Testing design of controls



  • I had an interesting discussion with our auditors today that didn’t sound right and I wanted to get some feedback. We are a June 30 year end, so we have some time, but in discussing our process they wanted to make sure we had documented our ‘testing’ of the design of our controls.
    I believe that one cannot test the design as it is a subjective evaluation. One must document the controls and be able to evaluate whether one feels they meet the stated assertion and mitigate the risks, but once one starts testing, one is evaluating whether the control is operating effectively.
    Does anyone have any input or experience with their auditors on this?
    Thanks for your help



  • This is a very interesting part of the audit process. The control design is closely related to control objectives. There is a need to assess the design effectiveness. The control should be properly constructed to achieve the related control objectives. You need to document the owner of the control, the description of the process flow, and whether the control is properly designed, i.e. if the control is used as directed, will it accomplish its objective? If the control is deemed deficient, what are its specific shortcomings?
    After evaluating the control design, the auditor is expected to classify the design deficiencies into material/significant/insignificant design etc.
    BTW, thereafter there is a need to LOOK for missing controls and develop the remediation plan, which involves strengthening the controls, overhauling the controls etc.
    If you need further assistance, feel free to call me on 732-688-3802.
    Krish



  • Krish is right about that…



  • Krish is right, but that is only part of the story.
    In evaluating control design you need to:

    1. Determine whether the controls that you have documented for the process meet ALL of the control objectives/financial statements assertions
    2. Whether there is an appropriate balance of prevent and detect controls
    3. Whether there is an appropriate balance of manual and automated controls
    4. Whether individual controls meet the requirements of SOX i.e. are they sufficiently well evidenced

    I would also recommend that you do a walkthrough test at this stage to determine that what you’ve been told in documenting the process corresponds with reality.


  • Dennis and Krish - I agree with what you are saying, but our externals are taking it a step further, saying we have to document evidence that we tested the design. Translating that, they mean that we have to test that we have the right balance between prevent and detect controls, and test that we have the right balance between manual and system controls, and test that our controls are designed to meet our assertions. It is counter-intuitive as these are subjective evaluations that cannot be tested.
    I agree with the walk through though - even though it’s not required by companies, I think it’s a good practice.
    Bruce



  • Bruce, you need to show what the outcome of your tests has been. Therefore you need to document the test in terms of how and what you tested and the result of it. That enables e.g. the ext. Auditor or any other person to redo the test and verify it.



  • Thanks Holger, but how do you test the design of controls?



  • It is actually the ‘play’ of words.
    You need to ‘evaluate’ the design of controls/assess the design effectiveness of controls by seeing whether they are properly constructed to achieve the related control objective. Produce the following 5 pieces of evidence for the external auditor to prove its effectiveness:

    1. Owner of the control: Identify the person responsible for executing the control.
    2. Description of the process flow: Detailed explanation of how the control operates.
    3. Properly designed - is the control built correctly?: If the control is used as directed, will it accomplish the objective?
    4. Details of the internal control deficiency: If the control is deemed deficient, what are its specific shortcomings?
    5. Remediation plan: How will the faulty design be corrected?

    Specific methods you use for evaluating the design of controls depend upon:

    - The types of control activities you are evaluating, including whether manual or programmed
    - The competence of the individuals who perform the relevant control activities
    - The period of intended reliance
    - The use of a service organization
    - Regulatory and governmental requirements

    Thanks… Krish

