6051 Test of controls and their importance

Jun-2021

CAS Guidance

Tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in a relevant assertion, and the auditor plans to test those controls. If substantially different controls were used at different times during the period under audit, each is considered separately (CAS 330.A20).

Testing the operating effectiveness of controls is different from obtaining an understanding of and evaluating the design and implementation of controls. However, the same types of audit procedures are used. The auditor may, therefore, decide it is efficient to test the operating effectiveness of controls at the same time as evaluating their design and determining that they have been implemented (CAS 330.A21).

Further, although some risk assessment procedures may not have been specifically designed as tests of controls, they may nevertheless provide audit evidence about the operating effectiveness of the controls and, consequently, serve as tests of controls. For example, the auditor’s risk assessment procedures may have included (CAS 330.A22):

• Inquiring about management’s use of budgets
• Observing management’s comparison of monthly budgeted and actual expenses
• Inspecting reports pertaining to the investigation of variances between budgeted and actual amounts

These audit procedures provide knowledge about the design of the entity’s budgeting policies and whether they have been implemented, but may also provide audit evidence about the effectiveness of the operation of budgeting policies in preventing or detecting material misstatements in the classification of expenses.

In addition, the auditor may design a test of controls to be performed concurrently with a test of details on the same transaction. Although the purpose of a test of controls is different from the purpose of a test of details, both may be accomplished concurrently by performing a test of controls and a test of details on the same transaction, also known as a dual-purpose test. For example, the auditor may design, and evaluate the results of, a test to examine an invoice to determine whether it has been approved and to provide substantive audit evidence of a transaction. A dual-purpose test is designed and evaluated by considering each purpose of the test separately (CAS 330.A23).

In some cases, the auditor may find it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence at the assertion level. This may occur when an entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system. In such cases, paragraph 8(b) requires the auditor to perform tests of controls that address the risk for which substantive procedures alone cannot provide sufficient appropriate audit evidence (CAS 330.A24).

A higher level of assurance may be sought about the operating effectiveness of controls when the approach adopted consists primarily of tests of controls, in particular where it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures (CAS 330.A25).

An effective test provides appropriate audit evidence to an extent that, taken with other audit evidence obtained or to be obtained, will be sufficient for the auditor’s purposes. In selecting items for testing, the auditor is required by paragraph 7 to determine the relevance and reliability of information to be used as audit evidence; the other aspect of effectiveness (sufficiency) is an important consideration in selecting items to test. The means available to the auditor for selecting items for testing are (CAS 500.A63):

(a) Selecting all items (100% examination);

(b) Selecting specific items; and

(c) Audit sampling.

The application of any one or combination of these means may be appropriate depending on the particular circumstances, for example, the risks of material misstatement related to the assertion being tested, and the practicality and efficiency of the different means.

The auditor may decide that it will be most appropriate to examine the entire population of items that make up a class of transactions or account balance (or a stratum within that population). 100% examination is unlikely in the case of tests of controls; however, it is more common for tests of details. 100% examination may be appropriate when, for example (CAS 500.A64):

• The population constitutes a small number of large value items;

• There is a significant risk and other means do not provide sufficient appropriate audit evidence; or

• The repetitive nature of a calculation or other process performed automatically by an information system makes a 100% examination cost effective.

Obtaining audit evidence from different sources or of a different nature may indicate that an individual item of audit evidence is not reliable, such as when audit evidence obtained from one source is inconsistent with that obtained from another. This may be the case when, for example, responses to inquiries of management, internal auditors, and others are inconsistent, or when responses to inquiries of those charged with governance made to corroborate the responses to inquiries of management are inconsistent with the response by management. CAS 230 includes a specific documentation requirement if the auditor identified information that is inconsistent with the auditor’s final conclusion regarding a significant matter (CAS 500.A68).