OBTAINING AUDIT EVIDENCE
The auditor's responses to risk
*ROMM at AFS level require overall responses & ROMM at assertion level require further audit procedures
Objectives of an auditor Objectives of ISA330
*To obtain reasonable assurance about if AFS as a whole *Give guidance on how auditors should obtain sufficient
are free from material misstatement, whether due to appropriate evidence regarding assessed ROMM by
fraud or error & to issue an auditor's report incl. designing & implementing appropriate responses.
auditor's opinion
Substantive procedure Test of Controls
*audit procedure designed to detect material *audit procedure designed to evaluate the operating
misstatements at assertion level. effectiveness of controls in preventing, or detecting &
*Comprises of Tests of details (of classes of trans., acc. correcting, material misstatements at assertion level.
balances, & discl.), & Substantive analytical procedures.
Further audit procedures (assertion level) Nature
*Consider reasons for assessment of ROMM at assertion *Refers to audit procedure purpose (test of controls or
level for each class of trans, acc. Balance & disclosure: substantive procedure) & its type (i.e., inspect., observ.,
*Particular characteristics of class of trans., acc. inquiry, confirm., recalc.,reperform., or analytics).
balance, or disclosure (i.e., inherent risks) & Audit approaches
*If relevant risk assessment takes account of entity’s *Combined - substantive & test of controls
controls (i.e.,the control risk), incl. nature of specific *Substantive procedure approach
controls used (manual or automated), & if auditor expects Timing
to obtain evidence to determine controls are effective;& *Auditor can perform audit procedures at the following:
Seek more persuasive audit evidence, whether from tests - Before year-end (interim) - At and after year-end
of controls or substantive procedures, the higher the - Prior to ye(early verification) with rolling forward at ye
auditor’s assessment of risk. - Both at interim stage & after ye
* More persuasive audit evidence is obtained by incr. Extent
quantity or relevance & reliability of evidence. *How many audit procedures & in how much detail
*Nature of audit procedures is of most importance in Limited tests of controls may be performed if
responding to the assessed risks *Risk assessment procedures indicate most internal
Overal responses (AFS level) controls don't operate effectively
* Emphasizing need to maintain professional skepticism. *fraud exists, e.g manag. overrides controls or collusion
*Assign more experienced staff or using experts *Cost of combined approach doesn't warrant benefit
* Providing more supervision. Analytical procedures
* additional elements of unpredictability in selection *Can be used to assess risk, but don't provide evidence
of further audit procedures to be performed. of effectiveness of internal control, therefore not used as
*Changes to nature, timing, or extent of audit procedures tests of controls.
Tests of controls Substantive procedures
*Required if auditor’s risk assessment incl. an expectation * include analytical procedures & tests of detail
controls are operating effectively or substantive *Can be performed at an interim date, but perform
procedures alone don't provide sufficient appropriate further audit procedures to cover remaining period.
audit evidence at assertion level. *If ROMM is assessed as high & results of the tests of
*Bigger entities doing numerous trans. using computers controls prove internal controls aren't operating
& no physical doc. are produced require tests of controls. effectively, control risk is set high,resulting in need to
*performed on controls determined suitably designed to reduce detection risk, therefore increasing extent of
prevent or detect & correct a MM at assertion level. substantive procedures.
*Auditor tests controls throughout a period to obtain audit *If internal controls are operating effectively auditor may
evidence of effectiveness throughout that period. choose to perform analytical substantive procedures only
*Can't perform test of controls only
Test of control concepts in a manual environment
FORMULATION TEST OF CONTROLS : HOW, WHAT, WHY
HOW WHAT
*Inspection *Observation *Refers to source doc. & action performed
*Reperformance *Inquiry (not sufficient on its own) WHY
*External confirmation : only for substantive procedures *Reason for performing test of control (assertion)
*Recalculation : only for substantive procedures
*Analytical procedures : only for substantive procedures
Test of Control Concepts in a control environment
*auditor may use CAATs to perform audit procedures in computerised env.
*Auditor should consider certain factors when deciding whether to use CAATs.
*Auditor should decide whether to audit around computer, through computer, on the computer, or a combination
*May use system-oriented CAATs to test automated internal controls in an automated env.
HOW SHOULD A TEST OF CONTROL BE FORMULATED USING TEST DATA?
HOW: Start most of your sentences with “Attempt to …”
WHAT: action (control)performed (e.g. “gain access to the system by entering a fictitious username and password”).
WHY: With valid test data, your action should be accepted and with invalid test data, your action should be rejected.
