[section separator="true"]
[section-item 9]
[row]
[column 12]
[toc-this]
Principles
Placing reliance on controls
If the selected approach is to rely on controls to reduce the extent of substantive procedures, the objective of tests of controls is to evaluate whether the key controls, or relevant [a-glossary term="compensating%20controls"]compensating controls[/a-glossary], operated effectively and continuously during the period under review (phase 3 in the diagram below).
Not placing reliance on controls
Even if in the planning phase it is decided not to rely on controls (audit objective), the auditor should still examine the design of key controls (and may perform tests of controls) so as to support findings and identify and report on weaknesses and propose recommendations for improvement.
Nature of tests of controls
The nature of a particular control influences the type of audit procedure required to obtain audit evidence about whether the control was operating effectively at relevant times during the period under audit. There are two levels of controls: high-level controls, such as monitoring controls, and low-level controls, such as authorisation controls, operational controls, physical controls, etc. These can be manual, semi-automated or fully automated. Reliance should be placed on the highest-level control possible. Tests of controls can be divided into three main categories, as follows.
- Tests of key controls over individual transactions processed by a system. Key controls are part of transactions processing, often manual or semi-automated.
- Tests of automated application controls. Application controls are built into the auditee’s systems and are applied to individual transactions or to batches of similar transactions. The auditor should have a good understanding of the auditee’s IT environment. The key application controls are tested since they play a key role in the generation of key reports and the protection of electronic data, and have a significant impact on the financial statements.
- Tests of management and monitoring controls. Additional audit evidence may be obtained by testing monitoring controls, which focus on internal control system outputs and are performed on a regular basis. These detection controls are performed after transaction processing and provide management with assurance that a group or class of transactions has been processed completely, accurately and in accordance with the rules.
Timing of tests of controls
The timing of tests of controls depends on the auditor’s objective and determines the period of reliance on those controls. The timing of tests refers both to the period to cover (at a particular time or throughout a period) and to the time when the auditor will perform the test (interim period or period end) or not (reliance obtained in prior audits). For significant risks, the auditor should test the controls in the current period. If substantially different controls were used at different times during the period under audit, the auditor should consider each one separately.
| Tests of controls carried out | Evidence to obtain |
|---|---|
| at a point in time | the auditor only obtains audit evidence that the controls operated effectively at that time. |
| throughout the period | the auditor obtains audit evidence that the control operated effectively at relevant times. |
| during an interim period | additional audit evidence should be obtained for the remaining period about the nature and extent of any significant changes in internal control, e.g. changes in IT or processes. |
| in prior audits | the auditor should obtain audit evidence whether changes in those specific controls have occurred after the prior audit through enquiry, in combination with observation or inspection. |
| in prior audits - controls over significant risks | the auditor may not rely on evidence obtained in prior audits for controls that mitigate a significant risk: those controls should be tested in the current period. |
| in a prior audit, if controls changed since last tested | the operating effectiveness of such controls should be tested in the current audit. Changes may mean there is no basis for continued reliance. |
| in a prior audit, if controls unchanged since last tested | the auditor should test the operating effectiveness of such controls at least once every third audit, but avoid testing all controls in one audit period with no testing in the others. |
Extent of tests of controls
The auditor designs tests of controls to obtain sufficient, relevant and reliable audit evidence that they operated effectively throughout the period of reliance. The more (s)he relies on the operating effectiveness of controls in the risk assessment, the greater the extent of tests of controls.
The auditor may consider the following when determining the extent of tests of controls:
- the frequency of the performance of the control by the entity during the period;
- the length of time during the audit period that the auditor is relying on the control;
- the relevance and reliability of the audit evidence of the control's effectiveness;
- the extent of audit evidence from tests of other controls related to the assertion;
- the extent of planned reliance on the control (reducing substantive procedures);
- the expected deviation from the control, an increase in which leads to increased testing of the control: if deviation is expected to be too high, tests of control may not be effective.
In cases where the auditor decides to increase the extent of the audit procedure, the extent of tests of automated controls does not necessarily need to be increased, because of the inherent consistency of IT processing. Once the auditor determines that an automated control is functioning as intended, (s)he will then consider performing tests to establish whether the control still functions effectively.
Tests of controls providing positive evidence
When evaluating and testing controls, the auditor should carefully consider the [link title="inherent%20limitations%20of%20internal%20controls" link="%2Faware%2FGAP%2FPages%2FCA-FA%2FPlanning%2FInternal-control.aspx%23Inherent-limitations-of-internal-controls" /], as well as the cost-effectiveness of testing controls. The weakly persuasive and negative nature of evidence is a general problem affecting tests of controls. However, tests of controls can be devised that provide positive evidence that a control is operating as expected, e.g. lists of transactions that were rejected as a result of the key controls, along with the record of the correction and reprocessing of the transactions concerned or periodic reconciliation of bank records to accounting data.
Instructions
The techniques that are generally used to test key controls are observation and enquiry, inspection and computation, or a combination thereof. The following overview gives an indication of how to test the operating effectiveness of key controls.
Testing application controls
- Based on mapping of application controls, identify the key processes, master files, interfaces with other modules and systems, the link to the accounting records and management reports. The control objectives (completeness, accuracy, validity, restricted access) addressing the specific risks (access, input, rejection, processing) for each component should be determined. The key controls designed to meet these control objectives should be tested through enquiry, observation, inspection and some re-performance.
Testing the assertions addressed
- Identify key controls that ensure completeness and reliability of transactions and ensure they are effective through re-performance if needed.
Walkthrough testing of controls
- Understand/document the transaction flow and policies & procedures of the control.
- Confirm the process, data used for controls and time the control is in place.
- Interview individuals performing the control on the type of information they look for, how they detect errors, deviations and/or anomalies, and how they treat them.
Testing individual items
- If the auditor cannot obtain sufficient audit evidence using walkthrough testing, then (s)he can use sampling procedures to test individual items. The sample used is either drawn for controls alone (single purpose testing) or is the same as for substantive testing (multipurpose testing).
- Review of corrective actions and enquiry about their follow-up.
Reviewing evidence of controls
- Evidence of authorisation of a selected transaction (signature of the authorising officer, the ex-ante unit, etc.),
- Evidence of review by another official (of correct data computation, etc.),
- Evidence of check of compliance with budgetary rules, legality/regularity, and documentation.
Testing management and monitoring controls
- Ensure that management and monitoring controls have been operating regularly and consistently during the period under review.
- Review of management information systems.
- Check that management analysed results of the controls and took corrective action.
Resources
[toggles]
[toggle title="Tests%20of%20controls%20typically%20performed%20when%20auditing%20the%20reliability%20of%20the%20accounts"]
- the accounting control environment (including risk analysis, review activity and accounting manual);
- analysis of the systems for recording data (e.g. ABAC and local systems for recording, pre-financing, guarantees);
- the functioning of key budgetary and accounting procedures;
- the accounts closing process, especially relating to cut-off, invoices, pre-financing, guarantees, RAL (reste à liquider), commitments, payments, off-balance sheet items;
- reconciliations;
- DGs' controls of closure files supporting the final beneficiaries;
- review of applicable IAS reports (Internal Audit Service) and APC (Audit Progress Committee).
[/toggle]
[/toggles]
[toggles]
[toggle title="Examples%20of%20key%20high-level%20controls%20that%20may%20be%20tested%20in%20compliance%20audit"]
- ex-ante controls;
- audit certificates and reliability of the certification process (e.g. certifying bodies and audit authorities);
- ex-post controls, e.g. clearance of accounts procedures, conformity decisions; ex-post controls on projects for Transport, Research and Energy;
- information systems, such as the Integrated Administrative and Control System (IACS);
- monitoring performed by the Commission.
[/toggle]
[/toggles]
[/toc-this]
[/column]
[/row]
[/section-item]
[section-item 3]
[row]
[column 12]
[panel panel-style="boxed" title="Related%20documents" icon="book" class="ref-panel"]
[standards]
[link new-window title="ISA%20330" link="https%3a%2f%2fwww.ifac.org%2fsystem%2ffiles%2fpublications%2ffiles%2fIAASB-2020-Handbook-Volume-1.pdf%23INTERNATIONAL%2520STANDARD%2520ON%2520AUDITING%2520330" /]
[/standards]
[/panel]
[/column]
[/row]
[row]
[column 12][/column]
[row]
[column 12]
[toc fixed="true" selectors="h2%2Ch3" class="basic-toc" /]
[/column]
[/row]
[/section-item]
[/section]