Most auditors don’t perform a test of controls? But should they? Below I explain when such a test is required. I also explain why some auditors choose to use this test even when not required.
Once risk assessment is complete, auditors have three further audit procedures they can use to respond to identified risks:
- Test of details
- Substantive analytics
- Test of controls
This article focuses on the third option.
Below you will see:
- The Right Response
- Not Testing Controls (including video about the same)
- The Decision Regarding Testing
- How to Test Controls
- Required Tests
- Which Controls to Test
- Three-year Rotation of Testing
- Interim or Period-End Testing
The Right Response
Which responses to risks of material misstatement are best? That depends on what you discover in risk assessment.
If, for example, your client consistently fails to record payables, then assess control risk for completeness at high and perform a search for unrecorded liabilities (a substantive procedure).
By contrast, if the internal controls for receivables are strong, then assess control risk for the existence assertion at less than high, and test controls for effectiveness. (You do, however, have the option to perform substantive tests rather than test controls, even when controls are appropriate. More about this in a moment.)
Not Testing Controls
Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. Therefore, you may not be able to assess control risk at less than high.
Control risk assessments of less than high must be supported with a test of controls to prove their effectiveness. But if controls are not effective, you must assess control risk at high. This is one reason why you might bypass testing controls: you know, either from prior experience or from current-year walkthroughs, that controls are not effective. If your test reveals ineffectiveness, you are back to square one: a control risk assessment of high. Then substantive procedures are your only option. In such a situation, the initial test was a waste of time.
The Decision Regarding Testing
But if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures. There is one reason, however, why you might not test controls even though they appear appropriate: substantive tests may take less time.
Once risk assessment is complete, your responses—the further audit procedures—are based on efficiency and effectiveness. If control testing takes less time, then use this option. If substantive procedures takes less time, then perform a test of details or use substantive analytics. But, regardless of efficiency considerations, address all risks with appropriate responses.
How to Test Controls
Suppose you’ve decided to test controls for effectiveness. But how? Let’s look at an example starting with risk assessment.
Your approach to testing controls depends on risk.
For example, suppose your billing and collections walkthrough reveals appropriate segregation of duties. You see that authorized personnel issue receipts for each payment received. Additionally, you determine that total daily cash inflows are reconciled by the collections supervisor to the online bank statement, and she signs off on a reconciliation sheet as evidence of this procedure. Lastly, you note that a person not involved in cash collections reconciles the monthly bank statement. In other words, controls are properly designed and in use.
Furthermore, you believe completeness is a relevant assertion. Why? Theft of incoming cash is a concern since the business handles a high volume of customer checks. If checks are stolen, cash collections would not be complete. Consequently, the inherent risk for completeness is high. The fraud risk is a significant risk which requires a test of details in addition to the test of controls.
Test Supports Effectiveness
Now it’s time to test for effectiveness.
Test the receipt controls on a sample basis. But before doing so, document the controls you desire to test and the sample size determinations. (See AICPA’s Audit Sampling standard, AU-C 530.)
The first control you are testing is the issuance of receipts by an authorized person and your sample size might be sixty.
The second control you are testing is the daily reconciliation of cash to the bank statement. For example, you could agree total daily receipts to the bank statement for twenty-five days. As you do so, you review the daily sign-offs on the reconciliation sheets. Why? The collection supervisor’s sign-off is the evidence that the control was performed.
The third control you are reviewing is the reconciliation of the bank account by a person not involved in the receipting process. So, you review the year-end bank reconciliation and confirm that the person that reconciled the bank statement was not involved in cash collections.
Once the tests are performed, determine whether the controls are effective. If they are, assess control risk for the completeness assertion at less than high. Now you have support for that lower assessment.
And what about substantive tests?
You need to perform a test of details since a significant risk (the fraud risk) is present. You might, for example, reconcile the daily total receipts to the general ledger for a month.
Test Doesn’t Support Effectiveness
If your tests do not support effectiveness, expand your sample size and examine additional receipts. Or skip the tests (if you believe the controls are not effective) and move to a fully substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency to management and those charged with governance.
So, when should you test controls? First let’s look at required tests and then optional ones.
Required Audit Tests of Controls
Here are two situations where you must test controls:
- When there is a significant risk and you are placing reliance on controls related to that risk
- When substantive procedures don’t properly address a risk of material misstatement
Let me explain.
Auditing standards allow a three-year rotation for control testing, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested annually.
Also a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. Other than the participant, there are no humans involved in the process. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test of controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization’s auditor. And you can place reliance upon those tests. In most cases, substantive procedures can properly address risks of material misstatement. So this test requirement is usually not relevant.
Optional Audit Test of Controls
We just covered the two situations when testing is required. All other control testing is optional.
Prior to making the decision about testing, consider the following:
- Do you anticipate effectiveness? There’s no need to test an ineffective control.
- Does the control relate to an assertion for which you desire a lower control risk?
- Will it take less time to test the control than to perform a substantive procedure? Sometimes you may not know the answer to this question until you perform the test of controls. If the initial test does not prove effectiveness, then you have to expand your sample or just punt—in other words, use a fully substantive approach.
- Will you use the control testing in conjunction with a test of details or substantive analytics? How would effective controls reduce these substantive tests? In other words, how much substantive testing time would you save if the control is effective?
- Is the control evidence physical or electronic? For example, are the entity’s receipts in a physical receipt book or in a computer? It’s usually easier to test electronic evidence.
- How large will your sample size be? Some controls occur once a month. Others, thousands of times in the period. The larger the population, the larger the sample. And, of course, the larger the sample size, the more time it will take to perform the test.
- Can you test the population as a whole without sampling? Data analytics software—in some instances—can be used to test the entire population. For example, if a purchase order is required for all payments above $5,000, it might be easy to compare all payments above the threshold to purchase orders, assuming the purchase orders are electronic.
Three-Year Rotation of Testing
As I said earlier, audit standards allow a three-year rotation for testing. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as it was in 2020, when the initial test was performed. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.
In short, testing for effectiveness can, in most cases, occur every three years. But walkthroughs are necessary each year. If you tested sixty transactions for an appropriate purchase order in 2020, then you can wait until 2023 to do so again. But review of the purchase order process each year in your annual walkthroughs.
So should you test controls at interim or after year-end?
Interim or Period-End Testing
Some auditors test controls after the period-end (after year-end in most cases). Others at interim. Which is best?
Perform interim tests if this fits better in your work schedule. Here’s an example: You perform an interim test on November 1, 2021. Later, say in February 2022, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing additional tests for the November 1 to December 31 period. Once done, determine if the controls are effective.
Testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate.
If you choose to test after period-end, then do so for the full period being audited. Your sample should be representative of that timeframe.
So should you ever test controls at a point in time and not over a period of time? Yes, sometimes. For example, test inventory count controls at year-end only. Why? Well those controls are only relevant to the year-end count, a point in time. Most controls, however, are in use throughout the period you are auditing. Therefore, you need to test those controls over that period of time (e.g., year).
As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.
Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytical Procedures: Power Up.