Considering the Nature, Timing, and Extent of Further Audit Procedures

Nature

12. The nature of further audit procedures refers to their purpose (tests of controls or substantive procedures) and their type, that is, inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedures. Certain audit procedures may be more appropriate for some assertions than others. For example, in relation to revenue, tests of controls may be most responsive to the assessed risk of misstatement of the completeness assertion, whereas substantive procedures may be most responsive to the assessed risk of misstatement of the occurrence assertion.

13. The auditor’s selection of audit procedures is based on the assessment of risk. The higher the auditor’s assessment of risk, the more reliable and relevant is the audit evidence sought by the auditor from substantive procedures. This may affect both the types of audit procedures to be performed and their combination. For example, the auditor may confirm the completeness of the terms of a contract with a third party, in addition to inspecting the document.

14. In determining the audit procedures to be performed, the auditor considers the reasons for the assessment of the risk of material misstatement at the assertion level for each class of transactions, account balance, and disclosure. This includes considering both the particular characteristics of each class of transactions, account balance, or disclosure (i.e., the inherent risks) and whether the auditor’s risk assessment takes account of the entity’s controls (i.e., the control risk). For example, if the auditor considers that there is a lower risk that a material misstatement may occur because of the particular characteristics of a class of transactions without consideration of the related controls, the auditor may determine that substantive analytical procedures alone may provide sufficient appropriate audit evidence. On the other hand, if the auditor expects that there is a lower risk that a material misstatement may arise because an entity has effective controls and the auditor intends to design substantive procedures based on the effective operation of those controls, then the auditor performs tests of controls to obtain audit evidence about their operating effectiveness. This may be the case, for example, for a class of transactions of reasonably uniform, non-complex characteristics that are routinely processed and controlled by the entity’s information system.

15. The auditor is required to obtain audit evidence about the accuracy and completeness of information produced by the entity’s information system when that information is used in performing audit procedures. For example, if the auditor uses non-financial information or budget data produced by the entity’s information system in performing audit procedures, such as substantive analytical procedures or tests of controls, the auditor obtains audit evidence about the accuracy and completeness of such information to comply with VSA 500 Audit Evidence.

Timing

16. Timing refers to when audit procedures are performed or the period or date to which the audit evidence applies.

17. The auditor may perform tests of controls or substantive procedures at an interim date or at period end. The higher the risk of material misstatement, the more likely it is that the auditor may decide it is more effective to perform substantive procedures nearer to, or at, the period end rather than at an earlier date, or to perform audit procedures unannounced or at unpredictable times (for example, performing audit procedures at selected locations on an unannounced basis). On the other hand, performing audit procedures before the period end may assist the auditor in identifying significant matters at an early stage of the audit, and consequently resolving them with the assistance of management or developing an effective audit approach to address such matters. If the auditor performs tests of controls or substantive procedures prior to period end, the auditor considers the additional evidence required for the remaining period (see paragraphs 39-40 and 58-63).

18. In considering when to perform audit procedures, the auditor also considers such matters as the following:

a) The control environment;

b) When relevant information is available (for example, procedures to be observed may occur only at certain times);

c) The nature of the risk (for example, if there is a risk of inflated revenues to meet earnings expectations by subsequent creation of false sales agreements, the auditor may wish to examine contracts available on the date of the period end); and

d) The period or date to which the audit evidence relates.

19. Certain audit procedures can be performed only at or after period end, for example, agreeing the financial statements to the accounting records and examining adjustments made during the course of preparing the financial statements. If there is a risk that the entity may have entered into improper sales contracts or transactions may not have been finalized at period end, the auditor performs procedures to respond to that specific risk. For example, when transactions are individually material or an error in cutoff may lead to a material misstatement, the auditor ordinarily inspects transactions near the period end.

Extent

20. Extent includes the quantity of a specific audit procedure to be performed, for example, a sample size or the number of observations of a control activity.

The extent of an audit procedure is determined by the judgment of the auditor after considering the materiality, the assessed risk, and the degree of assurance the auditor plans to obtain. In particular, the auditor ordinarily increases the extent of audit procedures as the risk of material misstatement increases. However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk; therefore, the nature of the audit procedure is the most important consideration.

21. The use of computer-assisted audit techniques (CAATs) may enable more extensive testing of electronic transactions and account files. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample.

22. Valid conclusions may ordinarily be drawn using sampling approaches. However, if the quantity of selections made from a population is too small, the sampling approach selected is not appropriate to achieve the specific audit objective, or if exceptions are not appropriately followed up, there will be an unacceptable risk that the auditor’s conclusion based on a sample may be different from the conclusion reached if the entire population was subjected to the same audit procedure. VSA 530 Audit Sampling and Other Selective Testing Procedures contains guidance on the use of sampling.

23. This VSA regards the use of different audit procedures in combination as an aspect of the nature of testing as discussed above. However, the auditor considers whether the extent of testing is appropriate when performing different audit procedures in combination.

Tests of Controls

24. The auditor is required to perform tests of controls when the auditor’s risk assessment includes an expectation of the operating effectiveness of controls or when substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level.

25. The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that controls are operating effectively, the auditor and the audit firm should perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating effectively at relevant times during the period under audit. Paragraphs 41-46 below discuss the use of audit evidence about the operating effectiveness of controls obtained in prior audits.

26. Auditor’s assessment of risk of material misstatement at the assertion level may include an expectation of the operating effectiveness of controls, in which case the auditor performs tests of controls to obtain audit evidence as to their operating effectiveness. Tests of the operating effectiveness of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion.

27. When the auditor has determined that it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the auditor should perform tests of relevant controls to obtain audit evidence about their operating effectiveness. For example, the auditor may find it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence at the assertion level when an entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system.

28. Testing the operating effectiveness of controls is different from obtaining audit evidence that controls have been implemented. When obtaining audit evidence of implementation by performing risk assessment procedures, the auditor determines that the relevant controls exist and that the entity is using them. When performing tests of the operating effectiveness of controls, the auditor obtains audit evidence that controls operate effectively during the period. This includes obtaining audit evidence about how controls were applied at relevant times during the period under audit, the consistency with which they were applied, and by whom or by what means they were applied. If substantially different controls were used at different times during the period under audit, the auditor considers each separately. The auditor may determine that testing the operating effectiveness of controls at the same time as evaluating their design and obtaining audit evidence of their implementation is efficient.

29. Although some risk assessment procedures that the auditor performs to evaluate the design of controls and to determine that they have been implemented may not have been specifically designed as tests of controls, they may nevertheless provide audit evidence about the operating effectiveness of the controls and, consequently, serve as tests of controls. For example, the auditor may have made inquiries about management’s use of budgets, observed management’s comparison of monthly budgeted and actual expenses, and inspected reports pertaining to the investigation of variances between budgeted and actual amounts. These audit procedures provide knowledge about the design of the entity’s budgeting policies and whether they have been implemented, and may also provide audit evidence about the effectiveness of the operation of budgeting policies in preventing or detecting material misstatements in the classification of expenses. In such circumstances, the auditor considers whether the audit evidence provided by those audit procedures is sufficient.