Breadcrumb

What are tests of control in auditing?

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedNov 20202 min read

Auditors have a full set of tools at their disposal when performing an audit for a client. These include tests of control, which provide a way to take a closer look at the client’s internal control systems. Here’s what tests of controls involve and how they’re used.

What are tests of internal controls?

A test of control describes any auditing procedure used to evaluate a company’s internal controls. The aim of tests of control in auditing is to determine whether these internal controls are sufficient to detect or prevent risks of material misstatements. A robust internal control system is essential for businesses to keep their financial records accurate.

While a financial audit won’t automatically uncover all irregularities, auditors may use tools like tests of control to test the systemic operating controls. This, in turn, reduces the client’s risk. If the controls are operating efficiently, the control risk is low. However, if they are found to be weak or ineffective, the control risk is high. This means that the auditor will have to perform additional tests during the audit.

Tests of control vs. tests of detail

A test of controls involves many similar audit procedures to a test of detail, but the outcomes are different. While a test of controls supports control risk assessment, a test of details is performed to support the overall audit opinion of a company’s balance sheet and accompanying transactions. Tests of control are only performed when the auditor believes that the control risk is low, enabling them to verify this assessment. However, a test of details is almost always required to obtain sufficient audit evidence.

Purposes of tests of control

There are several reasons to perform tests of control in auditing. If a company’s internal controls are working effectively, it reduces the need for additional substantive audit procedures, which can be time-consuming and costly. Another purpose of these tests is to obtain further audit evidence to support the auditor’s statements.

Audit sampling methods for tests of controls

Tests of control fall into four main categories:

Inquiry: At the first stage, auditors may ask clients to explain their control processes. Simply inquiring about procedures qualifies as a test of control, but it provides limited evidence, so it will need to be supplemented with additional audit sampling.
Observation: The test may involve observing a business process or transaction while it’s happening, taking note of all relevant control elements. One example of observational audit sampling for tests of controls would be to watch the client’s year-end inventory counting procedures.
Reperformance: The auditor might start a new transaction to repeat the internal controls used by the client during this process. This is considered to be one of the most reliable audit sampling methods for tests of controls because it actively gathers direct evidence rather than relying on observation alone.
Inspection: Tests of control involve the examination of business documents for any signs of review. Signatures, checkmarks, and stamps are all signs that internal controls have been used. In this fourth category, audit sampling for tests of controls requires the inspector to look at a random selection of documents over time. If only a few of them show signs of review, this indicates a weak internal control system. However, if they are all uniformly marked with a verifying signature, this would indicate efficient controls.

A single test of controls is usually insufficient to draw any conclusions, so auditors will draw from all four types of control tests for greater assurance. An inquiry should be combined with inspection or reperformance for more accurate results.

When errors are found during the tests of internal controls, auditors can take this process to the next step by increasing their audit sampling size. The greater the number of errors, the greater the chance that there is a systemic controls issue.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.