Internal controls can serve two purposes: to protect a business from accounting fraud, asset loss, or similar failures of financial reporting; and to assure that the business meets regulatory compliance obligations.
An audit evaluates the accuracy of a company’s financial statements and the effectiveness of its system of internal controls, seeking to identify control weaknesses. Audits typically include some form of substantive testing, which tests for material misstatements and errors. These substantive audit procedures review, test, and analyze a company’s financial records.
Substantive testing is a type of audit that looks for flaws in financial records. These tests are required as proof to back up the claim that a company’s financial records are comprehensive, valid, and accurate.
What Is Substantive Testing?
Substantive testing is known as the phase of an audit where the auditor gathers samples to identify any material misstatements in the client’s accounting records or other information. This proof is required to support the judgment that a company’s financial records are complete, relevant, and accurate.
Substantive audit procedures provide evidence about the truth of each material assertion in the financial statements. On the other hand, tests may also reveal monetary errors or misstatements in the recording or presentation of transactions and balances.
Substantive testing is performed according to Generally Accepted Auditing Standards (GAAS). These standards require the auditor to understand the controls relevant to the audit, and to assess whether those controls are designed effectively to prevent (or at least detect and correct) material misstatements that may appear in the financial statements.
The Goal of Substantive Testing
The main goal of substantive testing is to provide reasonable assurance about the validity and correctness of financial reporting, or to identify material misstatements. Substantive procedures are therefore designed to obtain audit evidence about the completeness, accuracy, and validity of the data produced by the accounting system.
Types of Substantive Tests
There are three types of substantive tests, explained below.
- Analytical procedures. Substantive analytical procedures entail comparing several financial and operational data sets to examine if trends and relationships are consistent. These techniques are intended to alert you to potential issues with your financial records, which you can then investigate further.
- Test of details of transactions. A test of transactions focuses on the individual transactions that make up an account balance. This test of details is done to check for the accuracy of the financial statement transactions. Auditors typically choose a sample to test whether the details match the transaction recorded in a company’s books.
- Tests of details of balances. A test of balances is done to check whether any material misstatement exists in the balances of the financial statements’ accounts. This test of details tries to demonstrate that the tests of control and the substantive tests related to transactions are all reasonable.
Best Practices for Substantive Testing
The auditor determines the tests’ nature, scope, and timing to assure that they meet an acceptable level of risk detection.
- Nature. This relates to the efficacy and type of audit procedure used by an auditor based on whatever level of risk is acceptable. The methods are more expensive and extensive if the acceptable level of risk is low. Conversely, the procedures are less expensive (and less effective) when the acceptable level of risk is higher.
- Extent. This is the quantity of evidence an auditor gathers depending upon how substantive testing is conducted. Procedures that need more tests and larger sample sizes are frequently required when acceptable risk is low. When it’s high, processes require fewer tests and smaller sample sizes.
- Timing. This relates to how the timing of an audit event might change due to the acceptable risk level. The auditor may perform audits in the middle of the month if controls are solid and the expected level of risk identification is minimal. Conversely, the auditor may audit closer to month- or year-end if the expected risk is high
What Is Control Testing?
Control testing is an audit procedure used to determine whether internal controls effectively prevent or discover material misstatements at the appropriate assertion level.
Control tests determine whether a policy or practice is well-designed to prevent or detect significant misstatements in a financial statement. The operating effectiveness of controls focuses on three questions: how is the control applied, is it consistently applied during the year, and who applies it?
The Goal of Control Testing
Control testing’s ultimate goal is to evaluate the performance of the internal control system to improve the organization’s operations, financial reporting, and compliance.
With these objectives in mind, an auditor uses several evaluation techniques to understand control procedures fully. For example, using a risk-based approach to audit testing, an auditor can focus on areas where risk is most likely to occur, identify problems, and recommend improving the effectiveness of a control.
Types of Control Tests
- Concurrent test. The auditor obtains an understanding of a process that also provides evidence on the effectiveness of the control policy or practice. These tests are performed based on the discretion of the auditor. For example, auditors may inquire about the budgeting system to verify users’ familiarity with the processes.
- Planned test of control. An auditor will look for evidence of proper and consistent application of control policies and procedures throughout the audited year.
Best Practices for Control Testing
The following best practices can help you test controls more effectively.
- Prioritize testing of controls. Large organizations routinely have hundreds or even thousands of documented controls. For each control under consideration, determine its effect on the organization, and then use this information to determine the nature and frequency of testing that you should perform.In addition, consider the specific regulations or compliance standards that the organization must follow, such as the Sarbanes–Oxley Act (SOX) or General Data Protection Regulation (GDPR). Requirements for these standards will often guide the testing process and determine which controls to test first.
- Design an appropriate test for each control. The nature of the control often determines the testing approach. For example, if the organization relies on controls to mitigate significant risks, you should test that control more frequently. You may also evaluate the design of the control before testing its operation.
- Documenting and tracking identified problems. An essential aspect of control testing is to remediate issues encountered during testing quickly. Always check corrections by rerunning the test program after allowing time for the remediation to verify that all problems have been resolved.
How Do the Main Objectives of Tests of Controls and Substantive Procedures Differ?
When we talk about control tests, we refer to audit procedures that verify the operating effectiveness of controls related to preventing or detecting material misstatements.
On the other hand, we have already said that substantive testing is a phase in the audit process to determine the fairness of financial information. For example, the auditor gathers samples and evidence to ascertain the extent of misstatements in the client’s account balances in this phase.
In terms of objectives, control testing evaluates the performance of the internal control system that monitors the accounting system. At the same time, the substantive testing audit approach provides sufficient appropriate audit evidence on the completeness, accuracy, and validity of the actual data produced by the accounting system.
Control testing is completed before substantive testing; and results from control testing will influence the scope of substantive testing. If an auditor determines that an organization’s controls are weak, he or she may recommend more thorough substantive testing. In this sense, we can say that the procedures are different, but definitely related.
While each procedure has its own purpose in audits, both audit techniques are essential for the risk management of internal controls of a business.
Add ZenGRC to Your Internal Control Plans
The key to creating good controls testing habits is to simplify the audit process and leverage technology to make it easier for you and your team. Tools like Reciprocity’s ZenGRC platform enable groups to quickly gather and document the evidence required by controls.
ZenGRC provides meaningful insight into how your organization compares to your peers with benchmarks. In particular, the audit efficiency benchmark shows comparisons of the average time to complete an audit per frame, the issue count per frame, and the level of effort spent managing and supporting audits, including evidence collection and reuse.
Of course, even a robust audit process is subject to human error. ZenGRC software streamlines the process of testing internal audit controls by monitoring and flagging potential control risks.
Schedule a free demo to learn how ZenGRC’s audit management workflows can optimize your process.