The internal control of a company defines its policies, processes, tasks, behaviours, and other aspects that help in effective operations, ensure the quality of internal and external reporting and ensure compliance with applicable laws. The definition is from the Turnbull report that Nigel Turnbull produced after drawing it up with the London Stock Exchange. The objectives of internal control for a company or business include efficient conduct of business, safeguarding its assets, preventing and detecting fraud and other acts, completeness and accuracy of financial records, and timely preparation of financial statements.
For the purpose of auditing, the internal controls of a company are crucial in determining the audit risks of the audit assignment. Similarly, it is vital in the determination of the audit procedures that auditors must perform for that particular assignment. It is mainly because the internal controls of a company affect the process of its preparation of financial statements. Companies with a reliable internal control function can easily prevent or detect material misstatements in their financial statements and correct them promptly. Therefore, auditors must first determine the effectiveness of the internal controls of a company before performing audit procedures.
To determine the effectiveness of the internal controls of a company, auditors must use a method known as the test of controls.
What is Test of Controls?
Test of controls is an audit procedure that auditors perform on the internal controls of a company after the initial planning and understanding phase of an audit assignment. Auditors perform the test of controls in order to obtain audit evidence about the effectiveness of the following:
Test of controls occurs only after auditors have obtained an understanding of and evaluate the design and implementation of controls.
Sometimes, auditors may also design their test of controls to be performed concurrently with the test of details of a company. While the purpose of both the tests is different, auditors can accomplish both by performing test of controls and details on the same transaction, also known as a dual-purpose test. Therefore, sometimes, test of controls may also take the form of a dual-purpose test.
Why Test Controls?
The audit test of controls is a crucial part of the audit process. Firstly, the test of controls used by auditors can determine the level of risk associated with a particular audit assignment. This risk can further dictate different aspects of the audit. These aspects include materiality, performance materiality, and some other aspects.
The importance of the test of controls also depends on its results. If auditors get positive results from test of controls, or when the client’s internal control process is effective, it can significantly reduce the audit procedures that auditors must perform. However, if the result is negative or unsatisfactory, it can help auditors increase their audit procedures to minimize the audit risks of an assignment.
Test of controls is also vital as it dictates the amount of audit evidence that auditors must obtain. Same as the case above, if the internal controls of a company are satisfactory, auditors can rely on less audit evidence. Contrastingly, in case of an unsatisfactory test of control results, the amount of audit evidence they must obtain increases substantially.
How to Test Controls?
The way auditors test the controls of their clients depends on several factors. First of all, auditors need to check their initial risk assessment of the client. This way, auditors can also compensate for any control deficiencies during the risk assessment process. Once they determine the risk associated with an audit assignment, they can get into testing the effectiveness of controls at the client. They can do this in many ways, discussed below in procedures to obtain test of controls. Based on these tests, auditors can either expand their sample size or move directly to substantive testing.
When to Test Controls?
When the auditors perform test of controls depends on the client and the auditors’ understanding of the client. According to the International Standards on Auditing, auditors must perform test of controls during their planning phase. However, practically, that may not be possible due to restrictions from clients or auditors. Therefore, auditors perform test of controls during the execution phase of the audit. However, auditors must still prioritize test of controls over other procedures as it determines the level of other procedures they must perform.
Procedures to Obtain Test of Controls
There are four types of test of controls or procedures to obtain test of controls. These are audit procedures that relate to only testing the operative effectiveness of the internal controls of the client. These procedures include the following.
1. Inquiries about Internal Controls
An inquiry is an audit procedure in which auditors ask the management of a company for an explanation related to control processes. Inquiry consists of verbal communications between the auditor and management of the client. While inquiring is an audit procedure and used in the test of controls, according to auditing standards, it is a low-quality form of audit evidence. It is because the inquiry is verbal and not written, which makes it an unreliable mode of obtaining audit evidence. Therefore, auditors must use other audit procedures alongside it to verify the claims of management.
