Welcome

Tests of controls and control deficiencies - Design vs opera...

ResourcesTests of controls and control deficiencies - Design vs opera...

Learning Outcomes

After this article, you will be able to distinguish between the design and operating effectiveness of internal controls, explain how and why auditors test controls, and recognise and report deficiencies. You will also learn how to describe, evaluate, and recommend control improvements using exam-style methodology and understand the impact of control weaknesses on the nature, timing, and extent of further audit procedures.

ACCA Audit and Assurance (AA) Syllabus

For ACCA Audit and Assurance (AA), you are required to understand tests of controls and reporting control deficiencies—especially the difference between good design and effective operation. The following syllabus points are covered:

  • The five components of internal control and control activities relevant to financial statement preparation.
  • Identifying, evaluating, and providing recommendations for internal control deficiencies, including design and operating effectiveness issues.
  • Describing, performing, and interpreting tests of controls on accounting systems (e.g., sales, purchases, payroll).
  • Explaining how the results of control testing affect substantive procedures.
  • Communicating deficiencies to management and those charged with governance.
  • Reporting requirements under ISA 265 for control deficiencies and significant deficiencies.

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. Define the difference between a control deficiency in design and a deficiency in operating effectiveness.
  2. Which of the following are valid methods of testing the operating effectiveness of a control?
    a) Enquiry only
    b) Observation
    c) Inspection of documents
    d) Reperformance
  3. True or false? If controls are poorly designed, there is little benefit in performing extensive tests of their operating effectiveness.
  4. A company's purchase order process requires dual signatures for authorisation, but in practice only one manager regularly signs. Identify and categorise this control issue.

Introduction

Internal controls are measures put in place by management to ensure reliability of financial reporting, safeguard assets, and assist in preventing and detecting fraud and error. Auditors must understand and evaluate controls relevant to the audit, judge whether they are suitably designed, test if they operate as described, and report deficiencies.

Key Term: test of control
An audit procedure performed to assess the operating effectiveness of controls in preventing, detecting, or correcting material misstatements.

Components and Types of Control Deficiency

Understanding Control Design

For a control to be effective, it must first be well designed—meaning it is capable, if operated as intended, of preventing or detecting a material misstatement.

Key Term: design deficiency
A flaw in the structure or procedure of a control, resulting in a control that is incapable of meeting its objective—even if performed correctly.

A design deficiency occurs when, for example, authorisation of payments is not required at all, or key duties are not separated. This means errors or fraud could occur and go undetected because the right check is missing from the process.

Operating Effectiveness

A control with sound design can still fail if not applied properly or consistently in practice.

Key Term: operating effectiveness deficiency
A situation in which a well-designed control is not performed as prescribed or is inconsistently applied, so it does not function as intended.

A common example is a manager who signs invoices without checking supporting documentation—here, the control exists in design but fails in operation.

Worked Example 1.1

Scenario:
Regal Ltd's sales system requires all new customer accounts to be approved by the credit manager before allowing credit sales. Documentation review during the audit shows several accounts without evidence of credit checks or manager approval.

Question:
Is this a design or operating effectiveness deficiency?

Answer:
This is an operating effectiveness deficiency. The procedure is well designed (all new accounts require approval), but in practice it is not being applied, so the control does not function as intended.

Auditors’ Evaluation and Testing of Controls

When Are Tests of Control Performed?

The auditor decides whether to rely on controls when assessing risk. If controls are expected to reduce the risk of material misstatement, their operating effectiveness must be tested.

Common tests of control methods:

  • Enquiry (limited evidence; rarely sufficient alone)
  • Observation (watching the process occur)
  • Inspection (checking for evidence the control operated, e.g., signatures)
  • Reperformance (auditor executes the control independently)

If controls are poorly designed, operating effectiveness is irrelevant—they cannot prevent or detect errors regardless of performance, so substantive procedures must be increased.

Worked Example 1.2

Scenario:
A company's purchasing controls require that all purchase orders are sequentially numbered, signed by two authorised personnel, and matched to invoices before payment. Through inspection, the auditor finds invoices matched to unsigned purchase orders, despite the policy.

Question:
What type of test would best confirm the operating effectiveness of this control?

Answer:
The auditor should inspect a sample of purchase orders and related invoices for evidence of both required signatures and matching, confirming whether the control is performed as specified.

Control Deficiency: Categories and Reporting

When a control cannot prevent or detect misstatements on a timely basis, or is missing altogether, a deficiency exists.

  • Design deficiency: Control not capable of achieving its objective.
  • Operating deficiency: Control not performed as intended, or not performed consistently.

Auditors must evaluate whether deficiencies are significant (likely to result in material misstatement) and communicate these in writing to management and, if significant, also to those charged with governance.

Key Term: significant deficiency
A control deficiency (or combination) important enough to merit attention by those charged with governance.

Impact on Audit Approach

If controls are not designed or do not operate effectively, the auditor cannot reduce substantive procedures for that area. The inefficiency of controls may increase overall audit work.

Exam Warning

Failure to distinguish clearly between design and operating effectiveness deficiencies is a common cause of lost marks on exam control questions. Always explain both what the control is and whether it can—and does—operate as intended.

Auditor Communication and Recommendations

All deficiencies, whether in design or operation, should be reported, with clear explanation, consequence, and practical, cost-effective recommendations.

A report to management (also called “management letter”) typically includes:

  • Description of the deficiency (and whether it is design or operating)
  • Potential consequence or risk
  • Specific, actionable recommendation

Worked Example 1.3

Scenario:
Bank reconciliations are required monthly but, due to staff shortages, were performed only twice in the year. As a result, several discrepancies went undetected for months.

Question:
How should the auditor classify and report this issue?

Answer:
This is an operating effectiveness deficiency. The control was well designed (monthly reconciliations) but not operated regularly. The auditor should report this deficiency in the management letter, explain the potential for undetected errors, and recommend resources are allocated to ensure monthly reconciliations are performed.

Revision Tip

When evaluating a deficiency, always state whether it relates to design or operation and make your recommendation as specific as possible for exam purposes.

Summary

Control deficiencies may arise from poor design or failures in operating effectiveness. Auditors test controls using enquiry, observation, inspection, and reperformance. Deficiencies are reported to management, with significant matters highlighted for those charged with governance. If controls are weak or ineffective, more substantive testing is needed.

Key Point Checklist

This article has covered the following key knowledge points:

  • Define and differentiate control design deficiencies and operating effectiveness deficiencies.
  • Explain why and how auditors test controls, and identify appropriate test methods.
  • Describe when tests of controls are useful or unnecessary.
  • State how deficiencies should be reported and communicated under ISA 265.
  • Apply exam technique for recommending improvements, specifying the nature and impact of each deficiency.

Key Terms and Concepts

  • test of control
  • design deficiency
  • operating effectiveness deficiency
  • significant deficiency

Assistant

How can I help you?
Expliquer en français
Explicar en español
Объяснить на русском
شرح بالعربية
用中文解释
हिंदी में समझाएं
Give me a quick summary
Break this down step by step
What are the key points?
Study companion mode
Homework helper mode
Loyal friend mode
Academic mentor mode
Expliquer en français
Explicar en español
Объяснить на русском
شرح بالعربية
用中文解释
हिंदी में समझाएं
Give me a quick summary
Break this down step by step
What are the key points?
Study companion mode
Homework helper mode
Loyal friend mode
Academic mentor mode

Responses can be incorrect. Please double check.