(A) Substantive approach only
Where internal controls are initially assessed as weak, there is no point in testing them as this will only confirm that control risk is high and that a systems-based approach is therefore not appropriate.
Internal controls will be weak in small organisations where there are too few staff for proper segregation of duties. Also, in a small organisation where the owner-manager operates the system of internal controls, he can easily override controls which he himself has set up. Even where controls exist, there may be no evidence that those controls have been operated.
In addition, for smaller organisations, it is not appropriate to perform tests of controls if it is quicker (and therefore more efficient) to check all (or a substantial proportion of) transactions during the year. Performing tests of controls involves a fixed time (to ascertain and record the systems and evaluate controls as well as testing them) which cannot be recouped in the relatively short time needed to substantively test transactions.
As an extension of a purely substantive approach, a statement of financial position approach may be suited to small companies. In the statement of financial position approach, the auditor concentrates primarily on testing balances as opposed to balances and transactions. It is also an approach suited to companies where assets and liabilities are substantial in relation to transactions (e.g. investment companies). This approach is based on the accounting equation whereby opening net assets plus profit for the year equals closing net assets. The theory is that if opening net assets were correct and closing net assets are also correct then the profit for the year must be correct.
Combination of a systems-based approach and substantive procedures
On larger audits, the auditor will usually seek to place reliance on internal controls as this will allow him to perform reduced substantive procedures. This approach is preferable where audit testing time will be less than that needed for (extensive) substantive testing alone.
Generally a combined approach will result in a more cost-effective audit where there are:

• sufficient staff to allow the operation of an effective system of internal control, and
• a large number of transactions.
  To take a wholly substantive approach in this situation would require a large number of transactions to be vouched, whereas testing internal controls produces a lower control risk which requires fewer substantive procedures.                                                                                                                                                                                                                                                              (B)

  Business risk approach
  The business risk approach involves the auditor looking at the business as a whole and carrying out an evaluation of the risks to which it may be exposed.
  The general approach will be to:

  • identify the key business risks
  • evaluate their possible impact on the financial statements
  • plan the approach to the audit around the key business risks identified.
    In order for this approach to work effectively, the auditor must have a good understanding of the client’s business and of the environment in which it operates. The auditor is interested in business risk not for its own sake, but in the light of its possible impact on the financial statements.
    The business risk approach is sometimes referred to as a ‘top down’ approach to an audit. The approach starts with the business, which generates the financial transactions. It ends with the financial statements which record the outcome of the business transactions. It is the business which ‘drives’ the financial statements.
    Advantages
  • The business risk approach starts at an earlier stage than the conventional audit risk model, based on inherent and control risks. By looking at the nature of the business itself, the auditor should get a more complete picture of the events which may affect the entity’s ability to meet its objectives. By doing so the auditor will better understand the inherent and control risks to which the business may be subject.
  • It provides a framework for the audit, helping to identify areas where most work should be performed. This will be linked to the auditors’ assessment of the materiality of the risk and the likelihood of the risk crystallising.
  • The business environment is changing rapidly – a business risk approach keeps the auditor up-to-date.
  • Evidence suggests that major audit problems are more likely to result from business-related problems than from control deficiencies.
  • This approach may allow the auditor to ‘add value’ by making effective recommendations to improve the performance of the client’s business.
  • Audit costs may be reduced as a result of the use of less detailed audit testing.
  • The approach may benefit the auditor’s own business as it indicates the use of a modern approach, which may differentiate the firm’s product from that of its competitors.
    Limitations
  • The approach requires the use of more experienced audit staff, including partners and managers. This may serve to cancel some of the cost savings mentioned above.
  • The closer involvement that the approach requires from the auditor may raise questions about auditor independence.
  • Some auditors feel uneasy about the ‘broad’ view taken by the business risk approach.
  • The approach may be effective only in the case of audits of larger entities by larger firms.