Tests of controls and control deficiencies - Walkthroughs an...

Learning Outcomes

After reading this article, you will be able to explain the purpose and process of tests of controls, describe walkthrough procedures, select and apply audit sampling techniques for control testing, and clearly identify and communicate control deficiencies to management. You will understand how these procedures fit into an overall audit approach and know how to respond if controls are not operating effectively.

ACCA Audit and Assurance (AA) Syllabus

For ACCA Audit and Assurance (AA), you are required to understand how auditors evaluate internal control systems, test their effectiveness, and communicate findings. This topic specifically addresses:

  • The purposes, procedures, and selection of tests of controls during an audit engagement.
  • The concept and execution of walkthroughs to confirm system understanding and design effectiveness.
  • The principles and application of audit sampling—statistical and non-statistical—for tests of controls.
  • The identification, evaluation, and communication of control deficiencies to management and those charged with governance.
  • Methods and report formats for highlighting deficiencies and recommending improvements.

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. What is the main objective of tests of controls in an audit?
  2. Explain the difference between a walkthrough and a test of control.
  3. List two sampling methods used for control testing and give one scenario in which each would be most effective.
  4. Describe two key elements that should be included when reporting a control deficiency to management.

Introduction

A strong internal control environment reduces the risk of material misstatement in the financial statements. Auditors do not assume controls operate as management intends—they must gather evidence that controls exist and function effectively throughout the period. Tests of controls, including walkthroughs and sampling-based procedures, give auditors this evidence. If controls are weak or not working, deficiencies must be clearly communicated to enable remedial action and to adjust the audit approach. This article explains these critical processes.

The Purpose of Tests of Controls

Auditors use tests of controls to determine whether control procedures designed by management operate as intended and achieve the relevant audit assertions. If effective, controls may allow auditors to reduce the amount of substantive testing needed. If ineffective, reliance must shift to other audit procedures.

Key Term: Test of control
An audit procedure performed to obtain evidence as to the operating effectiveness of controls in preventing or detecting and correcting material misstatements.

Understanding and Documenting Systems: The Role of Walkthroughs

Before testing controls, auditors must first understand the system and design of relevant controls. A walkthrough involves tracing a single transaction from initiation to final entry in the financial records, observing the process, inspecting documents, and enquiring of personnel. This procedure helps verify that the control exists and operates as documented.

Key Term: Walkthrough
The process of following a transaction through each stage of a system to confirm the design and implementation of controls and to identify potential weaknesses.

Designing and Performing Tests of Controls

Only controls assessed as suitably designed and implemented are worth testing. The main methods used are:

  • Inspection: Checking documents for signatures, authorisations, or evidence of performance.
  • Observation: Watching individuals perform control procedures, such as stock counts.
  • Reperformance: Executing a control activity independently to assess effectiveness.
  • Enquiry: Questioning staff about their duties, then corroborating responses with other evidence.
  • Walkthrough: As above, but with a focus on the end-to-end process.

Worked Example 1.1

Scenario: You want to test whether purchase invoices over a certain value are authorised before payment.

Answer:
Select a sample of high-value paid invoices and inspect each for evidence of required managerial authorisation, such as a signed approval.

Sampling for Tests of Controls

It is usually inefficient to test every occurrence of a control. Instead, auditors select a sample and use the results to form a conclusion about the entire population.

Key Term: Audit sampling
The selection and evaluation of fewer than 100% of items in a population to provide a reasonable basis for conclusions about the whole population.

Sampling can be:

  • Statistical: Items are selected randomly and probability theory is used to evaluate results.
  • Non-statistical: Selection is based on professional judgement; includes methods such as haphazard, judgmental, or block selection.

Statistical sampling increases objectivity, especially in large populations, but may not always be necessary. The aim in both methods is to reduce sampling risk—the risk that the auditor’s sample is not representative.

Key Term: Tolerable deviation rate
The maximum rate of control deviations the auditor is willing to accept without altering the assessed control risk.

Key Term: Deviation
An instance where a prescribed control is not applied as designed.

Worked Example 1.2

Scenario: Out of a sample of 50 purchase orders, the auditor finds 3 were not properly authorised as required by the company’s control procedure. The tolerable deviation rate is 4%.

Answer:
The observed deviation rate is 6% (3/50), exceeding the 4% threshold. The auditor should increase substantive testing for purchases and consider reporting this as a control deficiency.

Selecting the Sample

Auditors must define the population (all items to which the procedure applies), choose a sampling method, determine sample size based on risk factors, and select actual items using an appropriate technique.

Evaluating Results

When deviations are found, auditors consider frequency and importance. If the deviation rate is higher than the tolerable threshold, or if any deviation is significant, further audit work and reporting may be required.

Communicating Control Deficiencies

Auditing standards require deficiencies found in controls to be communicated. Minor issues go to management; significant deficiencies—those with higher risk or impact—are reported to those charged with governance.

Key Term: Control deficiency
A flaw in the design or operation of a control that reduces its ability to prevent, detect, or correct misstatements on a timely basis.

Key Term: Significant deficiency
A deficiency or combination of deficiencies that merits the attention of those charged with governance.

Format and Content of Communication

Reports explaining deficiencies should:

  • Describe the nature of the deficiency and its potential effects.
  • Clearly explain consequences (e.g. risk of fraud, incomplete records, errors).
  • Make actionable recommendations naming who should implement the change and how often.
  • Include a statement that only issues identified during audit testing are included—not a comprehensive review.

Worked Example 1.3

Scenario: The auditor discovers that customer refunds can be processed without managerial review, increasing fraud risk.

Answer:
Report this deficiency to management, recommend that all refunds above a set amount require authorisation by an independent manager, and set up monthly exception reviews.

Exam Warning

Be precise: test of control results (e.g., high deviation rates) require additional substantive procedures and clear communication. Failing to escalate significant deficiencies to those charged with governance is a frequent exam pitfall.

Revision Tip

Always state both the deficiency and its consequence in deficiency reports—don’t just describe what is missing, but explain why it’s a problem.

Summary

Tests of controls are used to assess whether control activities are operating as intended throughout the period. Walkthroughs are used to confirm system understanding and validate design and implementation. Where controls function as intended, substantive work may be reduced. If deficiencies are identified through sampling or other means, they must be evaluated, reported, and their impact considered in the audit approach.

Key Point Checklist

This article has covered the following key knowledge points:

  • State the purpose and process of tests of controls in an audit.
  • Explain the walkthrough procedure for controls and its objectives.
  • Describe audit sampling methods for testing controls, including statistical and non-statistical options.
  • Define and identify control deficiencies and significant deficiencies.
  • Outline the correct format and key components for reporting control deficiencies.

Key Terms and Concepts

  • Test of control
  • Walkthrough
  • Audit sampling
  • Tolerable deviation rate
  • Deviation
  • Control deficiency
  • Significant deficiency
