Internal controls can serve two purposes: to protect a business from accounting fraud, asset loss, or similar financial reporting failures; and to assure that the business meets its regulatory compliance obligations.

An audit evaluates the accuracy of a company’s financial statements and the effectiveness of its internal control system to identify control weaknesses. In addition, audits typically include some form of substantive testing, which tests for risks of material misstatements and errors. These substantive audit procedures review, test, and analyze a company’s financial records.

Substantive testing is an audit that looks for flaws in financial records. These tests are required to prove that a company’s financial records are comprehensive, valid, and accurate. It’s an important concept in audits and internal control, so in this post we’ll explore all its related issues.

What Is Substantive Testing?

Substantive testing is the phase of an audit where the auditor gathers samples to identify any material misstatements in the client’s accounting records or other data. This is required to verify that a company’s financial records are complete, relevant, and accurate.

Substantive audit procedures prove that each material assertion in the financial statements is true. That said, tests may also reveal monetary errors or misstatements in the recording or presentation of transactions and balances.

Substantive testing is performed according to Generally Accepted Auditing Standards (GAAS). These standards require the auditor to understand the relevant audit controls and to assess whether those controls effectively prevent (or at least detect and correct) material misstatements that may appear in the financial statements.

The Goal of Substantive Testing

The main goals of substantive testing is to provide reasonable assurance about the validity and correctness of financial reporting or to identify material misstatements. Substantive procedures are therefore designed to obtain audit evidence about the completeness, accuracy, and validity of the data produced by the accounting system.

Types of Substantive Tests

There are three types of substantive tests, explained below.

  • Analytical procedures. Substantive analytical procedures compare several financial and operational data sets to examine whether trends and relationships are consistent. These techniques are intended to alert you to potential issues with your financial records, which you can then investigate further.
  • Test of details of transactions. A test of transactions focuses on the individual transactions that make up an account balance. This test of details is done to check for the accuracy of the financial statement transactions. Auditors typically choose a sample to test whether the details match the transaction recorded in a company’s books.
  • Tests of details of balances. A test of balances is done to check whether any material misstatement exists in the balances of the financial statements’ accounts. This test of details tries to demonstrate that the tests of control and the substantive tests related to transactions are all reasonable.

Best Practices for Substantive Testing

The auditor determines the tests’ nature, scope, and timing to assure that they meet an acceptable level of risk detection.

  • Nature. This relates to the efficacy and type of audit procedure an auditor uses based on whatever level of risk is acceptable. The lower your risk level is, the more expensive and extensive your audit procedures will be. Conversely, the procedures are less expensive (and less effective) when the acceptable level of risk is higher.
  • Extent. This is the quantity of evidence an auditor gathers, depending on how much substantive testing is conducted. Procedures requiring more tests and larger sample sizes are frequently needed when acceptable risk is low. When your risk levels are high, processes require fewer tests and smaller sample sizes.
  • Timing. This relates to how the timing of an audit event might change due to the acceptable risk level. For example, the auditor may perform audits in the middle of the month if controls are solid and the expected level of risk identification is minimal. Conversely, the auditor may audit closer to month- or year-end if the expected risk is high.

See also

Automating GRC: The Next Frontier in Risk Management

What Is Control Testing?

Control testing is an audit procedure used to determine whether internal controls effectively prevent or discover material misstatements at the appropriate assertion level.

Control tests determine whether a policy or practice is well-designed to prevent or detect significant misstatements in a financial statement. The operating effectiveness of controls focuses on three questions: how is the control applied, is it consistently applied during the year, and who applies it?

The Goal of Control Testing

Control testing’s ultimate goal is to evaluate the performance of the internal control system to improve the organization’s operations, financial reporting, and compliance.

With these objectives in mind, an auditor uses several evaluation techniques to understand control procedures. For example, using a risk-based approach to audit testing, an auditor can focus on areas where risk is most likely to occur, identify problems, and recommend improving the control effectiveness.

Types of Control Tests

  • Concurrent test. The auditor tests the understanding of a process to check the effectiveness of the control policy or practice. These tests are performed based on the discretion of the auditor. For example, auditors may inquire about the budgeting system to verify users’ familiarity with the processes.
  • Planned test of control. An auditor will look for evidence of proper and consistent application of control policies and procedures throughout the audited year.

Best Practices for Control Testing

The following best practices can help you test controls more effectively.

