Audit tests: difference between tests of control and substantive tests

Audit tests: difference between tests of control and substantive tests

control testing

In 2002, Congress passed the Sarbanes-Oxley Act, named after its sponsors Senator Paul Sabanes (D-MD) and Representative Michael G. Oxley (R-OOH-4). Almost all companies receive a yearly audit of their financial statements, such as the income statement, balance sheet, and cash flow statement. Lenders often require the results of an external audit annually as part of their debt covenants.

In June 2007, the PCAOB adopted Auditing Standard 2201 (Supersedes AS No. 5). This standard contains the standards over performing an audit of internal control over financial reporting that is integrated with an audit of financial statements.

They are more often regarded as procedures and policies that protect accounting data. Think of these controls as a type of insurance; no one wants to ever use them, but they are good to have in the event there’s an issue. External auditors follow a set of standards different from that of the company or organization hiring them to do the work. The biggest difference between an internal and external audit is the concept of independence of the external auditor.

The purpose of an internal audit is to ensure compliance with laws and regulations and to help maintain accurate and timely financial reporting and data collection. It also provides a benefit to management by identifying flaws in internal control or financial reporting prior to its review by external auditors. Internal control, as defined by accounting and auditing, is a process for assuring of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization. Precision is an important factor in performing a SOX 404 top-down risk assessment.

The auditor is normally focused mainly on internal control over financial reporting as it mater to the financial report that they are auditing. Internal control plays an important role in the prevention and detection of fraud.

External audits can include a review of both financial statements and a company’s internal controls. The auditor must test entity-level controls that are important to the auditor’s conclusion about whether the company has effective internal control over financial reporting. Depending on the auditor’s evaluation of the effectiveness of the entity-level controls, the auditor can increase or decrease the amount of testing that they will perform. Entity-level controls are internal controls that help to ensure that management directives pertaining to the entire entity are carried out.


They are the second level of a top-down approach to understanding the risks of an organization. An audit report is an appraisal of a small business’s complete financial status. Completed by an independent accounting professional, this document covers a company’s assets and liabilities, and presents the auditor’s educated assessment of the firm’s financial position and future. Audit reports are required by law if a company is publicly traded or in an industry regulated by the Securities and Exchange Commission (SEC). Companies seeking funding, as well as those looking to improve internal controls, also find this information valuable.

When audits are performed by third parties, the resulting auditor’s opinion expressed on items being audited (a company’s financials, internal controls, or a system) can be candid and honest without it affecting daily work relationships within the company. Wile believe that good inventory management is essential to accurate financial reporting.

PCAOB Auditing Standard 2201

What is test of control and substantive test?

The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.

After identifying specific financial reporting material misstatement risks, management and the external auditors are required to identify and test controls that mitigate the risks. This involves making judgments regarding both precision and sufficiency of controls required to mitigate the risks. At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls.

  • The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts.
  • They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control.

The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control.

So, the auditors reviewed the policy on inventory management to better understand the internal controls. During the review, they found ACME adopted a good practice of disposing of inventory more than 90 days old.

This audit test inspects the effectiveness of the internal controls in preventing or detecting material misstatements. Auditors may examine the design of the control to determine its potential for mitigating the risks.

Computer SecurityResource Center

The presence of material misstatements could result in receiving an adverse opinion on internal controls and a qualified opinion on the financial statements. Material misstatements are expensive to fix, and receiving an adverse or qualified opinion generally results in a drop in stock price of a publicly traded company. The Public Company Accounting Oversight Board (PCAOB) became the primary regulator of audits of publicly traded companies.

A test of the controls found no inventory in the warehouse greater than 90 days old. Entity-level controls have a pervasive influence throughout an organization. If they are weak, inadequate, or nonexistent, they can produce material weaknesses relating to an audit of internal control and material misstatements in the financial statements of the company.

The main controls in place are sometimes referred to as “key financial controls” (KFCs). Every company like to believe that its employees and management are above reproach and would never do something to harm the organization. However, it is also a wise business move to have systems in place to ensure things are running smoothly and there aren’t any issues. Internal controls are procedural measures an organization adopts to protect its assets and property. Broadly defined, these measures include physical security barriers, access restriction, locks and surveillance equipment.

A review of transactions is also part of the evaluation of effectiveness. If errors or misstatements are found during a review, it may signal to the auditor that the control is not effective. Yet, the auditor is not required to test all of those internal controls, the test of controls.

Definitions of selected entity-level controls organized into the COSO framework

What are the four types of tests of controls?

A test of controls is an audit procedure to test the effectiveness of a control used by a client entity to prevent or detect material misstatements. Auditors may examine business documents for approval signatures, stamps, or review check marks, which indicate that controls have been performed.

They may also review Information technology controls, which relate to the IT systems of the organization. The results of the internal audit are used to make managerial changes and improvements to internal controls.

Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level. The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in fraud risk assessment. Advances in technology and data analysis have led to the development of numerous tools which can automatically evaluate the effectiveness of internal controls.

For some companies, audits are a legal requirement due to the compelling incentives to intentionally misstate financial information in an attempt to commit fraud. As a result of the Sarbanes-Oxley Act (SOX) of 2002, publicly traded companies must also receive an evaluation of the effectiveness of their internal controls.