
Chapter 11

Tests of Controls

Objectives
Explain the relationship between control risk assessment
and audit strategy
Describe the purpose of tests of controls and the nature,
timing and extent of such tests
Clarify how the work of internal auditing may be used in
tests of controls
Explain the process of assessing control risk and
documenting the conclusion

Objectives
Indicate the appropriate communications the auditor
makes on internal control matters
Describe the types of controls you would expect to see in
an information technology environment
Identify the alternate types of computer-assisted audit
techniques

Preliminary Assessment of
Control Risk
ASA 315 para 25 states:
The auditor shall identify and assess the risks of
material misstatement at the financial report level, and
at the assertion level for classes of transaction,
account balances and disclosures
Assessment to obtain a reasonable understanding of
controls in place
Subsequently, decide on appropriate audit strategy so
as to design a detailed audit program

Process of assessing
control risk
Use professional judgement to assess the control
environment
Assess the design effectiveness of control procedures
and their ability to prevent or correct misstatements
Assess whether controls were effectively applied
throughout the period under audit

Assessment of control risk and audit strategy
In order to place reliance on the internal controls to
support the audit opinion, the auditor must test
controls to ensure that they have been implemented
as they were designed
In order to complete the work on internal controls the
auditor must carry out the following steps:
Perform tests of controls
Evaluate the evidence obtained and assess the
level of control risk

Assessment of control risk and audit strategy
When an auditor chooses a predominantly substantive
approach, he or she should have sufficient knowledge of
the system of internal control to understand the potential
causes of misstatements.
This approach is associated with a planned assessed level
of control risk of high based on one of the following:
No significant internal controls that relate to the
assertion
Relevant internal controls are unlikely to be effective
Efficient to obtain evidence to evaluate the
effectiveness of relevant internal controls

Assessment of control risk and audit strategy
In some cases a lower assessed level of control risk
approach is planned because the client has effective
internal controls and the auditor plans to test those
controls
In some circumstances the auditor might find that,
contrary to expectations, the control appears to be
ineffective; in such a case, it is appropriate to change
the strategy to a predominantly substantive approach

Tests of Controls
Tests of controls are carried out to evaluate the
operating effectiveness of the internal control policies
and procedures
The auditor must decide on the nature, timing and
extent of tests of control
ASA 330 The Auditor's Procedures in Response to
Assessed Risks

Designing tests
Tests of controls include:
enquiring of client personnel
observation of activities and procedures
e.g. observation of counting during a stock take
inspection of documents and records
re-performance of procedures


Designing tests
Tests of controls are conducted at an interim period, as the
auditor can get an early indication of whether controls are
operating effectively and change tests to substantive tests if
required
Extent of tests is determined by the auditor's planned
assessed level of control risk
More extensive testing is needed for a low assessed
level of control risk

Illustrative partial audit program for tests of controls

Using internal auditors


Internal audit is generally considered a crucial part of
the corporate governance structure of the company.
Effectiveness of internal audit must be considered first
in accordance with ASA 610 Considering the Work of
Internal Audit
Issues include organisational status, independence,
technical expertise, supervision of work etc.


Final assessment
Need to fully document all tests
Important to communicate all concerns regarding
internal control matters to the entity's management
and board
Refer ASA 265 on Communication of Audit Matters
with Those Charged with Corporate Governance (i.e.
to director level)


Communication of internal
control matters
Insert figure 1: monitoring applied to
the internal control process

Types of controls in an
information technology
environment
Overview of computer controls

Types of controls in an
information technology
environment
Audit strategies for assessing control risk
assessing control risk based on user controls
Planning for a low control risk assessment based on
application controls
Planning for a high control risk assessment based on
general controls and manual follow-up

Types of controls in an
information technology
environment
User controls
Manual procedures designed to test the
completeness and accuracy of computer processed
transactions
Application controls
Use of automated controls and planning of strategies
to assess control risk as low

Computer assisted audit techniques

Test data
Integrated test facility
Parallel simulation
Continuous monitoring
Tagging transactions
Systems control audit review file

Computer assisted audit techniques
Test data
Dummy transactions are prepared by the auditor
and processed under auditor control by the entity's
software
e.g. payroll test data may include both a valid and
invalid overtime transaction to test how the system
processes it


Computer assisted audit techniques
Integrated test facility
requires the creation of a small subsystem with dummy
master files that are subjected to the same
programmed controls as are placed on the actual data,
and a separate set of outputs is produced for the
auditor
advantage is the integrated test facility allows for
ongoing testing
disadvantage is the risk that errors could be created in
the entity's data files
accordingly, entities are often reluctant to allow
auditors to do this type of testing unless the integrity of
the testing can be guaranteed

Computer assisted audit techniques
Parallel simulation
involves reprocessing actual entity data using
auditor-controlled software
advantage is the auditor can independently run
tests and verify transactions by tracing them to
source documents and approvals
must ensure data tested is representative
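
A sketch of parallel simulation on payroll data, added here as an illustration and not taken from the original slides: auditor-controlled code recomputes gross pay from extracted timesheet records and lists every record where the entity's output differs. The record fields, the 1.5x overtime rule and the 20-hour overtime limit are assumptions made for the example, and the sample records are constructed.

```python
from decimal import Decimal

# Constructed sample: timesheet records extracted from the entity's system,
# each with the gross pay the entity's own software produced for it.
ENTITY_RECORDS = [
    {"id": "T001", "hours": "38", "overtime": "0", "rate": "30.00", "entity_gross": "1140.00"},
    {"id": "T002", "hours": "38", "overtime": "4", "rate": "30.00", "entity_gross": "1320.00"},
    {"id": "T003", "hours": "38", "overtime": "6", "rate": "25.00", "entity_gross": "1250.00"},
    {"id": "T004", "hours": "38", "overtime": "30", "rate": "25.00", "entity_gross": "2075.00"},
]

OVERTIME_MULTIPLIER = Decimal("1.5")  # assumed pay rule
MAX_OVERTIME_HOURS = Decimal("20")    # assumed programmed limit check


def auditor_gross(rec):
    """Auditor's independent recomputation; None means the record should have been rejected."""
    hours, overtime, rate = (Decimal(rec[k]) for k in ("hours", "overtime", "rate"))
    if overtime < 0 or overtime > MAX_OVERTIME_HOURS:
        return None
    gross = hours * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(Decimal("0.01"))


def parallel_simulation(records):
    """Return (id, finding, entity_gross) for every record where the entity's output differs."""
    exceptions = []
    for rec in records:
        expected = auditor_gross(rec)
        actual = Decimal(rec["entity_gross"])
        if expected is None:
            exceptions.append((rec["id"], "overtime outside limit but processed", actual))
        elif expected != actual:
            exceptions.append((rec["id"], f"auditor recomputed {expected}", actual))
    return exceptions


if __name__ == "__main__":
    # Each exception is then traced to source documents and approvals.
    for rec_id, finding, entity_gross in parallel_simulation(ENTITY_RECORDS):
        print(rec_id, finding, "entity paid", entity_gross)
```
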


Computer assisted audit techniques
Continuous monitoring of online real-time systems
An audit routine is added to the processing programs
Transactions sampled at random intervals
Output is used in testing controls

Computer assisted audit techniques
Tagging transactions
Indicator placed on selected transactions
Transaction is traced through the system as it is being
processed

Computer assisted audit techniques
Systems control audit review file
File used to record events that meet
auditor-specified criteria as they
occur at designated points in the system
Also known as an audit log
