Your Practical Guide to Tests of Controls in Auditing

Think of tests of controls as the auditor's way of kicking the tires on your company's internal control systems. It's one thing to have a security manual that says all doors must be locked at night; it's another thing entirely to go and physically check the locks. That's what auditors do—they don't just take your word for it; they verify that your controls are actually working to prevent errors or catch fraud.

What Are Tests of Controls and Why Do They Really Matter?

An illustration showing a security camera, safe, alarm bell, businessman, and documents connected by dashed lines.

Let's stick with that security analogy. Your company’s internal controls are like a sophisticated security system designed to safeguard your financial data. These are the specific rules and processes you put in place, such as requiring two managers to sign off on any payment over $10,000. Tests of controls are simply the procedures an auditor uses to confirm that system isn't just a blueprint—it's switched on, functioning correctly, and doing its job day in and day out.

The goal here is building confidence. Before auditors can trust the numbers in your financial statements, they first need to trust the processes that produce those numbers. This makes control testing the first line of defense in almost any financial or compliance audit, whether it's for Sarbanes-Oxley (SOX), ISO 27001, or SOC 2.

The Foundation of an Efficient Audit

There's a direct and critical link between how well your controls perform and how the rest of the audit unfolds. When testing shows that your internal controls are solid and reliable, it changes the entire game plan for the auditor.

Reduced Substantive Testing: If your controls work, auditors can rely on them. This means they can dial back the amount of intensive, detailed transaction testing they have to do later.
Lower Audit Costs: Less detailed testing means fewer billable hours from the audit firm. It’s that simple. A smooth control testing phase often leads to a more predictable and affordable audit.
Increased Confidence: Strong controls tell auditors, investors, and regulators that your organization is well-managed and takes risk seriously.

In essence, investing time in your internal controls and preparing for these tests is a strategic move. It demonstrates proactive risk management and paves the way for a smoother, less disruptive audit experience.

On the flip side, if tests of controls find that a control is broken or not being followed, it raises an immediate red flag. The auditor can no longer trust your internal processes to generate accurate data. This forces them to dig much deeper with more extensive procedures to get comfortable with the numbers, which almost always increases the audit's scope, timeline, and cost.

Real-World Stakes of Control Failures

The consequences of failing controls go way beyond just a tougher audit. They expose your business to very real risks. For instance, a weak control over setting up new vendors could open the door to fraudulent payments, hitting your bottom line directly.

In a compliance audit like ISO 27001, a failed access control test might mean sensitive customer data is exposed, creating a risk of a data breach. The stakes are incredibly high, involving everything from financial loss and regulatory penalties to serious, long-term damage to your company's reputation. Effective tests of controls are the mechanism that ensures your foundational safeguards are truly protecting what matters.

Understanding the Three Core Goals of Control Testing

When an auditor starts performing tests of controls, they’re not just mindlessly ticking boxes on a checklist. They're actually on a mission with three very specific goals in mind. Each goal is designed to answer a fundamental question about how your business really operates, day in and day out.

Think of it this way: you have a rule that any company payment over $10,000 needs a sign-off from two separate managers. That's your internal control. An auditor’s job is to see if that rule is actually protecting the company like it’s supposed to. They do this by looking at it from three different angles.

Goal 1: Confirming Design Effectiveness

First, the auditor has to figure out if the control is even designed properly to begin with. Is the idea behind it solid?

For our $10,000 payment example, the question is simple: "Is requiring two signatures a good way to prevent someone from making a large, unauthorized payment?" The auditor will talk to your finance team, read the documented procedure, and use their professional judgment. If they find a loophole—like one manager being able to approve for the other—the design is flawed. It doesn't matter if people follow a broken process perfectly; a poorly designed control is ineffective from the start.

Goal 2: Verifying Consistent Application

Next up is consistency. It's great that you have a two-signature rule on paper, but is it being followed every single time? A rule that’s only followed sometimes is no rule at all in an auditor’s eyes.

This is where the real testing begins. The auditor will grab a sample of payments over $10,000 made throughout the year. They’ll then dig into the paperwork for each one, looking for proof of two distinct manager approvals. If they find even a couple of payments that slipped through with only one signature, that’s a red flag. The control isn't being applied consistently.

A control that is only followed 95% of the time is considered ineffective from an audit perspective. Consistency isn't about trying your best; it's about reliable, repeatable execution.

Goal 3: Establishing Continuity Over Time

Finally, the auditor needs to know that the control wasn't just a flavor of the month. It has to have been working continuously throughout the entire audit period. A control that was rock-solid in January but completely forgotten by December is not a reliable one.

This is why auditors don't just pull their samples from a single week or month. They’ll intentionally select transactions from the beginning, middle, and end of the year. Testing payments from March, July, and November gives them confidence that the two-signature rule was an embedded part of your operations all year long. This is a critical piece of a strong audit risk assessment, as it proves your defenses were up for the entire financial period.

Nailing these three pillars—effective design, consistent application, and continuity over time—is the key to passing any audit with flying colors.

The Different Types of Controls Auditors Will Test

A diagram illustrating the hierarchical relationship between IT general, application, and manual controls.

When an auditor starts a test of controls, they’re not just looking at one specific thing. They’re really examining a layered defense system that your organization has built to protect its assets and keep its data accurate. It's a lot like securing a high-tech facility: you have guards at the main gate, keycard locks on individual labs, and a lab manager who personally signs off on sensitive experiments. Each layer has a distinct job.

In the audit world, these layers are sorted into different types of controls. Getting a handle on these categories is key because it tells you exactly what auditors are looking for and how all your safeguards are meant to work together. The three main players here are General IT Controls (ITGCs), Application Controls, and Manual Controls.

General IT Controls: The Foundation of Your Tech Environment

First up are General IT Controls, or ITGCs. Think of these as the foundational policies and procedures that apply to your entire technology ecosystem. They aren't tied to a single business process; instead, they create a stable and secure environment for all your applications and systems to live in. Going back to our facility analogy, ITGCs are the perimeter fence, the security guards, and the universal access policies for the whole campus.

These controls are the absolute bedrock of your information security. If your ITGCs are weak, it throws the reliability of every single piece of software running on top of them into question. That's why auditors spend so much time here—a failure at this level can have a domino effect across the entire organization.

Auditors commonly test ITGCs like:

Access Controls: How are user accounts created, modified, and, most importantly, deleted? Auditors love to check if a terminated employee's access was revoked immediately.
Change Management: What's the formal process for updating applications or infrastructure? An auditor will dig through change logs to make sure every modification was properly approved and tested before going live.
Data Center and Network Operations: This covers everything from physical security at data centers to data backup procedures and disaster recovery plans.

The importance of these foundational controls is reflected in frameworks like ISO 27001. Rigorously testing these controls is non-negotiable for achieving and maintaining certification.

Application Controls: Safeguards Built into Your Software

Where ITGCs are broad, Application Controls are hyper-specific. These are the safeguards built directly into your software applications to make sure data is handled correctly from start to finish. If ITGCs are the facility's main security, then application controls are the smart locks on the doors to sensitive rooms, like the accounting department's server room.

These controls are typically automated and designed to ensure the data being processed is complete, accurate, and valid. For instance, your accounting software might have an application control that physically prevents a user from entering a duplicate invoice number, stopping a potential overpayment in its tracks.

Auditors test these by checking the software's configuration and watching the control in action. Other common examples include:

Input Validations: A new user signup form that rejects a password if it doesn’t meet specific complexity requirements.
Automated Calculations: A payroll system that automatically calculates overtime pay based on preset rules, taking human error out of the equation.
Sequential Numbering: A sales system that assigns a unique, sequential number to every invoice, making it easy to spot if one goes missing.

Manual Controls: The Human Element of Oversight

Finally, we have Manual Controls. These are the procedures performed by actual people, completely outside of an IT system. This is the human layer of review and verification. In our facility analogy, this is the finance director who physically reviews and signs a stack of printed checks before they get mailed.

These controls are essential in situations that require professional judgment or where automation just isn't practical. The flip side is that, because they rely on people, they are often seen as more susceptible to error or being overridden. To test a manual control, an auditor will look for physical evidence—like a signature or an approval stamp on a report—and will often interview the person responsible for performing it.

This is a huge deal for regulations like SOX, which puts a lot of weight on management review controls. Even as tech advances, the need for robust manual checks isn't going away. The ISO 27001 certification market growth, projected to hit $74.56 billion by 2035, is partly driven by the need to validate a healthy mix of all control types, including the 37 organizational controls that frequently rely on manual processes.

Comparison of Control Types: ITGC vs Application vs Manual

To make these distinctions clearer, here's a side-by-side look at the three types of controls.

Control Type	Scope	Purpose	Example	Common Testing Method
General IT Controls (ITGCs)	Entity-wide, across all systems and networks.	Establish a reliable and secure IT environment.	Terminating an ex-employee's system access within 24 hours.	Inspecting system logs and HR records.
Application Controls	Specific to a single software or application.	Ensure completeness, accuracy, and validity of data processing.	An ERP system preventing the entry of duplicate invoice numbers.	Attempting to enter a duplicate and confirming the system rejects it.
Manual Controls	A specific business process, performed by a person.	Provide human oversight, judgment, and review where automation is not feasible.	A department manager reviewing and signing monthly expense reports.	Inspecting signed reports and inquiring with the manager.

Understanding where each control fits helps everyone—from IT managers to auditors—ensure that the organization’s defenses are strong at every level.

Tests of Controls Versus Substantive Testing

If you’re new to the world of audit, it can feel like you’re learning a whole new language. Two terms that often trip people up are “tests of controls” and “substantive testing.” They might sound alike, but they have completely different jobs. Getting the distinction right is key to understanding an auditor's entire game plan.

Let's break it down with an analogy. Imagine a master chef baking a cake for a major competition.

A test of controls is like the chef checking the oven's temperature gauge while the cake is baking. Is it holding steady at the 350°F the recipe demands? This step doesn't involve tasting the cake; it’s all about making sure the process is working as it should.
Substantive testing is the moment of truth: the chef cuts a slice and tastes it. Is the cake actually good? Is it moist, flavorful, and cooked through? This step ignores the oven dial and focuses entirely on the quality of the final product.

In an audit, tests of controls answer the question, “Are the company’s internal processes reliable?” Substantive testing, on the other hand, asks, “Are the final numbers in the financial statements correct?”

How Control Strength Dictates the Audit Strategy

The relationship between these two tests isn't just academic; it’s the strategic core of any modern, risk-based audit. What an auditor finds during control testing directly influences how much, when, and what kind of substantive work they'll need to do later.

When tests show that your internal controls are strong and consistently followed, it tells the auditor they can place a certain level of trust in your company’s processes. This trust translates to a low assessment of control risk, which in turn allows the auditor to scale back their detailed substantive testing. After all, why taste-test every single cupcake if you've already proven the oven works perfectly?

But what happens if control testing reveals weaknesses? Maybe approvals are regularly skipped, or access reviews aren't being done on time. The auditor can no longer rely on your internal processes to catch errors. This high assessment of control risk forces them to dig deeper with more extensive substantive testing. They now have to do the painstaking work of "tasting" a much larger sample of transactions to get comfortable with the final numbers.

A strong control environment isn't just about good governance—it's a strategic advantage that makes your audit more efficient and less disruptive. Weak controls almost guarantee a more intense and expensive examination.

The Key Differences in a Nutshell

To keep it simple, just remember that these two procedures look at different things at different stages of the audit.

Purpose: Tests of controls check the effectiveness of a process, while substantive testing validates the accuracy of an outcome.
Timing: Tests of controls nearly always happen before substantive testing. Their results determine how much substantive work is even needed.
Evidence: A control test looks for proof that a process was followed (like a manager's signature on a report). A substantive test looks for actual dollar-value errors in the data (like an invoice with the wrong amount).

Ultimately, both are indispensable tools for an auditor. They work together to build a complete picture of a company’s financial health—one checks the recipe, and the other tastes the cake. This two-pronged approach ensures the final opinion on the financial statements is built on a solid, reliable foundation.

How Auditors Design and Perform Tests of Controls

When an auditor walks through your door to perform tests of controls, they aren't just winging it. Their approach is a structured, methodical process designed to efficiently gather solid evidence about the health of your internal processes.

Think of them as a home inspector. They don't just glance at the house; they use a specific set of tools and techniques to check the foundation, wiring, and plumbing. Each test is chosen for a specific purpose, and the same is true in an audit.

