After assimilating the internal control system, the auditor needs to examine whether and how far the same is actually in operation. For this, he resorts to actual testing of the system in operation. This he does on a selective basis: he can plan this testing in such a manner that all the important areas are covered in a period of, say, three years. Selective testing is being done by application of procedural tests and auditing in depth.
Tests of Control
Tests of control are performed to obtain audit evidence about the effectiveness of the:
- design of the accounting and internal control systems, that is, whether they are suitably designed to prevent or detect and correct material misstatements; and
- operation of the internal controls throughout the period.
Tests of control include tests of elements of the control environment where strengths in the control environment are used by auditors to reduce control risk. Some of the procedures performed to obtain the understanding of the accounting and internal control systems may not have been specifically planned as tests of control but may provide audit evidence about the effectiveness of the design and operation of internal controls relevant to certain assertions and, consequently, serve as tests of control. For example, in obtaining the understanding of the accounting and internal control systems pertaining to cash, the auditor may have obtained audit evidence about the effectiveness of the bank reconciliation process through inquiry and observation. When the auditor concludes that procedures performed to obtain the understanding of the accounting and internal control systems also provide audit evidence about the suitability of design and operating effectiveness of policies and procedures relevant to a particular financial statement assertion, the auditor may use that audit evidence, provided it is sufficient to support a control risk assessment at less than a high level.
Tests of control may include:
- Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have operated properly, for example, verifying that a transaction has been authorised.
- Inquiries about, and observation of, internal controls which leave no audit trail, for example, determining who actually performs each function and not merely who is supposed to perform it.
- Re-performance of internal controls, for example, reconciliation of bank accounts, to ensure they were correctly performed by the entity.
- Testing of internal control operating on specific computerised applications or over the overall information technology function, for example, access or program change controls.
When obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation recognises that some deviations may have occurred. Deviations from prescribed controls may be caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. When deviations are detected the auditor makes specific inquiries regarding these matters, particularly, the timing of staff changes in key internal control functions. The auditor then ensures that the tests of control appropriately cover such a period of change or fluctuation. Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may result in the auditor concluding that the assessed level of control risk needs to be revised. In such cases, the auditor would modify the nature, timing and extent of planned substantive procedures.
Before the conclusion of the audit, based on the results of substantive procedures and other audit evidence obtained by the auditor, the auditor should consider whether the assessment of control risk is confirmed. In case of deviations from the prescribed accounting and internal control systems, the auditor would make specific inquiries to consider their implications. Where, on the basis of such inquiries, the auditor concludes that the deviations are such that the preliminary assessment of control risk is not supported, he would amend the same unless the audit evidence obtained from other tests of control supports that assessment. Where the auditor concludes that the assessed level of control risk needs to be revised, he would modify the nature, timing and extent of his planned substantive procedures. It has been suggested that actual operation of the internal control should be tested by the application of procedural tests and examination in depth. Procedural tests simply mean testing of the compliance with the procedures laid down by the management in respect of initiation, authorisation, recording and documentation of transaction at each stage through which it flows. For example, the procedure for sales requires the following:
- Before acceptance of any order the position of stock of the relevant article should be known to ascertain whether the order can be executed in time.
- An advice under the authorisation of the sales manager should be sent to the party placing the order, internal reference number, and the acceptance of the order. This advice should be prepared on a standardised form and copy thereof should be forwarded to stock section to enable it to prepare for the execution of the order in time.
- The credit period allowed to the party should be the normal credit period. For any special credit period a special authorisation of the sales manager would be necessary.
- The rate at which the order has been accepted and other terms about transport, insurance, etc., should be clearly specified.
- Before deciding upon the credit period, a reference should be made to the credit section to know the creditworthiness of the party and particularly whether the party has honoured its commitments in the past.
An auditor testing the internal controls on sales should invariably test whether any of the aforesaid procedures have been omitted. If credit has actually been granted without a reference to the credit section to know the creditworthiness of the party, it is possible that the amount may prove bad because of the financial crisis or deadlock in the management of the party, a fact which could have been easily gathered from the credit section. Similarly, if an order is received without a reference to the stock section, it is likely due to non-availability of the stock on the stipulated date; execution of the order may be delayed and the company may have to compensate the buyer for the damages suffered by him.