Test of Controls
Test of controls is the type of audit procedure that we perform in order to evaluate whether the client’s internal control works effectively in preventing or detecting risks of material misstatements at the assertion level.
While obtaining an understanding of the client’s internal control, as auditors, we usually try to identify the internal controls that can reduce the risks of material misstatement. Then we perform the test of controls to obtain evidence of how effectively the controls operate in practice before we can rely on them.
As a result, we can choose to rely on the controls and reduce some of our substantive works if the client’s controls work as intended after obtaining the result of the test of controls.
On the other hand, if the controls are weak and not effective in preventing or detecting risks of material misstatements, the control risk will be high. In this case, we will need to increase our substantive tests in order to reduce the audit risk to an acceptable level.
Purposes of Test of Controls
We perform the test of controls to evaluate whether the controls are working effectively for two main purposes including:
- Reduce substantive audit procedures
- Obtain additional audit evidence
Reduce substantive audit procedures
The first purpose of the test of controls is to reduce substantive audit procedures by relying on the client’s internal controls. This is when we believe the client’s internal controls work effectively in preventing or detecting the risks of material misstatements at the assertion level.
This is the case when we have assessed that the control risk is low. Hence, we need to perform the test of controls to obtain evidence to support our assessment.
Obtain additional audit evidence
This is the case when we cannot obtain sufficient appropriate audit evidence if we perform only the substantive procedures alone. Likewise, we need to perform the test of controls to obtain additional audit evidence at the assertion level.
This may happen when the client uses the IT system to perform certain business transactions, in which no document is produced or maintained.
Four Types of Test of Controls
The four types of test of controls include:
Inquiry is the process of asking for an explanation from the client relating to the control process, or transactions. For example, we may ask the client’s personnel for an explanation about inventory counting procedures at year-end.
Inquiry is a type of test of control that can only provide limited evidence as the client’s employee may not tell us the truth. Also, they may tell us very good control procedures that are described in the paper, but they may not properly perform such control procedures in practice.
Observation is the process of looking at the procedures that are being performed by the client. For example, we perform this type of test of controls by observing the inventory counting procedures that are being performed by the client at year-end. This is to make sure the internal control of inventory exists and the procedures are as described.
Similar to an inquiry, audit evidence we gather using observation is also limited. This is due to when the client’s employees know that they are being observed, they may try to be more diligent in performing internal control procedures than when they are not being observed.
Inspection is the process of examination of supporting documents related to control procedures. For example, we may inspect the bank reconciliation report to make sure it exists and the procedures are as described e.g. preparer and reviewer are different persons.
This type of test of control can provide us better evidence comparing to inquiry and observation. This is due to we inspect the physical evidence that the control procedures are in place and performed by the client’s personnel.
However, we usually perform the physical inspection on a sample of records as it would be impractical to perform on all transactions; hence, there’s usually sampling risk involved here. Also, when we see the authorization signature on supporting documents, it doesn’t mean that the authorized personnel have properly checked and reviewed transactions before authorizing them.
Re-performance is the process of auditor’s re-performing the control procedures that were performed by the client. For example, as auditors, we may re-perform the procedure of bank reconciliation that was performed by the client’s accountant.
Re-performance is the most reliable type of test of controls and provides us better assurance comparing to other types. This is due to we gather direct evidence on how the control works when we use re-performance.
The downside of re-performance is that it is a very time-consuming process as we need to re-perform the whole process of the control procedures that the client has already performed. So, we usually do not apply this type of procedure on a large sample.
In summary, an inquiry procedure alone is not sufficient to evaluate whether the controls work effectively. Other audit procedures, such as observation, inspection, or re-performance should be performed in combination with inquiry to obtain sufficient appropriate audit evidence about the effectiveness of controls.
Also, the test of control procedures that use inquiry combining with inspection or re-performance usually provides better assurance than inquiry combining with observation. This is due to the observation may only give assurance that procedures are performed properly by the client when being observed at a point in time. It does not guarantee that control procedures are done properly at other times that are not observed by us, auditors.
