Nature of Tests of Controls

30. The auditor selects audit procedures to obtain assurance about the operating effectiveness of controls. As the planned level of assurance increases, the auditor seeks more reliable audit evidence. In circumstances when the auditor adopts an approach consisting primarily of tests of controls, in particular related to those risks where it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures, the auditor ordinarily performs tests of controls to obtain a higher level of assurance about their operating effectiveness.

31. The auditor should perform other audit procedures in combination with inquiry to test the operating effectiveness of controls. Although different from obtaining an understanding of the design and implementation of controls, tests of the operating effectiveness of controls ordinarily include the same types of audit procedures used to evaluate the design and implementation of controls, and may also include reperformance of the application of the control by the auditor. Since inquiry alone is not sufficient, the auditor uses a combination of audit procedures to obtain sufficient appropriate audit evidence regarding the operating effectiveness of controls. Those controls subject to testing by performing inquiry combined with inspection or reperformance ordinarily provide more assurance than those controls for which the audit evidence consists solely of inquiry and observation. For example, an auditor may inquire about and observe the entity’s procedures for opening the mail and processing cash receipts to test the operating effectiveness of controls over cash receipts. Because an observation is pertinent only at the point in time at which it is made, the auditor ordinarily supplements the observation with inquiries of entity personnel, and may also inspect documentation about the operation of such controls at other times during the audit period in order to obtain sufficient appropriate audit evidence.

32. The nature of the particular control influences the type of audit procedure required to obtain audit evidence about whether the control was operating effectively at relevant times during the period under audit. For some controls, operating effectiveness is evidenced by documentation. In such circumstances, the auditor may decide to inspect the documentation to obtain audit evidence about operating effectiveness. For other controls, however, documentation of control effectiveness may not be available or relevant. For example, documentation of operation may not exist for some factors in the control environment, such as assignment of authority and responsibility, or for some types of control activities, such as control activities performed by a computer. In such circumstances, audit evidence about operating effectiveness may be obtained through inquiry in combination with other audit procedures such as observation or the use of CAATs.

33. In designing tests of controls, the auditor considers the need to obtain audit evidence supporting the effective operation of controls directly related to the assertions as well as other indirect controls on which these controls depend. For example, the auditor may identify a user review of an exception report of notes receivable over a customer’s authorized credit limit as a direct control related to an assertion. In such cases, the auditor considers the effectiveness of the user review of the report and also the controls related to the accuracy of the information in the report.

34. In the case of an automated application control, because of the inherent consistency of IT processing, audit evidence about the implementation of the control at the time of assessment, when considered in combination with audit evidence obtained regarding the operating effectiveness of the entity’s general controls may provide substantial audit evidence about its operating effectiveness during the relevant period.

35. When responding to the risk assessment, the auditor may design a test of controls to be performed concurrently with a test of details on the same transaction. The objective of tests of controls is to evaluate whether a control operated effectively. The objective of tests of details is to detect material misstatements at the assertion level. Although these objectives are different, both may be accomplished concurrently through performance of a test of controls and a test of details on the same transaction, also known as a dual-purpose test. For example, the auditor may examine an invoice to determine whether it has been approved and to provide substantive audit evidence of a transaction. The auditor carefully considers the design and evaluation of such tests to accomplish both objectives.

36. The absence of misstatements detected by a substantive procedure does not provide audit evidence that controls related to the assertion being tested are effective. However, misstatements that the auditor detects by performing substantive procedures are considered by the auditor when assessing the operating effectiveness of related controls. A material misstatement detected by the auditor’s procedures that was not identified by the entity ordinarily is indicative of the existence of a material weakness in internal control, which is communicated to management and those charged with governance.

Timing of Tests of Controls

37. The timing of tests of controls depends on the auditor’s objective and determines the period of reliance on those controls. If the auditor tests controls at a particular time, the auditor only obtains audit evidence that the controls operated effectively at that time. However, if the auditor tests controls throughout a period, the auditor obtains audit evidence of the effectiveness of the operation of the controls during that period.

38. Audit evidence pertaining only to a point in time may be sufficient for the auditor’s purpose, for example, when testing controls over the entity’s physical inventory counting at the period end. If, on the other hand, the auditor requires audit evidence of the effectiveness of a control over a period, audit evidence pertaining only to a point in time may be insufficient and the auditor supplements those tests with other tests of controls that are capable of providing audit evidence that the control operated effectively at relevant times during the period under audit. Such other tests may consist of tests of the entity’s monitoring of controls.

39. When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor should determine what additional audit evidence should be obtained for the remaining period. In making that determination, the auditor considers the significance of the assessed risks of material misstatement at the assertion level, the specific controls that were tested during the interim period, the degree to which audit evidence about the operating effectiveness of those controls was obtained, the length of the remaining period, the extent to which the auditor intends to reduce further substantive procedures based on the reliance of controls, and the control environment. The auditor obtains audit evidence about the nature and extent of any significant changes in internal control, including changes in the information system, processes, and personnel that occur subsequent to the interim period.

40. Additional audit evidence may be obtained, for example, by extending the testing of the operating effectiveness of controls over the remaining period or testing the entity’s monitoring of controls.

