The procedure to test the effectiveness of controls in support of a reduced assessed control risk is called tests of controls. A test of controls is an audit procedure to test the effectiveness of a control used by a client entity to prevent or detect material misstatements.
To assess control risk as high, an auditor must expect that substantive procedures alone will provide sufficient appropriate evidence. Areas, where substantive procedures alone may not provide sufficient appropriate evidence, include a routine recording of significant classes of transactions, such as revenue or purchases. These areas often highly automated with little or no manual intervention.
(a) Nature: If controls exist that the auditor expects to rely upon, undertake tests of these controls, and otherwise undertake substantive testing.
(b) Timing: To aid the ability to meet deadlines and scheduling of staff, tests of controls sometimes scheduled before year-end. Testing then extended (rolled forward) until year-end.
(c) Extent: The more the auditor relies on controls, the greater the extent of tests of controls. For tests of controls related to documents, extent determined by reference to sampling theory. Controls related to accounting routines (e.g. bank reconciliations) usually tested by re-performing a small number.