Introduction to

cycles & procedures

Nkuhlu Department of Accounting
 CYCLES OUTLINE
Each cycle:
1. Basic functions
2. Source documents ASSUMED KNOWLEDGE:
PRE-READING!
3. Control activities per function

+ Computerisation

4. Auditing the cycle

- Important accounting aspects
- Test of controls
- Substantive procedures (per assertion)
Control activities/ techniques (𝑺𝟓 𝑪𝟑 RAM)
• Supervision
• Segregation of duties
• Staff practices & description of duties
• Stationery control & document design
• Signatures (Isolation of responsibility)
• Comparisons
• Control accounts
• Custody/access of assets (physical safeguarding)
• Reconciliations & review
• Authorisation
• Management control / oversight

3
Responses to assessed risks

4
Responses to assessed risks

1. Where are we in the audit process?

2. Which key terms do we need to know?

3. What is our auditor’s responsibility and related objective?

4. How do we achieve our objective?

5. Roadmap: The Types of Procedures and Related Practical examples

5
1. WHERE ARE WE IN THE AUDIT PROCESS?

STAGES FURTHER AUDIT PROCEDURES

Obtain sufficient appropriate audit evidence

AUDIT PROCESS / STAGE 3

Execution:
Design and implement appropriate responses to
assessment risk of material misstatements

6
2. WHICH KEY TERMS DO WE NEED TO KNOW?

Test → The application of procedures to some or all items in a population.

→ The entire set of data from which a sample is selected and about
Population which the auditor wishes to draw conclusions.

Sample → A portion of a population selected for examination and testing to

provide evidence regarding the entire population.

Test of controls → An audit procedure designed to evaluate the operating

effectiveness of controls in preventing, or detecting and
correcting, material misstatements at assertion level.

→ An audit procedure designed to detect material misstatements at

Substantive procedure the assertion level. Substantive procedures comprise:
a. Substantive analytical procedures; and
b. Test of details.

7
3. WHAT IS OUR RESPONSIBILITY AND RELATED OBJECTIVE?

Auditor’s responsibility

1. Design responses to the risks of material 2. Implement responses to the risks of material
misstatement AND misstatement

Are you able to recall WHY we did what we did in planning regarding RoMM?

Auditor’s objective
Obtain sufficient appropriate audit evidence regarding the assessed risks of material
misstatements, through:
1. Designing responses to the risks of material 2. Implementing responses to the risks of
misstatement AND material misstatement

NB: This entire process is to ensure that we address the assessed RoMM!!!

8
4. HOW DO WE ACHIEVE OUR OBJECTIVE?

In order to achieve our objective, we are required to:

• Design and implement overall responses

→ Concerned with addressing RoMM at F/S level.

• Document
• Design and perform the nature, timing & extent of further audit procedures
→ Concerned with addressing RoMM at assertion level.

• Evaluate the sufficiency and appropriateness of audit evidence

→ Concerned with addressing RoMM at assertion level.

• Perform audit procedures to evaluate the adequacy of presentation of the F/S

→ Concerned with the overall presentation.

9
Audit of financial statements

IDENTIFY RISKS
A. Risks at overall financial statement level
B. Risks at account/assertion level

RESPOND TO RISKS
A. Risks at overall financial statement level
• ISA 330, para 5 and A1-A3:
- Professional skepticism, experienced staff, experts, supervision, review etc.

B. Risks at account/assertion level

• Design and performance of further audit procedures:
- Tests of controls
- Substantive procedures (analytical procedures and/or tests of detail)
- Combination TOC and SP.

10
Audit of financial statements

How does an auditor respond to risks?

NB: The auditor should remain alert to the volatility, uncertainty, complexity
as well as the ambiguity (VUCA) arising from the substantial use of
technology. Furthermore he/she should critically apply his/her mind and
identify the linkage between risks when formulating responses to the
assessed risk. SAICA CA 2025

11
Responses to assessed risks

First response
• Design/plan audit procedures.

The audit plan includes a description of the following:

• Nature, timing and extent of planned risk assessment procedures, as determined
under ISA 315 revised.
• Nature, timing and extent of planned further audit procedures at the assertion
level, as determined under ISA 330.
• Other planned audit procedures that should be carried out to ensure that the
engagement complies with ISAs.

The audit plan (especially, audit approach) sets out the nature, timing and
extent of audit procedures (TOC and SP) that will need to be performed
to address the assessed ROMM at assertion level.

12
Responses to assessed risks

IMPORTANT
The nature of an audit procedure
= its purpose (i.e. TOC or SP)
= its type (inspection, inquiry, confirmation, recalculation, reperform, or AP)

The timing of an audit procedure

= when the procedure will be performed:
• Interim (before year end); or
• At year end; or
• After year end; or
• Early verification just before year end, with roll-forward procedures at year end;
or
• Both in the interim and year end
The extent of an audit procedure
= the quantity if procedures performed (strong CE – more TOC & AP, fewer TOD)

13
Responses to assessed risks

IMPORTANT

The approach that the auditor follows is governed by:

• The necessity to place reliance on the controls;

• The possibility of placing reliance on the controls; and
• The desirability of relying on the controls.

