
SA 330 — Tests of Controls (ToC): Extent, Design, Timing, Prior Audit Evidence, Deviations

## Tests of Controls (ToC) under SA 330

### What Are Tests of Controls?

Procedures performed to evaluate the operating effectiveness of controls in preventing, detecting, or correcting material misstatements at the assertion level.

---

### 1. Extent of ToC

Factors that determine how much ToC to perform:

| Factor | Explanation |
|---|---|
| Frequency of the control | How often the control operates during the period |
| Length of reliance period | How long the auditor plans to rely on that control |
| Expected rate of deviation | Higher expected deviation → more testing needed |
| Relevance and reliability of evidence | Quality of audit evidence obtainable |
| Evidence from other related controls | ToC of one control may reduce testing of another |

---

### 2. Designing and Performing ToC

Two requirements:

Requirement 1 — Combine inquiry with other procedures:

| Procedure Combination | Assurance Level | Note |
|---|---|---|
| Inquiry alone | Insufficient — never adequate on its own | |
| Inquiry + Observation | Moderate | Observation is pertinent only at the point in time made |
| Inquiry + Inspection or Reperformance | Higher | Preferred combination |

> Key rule: Inquiry alone is NOT sufficient to test the operating effectiveness of controls.

Requirement 2 — Test indirect controls:

If the control being tested depends on another control (an indirect control), the auditor must determine whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls.

---

### 3. Timing of ToC

  • Test controls for the specific time or throughout the period for which the auditor intends to rely on them
  • Point-in-time evidence may suffice when the control is point-in-time by nature (e.g., physical inventory count at year-end)
  • Period-based reliance requires testing that shows the control operated effectively at relevant times throughout the period — may include tests of the entity's own monitoring of controls

---

### 4. Using Audit Evidence from Previous Audits

Before relying on prior-year ToC evidence, consider:

| Factor | Consideration |
|---|---|
| Control environment & monitoring | Has the overall control culture changed? |
| Manual vs automated control | Automated controls change less; manual controls are more susceptible to human variation |
| General IT controls | If IT controls are weak, automated application controls may not be reliable |
| Personnel changes | New staff applying the same control may do so differently |
| Changing circumstances | An unchanged control may pose new risk in changed conditions |
| Risk of MM and extent of reliance | Higher reliance on control = cannot wait too long before retesting |

---

### 5. When Deviations from Controls Are Detected

If deviations are found in controls the auditor intended to rely on, the auditor must:

1. Make specific inquiries to understand the deviation and its potential consequences

2. Determine which of the following applies:

  • (a) The ToC performed still provides an appropriate basis for reliance
  • (b) Additional ToC is necessary
  • (c) The risk of misstatement must be addressed using substantive procedures

Worked example

### Example 1

Invoice Approval Control — Designing ToC: A company requires a manager's signature on all purchase invoices above ₹1 lakh. The auditor wants to rely on this control throughout the year. The auditor: (i) inquires of the manager about how the control works, (ii) selects a sample of 30 invoices spread across all 12 months and inspects each for the manager's signature, and (iii) reperforms the check on 5 invoices by independently verifying amounts against approved purchase orders. This combines inquiry + inspection + reperformance — the highest assurance combination.

### Example 2

Deviation Response: During ToC testing of bank reconciliations (control = finance manager review and sign-off monthly), the auditor finds 3 of 25 reconciliations have no manager sign-off. The auditor must: make specific inquiries (e.g., manager was on leave; no backup), assess whether the control can still be relied upon for those months (unlikely), consider whether additional ToC covers the gap (probably not), and accordingly increase substantive procedures — more detailed testing of the bank balance and related ledger entries for those months.

### Example 3

Timing — Inventory Count Control: A company counts inventory on 31st March. The auditor needs to test the control over physical counting only at that point in time (not throughout the year), so point-in-time evidence from attending the count is sufficient.

⚠️ Common exam mistakes

  • Believing that management inquiry alone is sufficient to conclude controls are operating effectively — SA 330 explicitly prohibits this
  • Testing controls only at one point in time (e.g., year-end) when the auditor intends to rely on them throughout the whole year
  • Rolling forward prior-year ToC evidence without considering changes in personnel, IT systems, or the control environment
  • Ignoring indirect controls — if Control A depends on Control B working, failing to test B undermines reliance on A
  • When deviations are found, simply noting them without taking the required three-step decision: assess reliance, consider additional ToC, and adjust substantive procedures

Bare-Act text: Tests of Controls — Extent, Timing, Prior Audit Evidence, and Deviations · SA 330 — The Auditor's Responses to Assessed Risks (ICAI)

In designing and performing tests of controls, the auditor shall: (1) Perform other audit procedures in combination with inquiry to obtain audit evidence about the operating effectiveness of the controls, including: how the controls were applied at relevant times during the period under audit; the consistency with which they were applied; by whom or by what means they were applied. (2) Determine whether the controls to be tested depend upon other controls (indirect controls), and if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls.

The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls in order to provide an appropriate basis for the auditor's intended reliance.

When deviations from controls upon which the auditor intends to rely are detected, the auditor shall make specific inquiries to understand these matters and their potential consequences, and shall determine whether: (a) the tests of controls that have been performed provide an appropriate basis for reliance on the controls; (b) additional tests of controls are necessary; or (c) the potential risks of misstatement need to be addressed using substantive procedures.