Substantive Procedures vs Tests of Controls: Key Differences
eTHE #1 EXAM CONFUSION
Substantive Procedures vs. Tests of Controls: The Clearest Explanation You'll Find
AA examiners repeatedly report that candidates confuse these two core audit procedures. This post breaks down the distinction with real examples so you never mix them up again.
Master ISA 330: Controls vs. Substantive Testing
Build detailed procedure-writing skills with CIA Part 2 frameworks plus exam-focused practice:
In This Article
- Substantive vs. Tests of Controls in 60 Seconds
- Why This Distinction Matters (Exam Perspective)
- Side-by-Side Comparison Table
- The Fundamental Difference Explained
- Tests of Controls: Examining Client Performance
- Substantive Procedures: Testing Account Balances
- Examples by Audit Cycle (Sales, Purchases, Payroll)
- Decision Tree: Which One Do I Use?
- CIA Part 2 Context (Control Testing Framework)
- What Examiners See (Real Marking Feedback)
- Why Students Confuse These (And How to Fix It)
- Common Mistakes We See
- Frequently Asked Questions
Substantive vs. Tests of Controls in 60 Seconds
| Aspect | Tests of Controls | Substantive Procedures |
| Question Being Asked | Did the client perform the control effectively? | Is the account balance correct? |
| Focus | Client's performance of control | Auditor's assessment of balance |
| Evidence Sought | Evidence client performed control (e.g., approval signatures) | Evidence balance is fairly stated (e.g., confirmations, recalculations) |
| ISA Standard | ISA 330 | ISA 330, ISA 500 |
| Common Error | Writing substantive procedures instead | Writing tests of controls instead |
I see this error on nearly every exam session: a student writes a test of controls when the examiner asks for substantive procedures, or vice versa. The examiners have commented repeatedly that this is one of the most common weaknesses among AA candidates. Here's what typically happens: the student identifies a control weakness or area of concern, and without thinking clearly about what they're testing, they write a procedure. But it's the wrong type. The examiner gives zero marks because it doesn't answer the question. In this post, I'm going to give you a simple framework to distinguish these two fundamentally different types of audit work. By the end, you'll have a decision tree you can apply to every procedure-writing question in your exam. You'll understand not just the difference, but why the distinction matters — because it changes what evidence you gather, how you test, and what conclusions you can draw. Let's start with the core concept, then work through real examples from different audit cycles.
Why This Distinction Matters (And Why Examiners Care)
Understanding the difference between substantive procedures and tests of controls is fundamental to audit work. Here's why:
1. Different Evidence Requirements: If you're testing whether management performed a control, you need evidence that they actually did it. If you're testing whether a balance is correct, you need evidence about the balance itself. They're completely different pieces of evidence. For example, an approval signature proves a control was performed. A supplier confirmation proves a payables balance is correct. These answer different questions.
2. Different Risk Responses: If you find that a control is not operating effectively, you have to adjust your substantive testing — you'll do more detailed testing of account balances because you can't rely on the control. If you test a balance and find a misstatement, that tells you something about the control environment. The two types of testing work together.
3. Different Standards and Frameworks: Tests of controls are covered in ISA 330 Testing Controls. Substantive procedures are covered in ISA 500 Audit Evidence. CIA Part 2 Sections 2161-2165 cover control testing methodologies. The frameworks are different because the objectives are different.
4. Exam Marks at Stake: Examiners have explicitly stated: "Candidates must ensure that they can distinguish between a substantive procedure and a test of control. Many candidates lose marks in this type of requirement by mixing up these procedures." (MJ24 examiner report). If you write the wrong type, you get zero marks for that procedure, even if it's well-written. There's no partial credit. Getting the type right is foundational.
