Ch 5: Evidence, Testing, and Sampling

Unit 4 — Audit Evidence and Procedures · Lesson 5 of 6

Study Notes

6 articles in this lesson

1

Audit Documentation and Working Papers That “Stand Up”

Learning objectives

By the end of this chapter you should be able to:

  • Explain how audit documentation supports audit quality, accountability, and the ability to defend conclusions in both exam scenarios and practice.
  • Build a “stand-up” working paper that links the objective, work performed, evidence, results, and conclusion in a way another auditor can reperform.
  • Apply good file hygiene: clear indexing, cross-referencing, consistent naming, version control, timely sign-off, and disciplined handling of review notes.
  • Document professional judgement clearly, including alternatives considered and why they were rejected.
  • Produce exam-ready documentation that is complete, concise, and logically presented, including the assembly and retention of the final file.

Overview & key concepts

Audit documentation is the recorded story of the audit: why a procedure was needed, what was done, what evidence supports the outcome, what exceptions were found, and how the conclusion was reached. Strong documentation does not change the financial statements by itself. It supports the auditor’s opinion and supports (or explains) any proposed adjustments arising from audit work.

A well-built audit file creates a reliable audit trail: a clear route from a financial statement caption (for example, revenue or trade receivables) to the underlying records and independent evidence, and back again. In an exam setting, your working papers must show that you understand the relevant assertions (such as cut-off, valuation, and completeness) and that your conclusions follow from the evidence.

Audit documentation

Audit documentation captures the audit’s output: the tests carried out, the evidence relied upon, the key findings (including exceptions), and the conclusion drawn.

It should make the work reviewable and defensible. Someone competent who was not part of the audit team should be able to follow the story of the file: what risk was addressed, what was done, what evidence supports the result, and how that result led to the conclusion. If a paper cannot be followed without the preparer explaining it, it is not “stand-up” documentation.

Working papers

A working paper is a single file item (or worksheet) covering one area or one procedure. A good working paper is self-contained: it states the objective, shows the work, points to the evidence, records exceptions, and closes with a clear conclusion.

Audit trail

An audit trail is the traceable path linking:

  • the numbers in the financial statements,
  • the entity’s accounting records, and
  • the supporting evidence (internal and external).

A strong audit trail makes it easy to reperform the work and reduces the risk of unsupported conclusions.

Indexing and cross-referencing

  • Indexing is the reference system used to locate working papers quickly (for example, “B1 Cash” or “R3 Revenue cut-off”).
  • Cross-referencing connects related documents (for example, the revenue cut-off test cross-referenced to the receivables lead schedule and the proposed adjustment summary).

Professional judgement

Professional judgement is the reasoned decision-making applied where there is more than one acceptable approach. In documentation, judgement must be visible: the issue, the options considered, the factors weighed, the decision, and the impact on the audit conclusion.

Core theory and frameworks

Building a stand-up working paper

A stand-up working paper should read logically from top to bottom:

  1. Objective: What you are trying to prove or disprove, usually expressed in terms of an assertion and the risk being addressed.
  2. Procedure (work performed): What you did, in enough detail that another auditor could repeat it.
  3. Evidence: What you relied on and where it sits in the file (or how to retrieve it). Record the source and the date obtained.
  4. Results and exceptions: What you found, including errors, unusual items, and unresolved points.
  5. Conclusion: A short, specific conclusion linked to the objective, including whether an adjustment is required and whether further work is needed.

Common exam weakness: conclusions that repeat the objective (“revenue is correct”) without showing what the evidence demonstrated and what the implication is.

File structure and organisation

A usable file is organised so that a reviewer can navigate quickly:

  • Permanent section: information expected to be relevant across multiple years (for example, background on the business, system descriptions, significant contracts).
  • Current-year section: planning, risk assessment, testing, completion, finalisation.

A practical folder structure is often grouped by phases (planning → risk → testing → completion), with working papers arranged by financial statement area inside each phase.

One working paper, one purpose. If a document contains multiple unrelated tests, it becomes difficult to review and easy to miss exceptions.

Evidence handling and data hygiene

Evidence quality and data discipline affect whether your work “stands up”:

  • Naming conventions: use consistent, searchable names that show date, area, source, and version (for example, 2025-12-31_BankStmt_MainAcct_BankPortal_v1).
  • Source and date: record where the evidence came from and when it was obtained (client portal, third party, system report).
  • One source of truth: avoid uncontrolled duplication; reference the authoritative file location.
  • Confidentiality: restrict access to sensitive data; avoid including unnecessary personal data in working papers.
  • Edits and versions: keep version history clear; do not overwrite without retaining the audit trail of changes.

Review workflow and closing notes

Review notes demonstrate quality control and must be handled professionally:

  • Raising notes: reviewers should be specific: what is missing or unclear, and what outcome is expected.
  • Responding: preparers should document what was done, attach the new evidence, and state how the note is resolved.
  • Closure: final sign-off should show preparer and reviewer, with dates. Open notes must not remain at file lock.

Documenting professional judgement

When judgement is involved, document it in a structured way:

  • Issue: what decision was required?
  • Options: what alternatives were available?
  • Factors: what evidence and considerations mattered (risk, reliability of evidence, size, sensitivity)?
  • Decision: what was chosen and why?
  • Impact: effect on procedures, conclusions, and any proposed adjustment.

Keep it concise. The aim is clarity, not volume.

Exam and practice anchors (high-level)

Strong documentation usually shows, at a minimum:

  • who prepared the working paper and when, and who reviewed it and when;
  • the significant matters identified, and how they were resolved or concluded on;
  • the key judgements made and what evidence supported them;
  • clear finalisation: the file is assembled promptly after completion, and retained under the firm’s policies and applicable regulation (retention periods vary by jurisdiction and firm policy).

Worked example

Narrative scenario

You are auditing a mid-sized manufacturing company, ABC Ltd, with a year-end of 31 December 2025.

During the audit, the following matters arise:

  • Opening balance for trade receivables is £250,000.
  • Sales revenue for the year is £1,775,000.
  • A sales invoice for £50,000 is dated 28 December 2025, but the related goods were dispatched on 3 January 2026.
  • A bank reconciliation shows a difference of £5,000 caused by an unrecorded bank charge.
  • The inventory count identifies £10,000 of goods that are damaged and require a write-down.
  • A VAT refund of £15,000 is due from the tax authority at the year-end but has not yet been received.
  • New machinery costing £149,000 was acquired and financed by a bank loan.
  • Payroll records show total payroll cost of £500,000, with £50,000 unpaid at the year-end.
  • A trade receivable of £20,000 is in dispute and is considered unlikely to be collected.
  • A review note queries the absence of sensitivity analysis in the going concern assessment.

Required

  1. Prepare a working paper for the sales invoice dated 28 December 2025 (cut-off).
  2. Reconcile and document the bank statement discrepancy.
  3. Document the inventory count discrepancy and required adjustment.
  4. Explain the VAT refund’s impact on the year-end position and cash flow.
  5. Assess the impact of the disputed receivable on the financial statements.
  6. Document and resolve the review note on sensitivity analysis for going concern.

Solution

1) Revenue cut-off working paper (invoice dated 28 December 2025)

Index: R3 – Revenue cut-off (Dispatch after year-end)

Objective: To confirm revenue is recognised in the correct period and that trade receivables at 31 December 2025 are not overstated (cut-off / occurrence).

Work performed (procedure)

  • Obtained the sales invoice dated 28 December 2025 for £50,000 and traced it to the sales ledger entry.
  • Obtained dispatch documentation and verified the dispatch date.
  • Evaluated whether dispatch is an appropriate point of transfer for recognising revenue for this sale by considering delivery terms (for example, whether the entity’s obligation is satisfied on dispatch or on delivery), supported by dispatch evidence and the entity’s usual shipping arrangements.
  • Confirmed dispatch occurred on 3 January 2026, after the year-end.

Evidence

  • Sales invoice: SI20251228 (£50,000).
  • Dispatch note / delivery record: DN20260103.
  • Sales ledger extract showing posting date and customer account: SL_R3.
  • Shipping terms reference (order confirmation / standard terms): ST_R3.

Results / exceptions

  • Invoice posted in December 2025, but dispatch was 3 January 2026.
  • Revenue and trade receivables are overstated at 31 December 2025 by £50,000.

Proposed adjustment (journal entry): To reverse the premature recognition:

  • Dr Revenue (Sales) £50,000
  • Cr Trade receivables £50,000

If the entity’s system separates dispatch/delivery and invoicing, the correction may be presented via deferred income/contract liability or other timing accounts. The audit point is that revenue and the related asset must not be recognised before the performance obligation is satisfied.

Conclusion: Revenue and receivables are overstated by £50,000 due to a cut-off error. Adjustment required to recognise the sale in 2026 when the performance obligation is satisfied.

Accounting equation impact (of proposed adjustment)

  • Assets: Trade receivables decrease £50,000
  • Income: Revenue decreases £50,000
  • Equity: Retained earnings decreases £50,000 (via reduced profit)

2) Bank reconciliation discrepancy (unrecorded bank charge)

Index: B1 – Cash and bank (Year-end reconciling items)

Objective: To confirm the cash and bank balance is stated correctly and reconciling items are valid (existence / accuracy).

Work performed (procedure)

  • Agreed the bank statement closing balance to the bank reconciliation.
  • Compared reconciling items to subsequent clearing on the bank statement where applicable.
  • Identified a £5,000 bank charge shown on the bank statement that is not recorded in the ledger.

Evidence

  • Bank statement to 31 December 2025: BS20251231.
  • Cashbook / ledger extract: CB20251231.
  • Bank reconciliation prepared by client: BR20251231.

Results / exceptions

  • Bank charge of £5,000 appears on bank statement; no corresponding ledger entry.

Proposed adjustment (journal entry)

  • Dr Bank charges expense (operating expense) £5,000
  • Cr Bank (cash) £5,000

Conclusion: Cash is overstated by £5,000 and operating expenses understated by £5,000 unless adjusted.

Accounting equation impact (of proposed adjustment)

  • Assets: Cash decreases £5,000
  • Expenses: Increase £5,000 (reducing profit)
  • Equity: Retained earnings decreases £5,000

3) Inventory count discrepancy (damaged goods requiring write-down)

Index: I2 – Inventory valuation (Damage / write-down)

Objective: To confirm inventory is not overstated at year-end and is carried at an appropriate value (existence / valuation).

Work performed (procedure)

  • Reviewed inventory count records and investigated the variance relating to damaged goods.
  • Inspected evidence of damage (photos / warehouse report where available).
  • Compared cost to expected recoverable amount; concluded the items require a write-down of £10,000.
  • Confirmed the write-down relates to goods included in the year-end count.

Evidence

  • Inventory count sheets: IC20251231.
  • Warehouse/quality report on damaged items: WH_DMG_202512.
  • Inventory valuation listing showing affected lines: IVL_I2.

Results / exceptions

  • Damaged goods included in inventory require a reduction in carrying value of £10,000.

Proposed adjustment (journal entry): Common presentation is either within cost of sales or as a separate inventory write-down expense:

  • Dr Cost of sales (or Inventory write-down expense) £10,000
  • Cr Inventory £10,000

Conclusion: Inventory is overstated by £10,000 unless adjusted. The adjustment reduces profit for the year.

Accounting equation impact (of proposed adjustment)

  • Assets: Inventory decreases £10,000
  • Expenses: Increase £10,000 (reducing profit)
  • Equity: Retained earnings decreases £10,000

4) VAT refund (amount due but not yet received)

Index: T1 – Indirect tax (VAT control and year-end position)

Year-end position (mechanics): VAT is typically recorded through a VAT control (or similar) account, where output VAT (on sales) and input VAT (on purchases) are accumulated and netted. At the reporting date, the VAT control position will normally be:

  • a net receivable (current asset) if recoverable from the tax authority, or
  • a net payable (current liability) if owed.

A refund due of £15,000 at 31 December 2025 indicates a net VAT receivable at year-end (assuming it is valid and recoverable).

Evidence (what would be filed)

  • VAT return / VAT control reconciliation for the period end showing the net refund position.
  • Tax authority portal screenshot or correspondence confirming the submitted claim or stated balance.
  • Subsequent receipt testing (if received after year-end): bank statement entry agreeing to £15,000 and trace to clearing of the VAT balance.

Presentation / reclassification: If the trial balance already shows a net VAT receivable balance, there may be no journal required—only audit evidence that the receivable exists and is recoverable.

If the VAT balance is sitting in the wrong place (for example, shown as a payable when it should be a receivable), the correction is typically a reclassification within current assets/liabilities, not a profit adjustment.

Profit impact (tight exam wording): VAT should not normally be recognised as income or expense for a VAT-registered entity acting as a collecting agent. A profit impact arises only if VAT has been incorrectly posted to income or expense lines (for example, grossing up sales or expenses incorrectly), in which case the correction depends on the underlying posting error.

Cash flow impact

  • There is no cash inflow at year-end because the refund is not yet received.
  • Cash increases by £15,000 when received in the subsequent period.
  • At 31 December 2025, the entity reports a VAT receivable (asset) of £15,000.

5) Disputed receivable (likely uncollectible)

Index: R5 – Trade receivables valuation (Specific impairment)

Objective: To confirm trade receivables are stated at an amount expected to be collected (valuation).

Work performed (procedure)

  • Identified the disputed balance of £20,000 and obtained correspondence supporting the dispute.
  • Considered payment history and current status of the dispute.
  • Reviewed any subsequent cash receipts after year-end (if available).
  • Concluded collection is unlikely; a full specific allowance is appropriate unless compelling recovery evidence exists.

Evidence

  • Aged receivables listing: AR_AGED_20251231.
  • Dispute correspondence / legal letter: AR_DISP_20K.
  • Subsequent receipts review (if available): AR_SUBREC_JAN26.

Proposed adjustment (journal entry): To recognise a specific allowance (impairment) against trade receivables:

  • Dr Impairment loss on receivables (operating expense) £20,000
  • Cr Allowance for doubtful debts (contra-asset) £20,000

Conclusion: Receivables are overstated by £20,000 unless an allowance is recognised. Profit is overstated by £20,000.

Accounting equation impact (of proposed adjustment)

  • Assets: Net trade receivables decrease £20,000 (via allowance)
  • Expenses: Increase £20,000 (reducing profit)
  • Equity: Retained earnings decreases £20,000

6) Review note completion: going concern sensitivity analysis

Index: C3 – Going concern (Model review and sensitivities)

Linked note: RN-07 (Completion review notes log)

Review note (raised by reviewer)

RN-07: Sensitivity analysis not evidenced in going concern assessment. Please document management’s base case and at least one downside scenario, including the impact on cash headroom and covenant compliance, and conclude whether going concern remains appropriate.

  • Raised by: Reviewer (initials)
  • Date raised: (date)
  • Target paper: C3 Going concern memo

Management information requested and obtained

Objective: To obtain sufficient evidence that management has assessed going concern using reasonable assumptions and that the conclusion is supported, including consideration of downside scenarios.

Work performed (procedure)

  • Obtained management’s going concern assessment and cash flow forecast covering at least 12 months from the reporting date.
  • Confirmed the forecast is internally consistent (opening cash agrees to bank reconciliation, payroll and major cost lines agree to records, debt repayments agree to loan schedules).
  • Identified key assumptions (sales volume, gross margin, collection period, input costs, and timing of major payments).
  • Requested management’s sensitivity analysis. Where not prepared, performed auditor-run sensitivities on the model and discussed results with management.

Evidence

  • Management cash flow forecast and assumption pack: GC_Model_v2.
  • Loan agreement and repayment schedule: Loan_Sched_C3.
  • Covenant calculation support (if applicable): Cov_Calc_C3.
  • Minutes/emails confirming management approval of forecast: GC_Mgmt_Approval.

Sensitivity analysis (documented)

Base case summary (management)

  • Forecast shows positive cash headroom throughout the period and no covenant breaches.

Downside scenarios (example sensitivities documented)

  • Scenario 1: Revenue 10% below base case for the first 6 months; gross margin unchanged.
  • Scenario 2: Customer receipts delayed by 15 days across the forecast period (working capital stress).

Results (what the model shows)

  • Scenario 1: Headroom reduces but remains positive; no covenant breach noted.
  • Scenario 2: Lowest cash headroom occurs in (month), but remains above the minimum facility buffer; no covenant breach noted.

Auditor evaluation and conclusion

  • Considered whether the sensitivities selected reflect realistic downside risks given the business and current trading conditions.
  • Evaluated management actions (if needed) for plausibility and whether they are within management control (for example, deferring discretionary spend vs. raising new finance).
  • Considered whether disclosures are adequate, and whether the auditor’s report would require emphasis or modification depending on the presence of a material uncertainty.
  • Concluded whether there is (i) no material uncertainty, (ii) a material uncertainty requiring disclosure, or (iii) an inappropriate going concern basis (rare), based on the evidence obtained.

Conclusion (example): Sensitivity analysis has been obtained/performed and documented. Under tested downside scenarios, the entity maintains sufficient liquidity headroom and remains within covenant limits. Going concern basis remains appropriate. No material uncertainty identified based on the evidence reviewed.

Review note closure

  • Preparer response: Completed. Evidence added to C3 and linked.
  • Closed by reviewer: (initials)
  • Date closed: (date)

Pulling the adjustments together (overall effect)

If the proposed adjustments are processed (and assuming each item was originally recorded incorrectly or omitted as described):

  • Revenue decreases by £50,000 (cut-off correction).
  • Operating expenses increase by £5,000 (bank charge) and £20,000 (receivable impairment).
  • Cost of sales (or inventory write-down) increases by £10,000.

Total reduction in profit for 2025 = £50,000 + £5,000 + £10,000 + £20,000 = £85,000.

Balance sheet impacts from these profit-related adjustments:

  • Trade receivables decrease by £50,000 (cut-off reversal).
  • Cash decreases by £5,000 (bank charge).
  • Inventory decreases by £10,000 (write-down).
  • Net trade receivables decrease by £20,000 (allowance).

Net decrease in assets = £85,000, consistent with the profit reduction.

The VAT refund creates or confirms a £15,000 VAT receivable at year-end and affects cash only when received.

Common pitfalls and misunderstandings

  • Saying “documentation affects the financial statements.” Documentation supports conclusions; it does not change the numbers unless an adjustment is proposed and processed.
  • Cut-off errors explained without a journal entry. When you conclude an item is in the wrong period, show the correcting entry clearly and explain the impact on profit and net assets.
  • Debits and credits inconsistent with the conclusion. For example, reversing overstated revenue requires a debit to revenue and a credit to receivables (if the invoice was posted).
  • Cash versus receivable confusion. A VAT refund due is a receivable at the reporting date; it is not cash until received.
  • Inventory write-down treated as a “missing stock” issue only. Damage and obsolescence are valuation matters; document evidence supporting the reduced recoverable amount.
  • Allowance vs write-off muddled. If the balance still exists but is doubtful, use an allowance (contra-asset). A write-off requires evidence that the receivable is no longer valid.
  • Review notes left open. A file is not complete until notes are answered with evidence and formally closed.
  • Tick marks without meaning. Tick marks must have a legend; otherwise they add clutter without clarity.
  • Weak cross-referencing. If your working paper does not link to the lead schedule and evidence, a reviewer cannot follow the audit trail.
  • Uncontrolled versions of key schedules. Multiple competing “final” files make it unclear which version was actually audited.
  • Missing sign-off. If the file does not show who did the work, who reviewed it, and when, it is difficult to defend.

Summary and further reading

Audit documentation is the recorded basis for audit conclusions. A strong working paper is built around a clear objective, a procedure that can be repeated, reliable evidence, a transparent record of results, and a conclusion that follows logically.

Good organisation (indexing and cross-referencing), disciplined evidence handling, version control, timely sign-off, and professional treatment of review notes make the file usable under time pressure and defensible in review. Where audit findings lead to proposed adjustments, documentation should clearly set out the correction and the effect on profit, net assets, and key balances.

For broader context, review introductory financial reporting materials on recognition, measurement, cut-off, receivables valuation, and inventory write-downs, alongside general audit methodology guidance from professional bodies and regulators.

FAQ

Why is audit documentation so important?

Because it shows what was done, what evidence supports the work, what was found, and how conclusions were reached. It supports accountability, enables review and reperformance, and helps defend the work if challenged later.

What are the key elements of a strong working paper?

A clear objective, a step-by-step record of work performed, referenced evidence, documented results (including exceptions), a specific conclusion, and visible sign-off by preparer and reviewer with dates.

How do indexing and cross-referencing improve the audit file?

They make the file navigable and verifiable. Indexing helps you locate papers quickly; cross-referencing connects the financial statements, lead schedules, testing, and evidence into one coherent audit trail.

How should professional judgement be documented?

State the issue, outline realistic alternatives, record the factors considered (risk, evidence reliability, sensitivity, size), document the decision, and explain the impact on procedures and conclusions.

How should review notes be handled?

Answer them with evidence, not reassurance. Record what you did, attach or reference the supporting evidence, and close the note with reviewer sign-off and date once resolved.

Summary (Recap)

This chapter explains how to create audit documentation that is clear, complete, and defensible. It sets out how to build stand-up working papers that connect objectives, procedures, evidence, results, and conclusions. It also covers file organisation, evidence handling, version control, and review note discipline. The worked example demonstrates how to document common findings, show the related debit/credit entries and accounting equation effects, and complete a review note by obtaining and evaluating sensitivity analysis for going concern.

Glossary

Audit documentation: The recorded output of the audit: what risks were addressed, what work was done, what evidence was relied on, what was found, and what conclusion was reached.

Working paper: A single file item covering one audit area or procedure, designed so another auditor can follow and reperform the work.

Audit trail: The route linking financial statement figures to underlying records and supporting evidence, and back again.

Indexing: A reference system used to organise and locate working papers efficiently.

Cross-referencing: Links between working papers, schedules, and evidence that allow the reviewer to follow the audit trail.

Professional judgement: Reasoned decision-making where more than one acceptable approach exists, documented so the rationale is clear.

Review note: A reviewer query requiring action, evidence, and documented closure.

Sign-off: Recorded confirmation (name/initials/e-signature and date) that preparation and review responsibilities have been completed.

Version control: Controls that make the latest approved document identifiable and prevent confusion caused by multiple competing versions.

Confidentiality: The duty to protect client information and restrict access to those who need it for the audit.

2

Audit Evidence: Reliability, Sufficiency, and Practical Methods

Learning objectives

By the end of this chapter, you should be able to:

  • Explain what audit evidence is and distinguish relevance from reliability when evaluating it.
  • Judge how much evidence is required in different situations, linking the extent of work to risk and materiality.
  • Select practical evidence-gathering methods (for example inspection, observation, recalculation, re-performance, confirmation, enquiry and analytical procedures) and match them to common assertions.
  • Deal appropriately with conflicting information and understand when additional procedures are required.
  • Document audit work so that an experienced reviewer can understand what was done, what was found, and how conclusions were reached.
  • Recognise common evidence pitfalls, including bias, weak corroboration and over-reliance on enquiry.

Overview & key concepts

Audit evidence sits behind every audit conclusion. It consists of information obtained and evaluated to support whether the financial statements are free from material misstatement. The auditor responds to the assessed risk of material misstatement by designing further audit procedures that reduce detection risk. When those procedures are properly performed and evaluated, overall audit risk is reduced to an acceptably low level, supported by sufficient appropriate evidence.

Evidence work links directly to the financial statements. If evidence supports (or challenges) a balance or transaction, it supports (or challenges) the related elements:

  • Assets (for example receivables, inventory, property)
  • Liabilities (for example payables, loans, provisions, deferred income)
  • Equity (for example share capital and retained earnings)
  • Income and expenses (for example revenue, cost of sales, operating expenses)

Audit evidence

Audit evidence is the information used to form audit conclusions. It is obtained from:

  • Accounting records (ledgers, journals, invoices, contracts, reconciliations, management reports)
  • Other sources (third parties, external databases, observations, confirmations, physical inspection, recalculation)

Two questions drive evidence evaluation:

  1. Is it relevant? Does it address the specific assertion and period being tested?
  2. Is it reliable? How much confidence can be placed in it, given where it came from and how it was obtained?

Sufficiency and appropriateness

Appropriateness (quality)

Appropriateness is about quality, mainly:

  • Relevance to the assertion being tested
  • Reliability of the source and method

Better quality evidence can reduce the extent of further work, but it does not remove the need for enough coverage over the population.

Sufficiency (quantity)

Sufficiency is about quantity: how much evidence is needed to support a conclusion. The amount of work is influenced by:

  • the risk of material misstatement and the specific audit response required
  • materiality and tolerable misstatement for the balance or class of transactions
  • sampling risk (the chance the sample does not represent the population) and population characteristics (size, variability, stratification, expected error)
  • the expected misstatement rate (based on prior experience, walkthroughs, interim results, or preliminary testing)
  • the effectiveness of controls, where the audit approach plans to rely on them (strong tested controls can reduce the extent of substantive work; weak controls usually increase it)

Quantity alone never compensates for poor-quality evidence. If evidence is weak or inconsistent, the response is usually to obtain stronger evidence and/or extend testing.

How auditors think: double-entry logic

Understanding double-entry is essential because misstatements rarely sit in isolation. Errors and manipulation typically affect at least two places.

Examples:

  • Overstated revenue may also overstate receivables (or understate deferred income) and overstate profit and equity.
  • Understated payables may understate expenses or cost of sales, inflating profit and equity.
  • Inventory errors affect assets and profit through cost of sales.

This logic guides testing direction:

  • Vouching (ledger → source) is powerful for testing occurrence/existence.
  • Tracing (source → ledger) is powerful for testing completeness.

Reliability of audit evidence

How to judge reliability in practice

Rather than treating sources as automatically “strong” or “weak,” assess reliability using four practical questions:

  • Independence: How far is the information from management influence (for example third-party data vs internally prepared schedules)?
  • Control and custody: Could the client intercept, edit, or curate what you receive (for example replies routed through management, emailed PDFs, screenshots)?
  • Integrity of the item: Is it traceable to an underlying record with a clear audit trail, or is it an extract/copy that could be altered without detection?
  • System strength: If evidence is produced by the entity’s systems, are access rights, change controls, and review controls strong enough to trust the output?

Reliability generally increases when evidence is independent, received directly by the auditor, traceable to underlying records, and generated in a controlled environment. Auditors still need to remain alert to error, bias, and modern threats such as spoofed emails and fabricated documents.

Corroboration

Corroboration strengthens a conclusion by combining evidence from different sources or different procedures. It reduces the risk of relying on one narrow indicator.

Examples:

  • A receivable confirmation supported by subsequent cash receipts and sales/dispatch documentation.
  • Inventory count observations supported by cut-off testing, price testing, and net realisable value checks.
  • Payroll expense supported by re-performance, authorised change documentation, and bank payment evidence.

Professional scepticism

Professional scepticism must be applied throughout planning and performance, not only when something looks wrong. It is particularly important when dealing with:

  • contradictory evidence and exceptions
  • management estimates and other judgemental areas
  • related party transactions and unusual relationships
  • fraud risks, including the possibility of management override of controls

Scepticism is disciplined judgement: asking whether the evidence is complete, consistent, and plausible, and expanding work where it is not.

Contradictory evidence

Contradictory evidence occurs when information does not fit together. It must be resolved, not ignored. Responses commonly include:

  • extending tests and obtaining alternative evidence
  • investigating timing differences and cut-off errors
  • checking for disputes, returns, credit notes, and post-year-end adjustments
  • reassessing whether one exception indicates a broader control or fraud issue

A conclusion is not supported if significant contradictions remain unresolved.

Management representations

What they add—and what they don’t

Written representations are management’s formal confirmation of responsibilities and certain judgements. They can help close gaps where evidence is indirect (for example confirming that all known litigation has been disclosed), but they do not replace documentary or independent support.

If management refuses to provide representations, or if representations are unreliable or conflict with other findings, this is a serious limitation. The auditor must redesign procedures and consider the impact on the report, including whether a modified opinion is required depending on significance and pervasiveness.

External confirmation

External confirmation obtains information directly from an independent third party (for example banks, customers, suppliers). It can provide strong evidence for existence, rights and obligations, and sometimes valuation.

Key practical points:

  • The auditor must control the process (selection, addressing, sending, and receiving replies).
  • Non-responses require follow-up and, where necessary, alternative procedures (for example subsequent receipts for receivables, supplier statements and post-year-end payments for payables).
  • Reliability threats include interception or management involvement, incorrect contact details, and email fraud/spoofing. Replies should be assessed for authenticity and authority (who responded, from where, and whether the response makes sense in context).
  • Exceptions and disputed responses must be investigated and resolved.

Analytical procedures

Analytical procedures evaluate financial information through relationships such as trends, ratios, comparisons, and reasonableness models. They are used in planning and can also provide substantive evidence when relationships are predictable and data is reliable. Where judgement is high or relationships are unstable, analytical work usually needs support from tests of details.

Tests of controls and substantive procedures

Audit procedures are often described as:

  • Tests of controls: to evaluate whether controls operated effectively during the period (supporting a plan to rely on controls).
  • Substantive procedures: to detect material misstatements at the assertion level, including analytical procedures and tests of details.

How evidence choices change when controls are strong or weak

Where controls are designed well and have been tested as operating effectively, the audit response may place more emphasis on control testing and reduce the extent of substantive testing (while still performing sufficient substantive work overall). Where controls are weak, the audit approach typically shifts towards more extensive substantive procedures, larger sample sizes, and more direct evidence (for example confirmations, external documents, re-performance).

Core theory and frameworks

Assertions and evidence matching

Evidence is strongest when procedures are chosen to match the assertion under test. Assertions are framed slightly differently depending on what is being tested:

  • Classes of transactions and events (for example revenue, purchases, payroll)
  • Account balances (for example receivables, inventory, payables)
  • Presentation and disclosures (for example classification, completeness of disclosures)

Common assertions include:

  • Existence
  • Completeness
  • Accuracy
  • Cut-off
  • Valuation
  • Rights and obligations
  • Presentation and disclosure

A single procedure rarely covers all assertions; effective work usually combines procedures to provide corroboration.

Evidence and the accounting equation

The accounting equation (Assets = Liabilities + Equity) is a useful sense-check for audit findings. When evidence suggests a misstatement, consider:

  • which balances are overstated/understated
  • what double-entry would have been recorded (or omitted)
  • whether profit is affected (and therefore retained earnings)
  • whether the issue is measurement, classification, or disclosure

Worked example

Narrative scenario

ABC Ltd is a retailer preparing financial statements for the year ended 31 December 2025. The draft results include:

  • Revenue: £1,675,000
  • Reported gross margin: 21.8%
  • Capital expenditure during the year: £76,000
  • Tax rate used by management in planning calculations: 24.3%
  • Discount rate used by management for certain long-term estimates: 6.7%

During the audit, the following areas are identified as requiring focused evidence:

  1. Sales revenue recorded close to year end
  2. Inventory quantities and valuation at year end
  3. Trade receivables and payables balances
  4. Management’s estimate of warranty provisions
  5. Documentation of procedures and conclusions

Required

  • Evaluate the sufficiency and appropriateness of evidence for year-end revenue.
  • Verify inventory existence and valuation at year end.
  • Confirm the accuracy of receivables and payables.
  • Assess the reliability of evidence supporting the warranty provision.
  • Summarise and document procedures and conclusions.

Solution

1) Sales revenue recognition (year-end)

Risk focus: revenue cut-off and validity close to year end; risk of revenue inflation via early recognition or unsupported manual entries. Key assertions: occurrence, accuracy, cut-off, and (where relevant) classification between revenue and deferred income.

Best procedure mix:

  • Cut-off testing (directional): select sales recorded just before year end and match to dispatch/delivery evidence; select dispatches just before year end and ensure the related sales are recorded in the correct period.
  • Inspect post-year-end credit notes/returns: investigate whether these indicate sales recorded prematurely or incorrectly.
  • Confirm selected customer balances or specific invoices where risk is high (large, unusual, or disputed items).
  • Analytical expectation using gross margin:

Financial statement impact (conceptual): Overstated revenue usually overstates profit and equity, and may overstate receivables or cash. If invoicing occurs before performance, amounts may be more appropriately shown as deferred income rather than revenue.

Conclusion: Revenue is supported when cut-off testing, returns/credit notes review, and (where appropriate) confirmations provide consistent evidence that recorded sales belong in the period and represent genuine transactions.
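The directional logic described earlier (vouching from ledger to source, tracing from source to ledger) applied to the two-sided cut-off test above, as an added Python example that is not part of the original notes. The year end comes from the scenario; the record layout, document numbers, dates and amounts are constructed for illustration.

```python
from datetime import date

YEAR_END = date(2025, 12, 31)  # ABC Ltd year end, from the scenario

# Constructed sample: sales ledger postings around year end.
SALES_LEDGER = [
    {"invoice": "INV-9001", "posted": date(2025, 12, 29), "amount": 4200},
    {"invoice": "INV-9002", "posted": date(2025, 12, 31), "amount": 7800},
    {"invoice": "INV-9003", "posted": date(2025, 12, 31), "amount": 3100},
    {"invoice": "INV-9004", "posted": date(2026, 1, 3), "amount": 5600},
]

# Constructed sample: dispatch notes around year end.
DISPATCHES = [
    {"dispatch": "DN-501", "invoice": "INV-9001", "shipped": date(2025, 12, 29)},
    {"dispatch": "DN-502", "invoice": "INV-9002", "shipped": date(2026, 1, 4)},
    {"dispatch": "DN-503", "invoice": "INV-9004", "shipped": date(2025, 12, 30)},
    {"dispatch": "DN-504", "invoice": "INV-9005", "shipped": date(2025, 12, 31)},
]


def in_period(d):
    """True when a date falls on or before the year end."""
    return d <= YEAR_END


def vouch_sales(ledger, dispatches):
    """Ledger -> source: every sale posted in the period needs dispatch
    evidence dated in the period (occurrence and cut-off, overstatement risk)."""
    by_invoice = {d["invoice"]: d for d in dispatches}
    findings = []
    for sale in ledger:
        if not in_period(sale["posted"]):
            continue  # posted next year, outside this direction of the test
        dispatch = by_invoice.get(sale["invoice"])
        if dispatch is None:
            findings.append((sale["invoice"], "no dispatch evidence"))
        elif not in_period(dispatch["shipped"]):
            findings.append((sale["invoice"], "dispatched after year end"))
    return findings


def trace_dispatches(ledger, dispatches):
    """Source -> ledger: every dispatch made in the period needs a sale
    posted in the period (completeness and cut-off, understatement risk)."""
    by_invoice = {s["invoice"]: s for s in ledger}
    findings = []
    for dispatch in dispatches:
        if not in_period(dispatch["shipped"]):
            continue  # shipped next year, outside this direction of the test
        sale = by_invoice.get(dispatch["invoice"])
        if sale is None:
            findings.append((dispatch["dispatch"], "no sale recorded"))
        elif not in_period(sale["posted"]):
            findings.append((dispatch["dispatch"], "sale recorded after year end"))
    return findings


if __name__ == "__main__":
    for ref, issue in vouch_sales(SALES_LEDGER, DISPATCHES):
        print("vouching:", ref, issue)
    for ref, issue in trace_dispatches(SALES_LEDGER, DISPATCHES):
        print("tracing: ", ref, issue)
```

Each direction finds exceptions the other cannot: vouching starts from recorded sales and so never sees DN-504, while tracing starts from dispatches and so never sees INV-9003.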

2) Inventory verification (year-end)

Risk focus: overstatement of inventory quantities and values, and cut-off errors affecting both inventory and cost of sales. Key assertions: existence, completeness, valuation, cut-off.

Best procedure mix:

  • Attend and observe the inventory count, perform test counts, and assess count controls and count instructions.
  • Reconcile count results to inventory records and investigate differences.
  • Cut-off testing: inspect goods received notes and dispatch records around year end to ensure purchases and sales are recorded in the correct period.
  • Cost testing: agree unit costs to supplier invoices and verify that costing is applied consistently.
  • NRV testing: compare selling prices after year end (less selling costs) to carrying amounts, focusing on slow-moving, obsolete, or damaged lines.

Financial statement impact (conceptual): Inventory errors affect assets and profit via cost of sales. Overstated closing inventory typically overstates profit and equity.

Conclusion: Inventory is supported when quantity evidence (count) and valuation evidence (cost/NRV) are both obtained and are consistent with cut-off testing results.

3) Trade receivables and trade payables

Trade receivables

Risk focus: existence (fictitious debtors) and valuation (uncollectible balances). Key assertions: existence, valuation, rights.

Best procedure mix:

  • Customer confirmations for a sample of balances (or specific invoices), controlling the process.
  • Subsequent cash receipts testing to support existence and collectability.
  • Aged receivables review and inspection of dispute correspondence.
  • Impairment assessment: evaluate the reasonableness of expected credit losses by testing inputs and considering whether specific high-risk balances need additional provision.

Conclusion: Receivables are supported when confirmations and/or subsequent receipts support existence, and the impairment approach is consistent with observable collection evidence.

Trade payables

Risk focus: understatement through unrecorded liabilities. Key assertions: completeness, existence, accuracy.

Best procedure mix:

  • Supplier statements reconciliation to the payables ledger.
  • Search for unrecorded liabilities: review post-year-end payments, unmatched goods received notes, and unmatched supplier invoices.
  • Confirm selected supplier balances where reconciling items, disputes, or unusual movements exist.

Conclusion: Payables are supported when completeness-focused procedures (supplier statements and unrecorded liabilities work) provide consistent evidence that liabilities are not understated.

4) Warranty provisions

Risk focus: management bias and uncertainty in estimates; completeness of obligations and measurement. Key assertions: completeness, valuation.

Best procedure mix:

  • Inspect warranty terms to confirm which sales create obligations and the coverage period.
  • Re-perform the calculation and test the accuracy of underlying data (eligible sales volumes, claim rates, average repair/replace costs).
  • Compare prior estimates to actual outcomes to assess estimation reliability.
  • Assess current conditions (new products, known defects, supplier issues) that could change claim patterns.

Discounting (where relevant): If expected cash outflows are spread over a long period and the impact is material, consider whether discounting is appropriate and whether the discount rate used is reasonable. For short settlement periods, discounting is unlikely to be significant.

Conclusion: The provision is supported when the model is re-performed, inputs are validated, and the output is consistent with historical outcomes and current conditions, with discounting considered where relevant.

5) Working papers and clear sign-off

Your audit file should tell the story of the work without needing you in the room to explain it. For each test, record:

  • what you were trying to prove (the risk and the assertion)
  • what you tested (the population, the selection method, and the items chosen)
  • what you did (steps performed, timing, and who did the work)
  • what you saw (key evidence captured or referenced so it can be re-traced)
  • what went wrong (exceptions, how they were investigated, and the final outcome)
  • why the conclusion makes sense (how results link back to risk and materiality)

Good documentation is not just a checklist of actions; it shows that the work was targeted, sufficient for the risk, and properly evaluated.

Interpretation of the results

The procedures above show how evidence decisions depend on risk and controls:

  • Year-end revenue typically needs strong cut-off work and corroboration from dispatch/delivery evidence and post-year-end returns.
  • Inventory conclusions require quantity and valuation work, supported by cut-off testing.
  • Receivables testing must address both existence and impairment; payables testing must prioritise completeness.
  • Provisions require evidence over assumptions and inputs, with a clear evaluation of potential management bias.

Common pitfalls and misunderstandings

  • Treating enquiry as evidence on its own: explanations guide work but rarely provide sufficient support without corroboration.
  • Confusing relevance with reliability: evidence must address the assertion and be trustworthy.
  • Ignoring completeness risks in liabilities: payables and accruals are commonly understated; testing must search beyond recorded items.
  • Stopping after inventory count attendance: valuation and cut-off still require separate evidence.
  • Over-trusting internal outputs: internal reports require control evaluation and corroboration.
  • Not aggregating exceptions: individual small errors may point to a pattern when combined.
  • Weak cut-off thinking: cut-off is directional and often requires testing from both sides of year end.
  • Unresolved contradictions: conflicting evidence must trigger extra procedures and a reassessment of risk.
  • Assuming confirmations always solve the issue: non-responses and disputed replies require alternative work.

Summary and further reading

Audit evidence supports conclusions reached from procedures designed to reduce detection risk to an acceptably low level. Appropriateness is about quality (relevance and reliability); sufficiency is about quantity and depends on risk, materiality/tolerable misstatement, sampling risk, expected misstatement rates, and whether effective controls can be relied on. Strong audits use corroboration, investigate contradictions, apply professional scepticism throughout, and document work so the file clearly supports the final conclusions.

For wider context, review materials on audit risk, internal controls, estimates and provisions, revenue cut-off, and analytical procedures.

FAQ

Why is external confirmation often stronger than internal evidence?

Because it is obtained from an independent party and is less exposed to management bias. However, confirmations must be controlled by the auditor and assessed for authenticity, authority of the respondent, and reliability threats such as interception or email spoofing.

How is the sufficiency of audit evidence determined?

By linking the planned work to the risk of material misstatement and materiality/tolerable misstatement, considering sampling risk and population characteristics, and evaluating expected error rates. Where controls are tested and reliable, the extent of substantive work may reduce; where controls are weak, substantive work usually increases.

What does professional scepticism change in practical terms?

It changes how the auditor responds to estimates, unusual items, contradictions, related party activity, and fraud risks. It drives a requirement to corroborate explanations and to expand procedures when evidence is inconsistent or overly dependent on management judgement.

What are common pitfalls when using analytical procedures?

They become weak when expectations are unclear, data quality is poor, or relationships are not stable. Analytical results must be supported by investigation of significant deviations and, where needed, by tests of details.

What should be done when evidence conflicts?

The conflict must be resolved through additional procedures and careful evaluation. If unresolved issues remain significant, the auditor must reconsider the risk assessment and the impact on the report.

Glossary

Audit evidence: Information used to support audit conclusions, obtained from accounting records and other sources.

Sufficiency: The amount of evidence needed to support a conclusion, influenced by risk of material misstatement, materiality/tolerable misstatement, sampling risk, expected misstatement, and control effectiveness where relying on controls.

Appropriateness: The quality of evidence, mainly its relevance to the assertion and its reliability.

Reliability: The degree of confidence that can be placed in evidence, influenced by independence, custody/control, traceability to underlying records, and the strength of systems and controls that generate the information.

Corroboration: Strengthening a conclusion by combining evidence from different sources or different procedures.

Professional scepticism: A questioning approach applied throughout planning and performance, especially for estimates, contradictions, related parties, and fraud risks.

Contradictory evidence: Information that conflicts with other evidence and must be investigated and resolved.

Management representations: Written confirmations from management that support certain matters but do not replace other evidence; refusal or unreliability can create a limitation that may affect the audit report.

External confirmation: Evidence obtained directly from a third party (for example banks, customers, suppliers), requiring control over the process and careful evaluation of authenticity and exceptions.

Analytical procedures: Evaluation of financial information by studying relationships and trends to identify inconsistencies or support conclusions.

Tests of controls: Procedures performed to evaluate whether controls operated effectively during the period.

Substantive procedures: Procedures designed to detect material misstatements, including analytical procedures and tests of details.

Tests of details: Substantive procedures that verify amounts and disclosures through inspection, recalculation, re-performance, and other direct checks of underlying records.

3

Tests of Controls: Designing, Performing, and Interpreting

Learning objectives

By the end of this chapter you will be able to:

  • Explain why auditors evaluate internal controls and how this affects the planned audit approach.
  • Distinguish between procedures used to assess design and implementation of controls and procedures used to test operating effectiveness.
  • Link financial reporting risks to control objectives, relevant assertions, and key controls.
  • Design control tests that specify the population, period coverage, attributes, evidence, and timing.
  • Perform and document control testing, evaluate deviations, and determine how further audit procedures should respond.

Overview & key concepts

Auditors evaluate internal controls for two related but distinct reasons:

  1. Design and implementation (understanding the system): to determine whether controls are suitably designed to address identified risks and whether they have been put into operation. This is typically obtained through process understanding, walkthroughs, and observing/confirming that key steps are in place.
  2. Operating effectiveness (testing controls): to obtain evidence about whether a control operated as intended throughout the relevant period. These procedures are commonly referred to as tests of controls.

In most audit approaches, the detailed work called “tests of controls” is aimed at operating effectiveness. Evidence about design and implementation usually comes earlier, when the auditor gains an understanding of processes and performs walkthroughs.

Control testing is most useful when:

  • reliance on controls is expected to make the audit more efficient; or
  • a substantive-only approach would be inefficient or impractical, for example where there are high volumes of routine transactions processed through systems.

Even where controls are strong, substantive procedures are still required in many areas, particularly for material balances, estimates, and disclosures where controls do not remove the need for direct evidence.

Control objectives and key controls

Control objectives

A control objective states what a control is meant to achieve, usually expressed as the risk it is addressing. Examples in the purchases and payments cycle include:

  • supplier payments relate only to genuine business purchases
  • invoices are recorded accurately and in the correct period
  • supplier data (including bank details) cannot be changed without appropriate authorisation

Control objectives should be linked to relevant assertions. In this area, common assertions include:

  • occurrence (transactions happened and relate to the entity) — often where “validity/authorisation” is examined in practice
  • accuracy (amounts are correctly recorded and calculated)
  • cut-off (recorded in the correct accounting period)
  • classification (recorded in the correct accounts)
  • completeness (all relevant transactions are recorded)

Linking controls to assertions (illustration):

  • three-way match supports occurrence (valid purchase), accuracy (price/quantity), and sometimes cut-off (receipt date)
  • approval of payment run supports occurrence/authorisation and may also support accuracy (review of unusual items)
  • independent bank reconciliation supports detection of errors affecting cash and payables (accuracy/completeness), but often after payment has occurred

Key controls

Key controls are those the auditor expects to rely on, or those that are critical to responding to assessed risks. In exam answers, it is helpful to distinguish them from non-key controls:

  • Key controls directly address significant risks or major process points where failure could lead to a material misstatement.
  • Non-key controls may still be useful, but are less central to the audit response.

Operating effectiveness and deviations

Operating effectiveness

A control operates effectively when it is performed:

  • by appropriate personnel with the right authority
  • in the required manner
  • at the right time (for example, approval occurs before payment is released)
  • consistently across the period being relied upon

Deviations (exceptions)

A deviation is an instance where the control does not operate as designed for a tested item. The term exception is often used as shorthand. Examples include:

  • missing evidence of required approval
  • approval obtained after payment release
  • match performed but key discrepancies not resolved before payment

Not all deviations have the same implications. The auditor should consider both the frequency and the nature of deviations, including whether they indicate a one-off lapse or a systematic weakness.

Exception rate

A basic measure used in many controls tests is the deviation (exception) rate:

Exception rate = (Number of exceptions ÷ Items tested) × 100%

This is an indicator of operating effectiveness, but it is not the only factor in the conclusion.

Test methods and the strength of evidence

Common methods include:

  • Inspection: examining documents, records, or system logs (e.g., evidence of matching or approval).
  • Observation: watching a control being performed (useful but limited to what is seen at that moment).
  • Inquiry: asking staff about the operation of controls (normally needs corroboration).
  • Re-performance: independently executing the control (often strong evidence, particularly for calculations or system-driven checks).

In practice, auditors often combine methods. Inquiry may explain what should happen; inspection and re-performance provide more persuasive evidence that it did happen.

Sampling and populations in control testing

Population

The population is the full set of items to which the control applies over the period being tested (e.g., all supplier invoices processed during the year).

A frequent weakness is selecting a population that does not match the control. For example, testing only year-end invoices is not appropriate if the control operates throughout the year.

Sampling risk and non-sampling risk

  • Sampling risk: the sample result differs from what would be concluded if the whole population were tested.
  • Non-sampling risk: the auditor reaches the wrong conclusion due to poor design, poor execution, or incorrect evaluation (e.g., testing the wrong attribute, misunderstanding what evidence demonstrates performance).

Good test design reduces non-sampling risk; balanced sample selection and careful evaluation help manage sampling risk.

Compensating controls and reliance strategy

Compensating controls

A compensating control is a different control that reduces the same risk when a primary control is weak. For example, if evidence of invoice approval is inconsistent, a timely independent review of bank reconciliations and follow-up of unusual payments may reduce the risk that unauthorised payments remain undetected.

Compensating controls do not automatically eliminate the problem. The auditor must consider whether they operate with sufficient timeliness and precision to address the specific risk.

Reliance strategy

A reliance strategy means the auditor plans to place reliance on controls and, as a result, adjust further audit procedures. Reliance can affect the nature, timing, and extent of substantive procedures, but it does not usually remove the need for substantive work entirely—particularly for material balances, estimates, and disclosures.

Core theory and frameworks

When are tests of controls necessary vs optional?

Control testing is commonly performed when:

  • the auditor plans to rely on controls to respond to assessed risks; or
  • substantive-only testing is not expected to be efficient or sufficient on its own (often in automated, high-volume environments); or
  • the auditor needs evidence about operating effectiveness to support the planned audit approach.

Control testing may be limited (or not performed in detail) when the auditor plans a substantive-focused approach and substantive evidence is expected to be obtained efficiently. However, the auditor still needs an understanding of processes and relevant controls to assess risks and design procedures appropriately.

Interim testing and roll-forward

Controls are often tested at an interim date. If the auditor plans to rely on interim results for the full year, further evidence is needed that the controls continued to operate effectively for the remaining period. Typical approaches include:

  • testing additional items from the period after interim testing; and/or
  • obtaining evidence that there were no relevant process changes and the control continued to operate (supported by targeted testing rather than assumption).

Selecting controls and defining attributes

Selecting the right controls to test involves identifying those that address higher-risk areas and key process points. The attributes tested should be:

  • observable (supported by evidence)
  • defined by clear pass/fail criteria
  • directly linked to the control objective

Examples of strong attributes:

  • “Evidence that supplier bank detail changes were approved by an independent reviewer before the change took effect.”
  • “Evidence that PO, receipt documentation, and invoice were matched and differences resolved before payment release.”

Designing the test: method, evidence, and timing

A well-designed control test specifies:

  • the control and related control objective
  • population and period coverage
  • sample selection approach
  • test method(s)
  • evidence expected
  • timing across the period (not concentrated at one point)

A weekly control should normally be tested across different weeks; a daily control across a spread of days and months.

Performing the test and documenting results

Documenting the work

Your working papers should tell the story of the test from start to finish. Someone else on the audit team should be able to see:

  • which control was tested and why it matters (the risk/control objective link)
  • the population and how the sample was selected
  • exactly what you checked for each item (the attribute criteria)
  • what evidence you looked at (file references, screenshots, log extracts)
  • what you found (including any deviations and how they were followed up)
  • your conclusion on whether the control can be relied on for the period, and what changes (if any) are needed to the audit approach

Evaluating deviations and updating the audit plan

When deviations are identified, the auditor should:

  • quantify the deviations (how many and how often)
  • understand the cause and pattern (isolated lapse vs systematic issue; specific period, staff member, supplier, or location)
  • evaluate whether reliance remains appropriate
  • update further audit procedures to respond to the revised assessment of risk

Dual-purpose tests and edge cases

Dual-purpose tests can be efficient where one procedure supports both:

  • control operation (e.g., approval present and timely), and
  • substantive evidence (e.g., recalculation, agreement to supporting documents)

Dual-purpose tests should be planned so that sample selection and coverage are suitable for both objectives. Documentation should clearly distinguish:

  • the control attributes tested (operating effectiveness), and
  • the substantive assertions addressed (amounts, cut-off, classification, etc.)

Edge cases require careful evaluation. For example, an approval obtained after payment may provide some accountability evidence but generally does not meet a control objective intended to prevent unauthorised payments.

Automated controls and the IT environment

For automated controls (for example, system-enforced matching rules), reliance usually requires evidence that the control is reliable in the system environment. At a high level, auditors often consider:

  • whether relevant access controls and change controls support the reliability of the application control; and/or
  • whether there is direct evidence the application control operated as intended (such as system configuration review, system logs, or re-performance using system outputs)

The key point is that automated controls still require audit evidence—they are not assumed to work simply because they are automated.
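Re-performance of the matching and approval attributes over a system extract, as an added Python example that is not part of the original notes. The field names, invoice numbers, approver IDs and timestamps are constructed; the three deviation types are the ones listed under "Deviations (exceptions)" above, and deviations are grouped by nature and month to help separate an isolated lapse from a pattern.

```python
from collections import Counter
from datetime import datetime

# Hypothetical extract layout; prices are held in pence to avoid float comparison.
FIELDS = ("invoice", "po_qty", "grn_qty", "inv_qty", "po_price_p", "inv_price_p",
          "diff_resolved_at", "approved_by", "approved_at", "released_at")

# Constructed sample items (not real data).
ROWS = [
    ("SI-0101", 10, 10, 10, 2500, 2500, None, "mgr_a", "2025-02-10T09:15", "2025-02-12T14:00"),
    ("SI-0102", 10, 10, 12, 2500, 2500, "2025-03-03T11:00", "mgr_a", "2025-03-04T10:00", "2025-03-05T14:00"),
    ("SI-0103", 5, 5, 5, 9900, 9900, None, "mgr_b", "2025-06-20T08:30", "2025-06-18T14:00"),
    ("SI-0104", 8, 8, 8, 1200, 1200, None, None, None, "2025-06-25T14:00"),
    ("SI-0105", 20, 20, 20, 4000, 4400, None, "mgr_a", "2025-09-08T16:00", "2025-09-09T14:00"),
    ("SI-0106", 3, 3, 3, 7000, 7500, "2025-07-02T09:00", "mgr_b", "2025-07-01T12:00", "2025-06-30T14:00"),
]
SAMPLE = [dict(zip(FIELDS, row)) for row in ROWS]


def ts(value):
    """Parse an ISO timestamp, keeping None for missing evidence."""
    return datetime.fromisoformat(value) if value else None


def has_discrepancy(item):
    """Three-way match: invoice quantity against PO and receipt, invoice price against PO."""
    return (item["inv_qty"] != item["po_qty"]
            or item["inv_qty"] != item["grn_qty"]
            or item["inv_price_p"] != item["po_price_p"])


def evaluate_item(item):
    """Return the list of deviations for one sampled invoice (empty list = pass)."""
    deviations = []
    released = ts(item["released_at"])
    approved = ts(item["approved_at"])
    if approved is None or not item["approved_by"]:
        deviations.append("missing approval evidence")
    elif approved >= released:
        # Late approval gives accountability evidence but is not preventive.
        deviations.append("approval after payment release")
    if has_discrepancy(item):
        resolved = ts(item["diff_resolved_at"])
        if resolved is None or resolved >= released:
            deviations.append("discrepancy not resolved before payment")
    return deviations


def run_control_test(sample):
    """Evaluate every item and summarise deviations by nature and by release month."""
    results = {item["invoice"]: evaluate_item(item) for item in sample}
    failed = {inv: devs for inv, devs in results.items() if devs}
    by_nature = Counter(d for devs in failed.values() for d in devs)
    # An item with several deviations still counts as one exception item.
    by_month = Counter(item["released_at"][:7] for item in sample
                       if results[item["invoice"]])
    return {"tested": len(sample), "failed": failed,
            "by_nature": by_nature, "by_month": by_month}


if __name__ == "__main__":
    summary = run_control_test(SAMPLE)
    for invoice, deviations in summary["failed"].items():
        print(invoice, "->", "; ".join(deviations))
    print(dict(summary["by_nature"]), dict(summary["by_month"]))
```

In the constructed data three of the four exception items were released in June, the kind of clustering that would prompt enquiry into a specific period or payment run.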

Worked example

Narrative scenario

ABC Ltd has annual revenue of GBP 1,190,000. The company operates controls over supplier payments to reduce the risk of incorrect or unauthorised payments. During the year, ABC Ltd processed 2,400 supplier invoices.

Key control points in the payments process

ABC Ltd uses several control points to reduce the risk of incorrect or unauthorised supplier payments:

  • Supplier data changes are restricted and reviewed: changes to supplier bank details are initiated by accounts payable staff but must be approved by a separate senior reviewer before they take effect.
  • Payment is supported by matching evidence: before an invoice is cleared for payment, the invoice is matched to an approved purchase order and receiving evidence, with differences documented and resolved.
  • The payment run is checked before release: the payment run is reviewed for unusual payees/amounts and approved by a manager who is not involved in posting invoices.
  • After-the-event detection: bank reconciliations are prepared promptly and independently reviewed, with follow-up of unusual or unmatched payments.

The audit team plans to test the operating effectiveness of these controls.

Required

  1. Calculate the exception rate for a sample of invoices tested.
  2. Evaluate the implications of the exception rate on control reliance.
  3. Design a test of control for the matching requirement.
  4. Interpret the results and adjust the audit plan accordingly.

Solution

1) Calculate the exception rate

  • Items tested: 40 invoices
  • Deviations found: 3 invoices lacked evidence of required approval

Exception rate = (3 ÷ 40) × 100% = 7.5%

2) Evaluate implications for reliance

Assume:

  • tolerable deviation rate: 5%
  • observed deviation rate: 7.5%

Because 7.5% exceeds 5%, the results do not support the original planned level of reliance on this control without further evaluation.

Exam-safe nuance (sampling and judgement): The observed rate is an indicator based on a sample, not a measurement of the entire population. The conclusion should also consider sampling risk and the nature and cause of deviations (for example, whether approvals were genuinely missing, obtained late, or evidenced elsewhere). Where the exceptions suggest a systematic weakness, the auditor would reduce reliance and increase substantive work.
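The sampling-risk point can be made concrete by computing an upper deviation limit for the sample result. This is an added illustration, not part of the original notes; the 95% one-sided confidence level and the exact binomial (Clopper-Pearson) bound are assumptions the chapter does not specify.

```python
from math import comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(deviations, sample_size, confidence=0.95):
    """One-sided exact upper bound on the population deviation rate.

    Finds the rate p at which observing `deviations` or fewer in the sample
    would have probability (1 - confidence). The confidence level is an
    assumption of this example.
    """
    if not 0 <= deviations <= sample_size:
        raise ValueError("deviations must be between 0 and sample_size")
    if deviations == sample_size:
        return 1.0
    alpha = 1 - confidence
    # The CDF falls as p rises, so bisect between the observed rate and 1.
    lo, hi = deviations / sample_size, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_control_sample(deviations, sample_size, tolerable_rate, confidence=0.95):
    """Compare both the observed rate and the upper limit with the tolerable rate."""
    upper = upper_deviation_limit(deviations, sample_size, confidence)
    return {
        "observed_rate": deviations / sample_size,
        "upper_limit": upper,
        "supports_planned_reliance": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    # Figures from the worked example: 3 deviations in 40 items, 5% tolerable rate.
    result = evaluate_control_sample(3, 40, 0.05)
    print(f"observed {result['observed_rate']:.1%}, "
          f"upper limit {result['upper_limit']:.1%}, "
          f"supports reliance: {result['supports_planned_reliance']}")
```

The upper limit sits well above the observed 7.5%, which is why the sample result is treated as an indicator rather than a measurement of the population.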

3) Design a test for the matching control

Control objective: only invoices relating to goods received and properly ordered are approved for payment.

Population: all supplier invoices processed during the year (2,400 invoices).

Period coverage: the full year (include items from different months and different payment runs).

Sample: select 30 invoices across the year.

Method: inspection plus re-performance.

Attribute criteria (pass/fail for each item):

  1. Purchase order exists and matches the supplier and items invoiced.
  2. Receiving evidence exists for the goods/services invoiced.
  3. Invoice quantities and prices agree to the PO/receipt evidence within policy tolerances, or differences are documented and resolved.
  4. Evidence shows the match and any resolution occurred before the invoice was released for payment.

Evidence retained: copies/screenshots of PO, receiving documentation, invoice, match report/checklist, and evidence of resolution (including relevant dates/timestamps).
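The four attribute criteria above can be re-performed over extracted system data, which also shows how a late match fails the control even when the amounts agree. This is an added example, not part of the original notes; the record layout, the 1% price tolerance, the sample items, and the reuse of the 5% tolerable rate from part 2 are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

PRICE_TOLERANCE = 0.01  # assumed policy tolerance: 1% of the PO unit price


@dataclass
class InvoiceEvidence:
    invoice_id: str
    supplier: str
    po_supplier: Optional[str]       # None: no approved PO on file
    po_unit_price: Optional[float]
    invoice_qty: int
    invoice_unit_price: float
    received_qty: Optional[int]      # None: no receiving evidence
    difference_resolved: bool        # documented resolution retained on file
    matched_at: Optional[datetime]   # timestamp of the match
    released_at: datetime            # timestamp of release for payment


def failed_attributes(item):
    """Return the attribute numbers (1-4) that this sample item fails."""
    failed = []
    has_po = item.po_supplier is not None and item.po_unit_price is not None
    has_receipt = item.received_qty is not None
    # 1. Purchase order exists and matches the supplier invoiced.
    if not (has_po and item.po_supplier == item.supplier):
        failed.append(1)
    # 2. Receiving evidence exists.
    if not has_receipt:
        failed.append(2)
    # 3. Quantities and prices agree within tolerance, or differences resolved.
    #    With no PO or receipt there is nothing to agree to, so this fails too.
    agrees = False
    if has_po and has_receipt:
        price_gap = abs(item.invoice_unit_price - item.po_unit_price)
        price_ok = price_gap <= PRICE_TOLERANCE * item.po_unit_price
        qty_ok = item.invoice_qty <= item.received_qty
        agrees = price_ok and qty_ok
    if not (agrees or item.difference_resolved):
        failed.append(3)
    # 4. The match occurred before release for payment.
    if item.matched_at is None or item.matched_at >= item.released_at:
        failed.append(4)
    return failed


def evaluate_sample(sample, tolerable_rate=0.05):
    """Attribute-test every item; an item with any failed attribute is a deviation."""
    results = {item.invoice_id: failed_attributes(item) for item in sample}
    deviations = sum(1 for failed in results.values() if failed)
    rate = deviations / len(sample)
    return {"results": results, "deviations": deviations,
            "deviation_rate": rate, "within_tolerable": rate <= tolerable_rate}


# Constructed sample items (not real data), one per situation of interest.
SAMPLE = [
    InvoiceEvidence("INV-001", "Alpha", "Alpha", 10.00, 100, 10.00, 100, False,
                    datetime(2025, 3, 3, 9, 0), datetime(2025, 3, 5, 14, 0)),
    InvoiceEvidence("INV-002", "Beta", "Beta", 25.00, 40, 25.00, None, False,
                    datetime(2025, 5, 10, 9, 0), datetime(2025, 5, 12, 9, 0)),
    InvoiceEvidence("INV-003", "Gamma", "Gamma", 10.00, 50, 10.50, 50, False,
                    datetime(2025, 7, 1, 9, 0), datetime(2025, 7, 2, 9, 0)),
    InvoiceEvidence("INV-004", "Gamma", "Gamma", 10.00, 50, 10.50, 50, True,
                    datetime(2025, 9, 1, 9, 0), datetime(2025, 9, 2, 9, 0)),
    InvoiceEvidence("INV-005", "Delta", "Delta", 8.00, 20, 8.00, 20, False,
                    datetime(2025, 11, 21, 9, 0), datetime(2025, 11, 20, 16, 0)),
]

if __name__ == "__main__":
    outcome = evaluate_sample(SAMPLE)
    for invoice_id, failed in outcome["results"].items():
        print(invoice_id, "PASS" if not failed else f"FAIL attributes {failed}")
    print(f"deviation rate {outcome['deviation_rate']:.0%}")
```

INV-005 agrees on every amount but still fails attribute 4, because the match was recorded after the invoice had already been released for payment.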

4) Interpret results and adjust the audit plan

Interpretation

The deviations indicate that the approval control did not operate consistently. This increases the risk of unauthorised or incorrect payments and suggests a higher risk of misstatement in the purchases, payables, and cash disbursements cycle.

Audit response

  • Revise reliance: reduce planned reliance on the approval control unless further work supports reliance (e.g., additional testing or evidence that deviations were isolated and not indicative of broader failure).
  • Increase substantive procedures, focusing on:
  • Consider compensating controls: evaluate whether independent bank reconciliations and follow-up are timely and detailed enough to reduce risk, and test their operating effectiveness if reliance is planned.
  • Update risk assessment: if deviations show a pattern (specific period, staff member, supplier category, or system issue), expand procedures in the affected area and adjust the audit plan accordingly.

Common pitfalls and misunderstandings

  • Treating policy existence as control operation: a policy is not evidence that the control operated.
  • Testing only at year-end: controls operating through the year require period coverage.
  • Missing timing requirements: approvals after processing often fail the control objective.
  • Relying on inquiry alone: inquiry should be supported by inspection and/or re-performance.
  • Quantifying deviations without analysing them: cause and pattern matter.
  • Weak attribute definitions: vague criteria lead to inconsistent conclusions.
  • Ignoring sampling risk: sample results require judgement before concluding on reliance.
  • Poor documentation: unclear working papers weaken the audit trail and conclusions.
  • Overconfidence in automated controls: automated controls require evidence that the system environment supports reliability.
  • Ignoring override behaviour: frequent overrides may indicate that controls are not operating as intended.

Summary and further reading

Auditors evaluate controls through (i) procedures that assess design and implementation, and (ii) tests of controls that focus on operating effectiveness. Control testing helps determine whether reliance is appropriate and how further audit procedures should be planned. Deviations must be evaluated by frequency, nature, and cause, with audit responses tailored accordingly.

This topic links closely to risk assessment and further audit procedures, because control results influence the nature, timing, and extent of substantive work, while recognising that substantive procedures are still required in many areas even where controls are strong.

For further reading, consult introductory audit texts covering internal control, audit evidence, and audit sampling, along with professional guidance on audit risk and audit evidence.

FAQ

What is the primary purpose of tests of controls?

To obtain evidence about whether a control operated effectively over the period of reliance. This helps the auditor decide whether reliance is appropriate and how further audit procedures should be designed.

How do you decide which controls to test?

Prioritise key controls that respond to higher-risk areas and that the auditor expects to rely on. Controls that operate frequently or within automated systems may be particularly relevant where substantive-only testing would be inefficient.

Which methods are commonly used, and which provide stronger evidence?

Inspection and re-performance usually provide stronger evidence. Observation is limited to the time observed, and inquiry is generally weak unless corroborated.

What should be done when deviations are found?

Quantify deviations, understand cause and pattern, and evaluate whether reliance remains appropriate. If reliance reduces, increase or refocus substantive procedures and consider whether compensating controls can be relied on (supported by testing).

How do sampling risk and non-sampling risk affect conclusions?

Sampling risk means a sample may not reflect the population. Non-sampling risk arises from poor test design or execution. Both are managed by good test design, appropriate sampling, and careful evaluation of results.

Summary (Recap)

This chapter explained how auditors assess controls through understanding design and implementation and through tests of controls focused on operating effectiveness. It covered how to link risks to control objectives and assertions, how to design and perform control testing with clear attributes and period coverage, and how to evaluate deviations. The worked example demonstrated calculating an exception rate, applying judgement (including sampling considerations), designing a matching control test, and revising further audit procedures in response to control weaknesses.

Glossary

Tests of controls: Procedures performed to obtain evidence about whether controls operated effectively over the relevant period.

Design and implementation: Evaluating whether controls are suitably designed to address risks and have been put into operation, typically through process understanding and walkthroughs.

Control objective: The outcome a control is intended to achieve, expressed in terms of the risk it addresses.

Key control: A control that is central to responding to higher-risk areas and/or one the auditor expects to rely on.

Operating effectiveness: Whether a control operated consistently, by appropriate personnel, in the required manner, and at the right time across the period of reliance.

Deviation: An instance where a control did not operate as designed for a tested item (often called an exception).

Exception rate: (Number of exceptions ÷ Items tested) × 100%, used as an indicator of control performance in a sample.

Attribute testing: Testing whether specified control features are present using clear pass/fail criteria.

Dual-purpose test: A procedure designed to provide evidence about both control operation and substantive assertions, planned and documented to meet both objectives.

Population: The complete set of items to which a control applies over the relevant period.

Sampling risk: The risk that the sample conclusion differs from the conclusion that would be reached by testing the whole population.

Non-sampling risk: The risk of an incorrect conclusion due to poor design, execution, or evaluation rather than the choice of sample.

Compensating control: A different control that reduces the same risk when a primary control is weak, provided it operates with sufficient timeliness and precision.

Reliance strategy: An audit approach that plans to rely on controls (supported by testing) and adjust further audit procedures accordingly.

4

Assertions and Designing Substantive Procedures

Learning objectives

By the end of this chapter, you should be able to:

  • Explain how financial statement assertions relate to classes of transactions, account balances, and disclosures.
  • Link a specific risk of misstatement to the most relevant assertion(s) and the direction of that risk.
  • Design substantive procedures that are assertion-led, directionally logical, and capable of detecting material misstatement.
  • Distinguish between tests of details and substantive analytical procedures, and select an appropriate mix.
  • Evaluate exceptions from substantive work, quantify likely misstatement, and decide appropriate next steps.
  • Recognise common assertion–procedure mismatches and correct flawed audit logic.

Overview & key concepts

Financial statements are built from management’s records and estimates. Each line item and disclosure carries an implied claim about what is being reported. These implied claims are commonly described as assertions. Assertions give a practical structure for turning risk into work: what could be wrong, and what evidence would expose it?

Assertions are applied to:

  • Classes of transactions and events (for example, sales, purchases, payroll)
  • Account balances at the reporting date (for example, inventory, receivables, payables)
  • Presentation and disclosures (for example, related party disclosures, accounting policies, commitments)

Assertions and the accounting equation

Most misstatements ultimately distort the accounting equation:

Assets = Liabilities + Equity

  • Overstated assets (for example, receivables not recoverable) usually overstate equity through overstated profit.
  • Understated liabilities (for example, missing accruals) usually overstate equity through understated expenses.
  • Cut-off errors shift income/expenses between periods and therefore shift equity (retained earnings) between reporting dates.

Keeping procedures tied to these outcomes makes conclusions more robust.

Core theory and frameworks

Assertion framework used in this chapter

Assertions are often taught as “families” of ideas (existence, completeness, valuation, etc.). Marking, however, typically expects students to show they can apply assertions in three distinct contexts: transactions, balances, and disclosures. The same concepts appear in each context, but with different labels and emphasis.

How the assertion families map to the three contexts

Use the following map to translate the chapter’s language into a format that aligns neatly to exam marking expectations.

Classes of transactions and events

  • Occurrence → “Did the recorded transaction happen and relate to the entity?”
  • Completeness → “Have all transactions that should be recorded been recorded?”
  • Accuracy → “Were amounts and data captured correctly?”
  • Cut-off → “Is the transaction recorded in the correct period?”
  • Classification → “Is it recorded in the correct account/category?”

Account balances at the reporting date

  • Existence → “Does the recorded balance represent something real at the reporting date?”
  • Rights and obligations → “Does the entity control the asset / owe the liability?”
  • Completeness → “Are any balances missing?”
  • Valuation (and allocation) → “Is the balance carried at an appropriate amount (including estimates)?”

Presentation and disclosures

  • Occurrence / rights and obligations → “Do disclosed events/transactions exist and genuinely relate to the entity?”
  • Completeness → “Are all required disclosures included?”
  • Classification and understandability → “Is disclosure appropriately grouped and clear?”
  • Accuracy and valuation → “Are disclosed amounts and narrative explanations consistent with the underlying records and measurement?”

This mapping helps you write answers in whichever terminology you are most comfortable with, while still presenting the categories markers expect.

A one-page map: Assertion ↔ direction ↔ typical procedures

The quickest way to avoid weak audit logic is to match assertion and risk direction to a sensible evidence route.

  • Overstatement risks (too high): start from what is recorded and vouch back to supporting evidence.
  • Understatement risks (too low): start from source evidence and trace forward into the records.

Common pairings:

  • Revenue occurrence (overstatement): ledger invoice → order/terms → dispatch → delivery/acceptance → post year-end returns/credit notes.
  • Revenue cut-off (timing): dispatch/delivery around year-end → invoice date/posting date → correct period.
  • Revenue measurement (returns/rebates/free goods): promotion terms → pricing/rebate calculations → credit notes/refund activity → liabilities/contra-revenue presentation.
  • Payables completeness (understatement): post year-end supplier invoices/GRNs → year-end payables/accruals → general ledger.
  • Inventory existence: physical count/third-party confirmation → inventory records.
  • Inventory valuation: cost build-up + ageing/obsolescence → selling prices/markdowns/post year-end sales → write-down where needed.
  • Receivables valuation: ageing + historical default/recovery + forward-looking factors → post year-end cash/credit notes → allowance adequacy.

Explanations of key assertions (applied, exam-focused)

Existence and occurrence

  • Existence (balances): items recorded at the reporting date are real.
  • Occurrence (transactions): recorded transactions/events actually happened and relate to the entity.

Typical risk pattern: overstatement (fictitious revenue, inventory that does not exist, receivables that are not real).

Completeness

Everything that should be recorded or disclosed has been included.

Typical risk pattern: understatement (missing payables/accruals, omitted provisions, incomplete disclosures).

Accuracy

Amounts and other data are correctly captured (prices, quantities, dates, customer/supplier, calculations).

Classification

Items are recorded in the correct account/category.

Example:

  • Repairs are expensed rather than capitalised (unless they meet capitalisation criteria). Misclassification can distort profit and asset balances.

Valuation

Balances are carried at supportable amounts, including estimates and adjustments.

Valuation work often involves:

  • assessing whether assumptions are reasonable,
  • checking calculations,
  • comparing to subsequent events that provide evidence (cash receipts, sales, write-offs).

Rights and obligations

The entity controls the recorded assets and is responsible for recorded liabilities.

Cut-off

Transactions are recorded in the correct period. Cut-off is about timing, but the correct period often depends on terms, acceptance, and return arrangements, not simply an invoice date.

Presentation and disclosure

Items are properly described, grouped, and disclosed so that users can understand them.

From risk to work: writing the “audit story”

A good procedure starts with a specific worry, not a generic test. Describe the item you are auditing, then write the risk as a short story:

  1. What could be misstated? (state the misstatement plainly)
  2. Which assertion does that misstatement attack? (for example, completeness for missing liabilities, occurrence for fictitious revenue)
  3. Why is this entity exposed to that misstatement? (incentives, complexity, estimates, manual processing, weak oversight)
  4. What evidence would make the misstatement hard to sustain? (third-party confirmation, records generated outside finance, subsequent cash/returns behaviour)

If you cannot explain how the evidence would “corner” the misstatement, the procedure is not aimed tightly enough.

Directional testing (choosing the right evidence route)

Directional testing is a logic check:

  • If the risk is overstatement, start with what is recorded and vouch back to independent support.
  • If the risk is understatement, start with what should exist (source evidence) and trace forward into the records.

This is especially important for:

  • Revenue (overstatement) vs payables (understatement),
  • assets (overstatement) vs liabilities (understatement).

Writing a procedure that earns marks

A strong substantive procedure is specific enough that another auditor could perform it and reach a defendable conclusion. Use five headings:

  • Risk target: the item, period/date, and the assertion you are trying to prove or disprove.
  • Evidence route: whether you will vouch back from recorded items (overstatement risk) or trace forward from source evidence (understatement risk).
  • What you will test: define the population and what makes items high risk (value, manual processing, unusual terms, proximity to year-end).
  • What counts as proof: identify the documents or outputs that directly address the assertion (and what would be unacceptable).
  • How you will evaluate results: how you will quantify errors, decide whether they are isolated/systemic, and what extra work you would do if exceptions arise.

Substantive procedures

Substantive procedures are designed to detect material misstatement at the assertion level. They are commonly grouped into:

Tests of details

Direct checking of transactions, balances, or disclosures.

Examples:

  • Vouch invoices to dispatch documentation (revenue occurrence).
  • Confirm receivable balances with customers (existence).
  • Inspect post year-end invoices and match to pre year-end receipts (payables completeness).

Substantive analytical procedures

Using relationships in data to develop expectations and identify differences that require investigation.

For analytical work to be persuasive, it needs:

  • a predictable relationship (a sensible basis for expectation),
  • reliable data (inputs that can be trusted),
  • corroborated investigation of variances.

Explanations must be supported (for example, by source records or independent evidence); otherwise the variance remains an unresolved risk.

Worked example

Narrative scenario

ABC Ltd has a year-end of 31 December 2025.

The records show:

  • Revenue: £1,430,000
  • Gross margin: 18.4%
  • Trade receivables at year-end: £500,000
  • Allowance for expected credit losses recorded: £12,000
  • Inventory at year-end: £900,000
  • Trade payables at year-end: £300,000
  • Accrued expenses at year-end: £85,000
  • Capital expenditures during the year: £103,000
  • Tax rate: 16.1%
  • Discount rate: 8.0%

Additional background:

  • A bonus scheme is linked to sales growth.
  • Sales returns are increasing.
  • Manual credit notes are issued after year-end.
  • A major promotion ran near year-end: “Buy 10, get 2 free” plus a 5% rebate if annual purchases exceed a threshold.
  • Goods were shipped on the last day of the year, with a 30-day return policy.

Required

  1. Compute the expected allowance for credit losses using the ageing information provided below.
  2. Design substantive procedures for:
  3. Evaluate inventory valuation work that would be appropriate given the scenario.
  4. Assess payables completeness work that would be appropriate given the scenario.
  5. Identify and correct assertion–procedure mismatches.

Ageing profile and expected loss rates:

  • Current: £280,000 at 1%
  • 31–60 days: £120,000 at 3%
  • 61–90 days: £60,000 at 8%
  • 90+ days: £40,000 at 25%

Solution

1) Expected allowance for credit losses (ageing approach)

Expected allowance = Σ (balance in band × expected loss rate)

  • Current: £280,000 × 1% = £2,800
  • 31–60 days: £120,000 × 3% = £3,600
  • 61–90 days: £60,000 × 8% = £4,800
  • 90+ days: £40,000 × 25% = £10,000

Total expected allowance = £21,200

Recorded allowance = £12,000

Potential shortfall = £21,200 − £12,000 = £9,200

Financial statement impact (accounting equation):

  • Increasing the allowance by £9,200:

Illustrative adjusting entry:

  • Dr Impairment loss (profit or loss) £9,200
  • Cr Allowance for expected credit losses (contra receivable) £9,200

Exam-safe realism point: An ageing matrix is a useful audit expectation tool, but it should be challenged. Consider whether the loss rates reflect current conditions, include forward-looking factors, and reconcile sensibly to actual write-offs and recoveries.

2) Revenue: procedures split by (a) occurrence/cut-off and (b) measurement/presentation

The scenario contains strong risk indicators: sales-linked bonuses, rising returns, manual credit notes after year-end, complex promotions, and shipments on the last day of the year with return rights. Procedures should address both whether revenue is genuine/timely and whether it is measured and presented correctly.

(a) Occurrence and cut-off (genuineness and timing)

Risk target: Revenue near year-end overstated by recording sales that did not occur, or by recognising revenue in the wrong period.

Evidence route: Overstatement risk → vouch from recorded revenue to independent support.

What you will test (population and selection):

  • Sales invoices posted from 18–31 December and 1–7 January.
  • Test all invoices above tolerable misstatement (or another risk-based cut-off linked to performance materiality) and a targeted sample of the remainder focusing on:

What counts as proof (tests of details):

  • Agree invoice to customer order/terms (including shipping terms and acceptance points).
  • Agree to dispatch documentation (goods-out record/dispatch note).
  • Obtain delivery confirmation or customer acknowledgement where available.
  • For shipments on 31 December, evaluate whether the terms and evidence support recognition before year-end rather than in the next period.

How you will evaluate results:

  • Missing dispatch/delivery/acceptance evidence is an exception.
  • Quantify the misstatement per item and assess whether it indicates a wider pattern (especially around 31 December).
  • Extend testing if exceptions cluster around specific customers, promotional sales, or manual postings.

Cut-off test using dispatch records (source → ledger for timing accuracy):

  • Select dispatches in the last 7–10 days before year-end and first 7–10 days after year-end.
  • Trace to sales invoice and posting date to confirm revenue is recorded in the correct period given the shipping/acceptance terms.
  • Investigate any invoices dated pre year-end where dispatch/delivery occurred after year-end.

(b) Measurement and presentation (returns, rebates, free goods)

Risk target: Revenue and related liabilities misstated because returns, rebates, and “free goods” are not reflected appropriately in the transaction price, contra-revenue, or refund/contract liabilities.

Evidence route: Measurement/presentation risk → test calculations, terms, and subsequent behaviour (returns/credit notes).

Returns and right-of-return risks:

  • Analyse January returns and credit notes and match significant items back to late-December sales.
  • For goods shipped on 31 December with a 30-day return policy:

Manual credit notes issued after year-end:

  • Obtain a listing of manual credit notes issued in January/February.
  • For a risk-focused sample (and all significant items), inspect:
  • Consider whether the pattern indicates aggressive year-end revenue recognition.

Promotion: “Buy 10, get 2 free”

  • Inspect promotion terms and how “free” units are processed in the system.
  • Test a sample of promotional sales to confirm:

5% rebate above an annual threshold

  • Identify customers close to or exceeding the threshold near year-end.
  • Recalculate rebate accruals (or credit notes issued) based on:
  • Assess whether rebates are presented appropriately (revenue reduction and/or liability, depending on how the entity settles the rebate).

How you will evaluate results:

  • Reperformance differences are quantified as misstatement.
  • If measurement errors are systematic (for example, threshold rebates not accrued), extend testing to additional customers and reassess the overall estimate.

3) Inventory valuation (cost and recoverability)

Risk target: Inventory overstated and cost of sales understated due to slow-moving stock, promotional pricing pressure, or returns-related effects.

Evidence route: Test cost build-up and then test recoverability using selling evidence.

What you will test:

  • Stratify inventory by value and risk: slow-moving lines, promotional items, and high-return categories.
  • Select all significant lines (by value) plus targeted items with long ageing or poor margins.

What counts as proof:

  • For cost: agree a sample to purchase invoices and costing records; check consistent costing method application.
  • For recoverability:

How you will evaluate results:

  • Where selling prices achieved after year-end are below cost (or stock remains unsold with persistent markdowns), quantify a write-down and assess whether it is material.

4) Payables completeness (unrecorded liabilities)

Risk target: Liabilities understated and expenses understated by missing invoices, missing accruals, or delayed recording of goods/services received.

Evidence route: Understatement risk → trace from source evidence into the records.

What you will test:

  • Post year-end supplier invoices received in January/early February.
  • Unmatched goods received notes at year-end.
  • Significant payments made after year-end.

What counts as proof:

  • Match post year-end invoices to evidence of receipt/service before year-end.
  • Where receipt/service is pre year-end, trace into year-end payables or accruals.
  • For payments after year-end, inspect the invoice and receipt date to assess whether the liability should have existed at year-end.

How you will evaluate results:

  • Quantify each missing liability and assess whether omissions are isolated or indicate a wider cut-off/completeness weakness.
  • Extend testing if multiple exceptions arise in the same supplier group or around year-end.
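The direction of the payables completeness test can be shown in code: start from post year-end source documents and trace forward into the year-end records, then compare with what vouching the recorded balance would reveal. This is an added example, not part of the original notes; the document references, suppliers, amounts, and the rule of flagging a supplier with two or more exceptions are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

YEAR_END = date(2025, 12, 31)  # ABC Ltd's year-end in the scenario


def search_unrecorded_liabilities(source_docs, recorded_refs, year_end=YEAR_END):
    """Trace post year-end source documents forward into year-end payables/accruals."""
    unrecorded, follow_up = [], []
    for doc in source_docs:
        received = doc["received_on"]
        if received is None:
            # No evidence of when goods/services were received: cannot conclude yet.
            follow_up.append(doc["ref"])
        elif received <= year_end and doc["ref"] not in recorded_refs:
            # Obligation existed at year-end but is missing from the records.
            unrecorded.append(doc)
    by_supplier = defaultdict(list)
    for doc in unrecorded:
        by_supplier[doc["supplier"]].append(doc["ref"])
    return {
        "unrecorded_refs": [d["ref"] for d in unrecorded],
        "unrecorded_total": sum(d["amount"] for d in unrecorded),
        "follow_up_refs": follow_up,
        # Assumed rule: two or more exceptions for one supplier suggests a pattern.
        "extend_testing_suppliers": sorted(
            s for s, refs in by_supplier.items() if len(refs) >= 2),
    }


def vouch_recorded_payables(recorded_refs, source_docs):
    """The mismatched direction: start from the ledger and look for support.

    Returns recorded items lacking a source document. It can never surface
    a liability that was left out of the ledger in the first place.
    """
    supported = {doc["ref"] for doc in source_docs}
    return sorted(ref for ref in recorded_refs if ref not in supported)


# Constructed documents (not real data): invoices, a GRN and a payment seen after year-end.
SOURCE_DOCS = [
    {"ref": "SI-9001", "supplier": "Alpha", "amount": 4200, "received_on": date(2025, 12, 29)},
    {"ref": "SI-9002", "supplier": "Beta", "amount": 1850, "received_on": date(2025, 12, 30)},
    {"ref": "SI-9003", "supplier": "Beta", "amount": 2300, "received_on": date(2025, 12, 31)},
    {"ref": "SI-9004", "supplier": "Gamma", "amount": 990, "received_on": date(2026, 1, 6)},
    {"ref": "GRN-771", "supplier": "Delta", "amount": 5100, "received_on": None},
    {"ref": "PAY-310", "supplier": "Alpha", "amount": 760, "received_on": date(2025, 12, 15)},
]
RECORDED_REFS = {"SI-9001"}  # items included in year-end payables/accruals (constructed)

if __name__ == "__main__":
    print("trace forward:", search_unrecorded_liabilities(SOURCE_DOCS, RECORDED_REFS))
    print("vouch back   :", vouch_recorded_payables(RECORDED_REFS, SOURCE_DOCS))
```

Vouching the recorded balance returns no exceptions on this data, while tracing forward from the source documents identifies three unrecorded items totalling £4,910 and one item needing follow-up.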

5) Assertion–procedure mismatches (and corrected approaches)

  • Mismatch: Testing revenue overstatement mainly by tracing from customer orders to invoices.
  • Why flawed: Orders can exist even if goods were not dispatched or accepted; it does not directly prove recorded revenue is genuine.
  • Correct approach: Start with recorded sales and vouch to dispatch and delivery/acceptance evidence (occurrence), then corroborate with post year-end returns/credit notes.
  • Mismatch: Concluding revenue is correct based only on gross margin analytics.
  • Why flawed: Analytics highlight risk but rarely settle it where incentives, returns, and manual adjustments exist.
  • Correct approach: Use analytics to direct attention, then perform targeted tests of details and corroborate explanations with records.
  • Mismatch: Testing payables completeness by vouching recorded payables to invoices.
  • Why flawed: That supports existence of what is recorded, not whether liabilities are missing.
  • Correct approach: Inspect post year-end invoices/GRNs and trace relevant items into year-end payables/accruals.
  • Mismatch (common trap in this scenario): Testing revenue occurrence and cut-off but ignoring returns, rebates, and free goods effects.
  • Why flawed: Revenue can be genuine and timely but still overstated if the transaction price is not adjusted for expected returns/rebates, or if promotional mechanics inflate invoiced amounts.
  • Correct approach: Add procedures that reperform rebate calculations, analyse post year-end returns, and test promotional transactions to ensure measurement and presentation are appropriate.

Interpretation of results

The ageing-based expectation indicates a potential allowance shortfall of £9,200. If uncorrected, receivables (net), profit, and equity would all be overstated by £9,200.

Revenue risk is heightened by incentive pressure and post year-end adjustments (returns and manual credit notes). Effective substantive work therefore needs two strands: (1) evidence that recorded year-end sales are genuine and in the correct period, and (2) evidence that revenue has been measured and presented appropriately after considering returns, rebates, and promotional terms.

Inventory valuation and payables completeness work support the balance sheet by ensuring assets are not overstated and liabilities are not understated, both of which feed directly into profit and equity.

Common pitfalls and misunderstandings

  • Confusing occurrence and completeness: Occurrence asks whether recorded items are genuine; completeness asks whether items are missing.
  • Ignoring direction: Vouching supports overstatement risks; tracing supports understatement risks.
  • Blurring objectives: Keep each procedure focused and ensure evidence directly targets the assertion.
  • Accepting explanations without corroboration: Variance explanations must be supported by evidence, otherwise the risk remains.
  • Over-reliance on analytics in high-risk areas: Use analytics to identify where to test; do not use it as the only basis for conclusions where incentives and manual processing exist.
  • Neglecting returns/rebates/free goods mechanics: These frequently drive measurement and presentation misstatements in revenue.

Summary and further reading

Assertions convert broad audit aims into clear, testable questions about transactions, balances, and disclosures. High-scoring substantive procedures are assertion-led, directionally logical, and supported by evidence that would reasonably expose the stated misstatement. Tests of details and analytical procedures work best together: analytics flags risk and builds expectations; detailed testing validates or corrects the figures.

Where exceptions arise, quantify the impact, investigate the cause, extend procedures where necessary, and conclude whether sufficient appropriate evidence has been obtained.

For wider study, focus on revenue features that create measurement complexity (returns, rebates, free goods), estimation areas (credit losses, inventory write-downs), and common completeness risks (unrecorded liabilities and accruals), as these frequently underpin substantive testing requirements.

FAQ

What are financial statement assertions, and why do they matter?

Assertions are the implied claims behind each figure and disclosure—such as whether it is real, complete, correctly measured, and properly described. They matter because they help convert risks into targeted procedures capable of detecting misstatement.

How do you decide which substantive procedures to perform?

Start with the risk: describe the misstatement, identify the assertion it affects, explain why it could occur, then choose evidence that would make that misstatement difficult to maintain. Match the direction of the procedure to whether the risk is overstatement or understatement.

What makes substantive analytical procedures persuasive?

A predictable relationship, reliable data, and investigation that produces evidence. Explanations must be corroborated to records or independent sources; otherwise the variance remains unresolved.

Why split revenue work into (a) occurrence/cut-off and (b) measurement/presentation?

Because revenue can be genuine and in the correct period, yet still misstated if returns, rebates, or promotional terms are not reflected properly. Separating these strands ensures the audit response matches the real risk.

What do you do when exceptions are found?

Quantify the misstatement, identify the root cause, assess whether it indicates a broader problem, extend testing or perform alternative procedures, and consider whether an adjustment is needed.

Glossary

Assertions: Implied claims that figures and disclosures are genuine, complete, correctly measured, and properly presented.

Existence: A balance recorded at the reporting date represents something real.

Occurrence: A recorded transaction or event took place and relates to the entity.

Completeness: All transactions, balances, and disclosures that should be recorded are included.

Accuracy: Amounts and related data are captured correctly.

Classification: Items are recorded in the correct accounts and categories.

Valuation: Balances are carried at appropriate amounts, including estimates and necessary adjustments.

Rights and obligations: The entity controls recorded assets and is responsible for recorded liabilities.

Cut-off: Transactions are recorded in the correct accounting period.

Presentation and disclosure: Items are appropriately described, grouped, and disclosed so users can understand them.

Substantive procedures: Procedures designed to detect material misstatement at the assertion level, including tests of details and analytical procedures.

Tests of details: Direct checking of transactions, balances, or disclosures using underlying evidence.

Substantive analytical procedures: Developing expectations from data relationships and investigating significant differences to obtain evidence.

Directional testing: Selecting evidence routes that match risk direction: vouching for overstatement risks and tracing for understatement risks.

Corroborative evidence: Evidence from independent or multiple sources that supports the same conclusion and strengthens reliability.

5

Substantive Testing by Area (Including Inventory Counts)

Learning objectives

  • Design substantive procedures that target key assertions for major balance areas, including trade receivables, trade payables, inventory, cash and bank, non-current assets, and provisions.
  • Plan, perform, and evaluate attendance at an inventory count, including actions to obtain evidence before, during, and after the count.
  • Select procedures that respond directly to specific assertions (existence, completeness, rights and obligations, accuracy, cut-off, classification, valuation, and presentation).
  • Evaluate audit evidence, quantify misstatements, and determine appropriate follow-up work where results are inconsistent or incomplete.
  • Document clear, assertion-linked conclusions that address identified risks and explain how the evidence obtained supports the reported balances and disclosures.

Overview & key concepts

Substantive testing provides direct evidence about whether transactions, balances, and disclosures are materially misstated. It is performed at the assertion level and is especially important where inherent risk is high, controls are weak, or reliance on controls is limited.

Substantive work commonly takes two forms:

  • Tests of details: inspection, confirmation, recalculation, reperformance, observation, and enquiry applied to selected transactions or balance items (for example, agreeing an invoice to the ledger or confirming a receivable with a customer).
  • Substantive analytical procedures: evaluating financial information by studying plausible relationships (for example, comparing gross margin trends to prior periods and investigating unexpected movements with corroborating evidence).

Substantive procedures do not “change” the accounting equation. Their purpose is to detect misstatements that would distort reported assets, liabilities, income, and expenses.

Note on wording: in practice, accuracy often relates to correct recording (amounts, dates, coding), while valuation focuses on appropriate measurement and recoverability of balances.

Substantive procedures by area

Inventory counts

Inventory is often high risk because misstatements can arise from:

  • Existence: recorded inventory may not be physically present, or quantities may be inflated (including double counting).
  • Completeness: items held may be omitted from records (including goods in transit, items stored off-site, or inventory held by third parties).
  • Valuation: incorrect costing, inaccurate standard costs, unrecorded write-downs, or inclusion of obsolete/slow-moving items at inappropriate values.
  • Cut-off: purchases and sales recorded in the wrong period can misstate inventory, cost of sales, revenue, and trade payables/receivables.

What attendance at a count does and does not prove

Attending a count does not provide a guarantee that all inventory exists. Attendance provides evidence about:

  • whether the entity’s count process appears capable of producing a reliable inventory listing; and
  • the auditor’s own test counts on selected items.

Attendance alone does not usually provide sufficient evidence over rights and obligations (for example, consignment stock, goods held for third parties, or inventory subject to retention of title) or completeness (for example, goods held at external locations). These typically require additional work such as third-party confirmations, review of consignment and delivery terms, and cut-off testing using goods received and goods despatched documentation.

Trade receivables and revenue-related balances

Revenue and receivables are commonly exposed to overstatement risk (for example, premature recognition, fictitious sales, or failure to recognise credit notes and returns).

Evidence that often helps includes:

  • External confirmations (customer confirmations): can support existence and accuracy for the items confirmed, but they have limits. Non-responses require alternative procedures; disputed balances need investigation; and there is a risk of management interference if the process is not properly controlled by the auditor. Confirmations also do not, by themselves, demonstrate recoverability—valuation requires additional follow-up.
  • Subsequent receipts testing: agrees cash received after period end to individual customer balances, supporting existence and giving some evidence about collectability.
  • Credit note and returns testing: reviews post year-end credit notes and returns to identify possible overstatement at period end.
  • Loss allowance (expected credit losses) (often called a doubtful debts allowance): evaluates whether receivables are stated at an amount expected to be collected, using ageing analysis, customer-specific information, post year-end receipts, and support for assumptions.

Trade payables and purchase-related balances

Trade payables are commonly exposed to understatement risk (for example, unrecorded supplier invoices, goods received not invoiced, or cut-off errors).

Evidence that often helps includes:

  • Supplier statement reconciliations: reconciles supplier statements to the payables ledger to identify missing invoices, unrecorded credit notes, or timing differences.
  • Search for unrecorded liabilities: inspects evidence after period end to identify obligations that existed at period end but were not recorded, and to detect cut-off errors. Common sources and what to look for include:
  • GRNI / accrual testing: tests the completeness and cut-off of liabilities arising from goods received before year-end but invoiced after year-end.

Cash and bank

Cash is exposed to risks around existence, completeness, rights, and presentation (including overdrafts and restricted balances).

Evidence that often helps includes:

  • Bank confirmations: independent evidence of balances and, depending on the scope requested, banking arrangements such as loans, overdraft limits, and security. Where requested, confirmations can also provide evidence about guarantees and similar arrangements.
  • Bank reconciliation testing: agrees the reconciliation to bank statements and the cash book, and tests reconciling items for validity and clearing after period end.
  • Cash book review: scans for unusual entries, large manual journals, round-sum postings, and period-end transactions that may indicate cut-off manipulation.

Non-current assets (property, plant and equipment and similar)

Common risks include existence (assets no longer in use but still recorded), valuation (incorrect depreciation or impairment), and completeness (unrecorded additions).

Evidence that often helps includes:

  • Additions testing: agrees additions to invoices, contracts, authorisations, and evidence of receipt and use.
  • Disposals testing: agrees disposals to sale documentation and ensures derecognition from the register, including correct treatment of accumulated depreciation and gain/loss.
  • Depreciation recalculation: tests depreciation based on cost, residual value, useful life, and the date available for use.
  • Impairment indicator review: looks for evidence that carrying amounts may not be recoverable (for example, idle assets, damage, adverse performance against budgets, adverse market changes, or restructuring decisions in minutes).

Provisions and other liabilities

These balances are sensitive to judgement and can be biased or incomplete.

Evidence that often helps includes:

  • Understanding the underlying event: identify what gave rise to the potential obligation (contracts, claims correspondence, board minutes, HR files, or legal letters).
  • Challenging the amount recorded: check arithmetic accuracy and evaluate whether key assumptions are reasonable, using independent support where possible.
  • Using later information appropriately: review outcomes after period end for consistency with the year-end estimate, distinguishing between information that confirms circumstances existing at year end and genuinely new events arising after year end.

Core theory and frameworks

Designing substantive procedures

Effective substantive procedures start with clear links between:

  1. the balance or disclosure being tested;
  2. the relevant assertions;
  3. the specific risk(s) of misstatement identified; and
  4. the procedure(s) that can produce evidence directly responsive to those risks.

To keep answers disciplined and exam-appropriate, frame procedures as:

  • Procedure → Assertion(s) → Risk addressed → Evidence expected

Example (receivables):

  • Inspect post year-end receipts and match to customer balances → existence/valuation → risk of overstated receivables → evidence that the balance was real and some cash was collected.

Example (payables):

  • Review unmatched GRNs and trace to invoices/ledger period → completeness/cut-off → risk of unrecorded liabilities → evidence that goods received were accrued where required.

Inventory counts

Attending an inventory count: what the auditor is trying to achieve

When attending a count, the auditor is not “re-counting the warehouse”. The purpose is to judge whether the entity’s count process is likely to produce a reliable final inventory listing and to obtain independent test evidence from selected items.

1) Understand the count setup (before counting starts)

Read the count plan with professional scepticism. Focus on whether it addresses common failure points: movement control, clear marking of counted areas, treatment of damaged and mixed items, and supervision of count teams. Map locations (including external sites) and identify where error risk is highest (high-value lines, small portable items, bulk materials, messy storage, or multiple similar items). Decide how cut-off references will be captured by recording the last despatch and receipt references around the reporting date.

2) Obtain test evidence while the count is happening

Observe what actually happens in practice. If movement continues, recounts occur without explanation, or labelling is inconsistent, increase the extent of testing.

Two ways to pick test counts (use both):

  • Start with what you can see: choose items on the floor (especially high-value or easy-to-move lines) and prove they appear once, correctly described, in the count records. This helps address inflation and duplication risk.
  • Start with what’s recorded: choose entries from the count sheets/listing (including unusual descriptions or unexpectedly low quantities) and locate them physically. This helps address omission risk and poor identification.

Record enough identifiers (location, unit, condition, and product code where available) so the item can be matched back to the final listing without ambiguity. Note items that appear damaged, slow-moving, or obsolete so they can be followed up in valuation work.

3) Link what you observed to the final numbers (after the count)

Trace test counts into the final inventory listing and investigate differences. Reconcile listing totals to the general ledger and obtain explanations for adjustments made after the count. Then move beyond quantity: test pricing and costing, and consider whether recorded amounts are likely to be recovered through sale or use. Finally, complete cut-off work for goods received and goods despatched around the reporting date so that inventory, cost of sales, revenue, and related payables/receivables are recorded in the correct period.

A practical cut-off approach is to select a sequence of last goods despatched notes and last goods received notes around year-end and trace each to invoices and ledger posting dates to confirm the correct period has been used.
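The cut-off approach described above can be run as a data-driven test over the goods despatched and goods received registers. The sketch below is an added example, not part of the original notes: it selects the last and first notes either side of year-end, compares each physical movement date with the ledger posting date, and totals the exceptions by effect. It assumes revenue is recognised on despatch and the liability on receipt; the year, document numbers, dates and amounts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

YEAR_END = date(2024, 12, 31)  # assumed year; the notes only say "31 December"

REV_UNDER = "revenue/receivables understated"
REV_OVER = "revenue/receivables overstated"
PAY_UNDER = "payables understated (GRNI accrual needed)"
PAY_OVER = "payables overstated"


@dataclass(frozen=True)
class MovementDoc:
    kind: str                  # "GDN" (goods despatched) or "GRN" (goods received)
    number: int                # pre-numbered document sequence
    moved_on: date             # physical despatch / receipt date on the note
    amount: int                # invoice value in GBP
    posted_on: Optional[date]  # ledger posting date of the invoice, None if unposted


@dataclass(frozen=True)
class CutoffException:
    doc: MovementDoc
    effect: str


def select_window(docs: List[MovementDoc], kind: str, year_end: date, n: int) -> List[MovementDoc]:
    """Last n notes moved on/before year-end and first n moved after it, in sequence order."""
    same = sorted((d for d in docs if d.kind == kind), key=lambda d: d.number)
    before = [d for d in same if d.moved_on <= year_end][-n:]
    after = [d for d in same if d.moved_on > year_end][:n]
    return before + after


def check_cutoff(docs: List[MovementDoc], year_end: date) -> List[CutoffException]:
    """Flag notes whose physical movement and ledger posting fall in different periods."""
    exceptions = []
    for d in docs:
        moved_in_year = d.moved_on <= year_end
        posted_in_year = d.posted_on is not None and d.posted_on <= year_end
        if moved_in_year == posted_in_year:
            continue  # movement and ledger entry agree on the period
        if d.kind == "GDN":
            effect = REV_UNDER if moved_in_year else REV_OVER
        else:
            effect = PAY_UNDER if moved_in_year else PAY_OVER
        exceptions.append(CutoffException(d, effect))
    return exceptions


def quantify(exceptions: List[CutoffException]) -> Dict[str, int]:
    """Total the value of exceptions by direction so the impact can be assessed."""
    totals: Dict[str, int] = {}
    for e in exceptions:
        totals[e.effect] = totals.get(e.effect, 0) + e.doc.amount
    return totals


def run_cutoff_test(docs: List[MovementDoc], year_end: date = YEAR_END, n: int = 2) -> List[CutoffException]:
    window = select_window(docs, "GDN", year_end, n) + select_window(docs, "GRN", year_end, n)
    return check_cutoff(window, year_end)


# Constructed sample registers (not real client data).
SAMPLE_DOCS = [
    MovementDoc("GDN", 4501, date(2024, 12, 28), 1200, date(2024, 12, 28)),
    MovementDoc("GDN", 4502, date(2024, 12, 30), 800, date(2024, 12, 30)),
    MovementDoc("GDN", 4503, date(2024, 12, 31), 2500, date(2025, 1, 2)),   # invoiced late
    MovementDoc("GDN", 4504, date(2025, 1, 2), 4000, date(2024, 12, 31)),   # invoiced early
    MovementDoc("GDN", 4505, date(2025, 1, 3), 900, date(2025, 1, 3)),
    MovementDoc("GDN", 4506, date(2025, 1, 6), 700, date(2025, 1, 6)),
    MovementDoc("GRN", 9101, date(2024, 12, 27), 1500, date(2024, 12, 29)),
    MovementDoc("GRN", 9102, date(2024, 12, 30), 3200, date(2025, 1, 8)),   # posted next year
    MovementDoc("GRN", 9103, date(2024, 12, 31), 600, None),                # received, not invoiced
    MovementDoc("GRN", 9104, date(2025, 1, 2), 1100, date(2025, 1, 5)),
    MovementDoc("GRN", 9105, date(2025, 1, 4), 450, None),                  # next-year receipt
]

if __name__ == "__main__":
    found = run_cutoff_test(SAMPLE_DOCS)
    for e in found:
        print(f"{e.doc.kind} {e.doc.number}: £{e.doc.amount:,} {e.effect}")
    print(quantify(found))
```

Each flagged note still needs the follow-up the notes describe: inspect the invoice and delivery terms, confirm whether an accrual was raised, and extend the window if exceptions cluster at the period end.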

Worked example

Narrative scenario

ABC Ltd is a wholesaler with a year-end of 31 December. The company holds a mixed inventory range, including high-value electronics and slow-moving accessories.

During the year, the following occurred:

  1. Sold goods for £50,000 on credit to Northbridge Ltd.
  2. Received £30,000 from Northbridge Ltd relating to previous sales.
  3. Purchased inventory for £20,000 from Larch & Co, payable in 30 days.
  4. Paid £15,000 to Larch & Co relating to previous purchases.
  5. Recognised a provision of £5,000 for a legal claim.
  6. Disposed of an old machine for £10,000. It originally cost £25,000 and had accumulated depreciation of £18,000 at disposal date.
  7. Purchased a new machine for £52,000 and depreciates it on a straight-line basis over 8 years with a residual value of £4,000.
  8. A physical inventory count was performed on 30 November, with records subsequently adjusted for purchases and sales up to year-end.
  9. During the count work, obsolete inventory with a carrying amount of £2,000 was identified.
  10. Bank charges of £500 were identified that had not yet been recorded in the cash book.
  11. A £1,200 cash book error was identified and corrected in December.
  12. A bank confirmation reported a year-end bank balance of £100,000.

Required

  • Compute the closing balances for trade receivables and trade payables (using the information given).
  • Set out the year-end bank reconciliation approach and identify any cash book adjustments required.
  • Calculate depreciation for the new machine for the year (assume a full year’s depreciation is appropriate for this example).
  • Explain the inventory adjustments required for obsolescence and for rolling forward a count from 30 November to 31 December.
  • Document conclusions that link evidence obtained to the assertions addressed.

Solution

1) Trade receivables and trade payables (closing balances)

Trade receivables (Northbridge Ltd)

Closing balance = Credit sales − Cash received (opening balance not provided)

  • Credit sale: £50,000
  • Cash received: £30,000

Closing trade receivables = £20,000

Journal entries (for context)

  • Credit sale:
  • Receipt from customer:

Trade payables (Larch & Co)

Closing balance = Credit purchases − Cash paid (opening balance not provided)

  • Credit purchase: £20,000
  • Cash paid: £15,000

Closing trade payables = £5,000

Journal entries (for context)

  • Credit purchase (inventory):
  • Payment to supplier:

2) Bank reconciliation (what can be concluded from the given facts)

The bank confirmation shows a year-end bank balance of £100,000. The only item explicitly identified as missing from the cash book is bank charges of £500, which must be posted to the cash book.

Cash book adjustment

  • Dr Bank charges (expense) £500
  • Cr Bank £500

A full bank reconciliation also requires details of timing differences (for example, outstanding payments and outstanding lodgements) and the cash book balance at 31 December. Those figures are not provided here. In practice, the reconciliation would be prepared by:

  • obtaining the year-end bank statement and the cash book balance;
  • identifying timing differences between the two; and
  • verifying reconciling items and checking that they clear shortly after period end.

3) Depreciation for the new machine

Depreciation per year = (52,000 − 4,000) ÷ 8 = £6,000

Journal entry (for context)

  • Dr Depreciation expense £6,000
  • Cr Accumulated depreciation £6,000

4) Disposal of the old machine (profit/loss check)

  • Proceeds: £10,000
  • Cost: £25,000
  • Accumulated depreciation: £18,000
  • Carrying amount: £25,000 − £18,000 = £7,000
  • Profit on disposal: £10,000 − £7,000 = £3,000

Journal entry (for context)

  • Dr Bank £10,000
  • Dr Accumulated depreciation £18,000
  • Cr Non-current assets (cost) £25,000
  • Cr Profit on disposal (income) £3,000

5) Inventory: obsolescence and rolling forward a 30 November count

Obsolescence (valuation)

Obsolete inventory with a carrying amount of £2,000 should be written down to net realisable value (NRV) — the amount expected to be realised from sale after allowing for any selling and completion costs. If NRV is assumed to be nil for this example:

  • Dr Cost of sales (or inventory write-down expense) £2,000
  • Cr Inventory £2,000

Rolling forward the count from 30 November to 31 December (existence, completeness, cut-off)

Because the physical count occurred before year-end, the year-end inventory figure must be supported by movement testing from 1 December to 31 December, including:

  • purchases/receipts into inventory (goods received documentation and supplier invoices);
  • sales/despatches out of inventory (despatch notes and sales invoices); and
  • cut-off testing around 31 December to ensure goods received and goods despatched are recorded in the correct period, with related receivables and payables appropriately recognised.

The earlier the count date, the more the auditor must rely on movement records and controls and extend roll-forward and cut-off testing (often increasing sample sizes).

Where inventory is held at third parties or subject to consignment/retention terms, additional procedures such as third-party confirmations and contract/terms review are required to support rights and completeness.

6) Provision for the legal claim

Provision recognised: £5,000

Journal entry (for context)

  • Dr Legal expense £5,000
  • Cr Provision £5,000

Substantive work focuses on identifying the underlying event and evaluating whether the amount recorded is a reasonable estimate based on available evidence, including later information where it helps assess circumstances existing at year end.

Conclusions linked to assertions

  • Trade receivables (£20,000): existence and accuracy supported by customer confirmation (where obtained) and/or subsequent receipts testing; valuation supported by post year-end receipts, dispute review, and assessment of the loss allowance (expected credit losses).
  • Trade payables (£5,000): completeness and cut-off supported by supplier statement reconciliation, unmatched GRNs/GRNI testing, and post year-end payments testing.
  • Cash at bank: existence and rights supported by bank confirmation; accuracy supported by posting missing cash book items (bank charges) and by testing the bank reconciliation and clearing of reconciling items.
  • Non-current assets: depreciation recalculation supports valuation; impairment indicator review supports measurement where indicators exist; disposal documentation supports derecognition and accurate profit on disposal.
  • Inventory: count attendance supports evidence over the counting process and test counts; valuation supported by NRV testing and write-downs for obsolete items; completeness/rights and cut-off supported by roll-forward movement testing, third-party confirmations where relevant, and goods received/despatched testing around year end.
  • Provisions: evidence supports the underlying event and management’s estimate through documentation, calculation checks, independent support for assumptions where available, and review of later outcomes for consistency with the year-end estimate.

Common pitfalls and misunderstandings

  • Treating attendance at an inventory count as proof that all inventory exists: attendance supports the process and selected test counts, not a guarantee over the full balance.
  • Over-claiming what confirmations prove: non-responses, disputes, and interference risk must be addressed; recoverability needs additional work.
  • Failing to search for unrecorded liabilities using multiple sources (post year-end payments, unmatched GRNs, supplier statements): focusing only on the ledger can miss understatement.
  • Reconciling only the totals on bank reconciliations: each reconciling item must be supported and shown to clear after period end.
  • Ignoring post year-end credit notes and returns: these can signal overstatement of revenue and receivables at period end.
  • Misstating disposal accounting: derecognition requires removing both cost and accumulated depreciation, with gain/loss based on carrying amount.

Summary and further reading

Substantive testing provides direct evidence about whether balances and disclosures are materially misstated. Effective procedures are assertion-led and risk-focused: define the population, target high-risk items, obtain independent evidence where possible, test cut-off around period end, and evaluate estimates for both arithmetic accuracy and reasonableness.

Inventory work often requires a combination of count attendance, roll-forward movement testing, valuation procedures (including NRV), and cut-off testing. Receivables work commonly focuses on existence and recoverability, payables work prioritises completeness, and cash work relies heavily on independent confirmations and a well-supported reconciliation. Provisions and other estimates require a disciplined focus on evidence for the underlying event and the reasonableness of management’s estimate.

FAQ

What are substantive procedures?

Substantive procedures are audit procedures performed to obtain direct evidence about whether transactions, balances, and disclosures are materially misstated. They include tests of details and analytical procedures that investigate unexpected relationships or movements.

Why is inventory frequently high risk?

Inventory can be misstated through incorrect quantities, inappropriate costing, failure to write down slow-moving or obsolete lines to NRV, and cut-off errors affecting both inventory and profit. Multiple locations and high volumes can further increase error risk.

How is cut-off tested in practice?

Cut-off testing examines transactions around the reporting date. A practical approach is to select the last goods despatched notes and goods received notes around year-end and trace each to sales/purchase invoices and ledger posting dates to confirm the correct period has been used.

What does a bank confirmation cover?

A bank confirmation provides independent evidence of balances at the reporting date and, depending on the scope requested, may also confirm loans, overdraft facilities, and security. Where requested, it may also provide evidence about guarantees and similar arrangements.

How is completeness of payables tested?

Common approaches include supplier statement reconciliations, review of unmatched GRNs/GRNI listings, inspection of post year-end payments, and testing invoices received after year-end that relate to pre year-end receipts.

What does attending an inventory count actually prove?

Attendance provides evidence about whether the entity’s count process appears reliable and supports the auditor’s test counts on selected items. Additional procedures are usually needed for rights/obligations (for example, consignment) and completeness (for example, external locations) as well as valuation and cut-off.

Glossary

Substantive procedures: Audit procedures performed to obtain direct evidence about whether transactions, balances, and disclosures are materially misstated, using tests of details and/or analytical procedures.

Tests of details: Substantive procedures applied to selected transactions or balance items (for example, inspecting invoices, recalculating depreciation, or agreeing balances to external evidence).

Substantive analytical procedures: Substantive procedures that evaluate financial information by analysing relationships and investigating unexpected movements using corroborating evidence.

Receivables confirmation: A request sent to customers asking them to confirm amounts owed (or other details) at a specified date. Responses can support existence and accuracy for the items confirmed, subject to follow-up for disputes and non-responses.

Subsequent receipts testing: Testing cash received after period end and matching it to specific receivable balances to support existence and provide evidence relevant to collectability.

Supplier statement reconciliation: Comparing supplier statements to the payables ledger and investigating differences to identify missing invoices, unrecorded credit notes, or timing issues.

Search for unrecorded liabilities: Procedures aimed at identifying obligations existing at period end that are missing from the ledger, commonly using post year-end payments, unmatched GRNs/GRNI listings, invoices received after year end, and supplier statements.

Bank confirmation: Independent evidence obtained from a bank covering balances and, where requested, key arrangements such as loans, overdrafts, security, and guarantees.

Bank reconciliation: A reconciliation between the cash book and bank statement that explains differences through timing items and corrects cash book errors or omissions.

Inventory count attendance: Attendance at a physical count to observe the entity’s counting process and perform test counts, supporting evidence over selected quantities and informing follow-up valuation and cut-off work.

Cut-off testing: Testing whether transactions are recorded in the correct accounting period, particularly around the reporting date for sales, purchases, and inventory.

Provision (audit-focused): A liability where the amount and/or timing is uncertain. Audit work focuses on whether there is evidence of an obligation at the reporting date, whether settlement is likely to require an outflow, and whether the recorded amount is a reasonable estimate supported by available evidence.

Valuation testing: Procedures that assess whether recorded amounts are reasonable and appropriately measured (for example, testing inventory write-downs to NRV, depreciation calculations, or the reasonableness of estimates).

6

Sampling and Data-Driven Audit Techniques

Learning objectives

By the end of this chapter you will be able to:

  • Explain audit sampling and identify when it is suitable and when it is not.
  • Select an appropriate sampling approach based on the audit objective and the nature of the population.
  • Determine practical sample sizes using key drivers such as risk, tolerable deviation/misstatement, expected deviation/misstatement, and the level of confidence required.
  • Evaluate sample results, allow for sampling risk, and conclude appropriately on the population.
  • Explain how data-driven audit techniques complement sampling and when full-population testing of specific attributes may be possible.
  • Design effective follow-up procedures for exceptions identified through analytics and link outcomes to audit responses.

Overview & key concepts

Auditors rarely test every transaction or balance in full. Instead, they gather sufficient, appropriate evidence by focusing work where the risk of error is higher and by using methods that make testing efficient. Sampling supports this by allowing the auditor to test a subset of items drawn from a defined population and use the results to support a conclusion about that population. Data-driven techniques (often referred to as audit analytics) extend this approach by scanning or analysing larger datasets to identify patterns, outliers, and exceptions that deserve targeted attention.

Sampling and analytics are not simple substitutes. Analytics can improve planning and direct work towards higher-risk items, while sampling provides a disciplined way to select items, test them, and evaluate results. Even where analytics can test an entire dataset for a tightly defined rule, professional judgement, data validation, and corroborative procedures remain essential.

Audit sampling

What audit sampling is

In many audits, examining every item would add cost without producing proportionate assurance. Instead, the auditor selects a subset of items from a clearly defined population and applies the planned audit tests to those items. The aim is to obtain evidence that supports a conclusion about the population as a whole—while recognising that conclusions drawn from a subset carry uncertainty, which must be managed through careful selection and evaluation.

Sampling is typically used to:

  • assess whether controls operated consistently (tests of controls), or
  • estimate misstatement in a balance or class of transactions (substantive testing).

Sampling is not suitable where the audit objective requires testing every item, such as when:

  • the population is very small and full testing is feasible,
  • a small number of items are individually significant and must be examined in full, or
  • completeness is the primary concern and the population listing itself may be incomplete or unreliable.

When sampling is appropriate—and when it is not

Sampling is usually appropriate when:

  • the population is large and contains many similar items,
  • the population can be defined and obtained reliably,
  • the auditor expects the sample to be capable of supporting a conclusion about the population, and
  • full-population testing would be inefficient without materially improving the conclusion.

Sampling may be inappropriate when:

  • the population is small enough to test fully at reasonable cost,
  • the risk is concentrated in a small number of items (suggesting 100% testing of those items),
  • the population is incomplete or unreliable (sampling from a flawed list produces weak evidence), or
  • the audit objective cannot be met by partial testing (for example, where each item is critical).

Population and sampling unit

Population

The population is the complete set of items from which the sample is selected. It must match the audit objective precisely. A well-designed sample does not help if it is drawn from the wrong population.

Examples of populations:

  • all purchase orders raised during the year above a stated threshold,
  • all sales invoices recorded in a particular month,
  • all manual journal entries posted after period-end close.

Sampling unit

The sampling unit is the individual item selected for testing (for example, one purchase order, one invoice, one journal entry). Each sampling unit must be identifiable, available for inspection, and appropriate for the test being performed.

A frequent practical issue is ensuring that the sampling unit aligns with the control or assertion under test. For example, if testing a purchase approval control, the sampling unit would normally be a purchase order (or requisition) that should contain evidence of approval.

Sampling risk and non-sampling risk

Sampling risk

Sampling risk is the possibility that the sample results do not reflect what would be found if every item in the population were tested. The risk cuts both ways:

  • a sample can give false comfort, suggesting a control is operating well (or a balance is reasonable) when the wider population is not, or
  • a sample can trigger a false alarm, suggesting a widespread issue when the population is actually acceptable.

The auditor reduces sampling risk by choosing a suitable method, using a sample size consistent with the level of assurance needed, and interpreting exceptions in context rather than in isolation.

Non-sampling risk

Non-sampling risk arises from causes unrelated to the representativeness or size of the sample. Examples include:

  • using an inappropriate procedure,
  • misunderstanding how a control operates,
  • misinterpreting evidence (for example, accepting an approval that is not from an authorised person),
  • failing to investigate exceptions properly.

Non-sampling risk is reduced through good planning, supervision, training, professional scepticism, and review.

Tolerable and expected deviation or misstatement

Tolerable deviation rate (controls testing)

When testing controls, auditors consider a tolerable deviation rate—the maximum rate of control failure that could exist in the population while still allowing reliance on that control for audit purposes.

Expected deviation rate (controls testing)

The expected deviation rate is the rate of failure anticipated before testing, based on prior results, process changes, or other knowledge. Higher expected deviation generally leads to larger sample sizes and may reduce the value of controls reliance.

Tolerable misstatement and expected misstatement (substantive testing)

For substantive sampling, the focus is on monetary error:

  • Tolerable misstatement: the maximum monetary error in the population that can be accepted without changing the planned audit response.
  • Expected misstatement: the likely monetary error in the population anticipated before testing.

Stratification and selection methods

Stratification

Stratification means splitting a population into subgroups that share a common feature (often value or risk). This improves efficiency and audit focus. A typical approach is:

  • test all items above a set value threshold (100% testing of the high-value stratum), and
  • apply sampling to the remaining items.

Stratification is especially useful where risk is not evenly spread across the population.

Selection methods

Common selection methods include:

  • Random selection: each sampling unit has a known, non-zero chance of selection. This supports defensible conclusions and helps reduce selection bias.
  • Systematic selection: selecting every nth item after a random start. This is efficient, but the ordering of the population list must not create patterns that distort selection.
  • Haphazard selection: selecting items without a structured technique while attempting to avoid bias.

Important caution on haphazard selection: Haphazard selection does not allow a measurable level of sampling risk and is more vulnerable to unconscious bias (for example, avoiding complex items or selecting “easy” documents). It may be acceptable for limited, low-risk work where the conclusion does not depend on extrapolating to the population. Where conclusions about the population matter, random or systematic selection is generally preferable because it is more defensible and better controlled.
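The stratification and selection methods described above can be combined in a reproducible routine. The following is an added example, not part of the original notes; the purchase-order listing is constructed, and the £50,000 key-item threshold and the seed value are assumptions chosen for illustration.

```python
import random

KEY_ITEM_THRESHOLD = 50_000  # assumption: hypothetical cut-off for 100% testing


def build_population(size=1200):
    """Constructed listing of purchase orders above £5,000 (not real data)."""
    return [{"po": f"PO-{i:04d}", "value": 5_001 + (i * 7_919) % 60_000}
            for i in range(1, size + 1)]


def stratify(population, threshold):
    """Split into key items (tested in full) and the remainder (sampled)."""
    key_items = [p for p in population if p["value"] > threshold]
    remainder = [p for p in population if p["value"] <= threshold]
    return key_items, remainder


def random_selection(items, n, seed):
    """Every unit has an equal chance; the seed lets a reviewer reperform it."""
    return random.Random(seed).sample(items, n)


def systematic_selection(items, n, seed):
    """Every k-th unit after a random start within the first interval."""
    if not 0 < n <= len(items):
        raise ValueError("sample size must be between 1 and the stratum size")
    interval = len(items) // n
    start = random.Random(seed).randrange(interval)
    return [items[start + i * interval] for i in range(n)]


def select(population, threshold, n, seed, method="random"):
    """Return the selection plus the parameters to record in the working paper."""
    key_items, remainder = stratify(population, threshold)
    picker = systematic_selection if method == "systematic" else random_selection
    return {
        "method": method,
        "seed": seed,
        "key_items": key_items,
        "remainder_size": len(remainder),
        "sample": picker(remainder, n, seed),
    }


if __name__ == "__main__":
    result = select(build_population(), KEY_ITEM_THRESHOLD, 60, seed=2024)
    print(len(result["key_items"]), "key items tested in full")
    print([p["po"] for p in result["sample"][:5]], "...")
```

Recording the method, seed, and listing order alongside the selection is what allows another auditor to regenerate the same sample. For systematic selection, the listing order passed in should be reviewed first for patterns that coincide with the interval.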

Data-driven techniques in auditing

Data-driven techniques use data extracts, queries, and analytical routines to examine datasets for features relevant to audit objectives. They can support planning, risk assessment, controls testing, and substantive procedures.

Common uses include:

  • identifying duplicate payments,
  • spotting transactions just below authorisation thresholds,
  • highlighting unusual posting times (e.g. weekends, late-night entries),
  • analysing trends by supplier, department, or product line,
  • isolating manual entries with higher-risk characteristics.

Tight boundaries on “replacing” sampling

Analytics can sometimes enable full-population testing of specific attributes under a clearly defined rule (for example, identifying all payments that match a duplicate-payment rule). However, the auditor still needs to:

  • validate the completeness and accuracy of the dataset,
  • confirm that the rule logic is appropriate and does what it claims to do, and
  • investigate flagged items using corroborative evidence (documents, authorisations, bank records, and explanations).

Analytics rarely removes the need for professional judgement or further testing. It most often improves the audit by increasing coverage, directing attention to higher-risk areas, and providing stronger insight for designing and evaluating other procedures.

Core theory and frameworks

Planning a sampling test

A practical planning framework is to link the test to the claim being made, the data available, the selection approach, and the evaluation and response.

  1. State the audit purpose clearly
  2. Define and obtain the population
  3. Define the sampling unit
  4. Decide whether sampling is suitable
  5. Set tolerable and expected deviation/misstatement
  6. Determine the sample size using practical drivers
  7. Sample size tends to increase when:
  8. Select an appropriate selection method

Evaluating sample results

For tests of controls (deviation-based)

Evaluation involves more than comparing an observed rate to a tolerable rate. The auditor must also consider sampling risk—i.e. whether, allowing for the uncertainty that comes from testing only a subset, the population deviation rate could be above tolerable.

A practical approach is:

  • calculate the sample deviation rate,
  • consider the pattern and nature of deviations (isolated vs systematic; linked to a time period, site, user, or transaction type),
  • make an allowance for sampling risk (plain-language concept: the population failure rate may be higher than what the sample shows), and
  • decide whether it remains reasonable to rely on the control, or whether the audit response should be changed.

In statistical sampling, this allowance is often expressed through an “upper” estimate of the population deviation rate at a chosen confidence level. In non-statistical sampling, the auditor does not calculate an upper rate but should still make a cautious judgement that reflects the possibility that the true population rate is higher than observed.

If deviations are identified, the auditor should also consider:

  • whether the deviation indicates non-operation of the control or missing evidence,
  • whether the control is designed so that evidence should always be retained (if so, missing evidence is treated as a deviation),
  • whether additional testing is needed (for example, expanding the sample or testing a focused period).

For substantive tests (monetary misstatement)

Evaluation typically involves:

  • measuring misstatements found in the sample,
  • projecting misstatement to the population where appropriate,
  • comparing estimated population misstatement to tolerable misstatement (with a sensible allowance for sampling risk), and
  • determining whether further work or adjustments are required.

Data-driven testing approach

A structured approach to data-driven testing is:

  1. Clarify the audit question
  2. Obtain and understand the data
  3. Validate the dataset
  4. Run targeted routines
  5. Investigate exceptions
  6. Conclude and link to the audit response
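The steps above, together with the routines listed under "Common uses" and the checks under "Tight boundaries on 'replacing' sampling", can be sketched as follows. This is an added example, not part of the original notes; the payment extract and ledger control totals are constructed, and the 5% "just below threshold" band is an assumption.

```python
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("5000")  # approval limit used in the chapter's scenario
NEAR_BAND = Decimal("0.05")           # assumption: "just below" = within 5% under it

# Constructed extract: (payment_id, supplier, invoice_ref, paid_on, amount)
PAYMENTS = [
    ("P001", "S10", "INV-881", date(2024, 3, 4), Decimal("4980.00")),
    ("P002", "S10", "INV-881", date(2024, 3, 11), Decimal("4980.00")),
    ("P003", "S22", "INV-102", date(2024, 3, 9), Decimal("1200.00")),    # a Saturday
    ("P004", "S31", "INV-559", date(2024, 3, 12), Decimal("7600.00")),
    ("P005", "S31", "inv 559 ", date(2024, 3, 15), Decimal("7600.00")),  # re-keyed ref
    ("P006", "S40", "INV-300", date(2024, 3, 18), Decimal("4200.00")),
]
LEDGER_CONTROL = {"count": 6, "total": Decimal("30560.00")}  # constructed totals


def validate_extract(payments, control):
    """Step 3: reconcile the extract to the ledger before any routine runs."""
    problems = []
    if len(payments) != control["count"]:
        problems.append("record count differs from ledger")
    if sum(p[4] for p in payments) != control["total"]:
        problems.append("value total differs from ledger")
    ids = [p[0] for p in payments]
    if len(ids) != len(set(ids)):
        problems.append("payment ids repeated in extract")
    return problems


def normalise_ref(ref):
    """Rule logic check: exact matching would miss re-keyed invoice references."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def duplicate_candidates(payments):
    """Same supplier, same normalised invoice reference, same amount."""
    groups = defaultdict(list)
    for pid, supplier, ref, _, amount in payments:
        groups[(supplier, normalise_ref(ref), amount)].append(pid)
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def weekend_payments(payments):
    """Payments dated Saturday (5) or Sunday (6)."""
    return [p[0] for p in payments if p[3].weekday() >= 5]


def near_threshold(payments):
    """Payments in the band immediately below the approval threshold."""
    floor = APPROVAL_THRESHOLD * (1 - NEAR_BAND)
    return [p[0] for p in payments if floor <= p[4] < APPROVAL_THRESHOLD]


def run_routines(payments, control):
    """Steps 3 and 4: refuse to run on an unreconciled extract, then flag items."""
    problems = validate_extract(payments, control)
    if problems:
        raise ValueError("extract not reconciled: " + "; ".join(problems))
    return {
        "duplicates": duplicate_candidates(payments),
        "weekend": weekend_payments(payments),
        "near_threshold": near_threshold(payments),
    }
```

Each flagged identifier is a candidate for follow-up (step 5), not a finding; the routine only narrows where corroborative evidence should be obtained.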

Worked example

Narrative scenario

ABC Ltd is a manufacturing company with annual revenue of £900,000. The audit team plans to test the operating effectiveness of a control requiring manager approval for purchase orders above £5,000.

  • Population: all purchase orders above £5,000 during the year
  • Population size: 1,200 purchase orders
  • Sample selected: 60 purchase orders
  • Deviations found: 3 purchase orders with missing evidence of approval
  • Tolerable deviation rate: 2%
  • Expected deviation rate: 1%

ABC Ltd also uses data-driven techniques within the purchase-to-pay cycle. The analytics routines flag:

  • 12 duplicate payment candidates, and
  • 7 payments processed at weekends.

Required

  1. Calculate the sample deviation rate and compare it to the tolerable deviation rate.
  2. Evaluate the impact of the deviations on audit conclusions, allowing for sampling risk and deviation patterns.
  3. Describe follow-up actions for the analytics exceptions.
  4. Explain how sampling and analytics can be integrated in the audit process.

Solution

1) Sample deviation rate and comparison

Sample deviation rate = deviations ÷ sample size = 3 ÷ 60 = 0.05 = 5%

Comparison to tolerable deviation rate:

  • Sample deviation rate: 5%
  • Tolerable deviation rate: 2%

The observed deviation rate is above the tolerable level.

2) Impact on audit conclusions (including sampling risk and deviation pattern)

Initial implication: A 5% observed deviation rate indicates that the control is not operating consistently in the sample. Since the observed rate already exceeds tolerable, this strongly suggests the control is not reliable enough for the planned level of reliance.

Allowance for sampling risk (plain language): Because only 60 items were tested, the true deviation rate in the full population could be higher or lower than 5%. The auditor should not assume the population rate equals the sample rate. A cautious conclusion is required, particularly when tolerable deviation is low (2%).

Nature and pattern of deviations: Before finalising the response, the auditor should consider:

  • Root cause: Are approvals genuinely not happening, or is approval occurring but evidence is not being retained? If the control requires evidence to be retained, missing evidence is treated as a control failure either way.
  • Clustering: Do the three deviations relate to the same month, location, approver, or supplier category? Clustering may indicate a specific breakdown that can be targeted.
  • Control design link: If approvals are missing, what downstream risks arise (unauthorised purchases, incorrect supplier selection, price manipulation, or fraudulent payments)?

Conclusion for audit planning: On the basis of the sample results, reliance on this control should be reduced or removed for the affected population. The audit response would normally include:

  • increasing substantive procedures over purchases, payables, and supplier payments,
  • considering whether other related controls compensate (for example, three-way match controls),
  • performing additional focused testing if clustering suggests a specific period or area of weakness (e.g. expand testing in the suspect month or site), and
  • considering whether the results indicate a broader control environment issue requiring a wider response.
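The "upper" estimate of the population deviation rate mentioned earlier for statistical sampling can be computed for this scenario. The following is an added example, not part of the original solution; it assumes a 95% confidence level and a binomial model (which treats the population of 1,200 as large relative to the sample), and the function names are illustrative.

```python
from math import comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of k or fewer deviations."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_rate(deviations, sample_size, confidence=0.95):
    """One-sided exact binomial upper limit on the population deviation rate.

    Finds the rate p at which observing this few deviations would happen
    only (1 - confidence) of the time, using bisection.
    """
    if sample_size <= 0 or not 0 <= deviations <= sample_size:
        raise ValueError("need 0 <= deviations <= sample_size and sample_size > 0")
    if deviations == sample_size:
        return 1.0
    alpha = 1 - confidence
    lo, hi = deviations / sample_size, 1.0
    for _ in range(60):  # 60 halvings is far below float precision
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) > alpha:
            lo = mid  # still too plausible: the limit lies higher
        else:
            hi = mid
    return hi


def min_sample_size(tolerable_rate, confidence=0.95, allowed_deviations=0,
                    max_n=5000):
    """Smallest sample whose upper limit is within tolerable if no more than
    `allowed_deviations` are found. Returns None if max_n is not enough."""
    alpha = 1 - confidence
    for n in range(allowed_deviations + 1, max_n + 1):
        if binom_cdf(allowed_deviations, n, tolerable_rate) <= alpha:
            return n
    return None


def evaluate_control_test(deviations, sample_size, tolerable_rate,
                          confidence=0.95):
    """Compare both the sample rate and the upper limit with tolerable."""
    upper = upper_deviation_rate(deviations, sample_size, confidence)
    return {
        "sample_rate": deviations / sample_size,
        "upper_rate": upper,
        "supports_reliance": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    # Scenario figures: 3 deviations in 60 items, tolerable rate 2%
    result = evaluate_control_test(3, 60, 0.02)
    print(f"sample rate {result['sample_rate']:.1%}, "
          f"upper limit {result['upper_rate']:.1%}, "
          f"supports reliance: {result['supports_reliance']}")
```

Under these assumptions the upper limit for 3 deviations in 60 is about 12.4%, so the allowance for sampling risk widens the gap to the 2% tolerable rate rather than narrowing it.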

3) Follow-up actions for analytics exceptions

A. Duplicate payment candidates (12 items): Follow-up aims to confirm whether each is a true duplicate, an allowable repeat payment, or a false positive:

  • agree key fields (supplier, invoice reference, date, amount, bank details) to source documents,
  • inspect invoices and credit notes to determine whether the “duplicate” is a correction or reversal,
  • review payment run reports and authorisation for the payment batches,
  • trace payments to bank statements to confirm number and timing of payments,
  • check whether duplicates arise from vendor master file issues (e.g. duplicate supplier records),
  • where true duplicates are confirmed, assess recovery actions and consider the control implications.

B. Weekend payments (7 items): Weekend processing can be legitimate or higher risk. Procedures may include:

  • determine whether payments were automated or manually initiated,
  • inspect who initiated and approved the payments and whether approval complied with policy,
  • review supporting documentation and business rationale for weekend processing,
  • assess whether weekend items correlate with other risk indicators (unusual suppliers, last-minute bank detail changes, manual overrides),
  • expand testing if items cluster around specific users, suppliers, or periods.

4) Integration of sampling and analytics

An integrated approach can work as follows:

  • Use analytics in planning to identify higher-risk features (duplicates, threshold behaviour, unusual timing).
  • Perform targeted testing of flagged items to understand whether issues exist and why.
  • Use sampling to support a conclusion on broader control operation or population characteristics.
  • Refine each approach using outcomes from the other:

Interpretation of the results

The observed deviation rate of 5% suggests the approval control is not operating consistently enough for reliance at a tolerable deviation rate of 2%. The auditor should adjust the audit response by reducing reliance on the control and increasing substantive work, while also investigating the root cause of failures and whether deviations cluster around specific conditions. Analytics flags provide targeted starting points for follow-up but require corroboration before any conclusion is drawn. Used together, sampling and analytics provide broader visibility and more focused testing, improving the quality of audit evidence and the precision of the audit response.

Common pitfalls and misunderstandings

  • Treating control evaluation as purely mechanical: observed deviation rates must be interpreted with an allowance for sampling risk and an understanding of deviation patterns.
  • Confusing sampling risk with non-sampling risk: sampling risk is about representativeness; non-sampling risk is about performing or interpreting work incorrectly.
  • Defining the wrong population: the sample cannot support the objective if the population does not match what is being tested.
  • Using a biased listing for systematic selection: ordering by value, supplier, or approver can distort results.
  • Over-relying on haphazard selection: higher risk of unconscious bias and no measurable sampling risk; weaker defensibility where population conclusions are required.
  • Skipping data validation in analytics: results are unreliable if the dataset is incomplete, duplicated, or not reconciled to the ledger.
  • Assuming exceptions are errors: analytics flags indicate risk, not proof; each exception needs investigation.
  • Weak linkage to the audit response: findings must change the planned nature, timing, or extent of further procedures where necessary.
  • Poor documentation: unclear rationale, selection method, and evaluation undermines the strength of the conclusion.

Summary and further reading

Sampling supports efficient audit evidence by enabling testing of a subset of items drawn from a defined population. Effective sampling depends on clear objectives, correct population definition, appropriate selection, and careful evaluation that allows for sampling risk. Data-driven techniques strengthen audit work by scanning datasets to reveal trends and exceptions, improving planning and directing attention to higher-risk items. Even where analytics can test an entire dataset for a defined rule, the auditor must validate the data, confirm logic, and investigate exceptions using corroborative evidence.

For further reading, refer to professional auditing guidance on audit evidence and sampling, and practitioner resources on audit analytics, data validation, and exception follow-up in transaction cycles.

FAQ

What is the difference between sampling risk and non-sampling risk?

Sampling risk is the possibility that the sample does not reflect the population and therefore leads to a different conclusion than full testing would. Non-sampling risk arises from issues such as using the wrong procedure, misunderstanding the control, or misreading evidence. Sampling risk is reduced through suitable selection and sample sizes aligned to the confidence required; non-sampling risk is reduced through good planning, supervision, training, scepticism, and review.

How do you determine an appropriate sample size for an audit test?

Sample size is driven by assessed risk, tolerable deviation/misstatement, expected deviation/misstatement, and the level of confidence required (lower acceptable sampling risk generally means a larger sample). Practical constraints matter, but they do not override the need for evidence strong enough to support the conclusion.

When can data-driven techniques be used instead of traditional sampling?

Data-driven techniques can sometimes test an entire dataset for a narrowly defined attribute under a clear rule (for example, a duplicate-payment rule). However, the auditor must validate the dataset, confirm rule logic, and investigate results with corroborative evidence. In most cases, analytics complements sampling and other procedures rather than replacing them.

What are common pitfalls in systematic sampling?

The main risk is unintended bias from how the population list is ordered. Selecting every nth item can over- or under-represent certain transaction types if the ordering aligns with value, supplier, approver, or processing batches. A random start helps, but ordering must still be assessed.

How does stratification improve sampling?

Stratification improves efficiency by separating higher-risk or higher-value items from the rest. Testing all items in a high-risk stratum and sampling the remainder provides stronger evidence where it matters most while reducing unnecessary work on low-risk items.

Summary (Recap)

This chapter explains how sampling supports audit evidence by enabling disciplined testing of a subset of a defined population. It shows how to define populations and sampling units, distinguish sampling risk from non-sampling risk, set tolerable and expected deviation/misstatement, and evaluate results with an allowance for sampling risk. It also explains how data-driven techniques can scan datasets for trends and exceptions, how to validate data and rule logic, and how to investigate exceptions using corroborative evidence. A worked example demonstrates calculating a deviation rate, drawing a cautious conclusion on control reliance, and designing follow-up procedures for analytics flags.

Glossary

Audit sampling: Selecting a subset of items from a defined population and testing them to support a conclusion about the population as a whole.

Population: The complete set of items relevant to an audit objective from which a sample is selected.

Sampling unit: The individual item that can be selected for testing (for example, one purchase order, one invoice, one journal entry).

Sampling risk: The possibility that the sample results do not reflect the population, leading to a different conclusion than full testing would produce.

Non-sampling risk: The risk of an incorrect conclusion for reasons unrelated to sampling, such as applying an inappropriate procedure or misinterpreting evidence.

Tolerable deviation rate: The maximum rate of control failures that could exist in the population while still allowing reliance on that control.

Expected deviation rate: The control failure rate anticipated before testing, based on prior results and knowledge of the process.

Tolerable misstatement: The maximum monetary error in a population that can be accepted without changing the planned audit response.

Expected misstatement: The monetary error anticipated before testing based on prior experience and risk assessment.

Stratification: Dividing a population into subgroups (often by value or risk) to improve the efficiency and focus of testing.

Random selection: A selection method where each sampling unit has a known, non-zero chance of being chosen.

Systematic selection: Selecting items at a fixed interval after a random start, requiring careful consideration of how the population list is ordered.

Haphazard selection: Selecting items without a structured method while trying to avoid bias; less defensible for population-wide conclusions due to higher bias risk and no measurable sampling risk.

Data-driven audit techniques (analytics): Using data extracts and analytical routines to scan datasets for patterns, outliers, and exceptions relevant to audit objectives.

Exception: An item highlighted by an analytical routine as unusual or higher risk, requiring investigation and corroboration before conclusions are drawn.


Developed by Accounting Body Editorial Team · Written and reviewed by qualified accountants · Always free