To get the job done, auditors lean on four core techniques. They often use these in combination to build a complete picture of how a control is designed and, more importantly, how well it actually works in the real world.

The Four Core Testing Techniques

The auditor's toolkit is straightforward but incredibly effective. Each technique provides a different kind of evidence, moving from understanding a process in theory to proving it works in practice.

Inquiry: This is where it all starts—a simple conversation. The auditor asks your team members to explain how a control works. For example, they might ask a payroll manager, "Can you walk me through the process for approving overtime hours?" Inquiry is a great first step, but it only confirms how a process is supposed to work, not how it actually does.
Observation: The next step is to see the control in action. An auditor might watch an employee physically swipe their keycard to enter a secure server room. Or they could observe the finance team performing the monthly bank reconciliation. Observation provides proof that a control is being performed at a specific moment in time.
Inspection: This is where the paper trail (or digital trail) becomes critical. Inspection involves examining documents, records, and system logs for evidence that a control was executed. An auditor will inspect signed expense reports, review system access logs, or examine change management tickets to find the required approvals. This technique gives them tangible proof.
Re-performance: As the most rigorous technique, re-performance involves the auditor independently executing the control themselves to see if they get the same result. For instance, an auditor might re-calculate the depreciation on a fixed asset to verify the company's automated calculation is correct. This provides the highest level of assurance that a control is truly effective.

This visual shows how tests of controls fit into the bigger picture, acting as a gateway to the more detailed substantive testing phase of an audit.

Flowchart illustrating audit procedures: tests of controls versus substantive testing leading to audit opinion.

The flowchart makes it clear: control testing is the initial gate. If controls are strong, the rest of the audit can be more streamlined. If they're weak, much more extensive work is needed.

The Art and Science of Audit Sampling

It’s completely unrealistic for an auditor to inspect every single transaction a company processes in a year. Instead, they use a technique called audit sampling to select a representative handful of items to test.

The whole point is to draw a reliable conclusion about an entire population of transactions based on the results from that much smaller sample. Deciding on the right sample size isn't a guess—it's a calculated decision based on several key factors:

Confidence Level: How certain does the auditor need to be? A higher confidence level means a larger sample.
Tolerable Deviation Rate: What is the maximum failure rate the auditor is willing to accept before calling the control ineffective? A lower tolerance requires a bigger sample.
Expected Deviation Rate: Based on past audits or initial walkthroughs, how often does the auditor expect the control to fail? A higher expected failure rate also drives the sample size up.

For a critical financial control, an auditor might test a sample of 60 items. If they find zero errors, they can conclude with a high degree of confidence that the control is working effectively across the board. Our comprehensive audit readiness checklist offers more detail on how to prepare for these sampling procedures.

Documenting Every Step of the Way

The final, non-negotiable part of performing tests of controls is documentation. In the world of auditing, if it isn’t documented, it didn’t happen.

Auditors maintain meticulous workpapers that detail everything:

The specific control being tested
The testing method used (inquiry, observation, etc.)
The sample size and how it was selected
The evidence examined (e.g., invoice numbers, report dates)
The results of the test and the final conclusion

This rigorous documentation creates a clear, defensible trail that supports the auditor's final opinion. The explosive growth in ISO 27001 certifications—with China alone holding over 295,000 certificates—underscores the global demand for well-documented control testing.

Auditors report that thorough control testing, which requires deep inspection of evidence, can reduce audit failures by up to 40%, a pattern confirmed in annual surveillance audits.

Automating Evidence Discovery for Smarter Audits

Let's be honest: manual control testing can be a soul-crushing grind. The traditional approach is slow, frustratingly manual, and a magnet for human error. It often leaves audit teams buried under a mountain of paperwork and endless digital files. But there's a modern approach that completely flips the script on the evidence-gathering process.

We'll look at how AI-powered platforms are built to cut out the most tedious part of control testing: the inspection phase. Instead of auditors having to manually hunt through hundreds of policy documents, system logs, and security reports, there’s a much smarter way to get the job done.

From Manual Scavenger Hunt to Automated Analysis

Think about the old way of performing tests of controls. An auditor asks for a huge pile of evidence. Then, they spend days—sometimes weeks—just reading through everything, highlighting key sections, and trying to manually map each piece of proof back to a specific control in a massive spreadsheet. It’s an inefficient scavenger hunt for information, plain and simple.

