
Deviations from Controls — Response and Mandatory Substantive Procedures

## Deviations from Controls — What the Auditor Must Do

### When Deviations Are Detected During TOC

If the auditor finds that a control has not been applied as designed, they must determine:

(a) Whether the TOC performed provides an appropriate basis for continued reliance on controls.

(b) Whether additional TOC are necessary to gather more evidence.

(c) Whether the potential ROMM arising from the deviation must be addressed through substantive procedures.

---

### Why Substantive Procedures Are Always Required (The Golden Rule)

> Regardless of the assessed level of ROMM, the auditor must ALWAYS perform substantive procedures for each material class of transactions, account balance, and disclosure.

This is because:

| Reason | Explanation |
| --- | --- |
| Risk assessment is judgmental | The auditor's assessment of ROMM may itself be incorrect |
| Inherent limitations of internal control | No control system is perfect — collusion, errors, system failures |
| Management override of controls | Management can bypass even well-designed controls |

Consequence: TOC can reduce substantive work, but can never eliminate it entirely.

---

### Specific Inquiries When Deviations Are Found

The auditor must specifically inquire:

  • Were these deviations isolated incidents or systematic?
  • Do they indicate a breakdown in the control?
  • Is there a compensating control that mitigates the risk?

Worked example

### Example 1

TOC Result: Satisfactory — Auditor tests 25 purchase approvals and finds all properly authorised. Result: Auditor applies limited (reduced) substantive procedures on purchase transactions — but does NOT skip substantive procedures entirely.

### Example 2

TOC Result: Deviations Found — Auditor tests 25 purchase approvals and finds 6 were not properly authorised. Result: Auditor (a) considers whether further TOC is needed, (b) assesses whether reliance on this control is appropriate, and (c) increases the extent of substantive procedures on purchase transactions to compensate.

⚠️ Common exam mistakes

  • Believing that satisfactory TOC results allow the auditor to skip substantive procedures — substantive procedures are always mandatory.
  • Treating deviations as conclusive proof of fraud — deviations indicate control weakness and require expanded substantive testing, but are not by themselves evidence of fraud.
  • Not performing substantive procedures because no deviations were found in TOC — absence of control failure does not prove absence of misstatement.

Bare-Act text: Para 18 · SA 330 — The Auditor's Responses to Assessed Risks

Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance, and disclosure.