International Journal of Auditing

Int. J. Audit. 8: 185–194 (2004)

Tests of Control in the Audit Risk Model: Effective? Efficient?
J. H. Blokdijk*

Lately, the Audit Risk Model has been subject to criticism. To gauge its validity, this paper confronts the Audit Risk Model as incorporated in International Standard on Auditing No. 400, with the real life situations faced by auditors in auditing financial statements. This confrontation exposes serious deficiencies in the Audit Risk Model, especially regarding tests of control. One conclusion is that internal controls that cannot be reperformed by an auditor, should be disregarded in assessing control risk. Another conclusion is that tests of the other internal controls are far more effective in focusing specific substantive tests, than in assessing control risk with the aim of reducing the size of a random sample. The paper concludes with a proposal for restructuring the audit process.

Key words: Audit risk model, risk analysis, tests of control, control risk, audit process, internal control and the auditor.

SUMMARY
The Audit Risk Model that is being used, on a worldwide basis, to underpin the audits of financial statements, is being criticised. This paper offers an analysis of the model, resulting in a proposal for restructuring the audit process.

The model has been codified in International Standard on Auditing (ISA) 400. It is essentially based on the idea that an auditor's detection risk is influenced by inherent risk and control risk. The latter risks are incurred by the auditee, whereas detection risk applies to the auditor only. Inherent risk is largely determined by the activities of the auditee, but it is influenced by external forces. Control risk is purely internal; it derives from management's decisions on the level of internal control required. The auditor cannot influence these risks; he/she can only assess them to determine the amount of audit work required to reduce his/her detection risk to an acceptable level.

Control risk encompasses three aspects: the design, the existence and the actual operation of the controls. The auditor should test the actual operation by performing tests of control. ISA 400 covers the assessment of inherent risk and of the design and existence of internal control reasonably well. So, the analysis focuses on tests of control.

To that end, internal control is reviewed for the three stages of preparation of financial statements:
A. Occurrence of events and their first recording in the accounting system.
B. Data processing, resulting in a routine product, the trial balance.
C. Adjusting the trial balance in order to arrive at the final balance sheet and income statement.

At stage C there is hardly any internal control in the traditional sense.

Stage A normally contains many internal controls, but most of these cannot be reperformed by the auditor, for reasons explained in the paper. So, these non-reproducible internal controls should be disregarded in risk analysis, as their eventual absence cannot be compensated by additional audit work.

The internal controls in stage B are reproducible in principle, but it is hardly practicable to test the entire chain of internal controls in this stage. The few practicable tests would be far more effective if used to focus substantive tests on specific items, rather than to determine the size of random samples. Moreover, tests of internal controls in this stage would nearly always involve substantive tests. In ISA 400, tests of control conceptually precede substantive procedures, and serve to determine their nature, extent and timing. ISA 400 moves in a semantic circle that does not provide much guidance to auditing practice, and does not cover all relevant internal controls.

On the basis of these findings, I propose:
1. to abolish tests of control as an element of audit risk analysis;
2. to introduce a new stage in the audit process, that encompasses both certain system-oriented and data-oriented procedures that serve to focus substantive tests of details on items with relevant characteristics.

The structure of the audit of financial statements would conform more with reality, as faced by auditors.

*Correspondence to: jh.blokdijk@thw.nl

ISSN 1090-6738
© Blackwell Publishing Ltd 2004. Published by Blackwell Publishing, 9600 Garsington Road, Oxford OX4 2DQ, UK and 350 Main Street, Malden, MA 02148, USA.

INTRODUCTION
International regulations on auditing have been based on the so-called Audit Risk Model, witness the International Standard on Auditing 400 (ISA 400), issued by the International Federation of Accountants (IFAC).

As the International Standards on Auditing have been accepted by a large number of accountancy bodies in numerous countries, the majority of audits of large companies' financial statements are being performed conforming with the International Standards on Auditing (ISAs). Consequently, these audits are based on the Audit Risk Model.

In recent times, the Audit Risk Model has come under severe criticism, especially from the Securities and Exchange Commission (SEC) of the United States. On October 7, 1999, the then chairman of the SEC, Arthur Levitt, Jr. stated: "In an era that calls for greater risk management, the industry has migrated to what they call the risk-based model. [. . .] Because of the challenges of executing these new standards well, I wonder if the public interest is being better served. We cannot permit thorough audits to be sacrificed for re-engineered approaches that are marginally more efficient, but significantly less effective."