This is where automated evidence discovery completely changes the game. With an AI platform, you can upload all your documentation at once—every policy, procedure, report, and log. From there, the system takes over the heavy lifting.

An AI agent reads and actually understands the content of every file. It intelligently maps each piece of evidence to the right controls from your chosen framework, whether that's ISO 27001 or SOX. In an instant, you get an organized, audit-ready trail with direct links right back to the source document.

This shift turns the audit from a document-chasing exercise into a strategic review. When evidence discovery is automated, auditors can spend their valuable time analyzing the strength of your controls, not just looking for paperwork.

Instantly Identifying Gaps and Weaknesses

One of the biggest wins with this approach is seeing what’s missing, right away. The AI doesn't just find what's there; it shines a spotlight on what isn't.

Spot Gaps Instantly: The system immediately flags controls that don’t have enough supporting evidence. This shows you exactly where your documentation is weak before an auditor even starts their detailed review.
Fix Problems Faster: By pinpointing these gaps early, your team can jump into action to gather the missing info or improve the underlying process, making you far more prepared for the audit.
Lower Your Audit Risk: This proactive approach cuts down on the chances of control failures and avoids the costly substantive testing that follows. You get a clear, near real-time picture of where you stand.

For example, this is how an AI-powered platform can present an analysis, instantly showing which areas are covered and which have gaps.

The screenshot shows how evidence is automatically linked to specific requirements, giving you a clear and verifiable audit trail that makes the review process much smoother.

The Future of Efficient Compliance

Automating evidence discovery makes your tests of controls faster, far more accurate, and a whole lot less disruptive to your team's daily work. It frees everyone from the administrative headache of evidence collection, so they can focus on what really matters: designing and strengthening the controls that protect your organization.

This method is a perfect match for complex frameworks that demand extensive documentation. For instance, successfully navigating comprehensive ISO 27001 audits is much more achievable when the evidence-mapping is handled for you. This technology doesn't just make audits easier; it makes them more effective, building a stronger foundation for your entire governance, risk, and compliance program.

Common Questions About Tests of Controls

When you're in the trenches of an audit, theory goes out the window and practical questions pop up. Let's tackle some of the most common scenarios you'll likely face during control testing.

What Happens If a Test of Controls Fails?

First off, don't panic. A failed test of controls simply means a process you thought was working reliably isn't. The auditor will flag this as a "control deficiency."

Their immediate next step is to figure out how serious the failure is. Is it a minor hiccup or a major weakness that could let material errors slip through? Based on that judgment, they'll have to increase their substantive testing. Since they can't trust the broken control, they need to dig deeper into the actual transactions to make sure the final numbers are correct. You'll get a formal finding with a recommendation, which is your cue to fix the underlying process.

Can Auditors Rely on Last Year's Test Results?

Sometimes, but it’s the exception, not the rule. If a control is fully automated and has seen zero changes since the last audit, an auditor might be able to "benchmark" it. This means they confirm nothing in the system has been altered and can then rely on prior evidence.

This shortcut never applies to manual controls, though. Anything involving human action has to be re-tested every single year because people and processes can change. And if you've had any significant system or process updates, all bets are off—auditors will need to perform fresh tests from scratch.

How Do You Test a Control That Leaves No Paper Trail?

This is a great question. Many of the most critical controls are preventative and don't generate a neat log file. Think about a locked door to a data center—its job is to stop unauthorized people from getting in, so there’s no "paper trail" of the attempts it blocked.

In these situations, auditors get creative and use a mix of methods:

Observation: They might physically watch an employee swipe a keycard to see if the process works as described.
Inquiry: They'll sit down with managers and ask detailed questions about how access rights are approved, who reviews them, and how they’re revoked when someone leaves.

By combining what they see with what they're told, auditors can piece together enough evidence to feel confident the control is working, even without a traditional audit trail.

Ready to stop the manual scavenger hunt for evidence? AI Gap Analysis automates the tedious work of mapping your documents to compliance controls. It instantly shows you where the gaps are so you can fix them long before the auditors arrive. Learn how AI Gap Analysis can accelerate your next audit.