Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / Audit Concepts / SAs
Microlesson · 5-min read

SA-330: Auditor's Responses — Test of Controls and Substantive Procedures

## SA-330: Auditor's Responses to Assessed Risks

Two main categories of further audit procedures (FAP):

---

### 1. Test of Controls (TOC)

What: Evaluate the design, implementation, and effectiveness of internal controls to prevent, detect, and correct misstatements.

Why perform TOC?

  • To determine the NTE of substantive procedures
  • Because substantive procedures alone cannot always provide sufficient and appropriate (S&A) evidence

When to perform TOC?

  • Throughout the audit — to examine controls at all relevant times
  • At a specific point in time — e.g., physical verification of inventory on the balance sheet date

---

#### Methods of TOC

MethodNotes
InquiryCannot be performed alone — must be combined
InspectionCombined with inquiry
Re-performanceCombined with inquiry
ObservationCombined with inquiry → provides higher assurance

> Key Rule: Inquiry + Observation = highest assurance combination.

---

#### Designing TOC — Auditor Shall:

a. Perform other procedures in combination with inquiry:

  • How controls are applied
  • By whom they are applied
  • By what means
  • Consistency of application

b. Check indirect controls as well

---

#### When Deviation Is Detected:

1. Determine whether to rely on TOC

2. Determine whether additional TOC must be performed

3. Assess whether substantive procedures can address the identified risk

#### To Obtain More Persuasive Evidence:

  • Increase the extent of checking (larger sample or more items)

---

#### Experience from Previous Audit:

Prior audit experience informs assessment of:

  • Effectiveness of control environment, entity's RAP, monitoring
  • Effectiveness of general IT controls
  • Effectiveness of control application by the entity
  • RMM and risk arising from characteristics of controls
  • Risk due to lack of change in controls despite changed circumstances

---

#### When Substantive Procedures Do Not Provide S&A Evidence:

  • Auditor must obtain higher assurance on the effectiveness of internal controls

---

### 2. Substantive Procedures

What: Audit procedures to detect material misstatements at the assertion level.

#### Types:

TypeSub-typeExample
Test of DetailsTransactions (Vouching)Check purchase invoice, credit note
Test of DetailsBalances (Verification)Physical verification of PPE; obtain valuation report
Substantive ARPAnalytical Review Procedures

Best approach: Combination of Test of Details + Substantive ARP = most responsive to assessed risk.

---

#### Why Perform Substantive Procedures?

  • TOC requires auditor judgment and can be imprecise
  • Internal controls have inherent limitations (cannot be 100% relied upon)

---

#### Key Relationships:

SituationConsequence
TOC results are unsatisfactoryIncrease extent of substantive procedures
Material misstatement detected during substantive proceduresStrong indicator of significant deficiency in ICS

---

### TOC vs. Substantive — Comparison

AspectTest of ControlsSubstantive Procedures
FocusOperating effectiveness of controlsDetection of material misstatements
TimingThroughout audit / specific pointAfter risk assessment
MethodsInquiry, Inspection, Re-performance, ObservationVouching, Verification, ARP
Can replace the other?No — both requiredNo — both required

Worked example

### Example 1

During TOC on purchase authorization, the auditor inquires with the accounts payable manager about how purchase orders are approved (inquiry). The auditor then reviews a sample of 30 purchase orders to check for proper authorization signatures (inspection). Inquiry alone would not be sufficient under SA-330 — the combination of inquiry + inspection provides adequate TOC evidence about this control.

### Example 2

An auditor performs TOC on the inventory count process at year-end. Deviations are found in 3 out of 25 items tested (12% deviation rate — high). The auditor must determine: (a) whether the inventory count control can still be relied upon (likely no), (b) whether additional TOC on a larger sample is warranted, and (c) whether increased substantive procedures (e.g., extended testing of inventory quantities and pricing) are needed.

### Example 3

For a company with robust IT-based controls over revenue recognition (access controls, automated matching of sales orders to invoices), the auditor performs TOC throughout the year. Upon finding controls effective, the auditor reduces the extent of detailed transaction testing. This demonstrates how strong TOC results reduce the NTE of substantive procedures — the central purpose of performing TOC.

⚠️ Common exam mistakes

  • Performing only inquiry as TOC and treating it as complete — inquiry must always be combined with at least one other method
  • Confusing Test of Details for transactions (vouching) with Test of Details for balances (verification) — vouching checks transaction records; verification checks account balances
  • Believing that effective TOC can eliminate the need for substantive procedures — SA-330 requires substantive procedures for all material items regardless of TOC results
  • Forgetting that a material misstatement found during substantive procedures is a strong indicator of a significant deficiency in ICS — this link is a common exam point
  • Not increasing substantive procedures when TOC results are unsatisfactory — the inverse relationship between TOC reliability and extent of substantive procedures is mandatory, not optional
Reference: — SA 330
← Previous
SA-320: Materiality in Plannin
Next →
SA-450: Evaluation of Misstate
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic