What is test of control? (External audit perspective)

Test of control in audit is performed to evaluate internal controls implemented by the business/audit client. If the client has strong internal controls, the external auditor concludes that there are less chances of errors in the financial statement. On the other hand, if the client has weak internal controls, the auditor concludes that there are more chances of error/misstatement in the financial statement.

This conclusion of the auditor directly impacts the overall risk of the engagement. For instance, if the company has strong internal controls, there is lower detection risk and vice versa.

In return, detection risk directly impacts the sample size to be selected by the auditor. For instance, if the risk is lower, the sample to be tested will be lower and vice versa.

Detailed understanding for the test of control

An auditor needs to collect sufficient and appropriate audit evidence. Generally, they have two options to obtain such evidence and include,

  1. Substantive audit  procedures – SAP
  2. Test of control

Auditors need to perform SAP at any cost because they provide sufficient audit evidence. However, auditors have the option to choose if they want to obtain assurance from test of control or not. So, if auditors conclude that controls implemented by the management are strong, they rely on system and count assurance from the test of controls. As a result, the extent of audit procedures to be performed decreases.

On the other hand, if auditors conclude that internal controls are weak, they do not rely on controls and have to perform extensive audit procedures. Generally, audit firm follow the following assessment for risk and assurance.

If the risk of material misstatement is significant and controls are strong. The audit can be planned as follows.

(All values are assumed)

Risk valueAssurance from SAPAssurance from TOCAssurance from analytical proceduresTotal assurance
31.510.53

As the risk of material misstatement was significant – we assigned the largest assumed scale of 3, which means we need to get the higher assurance to cover higher risk. An assurance of 1.5 is taken from SAP by planning audit procedures. An assurance of 1 is taken from TOC as implemented controls are strong, and the remaining 0.5 is taken from analytical procedures. Hence, the total risk assessment is three, and assurance planned is 3 as well.

On the other hand, if the risk of material misstatement is significant and controls are weak. The audit can be planned as follows.

Risk valueAssurance from SAPAssurance from TOCAssurance from analytical proceduresTotal assurance
32.500.53

Since the auditor has decided not to rely on internal controls, that’s why they need to obtain higher assurance from Substantive audit procedures and perform more work on the account balance.

On the contrary, if risk of material misstatement is low and implemented internal controls are strong. The audit can be planned as follows,

Risk valueAssurance from SAPAssurance from TOCAssurance from analytical proceduresTotal assurance
21102

Since the risk of material misstatement is not significant, the assigned value of risk stands at 2. So, an auditor can take assurance of 1 from audit procedures and 1 from a control test as control is strong. In this case, the work to be performed by the auditor is limited.

It’s important to note that allocation of numbers for the assigned risk is assumed and dependent on the auditor’s professional judgment. If auditors need to obtain higher assurance, they need to plan extensive procedures and vice versa. However, the following equation must be equal in any case.

Risk of material misstatement = Total assurance obtained   

Test of control example

Suppose Laura is audit-in-charge and planning audit at Sun-tech limited. At the planning stage, Laura’s manager wants to decide if they should place reliance on implemented controls. So, the manager tells Laura to perform test of control on different functional areas like sales, purchase, and fixed assets.

Laura approaches the sales manager asks for Standard Operating Procedures –(SOPs) and the population of transactions. Then, she selects some random samples and requests complete data of selected transactions. The complete data includes approved sales orders, communication with the production, finance, accounting department, customer, and internal management. It means a complete walkthrough is performed and compared with the SOPs.

If the walkthrough is in line with the SOPs, control is concluded to be strong and vice versa. Further, sometimes auditors prefer to identify discrete controls like approval, review, reconciliation, inspection to conclude on the effectiveness of the implemented controls. For instance, they inspect sales order to assess proper approval and authorization to be processed further.

Conclusion

Test of control includes assessment of internal controls to decide if external auditor should place reliance on implemented controls. If the auditor concludes that implemented controls are strong, assurance is planned from TOCs and vice versa. So, if auditors conclude that controls are strong, less sampling risk in assessed and less substantive work is planned and vice versa.

Leave a Comment