Testing of controls is a procedure used in auditing to determine whether internal controls effectively prevent or detect material misstatements at the appropriate assertion level. Control tests determine whether a policy or practice is well-designed to prevent or detect significant financial statement misstatements.
As part of their risk assessment exercise, the auditor is required to ‘obtain an understanding of the entity and its environment including testing of controls.’
It is the responsibility of management to put in place a suitable system of internal control and to address identified financial statement risks, operational risks, and compliance risks.
Testing Of Controls
Effective internal controls, provided they are implemented properly, should ensure:
- Reliable financial reporting,
- the effectiveness and efficiency of operations,
- compliance with appropriate laws and regulation, and
- The effectiveness of internal controls.
Before the auditor can rely on the systems and controls that are in place, they must establish what those systems and controls are, and carry out an evaluation of the effectiveness of the controls.
Five elements together make up an internal control system. These are:
- The control environment,
- The entity’s risk assessment process,
- The information system,
- Control activities (internal controls), and
- The review and monitoring of controls.
When a company operates an effective system of internal control the most efficient method of generating audit evidence normally involves the testing of controls where possible rather than substantive procedures. ‘Systems-based’ techniques, therefore, complement the business risk approach described above to maximize audit efficiency and focus testing on the higher-risk areas. The auditor relies on the accounting systems and the related controls to ensure that transactions are properly recorded. The audit emphasis is on the systems processing the transactions rather than on the transactions themselves. It is necessary to obtain an understanding of internal control relevant to the audit.
Understanding Internal Control System
The internal auditor is required to gain an understanding of each of the five elements of the client’s internal control system and document the relevant features of the control systems. Once this understanding has been gained, the auditor should confirm that their understanding is correct by performing ‘walk-through’ procedures on each major type of transaction (for example, sales transactions, purchase transactions, payroll).
Walk-through testing involves the auditor selecting a small sample of transactions and following them through the various stages in their processing from initiation to reporting to establish whether their understanding of the process is correct. If they understand the controls that are in place, the auditor can go on to assess their effectiveness and the extent to which they can rely on those controls for the audit.
Effectiveness Of An Internal Control System Factors
The degree of effectiveness of an internal control system will depend on the following two factors:
- The design of the internal control system and the individual internal controls. Is the control system able to prevent material misstatements, or is it able to detect and correct material misstatements if they occur? Do the internal controls appear to be adequate and effective ‘on paper’?
- The proper implementation of the controls. Controls are not effective unless they are implemented properly. Are the controls operated properly by the client’s management and other employees? The outcome of this evaluation helps the auditor to assess the control risk. This is the risk that the internal controls will fail to prevent or detect and correct errors in the financial statements.
This evaluation will allow the auditor to decide on the extent to which they can use more tests of controls in the testing instead of more substantive procedures. The auditor may judge that the control risk is high or that the control risk is low because the internal controls are effective.
If the auditor assesses the control risk as very high, they will probably take the view that a systems-based audit approach will not be appropriate. They will move on to detailed testing of transactions and balances and take a substantive testing approach to the audit.
Before they can assess the control risk as low, the auditor must be satisfied that the controls are well-designed and effective. Even if the controls appear to be acceptable on paper, the auditor cannot rely on them and perform a systems-based audit unless they are confident that the controls are working in practice. In this situation, the next stage in the audit process is to carry out tests of controls.
If the outcome of the tests of control indicates that controls are operating effectively, the audit can use a systems-based approach with a reduced amount of substantive testing. Even if the internal control system seems to be effective, the auditor will never rely 100% on their assessment of the controls. They will always do some substantive testing before reaching their conclusion about the financial statements.
Causes Of Control Failure
This is because of the limitations that are inherent in all control systems. It is impossible to avoid the risk of control failure that is caused by:
- human error (and a failure to apply a control properly),
- Obsolescence of controls,
- Over-riding of controls by management (which is a deliberate decision to ignore a control),
- The possibility of collusion and fraud.
Auditors will always supplement their work on systems with some substantive testing. The amount of this testing will depend on the auditor’s evaluation of the effectiveness of the controls. The performance of tests of controls does not guarantee that few substantive procedures would be carried out. If the performance of tests of controls reveals that the internal controls within a particular type or class of transaction are not operating effectively, the auditor will increase the nature, timing, and extent of their substantive audit procedures.
Internal controls can serve two purposes: they can protect a company from accounting fraud, asset loss, or other financial reporting failures, and they can ensure that the company meets regulatory compliance obligations.
An audit assesses the accuracy of a company’s financial statements as well as the effectiveness of its internal control system, with the goal of identifying control weaknesses. Substantive testing, which looks for material misstatements and errors, is usually included in audits. These substantive audit procedures examine, test, and analyze the financial records of a company.