Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / Risk Assessment and Internal Control
Microlesson · 5-min read

SA 330 – Tests of Controls: When to Perform and Determining Extent

## SA 330: Tests of Controls

### When Must the Auditor Test Controls?

Under SA 330, the auditor shall design and perform tests of controls when:

1. The risk assessment includes an expectation that controls are operating effectively — i.e., the auditor plans to rely on controls to reduce the extent of substantive procedures; OR

2. Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.

> Remember: The auditor does not have to test controls in all cases — only when they plan to rely on them or when substantive procedures cannot stand alone.

### Effect of Greater Reliance on Controls

The more the auditor relies on a control's effectiveness, the more persuasive the audit evidence obtained from tests of that control must be.

### When is a Higher Level of Assurance Sought?

A higher assurance about operating effectiveness is sought especially when:

  • The audit approach primarily consists of tests of controls (i.e., control-based approach).
  • It is not possible or practicable to obtain sufficient evidence only from substantive procedures.

### Factors Determining Extent of Tests of Controls

The auditor considers:

FactorReasoning
Frequency of control performance during the periodMore frequent controls require broader testing
Length of time the auditor relies on the controlLonger reliance → more testing needed
Expected rate of deviation from the controlHigher expected deviation → more evidence needed
Relevance and reliability of evidence at the assertion levelHigher stakes → more rigorous testing
Extent of evidence from tests of other related controlsOverlap with other tested controls can reduce individual test extent

Worked example

### Example 1

An auditor intends to rely on automated invoice-matching controls to reduce substantive testing of accounts payable. Since reliance is intended, the auditor must test these controls per SA 330 Condition 1.

Because reliance is high, the auditor must obtain more persuasive evidence — e.g., testing a larger sample of transactions, or testing across all quarters rather than just year-end.

### Example 2

An auditor is auditing related-party transactions. Due to their complex nature, substantive procedures alone cannot cover all assertion risks. Under SA 330 Condition 2, the auditor must perform tests of controls even if not originally planning to rely on them.

When determining the extent of testing for the approval-of-related-party-transactions control:

  • The control is performed monthly → test all 12 months or a representative selection.
  • Expected deviation rate is low → sample size can be moderate.
  • High audit risk at the authorization assertion → evidence must be highly reliable.

⚠️ Common exam mistakes

  • Assuming tests of controls are always mandatory — they are only required when the auditor plans to rely on controls OR when substantive procedures are insufficient alone.
  • Not increasing test extent when placing greater reliance on a control — more reliance demands more persuasive evidence.
  • Confusing 'operating effectiveness' with 'design effectiveness' — SA 330 tests of controls focus on whether controls OPERATE effectively, not just whether they are well-designed.
  • Ignoring the expected rate of deviation — a control that frequently fails needs more extensive testing, not less.
Reference: — SA 330 – The Auditor's Responses to Assessed Risks
← Previous
SA 315 — Activities for Identi
Next →
Tests of Controls – Re-perform
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic