Browse Auditing and Attestation (AUD)

Choosing Between Tests of Controls and Substantive Procedures

Feb 7, 2025

How auditors decide whether evidence should come from control testing, substantive testing, or both.

On this page

Audit evidence is not gathered by performing every possible procedure. The auditor designs a response to assessed risks, then chooses the mix of tests of controls and substantive procedures that will provide sufficient appropriate evidence for each relevant assertion.

The AUD exam often tests this decision as a planning and evidence question. If the auditor plans to rely on controls, the controls must be tested. If controls are ineffective, not relevant, or not tested, the auditor usually increases substantive procedures. Even when controls are strong, substantive procedures are still required for material classes of transactions, account balances, and disclosures.

    flowchart TD
	    A["Assess risk of material misstatement"] --> B{"Plan to rely on controls?"}
	    B -- "No" --> C["Design primarily substantive procedures"]
	    B -- "Yes" --> D["Test design and operating effectiveness"]
	    D --> E{"Controls effective?"}
	    E -- "Yes" --> F["Use reliance strategy and adjust substantive extent"]
	    E -- "No" --> G["Revise risk assessment and expand substantive work"]
	    C --> H["Evaluate whether evidence is sufficient"]
	    F --> H
	    G --> H

The Core Difference

Tests of controls evaluate whether a control is designed and operating effectively. Substantive procedures look directly for material misstatements in amounts, transactions, or disclosures.

Procedure type Primary question Examples Evidence focus
Test of controls Did the control operate effectively? Inspect approval evidence, observe segregation of duties, reperform a reconciliation Control design and operation
Test of details Is this transaction, balance, or disclosure misstated? Confirm receivables, inspect invoices, recalculate depreciation Direct evidence about amounts and assertions
Substantive analytical procedure Does a recorded amount make sense compared with an expectation? Compare gross margin, payroll per employee, or interest expense to independent expectations Plausibility of recorded amounts

A control test may support lower control risk. A substantive procedure supports the auditor’s conclusion about whether the financial statements are materially misstated. The two categories can work together, but they answer different questions.

When Tests of Controls Matter

An auditor tests controls when the audit strategy depends on control reliance or when standards require control testing. In an integrated audit of an issuer, the auditor must test internal control over financial reporting because the engagement includes an opinion on ICFR. In a financial statement audit of a nonissuer, the auditor may choose to test controls if reliance is efficient and appropriate.

Controls testing is more likely when:

  • The control is relevant to a material assertion.
  • The control is expected to be designed effectively.
  • The control operates frequently enough to be tested.
  • The entity has reliable documentation or electronic evidence of performance.
  • Substantive procedures alone would be inefficient or insufficient.
  • The auditor needs evidence about operating effectiveness for an integrated audit or reliance strategy.

Testing controls does not mean the auditor can ignore substantive work. It means the auditor may reduce the extent, change the timing, or adjust the nature of substantive procedures if the control evidence supports the planned reliance.

When Substantive Procedures Carry the Audit

Substantive procedures become the main response when controls are weak, informal, not relevant, not tested, or not operating effectively. They are also central for high-risk estimates, unusual transactions, significant nonroutine entries, and areas where management bias may affect recognition or valuation.

Common reasons to emphasize substantive procedures include:

Condition Audit consequence
Controls are poorly designed Do not rely on them; obtain direct evidence from transactions and balances
Controls fail operating-effectiveness testing Revise control risk upward and expand substantive procedures
Entity is small and controls are informal Use substantive work unless controls can still be evaluated and tested reliably
Significant fraud risk exists Add targeted substantive procedures and unpredictable elements
Year-end balance is highly judgmental Test assumptions, source data, and management’s estimate directly

Substantive procedures include both tests of details and substantive analytical procedures. Tests of details are usually stronger for existence, rights, occurrence, accuracy, and valuation. Substantive analytical procedures are stronger when the auditor can build a precise expectation from reliable independent data.

How the Mix Changes

The auditor does not choose between controls and substantive procedures once for the whole audit. The mix changes by assertion and account.

Assertion or risk Likely evidence mix
Revenue occurrence with strong automated approval controls Test relevant controls, then perform targeted substantive procedures near cutoff and unusual entries
Inventory existence in a warehouse with weak count controls Observe physical inventory and perform expanded substantive count procedures
Payroll completeness in a stable system with strong HR controls Test access and change controls, then perform analytical and selected detail procedures
Complex fair value estimate Use substantive procedures over assumptions, models, source data, and specialist evidence
Cash existence Confirmation and bank reconciliation testing remain important even if controls are strong

The stronger exam answer usually links the procedure to the assessed risk. A generic statement such as “perform more audit work” is weaker than “increase substantive testing of year-end manual revenue entries because cutoff and occurrence risk are elevated.”

Documentation and Reassessment

The audit file should show why the evidence mix was appropriate. The auditor documents the assessed risks, controls selected for testing, the nature and extent of testing, results, and any changes to planned substantive procedures.

If control testing identifies deviations, the auditor considers:

  • Whether the deviation is isolated or systemic.
  • Whether the control failed for the entire period or only part of it.
  • Whether compensating controls exist and were operating.
  • Whether the risk assessment should be revised.
  • Whether additional substantive procedures are needed.
  • Whether control deficiencies should be communicated.

Testing is iterative. Evidence obtained during fieldwork can change the plan.

Exam Traps

Do not choose an answer that says strong controls eliminate substantive procedures. Some substantive procedures are required for material areas.

Do not choose an answer that says inquiry alone is enough to test operating effectiveness. Inquiry can support understanding, but control testing usually needs inspection, observation, reperformance, or system-generated evidence.

Do not assume a reliance strategy is always more efficient. If controls are weak, difficult to test, or unrelated to the assertion, substantive procedures may be the better response.

Quick Review

  • Tests of controls evaluate design and operating effectiveness.
  • Substantive procedures detect material misstatements in amounts and disclosures.
  • Reliance on controls requires control testing.
  • Ineffective controls usually increase substantive work.
  • The evidence mix is designed by assertion, risk, and audit objective.

Controls vs. Substantive Procedures Knowledge Quiz

### Why does an auditor perform tests of controls? - [ ] To directly confirm every account balance with third parties - [x] To evaluate whether controls are designed and operating effectively - [ ] To eliminate the need for substantive procedures - [ ] To replace the auditor's risk assessment > **Explanation:** Tests of controls evaluate design and operating effectiveness; they do not directly prove financial statement amounts. ### What is the main purpose of substantive procedures? - [ ] To determine whether the audit committee is independent - [ ] To test whether every employee understands company policy - [x] To detect material misstatements in transactions, balances, and disclosures - [ ] To determine the audit fee > **Explanation:** Substantive procedures provide direct evidence about possible misstatements. ### If an auditor plans to rely on controls, what must the auditor do? - [ ] Accept management's description of the controls - [ ] Perform only analytical procedures - [x] Test the relevant controls for operating effectiveness - [ ] Eliminate all tests of details > **Explanation:** Control reliance must be supported by evidence that the controls operated effectively. ### What is the likely audit response when control testing identifies a systemic deviation? - [ ] Keep the original plan unchanged - [x] Revise the risk assessment and expand or modify substantive procedures - [ ] Issue an adverse opinion immediately - [ ] Stop testing the related account > **Explanation:** A systemic control failure usually increases control risk and requires a revised audit response. ### Which procedure is a test of controls? - [ ] Confirming accounts receivable balances with customers - [ ] Recalculating depreciation expense - [x] Inspecting purchase orders for evidence of required approval - [ ] Comparing gross margin to prior-year expectations > **Explanation:** Inspecting approval evidence tests whether an authorization control operated. ### Which procedure is a substantive test of details? - [ ] Observing whether an employee performs a control - [x] Vouching recorded sales transactions to shipping documents - [ ] Asking management whether controls changed - [ ] Reviewing the design of an approval workflow > **Explanation:** Vouching recorded transactions to support directly tests occurrence and accuracy. ### Which statement about strong controls is correct? - [ ] Strong controls remove the need for any substantive procedures - [ ] Strong controls automatically eliminate fraud risk - [ ] Strong controls make documentation optional - [x] Strong controls may allow the auditor to reduce the extent of some substantive procedures > **Explanation:** Effective controls may support reduced substantive extent, but some substantive work remains necessary. ### Why might an auditor choose a primarily substantive approach? - [ ] The auditor wants to ignore assessed risk - [x] Controls are informal, weak, not relevant, or not tested - [ ] The client has requested a shorter audit - [ ] Substantive procedures are prohibited for nonissuers > **Explanation:** If controls cannot support reliance, the auditor obtains evidence directly from substantive procedures. ### Inquiry alone is usually insufficient to test operating effectiveness because: - [ ] Inquiry is never allowed in an audit - [ ] Inquiry always proves fraud - [x] It does not show that the control actually operated as described - [ ] It is useful only for tax engagements > **Explanation:** Inquiry should usually be combined with inspection, observation, reperformance, or other evidence. ### In an integrated audit of an issuer, controls testing is required because: - [x] The auditor reports on internal control over financial reporting as well as the financial statements - [ ] The auditor is not allowed to perform substantive procedures - [ ] Management chooses all audit procedures - [ ] Confirmations are prohibited for issuers > **Explanation:** Integrated audits include an opinion on ICFR, so control testing is part of the engagement objective.
Revised on Monday, June 15, 2026
Audit Sampling