A test of controls is a response to the risk a material misstatement. Today, I tell you when to use this response and how.
Three Responses to the Risk of Material Misstatement
The audit standards provide three potential responses to the risk of material misstatement:
- Test of details
- Substantive analytical procedures
- Test of controls
Today we look at the third option.
Why Test Controls?
Which response to a risk of material misstatement (RMM) is best? That depends on what you discover in risk assessment.
If, for example, your client consistently fails to record payables, then assess the completeness assertion for control risk at high. Your response? Perform a search for unrecorded liabilities, a test of details.
By contrast, if controls for receivables are strong, then assess the existence assertion for control risk at less than high. And test controls.
Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. And you may not be able to assess control risk at less than high. (Nevertheless, most entities do have some controls that are effective.)
Control risk assessments of less than high must be supported with a test of controls. Why? To prove effectiveness. But if controls are not effective, you must assess control risk at high. This is why you might bypass control testing. You know, either from prior experience or from current-year walkthroughs, that controls are not effective. And if you test controls and find they are ineffective, you are back to square one: a control risk assessment of high. And now you must respond with either a test of details or substantive analytics, or a combination of the two. Testing ineffective controls is a waste of time.
Nevertheless, if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures (test of details or substantive analytics).
Once risk assessment is complete, the decision regarding responses is largely based on efficiency. If control testing takes less time, then test controls. If substantive procedures takes less time, then perform a test of details or use a substantive analytical approach. But, regardless of efficiency considerations, address all risks with appropriate responses.
Next, we'll assume that controls are anticipated to be effective. And we'll look at how to test controls.
How to Test Controls
So you've decided to test controls for effectiveness. But how? Let's look at an example starting with risk assessment.
Your approach to testing controls depends on risk identified during risk assessment. For example, your walkthrough reveals appropriate segregation of duties. And you also see that the client issues receipts for each payment. Additionally, total daily cash inflows are reconciled to the bank statement. In other words, controls are designed properly and they have been implemented. Also, as an example, you've determined completeness is a relevant assertion. Why? Theft is a concern.
Control Test Supports Effectiveness
Now, it's time to test for effectiveness. You've already determined segregation of duties is present. If necessary, make additional observations regarding who is doing what. And document those observations. If the client has an accounting handbook, see if there were any amendments to the control system during the period being audited. Why? You want to know if the segregation of duties was present throughout the year. Make additional inquires, if needed.
Additionally, re-perform the receipt controls on a sample basis. But before doing so, determine the controls you are testing and the sample size. For example, your sample size might be 60 receipts and the control being tested is the issuance of a receipt by an authorized person. Additionally, you might sample 25 daily reconciliations to the bank statement. Document this information including how you determined your sample sizes. Now perform your tests and document whether the controls are effective. If yes, leave your control risk at less than high. You have support for that lower risk assessment. Additionally, you can now perform fewer substantive tests.
Test Doesn't Support Effectiveness
If your test does not support effectiveness, expand your sample size and test additional receipts. Or you can punt on the testing controls and move to a substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency.
So, when should you test controls?
When to Test Controls
Here are two situations where you are required to test controls:
- When there is a significant risk and you are placing reliance on controls related to that risk
- When substantive procedures don't properly address a risk of material misstatement
Allow me to explain.
Required Test of Controls
Auditing standards allow a three-year rotation for testing controls, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested in the current period. Additionally, the auditor should perform substantive procedures responsive to the significant risk. And those substantive procedures must include a test of details.
Also a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. There are no humans involved in the process, other than the participant. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test of controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization's auditor. And you can leverage (place reliance upon) those tests.
Three Year Rotation
As I said earlier, audit standards allow a three-year rotation for testing effectiveness. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as before. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.
In short, testing for effectiveness can occur every three years, in most cases. But risk assessment procedures (e.g., walkthroughs) must be performed annually.
So should tests occur at interim or after year-end?
Interim or Year-End Tests
Some auditors test after the period has ended. Others at interim. Which should you choose?
If it fits better into your work schedule, perform interim test of controls. Here's an example: You perform an interim test of controls on November 1, 2019. Later, say in February 2020, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing an additional tests of controls for the November 1 to December 31 period. Once done, determine if the controls are effective.
But testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate.
If you choose to test after year-end, then you'll examine controls for the full period being audited. Your sample should be representative of that timeframe.
So should you ever test at a point in time and not over a period of time? Yes, sometimes. For example, you might test inventory count controls at year-end.
Well, can you see why testing controls is confusing? There's a lot to think about.
As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.
Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytics: Smart Audit Procedures.