What Are Examples of Tests of Controls in an Audit?
Learn how auditors assess the operational effectiveness of a company's internal controls to determine the reliability of its financial processes.
An audit of a company’s financial statements involves evaluating the effectiveness of its internal controls. These controls are the policies and procedures management puts in place to ensure financial reporting is reliable and to prevent or detect errors and fraud. Auditors perform tests of controls to determine whether these internal systems are operating as designed, and the results directly influence the rest of the audit strategy.
If an auditor finds that a company’s internal controls are effective, they can place more reliance on them, which allows for less detailed testing. Conversely, if tests reveal that controls are weak or not functioning properly, the auditor must expand the scope of their other audit procedures to compensate for the higher risk of material misstatement in the financial statements.
Auditors use several methods to test the effectiveness of a company’s internal controls, with inquiry being a common starting point. Inquiry involves the auditor asking targeted questions of the employees responsible for performing specific control activities. For example, an auditor might ask an accounting clerk to describe the process for approving a new vendor before payment is made.
Observation provides direct evidence of a control in action. This procedure involves the auditor watching a process as it is being performed by company staff. An example is an auditor observing the client’s employees as they conduct the year-end physical inventory count. By watching the count, the auditor can assess whether the company’s prescribed procedures for counting, tagging, and recording inventory are being followed.
Inspection involves the examination of documents and records to find evidence that a control has been performed. An auditor might inspect a sample of expense reports to look for a manager’s signature, which would serve as evidence of the approval control. The presence of signatures, stamps, or electronic approvals indicates that the control was applied.
Reperformance offers a high level of audit assurance by having the auditor independently execute a control procedure that was originally performed by the company. This goes beyond inspection by verifying that the control was done correctly. For instance, an auditor might reperform the aging of accounts receivable to verify that the company’s system for identifying overdue accounts is functioning accurately.
Within the revenue cycle, one control is the requirement for credit approval before extending terms to a new customer, which mitigates the risk of non-payment. An auditor would select a sample of new customer accounts created during the year and examine the customer’s file for documented evidence of a credit check and a formal approval from an authorized manager.
Another control in this cycle is the authorization of sales orders before they are fulfilled to ensure that all sales are legitimate and approved under company policy. An auditor might first ask the sales manager to explain the order approval process and then select a sample of sales orders, inspecting each one for the required signature or electronic authorization stamp.
A control to ensure revenue is recorded accurately is the matching of shipping documents to sales invoices. This confirms that the company only bills customers for goods that have actually been shipped. An auditor would select a sample of sales invoices and inspect the attached shipping documents, verifying that the quantities and items match, and might also reperform the matching process for a few transactions.
Segregation of duties is a broad control that prevents one individual from having too much control over a transaction. In the revenue cycle, the person who handles cash receipts should not also be the person who can issue credit memos. An auditor would inquire about who is responsible for each function and observe the employees in their day-to-day roles to confirm that these incompatible duties are performed by different people.
In the purchasing cycle, one control is the proper authorization of purchase orders (POs) before they are sent to vendors. This ensures that all purchases are for legitimate business needs and are approved by management. An auditor would select a sample of POs and examine them for evidence of approval, such as a manager’s signature, verifying that it aligns with the company’s established authorization limits.
Another control is the verification of goods received, where personnel compare the goods to the original purchase order to ensure the correct items and quantities were delivered. An auditor would ask receiving personnel to describe their procedures and then inspect a sample of receiving reports for evidence that a comparison to the PO was performed, often noted with a signature or stamp.
The three-way match is a control in the payables process designed to prevent improper payments. Before paying a vendor invoice, the accounts payable department should match the invoice to the corresponding purchase order and receiving report. An auditor would test this by selecting a sample of paid invoices and independently matching the details—such as item, quantity, and price—across all three documents.
To prevent duplicate payments, many companies have a control where invoices are marked “paid” once the check is issued. An auditor would select a sample of payment vouchers and examine the corresponding vendor invoices to see if they have been physically or electronically canceled. The absence of such a mark on a paid invoice could indicate a weakness that might allow it to be processed for payment a second time.
After performing tests of controls, the auditor documents the work performed and the conclusions reached in their audit workpapers. This documentation serves as the evidence of the procedures conducted and includes several components.
Workpapers will typically contain the following information: