Page 319

LO 8.1 Tests of controls

The auditor must obtain sufficient appropriate evidence to support the assessed level of
control risk. As outlined in Chapter 7 , if the auditor assesses control risk as high for an
account balance or assertion, there will be no tests of controls for that account balance or
assertion. This is because the auditor does not plan to place any reliance on the related
controls. Control risk will be assessed as high if the auditor has determined that:

1. controls do not exist

2. the controls that do exist will not provide reliable evidence, or
3. it is more efficient or effective to gather the required evidence by undertaking substantive
testing.

The one exception, where the auditor is required to perform tests of controls to obtain audit
evidence about the operating effectiveness of controls, is if substantive procedures alone
cannot provide sufficient appropriate evidence to reduce a risk of material misstatement to
an acceptable level (ASA 330.8(b)/ISA 330.8(b)). Such areas would include those
involving the routine recording of significant classes of transactions, such as an entity’s
revenue, purchases, cash receipts and cash payments. The characteristics of these routine
transactions often permit highly automated processing with little or no manual
intervention. In such circumstances it might not be possible to perform only substantive
procedures in relation to risk (ASA 315.30/ISA 315.30).

One example of a routine system where it may not be possible to perform only substantive
procedures is airline ticket sales by a large airline such as Qantas. These sales transactions
would be subject to routine control procedures. With numerous sales transactions within an
accounting period, the auditor would be able to verify only a very small proportion of these
Copyright © 2018. McGraw-Hill Australia. All rights reserved.

transactions by using substantive tests of transactions. It would be expected in such systems

that the auditor would evaluate control risk as less than high and undertake tests of controls
in such systems. In addition, any control deficiencies in such automated systems would be
expected to lead to systematic errors, which would be better identified by evaluating and
testing internal control rather than by substantively verifying a small proportion of
transactions or account balances. In assessing the control risk as less than high, the auditor
has identified specific internal control policies and procedures that they believe will
prevent or detect misstatements for the assertion. Evidence is needed to support the
appropriateness of this assessment (ASA 330.8(a)/ISA 330.8(a)).

Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [30 October 2020].
Created from usc on 2020-10-30 19:46:03.
 Tests of controls are usually concerned with gathering evidence concerning the
effectiveness and continuity of controls associated with the processing of particular classes
of transactions through the accounting system (existence of controls has been established
during the assessment of controls, as discussed in Chapter 7 ). Transactions can also be
substantively tested to provide evidence to support the assessment of detection risk. The
best way of distinguishing between tests of controls and substantive tests of transactions is
that tests of controls relate only to the assessment of controls and do not directly measure
monetary error in accounting records. Substantive tests, whether of transactions or
balances, are concerned with whether monetary errors have occurred.

The coordinated program of tests of controls, substantive tests of transactions and balances
and substantive analytical procedures (substantive procedures will be discussed further in
Chapter 9 ) is commonly referred to as the audit program, which was discussed in
Chapter 5 . The audit program sets out the combination of evidence-gathering
procedures that the auditor believes will result in the most efficient and effective audit. If at
any stage during this testing phase the auditor determines that controls are not working as
they expected and that they have placed too much reliance on these controls, they can
reduce the extent of tests of controls and increase the reliance on substantive testing, by
changing their nature or increasing their extent.

Planning the scope of tests of controls

The auditor’s underlying objective in undertaking tests of controls is to gain reasonable
assurance that the controls associated with the processing of a particular class of
transactions are working as expected. This will enable the auditor to reduce substantive
tests. The considerations that affect the nature, timing and extent of tests of controls are
explained in the following discussion.
Copyright © 2018. McGraw-Hill Australia. All rights reserved.

Nature Page 320

The nature of testing refers in the first place to the type of testing, being either tests of
controls or substantive tests of transactions or balances. Based on the understanding of the
internal control system gained in assessing control risk (as discussed in Chapter 7 ), the
auditor identifies whether there are internal control policies or activities in place that
provide reasonable assurance of achieving control objectives. If such policies or activities
are prescribed, the auditor designs tests of their operating effectiveness (tests of controls).
As the planned level of assurance increases, the auditor seeks more persuasive evidence

Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [30 October 2020].
Created from usc on 2020-10-30 19:46:03.
 (ASA 330.9/ISA 330.9). If there are no internal control procedures prescribed that provide
reasonable assurance of achieving specific control objectives, the auditor designs
substantive tests of transactions or balances.

The nature of testing also refers to the specific type of audit procedures used. These were
discussed in Chapter 4 and are contained in ASA 500 (ISA 500), being inspection,
observation, enquiry, external confirmation, recalculation, re-performance and analytical
procedures. The specific type of tests of controls undertaken will depend on the
characteristics of the control, but common procedures for testing controls are inspection,
observation and enquiry. If the auditor identifies a control that they decide to rely on, and
therefore needs to test that control’s operating effectiveness, the auditor should not use
enquiry alone, but should perform other procedures as well (ASA 330.10(a)/ISA
330.10(a)). It would be a very rare circumstance in which enquiry alone provided the
auditor with sufficient appropriate evidence that a control was operating effectively.

This process is best understood by considering Global example 8.1 .

GLOBAL EXAMPLE 8.1 Test of controls for the recording of sales

A specific control objective for sales transactions is that all goods shipped (or
services rendered) have been recorded in the accounting records (the
completeness assertion). A test of controls is to see that shipping documents
are pre-numbered, that the numbers are accounted for by the client and that
the shipping documents are matched to sales invoices and approved sales
orders. The auditor would need to conduct a test of the numerical sequence
of shipping documents issued or seek other evidence to ensure that the
client has checked the numerical sequence, and select a sample of shipping
documents and inspect the related sales invoices and sales orders to ensure
Copyright © 2018. McGraw-Hill Australia. All rights reserved.

that the client has matched the documents. Enquiry alone is unlikely to
provide the auditor with sufficient appropriate evidence that the control was
operating effectively.

Timing

Given that most of the controls the auditor intends to rely on relate to transaction flows, the
auditor will need to establish that the control is operating effectively for the entire period of
intended reliance. To aid the auditor’s ability to meet deadlines and the scheduling of staff,
Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [30 October 2020].
Created from usc on 2020-10-30 19:46:03.
 the auditor sometimes schedules tests of controls to provide audit evidence for an interim
period (this testing is commonly undertaken one to three months before balance date). The
auditor would not normally undertake this testing at an early stage unless they believed that
there were adequate controls in place to allow ‘roll-forward of testing’ (extending tests
until year end). When obtaining evidence about the operating effectiveness of internal
controls during this interim period, the auditor identifies whether there are any significant
changes to the internal controls subsequent to the time that they were tested, and
determines what additional evidence should be obtained for the remaining period (ASA
330.12/ISA 330.12).

The factors that influence the extent of tests of controls necessary for the Page 321
remaining period (the period between the interim date and the balance date) are as
follows:

Results of the tests of the interim period If results indicate that internal control policies
and procedures lack operating effectiveness, control risk should be assessed as high and
substantive tests of transactions and balances should be undertaken for the entire period
of audit interest.
Enquiries concerning the remaining period Enquiries should be directed at
determining whether there were any significant changes in control or accounting
procedures during the remaining period.
Nature and amount of the transactions and balances involved If the transactions
occurring between the completion of tests of controls and the end of the year are atypical
of the transactions for the year, this indicates the need to test further. That would be the
case with a highly seasonal business and with an entity that has several large or unusual
transactions near the end of the year.
Evidence of compliance within the remaining period obtained from substantive tests
Evidence obtained through tests such as the pricing of inventory or external confirmation
of accounts receivable at balance date (which will be discussed in Chapter 9 ) shows
both the accuracy of total debits and credits to those accounts and the propriety of the
ending balances. If these tests indicate satisfactory results, there is less need to test
controls for the remaining period.
Copyright © 2018. McGraw-Hill Australia. All rights reserved.

Other matters that the auditor considers relevant in the circumstances These include
the auditor’s assessment of business risk and inherent risk, and the results of analytical
procedures applied as an aid in planning the audit program.

