Substantive Procedures
Substantive procedures are performed in order to detect material misstatements at the assertion level
(such as occurrence, completeness, accuracy, valuation, existence, rights and control), and include tests of
details of classes of transactions, account balances and disclosures, and substantive analytical procedures.
The auditor plans and performs substantive procedures to be responsive to the related assessment of the
risk of material misstatement. Irrespective of the assessment of risk of material misstatement, the auditor
should design and perform substantive procedures for each material class of transactions, account
balance, and disclosure.
The auditor's substantive procedures should include the following audit procedures related to the
financial statement closing process:
Examining material journal entries and other adjustments made during the course of preparing the
financial statements.
When the auditor has determined that an assessed risk of material misstatement at the assertion level is a
significant risk, the auditor should perform substantive procedures that are specifically responsive to that
risk.
Test of Control
The auditor is required to perform tests of controls when the internal controls are
operating effectively or when substantive procedures alone do not provide sufficient appropriate audit
evidence at the assertion level. Tests of controls comprise testing three things:
1. Design: that the internal controls are properly designed to cover the risk they are meant for (examined
through ICQs and ICECs).
2. Implementation: that the internal controls have been put into operation (examined through a
walk-through test with a small sample).
3. Operating effectiveness: that the systems of internal control were operating effectively at relevant
times during the period (examined through compliance tests based on a judgmental sample).
Inquiry and observation (e.g. inquiry about and observation of controls over opening of mail to verify
controls over cash receipts).
Re-performance (e.g. preparation of bank reconciliation statement);
Applying CAATs.
Tests of controls and tests of details may be applied simultaneously to the same transaction: the test of
control checks whether, e.g., the invoice is approved, and the test of details detects material misstatement
in that invoice.
1. a particular time or
However, if the auditor wants to obtain evidence about the effective operation of controls throughout the
period under audit, then tests of controls should be applied to transactions of the entire period.
If the auditor wants to rely on controls tested in prior periods, he should make inquiries to confirm that
there is no change in such controls. If these controls have changed, they should be tested for operating
effectiveness before being relied upon.
The auditor need not test all the controls in every audit if there is no change in them. However, such
controls must be tested at least every third audit.
Extent of tests of controls
The auditor designs tests of controls to obtain sufficient appropriate audit evidence that the controls
operated effectively throughout the period of reliance.
Matters the auditor may consider in determining the extent of the tests of controls include the following:
1. The frequency of the performance of the control by the entity during the period.
2. The length of time during the audit period that the auditor is relying on the operating effectiveness of
the control.
3. The relevance and reliability of the audit evidence to be obtained in supporting that the control
prevents, or detects and corrects, material misstatements.
4. The extent to which the auditor plans to rely on the effectiveness of the control (and thereby reduce
substantive procedures based on the reliance on such control).
Reporting on compliance and other information (Chairman's statement and Directors' report)
When reporting on compliance with laws and regulations, the auditor's objectives include:
To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws
and regulations generally recognized to have a direct effect on the determination of material amounts and
disclosures in the financial statements;
To perform specified audit procedures to help identify instances of non-compliance with other laws and
regulations that may have a material effect on the financial statements; and
To respond appropriately to non-compliance or suspected non-compliance with laws and regulations
identified during the audit.
If the auditor becomes aware of information concerning an instance of non-compliance or suspected
non-compliance with laws and regulations, the auditor shall obtain:
An understanding of the nature of the act and the circumstances in which it has occurred; and
Further information to evaluate the possible effect on the financial statements.
Seek legal advice if sufficient information is not made available on material non-compliance that the
auditor suspects.
If information cannot be obtained, consider the impact on the opinion.
Consider the impact of non-compliance on the auditor's risk assessment and the reliability of written
representations, and take appropriate action.
Communicate to those charged with governance, unless they themselves are involved.
If management and those charged with governance are involved, consider reporting to the next level of
authority, like the audit committee.
Where no higher authority exists, or if the auditor believes that the communication may not be acted
upon or is unsure as to the person to whom to report, the auditor shall consider the need to obtain legal
advice.
If the auditor concludes that the non-compliance has a material effect on the financial statements, and has
not been adequately reflected in the financial statements, the auditor shall express a qualified opinion or
an adverse opinion on the financial statements.