One year earlier, Mr. Levitt had requested the Public Oversight Board to appoint a Panel on Audit Effectiveness, which was to review and evaluate how independent audits of the financial statements of public companies were performed. The Panel issued its final Report and Recommendations on August 31, 2000. It pronounced itself satisfied that the model underpinning financial statement audits generally is appropriate, although in need of enhancing and updating. This rather soothing conclusion did not exactly induce the auditing profession to seek a critical review of the bases of the Audit Risk Model.

The Panel, however, also concluded: "Thus, examining the efficacy of the audit process alone is not the answer to assessing audit effectiveness." So, the Panel seemed to share Mr. Levitt's criticism, at least partly. As it affects the audits of the financial statements of the largest companies in the world, it seems useful to take a hard look at the Audit Risk Model as the basis of such audits. To that end, I will:
1. describe and analyse the Audit Risk Model as developed in ISA 400;
2. analyse the process of preparing financial statements in connection with the ideas underlying the Audit Risk Model;
3. analyse the auditor's possibilities in the two relevant stages in said process;
4. review ISA 400 in the light of the conclusions reached;
5. offer a proposal for restructuring the audit process.

The International Standards on Auditing aim at establishing standards and providing guidance on the structuring of an audit. On the basis of the following analysis, I propose to revise that structure. Though the analysis necessarily involves some specific procedures, the proposal should be judged on the same level of abstraction as the current International Standards on Auditing.

THE AUDIT RISK MODEL ACCORDING TO ISA NO. 400

The Audit Risk Model is essentially based on the idea that an auditor's detection risk is influenced by inherent risk, and control risk. ISA 400 defines detection risk in paragraph 6 as: "the risk that an auditor's substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material, individually or when aggregated with misstatements in other balances or classes." In paragraph 4, inherent risk is defined as: "the susceptibility of an account balance or class of transactions to misstatements that could be material, individually or when aggregated with misstatements in other balances or classes." Control risk is described in paragraph 5 as: "the risk that a misstatement, that could occur in an account balance or class of transactions and that could be material, individually or when aggregated with misstatements in other balances or classes, will not be prevented or detected and corrected on a timely basis by the accounting and internal control systems."
Note that both inherent risk and control risk are incurred by the auditee, whereas detection risk applies to the auditor only. Once management has decided on the activities to be engaged in, inherent risk is largely a given quantity. Management then decides on the acceptable level of control risk, and implements the necessary measures of internal control. The auditor cannot influence inherent risk; he/she can only indirectly influence control risk by advising on the internal controls that management should implement.

When confronted with a draft of financial statements to be audited, the auditor cannot do more than assess inherent risk and control risk, in order to determine his/her detection risk. This has been recognized in paragraph 42 of ISA 400, which reads as follows: "The auditor should consider the assessed levels of inherent and control risks in determining the nature, timing and extent of substantive procedures required to reduce audit risk to an acceptably low level." The purpose of this assessment has been stated in paragraph 47: "The higher the assessment of inherent and control risk, the more audit evidence the auditor should obtain from the performance of substantive procedures."

ISA 400 also states, in paragraph 45: "Regardless of the assessed levels of inherent and control risks, the auditor should perform some substantive procedures for material account balances and classes of transactions."

ISA 520 states in paragraph 10: "The auditor's reliance on substantive procedures to reduce detection risk relating to specific financial assertions may be derived from tests of details, from analytical procedures, or from a combination of both." For the purpose of this analysis, two types of substantive procedures are distinguished:
1. Selective: tracing and testing specific items because they are of high value, or exhibit some other characteristic, for example items that are suspicious, unusual, particularly risk-prone or that have a history of error (ISA No. 530, para. 25).
2. Random: selecting and testing items without regard to any characteristic.

Only analytical procedures support the first category of substantive procedures. The assessment of inherent risk and control risk is primarily relevant for the determination of random sample sizes; to that end, these risks must be quantified.