41. If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in prior audits, the auditor should obtain audit evidence about whether changes in those specific controls have occurred subsequent to the prior audit. The auditor should obtain audit evidence about whether such changes have occurred by performing inquiry in combination with observation or inspection to confirm the understanding of those specific controls. VSA 500 Audit Evidence states that the auditor performs audit procedures to establish the continuing relevance of audit evidence obtained in prior periods when the auditor plans to use the audit evidence in the current period. For example, in performing the prior audit, the auditor may have determined that an automated control was functioning as intended. The auditor obtains audit evidence to determine whether changes to the automated control have been made that affect its continued effective functioning, for example, through inquiries of management and the inspection of logs to indicate what controls have been changed. Consideration of audit evidence about these changes may support either increasing or decreasing the expected audit evidence to be obtained in the current period about the operating effectiveness of the controls.

42. If the auditor plans to rely on controls that have changed since they were last tested, the auditor should test the operating effectiveness of such controls in the current audit. Changes may affect the relevance of the audit evidence obtained in prior periods such that there may no longer be a basis for continued reliance. For example, changes in a system that enable an entity to receive a new report from the system probably do not affect the relevance of prior period audit evidence; however, a change that causes data to be accumulated or calculated differently does affect it.

43. If the auditor plans to rely on controls that have not changed since they were last tested, the auditor should test the operating effectiveness of such controls at least once in every third audit. As indicated in paragraphs 42 and 46, the auditor may not rely on audit evidence about the operating effectiveness of controls obtained in prior audits for controls that have changed since they were last tested or controls that mitigate a significant risk. The auditor’s decision on whether to rely on audit evidence obtained in prior audits for other controls is a matter of professional judgment. In addition, the length of time period between retesting such controls is also a matter of professional judgment, but cannot exceed two years.

44. In considering whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in prior audits, and, if so, the length of the time period that may elapse before retesting a control, the auditor considers the following:

a) The effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of controls, and the entity’s risk assessment process.

b) The risks arising from the characteristics of the control, including whether controls are manual or automated.

c) The effectiveness of general IT-controls.

d) The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control from tests of operating effectiveness in prior audits.

e) The risk of material misstatement and the extent of reliance on the control. The higher the risk of material misstatement, or the greater the reliance on controls, the shorter the time period elapsed, if any, is likely to be. Factors that ordinarily decrease the period for retesting a control, or result in not relying on audit evidence obtained in prior audits at all, include the following:

– A weak control environment;

– Weak monitoring of controls;

– A significant manual element to the relevant controls;

– Personnel changes that significantly affect the application of the control;

– Changing circumstances that indicate the need for changes in the control; and

– Weak general IT-controls.

45. When there are a number of controls for which the auditor determines that it is appropriate to use audit evidence obtained in prior audits, the auditor should test the operating effectiveness of some controls each audit. The purpose of this requirement is to avoid the possibility that the auditor might apply the approach of paragraph 43 to all controls on which the auditor proposes to rely, but test all those controls in a single audit period with no testing of controls in the subsequent two audit periods. In addition to providing audit evidence about the operating effectiveness of the controls being tested in the current audit, performing such tests provides collateral evidence about the continuing effectiveness of the control environment and therefore contributes to the decision about whether it is appropriate to rely on audit evidence obtained in prior audits. Therefore, when the auditor determines in accordance with paragraphs 41-44 that it is appropriate to use audit evidence obtained in prior audits for a number of controls, the auditor plans to test a sufficient portion of the controls in that population in each audit period, and at a minimum, each control is tested at least every third audit.

46. When the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk and the auditor plans to rely on the operating effectiveness of controls intended to mitigate that significant risk, the auditor should obtain the audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period. The greater the risk of material misstatement, the more audit evidence the auditor obtains that relevant controls are operating effectively. Accordingly, although the auditor often considers information obtained in prior audits in designing tests of controls to mitigate a significant risk, the auditor does not rely on audit evidence obtained in a prior audit about the operating effectiveness of controls over such risks, but instead obtains the audit evidence about the operating effectiveness of controls over such risks in the current period.

Extent of Tests of Controls

47. The auditor designs tests of controls to obtain sufficient appropriate audit evidence that the controls operated effectively throughout the period of reliance. Matters the auditor may consider in determining the extent of the auditor’s tests of controls include the following:

a) The frequency of the performance of the control by the entity during the period;

b) The length of time during the audit period that the auditor is relying on the operating effectiveness of the control;

c) The relevance and reliability of the audit evidence to be obtained in supporting that the control prevents, or detects and corrects, material misstatements at the assertion level;

d) The extent to which audit evidence is obtained from tests of other controls related to the assertion;

e) The extent to which the auditor plans to rely on the operating effectiveness of the control in the assessment of risk (and thereby reduce substantive procedures based on the reliance of such control); and

f) The expected deviation from the control.

48. The more the auditor relies on the operating effectiveness of controls in the assessment of risk, the greater is the extent of the auditor’s tests of controls. In addition, as the rate of expected deviation from a control increases, the auditor increases the extent of testing of the control. However, the auditor considers whether the rate of expected deviation indicates that the control will not be sufficient to reduce the risk of material misstatement at the assertion level to that assessed by the auditor. If the rate of expected deviation is expected to be too high, the auditor may determine that tests of controls for a particular assertion may not be effective.

49. Because of the inherent consistency of IT processing, the auditor may not need to increase the extent of testing of an automated control. An automated control should function consistently unless the program is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor considers performing tests to determine that the control continues to function effectively. Such tests might include determining that changes to the program are not made without being subject to the appropriate program change controls.