What are the benefits of testing controls in an audit?

Your internal controls provide the confidence you need that your processes will ensure compliance with regulations, legislation and best practices. Controls testing is the way you audit these controls.

Controls testing should form an integral part of your audit process, which in turn is central to your wider governance, risk and compliance (GRC) strategy. Here, we delve deeper into what controls testing is, its role in an increasingly strategic approach to audit and why automation plays a key part in your success.

What is Controls Testing?

Controls testing (sometimes referred to as tests of controls or internal controls testing) is a procedure used in audit to determine whether your internal controls are sufficient to detect material errors as well as to detect potential fraud. As a result, controls testing aims to prevent misstatements in your financial reporting.

Controls testing can be done as part of the audit or in preparation for an audit, providing confidence that all controls will be working as they should when audited. With internal audit recognized as the third line of defense in risk management, it’s vital that auditors verify the effectiveness of internal controls.

Whether you are auditing to comply with SOX requirements or other sector-specific regulations, or to meet audit best practices, testing controls is an essential part of the process.

What Is the Purpose of Controls Testing?

Internal controls testing typically has two objectives:

  1. To make the audit process shorter and more efficient. Testing controls can evidence that your internal controls are effective in preventing fraud or error, and as a result, negate any need for additional audit checks.
  2. To shore up your compliance processes. Specific regulatory compliance requirements may demand that you can demonstrate effective internal controls. Even if you’re not subject to these, your own and your board’s confidence in your governance, risk and compliance processes will be enhanced via robust controls testing.

What is Automated Controls Testing?

Many internal audit teams are ramping up the rigor of their controls testing, elevating their controls testing methodology by introducing an element of automation.

Automated controls testing involves automating the processes you use for the testing of internal controls. It helps to ensure the consistency and reliability of your controls and therefore your operations.

How can Automation Help Auditors with Controls Testing?

As internal audit teams strive for greater agility, controls testing moves audit teams along the road to proactive, continuous audit.

Automation helps bring a degree of consistency and rigor to this controls testing; for your organization to truly embrace — and get the benefits of — data-driven GRC, automation is non-negotiable. Ensuring your controls testing uses empirical evidence (data) can reduce and, best case, eliminate the use of unsound subjective validation mechanisms. It also ensures testing is scheduled regularly, and can directly link real-time results on the operational effectiveness of controls to your corporate risks — as a result, driving real-time risk assessment.

Despite this, many businesses are still adopting automation piecemeal, rather than across the entire risk and control process tool stack.

Benefits of Automated Controls Testing

Automated controls testing makes testing of controls more effective and more efficient. Among the benefits:

  • Aligned, efficient compliance processes. Risk and compliance processes and internal controls can be fragmented, subjective and siloed. Automating controls testing helps to put a consistent framework around the testing process; as a result, it makes controls, and the compliance and risk processes they inform, more effective.
  • Reduced cost of compliance. Manual controls testing can be time-consuming, labor-intensive, and run the risk of errors that need rework. By automating controls testing, this risk of human error is reduced and the time taken for intelligent controls testing is minimized.
  • Confidence in your controls. Data-driven controls testing, based on objective readings and carried out on a regular schedule, assures you that your controls work as they should. Reduce your risk of compliance breaches and know that your approach is based on real-time insights.
  • Keep pace with the compliance landscape. Because the regulatory landscape is ever-changing, your controls must be able to pivot quickly when needed, or you risk being out of step with requirements. Automated controls testing moves audits from annual or fixed-schedule reporting to continuous insight, and as a result, allows you to update your controls as needed.
  • Ability to continuously improve. Being informed by “always-on” controls testing means you can refine and improve your approach continuously. It accelerates the audit team’s path to becoming a strategic business partner, enabling you to provide unassailable, live insights to your board and key stakeholders.

For auditors looking to elevate their role to that of a strategic business partner, automated controls testing can help to avoid nasty shocks, give comfort around the operating effectiveness of controls and help you to take a proactive approach to audit.

Optimize Your Use of Technology in Controls Testing

Organizations’ shift to automated controls testing is part of a wider trend to make more effective use of technology. Surveys like PwC’s State of the Internal Audit Profession have regularly identified the need for increased use of technology in areas like audit analysis, fraud detection and continuous auditing. In tests of controls too, technology can play a key role.

This move to automated controls testing chimes, too, with a change in the audit function’s role. Internal audit has evolved significantly over the last decade, moving from cyclical audits and internal controls testing done to a set timetable, to a more consultative role, where internal audit teams assess and report continuously on the organization’s overall risk profile.

Technology is a vital component of this approach. And the internal audit team can be ideally placed to champion risk management and compliance technology, based on their experience of using technology for assurance purposes.

Centralize and Automate Your Controls Testing

Automating your controls testing will enable you to seamlessly manage the multiple policies and controls that make up your regulatory compliance strategy. It will increase the speed, rigor and efficiency of your testing while reducing costs. It will create a single source of truth for your controls reporting, and accelerate the internal audit team’s journey towards a consultative partnership with your organizational leadership.


Most auditors don’t perform a test of controls. But should they? Below I explain when such a test is required. I also explain why some auditors choose to use this test even when not required.


Once risk assessment is complete, auditors have three further audit procedures they can use to respond to identified risks:

  1. Test of details 
  2. Substantive analytics
  3. Test of controls

This article focuses on the third option.

Below you will see:

  • The Right Response
  • Not Testing Controls (including video about the same)
  • The Decision Regarding Testing 
  • How to Test Controls
  • Required Tests
  • Which Controls to Test
  • Three-year Rotation of Testing
  • Interim or Period-End Testing

The Right Response 

Which responses to risks of material misstatement are best? That depends on what you discover in risk assessment.

If, for example, your client consistently fails to record payables, then assess control risk for completeness at high and perform a search for unrecorded liabilities (a substantive procedure).

By contrast, if the internal controls for receivables are strong, then assess control risk for the existence assertion at less than high, and test controls for effectiveness. (You do, however, have the option to perform substantive tests rather than test controls, even when controls are appropriate. More about this in a moment.)

Not Testing Controls

Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. Therefore, you may not be able to assess control risk at less than high. 

Control risk assessments of less than high must be supported with a test of controls to prove their effectiveness. But if controls are not effective, you must assess control risk at high. This is one reason why you might bypass testing controls: you know, either from prior experience or from current-year walkthroughs, that controls are not effective. If your test reveals ineffectiveness, you are back to square one: a control risk assessment of high. Then substantive procedures are your only option. In such a situation, the initial test was a waste of time. 

The Decision Regarding Testing 

But if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures. There is one reason, however, why you might not test controls even though they appear appropriate: substantive tests may take less time.

Once risk assessment is complete, your responses—the further audit procedures—are based on efficiency and effectiveness. If control testing takes less time, then use this option. If substantive procedures take less time, then perform a test of details or use substantive analytics. But, regardless of efficiency considerations, address all risks with appropriate responses.

How to Test Controls 

Suppose you’ve decided to test controls for effectiveness. But how? Let’s look at an example starting with risk assessment.


Risk Assessment

Your approach to testing controls depends on risk. 

For example, suppose your billing and collections walkthrough reveals appropriate segregation of duties. You see that authorized personnel issue receipts for each payment received. Additionally, you determine that total daily cash inflows are reconciled by the collections supervisor to the online bank statement, and she signs off on a reconciliation sheet as evidence of this procedure. Lastly, you note that a person not involved in cash collections reconciles the monthly bank statement. In other words, controls are properly designed and in use. 

Furthermore, you believe completeness is a relevant assertion. Why? Theft of incoming cash is a concern since the business handles a high volume of customer checks. If checks are stolen, cash collections would not be complete. Consequently, the inherent risk for completeness is high. The fraud risk is a significant risk which requires a test of details in addition to the test of controls.

Test Supports Effectiveness

Now it’s time to test for effectiveness. 

Test the receipt controls on a sample basis. But before doing so, document the controls you desire to test and the sample size determinations. (See AICPA’s Audit Sampling standard, AU-C 530.)

The first control you are testing is the issuance of receipts by an authorized person and your sample size might be sixty. 

The second control you are testing is the daily reconciliation of cash to the bank statement. For example, you could agree total daily receipts to the bank statement for twenty-five days. As you do so, you review the daily sign-offs on the reconciliation sheets. Why? The collection supervisor’s sign-off is the evidence that the control was performed. 

The third control you are reviewing is the reconciliation of the bank account by a person not involved in the receipting process. So, you review the year-end bank reconciliation and confirm that the person that reconciled the bank statement was not involved in cash collections. 

Once the tests are performed, determine whether the controls are effective. If they are, assess control risk for the completeness assertion at less than high. Now you have support for that lower assessment. 

And what about substantive tests?

You need to perform a test of details since a significant risk (the fraud risk) is present. You might, for example, reconcile the daily total receipts to the general ledger for a month.

Test Doesn’t Support Effectiveness

If your tests do not support effectiveness, expand your sample size and examine additional receipts. Or skip the tests (if you believe the controls are not effective) and move to a fully substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency to management and those charged with governance. 

So, when should you test controls? First let’s look at required tests and then optional ones. 

Required Audit Tests of Controls

Here are two situations where you must test controls:

  • When there is a significant risk and you are placing reliance on controls related to that risk
  • When substantive procedures don’t properly address a risk of material misstatement

Let me explain.

Auditing standards allow a three-year rotation for control testing, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested annually. 

Also, a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. Other than the participant, there are no humans involved in the process. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization’s auditor. And you can place reliance upon those tests. In most cases, substantive procedures can properly address risks of material misstatement. So this test requirement is usually not relevant.

Optional Audit Test of Controls

We just covered the two situations when testing is required. All other control testing is optional.


Prior to making the decision about testing, consider the following:

  • Do you anticipate effectiveness? There’s no need to test an ineffective control. 
  • Does the control relate to an assertion for which you desire a lower control risk? 
  • Will it take less time to test the control than to perform a substantive procedure? Sometimes you may not know the answer to this question until you perform the test of controls. If the initial test does not prove effectiveness, then you have to expand your sample or just punt—in other words, use a fully substantive approach. 
  • Will you use the control testing in conjunction with a test of details or substantive analytics? How would effective controls reduce these substantive tests? In other words, how much substantive testing time would you save if the control is effective?
  • Is the control evidence physical or electronic? For example, are the entity’s receipts in a physical receipt book or in a computer? It’s usually easier to test electronic evidence.
  • How large will your sample size be? Some controls occur once a month. Others, thousands of times in the period. The larger the population, the larger the sample. And, of course, the larger the sample size, the more time it will take to perform the test. 
  • Can you test the population as a whole without sampling? Data analytics software—in some instances—can be used to test the entire population. For example, if a purchase order is required for all payments above $5,000, it might be easy to compare all payments above the threshold to purchase orders, assuming the purchase orders are electronic. 
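The full-population test from the last bullet, written out as an added example (not code from the original article): every payment above the $5,000 threshold is compared to the purchase order register. The CSV column names and sample rows are constructed, and the checks on approval date and approved amount are assumptions that go beyond the article's "has a purchase order" test.

```python
import csv
import io
from datetime import date
from decimal import Decimal

THRESHOLD = Decimal("5000")  # from the article: PO required above $5,000

# Constructed sample data; column names are assumptions for this example.
PAYMENTS_CSV = """payment_id,paid_on,amount,po_number
P-001,2020-03-02,4999.99,
P-002,2020-03-05,5000.00,
P-003,2020-03-09,5000.01,
P-004,2020-04-14,12500.00,PO-77
P-005,2020-05-20,8200.00,PO-99
P-006,2020-06-01,9100.00,PO-80
P-007,2020-06-11,30000.00,PO-81
"""
PO_CSV = """po_number,approved_on,approved_amount
PO-77,2020-04-01,12500.00
PO-80,2020-06-03,9100.00
PO-81,2020-06-02,25000.00
"""

def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def check_po_control(payments, purchase_orders, threshold=THRESHOLD):
    """Return (population_size, exceptions) over every payment above threshold."""
    pos = {po["po_number"]: po for po in purchase_orders}
    population, exceptions = 0, []
    for p in payments:
        amount = Decimal(p["amount"])  # Decimal avoids float rounding at the boundary
        if amount <= threshold:        # control applies only above the threshold
            continue
        population += 1
        ref = p["po_number"].strip()
        po = pos.get(ref)
        if not ref:
            reason = "no PO referenced"
        elif po is None:
            reason = "PO not in register"
        elif date.fromisoformat(po["approved_on"]) > date.fromisoformat(p["paid_on"]):
            reason = "PO approved after payment"   # assumed extra check
        elif Decimal(po["approved_amount"]) < amount:
            reason = "payment exceeds PO amount"   # assumed extra check
        else:
            continue
        exceptions.append((p["payment_id"], reason))
    return population, exceptions

if __name__ == "__main__":
    tested, found = check_po_control(load(PAYMENTS_CSV), load(PO_CSV))
    print(f"{tested} payments above ${THRESHOLD} tested, {len(found)} exceptions")
    for payment_id, reason in found:
        print(f"  {payment_id}: {reason}")
```

Because the whole population is examined, the output is a complete exception list rather than a sample-based estimate, and each exception can be followed up individually.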

Three-Year Rotation of Testing

As I said earlier, audit standards allow a three-year rotation for testing. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as it was in 2020, when the initial test was performed. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.

In short, testing for effectiveness can, in most cases, occur every three years. But walkthroughs are necessary each year. If you tested sixty transactions for an appropriate purchase order in 2020, then you can wait until 2023 to do so again. But review the purchase order process each year in your annual walkthroughs.

So should you test controls at interim or after year-end?

Interim or Period-End Testing

Some auditors test controls after the period-end (after year-end in most cases). Others at interim. Which is best?

It depends.


Perform interim tests if this fits better in your work schedule. Here’s an example: You perform an interim test on November 1, 2021. Later, say in February 2022, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing additional tests for the November 1 to December 31 period. Once done, determine if the controls are effective. 

Testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate.

If you choose to test after period-end, then do so for the full period being audited. Your sample should be representative of that timeframe.

So should you ever test controls at a point in time and not over a period of time? Yes, sometimes. For example, test inventory count controls at year-end only. Why? Well, those controls are only relevant to the year-end count, a point in time. Most controls, however, are in use throughout the period you are auditing. Therefore, you need to test those controls over that period of time (e.g., year).

Conclusion

As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.

Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytical Procedures: Power Up.


Thanks for joining me here at CPA Scribo. Charles Hall