Test of controls - F8

Test of control (TOC) or compliance testing is an audit procedure that aims to test whether the company's internal control systems are operating effectively. It is performed if auditors perceive that the internal controls of the company are strong. If the result of TOC is that the internal controls are really strong, then auditors can perform less work later (probably rely more on substantive analytical procedure rather than test of details).

In exam, TOC is required when the question asks for procedures on the "systems", do not suggest substantive procedure. Again, suggesting TOC is a common sense thing. From the previous article on audit procedures, I have explained about AEIOU + CR, they can be useful as TOC. When you are asked to describe the procedure, you can extend your sentence by adding "to ensure that..." as this will be the control objectives (we do TOC to ensure that control objectives are being achieved by the internal controls). I will provide a number of examples below but you should not aim to remember the procedures. What you should do is to identify the internal controls and then suggest TOC to test these internal controls.

Inventory system

Stocktake (counting inventory) - TOC can be "observe the count teams, ensuring that they are counting in accordance with the clients inventory count instructions". Auditors can also "make test count to ensure that the counting team does not make mistake during the count". A test count means that auditors will count a sample of inventory and compare to the amount counted by the staff.
Authorisation of inventory movements - TOC can be "inspect the authorisation letter to ensure that it is signed by the personnel with the authority to prepare it".

Sales system

Recording of sales transaction - TOC can be "inspect numerical sequence of sales invoices as any breaks will mean that invoices are missing and so sales not recorded correctly".
Discount is given to certain customers - TOC should be "review a sample of sales invoices for evidence of authorisation of discount allowed".

Purchases system

Authorisation of purchase - TOC can be "examine a sample of purchase order to ensure that they have been appropriately authorised".
Control on goods inwards - TOC can be "inspect a sample of GRN to confirm that stores inwards staff sign for goods received.

Cash system

Prompt banking - TOC can be "review bank statement for evidence of frequent banking of cash".
Bank reconciliation - TOC can be "reperform bank reconciliation to ensure that the bank reconciliation is properly done".

Payroll system

Tax is deducted correctly from salary - TOC can be "for a sample of employees' monthly pay, recalculate the amount to be paid as tax to ensure that correct amounts are paid to taxation authorities".
Recording of payroll expenses - TOC can be "for a sample of amounts paid for payroll, match to entries in general ledger to ensure that gross and net pay have been recorded correctly".

The company's internal controls may be SPAM SOAP (a mnemonic for internal controls), the purpose of TOC is to obtain sufficient appropriate audit evidence that these SPAM SOAP are running effectively. Auditors will reperform TOC when the company's internal control systems have changed and at least once in every 3 audits.

One of the common reasons for failure in F8 is the failure to distinguish between TOC and substantive procedure. I hope that you now have better idea of their differences. Suggesting TOC is a matter of audit common sense, just think of how to test whether the internal controls are running well and write down the procedures. Your procedures must be logically so always imagine yourself doing TOC.