✓Automated and performed in

large part by computer programs.

✓Source documents, journals, and
ledgers that traditionally were
paper-based are now digitized and
stored in relational databases
 Substantive Testing
❖The third phase of the audit process
focuses on financial data.
❖This phase involves a detailed
investigation of :
✓ specific account balances
✓ transactions.
For example
The auditor selects a sample of accounts receivable
In an IT environment, the data needed to perform
balances and traces these back to their source.
substantive tests
Customers confirmation
• Account balances Data Files
❖to determine if the amount stated is in fact owed by a
• Names and addresses of customers
bona fide customer
Extracted using Computer-Assisted Audit Tools and
Some substantive tests are physical, labor-intensive Techniques (CAATTs) software.
activities,
❖ Such as counting cash, counting inventories in the
warehouse, and verifying the existence.

Organization An organization’s
management is
internal control
required by law to
Establish and Maintain system comprises
an adequate system policies, practices,
of internal control. and procedures
 organization’s internal control system

To achieve four broad objectives: Inherent in these

1. To safeguard assets of the firm control objectives are
2. To ensure the accuracy and reliability of four modifying principles
accounting records and information that guide designers and
3. To promote efficiency in the firm’s auditors of internal
operations
control systems.
4. To measure compliance with management’s
prescribed policies and procedures

1. Management Responsibility
Modifying Principles
1.Management Responsibility This concept holds that
2. Methods of Data Processing the establishment and
maintenance of a
3. Limitations
system of internal
4. Reasonable Assurance control is a management
responsibility

2. Methods of Data Processing
The internal control system
should achieve the four
broad objectives regardless
of the data processing
method used (whether
manual or computer based)
Limitations
b. Circumvention
personnel may circumvent
the system through
collusion or other means
3. Limitations
Every system of internal control has
limitations on its effectiveness:
a. The possibility of error
No system is
perfect
c. Management Override
Management is in a position
to override control procedures
by personally distorting
transactions or by directing a
subordinate to do so. Limitations
 d. Changing conditions 4. Reasonable
Conditions may change
over time so that existing
Assurance
effective controls may This reasonableness
become ineffectual. means that the cost
of achieving improved
control should not
outweigh its benefits
Limitations

▪ To illustrate the limitations

and reasonable assurance
principles
▪ Internal Control System
as a shield that protects
the firm’s assets from
numerous undesirable
events that bombard the
organization.
a. Attempts at unauthorized c. Errors due to employee
access to the firm’s assets incompetence
(including information)

b. Fraud perpetrated by
persons both in and outside
the firm
d. faulty computer
programs
e. Corrupted input data

f. Mischievous acts such as:

-unauthorized access by
computer hackers
-threats from computer
viruses that destroy
programs and databases Absence of or weakness in
controls
 Material weaknesses in
controls, however, increase
The principle of the firm’s risk to financial loss
reasonable assurance, or injury
these control weaknesses
may not be worth fixing

Some weaknesses are

immaterial and tolerable

Preventive Controls
Figure 1.3 illustrates
that the internal Prevention is the first line of defense in
control shield the control structure.
represented in Figure passive techniques designed to reduce the
1.2 actually consists frequency of occurrence of undesirable
of three levels of events.
control: Preventing errors and fraud is far more
a. preventive controls cost-effective than detecting and
b. detective controls correcting problems after they occur.
c. corrective controls
The vast majority of undesirable events can
The PDC Model be blocked at this first level.
 MYOB
MYOB
❖ Forces the
❖ Well data entry
clerk to
designed
enter the
data entry required data

❖Permit only ❖ Prevents

specific necessary
types of data from
data being omitted

Detective Controls - is the second line of defense

devices, techniques,
and procedures When the detective
designed to identify control identifies a
and expose (reveal departure from
specific types of standard, it sounds an
errors) undesirable alarm/attention
events that elude
preventive controls.
What is the important
distinction between Corrective Controls
detective controls and
❖Corrective actions must be
corrective controls
taken to reverse the
effects of detected errors.

Detective controls identify undesirable For any detected error, there may be
events and draw attention to the MORE than ONE feasible corrective
problem; action, but the best course of action
WHILE… may not always be obvious
Corrective controls actually fix the
problem.
 they may not be

▪ First inclination may have been to change the total ❑ The PDC control model is conceptually pleasing
value from $1,000 to $100 to correct the problem but offers little practical guidance for designing
(This presumes that the quantity and price values in the or auditing specific controls.
record are correct)
❑ The current authoritative document for
At this point, we cannot determine the real cause of the problem; we know
only that one exists. specifying internal control objectives and
Linking a corrective action to a detected error, as an automatic response, may techniques is the Statement on Auditing
result in an INCORRECT ACTION that causes a worse problem than the original Standards No. 109, which is based on the
error.
COSO framework.
For this reason, error correction should be viewed as a separate
control step that should be taken cautiously.