Audit

Audit Tests of Controls

by Fahad Zar
written by Fahad Zar 8 minutes read

Tests of controls are the procedures that an auditor performs to test the effectiveness of the control systems of a client. A control system is a process that the client uses to identify, detect and prevent misstatements and errors. In simple terms, controls are the internal controls that businesses use to run their operations faultless and effectively. In this article, I’ll demystify the concept, use and the “why” behind audit tests of controls.

Definition

Tests of controls, in an audit, are the techniques or procedures that an auditor performs to evaluate the effectiveness of a client’s internal control system. The auditor is interested in knowing the control risk of a client that arises from poor controls which ultimately leads to material misstatements & errors in the financial statements.

In businesses, management uses different processes or controls to ensure everything works in an intended way. The controls are designed in a way that ensures transactions and activities are carried out error-free and irregularities are detected and prevented in real-time. So, why are the auditors concerned with the internal controls of the client?

Audit is a review of the financial statements in which the auditor expresses their opinion about the financial statements whether they are presented true and fair. To come up with an opinion, the auditor performs different procedures and techniques on transactions and activities of the client. Due to the limitation of time & resources, the auditor has to make sure most of the procedures and tests are performed on activities/processes that have much higher chances of material misstatements.

To find those hotspots, the auditor performs tests of controls on different activities and processes of the client. If an activity or process is found to be less effective or not effective at all, it is considered to have a higher control risk whereas, effective internal control activity or process is considered to have a lower control risk. That means if an auditor finds a control to be less effective, they will expect misstatements in the underlying activity and will plan to perform thorough procedures.

How Tests of Controls are Performed?

Tests of controls are performed in the planning stage of the audit. Before starting the audit engagement, the auditor is interested in finding the control risk of the client. To find the control risk, tests of controls are performed on major activities of the client, and audit procedures are planned accordingly. There is a simple 3-step approach to do that;

  • Step 1: The auditor identifies controls of the client. For example, if a company performs background checks before issuing credit to new customers, it is a control.
  • Step 2: The control is assessed to see how well it is designed. For example, does the company relies on a single source of confirmation or takes a step further to dig into the details of the financial history of the customer. That might be fetching the customer’s financial record from credit agencies or previous suppliers.
  • Step 3: The controls are tested to see how well they are working. There are techniques to test the controls that I’m going to discuss below.

Think about it; a client may have hundreds of controls in place and it would be impracticable to check each and every one. Therefore, the auditor relies on sampling techniques to check how well the overall control system of the client is designed. Primarily, the auditor tests the internal controls using the following FOUR methods.

1. Inquiry

It is the most basic test of control in which the auditor inquires about the client’s internal controls. The client explains the control system in place and give the auditor details that are necessary to conduct the audit engagement. A simple inquiry is an easy way to collect useful information about the control system but could be misleading for the auditor and is not a reliable way to test the client’s controls.

Evidence obtained through inquiries could be misleading and insufficient to conclude a report on the controls. Therefore, another test of control method should be used alongside to give a touch of reliability to the test.

2. Observation

While using observation as a test of control method, the auditor closely watches and monitors the controls of the client to take notes regarding the effectiveness of the operations. Simply, the auditor watches the live performance of a process or activity. For example, if the client is undertaking inventory count at the end of the year, the auditor will watch the process to see what techniques have been used and what controls are in place to prevent errors and misstatements in the inventoryy count.

3. Reperformance

In the Reperformance method, the auditor might start a whole new transaction for the sake of testing the effectiveness of controls in place. It’s an advanced form test of control method that results in more reliable evidence due to its practical implication. An example of Reperformance would be placing a dummy sale and tracking it flowing through different channels to see if sales are recorded accurately.

4. Inspection

Businesses use different verification and review methods to prevent misstatements and errors. An inspection is simply reviewing whether the business has done a good job double-checking transactions. While using inspection as a test of control method, the auditor will randomly go through some items to see if they are reviewed or authorized (ie they will look for a signature or a stamp).

If the majority of the transactions have been reviewed or double-checked, it’s a good control sign and lack of signatures and stamps on most of the transactions would mean a weaker control system thus higher control risk.

KEY TAKEAWAYS

  • As auditors, we use tests of controls to find out how effective the internal controls of a client are in detecting & preventing errors and misstatements.
  • Firstly, we identify the controls in place to assess how well they are designed. In the next step, we take a step further and test the effectiveness of the controls using different methods. These methods include Inquiry, Observation, Re-performance, and Inspection.
  • Once we complete the assessment, the results are analyzed. If the controls work as intended, it means we can rely on the internal controls of the client and may choose to perform fewer procedures. If the controls are unable to prevent or detect misstatements, we may choose to perform detailed and thorough procedures considering the high control risk.

Purpose of Tests of Controls

In an audit, the auditor has to check transactions and activities that have occurred in a year (In most cases). These transactions and activities are significant in number and the auditor cannot check each and every transaction. To complete the engagement timely, the auditor uses sampling techniques.

For the sampling techniques to work effectively, the auditor needs to pick most of the samples from activities that have much higher chances of misstatements and errors. Therefore, to find those hotspots, the auditor performs tests of controls to analyze the control system of the client. They simply check different processes or operations of the client to see how well they are working.

If the operation works as intended, the auditor is more likely to trust the outcome of the operation and may choose to perform fewer procedures. If, on the other hand, an operation lacks the mechanism to detect and prevent errors, chances are that more misstatements will occur as a result and the auditor will choose to perform detailed procedures on the underlying operation.

That being said, the tests of controls help auditors identify areas that have higher chances of misstatements and consequently perform more procedures on that particular item. The auditor may also choose to rely on the internal controls if they are found to be designed effectively.

I'm Fahad Zar, a skilled Chartered Accountant and Digital Marketing enthusiast. Through my captivating blog, I aim to empower the youth with both academic knowledge and innovative online business strategies for a brighter future!

You may also like

Introduction to Computer-Assisted Audit Techniques (CAATs)

What Does Cut-Off In Accounting Mean?

Why do Managers Fear Audit and Auditors?

What Is Familiarity Threat In Auditing?

Audit Evidence Hierarchy and How it is Obtained?

Sufficient and Appropriate Audit Evidence | Definition |...

Inventory Tests of Controls

Disclaimer of Opinion

What is an Unmodified Audit Report?

What is Forensic Audit & how it is...