such data to produce statistics that were used as a
basis for an analytical procedure
• Controls for detecting and reporting on non-compliance with certain laws and
regulations that has a direct and material effect on the financial statements

Controls related to the safeguarding of assets often relate to both operations and financial
reporting objectives. The auditor would generally consider only those controls related to
financial reporting, such as controls that limit access to the programs used to process cash
disbursements.

Components of Internal Control: the interrelated components of internal control represent means used
by an entity to help it achieve its objectives (CRIME)

Five interrelated and essential components or aspects of internal control:


1. Control environment – the overall tone of the organization
2. Risk assessment – management’s identification and assessment of risks
3. Information, financial reporting and communication systems – a means of recording
transactions and communicating responsibilities
4. Monitoring the controls – assessment of internal control performance over time
5. Existing control activities – control policies and procedures

Component 1 – Control Environment:


• It sets the tone of an organization, influencing the control consciousness of its people.
• It includes the governance and management functions and the attitudes, awareness, and actions of
those charged with governance and management concerning the entity’s internal control and its
importance in the entity.
• It is a set of characteristics that define good control working relationships in an entity.
• It is the foundation for effective internal control, for it provides an appropriate foundation for other
components of internal control.

Elements of control environment:


1. Integrity and ethical values – The entity should establish ethical standards. Ethical
standards influence the effectiveness of the design, administration and monitoring of
controls.
2. Participation by those charged with governance (BOD and audit committee).
3. Management’s philosophy and operating style – Management’s approach to taking
and managing business risks, attitudes and actions toward financial reporting, and attitudes
toward information processing and accounting functions and personnel.
4. Assignment of authority and responsibility – How authority and responsibility for
operating activities are assigned and how reporting relationships and authorization
hierarchies are established. Appropriate methods of assigning responsibility must be
implemented to avoid incompatible functions and to minimize the possibility of errors
because of too much work load assigned to an employee.
5. Commitment to competence – Management’s consideration of the competence levels
for particular jobs and how those levels translate into requisite skills and knowledge.
Competence is the knowledge and skills necessary to accomplish tasks that define the
individual’s job.
6. Personnel or Human resource policies and procedures – The entity must implement
appropriate policies for recruitment/hiring, orientation, training, evaluating, counseling,
promoting, compensating, and remedial actions because the competence of the entity's
employees will bear directly on the effectiveness of the entity's internal control.
7. Organizational structure – The framework within which an entity’s activities for
achieving its objectives are planned, executed, controlled and reviewed. Establishing a
relevant organizational structure includes considering key areas of authority and
responsibility and appropriate lines of reporting. The appropriateness of an entity’s
organizational structure depends, in part, on its size and the nature of its activities.

Component 2 – Risk Assessment: An entity’s risk assessment for financial reporting purposes is its
identification, analysis, and management of risks relevant to the preparation of financial statements that
are fairly presented in conformity with generally accepted accounting principles. (Note that this component
concerns the assessment by management of risk facing the entity, not the auditor's assessment of control
risk.)

Matters the auditor should consider are how management:


a. Identifies business risks (inherent and residual risks) relevant to financial reporting;
b. Estimates the significance of the risks;
c. Assesses the likelihood of their occurrence; and
d. Decides upon actions to manage them.

Component 3 – Information and Communication System: Information and communication systems
support the identification, capture, and exchange of information in a timely and useful manner.

The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the following areas:

a. The classes of transactions in the entity’s operations that are significant to the financial statements;
b. The procedures, within both information technology (IT) and manual systems, by which those
transactions are initiated, recorded, processed, corrected as necessary, transferred to the general
ledger and reported in the financial statements;
c. The related accounting records, supporting information and specific accounts in the financial
statements that are used to initiate, record, process and report transactions; this includes the
correction of incorrect information and how information is transferred to the general ledger.
d. The records may be in either manual or electronic form;
e. How the information system captures events and conditions, other than transactions, that are
significant to the financial statements;
f. The financial reporting process used to prepare the entity’s financial statements, including
significant accounting estimates and disclosures; and
g. Controls surrounding journal entries, including non-standard journal entries used to record non-
recurring, unusual transactions or adjustments.

The information system relevant to financial reporting objectives, which includes the accounting
system, consists of the methods and records established to record, process, summarize, and report entity
transactions (as well as events and conditions) and to maintain accountability for the related assets,
liabilities, and equity.

Communication involves providing an understanding of individual roles and responsibilities pertaining
to internal control over financial reporting. Communication may take such forms as policy manuals and
financial reporting manuals. Open communication channels help ensure that exceptions are reported and
acted on.

Accounting system: means the series of tasks and records of an entity by which transactions are
processed as a means of maintaining financial records. The tasks identify, assemble, analyze, calculate,
classify, record, summarize and report transactions and other events.

Component 4 – Control Activities: Control activities are the policies and procedures that help
ensure management’s directives are carried out and that necessary steps to address risks are taken.
Control activities address risks that if not mitigated would threaten the achievement of the entity’s
objectives.

The auditor should obtain a sufficient understanding of control activities to assess the risks of material
misstatement at the assertion level and to design further audit procedures responsive to assessed risks.

Categories of Control activities: Categories of specific control activities that may be relevant to
an audit:

1. Prenumbering of documents – helps to assure that:
a. All transactions are recorded (completeness).
b. No transactions are recorded more than once (existence).

2. Authorization of transactions – authorization should occur before commitment of
resources

3. Independent checks to maintain asset accountability – independent checks involve
the verification of work previously performed by others
Examples include:
a. Review of bank reconciliations
b. Comparison of subsidiary records to control accounts
c. Comparison of physical counts of inventory to perpetual records

4. Documentation – provides evidence of the underlying transactions and is a basis for
establishing responsibility for the execution and recording of transactions
5. Performance reviews – includes review of the following:
a. Reviews and analyses of actual performance versus budgets, forecasts, and prior period
performance
b. Relating different sets of data to one another, together with analyses of the relationships
and investigative and corrective actions (for example, the management of a sports team
might use attendance data to ascertain the reasonableness of ticket sales).
c. Comparing internal data with external sources of information, and
d. Review of functional or activity performance (for example, sales reports, receivable
reports, etc., may be used to analyze performance and to identify errors).

6. Information processing controls – ensure that transactions are valid, properly
authorized, and completely and accurately recorded

a. Application controls – controls which apply to the processing of individual applications
Examples of application controls:
• Checking the arithmetical accuracy of records
• Maintaining and reviewing accounts and trial balance
• Automated controls such as edit checks of input data and numerical sequence
checks
• Manual follow-up of exception reports
• Controls surrounding receivables
• Controls surrounding payroll

b. General controls – controls that relate to many applications and support
the effective functioning of application controls by helping to ensure the continued
proper operation of information systems. General controls apply to information
processing throughout the company.
Examples of general controls:
• Program change controls
• Controls that restrict access to programs or data
• Controls over the implementation of new releases of packaged software
applications
• Controls over system software that restrict access to or monitor the use of system
utilities that could change financial data or records without leaving an audit trail
• Controls over data center/network

7. Physical controls – physical controls for safeguarding assets involve security devices
and limited access to programs and to restricted areas, including computer facilities

a. Physical segregation and security of assets, including adequate safeguards such as secured
facilities over access to assets and records.
Examples of physical controls:
• Protective or security devices
• Bonded or independent custodians
• Physical security of assets:
✓ Cash – placed in cash boxes, vault or safe deposit boxes
✓ Cash – deposited in a bank
✓ Inventory – placed in a warehouse
✓ PPE items – tagged with non-movable labels
b. Authorization for access to computer programs and data files (for example, requiring
password prior to access)
c. Authorized access to assets and records (such as through the use of computer access
codes, prenumbered forms, and required signatures on documents for the removal or
disposition of assets)
d. Required signatures on documents for the removal or disposition of assets
e. Periodic counting and comparison with amounts shown on control records
Examples:
• Comparing the results of cash, security and inventory counts with accounting
records
• Reconciliations
f. The extent to which physical controls intended to prevent theft of assets are relevant to
the reliability of financial statement preparation, and therefore the audit, depends on
circumstances such as when assets are highly susceptible to misappropriation.
8. Segregation of duties – involves ensuring that individuals do not perform incompatible
duties. Duties should be segregated such that the work of one individual provides a
crosscheck on the work of another individual.

A proper segregation of duties (or incompatible functions) requires that one person
should not be responsible for all phases of a transaction. It requires assigning different
people the responsibilities of:
• Authorizing transactions
• Recording transactions – recordkeeping
• Maintaining custody of assets involved in the transactions

This means that different employees authorize transactions in the asset, record the
transactions, and have custody of the asset.

Segregation of duties is intended to reduce the opportunities to allow any person to be
in a position to both perpetrate and conceal errors or fraud in the normal course of the
person’s duties.

Example of segregation of duties:
• The responsibilities of the treasury department include handling of cash and custody
of securities but do not include data processing.
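
Added example (not part of the original notes): one way to check the authorize / record / custody split described above, both in how access is designed and in what actually happened per transaction. The user names, document numbers and data layout are constructed for illustration.

```python
from collections import defaultdict

# The three functions the notes say must be assigned to different people.
FUNCTIONS = ("authorize", "record", "custody")

# Constructed sample: functions each user's access rights allow (hypothetical names).
ACCESS_RIGHTS = {
    "alice": {"authorize"},
    "bob": {"record"},
    "carol": {"custody"},
    "dave": {"record", "custody"},  # incompatible functions granted to one person
}

# Constructed sample activity log: (transaction id, function performed, user).
ACTIVITY_LOG = [
    ("CD-1001", "authorize", "alice"),
    ("CD-1001", "record", "bob"),
    ("CD-1001", "custody", "carol"),
    ("CD-1002", "authorize", "alice"),
    ("CD-1002", "record", "dave"),
    ("CD-1002", "custody", "dave"),
    ("CD-1003", "authorize", "alice"),
    ("CD-1003", "record", "bob"),      # no custody step logged
    ("CD-1004", "authorize", "bob"),   # bob holds no authorize right
    ("CD-1004", "record", "bob"),
    ("CD-1004", "custody", "carol"),
]


def design_conflicts(access_rights):
    """Design check: users whose rights cover more than one incompatible function."""
    conflicts = {}
    for user, rights in access_rights.items():
        held = sorted(rights & set(FUNCTIONS))
        if len(held) > 1:
            conflicts[user] = held
    return conflicts


def operating_exceptions(activity_log, access_rights):
    """Operating check: per-transaction exceptions in what was actually done."""
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn, function, user in activity_log:
        by_txn[txn][function].add(user)

    exceptions = []
    for txn in sorted(by_txn):
        phases = by_txn[txn]
        # A phase nobody performed means the cross-check never happened.
        for function in FUNCTIONS:
            if function not in phases:
                exceptions.append((txn, "missing_phase", function))
        # Collect which functions each person performed on this transaction.
        performed = defaultdict(set)
        for function, users in phases.items():
            for user in users:
                performed[user].add(function)
        for user in sorted(performed):
            functions = sorted(performed[user])
            # One person handling two or more phases can both commit and conceal.
            if len(functions) > 1:
                exceptions.append((txn, "same_person", f"{user}:{'+'.join(functions)}"))
            # Acting outside granted rights points at an override or an access gap.
            for function in functions:
                if function not in access_rights.get(user, set()):
                    exceptions.append((txn, "unauthorized_function", f"{user}:{function}"))
    return exceptions


if __name__ == "__main__":
    print("Design conflicts:", design_conflicts(ACCESS_RIGHTS))
    for item in operating_exceptions(ACTIVITY_LOG, ACCESS_RIGHTS):
        print("Exception:", item)
```

The design check corresponds to evaluating whether duties are segregated on paper; the operating check corresponds to testing whether the segregation held for individual transactions.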

Component 5 – Monitoring the Controls: Monitoring is a process that assesses the quality of internal
control performance on an ongoing basis. Management’s monitoring of controls includes considering
whether they are operating as intended and that they are modified as appropriate for changes in conditions.

Monitoring assesses the effectiveness of the internal control’s performance over time. The objective
is to ensure the controls are working properly and, if not, to take necessary corrective actions. Management
accomplishes monitoring of controls through ongoing activities, separate evaluations or a combination of
the two.

Management’s monitoring activities may also include using information from external parties such as
complaints from customers or comments from regulatory bodies that may indicate problems, highlight
areas in need of improvement, or require communications relating to internal control from external auditors.

Internal Control in Smaller Entities

In smaller entities, there are often few employees, which can limit the extent to which segregation
of duties is practicable and the paper trail of documentation available. But internal control still exists.
In such entities, the control environment (management’s commitment to ethical values, competence,
attitude toward control, and their day-to-day actions) will be very important to evaluate. This will
involve assessing the behavior, attitudes, and actions of management.

The presence of a highly involved owner-manager can be both an internal control strength and an
internal control weakness. The strength is that the person (assuming his or her competence) will be
knowledgeable about all aspects of operations and that it is highly unlikely material errors will be
missed. The weakness is that the person is also in a good position to override internal controls.

Effect of Information Technology on Internal Control

Effect on Internal Control


An entity's use of information technology may affect any of the five components of internal
control:
a. Management's failure to appropriately address IT risks may negatively impact the control
environment.
b. The use of IT may enhance an entity's risk assessment by providing more timely
information.
c. Many information and communication systems make extensive use of IT, and the way in
which IT is used often affects an entity's internal control.
d. Much of the information used in monitoring is provided by IT, and therefore, the accuracy of
the IT system is crucial.
e. The use of IT may affect the way in which existing control activities are implemented. Also,
the effectiveness of user controls may depend upon the accuracy of information provided to
the user by IT systems.
Manual vs. Automated Controls
a. Manual controls may be more appropriate than automated controls in situations where
judgment and discretion is required, such as circumstances in which misstatements are
difficult to define, anticipate, or predict.
b. Manual controls, however, may pose additional risks because they can be more easily
ignored or overridden, they are subject to human error, and they are less consistent than
automated controls.

Testing Automated Controls


a. In testing automated controls, the auditor needs to identify and test not just specific
application controls but relevant general controls on which the application controls depend.
(Application controls and general controls are covered further below.)
b. In a manual system, manual controls such as approvals, reviews, and reconciliations are
used. In an automated system using information technology, both manual and automated
controls may be used; however, even manual controls may be dependent to some extent on
the effective functioning of IT.

IT Benefits
IT is used by an entity to improve the efficiency and effectiveness of its internal control. The
auditor should consider the effect of such benefits as part of assessing internal control. Benefits may
include:
a. The ability to process large volumes of transactions and data accurately and consistently.
b. Improved timeliness and availability of information.
c. Facilitation of data analysis and performance monitoring.
d. Reduction in the risk that controls will be circumvented.
e. Enhanced segregation of duties through effective implementation of security controls.

IT Risks
The use of IT may also create additional internal control risks. The auditor must evaluate the
entity's use of IT to determine whether and to what extent the following risks exist:
a. Potential reliance on inaccurate systems.
b. Unauthorized access to data, which may result in loss of data and/or data inaccuracies.
c. Unauthorized changes to data, systems, or programs.
d. Failure to make required changes or updates to systems or programs.

CONSIDERING INTERNAL CONTROL

• Considering internal control – involves study and evaluation of internal control

• Reasons/purpose of the auditor’s study and evaluation of internal control:
1. Primary: to provide a basis for planning the audit to determine the nature, timing, and extent
of audit procedures
2. Secondary: to provide a basis for constructive suggestions to management about
improvements in internal control structure

• Steps in consideration of internal control:

1. Obtain sufficient understanding of the internal control relevant to the audit –
involves obtaining understanding of the design and operation of internal control relevant to the
audit

• The auditor should use the understanding of the five components of internal control sufficient
to evaluate the design and determine if the control has been implemented.
• While the five components of internal control provide a useful framework for identifying and
evaluating controls, the auditor should be more concerned with whether and how a specific
control prevents, or detects and corrects, material misstatements, than with the classification
of controls into categories.
• Internal control is relevant to the entire entity and each of the five components of internal
control may affect any of the three entity objectives, but not all of an entity's objectives and
related controls are relevant to the audit. Generally, those controls that pertain to financial
reporting objective are most relevant to the audit; it is primarily those controls that the auditor
must consider and understand. The auditor need not assess all controls related to financial
reporting, but rather applies professional judgment in determining which controls to assess.
a. Evaluate the design of relevant control – involves determining whether the control,
individually or in combination with other controls, is capable of effectively preventing or
detecting and correcting material misstatements

Major emphasis in the design of effective control


a. Assets are properly protected
b. Duties are segregated
c. Transactions are authorized

b. Determine whether the control has been implemented – whether the control is
placed in operation; a control has been implemented if the control exists and is being used
by the entity

Procedures to obtain evidence about the design and implementation of controls:
• Inquiry of entity personnel (inquiry alone is not sufficient)
• Inspecting documents and records
• Observing the application of specific controls
• Performing a “walk-through” test – tracing a transaction through the accounting
system, from initial recording to presentation in the financial statements

The understanding of internal control is used by the auditor to:
• Identify types of potential misstatements that can occur
• Consider factors that affect the risks of material misstatements
• Determine the nature, timing, and extent of audit procedures

2. Perform preliminary assessment of control risk – the assessment of control risk is based
on understanding of internal control
a. Assess control risk at a high level:
(1) If internal control is poor or not effective, or
(2) If it is inefficient to rely on internal control (inefficient to perform tests of controls)

Auditor’s response if control risk is assessed at a high/maximum level:
• Skip or do not perform tests of controls
• Rely primarily on substantive tests

b. Assess control risk at less than high level:
(1) If internal control is effective or reliable, and
(2) If it is inefficient to obtain evidence to justify the assessment of control risk at less
than high level

Note: Even if the internal control is effective, the auditor should assess control risk at a high
level if it is inefficient to obtain evidence to justify the assessment of control risk at less than
high level. The PSA requires the auditor to document the basis which is the evidence to
justify the assessment of control risk at less than high level.

Auditor’s response if control risk is assessed at less than high/maximum level:
• Perform tests of controls – to confirm operating effectiveness of controls

3. Perform tests of controls – tests of controls are performed when the auditor plans to rely
on internal control; the auditor will only test those controls that he plans to rely upon (controls
that are likely to prevent or detect and correct material misstatement relevant to the financial
statements)

Tests of controls –
• Tests performed to test the operating effectiveness (as to design and operation) of internal
controls that are likely to detect or prevent material misstatements in support of a reduced
assessed level of control risk. Thus, tests of controls are performed to substantiate the reduced
assessed level of control risk
• Tests performed confirm that the controls tested are working effectively
• Unlike substantive tests of details, tests of controls are not a required audit procedure.
• The greater the reliance the auditor plans to place on internal control, the more extensive the
tests of those controls that need to be performed.
• Tests of controls generally consist of one (or a combination) of the following evidence gathering
techniques:
a. Inquiry
b. Observation
c. Inspection
d. Reperformance

a. Results of tests of controls do not confirm effectiveness of controls – the auditor should
revise the preliminary risk assessment of control risk from less than high to high level; the
auditor should also make the necessary revision on the overall audit strategy, audit plan
and preliminary audit program
b. Results of tests of controls confirm effectiveness of controls – the auditor may rely on
entity’s internal control and decrease substantive testing

Required Documentation:

1. Document the understanding of accounting and internal control systems

• Form of documentation may vary
• One form or a combination of forms of documentation may be used at the same time
• Forms of documentation:
1. Internal control questionnaire – consists of a list of questions on internal control
to be answered by a "Yes" or "No" response. A negative response is designed to draw
attention to a possible weakness in internal control. Written explanations are required
for "No" answers.
2. Flowcharts – pictorial/symbolic diagram depicting the operation of a program/system
or the sequential flow of authority, processes, transactions and documents. The use
of standard symbols makes flowcharts easy to understand.
a. Systems flowcharts – used to evaluate internal control because it shows the
origin of each document in the system, its subsequent processing, and its final
disposition
b. IT flowcharts – used in evaluating the internal control in an
automated/computerized accounting environment. The auditor can use these
flowcharts to evaluate both the flow of the program and the internal controls
related to the IT function in general.
3. Internal control checklists – a detailed listing of ideal control measures (the auditor
tickmarks the controls adopted by the client)
4. Narrative memoranda – a written version of a flowchart. It is a description of the
auditor's understanding of the system of internal control. Note that flowcharts are
more appropriate for documenting complex control structures, while written narratives
are more appropriate for less complex structures.
5. Decision trees or tables –
a. Decision trees – are graphic illustrations that depict the logic of an operation or
process. They generally employ questions with "Yes" or "No" answers, which direct
the user to the next relevant questions.
b. Decision tables – are graphic illustrations that depict the logical relationships of
a system in table form. Both approaches document the auditor's understanding of
a process.

2. Document the assessed level of control risk


• If the control risk is assessed at a high level, the auditor should document his conclusion that
control risk is at a high level.
• If the control risk is assessed at less than high level, the auditor should document:
a. His conclusion that control risk is at less than high level, and
b. The basis for that assessment – results of tests of controls confirming the assessment of
control risk at below high/maximum level

Communicating with those charged with governance and management:

The auditor should communicate audit matters of governance interest arising from the audit of financial
statements with those charged with governance of an entity.

Governance refers to the role of persons entrusted with the supervision, control and direction of an
entity. Those charged with governance ordinarily are accountable for ensuring that the entity achieves its
objectives, financial reporting, and reporting to interested parties.

Reportable conditions are significant deficiencies/weaknesses in the design or operation of the
internal control which have come to the auditor’s attention that should be reported to the appropriate level
of management such as the highest official of the company or those charged with governance (usually to
the entity’s audit committee of the board of directors) in writing, in a formal management letter (the
by-product of the audit engagement) at the earliest opportunity so that appropriate corrective actions may be
taken as soon as possible.

A deficiency may be of such magnitude as to be considered a material weakness in internal control.


A material internal control weakness is a condition in which material errors or fraud would ordinarily
not be detected within a timely period by employees in the normal course of performing their assigned
functions.

No expression of opinion on entity’s internal control:

Consideration of internal control in a financial statement audit is not sufficient to express an opinion
on an entity’s controls because only those controls on which an auditor intends to rely are reviewed,
tested, and evaluated. Moreover, the auditor is not required to identify or search for internal control
weaknesses.

Internal control weaknesses: Examples of significant weaknesses in internal control include:


 Weak control environment (such as ineffective oversight, poor attitude toward internal control, or
instances found of management override or fraud)
 Weaknesses in IT general controls.
 Significant business risks that have not been addressed by policies, procedures or internal controls.
 Inadequate policies and procedures in place for:
 Appropriately assessing and applying accounting principles
 Determining accounting estimates and assessing their reasonableness
 Preparing the financial statements and the disclosures required, and
 Safeguarding assets
 Significant internal control activities or application controls not operating as designed, not applied
consistently by appropriate individuals, or not monitored by appropriate individuals.
 Significant deficiencies previously communicated to management or those charged with governance that
remain uncorrected after some reasonable period of time.
(1) Substantive procedures – audit procedures designed to detect material
misstatements at the assertion level
Other best descriptions: Substantive procedures may also be described as audit
procedures that are designed to:
 Detect material peso/monetary errors or fraud
 Substantiate the validity of management's assertions regarding the financial
statements. Thus, substantive procedures are sometimes called validation
procedures because they provide evidence about the existence of
misstatement.
 Gather evidence in respect to all material classes of transactions, account
balances, and disclosures.
 Be performed in response to the assessment of the risks of material
misstatement at the assertion level, which includes the results of tests of
controls, if any. In other words, substantive procedures are performed in
response to the planned level of detection risk.

Substantive procedures are mandatory:


Irrespective of the assessed risks of material misstatement, substantive procedures
are required for all relevant assertions related to each material class of transactions,
account balance, and disclosure. This requirement reflects the fact that:
a. The auditor’s assessment of risk is judgmental and so may not identify all risks
of material misstatement; and
b. There are inherent limitations to internal control
Substantive testing cannot be eliminated. However, it may be reduced by the auditor’s
reliance on the entity’s effective internal control.

Nature, timing and extent of substantive tests:


When internal control is not reliable, the auditor will have to perform extensive
substantive tests. Thus, the result of test of controls is a major factor in determining
the nature, timing and extent of substantive tests.
1. Nature: relates to the quality of audit evidence (performing more effective or less
effective audit procedures)
2. Timing: also relates to the quality of evidence (performing the audit procedures
at year-end or at interim date)
3. Extent: relates to the quantity of audit evidence (using larger sample size or
smaller sample size)

Reliance on substantive tests:


The reliance placed on substantive tests in relation to the reliance placed on internal
control has an inverse relationship.

Types of substantive procedures:


In deciding whether to use substantive analytical procedures or to perform tests of
details of transactions and balances, the auditor usually considers the relative
effectiveness and efficiency of the tests.
1. Tests of details – examining or obtaining audit evidence on the actual details of
account balance, class of transactions, and disclosure
 The objective of tests of details is to substantiate or identify misstatements in
the recorded amounts.
Directional testing – refers to the direction of an audit test
a. Tracing – if the auditor starts from original source documents and traces
forward to the accounting records, this tests the assertion of completeness.
This helps the auditor identify understatement errors.
b. Vouching – If the auditor starts from the accounting records and vouches
backwards to the original source documents, this tests the assertion of
existence or occurrence. This helps the auditor identify overstatement
errors.
a) Test of details of transactions – testing of transactions which give rise to
the ending balance of a given account; these involve examining authorization,
recording and posting of transactions (such as examining receipts or
disbursements of Cash account)
 Applicability of test of details of transactions: It is used when the
account being substantiated has relatively few or smaller volume of
transactions of relatively material amounts occurring during the year (for
example, PPE, intangibles, bonds payable and stockholders’ equity
accounts)
 Tests of transactions are often performed several months prior to the
balance sheet date.
 Tests of details of transactions primarily involve tracing and vouching.

b) Tests of details of balances – direct testing of an account’s ending balance


 Tests of details of balances focus on obtaining evidence directly about an
account balance.
 More types of evidence are obtained using tests of details of balances than
by using any other type of test.
 Tests of details of balances are usually the most costly to perform.
 Applicability of test of details of balances:
 For accounts whose balances are affected by large volume transactions
of relatively immaterial amounts (such as cash, accounts receivable and
inventories).
 If an account has a high turnover rate with many transactions occurring
during the year, the auditor generally will concentrate more on the
ending balance total.
 It is used when the auditor is satisfied that internal control is strong.

2. Substantive analytical procedures – these are analytical procedures
performed during the testing phase to substantiate predictable relationships among
both financial and non-financial data
 Analytical procedures are evaluations of financial information made by a
study of plausible relationships among both financial and nonfinancial data.
Analytical procedures generally involve comparisons of recorded amounts to
independent expectations developed by the auditor.
 The application of planned analytical procedures is based on the expectation
that relationships among data exist and continue in the absence of known
conditions to the contrary.
 Analytical procedures will result in circumstantial evidence rather than
conclusive evidence.
 Results of substantive analytical procedures would entail additional tests to be
performed.
 Analytical procedures are the audit tests that are usually the least costly to
perform.

Applicability of substantive analytical procedures:


 Generally more applicable to large volume of transactions that tend to be
predictable over time
 Not required as substantive procedures during the testing phase (but are required
during audit planning and final or overall review stages)
 When appropriate, they are used on accounts that are predictable and
plausible.

Limitations of analytical procedures: Since analytical procedures are based
on expected plausible relationships among data, differences do not necessarily
indicate errors or fraud, but simply indicate the need for further investigation.
Changes in an account, changes in accounting principle, and inherent differences
between industry norms and the client all contribute to fluctuations in expected
amounts.
Audit Procedures According to Types:
The following procedures, individually or in combinations, may be used as risk assessment
procedures, test of controls, or substantive procedures, depending on the context in which they
are applied by the auditor:
1. Inspection – consists of examining records or documents (whether internal or external,
in paper form, or other media), or a physical examination of an asset
 For example, an inspection of records or documents for evidence of authorization is
a test of controls.
2. Observation – consists of viewing/looking at a process or procedure being performed by
others.
Examples:
 Observation of the counting of inventories by the entity’s personnel
 Observation of the performance of control activities that leave no audit trail
3. External confirmation – represents audit evidence obtained by the auditor as a direct
written response to the auditor from a third party (the confirming party) in paper form, or
by electronic or other medium
 Confirmation is a specific type of inquiry that involves the process of obtaining a
representation of information or of an existing condition about account balances and
transactions or events directly from independent third parties.
 Confirmations are controlled by the auditor because the auditor:
a. Selects the parties to be contacted
b. Prepares and mails the confirmation requests, and
c. Receives the confirmation replies directly from the third parties
 External confirmations frequently are relevant when addressing assertions associated
with certain account balance and their elements. However, they are not restricted to
account balances only.
Examples of external confirmation:
 Confirmation of accounts receivable balances:
a. Positive confirmation – customers should reply whether or not they agree
with their respective balances; it is considered more effective than negative
confirmation
b. Negative confirmation – customers should reply if there are discrepancies
 Bank confirmation of account balances (including amount of loan outstanding)
 Suppliers’ confirmation of accounts payable
 Confirmation from lenders
 Inventory confirmation when inventory is under custody and control of a third party
 Confirmation from lawyers or financiers who have custody over client’s property title
deeds
 Confirmations of the terms of agreements or transactions an entity has with third
parties
 Confirmation about the absence of certain conditions, for example, the absence of a
“side agreement” that may influence revenue recognition
4. Recalculation (computation) – consists of checking the mathematical accuracy
(manually or electronically) of documents or records
Examples:
 Auditor’s recalculation of depreciation, interest expense or earnings per share
5. Reperformance – involves the auditor’s independent execution of procedures or controls
that were originally performed (by the client’s staff) as part of the entity’s internal control
6. Analytical procedures – consist of evaluations of financial information made by a study
of plausible relationships among both financial and non-financial data
Analytical procedures also encompass the investigation of identified fluctuations and
relationships that are inconsistent with other relevant information or deviate significantly
from predicted amounts.
7. Inquiry – consists of seeking information of knowledgeable persons, both financial and
non-financial, within the entity or outside the entity.
 Inquiry is used extensively throughout the audit in addition to other audit procedures.
 Inquiries may be formal written inquiries or informal oral inquiries.
 Evaluating responses to inquiries is an integral part of the inquiry process.
 Evidence obtained from inquiry can be gathered with every type of audit test.
In respect of some matters, the auditor may consider it necessary to obtain written
representation from management and, where appropriate, those charged with governance
to confirm responses to oral inquiries.

Audit Techniques:
The auditor applies audit techniques (methods) to gather corroborative evidence and uses his
professional judgment to determine which audit techniques would best result in the audit
evidence he needs.

Examples of audit techniques:


1. Confirm – to obtain information directly from an independent third party
2. Inspect – to obtain evidence through physical examination
3. Count – physical examination of assets (such as cash count or petty cash count)
4. Compare – technique used after count of assets; also used to compare current period
balances with those of prior periods
5. Inquire – asking questions, whether oral or written, directed to the client or to third
parties
6. Trace – to determine whether transactions supported by source documents are properly
recorded and posted
7. Vouch – to examine and authenticate underlying evidential papers
8. Verify – to prove the accuracy of extensions, footings, postings, ownership and existence
9. Reconcile – to bring into agreement information obtained from two groups of related,
but independent, figures
Reconciliation involves comparing financial amounts from two independent sources
for agreement, such as:
 Reconciling the cash balance per the books with the balance per bank
 Reconciling the physical inventory count with the perpetual inventory records
 Reconciling lead schedules to general ledger amounts
10. Analysis of accounts – to detail the composition of an account or to detail the individual
debits and credits in the account in a chronological sequence
11. Review – performed to obtain evidence of authoritative documentation to support certain
transactions
12. Extend – to prove the accuracy of multiplications (on invoices, payroll records, etc.)
13. Foot – to prove the accuracy of vertical or horizontal additions
14. Scan – looking for evidence of unusual amounts/items, which, if found, would be further
investigated
 Scanning may also be considered an analytical procedure, as the auditor uses
professional judgment to search for large, significant, or unusual items in the
accounting records.
