## Tests of Controls (SA 330)
### When Must the Auditor Test Controls?
The auditor must design and perform tests of controls when either of two conditions is met:
| Condition | Trigger |
|---|---|
| A — Planned reliance | Risk assessment includes an expectation that controls are operating effectively, i.e., the auditor intends to rely on controls to reduce substantive work |
| B — Substantive procedures alone are insufficient | Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level |
> Key insight: Condition B is non-negotiable — even if the auditor didn't plan to rely on controls, if substantive alone can't work, controls must be tested.
---
### Nature of Tests of Controls
When designing tests of controls, the auditor must address three dimensions:
1. What to investigate:
- How the control was applied at relevant times
- Consistency of application throughout the period
- Who or what applied the control (person vs. system)
2. Indirect controls: Determine if the control under test depends on another control (an indirect control). If so, test the indirect control too.
3. Audit procedure mix:
- Inquiry alone is never sufficient — always combine with another procedure
- Inquiry + Inspection/Reperformance > Inquiry + Observation
- Observation is pertinent only at the moment it is made
- If effectiveness is documented → inspect the documentation
- If more persuasive evidence is needed → increase extent of testing
---
### Extent of Tests of Controls
Factors that determine how much testing is required:
1. Frequency of control performance during the period
2. Length of time the auditor is relying on the control's effectiveness
3. Expected rate of deviation from the control
4. Relevance and reliability of evidence about operating effectiveness at the assertion level
5. Extent of evidence already obtained from tests of other related controls
---
### Timing of Tests of Controls
| Scenario | Approach |
|---|---|
| Point-in-time control (e.g., physical inventory count at period-end) | Evidence pertaining to that specific point may be sufficient |
| Control relied upon across a period | Tests must cover relevant times throughout the period |
---
### Using Prior-Audit Evidence
Evidence from previous audits may be used, but the auditor must consider six factors before doing so:
1. Effectiveness of other internal control elements (control environment, monitoring, risk assessment process)
2. Risks from control characteristics — manual vs. automated
3. Effectiveness of general IT controls
4. Effectiveness of the control itself and its application — including deviations noted before, and personnel changes
5. Whether unchanged controls now pose risk due to changed circumstances
6. Risks of material misstatement and extent of reliance on the control
---
### Handling Deviations from Controls
When deviations are detected in controls the auditor intends to rely on, the auditor must make specific inquiries and determine:
- Whether the tests performed still provide an appropriate basis for reliance
- Whether additional tests of controls are needed
- Whether substantive procedures must address the potential risk of misstatement
> Important rule: Regardless of assessed risks, the auditor must always design and perform substantive procedures for each material class of transactions, account balance, and disclosure — because (i) risk assessment is judgmental and may miss risks, and (ii) internal control has inherent limitations including management override.