Partners managing multiple concurrent engagements need evidence that client controls actually work before committing to reduced substantive testing. When controls prove reliable, firms can complete engagements more efficiently while maintaining audit quality. When controls fail, expanded procedures increase effort and pressure engagement budgets. These outcomes directly affect profitability, staffing decisions, and the ability to deliver engagements efficiently.
Tests of controls evaluate whether internal controls operated effectively throughout the audit period. This article covers the fundamentals of control testing methodology, practical approaches to designing and executing tests, and how modern AI capabilities are transforming control testing efficiency.
What are tests of controls?
Tests of controls answer a fundamental question: did the control actually work throughout the audit period, or just on paper? PCAOB standards establish that tests of controls evaluate how controls were applied, whether they operated consistently throughout the period, and who performed them. The evidence gathered demonstrates whether controls operated as designed.
Testing ties directly to financial statement assertions: existence, completeness, accuracy, valuation, rights and obligations, and presentation and disclosure. Before evaluating operating effectiveness, auditors first assess whether the control's design can reasonably prevent or detect misstatements under AS 2110. Once design adequacy is established, PCAOB AS 2201 requires testing to determine whether the control functioned as intended throughout the period.
SOC 2 Type II engagements carry a distinct evidence burden. Under AICPA AT-C Section 205, practitioners must demonstrate that service organization controls operated effectively over the entire examination period—point-in-time evidence is insufficient.
Why are tests of controls important?
Tests of controls support reliance decisions that directly affect audit efficiency and engagement economics. When controls are designed and operating effectively, auditors can tailor substantive procedures accordingly, reducing unnecessary testing while maintaining audit quality. PCAOB AS 2301 makes clear that these decisions must be grounded in risk assessment and professional judgment, with conclusions appropriately documented.
Effective control testing also has a measurable impact on realization. By relying on controls where appropriate, teams can limit substantive testing to areas of higher risk and avoid expanding sample sizes by default.
The efficiency benefits are most pronounced in high-volume, system-driven environments. For clients processing large volumes of transactions through automated controls, testing those controls provides coverage across the full population. Without reliance on controls, auditors must instead increase substantive sampling across the same dataset, driving additional effort without improving assurance when controls are operating as intended.
How do the main methods of testing controls work?
Professional standards require auditors to use multiple procedures when testing controls, as inquiry alone does not provide sufficient evidence of operating effectiveness. In practice, inquiry is typically supplemented with observation, inspection, re-performance, or computer-assisted techniques to support reliable conclusions.
Inquiry
Inquiry provides useful context during walkthroughs and risk assessment, but on its own offers the lowest level of evidential reliability and must be corroborated with other procedures. Use inquiry during initial risk assessment and process walkthroughs, always corroborating responses with more reliable evidence.
Observation
Observation provides real-time evidence of procedures being performed. The fundamental limitation is point-in-time coverage: observation confirms what happened when observed, not consistent operation throughout the period.
Inspection of documentation
Inspection involves examining records and documents to obtain audit evidence. External documentation (bank statements, third-party confirmations) provides higher reliability than internally generated documents. Common examples include approval signatures, system logs, reconciliation evidence, and segregation of duties matrices.
Re-performance
Re-performance delivers the highest evidence reliability because auditors independently execute control procedures. Examples include recalculating depreciation, re-performing reconciliations, or validating matching logic in accounts payable.
Computer-assisted audit techniques
Computer-assisted audit techniques can be used to test large portions, or in some cases the full population, of transactions when controls are automated and data integrity can be relied upon. When IT general controls and relevant application controls are in place, these techniques allow auditors to identify exceptions across complete datasets rather than relying solely on manual sampling.
In practice, effective control testing combines multiple evidence types, with the approach tailored to the nature of the control and the level of assurance required.
How do tests of controls differ from substantive testing?
Tests of controls evaluate whether controls work. Substantive procedures verify whether financial statement assertions are correct.
|
Dimension |
Tests of Controls |
Substantive Procedures |
|
Primary Objective |
Evaluate operating effectiveness of controls |
Detect material misstatements in account balances and transactions |
|
Focus Area |
Control processes and procedures |
Account balances, transaction classes, and disclosures |
|
Evidence Type |
Reperformance, inspection, observation of controls |
Tests of details (confirmations, vouching) and analytical procedures |
|
Timing |
Interim period with roll-forward procedures |
Year-end or near year-end |
|
Mandatory Nature |
Required for integrated audits; required when substantive procedures alone cannot provide sufficient evidence; optional when reliance on controls is part of the audit strategy |
Always required for each relevant assertion of significant accounts |
When controls are tested and found to be operating effectively, auditors may adjust the nature, timing, and extent of substantive procedures. Lower assessed control risk can support smaller substantive sample sizes and greater use of analytical procedures.
