What are tests of controls?
Regulators keep flagging the same problem: audit files where the team said they'd rely on controls, but the testing was a tick-box exercise (or missing entirely). The risk assessment assumes the control works and the audit program says "test the control," but the working paper contains nothing beyond a brief inquiry note. That gap between planned reliance and actual evidence is what ISA 330 targets.
Tests of controls are audit procedures that evaluate whether a client's internal controls operated effectively during the period under audit. They determine how much the auditor can rely on those controls to reduce the extent of substantive testing. ISA 330.8 creates the trigger: if your risk assessment under ISA 315 (Revised 2019) assumes that controls are operating effectively, you must obtain audit evidence of that effectiveness through tests of controls. If your risk assessment relies on a control, you test it or you redesign the response.
The nature of the test depends on what the control actually does. ISA 330.A21 distinguishes between controls that leave documentary evidence (approvals, reconciliations, system-generated exception reports, automated workflow logs) and those that don't (segregation of duties, management oversight without a sign-off). For controls that leave evidence, inspection and reperformance are the standard approaches. For controls that leave no trail, inquiry combined with observation is often the only option, but ISA 330.A22 warns that inquiry alone is never sufficient.
Timing matters. If you test a control at an interim date, ISA 330.12 requires you to obtain evidence about significant changes to that control between the interim date and period-end. A purchase order approval control tested in September means nothing if the client changed the approval threshold in November.
Key Points
- You perform tests of controls only when you plan to rely on those controls to reduce substantive work. ISA 330.8 requires them whenever the risk assessment assumes controls are operating effectively.
- A control that operated at planning may have stopped working by year-end. Reperformance at or near period-end matters, especially when interim testing was performed.
- Insufficient sample sizes and missing documentation are the two findings regulators flag most in tests of controls.
- Inquiry alone is never sufficient. ISA 330.A22 requires combining inquiry with at least one other procedure (inspection, observation, reperformance, or a combination).
Why it matters in practice
Worked example: Janssens Retail N.V.
Client: Belgian retail chain, FY2024, revenue €85M, Belgian GAAP reporter. Janssens processes approximately 11,000 purchase orders per year. The accounts payable team requires manager approval for every PO above €5,000 before the system releases payment. The engagement team decided to rely on this control to reduce the extent of substantive testing over purchases.
Identify the control and its assertion. The PO approval control addresses the occurrence and accuracy assertions for purchases. The team documented: "Control C-04: Manager approval required for all POs > €5,000 before payment release. Relevant assertions: occurrence, accuracy."
Determine the testing approach. The control produces documentary evidence (a system log showing who approved, when, and the PO amount). Reperformance is the appropriate method: select a sample, inspect each PO for the approval signature, verify the approver had authority, and confirm the PO amount matched the approved limit. Sample: 25 items selected from a population of 3,400 POs above €5,000.
Execute and evaluate. Of 25 sampled POs, 24 showed timely manager approval with an authorised approver. One PO (€7,200) showed approval by a team lead who wasn't on the authorised signatory list. The team lead covered for the manager during a two-week holiday period without formal delegation. Deviation rate: 4% (1/25).
Conclude on control effectiveness. A single deviation doesn't automatically mean the control failed, but it requires evaluation under ISA 330.17. The team concluded the control wasn't operating effectively for the two-week absence period and extended substantive testing over the 142 POs processed during that window. For the remainder of the year, reliance was maintained. This is the part that separates real testing from just ticking and bashing through a sample: a deviation forces you to think about what went wrong, how long the failure window lasted, what it means for the rest of the population, and whether your overall reliance strategy still holds.
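The reperformance steps above can be run directly against an export of the approval log. The following is an added example, not part of the original page or any firm's methodology; the log layout, approver names, dates and rows are constructed for illustration, and the failure window passed to extension_scope is assumed to have been set by the auditor after investigating the deviation.

```python
from datetime import date

THRESHOLD_EUR = 5_000        # control C-04 applies to POs above this amount
AUTHORISED = {"manager_a"}   # constructed authorised signatory list

# Constructed log rows: (po_id, amount_eur, approver, approved_on, released_on)
LOG = [
    ("PO-0001", 6_400, "manager_a", date(2024, 3, 4), date(2024, 3, 6)),
    ("PO-0002", 7_200, "team_lead_b", date(2024, 8, 12), date(2024, 8, 14)),
    ("PO-0003", 9_900, "manager_a", date(2024, 10, 9), date(2024, 10, 8)),
    ("PO-0004", 5_800, None, None, date(2024, 11, 20)),
    ("PO-0005", 4_100, None, None, date(2024, 12, 2)),
]

def reperform(row, authorised=AUTHORISED, threshold=THRESHOLD_EUR):
    """Return deviation reasons for one PO (empty list = control operated)."""
    _, amount, approver, approved_on, released_on = row
    if amount <= threshold:
        return []                      # outside the control's scope
    if approver is None or approved_on is None:
        return ["no approval recorded"]
    reasons = []
    if approver not in authorised:
        reasons.append("approver not on signatory list")
    if approved_on > released_on:
        reasons.append("approved after payment release")
    return reasons

def evaluate(sample, threshold=THRESHOLD_EUR):
    """Reperform the control over a sample; return (deviations, rate)."""
    in_scope = [r for r in sample if r[1] > threshold]
    deviations = {r[0]: reperform(r) for r in in_scope if reperform(r)}
    rate = len(deviations) / len(in_scope) if in_scope else 0.0
    return deviations, rate

def extension_scope(population, start, end, threshold=THRESHOLD_EUR):
    """In-scope POs released inside the failure window: the set that
    needs extended substantive testing."""
    return [r[0] for r in population
            if r[1] > threshold and start <= r[4] <= end]

if __name__ == "__main__":
    deviations, rate = evaluate(LOG)
    for po_id, reasons in deviations.items():
        print(po_id, "; ".join(reasons))
    print(f"deviation rate: {rate:.0%}")
    print(extension_scope(LOG, date(2024, 8, 5), date(2024, 8, 18)))
```

Each deviation is reported with its reason, because the evaluation under ISA 330.17 depends on what went wrong, not only on the rate.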
Key standard references
- ISA 330.8 requires tests of controls when the risk assessment assumes controls are operating effectively.
- ISA 330.9 requires designing tests of controls to obtain sufficient appropriate evidence that controls operated effectively throughout the period of reliance.
- ISA 330.12 requires obtaining evidence about significant changes to controls between interim testing and period-end.
- ISA 330.17 requires evaluating deviations detected during testing to determine the effect on the assessed risk.
- ISA 330.A22 states that inquiry alone doesn't provide sufficient evidence of operating effectiveness.
Frequently asked questions
When must the auditor perform tests of controls?
ISA 330.8 requires tests of controls whenever the risk assessment assumes controls are operating effectively. If the risk assessment relies on a control, the auditor must test it or redesign the audit response.
Is inquiry alone sufficient as a test of controls?
No. ISA 330.A22 warns that inquiry alone is never sufficient. For controls that leave documentary evidence, inspection and reperformance are standard. For controls without a trail, inquiry must be combined with observation.
What happens if a deviation is found?
A single deviation does not automatically mean the control failed. ISA 330.17 requires evaluation. The auditor may conclude the control was ineffective for a period and extend substantive testing for that period.