Side-by-Side Comparison Table
| Dimension | Tests of Controls | Substantive Procedures |
|---|---|---|
| Primary Objective | Evaluate whether a control is designed adequately and operating effectively | Obtain sufficient audit evidence about the correctness of account balances |
| What Are We Testing? | The client's performance of a control procedure | The account balance itself or assertions about transactions |
| Typical Evidence | Signatures, initials, approval stamps, system logs, exception reports, documented evidence of client action | Confirmations, recalculations, bank statements, supplier invoices, inventory counts, management representations |
| Example Question | "Did the approval manager actually review and approve the transaction before it was processed?" | "Is the accounts receivable balance of £2.5m accurately stated in the financial statements?" |
| Sample Procedure | "Review the purchase order approval register and select 20 invoices over £10,000; verify that the purchase order was approved by a manager with appropriate authority before the invoice was paid." | "Obtain the accounts receivable aged listing as of year-end; select 10 balances over £100,000; confirm directly with customers the outstanding balance as of year-end." |
| When Risk Assessment Shows… | …control risk is LOW → you can rely on controls, so TEST controls to verify they're working, then reduce substantive testing | …control risk is HIGH → you can't rely on controls, so DO MORE substantive testing to detect misstatements directly |
| Connection to Management Assertions | Supports your assessment of whether controls mitigate risks to management assertions (existence, completeness, accuracy, etc.) | Directly addresses whether management assertions are fairly stated in the financial statements |
| ISA Standard | ISA 330 The Auditor's Responses to Assessed Risks | ISA 500 Audit Evidence and ISA 330 |
The Fundamental Difference Explained (The Question You're Answering)
Here's the simplest way to remember the distinction: ask yourself which question you're answering.
Tests of Controls ask: "Did the client perform this control effectively?"
Example: Did the finance manager actually review and approve invoices before payment?
Substantive Procedures ask: "Is this account balance correctly stated?"
Example: Is the accounts payable balance of £5m accurate as of year-end?
Notice the focus: Tests of controls focus on the client's actions — did they do what they're supposed to do? Substantive procedures focus on the financial statement amounts — are they correct? These are fundamentally different questions, which means your testing approach is completely different. This is why CIA Part 2 Section 2162-2165 emphasizes understanding control objectives and testing methodologies — you're evaluating control effectiveness, not testing balances.
Tests of Controls: Examining Client Performance of Controls
A test of control examines whether the client performed a control procedure as designed. You're looking for evidence that management did what they were supposed to do to prevent or detect misstatements.
Key Components of a Test of Control Procedure:
- Action Verb: Review, inspect, observe, test, examine, verify
- What You're Testing: Evidence the control was performed (signatures, approvals, system logs, exception reports)
- Sample/Population: "10 transactions over £50,000" or "20% of all expense reports"
- What Success Looks Like: "All invoices should have evidence of three-way matching (PO, GRN, invoice)"
Example of a weak test of control (won't score marks): "Review purchase order approvals." This is too vague — you haven't told the examiner how you're testing, what population, or what you're looking for as evidence.
Example of a strong test of control (will score marks): "Select 15 purchase orders over £25,000 from the purchase order register; inspect each PO to verify that it was approved by a manager with appropriate spending authority; document the approval evidence (signature, date, manager name) for each transaction; report any POs without evidence of approval." Now the examiner knows exactly what you're testing — the client's performance of the approval control. Understanding control design helps you write good tests of control.
A critical examiner quote: "A test which starts with 'check' is unlikely to provide sufficient detail as to how exactly the auditor will test the control...The test needs to 'review for evidence that sales orders are agreed to GDNs' to gain 1 mark." (SD24 examiner report). The word "check" is too vague. You need to specify what evidence you're looking for.
Substantive Procedures: Testing Account Balances Directly
A substantive procedure directly tests whether an account balance or transaction is fairly stated. You're gathering evidence about the correctness of a financial statement amount, not about whether a control worked.
Key Components of a Substantive Procedure:
- What You're Testing: The account balance or transaction amount itself
- Assertion Being Addressed: Existence, completeness, accuracy, valuation, rights/obligations
- Source Documents/Evidence: Confirmations, invoices, bank statements, recalculations, inventory counts
- Sample/Population: "All receivables over £200,000" or "a sample of 25 transactions"
- Success Criteria: "Amounts should match the ledger and be supported by appropriate documentation"
Example of a weak substantive procedure: "Review receivables for accuracy." This doesn't tell the examiner how you're testing or what evidence you're seeking.
