_and_quot;Substantive_and_quot; Audit Approach 1204

  • Hi All,
    Just wanted to get everyone’s thoughts on an argument a buddy and I just had. He believes that a substantive approach is, by itself, sufficient in determining the operating effectiveness of a control. What he means by ‘substantive’ is that, for example a review control to verify the accurate recording of a transaction, the auditor can simply rely on reperformance to be comfortable that the control was operating effectively (without having to verify evidence that the review ever happened). I would say, however, that this logic is weak since management’s assertion relates to our assessment of the control, not an assessment of business transactions. A transaction can still be accurate but unless we verify (with evidence) that the review happened, we cannot make a conclusion that the control was in place and working effectively. In other words, how do I know that the preparer/processor of the transaction just didn’t make a mistake and that the reviewer really didn’t review the transaction?
    What I have done in my SOX external and internal audit days is both a test to ensure we have evidence that the control was done, AND to a certain extent (depending on the nature of the control and the risk profile of the transaction) perform some substantive review of the transaction (i.e., agree numbers) to ensure that the review was done accurately?
    Any feedback/opinion would be greatly appreciated.

  • You are right, and your buddy is wrong:
    Substantive tests of accounts and balances provide insufficient evidence that a control environment is free of material weaknesses (or deficiencies for that matter).
    SOx specifically requires a framework (such as COSO) to define a company’s control envirnment. Once a control environment is defined, Key Controls must be identified and tested.
    In addition, even if substantive tests were enough, testing an account/balance provides no assurance that General IT and Application controls, and entity level controls (anti-fraud) are effective.
    However, it is true that a material mis-statement of an account/balance DOES indicate a material weakness in the control environment.

  • John, I appreciate your feedback. I am in the process of writing to a friend’s friend at the PCAOB to get their take–as well as other common misconceptions I’ve noticed in other areas.

Log in to reply