14
Responses to assessed risks

Tests of control (think 𝑺𝟓 𝑪𝟑 RAM ) Substantive procedures

Nature Necessity Necessity

Examples of when it is necessary/required to Examples of when it is

test controls:
• IT environment (ISA 330, A24)
• No document/record is
produced/maintained (ISA 330, A24)
• Changes affect the continuing relevance
of audit evidence from prior years (ISA
330, 14(a))
• At least once in every 3rd audit, if there
were no changes that will affect the audit
evidence obtained in prior years (ISA 330,
14(b))
• Auditor plans to rely on controls over
significant risk (ISA 330, 15)
necessary/required to do
substantive procedures:
• ROMM at assertion level is a
significant risk (ISA 330, 21); or
• Each material class of
transaction, account balance,
and disclosure (ISA 330, 18)
Consider the combination of:
• Test of detail;
• Test of year-end balances; and
• Analytical procedures

15
Responses to assessed risks

Tests of control (think 𝑺𝟓 𝑪𝟑 RAM ) Substantive procedures

Nature Possibility
• Consider whether it is possible to place
reliance on the controls.

Desirability
• Controls are effective in the current year,
TOC might be reduced in future years
(consider necessity first)
• Gives feedback that adds value and cheaper
to test controls (win-win)
Timing Particular time or throughout the period, for • At and after year end; or
which planning to place reliance on controls. • Early verification with roll-
forward procedures; or
• Interim and at year end (ISA
330, 22)

16
Responses to assessed risks

Tests of control (think 𝑺𝟓 𝑪𝟑 RAM ) Substantive procedures

Extent Strong control environment Strong control environment

- Perform more tests of control - Perform less test of detail, and
more analytical procedures.

Weak control environment Weak control environment

- If it is necessary to test controls, then perform - Perform more tests of detail, and
less tests of controls. less analytical procedures.

17
Responses to assessed risks

NB to note:
• It is not possible to develop an audit strategy and audit plan without proper
understanding of the entity and its environment.
• The auditor will only test a control when there is an expectation that it is operating
effectively. If the auditor already knows that the control is not working effectively,
or that there is a weakness in the design or implementation, there is no point in
testing the control.
• Procedures to obtain audit evidence are very important (refer to annexure).
• TOC have to be conducted at various times during the financial year under audit,
to gain evidence that the controls were functioning effectively over a period of
time.
• Irrespective of the assessed ROMM, the auditor shall design and perform SP for
each material class of transaction, account balance and disclosures (ISA 330, 18
and A42). TOC alone do not provide sufficient appropriate audit evidence.
• When ROMM at assertion level is a significant risk (ISA 330, 21), the auditor must
perform SP (which must include TOD).
• An effective audit plan involves a combination of TOC and SP. It also includes a
mixture of different types of tests.

18
Responses to assessed risks

ISA 500 para. 4 states that “the objective of the auditor is to design and perform
audit procedures in such a way as to enable the auditor to obtain sufficient
appropriate audit evidence to be able to draw reasonable conclusions on which to
base the auditor’s opinion”.

What is sufficient appropriate audit evidence?

• Audit evidence is information used by the auditor in arriving at the conclusions on
which to base the auditor’s opinion. It includes information obtained from various
such as accounting records, and info obtained from other sources.

Sufficient audit evidence refers to (ISA 500, 5):

• Measure of the quantity of audit evidence (how much?);
• Quantity of the audit evidence is affected by the auditor’s assessment of ROMM and by the
quality of such audit evidence.

19
Responses to assessed risks

ISA 500 para. 4 states that “the objective of the auditor is to design and perform
audit procedures in such a way as to enable the auditor to obtain sufficient
appropriate audit evidence to be able to draw reasonable conclusions on which to
base the auditor’s opinion”.

What is sufficient appropriate audit evidence?

Appropriateness of the audit evidence (ISA 500, 5):
• Measure of the quality if audit evidence, its reliability and relevance in providing
support for the conclusions for auditor’s opinion;
• Relevance: evidence obtained is relevant to the assertion being tested (direction
of testing is important) (ISA 500, A31-A34). E.g. selecting purchase invoices and
following them through to the accounting records, will provide audit evidence for
the completeness assertion, but not for the occurrence assertion.
• Reliability: source and nature of the audit evidence (ISA 500, A35-A38). E.g.
evidence obtained from independent 3rd party (external) may be considered more
reliable than evidence provided by the client (internal).

