The Rabbit Hole of Substantive Testing

For decades now, audit firms, especially small firms, or SMPs, as they are known nowadays, have insisted on the substantive approach, without any regard for controls. This was due to fears of blowing the budget, not knowing how to audit systems, or deciding that they would have to go substantive anyway, when controls prove to be ineffective. The result was that the audit client received less bang for their buck, in that feedback on system weaknesses was shoddy, and risks were not properly identified, as the requirements of ISA315 were interpreted as that one could not look at controls when assessing risk, while the words, ‘risk assessment’, and ‘understanding controls’ appeared in the same sentence in the standard.

This was accepted by clients and the regulator alike, as nobody understood the requirements anyway. With the increase in automated and computerised systems in even small businesses, however, the chickens have come home to roost because, all along, there has been the following sneaky requirement in ISA315 that everybody ignores:

‘When substantive audit procedures alone do not provide sufficient and appropriate evidence, you HAVE to test the operating effectiveness of controls.’

Yet, hardly anybody assesses whether their substantive test results are positive, even when they have only tested 30 items out of three million. Imagine assessing the revenue of Checkers by a sample of till slips. The same maxim may be adhered to by small audits. Automated controls require very little testing, their results span the entire population, and the client receives relevant feedback from the audit.

SMPs need to become focused on IT controls, and how to interpret large datasets, as the proper approach to address them, and to apply the correct tools and experts, will most probably increase the level of comfort and evidence obtained, while being more efficient and budget friendly.