However, the inquiry is still an effective procedure when it comes to testing of controls of a company. It is a great way for auditors to interact with the management of the client and obtain an understanding of the processes and procedures they have in place for internal controls. Despite that, inquiry provides limited evidence as sometimes a client’s employees or management may be reluctant to share information with auditors. Similarly, sometimes, they may also tell the auditors about procedures that are a part of the policies of the company rather than the actual procedures they use.
2. Inspection of Documents
To counter the chances of wrong information provided by the client, auditors can also use the inspection as an audit procedure. Inspections consist of examining the supporting documents related to the internal controls of the client. For example, auditors can inspect the bank reconciliation statement prepared by the management of the client to determine whether it is reliable. Auditors can also inspect the tangible assets of a company. However, only inspecting records and documents relates to test of controls.
Inspections give auditors a better form of evidence as compared to inquiry and observation. That is because inspection contains examining the source documents of transactions or balances, which is in written form. Written evidence is more reliable to auditors as compared to other sources, which includes verbal evidence. Similarly, inspecting also gives auditors a better idea of the controls in place for the client and the personnel responsible for those controls.
Inspections require auditors to select a sample of transactions first to test for controls. Therefore, sometimes inspection may also not return correct results as there is sampling risk involved in it. Similarly, despite control procedures being in place, it does not ensure that the employees performed the procedures correctly. These are the risks that auditors must bear with inspection used in the test of controls.
3. Observation of Controls
Observation is the process of examining the procedures that are in place at a company firsthand. It usually requires auditors to be present when the client is performing its control procedures. The best example for observation is during the end of the year when the client is counting the inventory and auditors observe the process. Observation can give auditors an idea of how the procedures in place are performed by the personnel responsible for it. Similarly, observation can help auditors detect any weaknesses in the internal control process on the spot.
However, observation, like inquiry, has its disadvantage. Observation is not a written form of evidence, and, therefore, not considered high-quality. Observation can also return false results for auditors as it only shows the effectiveness of control in their presence. Thus, auditors’ presence may influence the procedures performed by personnel.
4. Reperformance of Control Procedures
Reperformance is another audit procedure that auditors can use as a part of test of controls. It typically consists of auditors’ independent execution of procedures or controls that the client performs as a part of its internal control system. For instance, it involves auditors reperforming the bank reconciliation process to check for any inefficiencies in the process. Reperformance is the most reliable form of audit evidence that auditors can obtain. It is because it involves direct evidence on how the controls in place at the client’s work.
However, there are some limitations of reperformance as well. Reperformance is usually time-consuming as auditors need to reperform all the steps involved in the process despite the client already having done it. For example, for bank reconciliation, auditors need to check every item in the bank statements of its clients and check for any differences between the bank book and bank statement balances. Therefore, these procedures are limited to small samples only.
5. Examination of Evidence of Management Views
This is another audit procedure that auditors can use as part of their testing of internal control. This done by performing the examination to obtain evidence after obtaining the management views.
The examination can be done by obtaining the minutes of the meeting, board resolution, or any shareholder resolution where applicable.
Test of Controls Example
An audit firm needs to perform a test of controls on the sale process of a client, ABC Co. To do so, they can use the following test of controls.
- They can observe the sale process of ABC Co. through a walkthrough. While observing the process, auditors can determine whether the internal controls in place are sufficient to detect or prevent misstatements and correct them. However, observation may not be the best test of control for transactions.
- They can inquire about the management of ABC Co. about the internal controls associated with the sales process. Inquiry can help the auditors better understand the process.
- They can inspect the underlying source documents associated with sale transactions for controls. In the case of sales, inspecting records may be the best option.
- For sales, reperforming may not be an option for the auditors. However, auditors can perform calculations based on the number of units and sale prices.
Conclusion
Test of controls is the process of examining the effectiveness of the internal controls of a client used by auditors. Auditors use test of controls for different reasons, which may include reducing the audit risk and audit procedures performed by auditors. Auditors use various procedures to perform test of controls of a client. Usually, they must test controls during the planning stage of the audit. However, practically, they do it during the execution phase. The main procedures in test of controls include inquiry, inspection, observation, and reperformance as well as the examination of the evidence of management view.
