An auditor wishes to evaluate the design and perform tests of controls over a client’s cash disbursements procedures. If the controls leave no audit trail of documentary evidence, the auditor most likely will test the procedures by
Observation and inquiry.
When the auditor obtains an understanding of controls relevant to the audit, (s)he performs risk assessment procedures to obtain evidence about their design and implementation. These procedures may include (1) inquiries, (2) observations of the application of the controls, (3) inspection of documents and reports, and (4) tracing transactions through the financial reporting system. Although risk assessment procedures and tests of controls differ, they may use the same types of procedures. Thus, the auditor may decide that it is efficient to test operating effectiveness and evaluate design and implementation at the same time. Furthermore, some risk assessment procedures may provide evidence about operating effectiveness. For example, the auditor may (1) inquire about the use of budgets, (2) observe comparison of budgets and actual results, and (3) inspect reports on the investigation of variances (AU-C 330 and AS No. 13). In the absence of documentary evidence, the auditor performs observation and inquiry procedures and traces transactions through the system.