20
Responses to assessed risks

ISA 500 para. 4 states that “the objective of the auditor is to design and perform
audit procedures in such a way as to enable the auditor to obtain sufficient
appropriate audit evidence to be able to draw reasonable conclusions on which to
base the auditor’s opinion”.

How is sufficient appropriate audit evidence obtained?

Audit evidence is obtained through (ISA 500, A14):
• Risk assessment procedures; and
• Further audit procedures consisting of:
• Tests of control; and
• Substantive procedures (TOD and AP)

21
AUDIT PROCEDURES

TEST OF CONTROL OBJECTIVES

➢ Validity/Accuracy/Completeness

SUBSTANTIVE AUDIT OBJECTIVES

➢ To verify “assertion” of “account balance/class of transaction/disclosure”

❑ Assertions:

o Balance – CCERV

o Transaction – COCCA

Proper formulation of procedures (NB) :

➢ VERB (how? – procedure to obtain audit evidence)
➢ SOURCE (what/who? – consider source documents/personnel per cycle)
➢ REASON (why? )

22
Procedures to obtain audit evidence

23
 Auditing a cycle

Client has: Audit objective: Audit

procedure:

• Control • ToC = VAC • ToC

• CoT / • SP = • SP (AP/TOD)
Balance / assertions
Disclosure

24
TOC vs SP

Tests of controls (think 𝑺𝟓 𝑪𝟑 RAM ):

These are procedures performed to test the functioning of the client’s
accounting and internal controls, namely whether the controls were:
• functioning effectively
• throughout the period of reliance.

Substantive procedures:
These are procedures to test the assertions of the financial
statements.
It relates to the testing of the amounts and disclosure in the financial
statements.
➢ Test of detail
➢ Analytical procedures

25
CAATs

“The use of audit software” section in each cycle chapter.

Using CAATs “Select a sample…”

Stratify population…
Sequence testing/duplications…
Compare…
Extract…

26
A little fun….

When documenting procedures, it is important that our procedures are

detailed enough so that an independent third party is able to perform the
procedure without asking any more questions (i.e. follow instructions to get
to the same answer you would get to).

In order to demonstrate the importance of documenting procedures

sufficiently, watch the video in the link and I hope you have as good a laugh
as I did ☺
https://www.youtube.com/watch?v=Ct-lOOUqmyY
SAMPLING

28
Sampling

Principles of sampling
• An auditor can seldom test/examine every item in a population (e.g. high
volumes of transactions in sales – cannot examine all sales invoices) –
auditing everything here will not be time or resource efficient.
• There are populations where all “items” can be audited (e.g. all loans to
directors, and all minutes of shareholders/directors’ meeting will be
inspected).
• ISA 530 – audit sampling requires that when designing audit procedures,
the auditor should determine appropriate means for selecting items for
testing to gather sufficient appropriate audit evidence to draw reasonable
conclusions on which to base auditor’s opinion.
• Remember, results obtained from auditing a sample of items, will not be
the only evidence gathered about the population being audited. Evidence
obtained from audit procedures (TOC or AP), will corroborate the
evidence gained from the sampling procedures.

29
Sampling

Principles of sampling
• Results of the tests on a sample must be extrapolated over the
population as a whole.
• As the auditor forms an opinion on the population, it is of little use to
conclude that “we only found three errors in the sample, so there is no
problem”.
• The question to ask is “how many errors are there in the entire
population?” The methods of extrapolating the sample results over the
population will vary depending on whether statistical or non-statistical
sampling has been carried out.
• Where statistical sampling has been used, the extrapolation will be more
defendable than where the auditor has used some judgmental process to
extrapolate.

30
Sampling

Definitions
• Audit sampling – involves applying audit procedures to less than 100%
of the items within a population of audit relevance such that all sampling
units have a chance of selection to provide the auditor with a reasonable
basis on which to draw conclusions about the entire population.
• Anomaly – a misstatement/deviation that is not representative of
misstatements/deviations in the population.
• Population – the entire set of data from which a sample is selected and
the auditor wishes to draw conclusions.

31
Sampling

Definitions
Sampling risk – the risk that the auditor’s conclusion based on a sample
may be different from the conclusion that would be reached if the entire
population were subjected to the same audit procedure.
There are two types of sampling risk:
• The risk that the auditor will conclude, in the case of TOC, that controls
are more effective than they are, or in the case of TOD, that a material
misstatement does not exist when it in fact does. The auditor is primarily
concerned with this type of erroneous conclusion because it affects audit
effectiveness and is more likely to lead to an inappropriate audit opinion,
and
• The risk that the auditor will conclude, in the case of TOC, that controls
are less effective than they are, or in the case of TOD, that a material
misstatement exists when it does not. This erroneous conclusion affects
audit efficiency because it will lead to additional audit work being carried
out to establish that the initial conclusion was incorrect.

