Why do we do test of details?

Auditors have a full set of tools at their disposal when performing an audit for a client. These include tests of control, which provide a way to take a closer look at the client’s internal control systems. Here’s what tests of controls involve and how they’re used.

What are tests of internal controls?

A test of control describes any auditing procedure used to evaluate a company’s internal controls. The aim of tests of control in auditing is to determine whether these internal controls are sufficient to detect or prevent risks of material misstatements. A robust internal control system is essential for businesses to keep their financial records accurate.

While a financial audit won’t automatically uncover all irregularities, auditors may use tools like tests of control to test the systemic operating controls. This, in turn, reduces the client’s risk. If the controls are operating efficiently, the control risk is low. However, if they are found to be weak or ineffective, the control risk is high. This means that the auditor will have to perform additional tests during the audit.

Tests of control vs. tests of detail

A test of controls involves many similar audit procedures to a test of detail, but the outcomes are different. While a test of controls supports control risk assessment, a test of details is performed to support the overall audit opinion of a company’s balance sheet and accompanying transactions. Tests of control are only performed when the auditor believes that the control risk is low, enabling them to verify this assessment. However, a test of details is almost always required to obtain sufficient audit evidence.

Purposes of tests of control

There are several reasons to perform tests of control in auditing. If a company’s internal controls are working effectively, it reduces the need for additional substantive audit procedures, which can be time-consuming and costly. Another purpose of these tests is to obtain further audit evidence to support the auditor’s statements.

Audit sampling methods for tests of controls

Tests of control fall into four main categories:

  • Inquiry: At the first stage, auditors may ask clients to explain their control processes. Simply inquiring about procedures qualifies as a test of control, but it provides limited evidence, so it will need to be supplemented with additional audit sampling.

  • Observation: The test may involve observing a business process or transaction while it’s happening, taking note of all relevant control elements. One example of observational audit sampling for tests of controls would be to watch the client’s year-end inventory counting procedures.

  • Reperformance: The auditor might start a new transaction to repeat the internal controls used by the client during this process. This is considered to be one of the most reliable audit sampling methods for tests of controls because it actively gathers direct evidence rather than relying on observation alone.

  • Inspection: Tests of control involve the examination of business documents for any signs of review. Signatures, checkmarks, and stamps are all signs that internal controls have been used. In this fourth category, audit sampling for tests of controls requires the inspector to look at a random selection of documents over time. If only a few of them show signs of review, this indicates a weak internal control system. However, if they are all uniformly marked with a verifying signature, this would indicate efficient controls.

A single test of controls is usually insufficient to draw any conclusions, so auditors will draw from all four types of control tests for greater assurance. An inquiry should be combined with inspection or reperformance for more accurate results.

When errors are found during the tests of internal controls, auditors can take this process to the next step by increasing their audit sampling size. The greater the number of errors, the greater the chance that there is a systemic controls issue.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.

Test of controls is the type of audit procedure that we perform in order to evaluate whether the client’s internal control works effectively in preventing or detecting risks of material misstatements at the assertion level.

While obtaining an understanding of the client’s internal control, as auditors, we usually try to identify the internal controls that can reduce the risks of material misstatement. Then we perform the test of controls to obtain evidence of how effectively the controls operate in practice before we can rely on them.

As a result, we can choose to rely on the controls and reduce some of our substantive works if the client’s controls work as intended after obtaining the result of the test of controls.

On the other hand, if the controls are weak and not effective in preventing or detecting risks of material misstatements, the control risk will be high. In this case, we will need to increase our substantive tests in order to reduce the audit risk to an acceptable level.

Purposes of Test of Controls

We perform the test of controls to evaluate whether the controls are working effectively for two main purposes including:

  • Reduce substantive audit procedures
  • Obtain additional audit evidence

Reduce substantive audit procedures

The first purpose of the test of controls is to reduce substantive audit procedures by relying on the client’s internal controls. This is when we believe the client’s internal controls work effectively in preventing or detecting the risks of material misstatements at the assertion level. 

This is the case when we have assessed that the control risk is low. Hence, we need to perform the test of controls to obtain evidence to support our assessment. 

Obtain additional audit evidence

This is the case when we cannot obtain sufficient appropriate audit evidence if we perform only the substantive procedures alone. Likewise, we need to perform the test of controls to obtain additional audit evidence at the assertion level.

This may happen when the client uses the IT system to perform certain business transactions, in which no document is produced or maintained.

Four Types of Test of Controls

The four types of test of controls include:

  • Inquiry
  • Observation
  • Inspection
  • Re-performance

Inquiry

Inquiry is the process of asking for an explanation from the client relating to the control process, or transactions. For example, we may ask the client’s personnel for an explanation about inventory counting procedures at year-end.

Inquiry is a type of test of control that can only provide limited evidence as the client’s employee may not tell us the truth. Also, they may tell us very good control procedures that are described in the paper, but they may not properly perform such control procedures in practice.

Observation

Observation is the process of looking at the procedures that are being performed by the client. For example, we perform this type of test of controls by observing the inventory counting procedures that are being performed by the client at year-end. This is to make sure the internal control of inventory exists and the procedures are as described.

Similar to an inquiry, audit evidence we gather using observation is also limited. This is due to when the client’s employees know that they are being observed, they may try to be more diligent in performing internal control procedures than when they are not being observed.

Inspection

Inspection is the process of examination of supporting documents related to control procedures. For example, we may inspect the bank reconciliation report to make sure it exists and the procedures are as described e.g. preparer and reviewer are different persons.

