and these procedures may provide some limited audit evidence about the operating effectiveness of internal control. But risk assessment procedures by themselves generally will not provide sufficient appropriate audit evidence to support relying on controls to modify the nature, timing, and extent of substantive procedures.
Nature
As the planned level of assurance increases, the auditor should seek more reliable or more extensive audit evidence about the operating effectiveness of controls. (AU-C 330.09) For example, if the auditor has determined that, for a particular assertion, substantive procedures alone will not be sufficient, then the auditor would want to select tests of controls that will provide more reliable audit evidence.
When designing tests of controls, the auditor should consider the need to obtain audit evidence supporting the effective operation of controls directly related to the relevant assertion, as well as other indirect controls on which those controls depend. (AU-C 330.10) For example, if the auditor tests an IT application control, he or she should consider the need to test the IT general controls upon which the effective operation of the application control depends.
Timing
When determining the timing of tests of controls, the auditor should consider whether audit evidence is needed about how the control operated as of a point in time or how it operated throughout the audit period. (AU-C 330.11) This determination will depend on the auditor’s overall objective. For example, to test the controls over the entity’s physical inventory count, the auditor’s objective would be related to how the control operated at the point in time the physical inventory count was taken. However, to modify the nature, timing, and extent of, say, revenue transactions or accounts payable, the auditor would want to test the operation of controls throughout the audit period.
When further audit procedures are performed at an interim date, the auditor should consider obtaining information about significant changes to controls tested and the additional evidence that is necessary for the remaining period. (AU-C 330.12)
If certain conditions are met, the auditor may use audit evidence about the operating effectiveness of controls obtained in prior audits. These conditions include the following:
The auditor should obtain audit evidence about whether changes to the controls have occurred since the prior audit. If the controls have changed since they were last tested, the auditor should test the controls in the current period to the extent they affect the relevance of the audit evidence from the prior period.
The auditor should test the operating effectiveness of controls at least once every third year in an annual audit. When there are a number of controls for which the auditor determines that it is appropriate to use audit evidence in prior audits, the auditor should test the operating effectiveness of some controls each year.
(AU-C 330.14)
NOTE: When considering whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in prior audits, the auditor should consider matters such as:
The effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of controls, and the entity’s risk assessment process
The risks arising from the characteristics of the control, including whether controls are manual or automated
The effectiveness of IT general controls
The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control from tests of operating effectiveness in prior audits
Whether the lack of a change in a particular control poses a risk due to changing circumstances
The risk of material misstatement and the extent of reliance on the control
(AU-C 330.13)
In general, the higher the risk of material misstatement, or the greater the auditor’s reliance on controls, the shorter the time period that should elapse between tests of the controls.
Extent
In general, the greater the auditor’s planned reliance on the operating effectiveness of controls, the greater the extent of testing. (AU-C 330.A16) Other factors that the auditor should consider when determining the extent of tests of controls include the following:
The frequency of the performance of the control by the entity during the period
The length of time during the audit period that the auditor is relying on the operating effectiveness of the control
The relevance and reliability of the audit evidence to be obtained in supporting that the control prevents, or detects and corrects, material misstatements at the relevant assertion level
The extent to which audit evidence is obtained from tests of other controls related to the relevant assertion
The expected deviation from the control
Generally, IT processing is inherently consistent. Therefore, the auditor may be able to limit the testing to one or a few instances of the control operations, providing that IT general controls operate effectively.
Substantive Procedures
The auditor’s substantive procedures should include:
Performing tests directed to the relevant assertions related to each material class of transactions, account balance, and disclosures (AU-C 330.18),
Agreeing the financial statements, including their accompanying notes to the underlying accounting records, and
Examining material journal entries and other adjustments made during the course of preparing the financial statements.
(AU-C 330.21)
The auditor is required to use external confirmation procedures for accounts receivable, except when the account balance is immaterial, external confirmations would be ineffective, or the assessed level of risk at the relevant assertion level is low and other procedures address the risk. (AU-C 330.20)
Section 315 describes significant risks and how the auditor identifies significant risks. With regard to performing procedures related to significant risks, the auditor should perform tests of details or a combination of tests of details and substantive analytical procedures. That is, the auditor is precluded from performing only substantive analytical procedures in response to significant risks. (AU-C 330.22)
Timing of Substantive Procedures
In some circumstances, the auditor may perform substantive procedures as of an interim date, which increases the risk that misstatements that exist at the period end will not be detected by the auditor. Therefore, when substantive tests are performed at an interim date, the auditor should perform further substantive procedures or substantive procedures combined with tests of controls to cover the period between the interim tests and period end. (AU-C 330.23)
When considering whether to perform substantive procedures at an interim date, the auditor should consider factors such as:
The control environment and other relevant controls
The availability of information at a later date that is necessary for the auditor’s procedures
The objective of the substantive procedure
The assessed risk of material misstatement
The nature of the class of transactions or account balance and relevant assertions
The auditor’s