Control testing (tests of controls) evaluates whether a client's internal controls are working as designed. When controls are effective, auditors can reduce the extent of substantive testing, creating a more efficient audit.
Why Test Controls?
Audit Efficiency
- Effective controls = lower control risk
- Lower control risk = less substantive testing needed
- Less substantive testing = more efficient engagement
Requirement
- Controls must be tested if the auditor plans to rely on them
- PCAOB requires control testing for integrated audits of public companies
- Even for private companies, control testing is often cost-effective
Types of Control Tests
Inquiry
- Ask personnel about how controls operate
- Weakest form of evidence (alone, insufficient)
- Combined with other procedures
Observation
- Watch controls being performed
- Evidence limited to the point in time observed
- Useful for controls that leave no documentary trail
Inspection
- Examine documents and records for evidence of control operation
- Review approvals, signatures, reconciliations
- Strongest evidence for manual controls
Reperformance
- Independently execute the control procedure
- Most persuasive form of evidence
- Time-intensive but definitive
Control Testing Considerations
Sample Size
- Based on frequency of control operation
- Daily controls: test 25-60 items
- Monthly controls: test 2-5 items
- Annual controls: test 1 item (with additional considerations)
Timing
- Interim testing: During the audit period (requires roll-forward procedures)
- Year-end testing: At or near the balance sheet date
- Dual-purpose testing: Combines control and substantive procedures
Exceptions
When control failures are found:
- Evaluate the nature and cause
- Determine if the control can still be relied upon
- Consider the impact on audit strategy
- Increase substantive testing if necessary
Documentation
Control testing workpapers must document:
- Control being tested
- Nature of test procedure
- Items selected and results
- Conclusions on design and operating effectiveness
- Impact on audit approach if exceptions found