Test of Controls Example
We usually perform the test of controls after we have assessed that the client’s internal control can reduce the risk of material misstatement at the assertion level. In this case, we need to test various audit assertions.
These assertions may include:
- Classification, etc.
Example: test of controls for sales
For example, we perform the test of controls for sales by testing various assertions such as occurrence, completeness, and cut-off.
We test occurrence assertion to ensure that there is proper internal control in place to prevent the risk of overstatement of sales either by creating fictitious sale invoices or inflating the actual sales. In this case, we can perform test of controls by:
- Select a sample of sale transactions in the general ledger
- Vouch the selected sale transactions to sale invoices, shipping documents, and sale orders.
We test completeness assertion to ensure that all sales are recorded in accounting transactions. In this case, we can perform test of controls to ensure completeness by:
- Scan supporting documents such as sale invoices, shipping documents, and sale orders for numerical sequence.
- Trace shipping documents to sale transactions in general ledger.
We test cut-off assertion to ensure that sale transactions have been recorded in the correct accounting period. In this case, we can perform test of controls to ensure cut-off by:
- Trace date of shipping document to the date of sale invoice and sale transaction.
- Check and review FOB terms to ensure they are properly applied.
Test of Controls vs Test of Details
With the example of test of controls above, we can see that the audit procedures are similar to those of the test of details. However, they are not the same; actually, they are completely different. Below is the list of the difference between test of controls and test of details:
- We perform the test of controls to support our control risk assessment while the test of details is to support our audit opinion.
- The objective of the test of controls is to obtain audit evidence that the internal controls are effective in preventing or detecting material misstatement. On the other hand, the test of details is to gather audit evidence to form a basis of opinion.
- We only perform test of controls when we assess that the control risk is low and it is effective to reduce the risk of material misstatement. However, we will always need to perform test of details in order to obtain sufficient appropriate audit evidence if the substantive analytical procedure is not applicable or not sufficient.
- The result of the test of controls determines the nature, timing and extent of the test of details while the result of the test of details determines the audit conclusion on relevant assertions of account transactions and balances.
- Test of controls is based on the control risk, e.g. if the control risk is high, we will not perform the test. On the other hand, the test of details is based on the detection risk, e.g. if we want the low level of detection risk, we need to perform more tests of details.
In summary, the difference between test of control and test of details are in the table below:
|Test of controls vs test of details|
|Test of Controls||Test of Details|
|Support control risk assessment||Support audit opinion|
|Obtain evidence about control’s effectiveness||Obtain evidence to form a basis of opinion|
|Only perform when control risk is low||Always need to perform if analytical procedure is not applicable or not sufficient|
|Determine nature, timing and extent of the test of details||Determine the audit conclusion on relevant assertions|
|Based on control risk||Based on detection risk|
Is a walkthrough a test of controls?
Walkthrough is an audit procedure that we perform to understand the client’s accounting system and controls. We perform audit walkthrough by tracing a single transaction step-by-step from beginning to the end of the transaction.
For example, we walkthrough on a purchase transaction by tracing a purchase request through purchase approval, purchase order, goods received, credit accounts payable, request for payment, and make payment.
We can perform a walkthrough test by making inquiries, observation and inspecting documents. This is similar to test of controls; however, a walkthrough is not a test of controls. This is due to there are some difference below:
|Difference between walkthrough and test of controls|
|Walkthrough||Test of controls|
|To understand accounting system and controls||To test effectiveness of internal controls|
|Perform on a single transaction||Perform on a sample of transactions to obtain sufficient evidence|
|Look at the transaction from the begin to the end to make a full cycle||Only look at a number of incidents that internal controls are being applied|
|Need to perform the walkthrough, even though the control risk is high, to obtain evidence of risk assessment||No need to perform the test of controls when the control risk is high|
|Perform during risk assessment to assess the risk of material misstatement||Perform after risk assessment to respond to risk of material misstatement|