Answer for this question is changed to bring it in line with SA 330. This question was asked in N09 when standards on auditing were not fully incorporated in ICAI material hence had old outdated answer. It is better to go with SA based better answer.
See ONLY highlighted text, it is summary of text below it.
Definition: – Audit Procedures to evaluate operating effectiveness of controls in preventing, detecting and correcting material misstatements at assertion level.
Test of controls may be defined as an audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.
Which Controls Should be Tested: – 1. While determining RMM it was expected that the control will operate effectively 2. Where substantive procedures alone are not sufficient. Higher level of assurance regarding operating effectiveness will be required in such cases.
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls when:
(a) The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (i.e., the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); or (Rate of goods purchased is approved by purchase manager (who is new to organisation), latter system checks it with rates in agreements and average of past 3 / 6 months. Software based control is expected to function effectively so let’s check it)
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
A higher level of assurance may be sought about the operating effectiveness of controls when the approach adopted consists primarily of tests of controls, in particular where it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures. (In banks interest and other charges are automated, they are system generated entries in such situations test of controls are must they cannot be ignored, in fact we will check them in greater details)
Nature of test of controls: – Perform audit procedures in combination of inquiry to obtain audit evidence about operating effectiveness, which includes 1. By whom & what means they are applied / 2. Consistency of there application / 3. How controls are applied during the year / 4. Determine whether other controls (indirect controls) need to be tested
In designing and performing tests of controls, the auditor shall:
(a)Perform other audit procedures in combination with inquiry to obtain audit evidence about the operating effectiveness of the controls, including:
(i) How the controls were applied at relevant times during the period under audit. 3 (Are there any changes during the year, if yes have separate evaluation)
(ii) The consistency with which they were applied. 2 (Whether every transaction is evaluated carefully, automated controls are consistent but human based controls can be more or less depending on people or product involved, MD related purchases may be compromised in rates)
(iii) By whom or by what means they were applied. 1 (By Purchase Manager by Signing PO, By Software by matching customer code and rejecting un registered names)
(b) Determine whether the controls to be tested depend upon other controls (indirect controls), and if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls. 4 (Software based controls may depend on general IT / EDP controls of access controls, development controls etc so we will have to check them also)
Inquiry alone not sufficient: – Observation / Inspection / Reperformance. Inquiry + Inspection or Reperformance is better than Inquiry + Observation / As Observation gives evidence only for point of time.
Nature of checking depends on type of control we are checking. Eg If documents are important inspection should be done.
Further explanation of point (a) above
Inquiry alone is not sufficient to test the operating effectiveness of controls. Accordingly, other audit procedures are performed in combination with inquiry. In this regard, inquiry combined with inspection or reperformance may provide more assurance than inquiry and observation, since an observation is pertinent only at the point in time at which it is made.
The nature of the particular control influences the type of procedure required to obtain audit evidence about whether the control was operating effectively. For example, if operating effectiveness is evidenced by documentation, the auditor may decide to inspect it to obtain audit evidence about operating effectiveness.
Sir, I’m asking about Q1 of ch 3 of PM of ca final which is “Briefly discuss the compliance procedure and their use in evaluation of internal controls.”