32
Sampling

Definitions
• Non-sampling risk – is the risk that the auditor arrives at, an erroneous
conclusion for any reason not related to sampling risk. E.g. because s/he
has applied her/his sampling plan incorrectly, adopted an inappropriate
procedure or misunderstood the results of her/his sampling exercise.
• Sampling unit – individual items constituting a population.
• Statistical sampling – any approach to sampling that has the following
characteristics:
• Random selection of a sample, and
• Use of probability theory to evaluate sample results, including
measurement of sampling risk.
A sampling approach without these characteristics is considered non-
statistical sampling.

33
Sampling

Definitions
• Stratification – the process of dividing a population into subpopulations,
each of which is a group of sampling units that have similar
characteristics (often monetary value). E.g. debtors balance from R0 to
R10 000, R10 001 to R25 000, R25 001 to R50 000.
• Tolerable rate of deviation – a number/percentage of deviations from prescribed
internal control procedures set by the auditor. The auditor seeks to obtain an
appropriate level of assurance that actual deviations do not exceed the
number/percentage set by the auditor in the population.
• Tolerable misstatement – a monetary amount set by the auditor in respect of
which the auditor seeks to obtain an appropriate level of assurance that the
monetary amount set by the auditor is not exceeded by the actual misstatement in
the population.

34
Sampling

Tests of control and sampling

• After obtaining understanding of the accounting and internal control

systems, the auditor will be able to identify the characteristics or
attributes that indicate the performance of a control procedure.
• E.g. the signature of the credit controller on a customer order indicating
credit approval.
• Once the indicators have been identified, the auditor can test the control
by extracting a sample from the entire population of customer orders and
inspecting the authorizing signature.

35
Sampling

Tests of control and sampling

• NB: clear about what evidence a test is providing.

• E.g. the above test will only provide evidence of orders which did not
contain the credit controller’s signature and therefore may have been
processed without the approval of the credit controller.
• The test will, however, not indicate whether the credit controller
considered the customer’s creditworthiness before approving the order.
• Whether the credit controller is actually performing the control will
probably be best established by investigating whether the customer
subsequently paid, and that payment was made on time.

36
Sampling

Substantive procedures and sampling

• Substantive procedures are concerned with balances and amounts.

• Sampling may be used to gather evidence about one or more assertions
relating to the balance or amount, or to make an independent estimate
(projection) of some amount.
• E.g. a sample of debtors may be selected for positive verification to
obtain evidence about the existence of debtors, or, using an appropriate
sampling plan, the total value of inventory, based upon a sample
selected, may be projected for comparison with the value represented by
the directors in the FS.

37
Sampling

Statistical vs non-statistical approach

• The decision to use either or of the approach, is a matter of professional

judgment.
• These approaches are not mutually exclusive, certain aspects of
statistical sampling may be used when performing a non-statistical
sampling.
• E.g. the sample size may be decided upon on a judgment basis (non-
statistical approach) but the items to be selected may be chosen using
computer-generated random numbers (statistical approach).
• Valid statistically based evaluation of the sampling results can only take
place where all the characteristics of statistical sampling have been
adopted; e.g. sample size, selection of items, extrapolation, and
evaluation, are properly applied in terms of probability theory.

38
Sampling

Steps in the sampling exercise

• Decide whether it will be statistically or non-statistically based.
• Professional judgment will guide the above but will be based on the level
of assurance required by the auditor, the skills and time available, and
the “defensibility” of the results the auditor might require.
• Regardless of this decision, the steps to be taken remain broadly the
same.

39
Sampling

Steps in the sampling exercise

1. Determine the objectives of the procedures – TOC or SP.
2. Determine the procedures to be performed – error condition (deviation or
misstatement).
3. Confirm that the population is appropriate and complete – all units in the
population must be available for selection (completeness test NB).
4. Define the units of the population – better to have a numbering system
identifying each unit of the population.
5. Determine the sample size – depends on professional judgment.
• Non-statistical sampling – sample size depends on professional judgment only.
• Statistical sampling – professional judgment is applied to a formula and sample size
selected:
• Confidence levels; tolerable misstatement/deviation; expected misstatement/
rate of deviation; and population size.

40
Sampling

Steps in the sampling exercise

6. Select the sample – after determining sample size above, can use the
following to select the sample:
• Random sampling; systematic sampling, haphazard sampling, block sampling; or
monetary unit sampling.

7. Perform the audit procedure – TOC or SP.

8. Analyse the nature and cause of the deviations or misstatements – nature
and cause:
• Anomaly – isolated or unique.
• Error – discrepancies or mistakes.

9. Project the sample results across the population – anomaly, don’t project.
Error project using formula in statistical sampling. Error project using
judgment.
10. Conclude – evidence obtained is persuasive rather than conclusive.

41