Risky activities should be safeguarded by a higher level of internal control than less risky ones. Consequently, control risk cannot be meaningfully assessed without assessing inherent risk first. But it is, in effect, the product of the two risks that the auditor faces in planning his audit. As ISA 400 states in paragraph 40, inherent risk and control risk are highly related.

Inherent risk is largely determined by the activities of the auditee, but it is influenced by external forces. Control risk is purely internal; it derives from management's decisions on the level of internal control to be implemented, and depends on the degree of compliance by the employees. This is why internal control is a central theme in ISA 400, which is titled Risk Assessments and Internal Control. Paragraph 2 states: "The auditor should obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach."

Assessing internal control


In this respect, ISA 400 distinguishes between the design and the operation of the accounting and internal control systems. In order to achieve the understanding of the systems, the auditor may, according to ISA 400, perform a walk-through test, that is, trace a few transactions through the accounting system (para. 15). Furthermore, the auditor should perform tests of control to obtain audit evidence about the effectiveness of the design of the systems, and of the operation of the internal controls throughout the period (para. 27).

This structure is not very clear. In practice, a distinction into three aspects may be more recognizable:
1. The design of the systems, which can be understood and evaluated by consulting documentation, such as manuals, and which need not be repeated as long as the systems remain unchanged.
2. The existence of the systems (have they been implemented? or, in subsequent periods, have they been unchanged?), which should be verified in every audit period, for example, by performing the above walk-through tests.
3. The actual operation of the systems, which should be verified by tests of control, and cover the entire audit period.

ISA 400 does not require the verification of the continuing existence of systems for which the design has been evaluated. This may, however, be achieved by a walk-through test, if performed during every audit period. The verification of the existence of internal controls in the systems might also be done by way of tests of control; if a control designed in a system does not in fact exist, tests of control will reveal this. In this respect, tests of control are more effective in determining the existence of the systems than to achieve the purpose stated in paragraph 27: to determine the effectiveness of their design. Of course, errors found in tests of control do shed light on the effectiveness of the operation of the system, but much less so on the effectiveness of its design.

Even though somewhat impractically structured, the requirements in ISA No. 400 regarding the design and the existence of the systems seem reasonably adequate and practicable. This is not quite clear regarding the operation of the systems: the effectiveness of tests of control is a large question mark, as will be shown in the following analysis of the process of preparation of financial statements and of the internal controls involved.

THE STAGES OF THE PREPARATION OF FINANCIAL STATEMENTS

The preparation of financial statements involves three stages:
A. Occurrence of events and their first recording in the accounting system.
B. Data processing, resulting in a routine product, the trial balance.
C. Adjusting the trial balance in order to arrive at the final balance sheet and income statement.

In stage A, internal control serves to ensure that the events (e.g., transactions, production) conform to management's directives, and that the first recording of the events conforms with reality. In practice, these two purposes are often inseparable: an approval stamp for goods received means that the goods ordered from the supplier are of good quality, and that the related data can be processed in the accounting system. As quality control of goods received and data processing are not normally performed by the same person, the data processor and, subsequently, the payments officer should have evidence of the performance of the internal control by the quality inspector.

Stage B consists of the input of the data into the accounting system, sorting these data (assigning them to different accounts), and of summarizing and balancing the accounts. Internal control serves to ensure that these operations are performed correctly.

Stage C is the non-routine part of the preparation of financial statements. It mainly involves the application of subjective judgments, such as the determination of provisions, and other non-routine operations, such as the determination of obligations resulting from pension plans, share option plans and the like, and of income tax. This stage is crucial in the preparation of financial statements: management normally exercises direct influence on this stage of the accounting process. Its decisions may be scrutinized by a board of directors and/or an audit committee, but the auditor cannot confine him/herself to reading the minutes of their meetings and ascertaining that management's decisions have been reviewed, which would be a test of control. The auditor should form his/her own judgment as to the acceptability of these, normally crucial, decisions. Consequently, the audit in stage C should be performed by applying substantive procedures. As the number of accounting adjustments in stage C is normally very small compared to the number of accounting entries in stages A and B, this is not a large problem in practice.

So, the issue is confined to stages A and B. These stages differ in nature, so they merit separate consideration, which will be given in the following two sections.

EVENTS AND THEIR FIRST RECORDING: INTERNAL CONTROL AND THE AUDITOR

As stated above, the procedures outlined in ISA 400 to evaluate the design and to determine the existence of the systems, including internal control, seem sufficiently effective; therefore, this critical review is restricted to tests of control to assess the operation of the systems.

Performance of internal controls in stage A should normally be evidenced in some form, by stamps, initials on a voucher, and the like. The control should be performed by the appropriate employee: the system should provide for an adequate segregation of duties. Evidence of performance should include the identity of the employee.

But how conclusive is that evidence? ISA 400 mentions several inherent limitations of internal control, such as human error, circumvention of internal controls through collusion, and management override. In performing tests of control, can the auditor detect this? This would only be possible if the auditor were able to reperform the internal controls involved.

The problem can be illustrated with an example given in Blokdijk et al. (1995, p. 63) described below. This example involves invoices for goods or services received. It does not yet deal with the circumstance that many internal controls in stage A are no longer evidenced in visible form, but are embedded in the automated systems (see next section).

Regarding those invoices, the auditor can easily reperform the computation of the final amount and of a sales tax amount included in it. Reperformance of the internal control on the price invoiced is more difficult: it may be in agreement with a price list from the supplier that the auditor may consult, but employees in the purchasing department are paid by their company to obtain a better price. The difference may partly or wholly end up in their own pockets by way of kick-backs. Only a thorough knowledge of that particular market would enable the auditor to uncover such a deception; as he/she cannot be expected to have such expertise in all the markets where his/her clients do business, he/she must rely on the system of internal control.

Similar considerations apply to the receipt of goods and the performance of services. Some goods could be traced afterwards, though that may be highly impractical. Most office supplies, however, are simply used up, and as to services, it is virtually impossible to ascertain that the windows actually have been cleaned if the audit takes place three months after. For the most important aspects of those purchases, the auditor cannot do much more than look for evidence of the performance of internal control.

So, there are internal controls that cannot be reperformed by the auditor. The issues raised in these circumstances have been explored extensively in Dutch auditing literature. The best English translation I have been able to find for this type of internal controls is: "non-reproducible internal controls".

Sometimes, investigative techniques designed to overcome the restrictions outlined above, do exist, but an independent auditor is not allowed to use them. An example is the situation in which an auditor has suspicions about a credit note purportedly granted by his/her client to another company audited by a partner of his/her own audit firm. The professional rule of confidentiality does not permit the former auditor to consult the latter on this document.

Non-reproducible internal controls

Even though there are internal controls that can be reperformed, such as those involving arithmetical operations, the most important ones often cannot be reperformed. The fundamental causes have been categorized as follows:
1. Expertise: the auditor cannot possibly acquire sufficient expertise to form, entirely by him/herself, a conclusive opinion on all the technical and/or commercial events that are to be reflected in the financial statements (e.g., product yield rates, purchase prices).
2. Presence: the auditor cannot possibly be ever present on the client's premises in order to ensure the correct recording of transactions and (relevant) events; apart from economic considerations, this is unacceptable in that it would jeopardize the client's and/or the auditor's independence.
3. Inadmissibility of investigative techniques: the independent auditor is not entitled to use certain techniques that are available to government auditors (such as informing other government auditors about other taxpayers), or that may be used by the police (such as wiretaps, search of private premises and the like). (Blokdijk et al., 1995, p. 64)

The inability of auditors to reperform important internal controls severely limits the effectiveness of tests of control. Fortunately, not all non-reproducible internal controls are indispensable to the audit. A lack of internal control in accepting sales orders may lead to bad debts, but the auditor will notice these in the course of the substantive procedures and insist on proper provisions. The client may incur losses, but the auditor is able to ensure that these are truly and fairly reflected in the financial statements. But the examples given above show that many internal controls are indispensable to the quality of audit evidence. As such the auditor cannot do more than rely on the audit trail of the performance of the controls.

In evaluating the design of a system, the auditor should ensure that all internal controls he/she deems indispensable for his/her purpose, are provided for. If not, he/she should conclude that the financial statements of the entity are not auditable; the best he/she can do is to disclaim an opinion.

