A substantive audit test is a direct test that validates a financial statement balance, while internal control tests are focused on key controls, such as management reviews or standardized templates, that are designed to prevent and detect material misstatements. Substantive testing often requires a large amount of recalculating, confirming, and vouching. For example, when an auditor substantively tests an inventory balance, he or she will go to the on-site location of the inventory, run reports that list the amount of inventory stored on the premises, and physically count each inventory item on a sample basis. Using the same example under an internal control testing approach, an auditor would assess the systems generating the reports, consider the experience level of the personnel on the premises that manage the inventory, and review shipping and receiving documents for the appropriate sign-offs instead of counting the actual inventory on the premises.
Prior to testing the operations of an internal control, an auditor will assess the design of the control for its effectiveness. Conclusions on effectiveness are drawn after a sample population of a control is walked through, or re-performed, with the personnel responsible for the regular operation of the control. If the auditor's inquiries and observations about the control are adequately addressed, the test of the internal control is considered to be designed effective and can then be tested for its operating effectiveness by selecting a larger sample of the control and re-performing each of the steps. In contrast, if it suggests that internal controls are not designed or operating effectively, substantive testing usually must be completed. This includes observation, third-party confirmations, analytical procedures, vouching, and reconciliation.
The purpose of certain audit tests used by external and internal auditors can vary slightly because of different objectives. External audits focus on historical financial information, and such auditors are typically engaged by the Board of Directors of an organization, or more specifically the audit committee. An audit committee, along with statute requirements, outlines the expectations for the auditors to provide an independent opinion on the financial statements of the organization taken as a whole. The internal audit function is a part of the organization and typically has its objectives established internally by the Board of Directors, which is used by the Board to assess the internal control structure surrounding both financial and non-financial information. A goal of the internal auditors is to further develop the organization by focusing on how to create and prepare more useful information for management by improving operations, assessing risk management, and establishing governance.
Both internal and external audits have the ultimate goal of assuring users of financial statements that the information is presented and disclosed fairly, exists at the time the information is dated, is complete and rightfully included, is valued accurately according to Generally Accepted Accounting Principles (GAAP), and that the company has rights and obligations to the financial data as reported. The scope of the audit, or the structure and volume of the audit tests that will be performed over the financial transactions, is determined as a result of the risk assessment that is completed during the planning stages of an audit. Generally, the higher the audit risk assessment is, the lower the materiality threshold will be for selecting accounts and transactions for testing. Audit staff will use such a risk assessment to develop audit programs that will outline specific steps to be followed in order to address the audit risk and summarize the accuracy of the transaction. Test results usually are tracked by auditors in either manual working papers or audit management software.