First of all lets clear out few things which are essential for this question to be answered. Latest ISAs are based on business risk approach to conduct an audit engagement and requires the auditor to use this approach to design and apply audit procedures. The question of whether to apply full substantive procedures or detailed substantive testing and reduced substantive testing basically arises under business risk approach.
According to ISAs auditor is required to identify and assess the risk of material misstatement at financial statement and assertion level. This is done by understanding the entity and its environment which also includes internal control system of the entity. After auditor has assessed the risk of material misstatement due to fraud or error, he plans further audit procedures on the basis of assessed risk of material misstatement.
Auditor’s assessment of risk may reveal two circumstances:
- Entity’s internal control system is working effectively
- Entity’s internal control system is not working effectively
In case auditor’s risk assessment procedures gave an expectation that internal control system are working effectively then auditor may plan to rely on internal control system i.e. he will use information generated by internal control system as audit evidence. But auditor is still required to apply substantive procedures irrespective of the assessed risk of material misstatement but certainly the amount of substantive procedures will be less and will be applied just to confirm whether expectation about risk of material misstatement was appropriate or not.
In auditor concludes on the basis of risk assessment procedures that internal control system is not working effectively then auditor will not rely on the information provided by the management and will design and apply his own procedures i.e. substantive procedures which will be detailed in nature. In this situation reliance will be placed on the substantive procedures but tests of controls may still be conducted just to confirm the initial risk assessment and to obtain evidence regarding the ineffectiveness of internal control systems.
In short if auditor expects that internal control system is working as it should then substantive procedures will be reduced whereas, if risk of material misstatement is high then auditor will go for detailed or full substantive testing.