Assessing Internal Controls in an Audit
Effective internal controls reduce audit risk and allow auditors to reduce substantive testing. This guide explains how auditors assess control design and operating effectiveness, and how the outcome of that assessment shapes the audit strategy.
The decision of whether to test internal controls — and which ones — is one of the most important judgement calls in audit planning. Get it right and you design an efficient, risk-responsive audit. Get it wrong and you either over-audit (wasting time testing controls that aren't reliable) or under-audit (placing reliance on controls that fail). This guide explains how to make that judgement well.
Why the Controls Assessment Matters
Where controls are effective, the auditor can place reliance on them and reduce the extent of substantive testing. Where controls are weak or the auditor decides not to rely on them, substantive procedures must be sufficient on their own to provide the required level of assurance. The controls/substantive split is the key efficiency lever in audit planning.
Design vs Operating Effectiveness
Two separate questions must be answered. First: is the control designed effectively — is it capable of preventing or detecting a material misstatement if it operates as intended? A well-designed control that never actually runs is useless. Second: is the control operating effectively — has it been consistently applied throughout the period? Both must be satisfied before the auditor can rely on a control.
IT General Controls (ITGCs)
Most financial data is produced by IT systems. ITGCs — access controls, change management, operations controls — are the foundation that application controls rest on. If ITGCs are weak (e.g. multiple users share a superuser password, or application changes are not tested before deployment), the automated application controls that rely on those systems cannot be trusted. Testing application controls without testing ITGCs is a common quality shortfall.
Testing Controls
Tests of controls include: inspection (reviewing authorisation signatures, access logs, exception reports); re-performance (independently re-doing the control, for example re-performing a bank reconciliation); observation (watching the control being performed, which provides evidence only for the point in time observed); and inquiry (asking the person performing the control to describe and demonstrate it). Sample sizes depend on the control's frequency and the degree of reliance planned.
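The two ITGC weaknesses named above (a shared superuser password and untested application changes) are exactly the kind of thing an inspection test over access logs and change records can surface. The following is an added example, not code from this page or from Learnsignal: it parses a small constructed access log and change register (the log format, account names, hostnames and change IDs are all assumed) and returns the exceptions an auditor would carry forward into the management letter. A privileged account logging in from two different hosts within a short window is treated as an indicator that the credential is shared; a deployment with no test sign-off is treated as a change-management exception.

```python
"""Added example: automated inspection of ITGC evidence.

Two checks over constructed sample records (hypothetical formats):
1. Shared privileged credential: one superuser account logging in from
   more than one distinct host within a short time window.
2. Untested change: a production deployment with no test sign-off recorded.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log. Assumed format per line:
#   <ISO timestamp> <user> <host> <event>
ACCESS_LOG = """\
2024-03-04T08:02:11 admin ws-finance-01 login_ok
2024-03-04T08:05:40 admin ws-finance-07 login_ok
2024-03-04T08:07:02 jsmith ws-finance-07 login_ok
2024-03-04T09:15:00 admin ws-finance-01 login_ok
2024-03-05T11:00:00 admin ws-it-03 login_ok
"""

# Constructed change register; test_signoff is None when no tester approved the change.
CHANGE_RECORDS = [
    {"change_id": "CHG-1001", "deployed": "2024-03-02", "test_signoff": "qa.lead"},
    {"change_id": "CHG-1002", "deployed": "2024-03-03", "test_signoff": None},
    {"change_id": "CHG-1003", "deployed": "2024-03-04", "test_signoff": "qa.lead"},
]

# Accounts the auditor has identified as superuser / privileged (assumed).
PRIVILEGED_ACCOUNTS = {"admin"}


def parse_access_log(text):
    """Turn the whitespace-separated log into a list of dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "event": event})
    return records


def shared_credential_findings(records, window=timedelta(minutes=30)):
    """Flag privileged logins from different hosts within `window` of each other.

    Returns a list of (user, earlier_host, later_host, seconds_apart).
    Pairs are only compared while the gap is inside the window, so the
    scan stops early for each starting login once the window is exceeded.
    """
    findings = []
    by_user = defaultdict(list)
    for r in records:
        if r["user"] in PRIVILEGED_ACCOUNTS and r["event"] == "login_ok":
            by_user[r["user"]].append(r)
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["ts"])
        for i in range(len(logins)):
            for j in range(i + 1, len(logins)):
                gap = logins[j]["ts"] - logins[i]["ts"]
                if gap > window:
                    break  # later logins are further apart still
                if logins[i]["host"] != logins[j]["host"]:
                    findings.append((user, logins[i]["host"], logins[j]["host"],
                                     int(gap.total_seconds())))
    return findings


def untested_changes(changes):
    """Return change IDs deployed without a recorded test sign-off."""
    return [c["change_id"] for c in changes if c.get("test_signoff") is None]


def itgc_exceptions():
    """Collect both checks into one structure for the working papers."""
    records = parse_access_log(ACCESS_LOG)
    return {
        "shared_credential": shared_credential_findings(records),
        "untested_changes": untested_changes(CHANGE_RECORDS),
    }


if __name__ == "__main__":
    for category, items in itgc_exceptions().items():
        print(category, items)
```

The window size is a judgement the auditor documents, not a fixed rule: too short and a genuinely shared password is missed, too long and ordinary movement between workstations produces noise. Either way the output is evidence to be corroborated by inquiry and further inspection, not a conclusion on its own.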
Communicating Deficiencies
Control deficiencies identified during testing must be communicated in accordance with ISA 265. Significant deficiencies go in writing to those charged with governance. All deficiencies go to management. A quality management letter frames each deficiency in terms of risk, impact, and recommended remediation — not just as a list of weaknesses.
Learnsignal Education Team
Expert Tutor at Learnsignal
Qualified professional with years of experience in teaching and helping students achieve their accounting qualifications.