Test of Control and Substantive Testing in Audit Procedure
- Nhung Nguyen
- 5 days ago
- 6 min read
Updated: 5 days ago
Introduction
Auditing is fundamentally about obtaining sufficient and appropriate evidence to support an auditor’s opinion on financial statements. To achieve this objective, auditors perform various audit procedures designed to assess risks and gather evidence.
Two of the most important categories of audit procedures are Tests of Control and Substantive Testing. Understanding the differences between these procedures is essential because they directly influence audit planning, audit efficiency, and the level of assurance provided.
This article explains what Tests of Control and Substantive Testing are, how they differ, and how auditors use them during the audit process.
Understanding Audit Risk and Audit Procedures
Before discussing testing procedures, it is important to understand why auditors perform them.
Auditors face various risks, including:
Risk of material misstatement
Fraud risk
Control failures
Human errors
Financial reporting inaccuracies
Audit procedures are designed to reduce audit risk to an acceptably low level.
Generally, auditors respond to risks using:
Risk assessment procedures
Tests of controls
Substantive procedures
What is Test of Control?
Tests of Control are procedures performed to evaluate whether internal controls implemented by management are operating effectively.
Simply put:
Test of Control answers the question:
"Can auditors rely on the company’s internal controls?"
If controls function effectively, auditors may reduce the amount of substantive testing required.
Objectives of Tests of Control
The primary objectives include:
Assess whether controls exist
Determine whether controls are properly designed
Verify whether controls operate effectively
Evaluate consistency of control performance
Effective controls reduce the likelihood of material misstatements.
Examples of Internal Controls Auditors Test
Common controls tested include:
Authorization Controls
Examples:
Purchase approvals
Payment approvals
Management authorization
Segregation of Duties
Examples:
Different employees perform authorization and recording functions
Separation between cash handling and accounting
Reconciliation Controls
Examples:
Bank reconciliations
Inventory reconciliations
Account reconciliations
IT Controls
Examples:
User access restrictions
Password controls
System change approvals
Methods Used in Tests of Control
Auditors commonly perform:
Inquiry
Asking employees how controls operate.
Example:
Interviewing accounting staff regarding approval procedures.
Observation
Watching employees perform control activities.
Example:
Observing inventory count procedures.
Inspection
Reviewing documents and evidence.
Example:
Examining signed approval documents.
Reperformance
Independently executing controls.
Example:
Recalculating approval thresholds.
What is Substantive Testing?
Substantive Testing refers to procedures performed to detect material misstatements directly in financial statement balances, transactions, and disclosures.
Simply put:
Substantive Testing answers the question:
"Are the financial statement figures actually correct?"
Unlike Tests of Control, substantive testing focuses directly on financial information.
Objectives of Substantive Testing
Substantive procedures aim to:
Detect material errors
Identify fraud indicators
Verify account balances
Confirm transaction accuracy
Support audit conclusions
Types of Substantive Testing
Substantive procedures generally fall into two categories.
1. Substantive Analytical Procedures
Auditors analyze relationships between financial information.
Examples:
Comparing current year revenue to previous years
Gross margin analysis
Trend analysis
Ratio analysis
These procedures identify unusual fluctuations requiring investigation.
2. Tests of Details
Tests of details involve directly examining supporting evidence.
Examples include:
Cash Testing
Bank confirmations
Bank reconciliations
Cash count verification
Accounts Receivable Testing
Customer confirmations
Invoice inspection
Aging analysis
Inventory Testing
Physical inventory counts
Cost testing
Pricing verification
Revenue Testing
Sales invoice examination
Contract review
Cut-off testing
Key Differences Between Test of Control and Substantive Testing
Aspect | Test of Control | Substantive Testing |
Purpose | Evaluate effectiveness of controls | Detect material misstatements |
Focus | Internal processes and controls | Financial statement balances |
Main Question | Are controls reliable? | Are figures accurate? |
Timing | Throughout audit period | Often near period-end |
Outcome | Determine reliance on controls | Obtain direct audit evidence |
Relationship Between Tests of Control and Substantive Testing
These procedures are interconnected.
Scenario 1: Strong Internal Controls
If controls operate effectively:
Lower control risk
Reduced substantive testing
Greater audit efficiency
Scenario 2: Weak Internal Controls
If controls fail:
Higher control risk
Increased substantive testing
Larger sample sizes
More detailed procedures
Auditors rarely eliminate substantive procedures completely, even when controls are strong.
Example: Revenue Audit
Consider a company with sales approval controls.
Step 1: Test Controls
Auditors verify:
Sales approvals exist
Credit checks are performed
Management authorization works
If controls pass:
Auditors may reduce transaction testing.
