Documenting and testing control systems

Documenting and Testing Control Systems

Ascertaining how the system operates

Procedures used to obtain evidence regarding the design and implementation of controls include:

  • enquiries of relevant personnel;
  • observing the application of controls;
  • tracing transactions through systems; and
  • inspecting documents, such as internal procedure manuals.

In addition to this, auditors can also use their prior knowledge of the client and the operation of the systems in prior years. However, it must be noted, that auditors cannot simply rely on their systems knowledge from the prior year's audit; much can happen in a year and systems knowledge must be updated and the systems tested once more.

It should also be noted that ISA 315 specifies that enquiry, alone, is not sufficient to understand the nature and extent of controls.

Documenting client systems

Possible ways of documenting systems include:

  • narrative notes (which can prove bulky if systems are large or complex)
  • flowcharts (which can make a complex system easier to follow)
  • organisation charts - showing roles, responsibilities, and reporting lines
  • Internal Control Questionnaire (ICQ)
  • Internal Control Evaluation Questionnaire (ICE).

ISA 315 states that the method adopted is a matter of auditor judgement.


An ICQ is a list of possible controls for each area of the Financial Statements. The client is asked to review the list and confirm which are applicable to their system.


In contrast to ICQ's an ICE lists control objectives. Client's are then asked to confirm how they meet that objective.

For example; an ICQ might ask a client: "does a supervisor authorise all weekly timesheets?" An ICE would ask "how does the company ensure that only hours worked are recorded on timesheets?"

Testing the system

Having documented the systems the auditor needs to assess whether:

  • they are actually implemented; and
  • they are effective.

In order to assess the operating effectiveness of controls in preventing and detecting material misstatement the auditor performs tests of controls. These are designed to gather evidence concerning:

  • how controls were applied during the period;
  • the consistency of application; and
  • who (or what) they were applied by.

Typical methods of controls testing include:

  • observation of control activities, e.g. the inventory count; and
  • computer aided audit techniques (as seen in the audit evidence chapter).
Created at 10/3/2012 5:47 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 11/2/2016 11:23 AM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London

Rating :

Ratings & Comments  (Click the stars to rate the page)


Control;control systems

Recent Discussions

There are no items to show in this view.