AUD CPA Practice Questions: Assessing the Operating Effectiveness of Controls

In this video, we walk through 5 AUD practice questions teaching about assessing the operating effectiveness of controls. These questions are from AUD content area 2 on the AICPA CPA exam blueprints: Assessing Risk and Developing a Planned Response.

The best way to use this video is to pause each time we get to a new question in the video, and then make your own attempt at the question before watching us go through it.

Also be sure to watch one of our free webinars on the 6 “key ingredients” to an extremely effective & efficient CPA study process here…

Assessing the Operating Effectiveness of Controls

When performing an audit, auditors must determine whether a company’s internal controls are functioning as intended. This involves evaluating the operating effectiveness of controls, ensuring they are consistently applied and capable of preventing or detecting material misstatements. Below, we explore the key procedures used to assess operating effectiveness, distinguish these from other types of audit testing, and discuss when controls need to be retested.

How Auditors Test the Operating Effectiveness of Controls

Auditors use five main procedures to test whether a control is operating effectively:

1. Inquiry – Asking employees how a control is performed. However, inquiry alone is not sufficient to prove effectiveness because it only provides verbal confirmation without direct evidence.
2. Observation – Watching an employee perform a control (e.g., observing a manager review and approve transactions).
3. Inspection – Reviewing documentation that supports control performance (e.g., inspecting approval signatures on invoices).
4. Recalculation – Verifying a control’s accuracy by manually recomputing certain transactions (e.g., rechecking depreciation calculations).
5. Reperformance – Independently executing the control to verify that it works as intended (e.g., reprocessing a payroll transaction to confirm proper calculations and approvals).

For example, if a company has a control requiring managerial approval of journal entries, the auditor might inspect documentation of approvals, observe the approval process, or reperform the control by reviewing sample journal entries.

Distinguishing Tests of Controls from Substantive and Analytical Procedures

Understanding the difference between tests of controls, substantive procedures, and analytical procedures is essential in auditing.

• Tests of Controls assess whether a control is functioning properly. These are only necessary if the auditor plans to rely on controls to reduce substantive testing.
• Substantive Procedures focus on verifying financial statement balances and include:
  • Tests of Details – Examining individual transactions or account balances (e.g., reviewing invoices and supporting documents for revenue transactions).
  • Substantive Analytical Procedures – Evaluating trends and relationships in financial data (e.g., comparing current-year sales to prior-year trends).

For instance, if an auditor wants to assess whether a company’s accounts receivable approval process is functioning, they would test controls like managerial review of customer credit limits. If they instead want to verify the accuracy of the receivable balance, they would use substantive procedures like sending confirmation letters to customers.

Understanding vs. Testing the Effectiveness of Controls

Auditors must obtain an understanding of internal controls as part of risk assessment, but this does not mean they are testing effectiveness. Understanding involves evaluating the design and implementation of controls, whereas testing effectiveness determines whether controls are functioning as intended throughout the audit period.

For example, an auditor may learn that a company requires dual authorization for wire transfers, but unless they test sample transactions, they cannot conclude whether this control is being followed in practice.

When Auditors Must Retest Controls

Auditors may rely on prior-year testing results, but retesting is required if:

• The control itself has changed (e.g., a new IT system is implemented for transaction processing).
• The underlying data used in the control has changed (e.g., payroll calculations are now performed in a new software system).
• The control was last tested beyond the auditor’s acceptable time frame.

For example, if a company updates its accounts payable system, the auditor must retest disbursement approval controls to ensure they still function correctly within the new system.

Conclusion

Determining the operating effectiveness of controls is a critical part of an audit when reliance on controls is planned. Auditors must apply the appropriate testing procedures, differentiate control testing from substantive testing, and recognize when retesting is required due to changes in controls or data. By carefully evaluating control effectiveness, auditors ensure that financial statements are supported by a reliable internal control environment.