When should an audit stop at design failure instead of testing operating effectiveness?
Stop at design failure when the control is not defined well enough to test or when the design does not address the risk. Operating effectiveness testing asks whether a designed control operated as intended over time. If management cannot identify the control owner, frequency, trigger, evidence, population, and expected action, there may be no reliable operating test to perform.
In the Keystone example, suppose finance reviews cloud-tool spending only when a cost center manager asks about a charge. That informal action may help, but it does not identify all tools, classify data, confirm security review, or remove access. Internal audit can report a design gap instead of forcing a sample test that would create false precision.
The exam-friendly rule is simple: test design first. If design fails, report the design issue and recommend that management define the control before internal audit tests operating effectiveness in a later engagement.