Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ Paper 5 — Auditing & Ethics/ Core Audit Concepts
Microlesson · 5-min read

Testing of Internal Controls

## Testing of Internal Controls (Tests of Controls)

### Purpose

Tests of controls are performed to obtain audit evidence (AE) about the effectiveness of:

1. Design of the accounting and IC system

2. Operations of IC throughout the period

> Note: Both design AND operating effectiveness must be tested — a well-designed control that is not followed provides no real assurance.

---

### Methods Used in Tests of Controls

#### 1. Inspection of Documents

  • Inspect documents supporting transactions and other events
  • Provides evidence that the control has operated properly
  • Example: Checking that purchase invoices have been stamped 'approved' and match purchase orders

#### 2. Inquiry and Observation

  • Inquiries about controls and observation of controls in operation
  • Used for controls that leave no audit trail (e.g., physical safeguarding, segregation of duties observed in real time)
  • Limitation: Observation only proves the control worked at the time of observation

#### 3. Reperformance

  • The auditor independently re-executes a procedure or control originally performed by the entity
  • Example: Auditor independently recalculates the bank reconciliation the client prepared
  • Strongest form of evidence for control effectiveness

#### 4. Testing IT-Specific Controls

  • Testing controls operating on specific computerised applications or over the overall IT function
  • Example: Testing that the system automatically rejects sales orders that would exceed a customer's credit limit

Worked example

### Example 1

Inspection: Auditor selects 50 payment vouchers and checks that each has: (a) an approved purchase order, (b) a goods received note, and (c) an authorised signature before payment. All 50 match → design and operation of the three-way matching control is confirmed.

### Example 2

Observation: Auditor observes the cash-counting process at the end of a business day to verify that two employees are always present (dual-custody control). Since no document records this, observation is the only method available.

### Example 3

Reperformance: The client's system automatically calculates depreciation. The auditor independently recalculates depreciation for a sample of assets using the entity's stated method and rates and compares results to the system output.

### Example 4

IT Control Testing: Auditor uses Computer Assisted Audit Techniques (CAATs) to test whether the payroll system correctly prevents salary rates above the authorised pay scale from being processed.

⚠️ Common exam mistakes

  • Relying solely on inquiry — inquiry alone is never sufficient for tests of controls because staff may describe what is supposed to happen, not what actually happens.
  • Confusing 'tests of controls' with 'substantive procedures' — tests of controls check whether a control works; substantive procedures detect actual misstatements in account balances.
  • Forgetting that testing only needs to cover the period the auditor plans to rely on the control — if a key control was only introduced mid-year, only the period after implementation is relevant.
  • Assuming observation is strong evidence — it only evidences the moment of observation, not the entire period.
Reference:
← Previous
Testing Methods in Automated E
Next →
Threats to Independence
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic