Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / Audit Chapter 3
Microlesson · 5-min read

Extent of Test of Controls — Determining Factors

## Extent of Test of Controls — Factors (Mnemonic: FLEER)

The auditor must decide how much TOC to perform. Five factors determine this:

### Factor Table

#FactorDirection
FFrequency of control performance by entityMore frequent control → More testing required
LLength of time auditor is relying on the controlLonger reliance period → More testing
EExpected Rate of Deviation from the controlHigher expected deviation → More testing
EEvidence (Reliability) of AE to be obtained about operating effectivenessLess reliable evidence available → More testing
RRest of controls (evidence from other controls)If other controls provide corroborating evidence → Less testing needed

### Using Audit Evidence from a Previous Audit

An auditor may use evidence obtained in a prior year's audit for TOC — but must consider:

1. ROMM and extent of reliance — higher risk requires fresh testing

2. Risk from characteristics of the control — e.g., manual controls are more prone to human error

3. Risk of lack of change — has the control changed since last tested?

4. Nature and extent of deviations noted in the previous audit

5. Personnel changes — who operates the control matters

> Key Rule: The auditor must test controls at least once every 3 years even if prior audit evidence is relied upon.

### General IT Controls

When relying on automated controls, the auditor must also consider the risk arising from General IT Controls (e.g., access controls, change management controls), since automated controls are only reliable if the IT environment they run in is reliable.

Worked example

### Example 1

Frequency Factor: A bank reconciliation is performed daily vs. monthly. For the daily reconciliation, the auditor would test a larger sample (more occurrences) compared to the monthly one, since there are more instances of control operation to cover the year.

### Example 2

3-Year Rule in practice: Auditor A tested the purchase-order approval control in Year 1 and found no deviations. In Year 2, the auditor assesses low risk, no personnel changes, and the control design is unchanged. They may use prior-year evidence but must test it fresh again no later than Year 4 (i.e., within 3 years of the last test).

⚠️ Common exam mistakes

  • Thinking 'more frequent control' means less testing — it is the opposite; more occurrences mean a larger population to sample.
  • Relying on prior-year TOC evidence indefinitely — the 3-year rule mandates fresh testing at least every third year.
  • Ignoring IT general controls when the control being tested is automated — the automated control is only as reliable as the IT environment.
  • Forgetting personnel changes as a reason to refresh prior-year evidence — if a new person operates the control, prior evidence about the previous person's performance may not be relevant.
Reference: Paras 10–11 — SA 330 — The Auditor's Responses to Assessed Risks
← Previous
Evaluating Operating Effective
Next →
Framework of Further Audit Pro
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic