Substantive procedures (or substantive tests) are those activities performed by the auditor to detect material misstatement at the assertion level. [1]
Management implicitly assert that account balances and disclosures and underlying classes of transactions do not contain any material misstatements: in other words, that they are materially complete, valid and accurate. Auditors gather evidence about these assertions by undertaking activities referred to as substantive procedures.
There are two categories of substantive procedures - substantive analytical procedures and tests of detail. [1] Analytical procedures generally provide less reliable evidence than the tests of detail.[ citation needed ]
For example, an auditor may: physically examine inventory as evidence that inventory shown in the accounting records actually exists (existence assertion); inspect supporting documents like invoices to confirm that sales did occur (occurrence); arrange for suppliers to confirm in writing the details of the amount owing at balance date as evidence that accounts payable is a liability (rights and obligation assertion); and make inquires of management about the collectibility of customers' accounts as evidence that trade debtors are accurate as to its valuation. Evidence that an account balance or class of transaction is not complete, valid or accurate is evidence of a substantive misstatement but only becomes a material misstatement when it is large enough that it can be expected to influence the decisions of the users of the financial statement.
The Sarbanes–Oxley Act of 2002 is a United States federal law that mandates certain practices in financial record keeping and reporting for corporations. The act, Pub. L.Tooltip Public Law 107–204 (text)(PDF), 116 Stat. 745, enacted July 30, 2002, also known as the "Public Company Accounting Reform and Investor Protection Act" and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" and more commonly called Sarbanes–Oxley, SOX or Sarbox, contains eleven sections that place requirements on all U.S. public company boards of directors and management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.
An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.
A financial audit is conducted to provide an opinion whether "financial statements" are stated in accordance with specified criteria. Normally, the criteria are international accounting standards, although auditors may conduct audits of financial statements prepared using the cash basis or some other basis of accounting appropriate for the organization. In providing an opinion whether financial statements are fairly stated in accordance with accounting standards, the auditor gathers evidence to determine whether the statements contain material errors or other misstatements.
An auditor's report is a formal opinion, or disclaimer thereof, issued by either an internal auditor or an independent external auditor as a result of an internal or external audit, as an assurance service in order for the user to make decisions based on the results of the audit.
Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit, commonly abbreviated as SAS 99, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in October 2002. The original exposure draft was distributed in February 2002. Please see PCAOB AS 2401.
Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
An external auditor performs an audit, in accordance with specific laws or rules, of the financial statements of a company, government entity, other legal entity, or organization, and is independent of the entity being audited. Users of these entities' financial information, such as investors, government agencies, and the general public, rely on the external auditor to present an unbiased and independent audit report.
Predictive analytics is a form of business analytics applying machine learning to generate a predictive model for certain business applications. As such, it encompasses a variety of statistical techniques from predictive modeling and machine learning that analyze current and historical facts to make predictions about future or otherwise unknown events. It represents a major subset of machine learning applications; in some contexts, it is synonymous with machine learning.
Materiality is a concept or convention within auditing and accounting relating to the importance/significance of an amount, transaction, or discrepancy. The objective of an audit of financial statements is to enable the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in conformity with an identified financial reporting framework, such as the Generally Accepted Accounting Principles (GAAP) which is the accounting standard adopted by the U.S. Securities and Exchange Commission (SEC).
ISA 500 Audit Evidence is one of the International Standards on Auditing. It serves to guide the auditor on obtaining audit evidence through the application of an appropriate mix of tests of control systems and substantive tests of transaction and balances.
Analytical procedures are one of many financial audit procedures which help an auditor understand an entity's business and changes in the business, and to identify potential risk areas to plan other audit procedures. It can also be an audit substantive test involving the evaluation of financial information made by a study of plausible relationships among both financial and non-financial data. Analytical procedures also encompass such investigation as is necessary of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount.
Audit evidence is evidence obtained by auditors during a financial audit and recorded in the audit working papers.
Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
Sampling risk is one of the many types of risks an auditor may face when performing the necessary procedure of audit sampling. Audit sampling exists because of the impractical and costly effects of examining all or 100% of a client's records or books. As a result, a "sample" of a client's accounts are examined. Due to the negative effects produced by sampling risk, an auditor may have to perform additional procedures which in turn can impact the overall efficiency of the audit.
Management assertions or financial statement assertions are the implicit or explicit assertions that the preparer of financial statements (management) is making to its users. These assertions are relevant to auditors performing a financial statement audit in two ways. First, the objective of a financial statement audit is to obtain sufficient appropriate audit evidence to conclude on whether the financial statements present fairly, in all material respects, the financial position of a company and the results of its operations and cash flows. In developing that conclusion, the auditor evaluates whether audit evidence corroborates or contradicts financial statement assertions. Second, auditors are required to consider the risk of material misstatement through understanding the entity and its environment, including the entity's internal control. Financial statement assertions provide a framework to assess the risk of material misstatement in each significant account balance or class of transactions.
Inherent risk, in a financial audit, measures the auditor's assessment at the assertion level of the likelihood that there are material misstatements, either individually or in aggregate, due to error or fraud in a class of transactions, account balance or disclosure before considering the effectiveness of internal control. If the auditor concludes that a high likelihood exist, the auditor will conclude that inherent risk is high.
Detection Risk (DR) is the risk that the auditor will not detect a misstatement that exists in an assertion that could be material, either individually or when aggregated with other misstatements. In other words, the chance that the auditor will not find material misstatements relating to an assertion in the financial statements through substantive test and analysis. Detection risk results in the auditor's conclusion that no material errors are present where in fact there are. It is a component of audit risk.
An entity-level control is a control that helps to ensure that management directives pertaining to the entire entity are carried out. These controls are the second level to understanding the risks of an organization. Generally, entity refers to the entire company.
Audit technology is the use of computer technology to improve an audit. Audit technology is used by accounting firms to improve the efficiency of the external audit procedures they perform.