CPA AUDITING & ATTESTATION (AUD) • PERFORMING FURTHER PROCEDURES AND OBTAINING EVIDENCE

Tests Of Controls — Perform Tests Of Control Effectiveness

Evaluating whether an entity's internal controls operate effectively to reduce assessed risks of material misstatement.

SECTION 1

Historical Context & Motivation

The practice of testing internal controls did not emerge overnight; it evolved over more than a century of auditing practice driven by corporate scandals, regulatory responses, and the increasing complexity of business operations. Early audits in the late nineteenth and early twentieth centuries were largely substantive in nature—auditors verified every transaction or a large proportion of them, focusing on the detection of fraud and clerical errors. As organizations grew in scale, a purely substantive approach became impractical, pushing the profession to develop a more risk-based methodology that recognized the role of internal controls as a gatekeeper against material misstatement.

The motivation behind testing controls is fundamentally economic and analytical: if the auditor can demonstrate that well-designed controls are operating effectively, the nature, timing, and extent of substantive procedures can be reduced, yielding a more efficient and focused audit. Conversely, if controls are unreliable, the auditor must expand substantive testing to compensate. Understanding this interplay is central to the modern risk-based audit model codified in professional standards such as AU-C Section 330 and PCAOB AS 2301.

1947: AICPA Tentative Statement on Auditing Standards
The AICPA formally recognized the importance of studying and evaluating internal controls as a basis for determining the scope of audit testing, marking the first institutional acknowledgment that controls influence audit procedures.

1988: SAS No. 55 — Internal Control in a Financial Statement Audit
Statement on Auditing Standards No. 55 introduced a structured framework for understanding internal control components, requiring auditors to obtain a sufficient understanding of internal control to plan the audit and assess control risk.

1992: COSO Internal Control — Integrated Framework
The Committee of Sponsoring Organizations published a comprehensive framework that became the de facto standard for designing, implementing, and evaluating internal controls, providing auditors a common language for assessing control effectiveness.

2002: Sarbanes-Oxley Act (SOX)
In response to the Enron and WorldCom scandals, SOX mandated that management of public companies assess and report on the effectiveness of internal controls over financial reporting (ICFR), and auditors of such companies must attest to that assessment under PCAOB standards.

2010–2020: Clarified Auditing Standards & PCAOB Modernization
The AICPA issued the clarified Statements on Auditing Standards (AU-C sections), while the PCAOB updated its auditing standards (including AS 2201 and AS 2301), refining guidance on performing and documenting tests of controls in both integrated and financial-statement-only audits.

The central question that tests of controls address is straightforward yet consequential: Are the entity's internal controls operating effectively throughout the relevant period such that the auditor can rely on them to reduce the assessed risk of material misstatement at the assertion level? Answering this question requires a disciplined methodology—one that specifies what evidence to gather, how much to gather, and how to evaluate deviations. The sections that follow provide a thorough treatment of that methodology.

SECTION 2

Core Principles & Definitions

Before diving into the mechanics of performing tests of controls, it is essential to establish the foundational concepts that underpin this area of auditing. A test of controls is an audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. The auditor performs tests of controls in two situations: first, when the auditor's risk assessment includes an expectation that controls are operating effectively (i.e., the auditor intends to rely on controls); and second, when substantive procedures alone are insufficient to provide sufficient appropriate audit evidence at the assertion level.

1. Operating Effectiveness

Operating effectiveness refers to whether a control was applied consistently and as designed by qualified personnel throughout the period under audit. A control that is well-designed but inconsistently applied does not provide reliable assurance.

2. Nature of Tests of Controls

Tests of controls typically consist of inquiry (alone is insufficient), observation, inspection of documents, and reperformance. The auditor selects the type—or combination of types—that provides the most persuasive evidence for the specific control being tested.

3. Timing of Tests

The auditor must consider whether controls operated throughout the entire period of reliance. Interim testing may be performed, but the auditor must then obtain evidence about significant changes in controls during the remaining period and determine what additional testing is needed.

4. Extent (Sample Size)

The extent of testing depends on the desired level of assurance, the expected deviation rate, and the tolerable deviation rate. Greater reliance on a control requires a larger sample and a lower tolerable deviation rate, driving the sample size upward.

5. Evaluation of Deviations

Deviations from the prescribed control procedure are analyzed both quantitatively (deviation rate vs. tolerable rate) and qualitatively (nature and cause of the deviation). Even a single deviation may be significant if it indicates a systematic control failure.
✦ KEY TAKEAWAY
Think of an internal control like a quality-control checkpoint on a manufacturing line. A test of controls is analogous to an independent inspector visiting the factory, watching the checkpoint operators work, pulling samples of already-inspected products, and re-inspecting them. If the inspector finds that the checkpoint consistently catches defects, fewer end-of-line inspections (substantive procedures) are needed. But if the checkpoint operators are skipping steps or missing defects, the inspector must escalate to a full end-of-line review. The auditor's role mirrors that independent inspector.
SECTION 3

Visual Explanation — The Tests of Controls Decision Framework

[Figure: Tests of Controls — Decision & Execution Framework]

1. Risk Assessment Phase: Plan to rely on controls (assess control risk below maximum)?
   NO: Substantive procedures only
   YES: continue to 2
2. Design Tests of Controls (Nature • Timing • Extent): Inquiry + Corroboration; Observation of Application; Inspection of Documents; Reperformance of the Control
3. Execute & Evaluate Results: Deviation rate vs. Tolerable deviation rate
   Deviation ≤ Tolerable: Controls Effective, reduce substantive testing
   Deviation > Tolerable: Controls Not Effective, increase substantive testing
4. Document conclusions → Impact on audit opinion

This flowchart traces the auditor's decision process from risk assessment through the design, execution, and evaluation of tests of controls, culminating in the impact on the nature and extent of substantive procedures.

The diagram above illustrates the complete lifecycle of a tests-of-controls engagement. At the top, during the risk assessment phase, the auditor determines whether to rely on controls. If the answer is no—perhaps because the entity is small with limited segregation of duties—the auditor proceeds directly to substantive procedures. If the answer is yes, the auditor designs tests of controls by selecting the appropriate nature (inquiry, observation, inspection, reperformance), timing (interim versus year-end), and extent (sample size) of the tests. After execution, the observed deviation rate is compared against the tolerable deviation rate to determine whether the controls may be considered effective.

SECTION 4

How It Works — Nature, Timing, and Extent of Tests of Controls

Nature of Tests of Controls

The nature of a test of controls refers to the type of audit procedure employed. Auditing standards identify four primary procedures, and the persuasiveness of evidence generally increases as one moves from inquiry to reperformance. Inquiry consists of asking knowledgeable personnel how a control is performed; while essential for obtaining an understanding, inquiry alone is never sufficient to support a conclusion on operating effectiveness. Observation provides evidence about the application of a control at a point in time—for example, watching a bank reconciliation reviewer initial a document—but its limitation is that behavior may change when the subject is not being observed. Inspection of documents (such as verifying that a purchase order bears an authorized signature) provides evidence that a control was applied to a specific transaction. Reperformance is the most persuasive: the auditor independently executes the control procedure and compares the result to what the client obtained, such as re-footing an invoice and matching it to the approved price list.

Timing of Tests of Controls

The timing of tests of controls addresses when the testing is performed relative to the period of reliance. If the auditor tests controls at an interim date, the auditor must obtain evidence about the nature and extent of any significant changes in internal control that occurred subsequent to the interim period. The auditor bridges the gap between the interim testing date and the period-end by performing additional procedures—such as extending the sample to cover the remaining period, making inquiries about changes, or performing walkthrough procedures. A critical consideration is that the longer the remaining period after interim testing, the more additional evidence is needed. Furthermore, under PCAOB standards for integrated audits, the auditor generally tests controls close enough to the 'as of' date (fiscal year-end) that the conclusions remain relevant.

Extent of Tests of Controls — Sample Size Determination

The extent of testing is primarily a question of sample size. In attribute sampling for tests of controls, the auditor determines sample size based on the desired confidence level (typically 90% or 95%), the tolerable deviation rate (TDR), and the expected population deviation rate (EPDR). The relationship among these variables can be expressed conceptually and, in practice, is operationalized through attribute sampling tables or formulas.

ATTRIBUTE SAMPLING — SAMPLE SIZE APPROXIMATION
n = (R × (1 − EPDR)) / (TDR − EPDR)² [simplified conceptual form]
Where n = required sample size, R = reliability factor (from Poisson distribution tables; e.g., R ≈ 3.0 for 95% confidence with 0 expected deviations), TDR = tolerable deviation rate, and EPDR = expected population deviation rate. In practice, auditors typically use AICPA attribute sampling tables rather than computing the formula directly.
PRACTICAL SAMPLE SIZE (POISSON-BASED)
n = R / TDR [when EPDR = 0]
When the expected deviation rate is zero, the formula simplifies dramatically. For example, at 95% confidence (R = 3.0) with a 5% TDR: n = 3.0 / 0.05 = 60 items. At 90% confidence (R = 2.3) with a 10% TDR: n = 2.3 / 0.10 = 23 items. These results align closely with standard AICPA sample size tables.
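
The reliability factors quoted above can be derived rather than looked up: R is the Poisson mean at which the probability of seeing at most k deviations equals 1 − confidence. The following is an added example, not part of the original page; the function names are assumptions, and the "2 deviations in 100 items" case is constructed for illustration.

```python
import math


def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam)."""
    term = math.exp(-lam)
    total = term
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return total


def reliability_factor(confidence, deviations=0):
    """Solve poisson_cdf(deviations, R) = 1 - confidence for R by bisection.

    The CDF falls as R rises, so the root is bracketed by [0, deviations + 50].
    """
    target = 1.0 - confidence
    lo, hi = 0.0, deviations + 50.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if poisson_cdf(deviations, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def sample_size(r, tdr):
    """n = R / TDR (expected deviation rate of zero), rounded up to whole items."""
    # round() first so float noise such as 22.999999999999996 cannot shift the result
    return math.ceil(round(r / tdr, 6))


def upper_deviation_rate(deviations, n, confidence):
    """Upper limit on the population deviation rate implied by a sample result."""
    return reliability_factor(confidence, deviations) / n


if __name__ == "__main__":
    # Factors cited on the page: 95%/0 deviations, 90%/0 deviations, 90%/3 deviations
    for conf, k in [(0.95, 0), (0.90, 0), (0.90, 3)]:
        print(f"confidence={conf:.0%} deviations={k} R={reliability_factor(conf, k):.4f}")

    # Sample sizes using the table-rounded factors the page uses (3.0 and 2.3)
    print("n at 95%, TDR 5%: ", sample_size(3.0, 0.05))
    print("n at 90%, TDR 10%:", sample_size(2.3, 0.10))

    # Constructed evaluation case: 2 deviations in a sample of 100 at 95% confidence
    print(f"upper deviation rate: {upper_deviation_rate(2, 100, 0.95):.2%}")
```
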
⚠️ Inquiry Alone Is Never Sufficient
A common exam pitfall: inquiry of client personnel, standing alone, does not constitute a sufficient test of operating effectiveness of controls. The auditor must always corroborate inquiry with at least one other procedure—observation, inspection, or reperformance—to form a valid conclusion about whether a control is operating effectively.
SECTION 5

Types of Controls and Testing Approaches

Not all controls are tested the same way. The nature of the control—whether it is a manual control, an automated (IT) control, or a hybrid—significantly affects how the auditor designs and calibrates the test. Furthermore, controls operate at different frequencies (daily, weekly, monthly, quarterly, annually), and the frequency determines both the population size and the appropriate sample size.

Control Types × Testing Approach Matrix

Manual Controls
• Performed by people
• Subject to human error
• Require larger samples
Testing: Inquiry + Inspection or Reperformance; sample of 25–60+ items typical
Example: Manager reviews journal entries & initials

Automated (IT) Controls
• Performed by software
• Consistent execution
• Test once + IT GCs
Testing: Test 1 instance + verify IT General Controls (change mgmt, access, ops)
Example: System rejects PO if amt > $10,000 w/o

IT-Dependent Manual
• System generates report
• Human reviews/acts
• Both aspects tested
Testing: Test report accuracy (IT) + sample review actions (manual)
Example: Aging report reviewed for bad debts

Frequency-Based Sample Size Guidance

Frequency | Population Size | Typical Sample | Rationale
Many/day | Thousands+ | 25–60+ | Large population
Weekly | 52 | 5–15 | Moderate pop.
Monthly | 12 | 2–5 | Small pop.
Quarterly | 4 | 2 | Test ≥ half
Annually | 1 | 1 | Test the instance

The matrix above classifies controls by type (manual, automated, IT-dependent manual) and shows the corresponding testing approach. The lower table illustrates how control frequency directly influences the typical sample size, ranging from the full population for annual controls to 25–60+ items for high-volume daily controls.

A key distinction in practice concerns automated controls. Because software executes identically every time (absent a code change), the auditor can test a single instance of the control and rely on that result for the entire period—provided the IT general controls (ITGCs) that govern change management, logical access, and computer operations are also tested and found to be effective. If ITGCs are not effective—for example, if unauthorized changes could have been made to application code—the auditor cannot rely on the consistency assumption and must treat the automated control with greater skepticism, possibly expanding testing or reverting to substantive procedures.

SECTION 6

Worked Example — Designing and Evaluating a Test of Controls

Consider the following scenario: An auditor is performing the annual audit of Apex Manufacturing, Inc. for the fiscal year ended December 31, 20X4. During risk assessment, the auditor identified that the company processes approximately 15,000 purchase orders per year. A key control over the completeness and authorization of purchases is that the purchasing manager reviews and approves each purchase order above $500 before it is transmitted to the vendor. The auditor plans to rely on this control and assess control risk below maximum for the purchasing/payables cycle.

Testing the Purchase Order Approval Control at Apex Manufacturing

Step 1 — Identify the Control and Relevant Assertion

The control is the purchasing manager's review and approval of purchase orders exceeding $500. The relevant assertion is authorization (occurrence/existence). The auditor must determine whether the control operated effectively throughout the year ended December 31, 20X4.
Assertion: Authorization of purchase transactions

Step 2 — Determine the Nature of the Test

Because this is a manual control that leaves documentary evidence (the manager's initials or electronic signature on the PO), the auditor selects inspection of documents as the primary test, supplemented by inquiry of the purchasing manager to understand the process. The auditor will inspect each sampled purchase order for evidence of the manager's approval before the order was transmitted to the vendor.
Nature: Inquiry + Inspection of purchase orders

Step 3 — Determine the Timing

The auditor plans to perform interim fieldwork in October 20X4 and final fieldwork in February 20X5. Controls will be tested over the period January 1 through September 30 at interim. During final fieldwork, the auditor will inquire about changes to the purchasing process for October through December and extend the sample to cover the remaining period, selecting additional items from the last three months of the year.
Timing: Interim (Jan–Sep) with rollforward testing (Oct–Dec)

Step 4 — Determine the Extent (Sample Size)

The auditor sets the confidence level at 95% (risk of assessing control risk too low = 5%), the tolerable deviation rate at 5%, and the expected population deviation rate at 0% based on prior-year results. Using the simplified formula n = R / TDR with R = 3.0: n = 3.0 / 0.05 = 60. The auditor selects 45 POs from the interim period (January–September) and 15 POs from the rollforward period (October–December), for a total sample of 60 items drawn randomly from the population of approximately 15,000 POs exceeding $500.
Extent: 60 purchase orders (45 interim + 15 rollforward)

Step 5 — Execute the Test and Evaluate Results

Upon inspection, the auditor finds that 59 of the 60 purchase orders bear the purchasing manager's approval prior to transmission. One PO in the interim period lacks any evidence of approval. The observed deviation rate is 1/60 = 1.67%. The auditor investigates the nature of the deviation: the specific PO was for $525 and was processed by a temporary employee during the manager's vacation, and it was subsequently approved upon the manager's return. The auditor evaluates this deviation qualitatively—it represents a one-time substitution of personnel rather than a systematic control failure. Because the observed deviation rate of 1.67% is below the 5% tolerable deviation rate, and the qualitative analysis suggests no pervasive breakdown, the auditor concludes the control operated effectively and maintains the planned reduction in substantive testing for the purchasing cycle.
Conclusion: Observed deviation rate (1.67%) < TDR (5%) → Controls effective; planned reliance is supported
SECTION 7

Strengths, Limitations, and Comparisons

Tests of controls occupy a specific and consequential niche in the audit process. Their value lies in their ability to provide evidence about the reliability of the client's internal processes, which in turn shapes the entire audit strategy. However, they also carry inherent limitations that the auditor must understand and manage. The table below summarizes the principal strengths and limitations.

Strengths and limitations of tests of controls across key audit dimensions
Dimension | Strengths | Limitations
Audit Efficiency | Effective controls allow significant reduction in the nature, timing, and extent of substantive procedures, saving time and cost. | If controls are not effective, the time spent on tests of controls is wasted, and additional substantive testing must still be performed.
Evidence Quality | Reperformance and inspection provide persuasive evidence about whether controls operated throughout the period. | Observation provides only point-in-time evidence. Inquiry alone is insufficient. Controls without documentary evidence are harder to test.
Sampling Risk | Statistical and nonstatistical sampling methods provide structured, defensible bases for drawing conclusions from samples. | Sample results may not be representative of the population. The risk of assessing control risk too low (Type II error) can lead to under-auditing.
IT Controls | Automated controls offer consistency and may be tested with very small samples (even one instance) if ITGCs are effective. | Reliance on automated controls depends on effective ITGCs. A failure in change management or access controls can invalidate the entire testing basis.
Management Override | Well-designed controls with segregation of duties reduce the opportunity for fraud and misstatement. | Controls cannot fully prevent management override of controls. The auditor must always perform certain substantive procedures (e.g., journal entry testing) regardless of control effectiveness.
✦ KEY TAKEAWAY
Tests of controls and substantive procedures are complementary, not substitutes. Even when controls test as effective, certain substantive procedures are mandatory—particularly for significant risks, journal entry testing (per AU-C 240), and assertions where controls alone cannot provide sufficient evidence. Think of it like a dual-factor authentication system: the control test is the first factor, and the substantive test is the second. Both contribute to the auditor's overall level of assurance, and neither alone is always sufficient.
SECTION 8

Connection to Advanced Theory — Integrated Audits and Rotational Testing

For students preparing for the AUD section of the CPA exam, it is important to understand how tests of controls in a standard financial statement audit relate to the more comprehensive requirements of an integrated audit under PCAOB standards (applicable to issuers, or public companies). In an integrated audit, the auditor simultaneously expresses an opinion on the financial statements and on the effectiveness of internal control over financial reporting (ICFR) as of year-end. This dual objective significantly elevates the importance and rigor of tests of controls.

Comparison of tests of controls in financial statement audits vs. integrated audits
Dimension | Financial Statement Audit (AU-C 330) | Integrated Audit (PCAOB AS 2201 / AS 2301)
Objective | Obtain evidence that controls are operating effectively to justify reduced substantive testing | Obtain evidence sufficient to opine on the effectiveness of ICFR as of year-end, in addition to the financial statement opinion
When Required | Tests of controls are optional; the auditor may choose a purely substantive approach | Tests of controls are mandatory for all significant accounts and relevant assertions
Timing | Interim testing is common; rollforward evidence bridges to period-end | Controls must be tested as of the reporting date; some testing must be close to year-end
Extent | Sample size varies based on planned reliance and tolerable deviation rate | Generally more extensive testing; every significant process requires control testing regardless of the substantive approach
Rotational Testing | Not specifically addressed; reliance on prior-year results is limited by the need for current-period evidence | Permitted for less-significant controls in multi-location audits, but significant controls must be tested every year

An additional advanced concept is the notion of rotational testing and benchmarking of automated controls. Under PCAOB guidance, if an automated application control has been tested in a prior year and the relevant ITGCs (particularly change management controls) have been tested and found effective in the current year, the auditor may reduce the extent of direct testing of the automated control. This concept of benchmarking allows the auditor to accumulate evidence about automated controls over multiple audit periods, recognizing that software behaves consistently absent deliberate changes. This efficiency gain is one of the principal benefits of IT-dependent audit approaches and is increasingly relevant as entities automate more of their financial processes.

📝 CPA Exam Tip
On the AUD exam, questions frequently test whether you can distinguish between a financial statement audit (where tests of controls are optional) and an integrated audit (where they are mandatory). Remember: under AU-C 330, the auditor may choose a substantive-only approach. Under PCAOB AS 2201, testing of controls is required because the auditor must opine on ICFR effectiveness. Know which standard framework the question is referencing.
SECTION 9

Practice Problems

PROBLEM 1 — CONCEPTUAL
An auditor plans to rely on the operating effectiveness of a client's control over credit approval for new customers. The control requires that a credit analyst review each new customer application, verify the customer's credit history, and sign the application before the customer is approved. Which of the following is true regarding the auditor's approach to testing this control? (A) Inquiry of the credit analyst alone is sufficient to conclude on operating effectiveness. (B) The auditor must use inquiry in combination with at least one other procedure such as inspection or reperformance. (C) Observation of the credit analyst performing the review is sufficient for the entire period. (D) Tests of controls are unnecessary if the auditor plans to perform substantive procedures over receivables.
PROBLEM 2 — BASIC CALCULATION
An auditor sets the confidence level at 95% (reliability factor R = 3.0), the tolerable deviation rate (TDR) at 6%, and the expected population deviation rate (EPDR) at 0%. Using the simplified Poisson-based formula n = R / TDR, what is the required sample size for the test of controls?
PROBLEM 3 — INTERMEDIATE
An auditor tested a sample of 40 disbursement transactions to determine whether the accounts payable supervisor reviewed and approved each payment before processing. The auditor found 3 deviations. The tolerable deviation rate was set at 5%. The auditor established a 90% confidence level (reliability factor for 3 deviations at 90% confidence ≈ 6.68). Calculate the upper deviation rate and explain whether the auditor should rely on this control.
PROBLEM 4 — APPLIED
Ridgeline Corp. is a publicly traded company subject to an integrated audit under PCAOB standards. The company uses an automated three-way matching control in its ERP system that matches purchase orders, receiving reports, and vendor invoices before authorizing payment. The control was tested and found effective in the prior-year audit. In the current year, the auditor confirmed that IT general controls (change management, logical access, computer operations) are effective, and there were no changes to the application's matching logic. Describe the auditor's approach to testing this automated control in the current year, and explain the concept of 'benchmarking' in this context.
PROBLEM 5 — CRITICAL THINKING
Consider the following scenario: During the interim phase (January through September), an auditor tested a monthly management review control over the bank reconciliation process and found zero deviations in a sample of 4 out of 9 monthly reconciliations. During rollforward testing for the remaining period (October through December), the auditor found that in November, the CFO who normally performs the review was out on medical leave and no one was assigned to perform the reconciliation review. Analyze how this deviation affects the auditor's overall conclusion about control effectiveness for the full year, and discuss what additional procedures, if any, the auditor should consider.
SUMMARY

Summary — Tests of Controls: Performing Tests of Control Effectiveness

Tests of controls are audit procedures performed to evaluate the operating effectiveness of an entity's internal controls in preventing, or detecting and correcting, material misstatements at the assertion level. The auditor designs these tests by considering three dimensions: the nature of the procedure (inquiry, observation, inspection, or reperformance—with inquiry alone never sufficient), the timing (interim testing with rollforward procedures or testing near period-end), and the extent (sample size determined by the tolerable deviation rate, expected deviation rate, and desired confidence level). The simplified Poisson-based formula n = R / TDR provides a practical starting point when zero deviations are expected.

After execution, the auditor compares the observed deviation rate against the tolerable deviation rate and performs both quantitative and qualitative analysis of any deviations found. For automated controls, testing a single instance may suffice if IT general controls are effective, and benchmarking may reduce retesting in subsequent years. In an integrated audit under PCAOB standards, tests of controls are mandatory because the auditor must opine on the effectiveness of ICFR. Regardless of the audit type, the results of tests of controls directly influence the nature, timing, and extent of substantive procedures—effective controls allow for reduced substantive testing, while control failures require expanded substantive work to maintain the overall level of audit assurance.

Varsity Tutors • CPA Auditing & Attestation (AUD) • Tests Of Controls — Perform Tests Of Control Effectiveness