A commonly asked question is whether it is necessary to test the operating effectiveness of

internal controls every year in order to continue to place reliance on them. The answer to
this is no. If the auditor gains evidence that controls on which reliance was placed in
previous audits have not changed, they may still rely on these controls for the current audit.
The auditor obtains this evidence by enquiring of those responsible, combined with
observation or inspection to confirm the auditor’s understanding of those specific controls.

Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [30 October 2020].
Created from usc on 2020-10-30 19:46:03.
 Depending on the evidence thus gathered, the auditor then takes one of the following
courses of action:

If there have been changes that affect the continuing relevance of the audit evidence from
the previous audit, the auditor tests the controls in the current audit.
If there have not been any such changes, the auditor tests the controls at least once in
every third audit, making sure to test some controls in each audit to avoid the possibility
of testing all the controls in a single audit period with no testing of controls in the
subsequent two audit periods (ASA 330.13–14/ISA 330.13–14).

Extent

The more the auditor relies on the operating effectiveness of controls, the greater will be
the extent of the auditor’s tests of controls (ASA 330.9/ISA 330.9).

The extent of tests of controls that consist of inspecting documents for indication of the
performance of a checking routine or approval by stamps, initials or signatures is
commonly determined using audit sampling techniques. Determination of the extent of
tests of controls using audit sampling will be explained in Chapter 10 .

The extent of tests of controls that consist of re-performance of completed accounting

routines is not, however, determined by reference to audit sampling. Many reconciling and
balancing routines (for example, bank reconciliations) are performed monthly by the client.
A common audit approach is to recompute one or a few such reconciliations or balancings
and evaluate controls associated with these accounting routines (such as review or
authorisation), and then check that the routine and related control procedures were
performed in the other months. If the routine is performed much more frequently, the
common approach is to select a sample of routines, to check whether the routine was
performed throughout the period. The rationale for this approach is that inspecting Page 322
Copyright © 2018. McGraw-Hill Australia. All rights reserved.

a reconciliation or trial balance provides reasonable evidence that the routine and
related control procedures were properly performed and that, if they were not, sloppy or
improper performance will be apparent.

The only exception to an increase in extent with increasing reliance is in the area of
automated IT processing. Because of the inherent consistency of IT processing, an
automated control should function consistently unless the program is changed. Therefore,
audit tests may be undertaken to ensure that changes have not been made to the program
(ASA 330.A29/ISA 330.A29).

Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [30 October 2020].
Created from usc on 2020-10-30 19:46:03.
 QUICK REVIEW
1. Tests of controls must be undertaken if reliance is to be placed on controls
(i.e. if control risk is assessed as less than high).
2. Tests of controls will normally only be undertaken if the increased effort is
more than offset by a reduced level of substantive testing. The auditor
chooses the most efficient and effective combination of tests of controls,
substantive tests of transactions and balances and substantive analytical
procedures. The auditing standards also require tests of controls to be
undertaken where substantive procedures alone do not provide sufficient
appropriate evidence.
3. The auditor does not undertake tests of controls if there is no reliance to
be placed on controls, either because of a lack of controls or because of
identified control weaknesses, or because a substantive approach will
result in a more efficient or effective audit. In either of these circumstances
control risk should be assessed as high.
4. When planning the scope of tests of controls, the auditor considers the:

nature—the specific control objectives for a transaction class provide

a framework for designing tests of controls
timing—many tests of controls are undertaken at an interim period
and the auditor should determine what additional evidence should be
obtained for the remaining period
extent—this is usually determined with reference to audit sampling
techniques.

5. The auditor does not necessarily need to test the operating effectiveness
of internal controls every year in order to place reliance on them. If the
auditor gains evidence that controls on which reliance was placed in
previous audits have not changed, they may still rely on these controls for
the current audit. They must, however, test these controls at least once in
every third audit.
Copyright © 2018. McGraw-Hill Australia. All rights reserved.

Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [30 October 2020].
Created from usc on 2020-10-30 19:46:03.