Step 2: Perform Substantive Testing
Auditors still perform:
Revenue cut-off testing
Invoice inspection
Customer confirmations
This combination provides sufficient audit evidence.
Advantages and Limitations
Test of Control Advantages
Improves audit efficiency
Reduces unnecessary testing
Evaluates system reliability
Limitations
Controls may be bypassed
Human errors remain possible
Controls may appear effective but fail occasionally
Substantive Testing Advantages
Provides direct evidence
Detects actual misstatements
Supports audit opinion strongly
Limitations
Time-consuming
More costly
Larger samples may be required
Modern Audit Trends
Modern audits increasingly rely on:
Data analytics
Continuous auditing
Automated control testing
AI-assisted sampling
ERP-integrated audit tools
Technology is changing how both Tests of Control and Substantive Testing are performed.
Best Practices for Auditors
Effective auditors typically:
Understand business processes thoroughly
Perform proper risk assessments
Balance efficiency with sufficient evidence
Document procedures carefully
Maintain professional skepticism
The goal is not simply completing procedures—but obtaining reliable evidence.
Conclusion
Tests of Control and Substantive Testing are two fundamental components of audit procedures. While Tests of Control focus on evaluating whether internal controls operate effectively, Substantive Testing directly verifies the accuracy of financial information.
Neither approach works effectively in isolation.
A successful audit combines both procedures appropriately based on risk assessment, control effectiveness, and professional judgment. Understanding how these procedures interact allows auditors to perform more efficient audits while maintaining audit quality and reliability.
Source: Internet
Take away Quiz:
What is the primary objective of performing a Test of Control in an audit?
A.
To determine if the financial statement figures are mathematically accurate.
B.
To evaluate the effectiveness of the internal processes implemented by management.
C.
To provide a direct opinion on the valuation of the company's total assets.
D.
To identify all instances of fraud within the organization's payroll department.
Which of the following is an example of a control related to the 'Segregation of Duties'?
A.
The manager reviews the bank reconciliation at the end of every month.
B.
The same employee is responsible for both handling cash and recording the transaction in the ledger.
C.
Employees are required to use complex passwords that expire every 90 days.
D.
One employee authorizes a purchase while a different employee records the transaction in the accounting system.
An auditor decides to watch a client's staff perform their annual physical count of warehouse stock. Which method of testing control is being used?
A.
Inspection
B.
Reperformance
C.
Inquiry
D.
Observation
How does substantive testing differ from a test of control?
A.
Substantive testing evaluates the design of the internal control system.
B.
Substantive testing focuses on internal processes, while tests of control focus on account balances.
C.
Tests of control are only performed if substantive testing fails to provide enough evidence.
D.
Substantive testing is performed to detect material misstatements in financial information.
Which of the following would be classified as a Substantive Analytical Procedure?
A.
Comparing the current year's gross margin percentage to the prior year's percentage.
B.
Recalculating the depreciation expense for the year to ensure the math is correct.
C.
Sending a confirmation letter to a customer to verify their outstanding balance.
D.
Checking if a sales manager signed off on a high-value customer invoice.
If an auditor identifies that a company's internal controls are weak, what is the most likely impact on the audit plan?
A.
The auditor will increase the extent of substantive testing and use larger sample sizes.
B.
The auditor will rely entirely on the risk assessment procedures and issue an opinion immediately.
C.
The auditor will decrease the amount of substantive testing to save time.
D.
The auditor will eliminate tests of details and only perform analytical procedures.
In the context of a cash audit, which procedure is considered a 'test of details'?
A.
Inquiring if the petty cash box is kept in a locked drawer.
B.
Evaluating if the company has a policy for mandatory vacations for accounting staff.
C.
Obtaining and reviewing bank confirmations directly from the financial institution.
D.
Observing the cashier as they process a customer's payment.
What is a known limitation of relying on Tests of Control?
A.
They are significantly more time-consuming than substantive testing in every scenario.
B.
They cannot be used in audits of companies that use IT systems.
C.
Controls may be bypassed by management or fail due to human error.
D.
They provide too much direct evidence about misstatements.
During a revenue audit, why might an auditor perform 'cut-off testing' as a substantive procedure?
A.
To determine if the IT system's password complexity meets industry standards.
B.
To confirm that the sales manager has the authority to sign contracts.
C.
To verify that credit checks were performed for all new customers.
D.
To ensure that transactions are recorded in the correct accounting period.
Which of the following scenarios describes the auditor's 'reperformance' of a control?
A.
The auditor independently calculates the interest expense to see if it matches the client's automated calculation.
B.
The auditor reviews the list of employees who have access to the payroll system.
C.
The auditor asks the IT manager to explain how user access is granted.
D.
The auditor watches the warehouse manager lock the gates at the end of the day.
Comments