EXAM TECHNIQUE : Identify controls e.g passwords, signatures etc. and then come up with How, When and why
The auditor's responses to risk
*ROMM at AFS level require overall responses & ROMM at assertion level require further audit procedures
Objectives of an auditor Objectives of ISA330
*To obtain reasonable assurance about if AFS as a whole *Give guidance on how auditors should obtain sufficient
are free from material misstatement, whether due to appropriate evidence regarding assessed ROMM by
fraud or error & to issue an auditor's report incl. designing & implementing appropriate responses.
auditor's opinion
Substantive procedure Test of Controls
*audit procedure designed to detect material *audit procedure designed to evaluate the operating
misstatements at assertion level. effectiveness of controls in preventing, or detecting &
*Comprises of Tests of details (of classes of trans., acc. correcting, material misstatements at assertion level.
balances, & discl.), & Substantive analytical procedures.
Further audit procedures (assertion level) Nature
*Consider reasons for assessment of ROMM at assertion *Refers to audit procedure purpose (test of controls or
level for each class of trans, acc. Balance & disclosure: substantive procedure) & its type (i.e., inspect., observ.,
*Particular characteristics of class of trans., acc. inquiry, confirm., recalc.,reperform., or analytics).
balance, or disclosure (i.e., inherent risks) & Audit approaches
*If relevant risk assessment takes account of entity’s *Combined - substantive & test of controls
controls (i.e.,the control risk), incl. nature of specific *Substantive procedure approach
controls used (manual or automated), & if auditor expects Timing
to obtain evidence to determine controls are effective;& *Auditor can perform audit procedures at the following:
Seek more persuasive audit evidence, whether from tests - Before year-end (interim) - At and after year-end
of controls or substantive procedures, the higher the - Prior to ye(early verification) with rolling forward at ye
auditor’s assessment of risk. - Both at interim stage & after ye
* More persuasive audit evidence is obtained by incr. Extent
quantity or relevance & reliability of evidence. *How many audit procedures & in how much detail
*Nature of audit procedures is of most importance in Limited tests of controls may be performed if
responding to the assessed risks *Risk assessment procedures indicate most internal
Overal responses (AFS level) controls don't operate effectively
* Emphasizing need to maintain professional skepticism. *fraud exists, e.g manag. overrides controls or collusion
*Assign more experienced staff or using experts *Cost of combined approach doesn't warrant benefit
* Providing more supervision. Analytical procedures
* additional elements of unpredictability in selection *Can be used to assess risk, but don't provide evidence
of further audit procedures to be performed. of effectiveness of internal control, therefore not used as
*Changes to nature, timing, or extent of audit procedures tests of controls.
Tests of controls Substantive procedures
*Required if auditor’s risk assessment incl. an expectation * include analytical procedures & tests of detail
controls are operating effectively or substantive *Can be performed at an interim date, but perform
procedures alone don't provide sufficient appropriate further audit procedures to cover remaining period.
audit evidence at assertion level. *If ROMM is assessed as high & results of the tests of
*Bigger entities doing numerous trans. using computers controls prove internal controls aren't operating
& no physical doc. are produced require tests of controls. effectively, control risk is set high,resulting in need to
*performed on controls determined suitably designed to reduce detection risk, therefore increasing extent of
prevent or detect & correct a MM at assertion level. substantive procedures.
*Auditor tests controls throughout a period to obtain audit *If internal controls are operating effectively auditor may
evidence of effectiveness throughout that period. choose to perform analytical substantive procedures only
*Can't perform test of controls only
Test of control concepts in a manual environment
FORMULATION TEST OF CONTROLS : HOW, WHAT, WHY
HOW WHAT
*Inspection *Observation *Refers to source doc. & action performed
*Reperformance *Inquiry (not sufficient on its own) WHY
*External confirmation : only for substantive procedures *Reason for performing test of control (assertion)
*Recalculation : only for substantive procedures
*Analytical procedures : only for substantive procedures
Test of Control Concepts in a control environment
*auditor may use CAATs to perform audit procedures in computerised env.
*Auditor should consider certain factors when deciding whether to use CAATs.
*Auditor should decide whether to audit around computer, through computer, on the computer, or a combination
*May use system-oriented CAATs to test automated internal controls in an automated env.
HOW SHOULD A TEST OF CONTROL BE FORMULATED USING TEST DATA?
HOW: Start most of your sentences with “Attempt to …”
WHAT: action (control)performed (e.g. “gain access to the system by entering a fictitious username and password”).
WHY: With valid test data, your action should be accepted and with invalid test data, your action should be rejected.
EXAM TECHNIQUE : Identify controls e.g passwords, signatures etc. and then come up with How, When and why
