Tests of controls may include:
- Inspection of documents supporting transactions and other events to gain assurance that internal controls have operated properly, e.g. inspecting a purchase order to verify that it has been signed as evidence of authorisation.
- Inquiries about, and observation of, internal controls which leave no audit trail, e.g. observing that appropriate security measures are undertaken during the payout of wages.
- Re-performance of internal controls, e.g. reconciliation of the bank accounts to ensure that the client’s bank reconciliation statements are accurately prepared.
When obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation of controls recognises that some deviations from prescribed controls may be caused by factors such as changes in key personnel, significant seasonal fluctuations in the volume of transactions and human error.
Action taken when weaknesses are identified in the ICS
- The auditors should bring this to the attention of the management immediately and discuss remedial and corrective measures (this precedes the management letter).
- The auditor should consider changing his audit approach by increasing the level of detailed substantive testing.
- The auditor should increase the sample size, i.e. test as many entries as considered necessary to avoid leaving errors and frauds undetected.
- He should record significant weaknesses in the management letter, and should also give his recommendations.
- If the weaknesses are persistent and significant, he must mention this to shareholders for appropriate action to be taken.
- If the ICS is so weak that he cannot depend upon it to apply any tests, then he should qualify his report or at best give a disclaimer of opinion.