The same goes if indispensable internal controls provided for in the design appear not to be performed at all: in other words, if the existing system differs from the design. Therefore, continuing existence of the system should be a separate audit objective, which can be attained by tests of control. One walk-through test for every type of transaction is, however, more effective than a number of tests of control of randomly selected items that may include some types of transactions more than once, and others not at all.

Tests of control may reveal that indispensable internal controls are not performed in all instances. In that case, the Audit Risk Model demands more substantive tests, but to what end? These tests would only be effective if the auditor is able to determine that the items tested are correct, notwithstanding the lack of internal control on them. This would be possible only by performing these internal controls, which the auditor is unable to do if the control is non-reproducible. Extending substantive procedures does not solve the problem encountered.

The Audit Risk Model does not present a realistic solution to the problem of missing but indispensable non-reproducible internal controls. In that case, the design and the existence of a system are important for the determination of the auditability of the entity, not for the extent of substantive procedures. A lack of compliance in the actual operation of non-reproducible internal controls cannot be remedied by the auditor's substantive procedures. Therefore, non-reproducible internal controls should not be included in risk analysis, or in determining control risk.

DATA PROCESSING: INTERNAL CONTROL AND THE AUDITOR

Stage B comprises input of relevant data, sorting, summarizing the items and balancing the accounts. These are all operations that the auditor can reperform, so he/she is able to verify the effectiveness of the operation of the internal controls involved in data processing. These internal controls are not non-reproducible.

But data processing has been automated in virtually all companies that are obliged to have their financial statements audited. This means that internal controls, including many of the non-reproducible internal controls described above, have been embedded in the automated systems.

At the time of the audit, the auditor has to deal with systems in operation; internal controls on the design and implementation of new or improved systems are not relevant at this stage.

The internal controls in systems in operation include at least: general ICT controls, being: (a) change controls; and (b) access controls; application controls, being: (c) programmed controls; and (d) user controls. The significance of tests of these controls will be discussed below.

(a) Change controls

The purported improvement in the design of the system can be evaluated on the basis of the documentation of the change control procedures, and of implementation test results. In practice, however, many small changes are allowed on a less formal basis, under the heading "maintenance". These changes are normally made in order to make programs run faster, but they sometimes result in the elimination of internal controls. For the auditor, tracing these changes is problematical: a walk-through test in an automated system is very hard to perform, if at all possible.

An effective way may be to compare the program in operation with an independently controlled copy of an executable or a source statement program (Jenkins et al., 1995, pp. 285, 286). This copy should be retained by the auditor after evaluating the original design of the system. This comparison is a rather costly procedure. In principle, tests of control might achieve the objective just as well, if effective and efficient ones can be designed. Jenkins et al. recognize, however, that direct tests of programmed procedures are substantive in nature, and are normally carried out by reperformance (p. 288).

De Koning (2002) mentions another possibility. If all program changes are logged on a production library, the auditor may be able to discover all unauthorized temporary changes. In that case, the auditor should focus his/her substantive tests to the transactions processed under the modified program; in other words, use it as a basis for selective substantive procedures. Simply deciding that internal control risk is higher than expected and, as a consequence, selecting a larger random sample is not very effective.

A more important development is, however, that many companies give their employees the possibility to change parameters in the computer programs they are authorized to use, in order to enhance the flexibility of the activities. This means that the system changes continually, which frustrates the comparison of the program in operation with an earlier copy retained by the auditor. Furthermore, direct internal control on the setting of these parameters is either non-existent or non-reproducible by the auditor.

Internal control may, however, be exercised in a different way than by immediate control of every individual transaction. For example, internal control on sales prices could take the form of frequent and extensive review by management of gross margins. To test such a control, however, it is not sufficient to verify that these reviews have been performed. The internal control is not non-reproducible. To ascertain the value of the reviews, the explanation recorded should be tested, which can only be done by applying substantive procedures. Normally, it will not be necessary to test all the explanations: it is more efficient to use the records of the review to focus the auditor's selective substantive tests. This, however, is an analytical review procedure, not a test of the controls.

(b) Access controls

Tests of access control are highly important: a single breach of security in this respect can be devastating. Access control serves to prevent addition to, modification of, and deletion of recorded data and the outcome of computer operations by unauthorized persons. Access control is especially important if the evidence of performance of non-reproducible internal controls described as part of stage A above, no longer has the visible form of initials or stamps, but is recorded in a field of a record in the client's data base. The value of the internal control depends on the employee who performs it, so only the authorized person or persons should be able to modify the content of such a field in the record involved.

