Tests of Internal Control Operating Effectiveness
SCOPE
AU-C 330 offers guidance to auditors when designing and implementing responses to risks of material misstatements identified under AU-C 330. (AU-C 330)
DEFINITIONS OF TERMS
Source: AU-C 330.04. For definitions related to this standard, see Appendix A, “Definitions of Terms”: Substantive procedure, Test of controls.
OBJECTIVE OF AU-C SECTION 330
The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement through designing and implementing appropriate responses to those risks. (AU-C Section 330.03)
OVERVIEW
AU-C 330 and 315 are the centerpiece of the risk assessment standards. Together, these two sections provide detailed guidance on how to apply the audit risk model described in Section 320. That model describes audit risk as:
AR = RMM × DR
where AR is audit risk, RMM is the risk of material misstatement, and DR is detection risk. The RMM is a combination of inherent and control risk. Although the standard describes a combined risk assessment, the auditor may perform separate assessments of inherent and control risks.
AU-C 330 provides guidance on the design, performance, and evaluation of further audit procedures, which consist of tests of controls (an element of RMM), and substantive procedures, which are related to detection risk.
The assessment of the risk of material misstatement serves as the basis for the design of further audit procedures. Further audit procedures should be clearly linked and responsive to the assessed risks.
To reduce audit risk to an acceptably low level, the auditor should:
Determine overall responses to address the assessed risks of material misstatement at the financial statement level, and
Design and perform further audit procedures responsive to the assessed risks of material misstatement at the relevant assertion level.
(AU-C 330.05–.06)
NOTE: Further audit procedures consist of either tests of controls or substantive tests. Often, a combined approach using both tests of controls and substantive procedures is an effective approach.
Audit procedures performed in previous audits and example procedures provided by illustrative audit programs may help the auditor understand the types of further audit procedures that can be performed. However, prior-year procedures and example audit programs do not provide a sufficient basis for determining the nature, timing, and extent of audit procedures to perform in the current audit. The assessment of the risk of material misstatement in the current period is the primary basis for designing further audit procedures in the current period.
REQUIREMENTS
Overall Responses
The overall responses to financial-statement-level risks of material misstatement may include:
Emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence.
Assigning more experienced staff or those with specialized skills.
Using specialists.
Providing more supervision.
Incorporating additional elements of unpredictability in the selection of further audit procedures.
Making general changes to the nature, timing, or extent of further audit procedures, such as performing substantive procedures at period end instead of at an interim date.
(AU-C 330.A1)
Designing Further Audit Procedures
The auditor should design and perform further audit procedures whose nature, timing, and extent are responsive to and clearly linked with the assessment of the risk of material misstatement. (AU-C 330.06) In designing further audit procedures, the auditor should consider matters such as:
The significance of the risk.
The likelihood that a material misstatement will occur.
The characteristics of the class of transactions, account balance, or disclosure involved.
The nature of the specific controls used by the entity, in particular whether they are manual or automated.
Whether the auditor expects to obtain audit evidence to determine if the entity’s controls are effective in preventing or detecting material misstatements.
(AU-C 330.07)
Regardless of the audit approach selected, the auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure.
Tests of Controls
The auditor should test controls when:
The auditor will rely on the operating effectiveness of controls to modify the nature, timing, and extent of substantive procedures, or
Substantive procedures alone will not be sufficient. Section 330 provides guidance on determining when substantive procedures alone will not be sufficient.
(AU-C 330.08)
NOTE: When determining whether to rely on the operating effectiveness of controls to modify the nature, timing, and extent of substantive procedures, the auditor may consider matters such as the following:
The incremental cost of testing controls, which includes the cost of testing not just the controls that have a direct effect on the assertion, but also those controls upon which the direct controls depend. When considering incremental testing costs, consider that the costs of evaluating control design have already been incurred (because the auditor must evaluate control design on every audit) and that the incremental cost of obtaining audit evidence about the effective operation of controls may not be substantial.
In many circumstances, audit evidence obtained from tests of controls may be relevant for more than one period. That is, the costs of testing controls may provide benefit for three audit periods.
The benefits to be derived from testing controls. In many cases, testing controls may have benefits that extend beyond the relevant assertion to be addressed by the substantive procedures. For example, testing controls may provide audit evidence about the reliability of the entity’s IT system, which can allow the auditor to rely on other information produced by the system to perform substantive tests. For example, information obtained from a reliable IT system can contribute to more reliable analytical procedures.
The auditor will perform risk assessment procedures to evaluate