Tests of Controls
After the auditor obtains an understanding of internal control and identifies controls relevant to the audit, the next decision is whether to test those controls. Tests of controls are audit procedures performed to evaluate whether controls are operating effectively—that is, whether they are actually functioning as designed throughout the period under audit. The results of tests of controls directly affect the auditor's assessment of control risk and, in turn, the nature, timing, and extent of substantive procedures.
This section covers the purpose of tests of controls, when they are required versus optional, the types of tests of controls, how auditors evaluate operating effectiveness, the timing of tests, how results are used to assess control risk, the relationship between control risk and substantive testing, and dual-purpose tests.
Tests of controls are performed under AU-C 330 (AICPA) and AS 2301 (PCAOB). They are distinct from the auditor's initial understanding of internal control (which is obtained through risk assessment procedures under AU-C 315 / AS 2110). Risk assessment procedures tell the auditor what controls exist; tests of controls tell the auditor whether those controls are working.
Purpose of Tests of Controls
The purpose of tests of controls is to evaluate the operating effectiveness of controls in preventing or detecting and correcting material misstatements at the assertion level. When controls are operating effectively, the auditor can assess control risk at a level below maximum, which allows the auditor to reduce the extent of substantive procedures.
In other words, tests of controls answer the question: "Is this control actually working in practice?"
Example: Gies Co. has a policy requiring two authorized signatures on all disbursements over $10,000. The auditor's understanding of internal control identified this control as relevant to the completeness and occurrence assertions for expenses. To test whether this control is operating effectively, the auditor selects a sample of disbursements over $10,000 and inspects the supporting documentation for evidence of two signatures. This is a test of controls.
When Tests of Controls Are Required vs. Optional
Tests of controls are required in the following situations:
| Situation | Why Testing Is Required |
|---|---|
| The auditor's risk assessment assumes controls are operating effectively | If the auditor plans to rely on controls to reduce substantive testing, the auditor must test those controls to support the lower assessed level of control risk |
| Substantive procedures alone are insufficient | When the nature of the risk is such that substantive procedures alone cannot provide sufficient appropriate evidence (e.g., highly automated processes with no paper trail) |
| Integrated audit (issuers) | PCAOB standards require auditors of issuers to test controls as part of the audit of internal control over financial reporting (ICFR) under AS 2201 |
Tests of controls are optional when:
- The auditor plans to assess control risk at the maximum level and use a purely substantive approach
- The auditor determines that testing controls would not be efficient (i.e., the cost of testing controls exceeds the benefit of reduced substantive procedures)
A common CPA exam question asks: "When must the auditor test controls?" The answer is when the auditor intends to rely on controls to reduce the assessed level of control risk, or when substantive procedures alone are not sufficient to reduce detection risk to an acceptably low level. For issuer audits, testing controls is always required for the ICFR opinion.
Types of Tests of Controls
Auditors use four primary procedures to test the operating effectiveness of controls:
Inquiry
Inquiry involves asking personnel who perform or oversee the control about how it operates, how consistently it is applied, and whether exceptions have occurred. Inquiry alone is not sufficient to test operating effectiveness—it must be combined with other procedures.
Example: The auditor asks Kingfisher Industries' accounts payable clerk how she verifies that a vendor invoice matches the purchase order and receiving report before processing payment. The clerk describes the three-way matching process in detail. While informative, this inquiry alone does not provide evidence that the control is actually being performed.
Observation
Observation involves watching the control being performed. It provides evidence about how the control operates at the point in time the auditor observes it but does not provide evidence about how the control operated at other times during the period.
Example: The auditor observes the warehouse supervisor at MAS Inc. counting incoming shipments and comparing them to the packing slip before signing the receiving report. This observation provides evidence that the receiving control is being performed on the day observed.
Inspection
Inspection involves examining documents, records, or reports for evidence that a control was performed. This is often the most practical method for testing controls that leave a documentary trail.
Example: The auditor selects a sample of journal entries at BIF Partners and inspects each for evidence of supervisory approval (an authorized signature or electronic sign-off). The presence of the approval signature provides evidence that the journal entry review control operated for those specific entries.
Reperformance
Reperformance involves the auditor independently executing the control procedure to determine whether the same result is achieved. This provides the strongest evidence of operating effectiveness.
Example: Illini Entertainment has an automated control that rejects sales transactions exceeding a customer's credit limit. The auditor reperforms this control by attempting to process test transactions that exceed credit limits and verifying that the system correctly rejects them.
| Procedure | Evidence Strength | Best Used When |
|---|---|---|
| Inquiry | Lowest (must be supplemented) | Gaining understanding; always used in combination with other procedures |
| Observation | Moderate (point-in-time only) | Controls that leave no documentary evidence; physical controls |
| Inspection | Strong | Controls that produce documents or records (signatures, approvals, reconciliations) |
| Reperformance | Strongest | Automated controls; calculations; reconciliations |
Inquiry alone is never sufficient as a test of controls. It must always be supplemented with at least one other procedure (observation, inspection, or reperformance). This is a frequently tested concept on the CPA exam.
Evaluating Operating Effectiveness
After performing tests of controls, the auditor evaluates whether the controls operated effectively throughout the relevant period. Key considerations include:
- How the control was applied — Was it applied consistently, or only sporadically?
- By whom — Was the control performed by qualified, authorized individuals?
- Frequency — For controls that operate on each transaction (e.g., approvals), effectiveness is evaluated for each occurrence tested. For controls that operate periodically (e.g., monthly reconciliations), the auditor tests a sufficient number of occurrences.
