Substantive Procedures vs Tests of Controls in an Audit
In any financial audit, auditors deploy two distinct testing methods: substantive procedures examine whether account balances and transactions are materially correct; tests of controls evaluate whether the company’s internal controls actually prevent or detect misstatement. The balance between them shifts based on how much the auditor trusts management’s control environment.
Substantive Procedures: Testing the Numbers
Substantive procedures directly examine the financial statements themselves. An auditor picking a random sample of accounts-receivable transactions will confirm them with customers, verify the invoices match sales orders, and ensure amounts are recorded in the correct accounting period. Substantive work is detective—it finds mistakes, omissions, or fraud after the fact.
Examples include:
- Recalculating the depreciation schedule and verifying the accumulated-depreciation balance
- Confirming accounts-payable balances by sending letters to suppliers
- Inspecting inventory count sheets and testing the pricing of items in inventory
- Vouching revenue-recognition transactions to shipping documents and customer contracts
- Testing the mathematical accuracy of the balance sheet and income statement
Substantive procedures are the bedrock of audit evidence. They provide direct proof that a number is right or wrong. If an auditor finds that an accounts-receivable customer balance is overstated, that is substantive evidence of a misstatement. The auditor doesn’t need to trust any control—the number itself is the test.
Because substantive procedures are mandatory and give conclusive evidence, auditors always perform them, though the extent varies.
Tests of Controls: Verifying Prevention and Detection
Tests of controls examine the systems, policies, and people that are supposed to keep the numbers clean in the first place. An auditor testing controls over accounts-payable might:
- Observe whether the accounts payable clerk obtains a purchase order before processing a vendor invoice
- Verify that a manager’s signature appears on a sample of check copies, confirming approval occurred
- Rerun the automated matching routine that flags invoices not matched to a purchase order and receipt
- Interview the controller about the segregation of duties (one person requests, another approves, a third pays)
Tests of controls are preventive or detective—they ask: “Did the controls that are supposed to work actually work?” Control tests don’t find the misstated amount; they find whether the control that should have caught it was operating.
Auditors document the design and operating effectiveness of controls. A design test asks, “Does this control exist and make sense?” An operating test asks, “Did it actually run as designed during the period?” A strong operating result—a manager’s signature on 100% of check samples—gives the auditor confidence that weak invoices were unlikely to slip through.
The Audit Risk Model and Control Reliance
The audit-risk model is foundational: Audit Risk = Inherent Risk × Control Risk × Detection Risk. Auditors can’t eliminate all risk, but they can manage the mix.
- Inherent risk: Is the account inherently error-prone? Inventory and revenue recognition carry high inherent risk; a bank account carries low inherent risk.
- Control risk: Are the company’s controls strong enough to prevent or catch misstatement?
- Detection risk: How much testing does the auditor need to do to catch what controls might miss?
If an account has low inherent risk and management has strong controls, the auditor can accept higher detection risk—that is, less detailed substantive testing. The auditor can take a smaller sample or skip certain procedures.
If control risk is high (weak controls, poor segregation of duties, or frequent override by management), the auditor must lower detection risk—more sampling, more confirmation, more vouching. This is the trade-off: strong controls allow the auditor to test less at the substantive level.
Practical Example: Revenue Testing
Suppose an auditor is testing a $50 million revenue balance.
Scenario A: Strong Controls
- Tests of controls show that the sales order, shipment, and invoice are all matched by an automated system; a manager reviews exceptions weekly; no manual overrides were found in the sample.
- Auditor concludes control risk is low.
- Auditor performs substantive procedures on a smaller sample—perhaps 30 transactions—and focuses on unusual items (very large sales, sales to related parties).
Scenario B: Weak Controls
- Tests of controls reveal no formal sales order requirement; manager approval is sporadic; invoices and shipments are not automatically reconciled.
- Auditor concludes control risk is high.
- Auditor must test a larger substantive sample—perhaps 100+ transactions—and tests every transaction above a threshold. The auditor might even reanalyze the journal entries for suspicious round-number patterns or test the revenue cutoff at period end in detail.
In Scenario A, the auditor relies on controls to reduce substantive scope. In Scenario B, controls provide little comfort, so the auditor does the work themselves.
When Tests of Controls Are Mandatory or Optional
Auditors of public-company financial statements under the SEC or PCAOB standards must test the effectiveness of internal controls over financial reporting (ICFR). This is a parallel audit—one for the financial statements, one for the control environment itself. Tests of controls are mandatory.
For private companies or non-public entities, tests of controls are conditional. If the auditor’s risk assessment suggests control reliance will save time, they test. If the auditor intends to do a substantive-only audit (testing the account balances directly without relying on controls), they may skip control testing.
Limitations of Each Approach
Substantive procedures are thorough but slow and expensive. Testing all 500 invoices in accounts-payable takes weeks. Testing a sample of 50 is faster but carries sampling risk—you might miss a systematic error in the untested 450.
Tests of controls are efficient if controls work but offer false comfort if they are bypassed. Management can override controls (a CEO approves a fraudulent expense without scrutiny). Automated controls can fail silently if no one reviews their output. A control that was strong in January might be broken by March if a key person leaves.
Auditors protect against both by combining evidence: strong control test results reduce but do not eliminate substantive testing. Substantive evidence of a misstatement proves the control failed to prevent or detect it.
See also
Closely related
- Internal Controls — design and documentation of control systems
- Balance Sheet — primary target of substantive testing
- Income Statement — revenue and expense assertions tested
- Accounts Receivable — common audit focus area
- Accounts Payable — another high-volume audit area
Wider context
- Generally Accepted Accounting Principles — basis for control design and audit assertion
- Financial Statement Audit — the audit process overall
- Audit Risk Model — how auditors balance risk and evidence
- Risk Assessment — early planning step in audit