1. C. Content: Test of Control: https://youtu.be/O1Mrpt6H_jg?t=37
What is a Test of Control?
When performing a SOC examination, we help our clients identify the controls they already have
or still need to implement. These controls demonstrate to their own customers that the services
they provide, and the environment those services run in, are secure. Once the controls are
identified, how do you confirm they are actually working? That is where a test of control comes
in. There are a number of different ways to confirm, or test, that a control is working. Below we
outline the five testing methods used for testing controls as part of a SOC examination.
What are the Five Types of Audit Tests?
There are five main methods to walk through and test each control in place at the service
organization. These methods include (listed in order of complexity from lowest to highest):
inquiry, observation, examination or inspection of evidence, re-performance, and computer
assisted audit technique (CAAT).
Inquiry: Put simply, the auditor asks the appropriate management and staff about the controls in
place at the service organization in order to gather relevant information. This method is
often used in conjunction with other, more reliable methods. For example, an auditor may
inquire of management whether visitors to the data center are escorted at all times if the auditor
is not able to observe this activity while on site. No control objective or criteria should
ever be supported by controls that were tested only through inquiry procedures.
Observation: Activities and operations are tested using observation. This method is
useful when there is no documentation of the operation of a control, such as observing
that a security camera is in place or observing that a fire suppression system is installed.
Examination or Inspection of Evidence: This method is used to determine whether or
not manual controls are being performed. For instance, are backups scheduled to run on a
regular basis? Are forms being filled out appropriately? This method often includes
reviewing written documentation and records such as employee manuals, visitor logs,
and system databases.
Re-performance: Re-performance (sometimes called recalculation) is used when the three
methods above, even in combination, fail to provide sufficient assurance that a control is
operating effectively; it can also be used on its own to demonstrate that a control is operating
effectively. This method of testing (along with a CAAT) is the strongest type of testing for
showing the operating effectiveness of a control. Re-performance requires the auditor to
manually execute the control, such as re-performing a calculation that a system performs
automatically in order to confirm that the system carries out the control correctly.
CAAT: This method can be used to analyze large volumes of data, or simply to analyze every
transaction rather than only a sample of them. Software is generally used to perform a CAAT,
ranging from a spreadsheet to specialized databases or software designed specifically for data
analytics (e.g. ACL).
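The re-performance and CAAT methods above are the two that a script can carry out directly. The following is an added example, not code from the original text or from any particular audit tool: it takes a constructed export of a backup job log, tests the control "a successful backup runs every day" against the entire population of days in scope (the CAAT point: every item, not a sample), and then recomputes the success rate that a backup system's dashboard might report so the auditor can compare the two figures (the re-performance point). The log format, the job names and the control wording are all assumptions made for the example.

```python
"""Full-population (CAAT-style) test of a daily backup control, plus re-performance
of a system-reported metric. Added illustration; the log data below is constructed."""
from datetime import date, timedelta

# Constructed sample export: date, job name, outcome, backup size in GB.
# Note the failed run on 03-03 (later retried) and the missing run on 03-04.
BACKUP_LOG = """\
2024-03-01,nightly-full,SUCCESS,41.2
2024-03-02,nightly-full,SUCCESS,41.5
2024-03-03,nightly-full,FAILED,0.0
2024-03-03,nightly-full,SUCCESS,41.4
2024-03-05,nightly-full,SUCCESS,41.7
2024-03-06,nightly-full,SUCCESS,41.8
2024-03-07,nightly-full,SUCCESS,41.9
"""


def parse_log(text):
    """Turn the CSV-style export into a list of records with real date objects."""
    records = []
    for line in text.strip().splitlines():
        day, job, status, size_gb = line.split(",")
        records.append({
            "date": date.fromisoformat(day),
            "job": job,
            "status": status,
            "size_gb": float(size_gb),
        })
    return records


def check_daily_backup_control(records, start_iso, end_iso):
    """Return every day in [start, end] with no SUCCESS record.

    This is the CAAT characteristic: the whole period is tested, so an exception
    cannot hide in the days a sampling approach happened not to pick.
    """
    successes = {r["date"] for r in records if r["status"] == "SUCCESS"}
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    exceptions = []
    current = start
    while current <= end:
        if current not in successes:
            exceptions.append(current.isoformat())
        current += timedelta(days=1)
    return exceptions


def reperform_success_rate(records):
    """Re-performance: recompute the job success rate from the raw records.

    A backup console typically displays this figure itself; recomputing it from
    source data lets the auditor confirm the system's own calculation.
    """
    total = len(records)
    if total == 0:
        return 0.0
    succeeded = sum(1 for r in records if r["status"] == "SUCCESS")
    return round(succeeded / total, 4)


def matches_reported(records, reported_rate, tolerance=0.0005):
    """True if the recomputed rate agrees with the figure the system reported."""
    return abs(reperform_success_rate(records) - reported_rate) <= tolerance


if __name__ == "__main__":
    recs = parse_log(BACKUP_LOG)
    print("Days without a successful backup:",
          check_daily_backup_control(recs, "2024-03-01", "2024-03-07"))
    print("Recomputed success rate:", reperform_success_rate(recs))
    # 0.8571 stands in for the value a (hypothetical) console dashboard shows.
    print("Agrees with reported 0.8571:", matches_reported(recs, 0.8571))
```

In practice the auditor would keep the exception list (here, 2024-03-04) as the test result and ask the organization for the compensating evidence, rather than concluding from the aggregate rate alone; the recomputed rate only tells you whether the system's reporting can be relied on.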
2. Audit sampling methods for tests of controls
Tests of control fall into four main categories:
Inquiry: At the first stage, auditors may ask clients to explain their control processes. Simply
inquiring about procedures qualifies as a test of control, but it provides limited evidence, so it
will need to be supplemented with additional audit sampling.
Observation: The test may involve observing a business process or transaction while it’s
happening, taking note of all relevant control elements. One example of observational audit
sampling for tests of controls would be to watch the client’s year-end inventory counting
procedures.
Reperformance: The auditor might start a new transaction to repeat the internal controls
used by the client during this process. This is considered to be one of the most reliable audit
sampling methods for tests of controls because it actively gathers direct evidence rather than
relying on observation alone.
Inspection: Tests of control involve the examination of business documents for any signs of
review. Signatures, checkmarks, and stamps are all signs that internal controls have been applied.
In this fourth category, audit sampling for tests of controls requires the inspector to look at a
random selection of documents spanning the period under review. If only a few of them show signs
of review, this indicates a weak internal control system. However, if they are all uniformly marked
with a verifying signature, this indicates effective controls.
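The inspection method above depends on how the random selection is drawn and how the findings are evaluated. As an added example, not part of the original text, the code below draws a reproducible random sample from a constructed population of documents, records which sampled documents lack a review mark, and compares the observed exception rate against a tolerable rate the auditor has set in advance. The document identifiers, the 25-item sample size and the 5% tolerable rate are assumptions chosen for the illustration; a real engagement derives sample size and tolerable rate from its sampling methodology.

```python
"""Attribute sampling for an inspection test of control. Added illustration; the
population of documents and their review marks are constructed."""
import random

# Constructed population: document id -> True if it bears a reviewer's signature/stamp.
# Every ninth document is unreviewed, giving 11 exceptions in 100 documents.
DOCUMENTS = {f"INV-{n:04d}": (n % 9 != 0) for n in range(1, 101)}


def select_sample(population_ids, sample_size, seed):
    """Draw a random sample of ids without replacement.

    A fixed seed makes the selection reproducible, so a reviewer can re-perform
    the selection step itself and confirm the same documents were examined.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(population_ids), sample_size))


def inspect_sample(sample_ids, documents):
    """Return the sampled ids that show no evidence of review (the exceptions)."""
    return [doc_id for doc_id in sample_ids if not documents[doc_id]]


def evaluate_control(exceptions, sample_size, tolerable_rate):
    """Return (observed_rate, control_effective).

    The control is judged effective only if the observed exception rate in the
    sample does not exceed the tolerable rate fixed before testing began.
    """
    observed_rate = len(exceptions) / sample_size
    return observed_rate, observed_rate <= tolerable_rate


if __name__ == "__main__":
    sample = select_sample(DOCUMENTS.keys(), sample_size=25, seed=2024)
    exceptions = inspect_sample(sample, DOCUMENTS)
    rate, effective = evaluate_control(exceptions, len(sample), tolerable_rate=0.05)
    print("Sampled:", sample)
    print("Unreviewed in sample:", exceptions)
    print(f"Observed exception rate {rate:.2%}; control effective: {effective}")
```

The evaluation uses the full sample size as the denominator even when a document is missing a mark for a benign reason; in an engagement the auditor would still document each exception and its explanation, because an unexplained exception is what drives the conclusion, not the percentage by itself.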