Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / Audit Concepts / SAs
Microlesson · 5-min read

Testing of Internal Controls — Tests of Controls (SA 330)

## Testing of Internal Controls

### Purpose of Tests of Controls

Tests of controls obtain audit evidence about the effectiveness of:

1. The design of the accounting and internal control system

2. The operation of internal control throughout the period

### Types of Tests of Controls

Test TypeWhat It InvolvesExample
Inspection of documentsExamining documents supporting transactions to verify controls operated properlyVerifying that a transaction bears authorisation evidence
Inquiry and ObservationUsed for controls that leave no audit trailDetermining who actually performs each function — not merely who is supposed to
Re-performanceAuditor's independent execution of procedures/controls originally performed by the entityRe-doing bank reconciliation to verify it was correctly performed
IT-specific testingTesting controls over computerised applications or overall IT functionTesting access controls or program change controls

> Key rule: Inquiry alone is not sufficient as a test of control.

### Key Considerations When Assessing Evidence of Operating Effectiveness

When obtaining audit evidence about the effective operation of internal controls, the auditor must consider:

  • How the controls were applied
  • The consistency with which they were applied during the period
  • By whom they were applied

### Understanding Controls vs. Testing Operating Effectiveness

ActivityPurposeSufficient?
Understanding controls (risk assessment)Know what controls exist and are designed to doDoes NOT establish operating effectiveness
Tests of controlsObtain evidence that controls worked throughout the periodRequired to place reliance on controls

### IT Controls — Special Consideration

Due to the inherent consistency of IT processing, implementing an automated control may also serve as evidence of its operating effectiveness — provided IT general controls (especially program change controls) are also tested and found effective.

Worked example

### Example 1

Scenario: The auditor observes that the cashier accepts cash receipts without any supervisory countersignature. Since this control operates without leaving a document trail. Best test: Observation — the auditor observes who actually performs the receipt process and whether countersigning occurs, rather than relying on inquiry alone.

### Example 2

Scenario: The auditor needs evidence that the bank reconciliation control operated effectively. Test used: Re-performance — the auditor independently re-prepares the bank reconciliation for a sample of months and compares it to the entity's version to verify it was correctly and consistently performed.

### Example 3

Scenario: An entity's purchase order system automatically blocks orders above ₹10 lakhs unless approved by the CFO (automated control). Analysis: The auditor tests that the system is correctly configured (implementation). Since automated controls operate consistently, this may also serve as evidence of operating effectiveness — provided the auditor has also tested that program changes to this system require proper authorisation (IT general controls).

### Example 4

Scenario: An auditor inquires of the accounts manager whether invoices are matched to GRNs before payment. The manager says 'yes'. Is this sufficient? No — inquiry alone is insufficient. The auditor must also inspect a sample of paid invoices for evidence of matching, or observe the matching process being performed.

⚠️ Common exam mistakes

  • Treating inquiry as sufficient for testing controls — SA 315/330 is explicit that inquiry alone is NOT sufficient; it must be combined with at least one corroborating procedure.
  • Not distinguishing between understanding controls (risk assessment phase) and testing operating effectiveness (risk response phase) — these are separate audit activities triggered at different stages.
  • Forgetting to assess consistency and 'by whom' when evaluating operating effectiveness — a control applied inconsistently or by an unauthorised/untrained person is not operating effectively even if it was applied at some points.
  • Assuming that testing an automated control at one point in time is always sufficient — it is only sufficient if IT general controls (especially program change controls) are also tested and effective.
Reference: — SA 330 – The Auditor's Responses to Assessed Risks (ICAI)
← Previous
Substantive Procedures — Tests
Next →
Tests of Control and Evaluatio
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic