[pickanicken]

I must be stupid because for some reason I cannot wrap my head around this even after reading it a million times. Let’s get this straight. Can some one please outline the steps in performing an audit. In my head I see it this way so maybe you can clear it up:

Risk Assessment

Are internal controls designed and implemented?

If there is internal control, then test of controls are performed to verify the controls are effective

If internal control is not effective, substantive procedures performed

I need some help understanding the details and the exceptions to the rules, etc. For example, if you initially perform a analytical substantive test during risk assessment, how would you also perform a substantive test to respond to a significant risk identified during the risk assessment? What is the difference between analytical substantive test and just a substantive test?

I just keep getting confused because I thought that substantive tests should be performed after it is determined that there is a lack of internal control or the test of controls show deficiencies. A lot of the time it seems like it is the other way around?

REG - 81
BEC - 83
AUD - 86
FAR - 78 (Done!)

[Biff-1955-Tannen]

Tests of controls will be used if the auditor assesses the control risk below maximum. They do tests of controls to be able to justify their assessment of control risk below the maximum.
If the auditor assesses control risk at the maximum, there is no need to test the controls. There is no need to test the controls because the auditor believes that the controls are so deficient that it is pointless to test them. Testing them will not result in a reduction in control risk, they are so deficient.

Substantive testing is not done during risk assessment, it is done after.

Don't think of substantive tests like an actual procedure. Substantive tests is more of a step in the audit. Analytical and tests of details are the procedures performed during this “step” of the audit.
Substantive testing will always be done in an audit, because…. well that is pretty much the audit. Analytical procedures and tests of details are substantive testing.
So to visualize this, if you were to have a venn diagram of substantive tests, “substantive tests” would be the main circle. Inside of that circle would be two other circles. One circle is “tests of detail”, the other is “Analytical procedures”.
If you don't do substantive testing, you've effectively done absolutely nothing during the audit.
Hope this helps. Let me know if you still need help

AUD - 93
BEC - 83
FAR - 83
REG - 84

Nobody calls me chicken

AUD 93 Jan 16
BEC 83 Feb 16
FAR 83 Apr 16
REG 84 May 16

99% Ninja MCQ only

[pickanicken]

I haven't read your response yet but I just have to say that I love your user name. I am one of the biggest Back to the Future fans you will ever meet. Now I will read. Thanks in advance.

REG - 81
BEC - 83
AUD - 86
FAR - 78 (Done!)

[pickanicken]

I think I am getting screwed up because I work in internal audit and primarily perform tests of internal controls. If we identify a risk and note that a control doesn't exist to mitigate the risk we perform a substantive test.

So from an external perspective… I still think I am confused… Risk assessment is performed to evaluate control and inherent risk. The auditor then determines detection risk based on control and inherent risk, correct? This is the level of RMM. From here, unless control risk is at the max, they would perform tests of controls to reduce the RMM to an acceptable level. Now what?

REG - 81
BEC - 83
AUD - 86
FAR - 78 (Done!)

[Biff-1955-Tannen]

I don't know a lot about Internal control, but I would guess that you call your work involving controls, substantive tests because that's what internal auditors do. Working with the controls is the main focus of the audit. For external auditors, the focus of the audit isn't to determine internal control effectiveness, it's to express an opinion on the financial statements. So for internal audit, controls are the meat and potatoes of the audit (substantive tests), for external audit, the financial statements are the meat and potatoes of the audit (substantive tests).
Yea they use RMM to determine their detection risk. If they assess control risk below maximum, they will perform tests of controls to justify their assessment, and/or to reduce RMM. So our concern with the internal controls (unless it's an integrated audit) is only on how they are going to affect the extent of the procedures (substantive) that we perform on the actual financial statements. Deficient controls will mean more substantive tests/ year end tests. And efficient controls means we won't need to do as much substantive tests and can do interim tests.

So the order should be: engagement acceptance > risk assessment/planning > substantive procedures > review

AUD - 93
BEC - 83
FAR - 83
REG - 84

Nobody calls me chicken

AUD 93 Jan 16
BEC 83 Feb 16
FAR 83 Apr 16
REG 84 May 16

99% Ninja MCQ only

[wombataholic]

Let me try explaining it as best I can with an example:

Your firm is auditing DoeCo, a small public company that makes and sells widgets. You are assigned to check out the accounts payable function/balances. Jane Smith is one of a handful of people in the AP department and fills in on occasion to sign checks when that person is off. All checks require an an approved purchase order, invoice and receiving document to be issued. The balance of AP is material to the financial statements.

Do the following steps:

1. Do internal controls for the AP function exist and working properly? If yes, go to #2, otherwise go to #3. Answer: No – documentation is required to issue a check – which you will verify by walking a transaction through or talking to people, but there is a breach of segregation of duties.

2. Is the balance of AP material to the financial statements? If yes, go to #3. If no, you're done auditing AP. Answer: Yes – it says so in the information above.

3. Do substantial testing of AP/checks issued. Select a random set of checks issued, then trace them backward to the supporting documentation and recording in the ledgers.*

If the internal controls both exist and are working properly, you won't have to do as much substantial testing because in theory, the controls should have prevented erroneous/improperly issued checks. Since the controls aren't working properly, you can't rely on them and have to look through more checks/documentation to support the audit opinion that AP is materially accurate. If AP wasn't material to the financial statments, there wouldn't be a real benefit to doing a lot of extra work to confirm the balance of AP.

*You would probably do more tests of details like confirming AP balances with vendors, but for this example we'll keep it simple and only do one type of substantial testing.

TL;DR – You know that old saying, “An ounce of prevention is worth a pound of cure”? This is a lot like that.

As far as this affecting types of reviews:
Compilation – Does not involve asking about/checking on internal controls.
Review – A review of the financial statements isn't going to involve asking about or checking internal controls.
Audit – Will involve checking out internal controls.

Hope this helped.

AUD - 91
BEC - 85
FAR - 91
REG - 92

CPA, CFE
Passed all 4 CPA exam sections with Ninja Notes/MCQ/Audio

Licensed CPA
Passed each section on the first try with Ninja Notes/MCQ/Audio

[pickanicken]

I've done a few million more hours of studying and have come back to take a look at the comment you all made a couple of weeks ago. Everything is starting to make a lot more sense now. Thanks for the help. I just had to shake that internal audit thought process out of my head.

REG - 81
BEC - 83
AUD - 86
FAR - 78 (Done!)

[Author]

Replies