By MIA Professional Practices & Technical
What is a test of controls (TOC)? Why is there a need to perform TOC and how can it help in improving audit efficiency?
Before we delve into the technicalities, let us start with a quick understanding of TOC. TOC is a type of audit procedure that auditors perform to evaluate whether the client’s internal controls operate effectively in preventing or detecting risks of material misstatements at the financial assertion level. Auditors can choose to rely on the controls and thus, reduce some substantive audit procedures if the client’s internal controls work as intended. Hence, with reduction of the substantive audit procedures, this will improve audit fieldwork efficiency since a lesser volume of testing are required while still being able to accumulate an adequate amount of audit evidence.
It is common for most organisations to implement certain controls to manage their business operations. However, what really matters is the extent of the strength and effectiveness of the client’s controls, which can affect the level of risk of material misstatements in the financial statements at the assertion level. Thus, performing a TOC can address this important question. If the controls over the operations in a particular area are strong and effective, it is likely that the risk of material misstatements in the financial statements in relation to that area would be relatively low, whether those risks are due to errors or fraud. On the other hand, if the controls are weak and not effective in preventing or detecting risks of material misstatements (i.e. the control risk¹ is high), there is a higher risk of such material misstatements in the financial statement. In this case, there will be a need to increase the level of substantive testing in order to reduce the audit risk to an acceptable level².
Paragraph 8 of ISA 330 The Auditor’s Responses to Assessed Risks states that an auditor shall design and perform TOC to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls if:
In short, TOC is performed to evaluate whether the controls are working effectively for two main purposes, i.e. to reduce substantive audit procedures or to obtain additional audit evidence.
In designing and performing TOC, the auditor shall obtain more persuasive audit evidence the greater the reliance the auditor places on the effectiveness of a control.
The next questions are on how to design the TOC and extent of work necessary to make a conclusion regarding whether the TOC provides an appropriate basis for reliance on the controls.
Types of TOC
There are 5 types of TOC, which are:
Inquiry alone is not sufficient to test the operating effectiveness of controls. Accordingly, other audit procedures are performed in combination with inquiry. In this regard, inquiry combined with inspection or reperformance may provide a higher level of assurance than inquiry and observation, since an observation is pertinent only at the point in time at which it is made.
In the upcoming second and last part of this article, more aspects of the TOC will be further discussed which includes the timing, nature and extent of the TOC and also considerations for smaller entities which will further illustrate how TOC can help to improve efficiency of the audit fieldwork. There will also be a flowchart for determining when to use TOC in combination with substantive procedures.
¹ The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity’s internal control.
² If the internal controls are strong and the auditors can rely upon them, the audit work can be reduced by lowering the quantity of substantive tests. However, if the internal controls are weak, the auditors will have to perform more substantive tests so that the overall audit risk can be minimised.