- Deviations — Were there exceptions (deviations from the prescribed control)? If so, what is the rate of deviation, and does it exceed the tolerable rate?
Evaluating Deviations
A deviation occurs when a control is not performed as designed. When deviations are found, the auditor must:
- Determine the nature and cause of the deviation
- Evaluate whether the deviation is an isolated incident or indicates a systematic weakness
- Assess whether the deviation rate exceeds the tolerable deviation rate established during planning
- Determine the effect on the assessed level of control risk
Example: The auditor selects 40 purchase orders from Illini Security and tests whether each was approved by an authorized manager before the goods were ordered. The auditor finds that 3 out of 40 purchase orders lack the required approval. The auditor must evaluate whether this 7.5% deviation rate exceeds the tolerable deviation rate and whether the nature of the deviations (e.g., all three were for low-dollar supply purchases) affects the conclusion about control effectiveness.
Timing of Tests of Controls
Testing at an Interim Date
The auditor may perform tests of controls at an interim date (before year-end) and then determine whether additional evidence is needed for the remaining period (from the interim date to year-end). Factors to consider include:
- The significance of the assessed risks
- The specific controls tested and the results
- The length of the remaining period
- Whether the control environment changed during the remaining period
- Whether substantive procedures will be performed for the remaining period
Updating Tests from Prior Periods
If the auditor tested controls in a prior-year audit and found them effective, the auditor may consider whether to rely on that evidence in the current year. However:
- The auditor must test controls at least once every three years (and more frequently for higher-risk areas)
- If the control has changed, the prior-year evidence is not relevant
- The auditor should test some controls every year, rotating which controls are tested in detail
For the CPA exam, remember the rule of thumb: the auditor must test controls in the current period if the auditor plans to rely on them. Prior-year evidence can supplement but generally cannot replace current-year testing, except that the PCAOB allows a rotation approach for lower-risk controls (testing at least every third year).
Using Results to Assess Control Risk
The results of tests of controls determine the auditor's assessed level of control risk:
| Test Results | Assessed Control Risk | Effect on Substantive Testing |
|---|---|---|
| Controls are operating effectively with few or no deviations | Below maximum (low to moderate) | Substantive procedures can be reduced in nature, timing, or extent |
| Controls have some deviations but within tolerable limits | Moderate | Substantive procedures are performed at a moderate level |
| Controls have significant deviations or are not operating effectively | Maximum (or near maximum) | Substantive procedures must be expanded to compensate for the lack of control reliance |
| Controls were not tested (substantive approach) | Maximum | Full substantive procedures are required |
Example: After testing Gies Co.'s three-way matching control over accounts payable, the auditor finds no deviations in a sample of 50 transactions. The auditor assesses control risk for the existence/occurrence assertion for accounts payable at a low level and reduces the extent of substantive testing—for example, by selecting a smaller sample for vouching of disbursements.
Relationship Between Control Risk and Substantive Testing
Control risk and substantive testing have an inverse relationship. This is a core concept in audit risk:
When control risk is assessed lower (because controls are effective), the auditor can accept a higher level of detection risk, which means less extensive substantive testing is needed to achieve the desired level of audit risk.
When control risk is assessed at maximum (because controls are ineffective or not tested), the auditor must set detection risk lower, which requires more extensive substantive testing.
| Control Risk Assessment | Detection Risk | Substantive Testing |
|---|---|---|
| Low | Higher acceptable level | Less extensive |
| Maximum | Lower required level | More extensive |
Dual-Purpose Tests
A dual-purpose test is a single audit procedure that simultaneously serves as both a test of controls and a substantive test. This approach is efficient because it allows the auditor to obtain evidence about both control effectiveness and the accuracy of account balances or transactions from the same sample.
Example: The auditor selects a sample of 50 sales invoices from MSA Records. For each invoice, the auditor:
- Test of controls: Inspects whether the invoice was approved by an authorized supervisor before shipment (testing the operating effectiveness of the approval control)
- Substantive test: Verifies that the invoice amount, date, and customer agree to the shipping documents and customer order (testing the accuracy and occurrence of revenue)
Key Considerations for Dual-Purpose Tests
- The sample must be designed to meet the objectives of both tests (i.e., the sample size must be sufficient for both purposes)
- Deviations found during the test of controls portion must be evaluated separately from misstatements found during the substantive portion
- A deviation does not necessarily mean a misstatement occurred, and vice versa
- If control deviations are found, the auditor must consider whether the planned level of substantive testing remains appropriate
Dual-purpose tests save time and are commonly used in practice. On the CPA exam, remember that findings from each component must be evaluated independently. A control deviation (e.g., missing approval) is a control issue; a dollar misstatement (e.g., wrong price on the invoice) is a substantive issue. Both may be found in the same transaction but have different implications.
Summary: Tests of Controls in the Audit Process
| Step | Description |
|---|---|
| 1. Obtain understanding | Understand the entity's internal controls through risk assessment procedures (AU-C 315 / AS 2110) |
| 2. Identify relevant controls | Determine which controls are relevant to financial statement assertions |
| 3. Decide whether to test | Determine whether to rely on controls (combined approach) or use a substantive-only approach |
| 4. Design tests of controls | Select appropriate procedures: inquiry combined with observation, inspection, or reperformance |
| 5. Perform tests | Execute procedures on selected samples across the relevant period |
| 6. Evaluate results | Assess deviation rates, nature of deviations, and effect on control risk assessment |
| 7. Determine substantive response | Adjust the nature, timing, and extent of substantive procedures based on the assessed level of control risk |