Substantive procedures, however, remain required for each relevant assertion of significant accounts. Reliance on controls can reduce the amount of substantive testing performed, but it does not eliminate the need for substantive evidence altogether.
When should you use tests of controls in an audit?
The decision to test controls depends on engagement type, client environment, and audit strategy. Some situations mandate controls testing; others make it a strategic choice. For example, PCAOB AS 2201 requires integrated audits of public companies to test both design and operating effectiveness. There's no option to skip controls testing in these engagements. SOC 2 Type II engagements similarly mandate controls testing to demonstrate that controls functioned throughout the examination period.
For other engagement types, testing controls is permitted but not required as part of the audit strategy. In environments with high transaction volumes, automated processing, or complex system calculations, reliance on substantive procedures alone may not provide sufficient evidence, making control testing a practical necessity rather than a formal requirement.
Even when not explicitly required, testing controls often represent a choice that can reduce overall audit effort without compromising quality. Revenue recognition controls, accounts payable three-way matching, and payroll processing represent environments where testing systematic controls offers clear efficiency advantages over expanding substantive samples. The key question: will relying on controls reduce overall audit effort while maintaining quality?
Standards also permit interim controls testing with rollforward procedures. PCAOB Practice Alert No. 11 on AS 2201 establishes that firms can test important controls earlier in the engagement and update through year-end: a practical approach for managing workload during busy season.
How are tests of controls evolving with AI and automation?
AI use in audit expanded significantly in the mid-2020s, with many audit and advisory firms moving beyond experiments toward more routine use in selected workflows. This shift extends beyond large firms. The Journal of Accountancy reports that firm leaders view AI tools as important for improving audit efficiency and quality. CPA.com's 2025 Report confirms that AI-powered tools now handle data processing, documentation review, pattern recognition, and preliminary risk flagging; though professional judgment remains essential for complex assessments and final conclusions.
How to design an effective test of controls step by step
Designing effective control tests requires systematic methodology addressing risk assessment, population definition, sample sizing, execution, and conclusion formation. Follow these six sequential steps to design tests that provide sufficient appropriate evidence.
1. Identify risk and control objective
Effective control testing begins with a clear link between the control and the assertion it is intended to address, such as completeness of revenue or accuracy of expense recognition. The control attribute being tested must be clearly defined, along with explicit deviation conditions that represent control failures. Precisely document what constitutes a control deviation.
2. Define population and sampling unit
Define the audit period, sampling unit (invoices, journal entries, authorization documents), and ensure all items subject to the control are included per the AICPA Audit Sampling Guide.
3. Determine sample size
Sample size balances risk and efficiency. The AICPA Audit Sampling Guide advises auditors to use professional judgment in setting acceptable risk of overreliance, tolerable deviation rate, and expected population deviation rate. While sample size recommendations may sometimes follow frequency-based heuristics in practice, the Guide does not prescribe specific sample sizes or ranges; instead, it encourages calculation or documentation of rationale to achieve appropriate confidence levels.
4. Execute testing procedures
Perform planned procedures on each selected item. Per PCAOB AS 2315, properly voided items may be replaced while missing documentation generally constitutes deviations.
5. Evaluate deviations and reach conclusion
Calculate the sample deviation rate by dividing deviations found by sample size tested. For statistical sampling, the AICPA Audit Sampling Guide provides tables as a convenient way to calculate the upper deviation limit, but also allows other valid statistical methods or software.
If the upper deviation limit exceeds the tolerable rate, the sample results do not support concluding that the population deviation rate is at or below the tolerable rate, and the auditor should further evaluate control reliance. Assess the nature of each deviation (intentional versus unintentional), the cause (systemic versus isolated), and financial statement risks created.
6. Update risk assessments
Evaluate deficiency severity under PCAOB AS 2201: control deficiencies exist when design or operation does not prevent or detect misstatements timely; significant deficiencies merit attention by those charged with governance; material weaknesses create reasonable possibility that material misstatements will not be prevented or detected timely.
Modernize control testing with Fieldguide
Traditional control testing often requires significant manual effort to extract evidence, map documentation to control attributes, and track deviations across samples. Fieldguide helps audit and advisory teams automate these workflows while preserving firm methodology and professional judgment.
Firms using Fieldguide have demonstrated measurable efficiency gains. UHY reported a 20–30% reduction in engagement completion time, with evidence review and test procedure creation reduced from hours to minutes. By embedding automation directly into control testing workflows, teams can scale testing capacity, improve consistency, and focus more time on risk assessment and conclusions rather than administrative effort.
Amanda Waldmann
Increasing trust with AI for audit and advisory firms.
