Desain Test of Control
Desain Test of Control
Desain Test of Control
In planning an audit, the auditor considers the appropriate audit approach for
designing and performing further audit procedures based on the auditor’s
assessment of the identified risks at the assertion level. These audit procedures are
referred to as (i) tests of controls and (ii) substantive procedures.
The auditor ordinarily performs both tests of controls and substantive procedures to
express an opinion on the financial statements. The objective of performing tests of
controls is to assess control risk. The results obtained from a test of controls may
cause the auditor to alter the nature, timing, and extent of the substantive procedures
to be performed and to plan and perform further tests of controls, especially when the
auditor has identified control deficiencies.
The auditor shall design and perform tests of controls to test the internal controls set
up by an entity so as to obtain sufficient appropriate audit evidence on the operating
effectiveness of relevant controls if:
(a) the auditor intends to rely on the operating effectiveness of controls; or
(b) substantive procedures alone cannot provide sufficient appropriate audit
evidence at the assertion level.
However, if the auditor has not identified any effective controls relevant to the
assertion, or if testing controls would be inefficient, which occurs quite often in small
entities, then the auditor will not intend to rely on the operating effectiveness of
controls in determining the nature, timing and extent of substantive procedures. In
such cases, it may be more efficient for the auditor to rely primarily on performing
substantive procedures.
Regardless of the assessed level of control risk or the assessed risk of material
misstatement in connection with the audit of the financial statements, the auditor
should perform substantive procedures for all relevant assertions.
1
Nature of Tests of Controls
The nature of an audit procedure refers to its purpose (i.e. is it a test of controls or
confirmation, recalculation, reperformance, or analytical procedure). The nature of
the audit procedures is of the greatest importance in responding to the assessed
risks.
The nature of the particular control influences the type of test of controls required to
obtain audit evidence about whether that control has been operating effectively. For
example, if operating effectiveness is evidenced by documentation, the auditor may
decide to inspect the document. However, documentation may not be available or
relevant for other controls (such as the assignment of authority and responsibility), or
for some types of control activities (such as control activities performed by a
computer). In such circumstances, audit evidence about operating effectiveness may
be obtained through inquiry in combination with other audit procedures (such as
observation or the use of CAATs).
The extent of an audit procedure refers to the quantity to be performed, for example,
a sample size or the number of observations of a control activity.
The timing of an audit procedure refers to when it is performed, or the period or date
to which the audit evidence applies.
2
To assess control risk for specific financial statement assertions, the auditor is
required to obtain evidence that the relevant controls operated effectively during the
entire period upon which the auditor plans to place reliance on those controls.
If the auditor obtains audit evidence about the operating effectiveness of controls
during an interim period, the auditor shall ascertain whether there are any significant
changes to those controls subsequent to the interim period and roll over the tests of
controls over the remaining period.
If the auditor plans to use audit evidence from a previous audit about the operating
effectiveness of specific controls, the auditor shall establish the continuing relevance
of that evidence by performing inquiry, combined with observation or inspection,
about whether significant changes in those controls have occurred subsequent to the
previous audit. If there have been changes that affect the continuing relevance of the
audit evidence from the previous audit, the auditor shall test the controls in the
current audit. On the other hand, if no changes have occurred, the auditor shall
spread the tests of controls over a three-year cycle. The auditor shall include in the
audit documentation the conclusions reached about relying on such controls that
were tested in a previous audit.
Tests of controls are performed only on those controls that the auditor has
determined are suitably designed to prevent, or detect and correct, a material
misstatement in an assertion. If substantially different controls were used at different
times during the period under audit, then each is considered separately.
Furthermore, although some risk assessment procedures may not have been
specifically designed as tests of controls, they may nevertheless provide audit
evidence about the operating effectiveness of the controls and, consequently, serve
as tests of controls.
3
assessed by the auditor. An unexpectedly high sample deviation rate may lead to an
increase in the assessed risk of material misstatement, unless further audit evidence
substantiating the initial assessment is obtained.
In analyzing the deviations identified, the auditor may decide to identify all items in
the population that possess the common feature, for example, type of transaction,
location, product line or period of time, and extend audit procedures to those items.
Such deviations may be intentional, and may indicate the possibility of fraud.
If the auditor concludes that audit sampling has not provided a reasonable basis for
conclusions about the population that has been tested, the auditor may:
(a) request management to investigate misstatements that have been identified
and the potential for further misstatements and to make any necessary
adjustments; or
(b) tailor the nature, timing and extent of those further audit procedures to best
achieve the required assurance. For example, the auditor might extend the
sample size, test an alternative control or modify related substantive
procedures.
With respect to an automated control, it may not be necessary to increase the extent
of testing due to the inherent consistency of IT processing. An automated control can
be expected to function consistently unless the program is changed. Once the
auditor determines that an automated control is functioning as intended, the auditor
may consider performing tests on program change controls and to determine that the
control continues to function effectively.
Sampling Risk
Sampling risk is the risk that the auditor’s conclusion based on a sample may be
different from the conclusion if the entire population were subjected to the same audit
procedure.
There are two types of erroneous conclusions arising from sampling risk relating to a
test of controls:
4
(a) Controls appear more effective than they actually are. The auditor is primarily
concerned with this type of erroneous conclusion because it affects audit
effectiveness.
(b) Controls appear less effective than they actually are. This type of erroneous
conclusion affects audit efficiency, as it would usually lead to additional work to
establish that the initial conclusions were incorrect.
Reference:
HKSA 330 The Auditor’s Responses to Assessed Risks, issued June 2009, revised
June 2017, Hong Kong Institute of Certified Public Accountants
HKSA 530 (Clarified) Audit Sampling, issued July 2009, revised July 2010, Hong
Kong Institute of Certified Public Accountants