  • Prioritize testing of controls. Large organizations routinely have hundreds or even thousands of documented controls. For each control under consideration, determine its effect on the organization to determine the nature and frequency of testing. In addition, consider the specific regulations or compliance standards that the organization must follow, such as the Sarbanes-Oxley Act (SOX) or General Data Protection Regulation (GDPR). Requirements for these standards will often guide the testing process and determine which controls to test first.
  • Design an appropriate test for each control. The nature of the control often determines the testing approach. For example, if the organization relies on controls to mitigate significant risks, you should test those controls more frequently. You may also evaluate the design of the control before testing its operation.
  • Documenting and tracking identified problems. An essential aspect of control testing is quickly remedying issues encountered during testing. Always check corrections by rerunning the test program after allowing time for the remediation to verify that all problems have been resolved.

How Do the Main Objectives of Tests of Controls and Substantive Procedures Differ?

When we talk about control tests, we refer to audit procedures that verify the operating effectiveness of controls related to preventing or detecting material misstatements. That is not the same as substantive testing, which (as we described above) is a phase in the audit process to determine the fairness of financial information.

For objectives, control testing evaluates the performance of the internal controls that govern the accounting system. At the same time, substantive testing provides sufficient appropriate audit evidence on the completeness, accuracy, and validity of the actual data produced by the accounting system.

Control testing is completed before substantive testing, and results from control testing will influence the scope of substantive testing. For example, if an auditor determines that an organization’s controls are weak, he or she may recommend more thorough substantive testing. In this sense, we can say that the procedures are different but related.

While each procedure has its purpose in audits, both audit techniques are essential for the risk management of internal controls of a business.

What Are Substantive Procedures?

Substantive procedures refer to the audit tests or methods auditors use to assess your business’s financial statements. These procedures aim to provide conclusive evidence for verifying the completeness, accuracy, existence, occurrence, measurement, and valuation (audit assertions) of the financial records of your business.

The primary objective behind performing substantive procedures is to assure that there are no material misstatements in your company’s financial records and that all the relevant information is correctly disclosed. These procedures include the following activities:

  • Testing the applicable classes of transactions, account balances, and disclosures;
  • Reconciling the financial statements and accompanying notes to the underlying accounting records;
  • Evaluating material journal entries and other adjustments made during the preparation of the financial statements;
  • Making inquiries about any suspicious transactions.

What Are Examples of Substantive Analytical Procedures?

Substantive analytical procedures use plausible relationships to evaluate the numbers in financial statements. For example, an auditor may expect payroll to be 30 percent of total expenses simply because you have seen that ratio in the past.

Based on that plausible relationship (the percentage of payroll to total expenses) the auditors can then search for and create evidence by using percentages and comparisons to the prior year.

Another way to think of it: numbers usually behave in specific ways, so an auditor can use these relationships to form audit opinions when reviewing your company’s financial statements.

Here are some common examples of substantive analytical procedures:

  • To test occurrence, the auditor can compare monthly sales of the current year to the previous year. He or she can also compare the percentage of expenses to sales for the current year with that of the prior year.
  • To test cut-off, the auditor can compare profit margins from the last few months of the audit period to those after the period-end.
  • To test solvency and going concern, the auditor can compare the current ratio to that of the previous year.
  • To test accuracy and occurrence, the auditor can compare the current year’s profit margins with those of the previous period.
  • To test the completeness and accuracy of pension or post-employment benefit plans, the auditor can divide the actual value of plan assets by the actual accrued liability and compare it to the prior year.
  • To test the financial strength and going concern of an entity, the auditor can divide the total debt by the total assets and compare it to the prior year.
  • To test inventory existence and occurrence, the auditor can divide the cost of goods sold by the average inventory and compare it to the prior year.

Add ZenGRC to Your Internal Control Plans

The key to creating good controls testing habits is simplifying the audit process and leveraging technology to make it easier for you and your team. Tools such as ZenGRC enable groups to gather and document the evidence required by controls quickly.

ZenGRC provides meaningful insight into how your organization compares to your peers with benchmarks. In particular, the audit efficiency benchmark compares the average time to complete an audit per frame, the issue count per frame, and the level of effort spent managing and supporting audits, including evidence collection and reuse.

Of course, even a robust audit process is subject to human error. ZenGRC streamlines testing internal audit controls by monitoring and flagging potential control risks.

Schedule a free demo to learn how ZenGRC’s audit management workflows can optimize your process.

Automating GRC: The Next Frontier
in Risk Management