Testing the Operating Effectiveness of Key Controls
10.46 In determining operating effectiveness, the audit team is concerned with many factors (e.g., how the control was applied, whether the control was performed throughout the period, and whether the right person performed the control). Voyager aids the audit team in designing and performing tests of key controls to determine their operating effectiveness. The tests of controls to be applied are matters of professional judgment.
10.47 The type of test will vary based on the nature of the control, whether the control is documented or undocumented, and the judgment of the audit team. The following types of tests are available in Voyager for the audit team to evaluate operating effectiveness:
• inquiry and observation
• sampling
• reperformance
• computer-assisted auditing techniques (CAAT)
• management – reperform
• management – review only
• service auditor
10.48 The nature of the control (documented or undocumented) is one of the factors that determines the type of testing that can be applied to the control. For example, although sampling allows the audit team to test the effective operation of a control over an extended period of time, it can only be used if a control is documented.
10.49 For a manual, undocumented control, the audit team can only perform inquiry and observation tests to obtain evidence that the control operated effectively throughout the period of reliance. An intended control reliance of “Tests of controls will be performed to verify that controls operate effectively” cannot be achieved by testing only manual undocumented controls using inquiry and observation.
10.50 Automated controls depend on IT general controls for reliability, consistency, continuity, accuracy and documentation that they operated effectively throughout the period. Before testing automated activities-level controls, the audit team should evaluate the IT general controls to confirm they are implemented and effectively designed. For example, to rely on a programmed edit control (an operational control), the audit team should be satisfied that IT general controls were implemented throughout the period. When IT general controls such as testing software updates are not effective, the edit control may also be ineffective or may not have operated throughout the period. Also, ineffective security access controls may mean that data was changed without being subject to the edit control programmed into the application.
10.51 For manual, documented controls, the audit team can choose the most appropriate test in the circumstances. Since controls that operate frequently require more testing, the most effective way to test these controls is to employ sampling. Audit teams should use the sampling components within Voyager to determine the sample size. Conversely, controls that operate infrequently require less testing. In these circumstances, the audit team ordinarily employs reperformance. The following table provides testing guidelines for manual, documented controls. Audit teams should determine the exact sample size using the calculator within Voyager, as the number of tests may vary: