AUD control-testing coverage for walkthroughs, deviations, deficiency communication, and integrated audit work.
This chapter moves from understanding controls to testing whether they actually operate as expected. The central question is how control-testing results change risk assessment, reliance decisions, and required communication.
Control-testing questions are about reliance. A procedure matters because it supports, limits, or destroys the auditor’s ability to reduce substantive testing based on control effectiveness.
| Issue | What the auditor is deciding | Common exam trap |
|---|---|---|
| Walkthroughs, reperformance, and inspection | Whether the control is designed and operating as described. | Treating inquiry alone as enough evidence of operating effectiveness. |
| Deviations | Whether exceptions are isolated, systemic, or severe enough to change planned reliance. | Counting deviations mechanically without considering cause, frequency, and effect on assessed risk. |
| Deficiency communication | Whether a deficiency is a control deficiency, significant deficiency, or material weakness. | Assuming every exception is communicated at the same level or to the same party. |
| Integrated audit ICFR testing | Whether internal control over financial reporting is effective for a public company. | Confusing financial-statement audit evidence with the separate opinion on ICFR effectiveness. |
| Step | AUD question to ask | Audit effect |
|---|---|---|
| 1. Identify the control objective | Which assertion, risk, or financial reporting objective should the control address? | A test is only useful if it connects to the planned reliance decision. |
| 2. Test design before operation | Is the control suitably designed, and can it prevent or detect the relevant misstatement? | Operating evidence does not fix a poorly designed control. |
| 3. Select operating-effectiveness evidence | Will inspection, reperformance, observation, inquiry, or a combination support operation? | Inquiry alone rarely provides enough evidence for reliance. |
| 4. Evaluate deviations | Are exceptions isolated, systemic, severe, or linked to control deficiency? | Deviations change risk assessment and substantive testing. |
| 5. Communicate and revise the plan | Does the issue require governance communication, ICFR reporting, or more substantive work? | Control testing results should affect both communication and audit response. |
| Checkpoint | Ask before relying on controls | Audit effect |
|---|---|---|
| Control objective | Which assertion, risk, or reporting objective should the control address? | Reliance is only useful when tied to a specific audit risk. |
| Design suitability | Could the control prevent, detect, or correct the relevant misstatement if performed properly? | Operating evidence cannot cure poor design. |
| Evidence strength | Does inspection, observation, reperformance, inquiry, or system evidence support operation? | Inquiry alone is usually insufficient for operating effectiveness. |
| Deviation meaning | Are exceptions isolated, recurring, systemic, severe, or caused by a design gap? | Deviation analysis changes assessed risk and planned procedures. |
| Communication level | Is the issue a control deficiency, significant deficiency, material weakness, or ICFR reporting matter? | Communication should match severity and engagement context. |