Para 2.1.14 — MSO (Audit)
Original Rule Text
2.1.14 Various steps involved in compliance testing are as follows;
(i) The first step in actually conducting a compliance test will be to identify the sub-system in which the controls are to be tested. For example, if the Customs Department is to be audited, one of the sub-systems could be 'Assessment of Duty'.
(ii) The next step will be to identify the control objectives for each sub-system. For example, the control objective for the sub-system 'Assessment of Duty' could be that the tariff applied for the purpose is an approved one in accordance with the Customs Act.
(iii) The third step will be to identify the key controls that have been established to achieve the control objective for the sub-system. There may be several controls for achieving each control objective. However, because of constraints of time and resources, it may not be possible for Audit to test every one of these controls. Audit should, therefore, identify initially the key or important control for each control objective. Continuing the earlier example, one of the controls for achieving the objective mentioned at
(ii) above could be that the staff engaged in assessment work should be imparted refresher training at least once in three years. Audit may decide that this is not a key control and instead identify the stipulation that the Assessment Supervisor should test check at least 20 per cent of the assessments made by the assessment staff as a key control.
(iv) In addition, evidence gathering techniques like review of documents, review of performance, physical observation or interviews will be used to test check whether the key control function as envisaged has been achieved.
Based on the results of the test check, the auditor will arrive at a conclusion whether the controls are reliable and the extent of their reliability. If necessary, the auditor may also indicate loopholes in the internal control systems and suggest what additional controls could be introduced to remove such loopholes.
# B. Analytical Review
What This Means
Compliance testing follows four steps: (1) identify the sub-system to test (e.g., 'Assessment of Duty' in Customs), (2) identify the control objective for that sub-system (e.g., correct tariff application), (3) identify the key controls that achieve that objective (focus on the most important ones due to time constraints), and (4) use evidence-gathering techniques to verify whether the key control actually works. Based on results, the auditor concludes on control reliability and may suggest improvements.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- 1Step 1: Identify the sub-system to be tested
- 2Step 2: Identify control objectives for each sub-system
- 3Step 3: Identify key controls (most important ones, due to resource constraints)
- 4Step 4: Test key controls using evidence-gathering techniques
- 5Auditor concludes on control reliability and suggests improvements if needed
- 6Focus on key controls, not every single control — practical resource optimization
Practical Example
In auditing the Customs Department's 'Assessment of Duty' sub-system, the auditor identifies that the key control is the Assessment Supervisor's mandatory 20% test-check of assessments (rather than staff training frequency). The auditor then reviews the supervisor's test-check register, interviews the supervisor, and verifies a sample to determine if this key control is actually functioning — finding, for example, that only 8% of assessments were actually test-checked.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Frequently Asked Questions
Why test only key controls and not all controls?▼
What happens after compliance testing reveals weak controls?▼
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.