In view of the fact that a single incident may have material consequences, a test of access control would only be effective if the auditor is able to have an exception report generated, preferably by means of his/her own audit software, that shows all additions, modifications and deletions by unauthorized persons. But again: if exceptions are reported, the conclusion should not simply be that more random substantive procedures are required. It is far more effective to use such a report as the basis for a selective substantive procedure, to focus the auditor's substantive tests on the specific transactions involved.

(c) Programmed controls

These are of two kinds: hard and soft. Hard
programmed controls prevent the operator from
continuing with the program if an error made is
not corrected. Soft programmed controls (e.g.,
plausibility controls) give a signal that invites a
reaction but may be ignored; those controls are
merely control possibilities.
In order to have real internal control, the signals should be dealt with by a different, authorized person, who records his/her reaction. A test of control by an auditor would involve these recordings; the auditor would have to be convinced about their completeness. Cost/effectiveness of such a test of control is questionable. In many cases, however, this internal control is non-existent, or is performed by the supervisor of the person who operates the program. In the latter case, the segregation of duties is questionable, which negatively affects the value of a test of this control.

Programmed controls mainly serve to enable the operator of the program to correct unintended errors; as such they are very helpful. Tests of the operation of programmed controls, however, do not seem to contribute greatly to audit effectiveness or efficiency.

(d) User controls


Apart from programmed controls, user controls mainly consist of the possibility of reviewing computer generated reports on the input or on the initial data processing. In effect, this is also a control possibility: if the control is performed by the operator of the computer program or by his/her supervisor, it is not based on a segregation of duties, and thus of questionable value to the auditor.

The auditor may perform a test of a user control by checking the reports generated with supporting documentation. This would be a substantive procedure, equivalent to the old-fashioned bottom-up approach to substantive auditing, that involved tracing accounting entries from their input in the accounting system to the trial balance. Since those days, the top-down approach has proven to be far more effective; it starts from the trial balance and goes back to the individual entries and their supporting documentation, to the extent determined by risk analysis. Tests of user controls have limited significance for the auditor; moreover, in order to be effective, they should consist of substantive procedures.

It should be noted that both programmed and user controls are, in effect, input controls. They do not cover the process of sorting, summarizing, and balancing. Internal control on these computer operations is based entirely on change and access controls; in many cases it is tacitly left to the auditor and his/her substantive procedures.

At the data processing stage, effective tests of control either involve substantive tests or serve to focus substantive procedures. In the Audit Risk Model, tests of control conceptually precede substantive procedures, and serve to determine their nature, extent and timing. To that end, tests of control do not seem to be effective.

TESTS OF CONTROL: A REVIEW OF ISA 400

According to paragraph 30 of ISA 400, tests of control may include:

• Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have been operated properly, for example, verifying that a transaction has been authorized.
• Inquiries about, and observation of, internal controls which leave no audit trail, for example, determining who actually performs each function, not merely who is supposed to perform it.
• Reperformance of internal controls, for example, reconciliation of bank accounts, to ensure they were correctly performed by the entity.
From the wording in paragraph 30 it is obvious that this list is not meant to be all-inclusive: other effective tests are allowed. But in a number of US auditing textbooks I have not found any other types of tests of control, which leads me to suspect that in practice, tests of control are limited to those mentioned above.

Tests of control by inspection of documents consist of inspecting the audit trail of internal controls performed. If the internal controls cannot be reperformed by the auditor, the audit trail means that the controls seem to have been performed. Nonetheless, the inspection makes sense: without the audit trail the audit evidence presented by the document is of less or no value. This makes it clear when the test should be performed: at the moment the auditor wishes to verify an accounting entry with a supporting document. The test should be an integral part of a substantive test! Inspection of documents as a test of control preceding substantive procedures is a ritual without significance.

Inquiries about, and observation of, internal controls do not provide strong audit evidence, as some auditing textbooks readily admit. When the auditor has turned his/her back, client personnel may go on in their normal efficient way, which may make the internal control non-existent.

