What are the differences between tests of controls and substantive tests of transactions?

The purpose of audit tests

The purpose of audit tests, or audit procedures, is to allow the auditor to collect sufficient appropriate audit evidence to be able to conclude with reasonable assurance that the financial statements (FS) are free of material misstatement. If sufficient appropriate audit evidence cannot be obtained, or the evidence points to a material misstatement in the FS, the auditor will have to issue a modified audit opinion.

Misstatements will find their way into published financial statements only if three events all happen:

1. An error is made in the first place. The risk of that happening is known as ‘inherent risk’, and assessing that is a very big part of audit planning (not the subject of this article).
2. The client’s internal control system does not prevent, identify or correct the error. This is known as ‘control risk’.
3. The auditor does not detect the error during the audit. This is known as ‘detection risk’.

There are therefore two lines of defence preventing an error that has occurred from ending up in the published FS: the internal control system and the work auditor carries out.

If the client’s internal control system is good, there is a reduced likelihood that there will be an error in the FS and the auditor will reduce the amount of audit work to be carried out. If the internal control system is poor, the auditor will have to perform much more work as the audit is the only defence left against a material misstatement appearing in the published FS.

Therefore, the auditor must:

1. Assess the effectiveness of the internal control system. This means investigating both its design and its operation. The operation of the internal controls is assessed by carrying out tests of control.
2. Obtain additional, direct evidence about the amounts shown in the FS. This evidence is obtained using substantive testing.

Consider the receivables amount in the SOFP. One way in which this could be misstated would be if it were incorrectly valued, perhaps because a large balance was owed by a customer who was unlikely to pay.

The controls that would help to prevent that include:

• Take up credit references on new customers.
• Establish a credit limit.
• Producing aged receivables analyses.
• The follow up amounts that are not paid on time.

The operation of these controls needs to be tested. For example:

• Look at the client’s files where credit references are kept to ensure that every customer was investigated. The auditor would inspect the references.
• Look for evidence of new orders being rejected if they would breach the credit limit. This could be tested by inspecting copies of notifications sent to customers. The auditor might also consider using test data to observe if an order exceeding the credit limit is actually rejected.
• Inspecting notes made by the credit controller of conversations held with slow payers and perhaps enquiring about the follow-up procedures that are carried out.

Each of these audit tests are testing a control or control procedure. They are therefore tests of control. These tests are not investigating the receivables balance in the SOFP. I repeat, a test of control tests controls, not amounts in the FS.

Tests of control can be grouped into:

Enquiry and confirmation. For example, ask the credit controller about the way in which customers are encouraged to pay and ask how these customers are identified and how often they are followed up. This is a relatively weak source of evidence because the credit controller might exaggerate his or her efforts.

Inspection. For example, the credit references or notes made by the credit controller of conversations.

Observation. For example, observing the credit controller at work.

Recalculation and reperformance. For example, ensuring that the aged receivables analysis seems to be accurate.

Even when internal control systems are very good, the auditor will always carry out tests on the figures in the FS. The work has to address all the assertions made by each material figure. For example, valuation, completeness, existence etc. These tests are substantive tests and consist of:

• Analytical procedures and
• Tests of detail.

So, staying with receivables, the auditor would calculate the receivables collection period. If this were not too large and broadly in line with previous periods, the auditor would have gained some evidence about valuation (ie most debts not very old).

Tests of detail would include:

• Writing to customers asking them to confirm the amount owed (existence and ownership).
• Tracing, by inspection, some sales invoices to the Dr side of customers’ accounts (existence and ownership).
• Observation/inspection of amounts received after year end. This gives evidence about valuation because if a payment is received subsequently the debt was obviously not bad.
• Recalculation of bad debt provisions.

Substantive tests therefore include analytical procedures in addition to the four classes of audit procedures available for testing controls, so giving the well-known mnemonic AEIOU:

Analytical procedures

Enquiry and confirmation

Inspection

Observation

RecalcUlation and reperformance

Remember if the tests of control show that controls are not operating correctly, the auditor will have to increase the substantive tests. For example, if the client does little to assess customers’ credit worthiness to ensure, as far as possible, that debts are recoverable, the auditor will have to do much more work on the receivables figure in the SOFP to be satisfied that the amount is valued at a true and fair amount.