What are tests of controls?

Tests of controls are audit procedures that answer a single question: did the control work, every time it was supposed to? They evaluate whether a client's internal controls operated effectively during the period under audit, determining how much the auditor can rely on those controls to reduce the extent of substantive testing.

ISA 330.8 creates the trigger: if your risk assessment under ISA 315 (Revised 2019) assumes that controls are operating effectively, you must obtain audit evidence of that effectiveness through tests of controls. This is not optional. If your risk assessment relies on a control, you test it or you redesign the response.

The nature of the test depends on what the control actually does. ISA 330.A21 distinguishes between controls that leave documentary evidence (approvals, reconciliations, system-generated exception reports) and those that do not (segregation of duties, management oversight without a sign-off). For controls that leave evidence, inspection and reperformance are the standard approaches. For controls that leave no trail, inquiry combined with observation is often the only option, but ISA 330.A22 warns that inquiry alone is never sufficient.

Timing matters. If you test a control at an interim date, ISA 330.12 requires you to obtain evidence about significant changes to that control between the interim date and period-end. A purchase order approval control tested in September means nothing if the client changed the approval threshold in November.

Key Points

  • You perform tests of controls only when you plan to rely on those controls to reduce substantive work. ISA 330.8 requires them whenever the risk assessment assumes controls are operating effectively.
  • A control that operated at planning may have stopped working by year-end. Reperformance at or near period-end matters, especially when interim testing was performed.
  • Insufficient sample sizes and missing documentation are the two findings regulators flag most in tests of controls.
  • Inquiry alone is never sufficient. ISA 330.A22 requires combining inquiry with inspection, observation, or reperformance.

Why it matters in practice

Worked example: Janssens Retail N.V.

Client: Belgian retail chain, FY2024, revenue €85M, Belgian GAAP reporter. Janssens processes approximately 11,000 purchase orders per year. The accounts payable team requires manager approval for every PO above €5,000 before the system releases payment. The engagement team decided to rely on this control to reduce the extent of substantive testing over purchases.

Identify the control and its assertion: The PO approval control addresses the occurrence and accuracy assertions for purchases. The team documented: "Control C-04: Manager approval required for all POs > €5,000 before payment release. Relevant assertions: occurrence, accuracy."

Determine the testing approach: The control produces documentary evidence (a system log showing who approved, when, and the PO amount). Reperformance is the appropriate method: select a sample, inspect each PO for the approval signature, verify the approver had authority, and confirm the PO amount matched the approved limit. Sample: 25 items selected from a population of 3,400 POs above €5,000.

Execute and evaluate: Of 25 sampled POs, 24 showed timely manager approval with an authorised approver. One PO (€7,200) showed approval by a team lead who was not on the authorised signatory list. The team lead covered for the manager during a two-week holiday period without formal delegation. Deviation rate: 4% (1/25).

Conclude on control effectiveness: A single deviation does not automatically mean the control failed, but it requires evaluation under ISA 330.17. The team concluded the control was not operating effectively for the two-week absence period and extended substantive testing over the 142 POs processed during that window. For the remainder of the year, reliance was maintained.
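The reperformance steps above can be expressed as a check over the approval log. This is an added example, not part of the original page or the engagement file: the signatory list, user names, dates, PO ids and the `released_on` field are constructed assumptions, and only the €5,000 threshold and the 24-clean/1-deviation outcome come from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

THRESHOLD_EUR = 5_000          # Control C-04 threshold, from the page
AUTHORISED = {"mgr.peeters"}   # constructed signatory list (assumption)

@dataclass(frozen=True)
class PO:
    po_id: str
    amount: float
    approver: Optional[str]       # None = no approval in the log
    approved_on: Optional[date]
    released_on: date             # payment release date (assumed log field)

def has_authority(user, on, delegations=()):
    """Authorised signatory, or formally delegated on the approval date."""
    if user in AUTHORISED:
        return True
    return any(d == user and start <= on <= end for d, start, end in delegations)

def reperform(po, delegations=()):
    """Return the deviation reason for one PO, or None if the control operated."""
    if po.amount <= THRESHOLD_EUR:
        return None  # control does not apply at or below the threshold
    if po.approver is None or po.approved_on is None:
        return "no approval recorded"
    if po.approved_on > po.released_on:
        return "approved after payment release"
    if not has_authority(po.approver, po.approved_on, delegations):
        return "approver not authorised"
    return None

def evaluate(sample, delegations=()):
    """Reperform over a sample; return (deviations by PO id, deviation rate)."""
    in_scope = [p for p in sample if p.amount > THRESHOLD_EUR]
    deviations = {}
    for p in in_scope:
        reason = reperform(p, delegations)
        if reason:
            deviations[p.po_id] = reason
    rate = len(deviations) / len(in_scope) if in_scope else 0.0
    return deviations, rate

# Constructed sample mirroring the page's outcome: 24 clean items, 1 deviation.
SAMPLE = [PO(f"PO-{i:04d}", 6_000 + i, "mgr.peeters", date(2024, 3, 1), date(2024, 3, 2))
          for i in range(24)]
SAMPLE.append(PO("PO-9999", 7_200, "lead.maes", date(2024, 8, 12), date(2024, 8, 13)))

if __name__ == "__main__":
    devs, rate = evaluate(SAMPLE)
    print(devs, f"{rate:.0%}")
```

Passing a formal delegation record for the cover period to `evaluate` clears the deviation, which is the distinction the worked example turns on: the approval existed, but the authority behind it did not.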

Key standard references

  • ISA 330.8: Requires tests of controls when the risk assessment assumes controls are operating effectively.
  • ISA 330.9: Requires designing tests of controls to obtain sufficient appropriate evidence that controls operated effectively throughout the period of reliance.
  • ISA 330.12: Requires obtaining evidence about significant changes to controls between interim testing and period-end.
  • ISA 330.17: Requires evaluating deviations detected during testing to determine the effect on the assessed risk.
  • ISA 330.A22: Inquiry alone does not provide sufficient evidence of operating effectiveness.

Frequently asked questions

When must the auditor perform tests of controls?

ISA 330.8 requires tests of controls whenever the risk assessment assumes controls are operating effectively. If the risk assessment relies on a control, the auditor must test it or redesign the audit response.

Is inquiry alone sufficient as a test of controls?

No. ISA 330.A22 warns that inquiry alone is never sufficient. For controls that leave documentary evidence, inspection and reperformance are standard. For controls without a trail, inquiry must be combined with observation.

What happens if a deviation is found?

A single deviation does not automatically mean the control failed. ISA 330.17 requires evaluation. The auditor may conclude the control was ineffective for a period and extend substantive testing for that period.