## Test of Controls (TOC) — Concept and Objectives

### What is TOC?

Test of Controls is a procedure to evaluate whether internal controls are operating effectively (not just whether they exist — that is covered under understanding of IC via SA 315).

```

Understanding of IC (SA 315)

↓

Evaluation & Risk Assessment

↓

Testing Operating Effectiveness of IC (SA 330 — TOC)

```

### Objective of TOC

To obtain Sufficient Appropriate Audit Evidence (SAAE) about the operating effectiveness of controls.

### When Must the Auditor Perform TOC?

TOC is required in two situations:

Situation (a):

The auditor's assessment of ROMM includes an expectation that controls are operating effectively — i.e., the auditor intends to rely on those controls to reduce the extent of substantive work.

Situation (b):

Substantive procedures alone cannot provide SAAE at the assertion level (this often occurs in IT-heavy environments where a paper trail is absent).

### Nature of TOC Procedures

When performing TOC, the auditor must go beyond mere inquiry and combine procedures to obtain evidence about:

1. How controls were applied at relevant times

2. Consistency with which they were applied during the period

3. By whom or by what means they were applied

Specific procedures used in TOC:

Procedure	Application in TOC
Inquiry + Observation	Together confirm whether a control was actually performed
Inspection of Documents	Verify that transactions were authorised (e.g., signature on voucher)
Re-performance	Independently re-execute a control originally done by the entity (e.g., re-doing bank reconciliation)
Testing on computerised IT applications	When controls operate through IT systems

Indirect Controls: If a control depends on another control, the auditor must also test that indirect (supporting) control.

> Example: If the system auto-posts journal entries based on a master-file setting, the auditor must also test the access controls over that master file.

Worked example

### Example 1

Bank Reconciliation Re-performance: The entity's accountant prepares a bank reconciliation monthly. The auditor independently re-performs the reconciliation using the bank statement and cash book — this is Re-performance as a TOC procedure, confirming the control (reconciliation) actually works as intended.

### Example 2

Voucher Authorisation Inspection: The entity's policy requires purchase invoices above ₹1 lakh to be approved by the CFO. The auditor inspects a sample of purchase vouchers to check for the CFO's signature — this is Inspection of Documents as a TOC procedure.

⚠️ Common exam mistakes

Assuming 'understanding' of internal control (SA 315) is the same as 'testing' it — SA 315 gives understanding; SA 330 gives evidence of operating effectiveness.
Using only inquiry to test controls — inquiry alone is never sufficient for TOC; it must be combined with other procedures like observation or inspection.
Forgetting to test indirect controls when the primary control depends on them.
Performing TOC only when the auditor plans to rely on controls — remember, TOC is also required when substantive procedures alone cannot provide SAAE.

Bare-Act text Para 8 · SA 330 — The Auditor's Responses to Assessed Risks · click to expand

The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls when: (a) the auditor's assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively; or (b) substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.

Now that you've read this — what's next?

Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.

🔥 Drill 5 Qs on this → ✍️ Adaptive practice →

Test of Controls (TOC) — Objectives and When Required

Worked example

⚠️ Common exam mistakes