Escolar Documentos
Profissional Documentos
Cultura Documentos
UNIT 8
Test of Controls
o The purpose is to test the effectiveness of controls in support of a reduced control risk for the
audit
o During the understanding phase, the auditor will have already gathered some evidence in support
of both the design of the controls and their implementation by using procedures to obtain and
understanding.
o Auditor = likely that enough evidence won’t be gathered for the reduction of assessed risk
THUS, obtain additional evidence about the operating effectiveness of controls throughout
all, or at least most of the period
Types of Procedures
o 1. Although inquiry is not necessarily a highly reliable source of evidence about the effective
operation of controls, it is still appropriate. (If unauthorized personnel are denied access to
computer files, it is possible to ask the computer library controller)
o 2. Many controls leave a clear trail of documentary evidence that can be used to test controls.
(Customer order receipt -> create customer sales order -> which is approved for credit)
o 3. Some controls do not leave an evidence trail, which means that it is not possible at a later date to
examine evidence that the control was executed (separation of duties -> specific persons and tasks -
> and there is no documentation available
o Control-related activities for which there are related documents and records, but their content is
insufficient for the auditor’s purpose of assessing whether controls are operating effectively
Extent of Procedures – depends on the preliminary assessed control risk. Lower assessed control risk
would result to more extensive tests of controls are applied, both in terms of the number of controls tested
and the extent of the tests for each control. (Auditor -> low assessed control risk -> larger sample size for
inspection, observation, and reperformance procedures)
Testing less than the audit period – depends on the frequency of the operation of the controls (end of the
year, quarterly, monthly)
o Evidence from prior year’s audit – When auditors plan to use evidence about the operating
effectiveness of internal control obtained in prior audits, auditing standards require tests of the
controls’ effectiveness at least every third year. (If change was observed by the auditor since last
testing, they should test it in the current year), automated or manual.
o Testing of Controls Related to Significant Risks – significant risks are those risks that the auditor
believes require special audit consideration. When the auditor’s risk assessment procedures
identify significant risks, the auditor is required to test the operating effectiveness controls that
mitigate these risks in the current year audit.
o Testing less than the entire audit period – PCAOB auditing standards require the auditor to perform
tests of controls that are adequate to determine whether controls are operating effectively at year
end. Timing will depend on the nature of controls and when the company uses them.
Internal Controls in Outsourced Systems – Auditing standards require the auditor to
consider the need to obtain an understanding and test the internal controls if it involves
processing significant financial data.; Depth of the auditor’s understanding depends on the
complexity of the system and the extent to which the control is relied upon to reduce
control risk.
Reliance on Service Center Auditors – Understanding of the service center ‘s internal
controls (Service Organization Controls or SOC), and issue a SOC report for use by all
customers and their independent auditors. This independent assessment is to provide
service center customers reasonable assurance about the adequacy of the service center’s
general and application controls. It is also to eliminate the need for redundant audits by
customers’ auditors.