This type of test of control can provide us better evidence comparing to inquiry and observation. This is due to we inspect the physical evidence that the control procedures are in place and performed by the client’s personnel. 

However, we usually perform the physical inspection on a sample of records as it would be impractical to perform on all transactions; hence, there’s usually sampling risk involved here. Also, when we see the authorization signature on supporting documents, it doesn’t mean that the authorized personnel have properly checked and reviewed transactions before authorizing them. 

Re-performance

Re-performance is the process of auditor’s re-performing the control procedures that were performed by the client. For example, as auditors, we may re-perform the procedure of bank reconciliation that was performed by the client’s accountant.

Re-performance is the most reliable type of test of controls and provides us better assurance comparing to other types. This is due to we gather direct evidence on how the control works when we use re-performance.

The downside of re-performance is that it is a very time-consuming process as we need to re-perform the whole process of the control procedures that the client has already performed. So, we usually do not apply this type of procedure on a large sample. 

In summary, an inquiry procedure alone is not sufficient to evaluate whether the controls work effectively. Other audit procedures, such as observation, inspection, or re-performance should be performed in combination with inquiry to obtain sufficient appropriate audit evidence about the effectiveness of controls.

Also, the test of control procedures that use inquiry combining with inspection or re-performance usually provides better assurance than inquiry combining with observation. This is due to the observation may only give assurance that procedures are performed properly by the client when being observed at a point in time. It does not guarantee that control procedures are done properly at other times that are not observed by us, auditors.

Test of Controls Example

We usually perform the test of controls after we have assessed that the client’s internal control can reduce the risk of material misstatement at the assertion level. In this case, we need to test various audit assertions.

These assertions may include:

  • Occurrence
  • Existence
  • Completeness
  • Valuation
  • Accuracy
  • Cut-off
  • Classification, etc. 

Example: test of controls for sales

For example, we perform the test of controls for sales by testing various assertions such as occurrence, completeness, and cut-off.

Occurrence

We test occurrence assertion to ensure that there is proper internal control in place to prevent the risk of overstatement of sales either by creating fictitious sale invoices or inflating the actual sales. In this case, we can perform test of controls by:

  • Select a sample of sale transactions in the general ledger
  • Vouch the selected sale transactions to sale invoices, shipping documents, and sale orders.

Completeness

We test completeness assertion to ensure that all sales are recorded in accounting transactions. In this case, we can perform test of controls to ensure completeness by:

  • Scan supporting documents such as sale invoices, shipping documents, and sale orders for numerical sequence.
  • Trace shipping documents to sale transactions in general ledger.

Cut-off

We test cut-off assertion to ensure that sale transactions have been recorded in the correct accounting period. In this case, we can perform test of controls to ensure cut-off by:

  • Trace date of shipping document to the date of sale invoice and sale transaction.
  • Check and review FOB terms to ensure they are properly applied.

Test of Controls vs Test of Details

With the example of test of controls above, we can see that the audit procedures are similar to those of the test of details. However, they are not the same; actually, they are completely different. Below is the list of the difference between test of controls and test of details:

  • We perform the test of controls to support our control risk assessment while the test of details is to support our audit opinion. 
  • The objective of the test of controls is to obtain audit evidence that the internal controls are effective in preventing or detecting material misstatement. On the other hand, the test of details is to gather audit evidence to form a basis of opinion. 
  • We only perform test of controls when we assess that the control risk is low and it is effective to reduce the risk of material misstatement. However, we will always need to perform test of details in order to obtain sufficient appropriate audit evidence if the substantive analytical procedure is not applicable or not sufficient.
  • The result of the test of controls determines the nature, timing and extent of the test of details while the result of the test of details determines the audit conclusion on relevant assertions of account transactions and balances. 
  • Test of controls is based on the control risk, e.g. if the control risk is high, we will not perform the test. On the other hand, the test of details is based on the detection risk, e.g. if we want the low level of detection risk, we need to perform more tests of details.

In summary, the difference between test of control and test of details are in the table below:

Test of controls vs test of details
Test of ControlsTest of Details
Support control risk assessmentSupport audit opinion
Obtain evidence about control’s effectivenessObtain evidence to form a basis of opinion
Only perform when control risk is lowAlways need to perform if analytical procedure is not applicable or not sufficient
Determine nature, timing and extent of the test of detailsDetermine the audit conclusion on relevant assertions
Based on control riskBased on detection risk

Is a walkthrough a test of controls?

Walkthrough is an audit procedure that we perform to understand the client’s accounting system and controls. We perform audit walkthrough by tracing a single transaction step-by-step from beginning to the end of the transaction.

For example, we walkthrough on a purchase transaction by tracing a purchase request through purchase approval, purchase order, goods received, credit accounts payable, request for payment, and make payment.

We can perform a walkthrough test by making inquiries, observation and inspecting documents. This is similar to test of controls; however, a walkthrough is not a test of controls. This is due to there are some difference below:

Difference between walkthrough and test of controls
WalkthroughTest of controls
To understand accounting system and controlsTo test effectiveness of internal controls
Perform on a single transactionPerform on a sample of transactions to obtain sufficient evidence
Look at the transaction from the begin to the end to make a full cycleOnly look at a number of incidents that internal controls are being applied
Need to perform the walkthrough, even though the control risk is high, to obtain evidence of risk assessmentNo need to perform the test of controls when the control risk is high
Perform during risk assessment to assess the risk of material misstatementPerform after risk assessment to respond to risk of material misstatement
Why do we do test of details?
report this ad