The audit process: (T) test
Following on from the basic checks, other areas to be selected should be identified using the results of the initial interview, in conjunction with the Sift report, matters arising from the visit preparation and your judgement and experience. These are known as ‘credibility checks’ and are the ‘in depth’ tests that confirm compliance, such as the trader’s system of control is credible, or reveal the extent of non-compliance.
The amount and type of testing will depend on your evaluation of the system being audited. If the trader’s system has independent internal controls (for example, independent of the registered trader) it may be sufficient to test that the controls are working. This is more likely in the larger traders where systems based audit is appropriate. In the majority of small traders there will be few if any independent controls. Officers will then need to decide whether credibility checks, or detailed transaction testing, will give them assurance that the identified risks have been addressed.
The Finance Act 2008 Sch36 Part 3 allows compliance officers to make extracts from, or take copies or remove the stored data.
In practice, accessing the trader’s system for the removal of data requires knowledge of the system involved and how to operate it. Therefore, it is sensible that you should request that the trader does this for you. You must not attempt to inspect the operation of, or gain access to, a computer system unless you are an ‘authorised person’. Only an ‘authorised person’ has the power to obtain access to computer equipment, or inspect and check its operation. If you are not an ‘authorised person’ then you must seek the assistance of an authorised person - see CH218400.