Auditors have a full set of tools at their disposal when performing an audit for a client. These include tests of control, which provide a way to take a closer look at the client’s internal control systems. Here’s what tests of controls involve and how they’re used. Show
What are tests of internal controls?A test of control describes any auditing procedure used to evaluate a company’s internal controls. The aim of tests of control in auditing is to determine whether these internal controls are sufficient to detect or prevent risks of material misstatements. A robust internal control system is essential for businesses to keep their financial records accurate. While a financial audit won’t automatically uncover all irregularities, auditors may use tools like tests of control to test the systemic operating controls. This, in turn, reduces the client’s risk. If the controls are operating efficiently, the control risk is low. However, if they are found to be weak or ineffective, the control risk is high. This means that the auditor will have to perform additional tests during the audit. Tests of control vs. tests of detailA test of controls involves many similar audit procedures to a test of detail, but the outcomes are different. While a test of controls supports control risk assessment, a test of details is performed to support the overall audit opinion of a company’s balance sheet and accompanying transactions. Tests of control are only performed when the auditor believes that the control risk is low, enabling them to verify this assessment. However, a test of details is almost always required to obtain sufficient audit evidence. Purposes of tests of controlThere are several reasons to perform tests of control in auditing. If a company’s internal controls are working effectively, it reduces the need for additional substantive audit procedures, which can be time-consuming and costly. Another purpose of these tests is to obtain further audit evidence to support the auditor’s statements. Audit sampling methods for tests of controlsTests of control fall into four main categories:
A single test of controls is usually insufficient to draw any conclusions, so auditors will draw from all four types of control tests for greater assurance. An inquiry should be combined with inspection or reperformance for more accurate results. When errors are found during the tests of internal controls, auditors can take this process to the next step by increasing their audit sampling size. The greater the number of errors, the greater the chance that there is a systemic controls issue. We can helpGoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments. Test of controls is the type of audit procedure that we perform in order to evaluate whether the client’s internal control works effectively in preventing or detecting risks of material misstatements at the assertion level. While obtaining an understanding of the client’s internal control, as auditors, we usually try to identify the internal controls that can reduce the risks of material misstatement. Then we perform the test of controls to obtain evidence of how effectively the controls operate in practice before we can rely on them. As a result, we can choose to rely on the controls and reduce some of our substantive works if the client’s controls work as intended after obtaining the result of the test of controls. On the other hand, if the controls are weak and not effective in preventing or detecting risks of material misstatements, the control risk will be high. In this case, we will need to increase our substantive tests in order to reduce the audit risk to an acceptable level. Purposes of Test of ControlsWe perform the test of controls to evaluate whether the controls are working effectively for two main purposes including:
Reduce substantive audit proceduresThe first purpose of the test of controls is to reduce substantive audit procedures by relying on the client’s internal controls. This is when we believe the client’s internal controls work effectively in preventing or detecting the risks of material misstatements at the assertion level. This is the case when we have assessed that the control risk is low. Hence, we need to perform the test of controls to obtain evidence to support our assessment. Obtain additional audit evidenceThis is the case when we cannot obtain sufficient appropriate audit evidence if we perform only the substantive procedures alone. Likewise, we need to perform the test of controls to obtain additional audit evidence at the assertion level. This may happen when the client uses the IT system to perform certain business transactions, in which no document is produced or maintained. Four Types of Test of ControlsThe four types of test of controls include:
InquiryInquiry is the process of asking for an explanation from the client relating to the control process, or transactions. For example, we may ask the client’s personnel for an explanation about inventory counting procedures at year-end. Inquiry is a type of test of control that can only provide limited evidence as the client’s employee may not tell us the truth. Also, they may tell us very good control procedures that are described in the paper, but they may not properly perform such control procedures in practice. ObservationObservation is the process of looking at the procedures that are being performed by the client. For example, we perform this type of test of controls by observing the inventory counting procedures that are being performed by the client at year-end. This is to make sure the internal control of inventory exists and the procedures are as described. Similar to an inquiry, audit evidence we gather using observation is also limited. This is due to when the client’s employees know that they are being observed, they may try to be more diligent in performing internal control procedures than when they are not being observed. InspectionInspection is the process of examination of supporting documents related to control procedures. For example, we may inspect the bank reconciliation report to make sure it exists and the procedures are as described e.g. preparer and reviewer are different persons. This type of test of control can provide us better evidence comparing to inquiry and observation. This is due to we inspect the physical evidence that the control procedures are in place and performed by the client’s personnel. However, we usually perform the physical inspection on a sample of records as it would be impractical to perform on all transactions; hence, there’s usually sampling risk involved here. Also, when we see the authorization signature on supporting documents, it doesn’t mean that the authorized personnel have properly checked and reviewed transactions before authorizing them. Re-performanceRe-performance is the process of auditor’s re-performing the control procedures that were performed by the client. For example, as auditors, we may re-perform the procedure of bank reconciliation that was performed by the client’s accountant. Re-performance is the most reliable type of test of controls and provides us better assurance comparing to other types. This is due to we gather direct evidence on how the control works when we use re-performance. The downside of re-performance is that it is a very time-consuming process as we need to re-perform the whole process of the control procedures that the client has already performed. So, we usually do not apply this type of procedure on a large sample. In summary, an inquiry procedure alone is not sufficient to evaluate whether the controls work effectively. Other audit procedures, such as observation, inspection, or re-performance should be performed in combination with inquiry to obtain sufficient appropriate audit evidence about the effectiveness of controls. Also, the test of control procedures that use inquiry combining with inspection or re-performance usually provides better assurance than inquiry combining with observation. This is due to the observation may only give assurance that procedures are performed properly by the client when being observed at a point in time. It does not guarantee that control procedures are done properly at other times that are not observed by us, auditors. Test of Controls ExampleWe usually perform the test of controls after we have assessed that the client’s internal control can reduce the risk of material misstatement at the assertion level. In this case, we need to test various audit assertions. These assertions may include:
Example: test of controls for salesFor example, we perform the test of controls for sales by testing various assertions such as occurrence, completeness, and cut-off. OccurrenceWe test occurrence assertion to ensure that there is proper internal control in place to prevent the risk of overstatement of sales either by creating fictitious sale invoices or inflating the actual sales. In this case, we can perform test of controls by:
CompletenessWe test completeness assertion to ensure that all sales are recorded in accounting transactions. In this case, we can perform test of controls to ensure completeness by:
Cut-offWe test cut-off assertion to ensure that sale transactions have been recorded in the correct accounting period. In this case, we can perform test of controls to ensure cut-off by:
Test of Controls vs Test of DetailsWith the example of test of controls above, we can see that the audit procedures are similar to those of the test of details. However, they are not the same; actually, they are completely different. Below is the list of the difference between test of controls and test of details:
In summary, the difference between test of control and test of details are in the table below:
Is a walkthrough a test of controls?Walkthrough is an audit procedure that we perform to understand the client’s accounting system and controls. We perform audit walkthrough by tracing a single transaction step-by-step from beginning to the end of the transaction. For example, we walkthrough on a purchase transaction by tracing a purchase request through purchase approval, purchase order, goods received, credit accounts payable, request for payment, and make payment. We can perform a walkthrough test by making inquiries, observation and inspecting documents. This is similar to test of controls; however, a walkthrough is not a test of controls. This is due to there are some difference below:
|