## Tests of Control and Evaluation of Control Risk

### What Are Tests of Control?

Tests of control are audit procedures performed to evaluate whether internal controls are designed appropriately and operating effectively throughout the period.

### The Evaluation Process

#### Step 1 — Compare Results to Preliminary Assessment

After performing tests of control, the auditor evaluates:

Are the controls designed as expected?
Are they operating as contemplated in the preliminary assessment of control risk?

#### Step 2 — Evaluate Deviations

If deviations are found, the auditor must decide whether:

The assessed level of control risk needs to be revised upward (controls weaker than assumed)
The preliminary assessment remains valid

#### Step 3 — Modify Substantive Procedures (if needed)

If control risk is revised upward, the auditor modifies the nature, timing, and extent of planned substantive procedures:

Dimension	How it Changes When Control Risk Rises
Nature	More reliable/persuasive procedures (e.g., external confirmations instead of internal docs)
Timing	Perform closer to year-end rather than interim
Extent	Increase sample sizes

### Key Principle

> The objective of tests of control is to confirm or revise the auditor's initial risk assessment — not to independently detect misstatements. That is the job of substantive procedures.

Worked example

### Example 1

Example — Revising Control Risk Upward:

An auditor initially assesses control risk as LOW for the purchases cycle, assuming purchase orders always require two approvals. During tests of control, 15% of sampled purchase orders show only one approval. The auditor concludes controls are NOT operating as assumed, revises control risk to MODERATE/HIGH, and responds by:

Increasing the sample size for substantive tests of purchase transactions
Performing cut-off tests at year-end rather than at an interim date
Requesting external supplier confirmations instead of relying on internal records

### Example 2

Example — No Revision Needed:

An auditor tests bank reconciliation controls and finds only 1 exception in a sample of 50 (2% deviation rate, below the tolerable rate of 5%). The preliminary assessment of LOW control risk is confirmed. Planned substantive procedures remain unchanged.

⚠️ Common exam mistakes

Confusing tests of control (do controls work?) with substantive procedures (are balances correct?) — they have different objectives
Forgetting that a REVISION of control risk must always flow through to a modification of substantive procedures — you cannot revise risk upward and leave the audit plan unchanged
Assuming that zero deviations in the sample means zero risk — controls could still fail outside the sample period

Reference:

Now that you've read this — what's next?

Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.

🔥 Drill 5 Qs on this → ✍️ Adaptive practice →