Once an internal auditor confirms that internal controls are adequately designed, the next step is to assess their effectiveness. This means determining whether the controls are functioning as intended, consistently applied, and performed by competent personnel. Auditors seek evidence that the control activities—such as approvals, reconciliations, and segregation of duties—are operating effectively over time.
-
In the revenue cycle, internal controls must ensure that revenue is recognized only when earned, properly authorized, accurately recorded, and fully collected. One common control is the three-way match (triangulation) between the sales order, shipping document, and invoice, which ensures that revenue is recorded only for goods actually ordered and delivered.
-
Effectiveness Testing includes:
-
Observation – Watching staff perform control procedures (e.g., invoice generation after shipping confirmation)
-
Reperformance – Auditor redoes a control process to verify accuracy
-
Inspection – Reviewing documents for approvals, timestamps, or signatures
-
Inquiry – Asking staff how procedures are carried out and who performs them
-
-
Practical Example:
The internal auditor at a retail distribution company evaluates the effectiveness of revenue-related controls. A tabulation of findings is shown below:Assertion Potential Misstatement Internal Control Audit Test for Effectiveness Occurrence Revenue recorded for undelivered goods System requires shipping confirmation before billing Inspect system logs for timestamped confirmations Accuracy Invoice amounts incorrectly calculated System auto-calculates invoice based on sales order Reperform invoice calculation for sample items Authorization Sales processed without credit approval Credit limit approval required for all new customers Inspect signed approvals in system/records Completeness Some shipments not invoiced System alerts for shipped-but-not-billed items Observe alert reports and follow-up procedures -
The auditor finds that although controls are well-designed, credit approvals are sometimes skipped during system downtime and handled manually without documentation. This reveals an operational control weakness.
-
By testing effectiveness, internal auditors ensure that internal controls are not only present but functioning consistently and reliably, thereby reducing the risk of material misstatements in the revenue cycle.