AUD CPA Practice Questions: Testing Automated and Manual Controls


In this video, we walk through 5 AUD practice questions on testing automated and manual controls. These questions are from AUD content area 2 on the AICPA CPA exam blueprints: Assessing Risk and Developing a Planned Response.

The best way to use each video is to pause each time we get to a new question in the video, and then make your own attempt at the question before watching us go through it.


Testing Automated and Manual Controls

In an audit, evaluating transaction-level internal controls is crucial to assessing the design and implementation of controls that prevent errors and fraud. This includes testing automated and manual controls, segregation of duties, physical and logical controls, and reconciliations.

Automated vs. Manual Controls

Automated Controls

Automated controls are system-driven and enforce rules without human intervention. These controls are ideal for high-volume, repetitive processes where standardization improves efficiency and reduces errors.

Examples of Automated Controls:

  • A system prevents duplicate invoice entries, rejecting any attempt to enter the same invoice number twice.
  • A purchase order system requires approval above a certain threshold, ensuring compliance with company policies.
  • A payroll system automatically flags employees without approved hours, preventing unauthorized payments.

Testing Automated Controls:

Auditors test automated controls by:

  • Attempting to bypass the system (e.g., entering duplicate transactions to see if the system rejects them).
  • Reviewing system logs to confirm that the control is consistently enforced.
  • Inspecting configuration settings to ensure controls are correctly designed and cannot be easily overridden.

Manual Controls

Manual controls involve human judgment and are often necessary for non-routine transactions where system rules alone may not be sufficient. These controls require intervention, such as reviewing documents, authorizing transactions, or performing reconciliations.

Examples of Manual Controls:

  • A manager approves expense reports, ensuring they comply with company policies before reimbursement.
  • A supervisor reviews contracts for legal risks before signing.
  • A cashier manually counts cash at the end of the day, verifying the register balance.

Testing Manual Controls:

Auditors test manual controls by:

  • Reviewing documentation (e.g., signed approvals or review notes).
  • Observing control execution to see if employees follow procedures correctly.
  • Interviewing personnel to verify their understanding of the control process.

Segregation of Duties (SoD): Preventing Fraud and Errors

Segregation of duties (SoD) ensures that no single person has too much control over a financial process. This prevents fraud by requiring multiple people to initiate, approve, and review transactions.

Examples of Segregation of Duties Violations:

  • A payroll clerk can both process payroll and approve transactions, allowing them to issue unauthorized payments.
  • An accountant records journal entries and performs bank reconciliations, enabling them to hide fraudulent transactions.
  • A procurement employee can create vendors and process payments, making it easy to pay a fake vendor.

Testing for SoD Issues:

Auditors test for SoD failures by:

  • Reviewing access logs to see who can perform conflicting tasks.
  • Testing transactions to see if the same person is initiating and approving payments.
  • Interviewing employees to determine if duties are properly segregated.

Best Practice: Even in temporary situations, such as when an employee is on leave, duties should not be combined without adding compensating controls like secondary approvals.
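
The first two SoD tests above (reviewing who can perform conflicting tasks, and checking whether the same person initiates and approves payments) can be run over exported data. The following is an added example, not part of the original post; the permission names, users and payment records are constructed sample data, and the conflicting pairs mirror the violation examples listed above.

```python
# Conflicting duty pairs, modelled on the violation examples in this section.
# Permission names are hypothetical labels, not taken from any real system.
CONFLICTS = [
    ("process_payroll", "approve_payroll"),
    ("record_journal_entry", "perform_bank_reconciliation"),
    ("create_vendor", "process_payment"),
]

# Constructed sample export: user -> permissions granted.
ACCESS = {
    "alice": {"process_payroll", "approve_payroll"},
    "bob": {"record_journal_entry"},
    "carol": {"create_vendor", "process_payment", "record_journal_entry"},
    "dave": {"perform_bank_reconciliation"},
}

# Constructed sample payment log:
# (payment id, initiator, approver, secondary approver or None)
PAYMENTS = [
    ("P-1001", "bob", "dave", None),
    ("P-1002", "carol", "carol", None),
    ("P-1003", "alice", "alice", "dave"),
    ("P-1004", "carol", None, None),
]

def access_conflicts(access, conflicts=CONFLICTS):
    """List every (user, duty_a, duty_b) where one user holds both duties."""
    return sorted(
        (user, a, b)
        for user, perms in access.items()
        for a, b in conflicts
        if a in perms and b in perms
    )

def payment_exceptions(payments):
    """Flag payments with no approver or with the initiator as approver."""
    findings = {}
    for pid, initiator, approver, secondary in payments:
        if approver is None:
            findings[pid] = "missing approval"
        elif approver == initiator:
            # A different secondary approver is the compensating control.
            if secondary and secondary != initiator:
                findings[pid] = "self-approved, compensated by secondary approval"
            else:
                findings[pid] = "self-approved"
    return findings
```
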

Physical and Logical Controls: Protecting Assets and Data

Physical Controls

Physical controls restrict unauthorized access to assets, preventing theft and misuse.

Examples:

  • Keycard access to inventory storage prevents unauthorized employees from taking stock.
  • Security cameras in cash-handling areas discourage theft.
  • Locked filing cabinets for sensitive documents reduce the risk of unauthorized viewing.

Logical Controls

Logical controls protect digital assets and sensitive data from unauthorized access.

Examples:

  • Role-based system access prevents unauthorized employees from viewing payroll records.
  • Multi-factor authentication (MFA) ensures only authorized users can log in.
  • Firewalls and encryption protect data from cyber threats.

Testing Physical and Logical Controls:

Auditors test these controls by:

  • Inspecting access logs to see if unauthorized users attempted access.
  • Attempting to access restricted areas or data (with proper authorization).
  • Reviewing system settings to confirm access restrictions are properly configured.

Reconciliations: A Key Detective Control

While preventative controls stop errors before they happen, reconciliations act as detective controls, identifying issues after transactions occur.

Common Reconciliations:

  • Bank reconciliations ensure that cash records match bank statements.
  • Accounts payable reconciliations identify duplicate or fraudulent vendor payments.
  • Inventory reconciliations confirm that physical inventory matches accounting records.

Testing Reconciliations:

Auditors test reconciliations by:

  • Reviewing reconciliation reports to ensure they are performed regularly.
  • Checking for unexplained discrepancies and how they were resolved.
  • Observing employees performing reconciliations to verify accuracy.

Example: If an employee misdirects customer payments to their personal account, a reconciliation of cash receipts to bank deposits would catch the issue by identifying missing deposits.
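
The reconciliation in the example above can be sketched as a matching routine. This is an added example, not part of the original post; the receipts, deposits, and the 3-day deposit lag are constructed assumptions, and the matching rule (equal amount, deposited within the lag window) is one simple choice among several.

```python
from datetime import date
from decimal import Decimal

# Constructed sample data: cash receipts ledger (id, date received, amount).
RECEIPTS = [
    ("R-01", date(2024, 3, 1), Decimal("1200.00")),
    ("R-02", date(2024, 3, 1), Decimal("450.50")),
    ("R-03", date(2024, 3, 4), Decimal("980.00")),
    ("R-04", date(2024, 3, 5), Decimal("450.50")),
]

# Constructed sample data: bank statement deposits (id, date posted, amount).
DEPOSITS = [
    ("D-11", date(2024, 3, 2), Decimal("1200.00")),
    ("D-12", date(2024, 3, 4), Decimal("450.50")),
    ("D-13", date(2024, 3, 6), Decimal("450.50")),
    ("D-14", date(2024, 3, 7), Decimal("75.00")),
]

def reconcile(receipts, deposits, max_lag_days=3):
    """Match each receipt to one unused deposit of equal amount posted
    0..max_lag_days after the receipt date (assumed tolerance).

    Returns (matched pairs, receipts with no deposit, deposits with no receipt).
    """
    unused = sorted(deposits, key=lambda d: d[1])
    matched, missing = [], []
    for rid, rdate, amount in sorted(receipts, key=lambda r: r[1]):
        hit = next(
            (d for d in unused
             if d[2] == amount and 0 <= (d[1] - rdate).days <= max_lag_days),
            None,
        )
        if hit is None:
            missing.append(rid)  # recorded as received, never reached the bank
        else:
            unused.remove(hit)   # each deposit can clear only one receipt
            matched.append((rid, hit[0]))
    return matched, missing, [d[0] for d in unused]
```

Receipts left in the second list are the missing deposits the example describes; deposits left in the third list have no recorded receipt and also need an explanation.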

Final Thoughts

Testing the design and implementation of internal controls ensures that a company’s financial processes are reliable and secure. Auditors assess automated and manual controls, segregation of duties, physical and logical protections, and reconciliations to determine whether they effectively prevent or detect errors and fraud. By understanding these principles, auditors can provide valuable insights into improving a company’s control environment.