Reperforming the internal control is only possible for internal controls that can be reperformed by the auditor. The example given, reconciliation of bank accounts, is highly enlightening indeed: if this control has not been performed, the auditor would do it him/herself, and correctly call it a substantive procedure. As a test of control preceding substantive procedures, reperformance seems to be an inconsistency in the structure of audits.

In ISA 400, paragraph 27 requires tests of control to provide evidence about the effectiveness of the operation of the internal controls throughout the period. Logic also demands that the operation of all relevant controls throughout the period is covered by tests of control: if in the chain of internal controls some links are missing, the tests cannot be deemed effective. ISA 400 does not contain such a requirement.

ISA 400 does not mention any internal controls in the data processing stage of the accounting process (stage B), with one exception I will refer to presently. In paragraph 8, under (b), some internal controls in that stage are mentioned, such as changes to computer programs and access to data files, but these have not been reflected in the paragraphs on tests of control.

IFAC has also issued ISA 401, on Auditing in a Computer Information Systems Environment. Nowadays, a separate Statement on Auditing on this subject does not recognize reality. Moreover, it consists only of generalities without a word on tests of control.

The one exception I referred to above is the example given of reperformance of internal controls: reconciliation of bank accounts. This does cover the stage of data processing, but it is a substantive procedure.

The above leads to the conclusion that tests of control in ISA 400 are either hardly effective or substantive procedures. ISA 400 moves in a semantic circle that does not provide much guidance to auditing practice. Moreover, ISA 400 does not cover all relevant internal controls.

DISCUSSION AND CONCLUSION

In the preceding sections the following conclusions have been drawn:

1. Tests of control might be effective to determine the existence of a system, but a walk-through test is more efficient.
2. Tests of control on events and their first recording (stage A) consist mainly in determining the quality of evidence to be used in substantive tests.
3. Non-reproducible internal controls on events and their first recording do not merit a role in quantitative risk analysis, as a lack of such controls cannot be compensated by the auditor's work.
4. The effectiveness of tests of control on program changes and on the setting of parameters is dubious; substantive procedures are more effective, or at least more efficient.
5. Tests on access control and on non-reproducible internal controls embedded in computer information systems may be effective if they are used to select items to be subjected to substantive tests.
6. Tests of control on input of data are not efficient; top-down substantive procedures are both more effective and more efficient.

The overall conclusion is that separate tests of control do not make much sense; if useful, their use lies in focusing substantive tests rather than in assessing internal control risk.

As to tests of control, the Audit Risk Model does not fit reality as confronted by auditors in auditing financial statements. In order to serve as the basis for regulation, it should be thoroughly revised.

A proposal for restructuring the audit process

On the basis of these findings, I propose:

• to abolish tests of control as an element of audit risk analysis; and
• to introduce a new stage in the audit process, that comprises both certain system-oriented and data-oriented procedures that serve to focus substantive tests of details on items with relevant characteristics.

In my view, the audit would consist of the following main stages:

1. acquiring knowledge of the business (including the design and the existence of the accounting system and of internal control), and risk analysis;
2. applying those analytical procedures that serve to assist the auditor in planning the nature, timing, and extent of other audit procedures (ISA 520, paragraph 7 (a));
3. performing tracing procedures as indicated above, as the basis for selective substantive procedures;
4. applying substantive procedures, including those analytical procedures that are more effective or efficient than substantive tests of details (ISA 520, paragraph 7 (b)); and
5. deciding on the audit opinion: overall review (ISA 520, paragraph 7 (c)), and reporting.

In risk analysis, the assessment of control risk should only be based on the design and the existence of internal controls. The operation of internal controls should not be taken into account, which would mean that control risk no longer could be set at low.

This structure of the audit of financial statements will conform more to reality as faced by auditors. The challenge will lie in devising ever more effective tracing procedures, to be embedded in audit software. Imagination may be the key to restoring confidence in the effectiveness of auditing.

ACKNOWLEDGEMENTS

Helpful comments were provided by Professor Dan A. Simunic, University of British Columbia.

AUTHOR PROFILE

J. H. Blokdijk is professor emeritus of auditing at the Vrije Universiteit Amsterdam, The Netherlands, and a retired partner of KPMG in The Netherlands. He is a research fellow at Nyenrode University, The Netherlands. His research has covered a wide range of auditing issues.