Example of a strong substantive procedure: "Obtain the aged receivables list as of year-end; select 12 balances totaling 80% of the total receivables balance; agree each balance to the sales invoice and check the invoice date to verify the sale occurred before year-end; contact the customer directly to confirm the outstanding balance as of year-end; for any differences identified, discuss with management and document the reason." Now the examiner knows you're directly testing whether the receivables balance is fairly stated. You're using confirmations and direct evidence to assess the balance, not testing whether a control was performed.
Another critical examiner point: when testing revenue, use Goods Dispatched Notes (GDNs) as your starting point, not receivables. "When listing these types of detailed tests, the key point when the sale should be recognised is when the goods have been dispatched and so tests should begin or end with the GDN rather than the sales order." (D23 examiner report). Understanding revenue recognition principles helps you design effective substantive tests.
Examples by Audit Cycle (Sales, Purchases, Payroll)
Let me show you the distinction with real examples from the three most common audit cycles. In each case, I'll show a test of control and a substantive procedure on the same area.
Sales Cycle — Sales Order Approval:
Test of Control: "Select 10 sales orders over £50,000 from the period; review each order to verify it was approved by a sales manager before goods were dispatched; examine the order file for evidence of manager approval (signature, email approval, or system log showing approval); document the manager name and approval date for each order."
Why this is a test of control: you're examining evidence that the CLIENT performed the approval before goods left the warehouse.
Substantive Procedure: "Obtain the sales invoice listing for the final week of December and first week of January; select 8 sales transactions each month; trace each transaction to the Goods Dispatched Note (GDN) to verify that goods were shipped in the correct accounting period; agree the amount on the invoice to the sales order and GDN; if timing appears incorrect, investigate with management."
Why this is substantive: you're testing whether revenue is recognized in the correct period — you're directly verifying the account balance, not the client's approval control.
Purchases Cycle — Three-Way Matching:
Test of Control: "Select 12 invoices over £30,000 from the purchase ledger; for each invoice, inspect the purchase order file to verify that a three-way match was performed (PO matched to Goods Received Note matched to supplier invoice); document evidence of matching review (initials, approval stamp, or system record); report any invoices without evidence of three-way matching."
Why this is a test of control: you're examining the CLIENT'S evidence of performing the three-way matching control.
Substantive Procedure: "Obtain the trade payables ledger as of year-end; select 15 invoices from the list, stratified to capture high-value items; recalculate invoice amounts using supplier statements and contracts; verify that amounts are recorded in the correct accounting period by examining GRN dates; for any differences, contact the supplier to confirm the outstanding balance and timing."
Why this is substantive: you're directly testing whether payables amounts are correct, not testing whether the matching control was performed.
Payroll Cycle — Authorization of Wage Rate Changes:
Test of Control: "Obtain the payroll system report showing all wage rate changes in the period; select 20 rate changes; for each change, review the supporting documentation (manager authorization, HR approval, signed change form); verify that the change was approved by someone with appropriate authority; document the approver name and date for each change; identify any changes without evidence of authorization."
Why this is a test of control: you're examining evidence that the CLIENT authorized wage changes before they were processed in the system.
Substantive Procedure: "Obtain the payroll expense report for December; select 10 employees with wage rates that changed during the year; recalculate their gross pay for November and December using their wage rate and hours; agree the calculation to the payroll register; verify the wage rate used was accurate as of each period; identify any employees paid at incorrect rates."
Why this is substantive: you're directly testing whether payroll amounts are correct, not testing the authorization control.
Notice the pattern: tests of controls ask "Did the client do it?" and look for evidence of client action. Substantive procedures ask "Is the amount correct?" and look for direct evidence about the account balance. Both matter in your audit plan, but they answer different questions.
Master Procedure Writing with Real Scenarios
Practice writing both types of procedures with detailed feedback and marking guides:
Decision Tree: Which One Do I Use?
Use this decision tree when you're faced with a procedure-writing requirement and you're not sure which type the question is asking for:
QUESTION 1: Are we testing whether the CLIENT PERFORMED a control procedure?
(Examples: Did management approve invoices? Did someone reconcile the bank statement? Did the system prevent duplicate transactions?)
✓ YES → This is a TEST OF CONTROL
Look for evidence the client performed the action (signatures, approvals, system logs, reconciliations).
QUESTION 2: Are we testing whether an ACCOUNT BALANCE is correctly stated?
(Examples: Is receivables balance accurate? Is inventory valued correctly? Is payroll expense overstated?)
✓ YES → This is a SUBSTANTIVE PROCEDURE
Look for evidence about the balance itself (confirmations, recalculations, bank statements, counts).
Also check the question requirement carefully. If it says "describe audit procedures the auditor should perform," look for clues: If the scenario emphasizes a control weakness or control design issue, the question is likely asking for tests of controls. If it emphasizes a potential misstatement or balance risk, it's likely asking for substantive procedures. Read carefully — examiners often signal the type of answer they want through scenario emphasis.
CIA Part 2 Context: Control Testing Framework (Sections 2162-2165)
CIA Part 2 covers control testing in detail because internal auditors often spend significant time testing controls. The framework emphasizes:
1. Understanding Control Objectives: Before you test a control, you need to understand what risk it's designed to mitigate and what the control is supposed to achieve. ISA 315 Identifying and Assessing Risks of Material Misstatement emphasizes this — you identify risks, then identify the controls meant to respond to those risks.
2. Testing Design vs. Operating Effectiveness: CIA Part 2 distinguishes between testing whether a control is designed to mitigate risk (do the documentation and process make sense?) and testing whether it's operating effectively (is the client actually performing it?). Both matter. A control might be well-designed but not performed consistently.
3. Sampling for Control Testing: CIA Part 2 Section 2164 covers sampling methodologies for control testing. You typically sample a smaller number of transactions for control testing than for substantive testing, because you're testing whether the process works consistently, not testing every transaction in an account balance.
For AA candidates, understanding the CIA Part 2 framework helps you design effective tests of controls that actually address control objectives, not just go through the motions of testing.
What Examiners See (Real Marking Feedback From Reports)
"Candidates must ensure that they can distinguish between a substantive procedure and a test of control. Many candidates lose marks in this type of requirement by mixing up these procedures." — MJ24 AA Examiner Report
"Many candidates fail to score well in this type of requirement because their procedures are vague or too brief. Tests must be sufficiently detailed noting clearly which source document should be used and for what purpose." — MJ24 AA Examiner Report
"A test which starts with 'check' is unlikely to provide sufficient detail as to how exactly the auditor will test the control...The test needs to 'review for evidence that sales orders are agreed to GDNs' to gain 1 mark." — SD24 AA Examiner Report
"When listing detailed tests, the key point when the sale should be recognised is when the goods have been dispatched and so tests should begin or end with the GDN rather than the sales order." — D23 AA Examiner Report
— Based on ACCA AA Examiner Reports (MJ24, SD24, D23) & eduyush Student Performance Data
The theme from examiners is consistent: students either write procedures that are too vague, mix up substantive and control procedures, or miss key details like using the right source document. The fix is to be specific: specify the document you're reviewing, the population you're sampling from, what evidence you're looking for, and what you'll do if you find an exception. This shows the examiner exactly what you're testing and why.
Why Students Find This Confusing (And How to Fix It)
The confusion comes from several places:
Confusion 1: Both involve examining documents and looking for evidence. But the type of evidence is different. When testing controls, you're looking for evidence the client acted. When testing balances, you're looking for evidence the amount is correct. Example: A supplier invoice is evidence that a purchase occurred (substantive). An approval signature on that invoice is evidence that management approved the purchase (control). Same document, different evidence.
Confusion 2: Students test controls when they should test balances, and vice versa. Often this happens because the student focuses on what's in the scenario rather than what the question asks. If the scenario mentions a control weakness, students write about testing that control. But if the question asks "describe substantive procedures for accounts receivable," you're testing the balance, not the control. Read the question requirement carefully, not just the scenario.
Confusion 3: Students use vague language like "check," "review," or "examine" without specifying HOW or WHAT. Examiners want detail. Instead of "review the approval process," write "select 10 invoices over £20,000, examine the purchase order file for each invoice to verify that it was approved by a manager with appropriate spending authority, and document the approval evidence for each transaction." The detail shows you understand what you're testing.
How to Fix It: For each procedure you write, ask yourself: "Am I testing whether the client performed a control, or am I testing whether an account balance is correct?" If the former, it's a test of control. If the latter, it's substantive. Write the answer accordingly. And include specific detail — the document, the population, the evidence, the sample size. This clarity will earn you marks and help you avoid confusion.
Common Mistakes We See
❌ Mistake 1: "Review Customer Records for Accuracy" (Missing Detail)
What Happens: The student writes this thinking it's a substantive procedure, but it's too vague. The examiner has no idea what you're actually testing or how you'll verify accuracy. Fix: "Obtain the receivables aged list as of year-end; select 8 balances over £250,000; send a direct confirmation to each customer asking them to confirm the balance owed as of year-end; follow up on any non-responses or exceptions with a second confirmation."
❌ Mistake 2: "Check That Invoices Are Approved" (Too Generic for Controls)
What Happens: The student is trying to write a test of control but hasn't specified the sample, the evidence, or what "check" means. Fix: "Select 15 sales invoices over £15,000 from the month of June; trace each invoice to the purchase order file to verify that a manager approved the order before goods were dispatched; examine the approval evidence (signature, email, or system log); report any invoices without prior approval."
❌ Mistake 3: Testing Receivables When Asked About Revenue (Wrong Balance)
What Happens: The question asks "describe substantive procedures for revenue," but the student writes "review after-date cash receipts" — that's a receivables procedure, not revenue. Fix: "Obtain the sales invoice listing from the final week of December and first week of January; select 6 transactions each month; trace to the Goods Dispatched Note to verify timing is correct; agree invoice amounts to the sales order."
❌ Mistake 4: Writing a Substantive Procedure When Asked for a Test of Control
What Happens: The question asks about testing whether the approval control is operating, but the student writes "recalculate invoice amounts" — that's testing balance accuracy, not control performance. Fix: "Select 12 invoices; for each one, inspect the approval file to verify that a three-way match (PO, GRN, invoice) was documented before payment; report any invoices paid without evidence of three-way matching."
Frequently Asked Questions
Q1: Can a Single Procedure Be Both a Test of Control and Substantive?
No. Each procedure answers one question: either "Did the client perform the control?" (test of control) or "Is the balance correct?" (substantive). However, your overall audit strategy might include both. For example, you might test whether the approval control is operating effectively (test of control), and if it is, you can reduce your substantive testing of that transaction stream. If the control isn't operating, you do more substantive testing. So you do both types of procedures, but each individual procedure is one or the other.
Q2: If a Scenario Mentions a Weak Control, Am I Supposed to Write Tests of Control or Substantive Procedures?
Read the question requirement. If it says "describe tests of controls," write tests of controls — you're testing whether the weak control is operating or whether management has compensating controls. If it says "describe substantive procedures," write substantive procedures — you're testing the account balance directly because you can't rely on the weak control. The scenario is context, but the question requirement tells you what type of procedure to write. Many students get this wrong by focusing on the scenario instead of the requirement.
Q3: How Much Detail Do I Need to Write?
Enough that someone reading your procedure could actually perform it without asking you questions. For a test of control, specify: the document you're reviewing, the sample size and selection method, what evidence you're looking for, and what you'll conclude if you find exceptions. For substantive procedures, specify: the source of data, the sample (number and selection method), what you're testing, and how you'll verify (confirmations, recalculations, etc.). One mark per well-described procedure — "well-described" means detailed enough that it's clear what you're doing.
Q4: Why Does ISA 330 Cover Both Tests of Controls and Substantive Procedures?
ISA 330 covers the auditor's response to assessed risks. Depending on your risk assessment, your response might be to test whether controls are effective (tests of controls), or to do detailed testing of account balances (substantive procedures), or both. The standard addresses both because auditors use both depending on the situation. Understanding when to use each is key to audit efficiency.
Master Procedure Writing & ISA 330 Framework
Stop confusing these two core procedures. Practice with detailed scenarios and real exam marking guides.
Ace Your ProceduresPopular posts
Featured product
Featured product
ACCA Books
Get 50% off original BPP & KAPLAN ACCA books. Study smarter, save bigger today!
BPP Online lectures
BPP online lectures at India pricing – under £55/subject. Learn smart, pay less.
Leave a comment