Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / AUDIT
Microlesson · 5-min read

Methods of Evaluation of Internal Control (Narrative Record, Checklist, ICQ, Flowchart) & Testing of Controls

# Methods of Evaluation of Internal Control

Four widely used methods of evaluating Internal Control:

## A. Narrative Record

A complete & exhaustive description of the system as found in operation by the auditor.

Best suited for: Small & trading businesses.

Disadvantages:

  • Difficult to comprehend (summarize) system in operation
  • Difficult to identify weaknesses in the system
  • Difficult to incorporate changes

## B. Check List

A series of instructions or questions which the audit team member must follow or answer.

Format of answers: Yes / No / Not Applicable

## C. Internal Control Questionnaire (ICQ)

A comprehensive series of questions on IC — the most widely used form for collecting information about IC.

Interpretation of answers:

AnswerMeaning
YesSatisfactory position
NoSuggests weakness (explanation required)
Not ApplicableNot relevant

Process: Questionnaire is issued to client to be filled by employees. There is discussion to get a clear picture.

## D. Flow Chart

A graphic presentation of the ICS.

  • Most concise way of recording the auditor's review of ICS
  • Gives a bird's eye view of the system

## Benefits of Evaluation of IC to Auditor

Review of IC enables auditor to know:

  • Whether any administrative control has bearing on his work
  • Extent & depth of examination needed
  • Whether controls adequately safeguard assets
  • How adequately Mgt is discharging its function for correct recording of transactions
  • How reliable reports to Mgt can be
  • Whether errors & frauds are likely to be located
  • Areas where control is weak & where it is excessive
  • Whether effective Internal Audit Department is operating
  • Whether suggestions can be given to improve ICS
  • Appropriate audit technique & procedure
  • Whether adequate ICS is in use & operating as planned by Mgt

## Testing of Internal Controls (TOC)

### Purpose

To obtain audit evidence about effectiveness of Design and Operation of ICS.

### TOC Include

  • Testing of IC operating on specific computerized applications
  • Inquiries & observation of IC that leave no audit trail
  • Inspection of documents supporting transactions to gain evidence that controls operated properly
  • Reperformance (SA 500)

### Considerations While Obtaining Evidence about Effective Operation

  • How controls were applied
  • Consistency with which they were applied during the period
  • By whom they were applied

### Action on Detecting Deviations

When deviations are detected:

  • Auditor makes specific inquiries regarding timing of staff changes in key IC functions
  • Based on results of TOC, auditor evaluates whether IC are designed & operating as in preliminary assessment
  • If assessed level of control risk needs revision → modify NTE of planned substantive procedures

Worked example

### Example 1

Example 1 — Choosing the Right Method:

A small kirana shop with 3 employees and simple transactions → use Narrative Record.

A large manufacturing company with multiple plants → use Flow Chart for bird's eye view.

### Example 2

Example 2 — Interpreting an ICQ:

Question: 'Are all purchase invoices signed by the Purchase Manager before processing?'

  • Answer Yes → Satisfactory
  • Answer No → Weakness; auditor must investigate compensating controls or expand substantive procedures
  • Answer N/A → Not relevant (e.g., entity has no purchase function)

### Example 3

Example 3 — Testing of Controls Application:

A company's control requires the Finance Manager to sign all bank reconciliations.

TOC procedure:

  • Inspection: Select 30 monthly reconciliations across the year and verify Finance Manager's signature
  • Inquiry: Ask whether anyone else signed during the Manager's leave
  • Reperformance: Re-do one reconciliation to test arithmetical accuracy
  • Observation: Watch the reconciliation being signed in the current month

⚠️ Common exam mistakes

  • Using Narrative Record for large complex entities — it becomes unmanageable
  • Treating ICQ as a tick-box exercise without seeking explanations for 'No' answers
  • Performing only inquiry as Test of Control — must combine with inspection, observation, reperformance
  • Failing to consider WHO applied the control and the CONSISTENCY with which it was applied
  • Not modifying NTE of substantive procedures when TOC reveals control deviations
  • Confusing 'Test of Control' (effectiveness of controls) with 'Substantive Procedures' (detecting MM)
Bare-Act text SA 330 & SA 500 · ICAI Standards on Auditing · click to expand
SA 330: The Auditor's Responses to Assessed Risks — The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls if: (a) the auditor's assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively; or (b) substantive procedures alone cannot provide sufficient appropriate audit evidence.
← Previous
Manual vs Automated Elements i
Next →
Professional Ethics - Fundamen
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic