## Controls Relevant to the Audit

Not all of an entity's controls are relevant to the auditor. The auditor focuses only on controls that are relevant to the reliability of financial reporting.

> Key Rule: Not all controls are relevant to the audit. Controls related to operations and compliance may be excluded unless they also affect financial reporting.

### Factors Determining Relevance of a Control to Audit

The auditor exercises professional judgement in determining whether a control is relevant, considering:

1. Materiality — Is the related amount or risk material?

2. Significance of the related risk — How significant is the risk the control addresses?

3. Size of the entity

4. Nature of the entity — business model, ownership characteristics

5. Diversity and complexity of the entity's operations

6. Applicable legal and regulatory requirements

7. Whether the control (individually or in combination) can prevent, detect, or correct a material misstatement

8. Nature and complexity of systems — including use of service organisations

### Internal Control over Safeguarding of Assets

Controls over safeguarding of assets from unauthorised acquisition, use, or disposition include controls relating to both financial reporting and operative activities.
The auditor is concerned only with those safeguarding controls that are relevant to the reliability of financial reporting.
Example (Relevant): Access controls (passwords) limiting access to accounting data → relevant to financial statement audit.
Example (Not Relevant): Controls to prevent excessive use of materials in production → generally NOT relevant to financial statement audit.

### Design vs. Implementation of Controls

The auditor must evaluate both:

Aspect	What the Auditor Does
Design	Evaluates whether the control is capable of preventing or correcting a material misstatement.
Implementation	Determines whether the control actually exists and is being used by the entity.

> The auditor first assesses Design, then assesses Implementation.

### Procedures to Assess Design and Implementation

Enquiry alone is not sufficient. The auditor must also:

Observe the application of specific controls
Inspect documents and reports
Trace transactions through the information system relevant to financial reporting

These procedures also serve as Risk Assessment Procedures under SA 315.

Worked example

### Example 1

Example 1 — Relevant vs. Not Relevant:

A manufacturing company has two controls:

(A) Password protection ensuring only the accounts team can post journal entries in the ERP system.

(B) Controls to prevent line supervisors from ordering more raw material than the production schedule requires.

Control (A) is relevant to the financial statement audit — it directly prevents unauthorised changes to accounting records. Control (B) relates to operational efficiency and is generally not relevant to the auditor unless there is a financial reporting implication (e.g., inventory overstatement risk).

### Example 2

Example 2 — Design vs. Implementation:

An entity has a policy that all credit notes above ₹1 lakh must be approved by the CFO (Design = adequate). However, upon inquiry and observation, the auditor finds that in practice, the accounts manager approves these without CFO sign-off (Implementation = deficient). The auditor identifies a control deficiency despite the policy being well-designed.

### Example 3

Exam Theory Question:

What factors does an auditor consider in determining whether a control is relevant to the audit?

Key points: Materiality, significance of related risk, size and nature of entity, diversity/complexity of operations, applicable laws, whether the control can prevent/detect/correct a material misstatement, and nature/complexity of systems including service organisations.

⚠️ Common exam mistakes

Stating that 'all controls are relevant to the audit' — only controls relevant to financial reporting reliability matter to the auditor.
Confusing Design and Implementation — design asks 'can it work?'; implementation asks 'is it actually working?'. Both must be assessed.
Relying solely on enquiry to assess controls — SA 315 requires enquiry to be supplemented by observation, inspection, and tracing of transactions.
Including operational controls (e.g., production efficiency controls) as relevant to the financial statement audit without linking them to a financial reporting risk.
Forgetting that safeguarding controls can relate to BOTH financial reporting and operations — but the auditor only cares about the financial reporting side.

Reference:

Now that you've read this — what's next?

Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.

🔥 Drill 5 Qs on this → ✍️ Adaptive practice →

Controls Relevant to Audit — Factors, Design and Implementation

Worked example

⚠️ Common exam mistakes