If the auditor is precluded by management or those charged with governance from obtaining sufficient
appropriate audit evidence to evaluate whether non-compliance that may be material to the financial
statements has, or is likely to have, occurred, the auditor shall express a qualified opinion or disclaim an
opinion on the financial statements on the basis of a limitation on the scope.
If the auditor is unable to determine whether non-compliance has occurred because of limitations
imposed by the circumstances rather than by management or those charged with governance, the auditor
shall evaluate the effect on the auditor's opinion in accordance with ISA
Auditor's responsibility on other information
Other information refers to financial and non-financial information (other than the financial statements
and the auditor's report thereon) which is included, either by law, regulation or custom, in a document
containing audited financial statements and the auditor's report thereon.
Employment data.
Financial ratios.
The auditor shall read the other information to identify material inconsistencies, if any, with the audited
financial statements.
The auditor shall make appropriate arrangements with management or those charged with governance to
obtain the other information prior to the date of the auditor's report. If it is not possible to obtain all the
other information prior to the date of the auditor's report, the auditor shall read such other information as
soon as practicable.
If, on reading the other information, the auditor identifies a material inconsistency, the auditor shall
determine whether the audited financial statements or the other information needs to be revised.
If revision of the audited financial statements is necessary and management refuses to make the revision,
the auditor shall modify the opinion in the auditor's report.
It is the proactive identification and removal of the causal and enabling factors of fraud.
It is based on the premise that fraud is not a random occurrence; it occurs when the conditions
are right for it to occur.
It is performed on the premise that improving organisational procedures to reduce the causal
factors of fraud is the single best defense against fraud.
It involves both short-term (procedural) and long-term (cultural) initiatives.
Deterrence involves an analysis of the conditions and procedures that affect fraud enablers, in essence,
looking at what could happen in the future given the process definitions in place, and the people operating
that process.
DETERRENCE VS PREVENTION
While deterrence is preventive in nature, there are semantical problems with referring to fraud
prevention. Prevention can imply complete elimination of a risk, which is not possible in the
case of fraud.
Motive (or pressure): the need for committing fraud (need for money, etc.).
Rationalization: the mindset of the fraudster that justifies committing fraud.
Opportunity: the situation that enables fraud to occur (often when internal controls are weak
or nonexistent).
Has the potential to significantly improve audit quality, not just in detecting fraud, but in
detecting all material misstatements & improving quality of financial reporting process.
It requires you to determine whether Management has designed programs and controls that
address identified risks of material misstatement due to fraud and whether those programs and
controls have been placed in operation.
COSO MODEL
It describes five interrelated components of internal control that provide the foundation for fraud
deterrence.
These elements are the means by which the opportunity factors in the fraud triangle can be
removed to most effectively limit instances of fraud.
CONTROL ENVIRONMENT
Consists of actions, policies and procedures that reflect the overall attitude of the management,
directors and owners of an entity about internal control and its importance to the entity.
SUB COMPONENTS
Integrity
Ethical Values
Commitment to competence
Board of Directors
Organisational structure
RISK MANAGEMENT
It is a forward-looking survey of the business environment to identify anything that could
prevent the accomplishment of organizational objectives.
As it relates to fraud deterrence, risk assessment involves the identification of internal and
external means that could potentially defeat the organization's internal control structure,
compromise an asset, and conceal the actions from management.
Risk assessment is a creative process; it involves identifying as many potential threats as possible,
and evaluating them to determine which require action, and the priority for that action.
CONTROL PROCEDURES
Control activities generally fall into the following five specific control activities:
Information should flow downward to the line functions and provide the best, most accurate
information as needed to allow the function to produce the best results possible.
Information about performance should flow upwards through management, through both formal
and informal communication channels, providing objective feedback.
Both communication channels must function effectively to safeguard the organization.
MONITORING
Monitoring activities deal with ongoing or periodic assessment of quality of internal control
performance by management to determine that controls are operating as intended and that they
are modified as appropriate for changes in conditions. Monitoring involves both fraud
deterrence and fraud detection activities.
Management must ensure that all control processes are performed as designed and approved.
Control compliance analysis to verify correct performance of procedures could reveal a control
that has been inappropriately modified or one that is not performed as approved; this control
weakness could present the opportunity for fraud.
Proactively identifying and correcting these weaknesses is the fraud
deterrence aspect of the monitoring process.