Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
6051 Test of controls and their importance
Jun-2021
Overview
This topic explains:
- The importance of tests of controls
CAS Requirement
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of controls if (CAS 330.8):
(a) The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (that is, the auditor plans to test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence the greater the reliance the auditor places on the effectiveness of a control (CAS 330.9).
In designing and performing tests of controls, the auditor shall (CAS 330.10):
(a) Perform other audit procedures in combination with inquiry to obtain audit evidence about the operating effectiveness of the controls, including:
- (i) How the controls were applied at relevant times during the period under audit
- (ii) The consistency with which they were applied; and
- (iii) By whom or by what means they were applied
(b) To the extent not already addressed, determine whether the controls to be tested depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls.
When designing tests of controls and tests of details, the auditor shall determine means of selecting items for testing that are effective in meeting the purpose of the audit procedure (CAS 500.10).
As required by CAS 330, the auditor shall design and perform tests to obtain sufficient appropriate audit evidence as to the operating effectiveness of controls, if (CAS 540.19):
(a) The auditor's assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively; or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
CAS Guidance
Tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in a relevant assertion, and the auditor plans to test those controls. If substantially different controls were used at different times during the period under audit, each is considered separately (CAS 330.A20).
Testing the operating effectiveness of controls is different from obtaining an understanding of and evaluating the design and implementation of controls. However, the same types of audit procedures are used. The auditor may, therefore, decide it is efficient to test the operating effectiveness of controls at the same time as evaluating their design and determining that they have been implemented (CAS 330.A21).
Further, although some risk assessment procedures may not have been specifically designed as tests of controls, they may nevertheless provide audit evidence about the operating effectiveness of the controls and, consequently, serve as tests of controls. For example, the auditor’s risk assessment procedures may have included (CAS 330.A22):
- Inquiring about management’s use of budgets
- Observing management’s comparison of monthly budgeted and actual expenses
- Inspecting reports pertaining to the investigation of variances between budgeted and actual amounts
These audit procedures provide knowledge about the design of the entity’s budgeting policies and whether they have been implemented, but may also provide audit evidence about the effectiveness of the operation of budgeting policies in preventing or detecting material misstatements in the classification of expenses.
In addition, the auditor may design a test of controls to be performed concurrently with a test of details on the same transaction. Although the purpose of a test of controls is different from the purpose of a test of details, both may be accomplished concurrently by performing a test of controls and a test of details on the same transaction, also known as a dual-purpose test. For example, the auditor may design, and evaluate the results of, a test to examine an invoice to determine whether it has been approved and to provide substantive audit evidence of a transaction. A dual-purpose test is designed and evaluated by considering each purpose of the test separately (CAS 330.A23).
In some cases, the auditor may find it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence at the assertion level. This may occur when an entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system. In such cases, paragraph 8(b) requires the auditor to perform tests of controls that address the risk for which substantive procedures alone cannot provide sufficient appropriate audit evidence (CAS 330.A24).
A higher level of assurance may be sought about the operating effectiveness of controls when the approach adopted consists primarily of tests of controls, in particular where it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures (CAS 330.A25).
An effective test provides appropriate audit evidence to an extent that, taken with other audit evidence obtained or to be obtained, will be sufficient for the auditor’s purposes. In selecting items for testing, the auditor is required by paragraph 7 to determine the relevance and reliability of information to be used as audit evidence; the other aspect of effectiveness (sufficiency) is an important consideration in selecting items to test. The means available to the auditor for selecting items for testing are (CAS 500.A63):
(a) Selecting all items (100% examination);
(b) Selecting specific items; and
(c) Audit sampling.
The application of any one or combination of these means may be appropriate depending on the particular circumstances, for example, the risks of material misstatement related to the assertion being tested, and the practicality and efficiency of the different means.
The auditor may decide that it will be most appropriate to examine the entire population of items that make up a class of transactions or account balance (or a stratum within that population). 100% examination is unlikely in the case of tests of controls; however, it is more common for tests of details. 100% examination may be appropriate when, for example (CAS 500.A64):
-
The population constitutes a small number of large value items;
-
There is a significant risk and other means do not provide sufficient appropriate audit evidence; or
-
The repetitive nature of a calculation or other process performed automatically by an information system makes a 100% examination cost effective.
Obtaining audit evidence from different sources or of a different nature may indicate that an individual item of audit evidence is not reliable, such as when audit evidence obtained from one source is inconsistent with that obtained from another. This may be the case when, for example, responses to inquiries of management, internal auditors, and others are inconsistent, or when responses to inquiries of those charged with governance made to corroborate the responses to inquiries of management are inconsistent with the response by management. CAS 230 includes a specific documentation requirement if the auditor identified information that is inconsistent with the auditor’s final conclusion regarding a significant matter (CAS 500.A68).
OAG Guidance
Dual Purpose Testing
Tests of controls normally precede substantive tests because the results of the tests of controls can affect our decision about the nature, timing and extent of substantive tests. For greater efficiency the two types of tests may be performed simultaneously using the same document and record. A substantive test is not a control test but a control test can become a substantive test. The reason that a substantive test is not a control test is that substantive tests are designed to determine that transactions are appropriately and completely summarized and reported using the applicable financial reporting framework. Inferring that controls are operating effectively based on the results of a substantive test is inappropriate.
When we conduct a dual purpose test, we need to confirm we are testing the controls and that consideration has been given to the sample sizes and the assessment of control risk (see OAG Audit 6053). Examples where we may perform dual purpose testing are:
- Reconciliations (OAG Audit 7580)
- Journal Entries
- Business performance reviews
When designing a dual purpose test, begin with testing the control. A determination of whether the actions comprising the control activity can be reperformed and evidence that management, in fact, executed those actions is made. In some cases reperforming the control alone could provide enough evidence for substantive testing purposes. For example, if there is a control where there is a 100 percent completeness and accuracy review of updates made to the pricing master file, reperforming the control by checking the price in the system to underlying support would also satisfy our substantive testing criteria if our planned substantive testing would also include agreeing the price in the system to the underlying support.
For the purposes of control testing, each item needs to have an opportunity to be selected. Because this is not the case when targeted testing is performed, if a targeted testing strategy is employed for substantive evidence, it is unlikely that dual purpose testing can be employed.
In regards to documenting conclusions for dual purpose testing:
-
Determine there is a specific conclusion in the controls testing procedure as to whether the control operated effectively as designed.
-
Determine there is a specific conclusion for our substantive testing. The conclusion also needs to align with the stated purpose of the substantive test.
Substantive Procedures
There are situations where substantive procedures do not provide sufficient appropriate audit evidence, such is the case in highly automated controls. See OAG Audit 4024 for additional guidance.
OAG Guidance
Compliance with Authorities
Each year, we perform audit procedures designed to assess compliance with significant authorities, using various approaches. Where there is reliance on internal financial controls for purposes of the audit, components dealing with compliance with authorities should be included in the tests of relevant controls. For example, we may test the application of sections 32, 33, 34 of the FAA or the application of the approval process specified in the entity bylaws for amounts over a threshold or for important acquisitions of capital assets.
Typically, substantive tests of details are often the most appropriate way to test compliance with authorities. The reason for this is that some authority requirements do not lend themselves to a controls-reliant approach (for example, the approval of the corporation’s Corporate Plan by the Governor in Council or of the annual budgets by the Treasury Board). See OAG Audit 7040 for further guidance on tests of details.