In evaluating how to approach an audit, in general, and specific business processes within any audit, in particular, external auditors sometimes choose to audit around the system. That is, they ignore the way systems are designed and test the given process or control without regards to how the system is designed. They do so by identifying a population of transactions related to the process and testing the activity through sampling as required by their internal standards and consistent with the regulator(s) that oversee their audits (PCAOB, OCC, various government agencies, etc).
There are consistent gaps in the approach that external audit firms take that could leave the chosen populations incomplete. Therefore, I will make the argument that a substantive-only audit is a flawed approach and one about which external audit partners and regulators should be concerned.
To illustrate this flaw, I will use arguably the most important control related to the integrity of the financial statements; the control over manual (non-standard) journal entries. Manual journal entries inherently pose a high risk to the integrity of the financial statements because they can move any balance between any account within the trial balance. In my experience, most external auditors don’t know how to properly identify a population of journal entries that equate to a manual journal entry.