Substantive testing: Key definitions, goals, and best practices

Key Takeaway: Substantive testing detects material misstatements at the assertion level using analytical procedures and tests of details. PCAOB inspections in 2024 still flag substantive deficiencies in revenue, allowance for credit losses, and fair value, with the overall Part I.A rate at 39%. New standards AS 1000, AS 2310, and ISA 240 (Revised) reshape how teams document, confirm, and use technology in substantive procedures.

Substantive testing is the audit work that directly detects material misstatements in financial statements — distinct from controls testing, which evaluates whether internal controls operate effectively. Under PCAOB AS 2301 and ISA 330, auditors design substantive procedures (also called substantive audit procedures) to respond to risks of material misstatement at the assertion level, regardless of how strong an entity's controls appear.

What is substantive testing?

Substantive testing refers to the detailed procedures auditors use during an engagement to obtain evidence that financial statements are presented fairly and accurately. Also called substantive procedures or substantive audit procedures, this work verifies that account balances, transactions, and disclosures are free from material misstatement. It differs from tests of controls, which evaluate the operating effectiveness of internal controls rather than the accuracy of accounting records.

Substantive procedures address significant risks identified during planning and surface errors in the accounting records themselves. Under the International Standards on Auditing (ISA) and PCAOB auditing standards, substantive testing falls into two categories: substantive analytical procedures and tests of details.

How substantive procedures map to financial statement assertions

Substantive procedures are designed to respond to risks of material misstatement at the assertion level, not just the account level. The relevant assertions are existence/occurrence, completeness, accuracy/valuation, rights and obligations, cutoff, and presentation/disclosure. For example, testing accounts receivable existence typically requires positive confirmations, while testing completeness requires a search for unrecorded receivables (subsequent cash receipts, shipping logs near year-end). Weak assertion mapping is a recurring PCAOB inspection findings theme, especially for revenue and allowance for credit losses.

Types of substantive testing

The two primary categories of substantive tests sit at different points on the evidence spectrum:

1. Substantive analytical procedures: Compare current financial data to prior periods, forecasts, budgets, or industry data to identify anomalies. Per PCAOB AS 2305, expectations must be precise enough to identify a material misstatement. These procedures are typically efficient for large, predictable populations like payroll or rent expense.
2. Tests of details: Verify individual transactions, balances, and disclosures by inspecting source documents, confirming amounts with third parties, recalculating, or vouching/tracing entries. Tests of details are required for higher-risk, less predictable accounts when analytical evidence alone cannot reduce risk to an acceptable level.

Seven common substantive audit procedures

Under ISA 500 and AU-C 500, auditors draw from seven recognized procedure types, often paired with inquiry (which alone is rarely sufficient):

• Inspection of records or documents — examining source documents, contracts, or accounting records.
• Inspection of tangible assets — physically observing inventory or fixed assets.
• Observation — watching a process or procedure being performed.
• External confirmation — obtaining written responses from third parties (banks, customers, legal counsel).
• Recalculation — verifying the mathematical accuracy of documents or records.
• Reperformance — independently executing procedures originally performed as part of the entity's controls.
• Analytical procedures — evaluating financial information through plausible relationships.

External confirmations and reperformance typically produce the strongest evidence; inquiry and observation are corroborative.

What is the goal of substantive testing?

The goal of substantive testing is to obtain sufficient appropriate audit evidence to support the auditor's opinion on whether the financial statements are free from material misstatement. Specific objectives include:

• Detecting material misstatements: Identify errors or fraud that would distort financial reporting at the assertion or financial statement level.
• Providing assurance on financial information: Give investors, creditors, regulators, and management confidence in the accuracy and completeness of reported numbers.
• Evaluating the reliability of internal controls: Surface patterns of error or irregularity that may indicate control design or operating effectiveness weaknesses requiring remediation.
• Supporting the audit opinion: Build the evidence base for an independent opinion on whether the financial statements are fairly presented in accordance with the applicable reporting framework.

What are best practices for substantive testing?

Effective substantive testing requires a methodical, risk-based auditing approach. The practices below align with PCAOB AS 2301, ISA 330, and current inspection expectations.

Planning and risk assessment

1. Understand the entity and its environment: Develop a working knowledge of the client's industry, business model, and internal control environment. Pay particular attention to subjective measurements, regulatory interpretations, and complex or unusual transactions where the risk of material misstatement is higher.
2. Perform risk assessment procedures: Assess risks of material misstatement at both the assertion and financial statement levels. This assessment drives the nature, timing, and extent of substantive procedures and should be updated when market conditions or control weaknesses shift.
3. Incorporate prior findings: Use prior-year findings from external auditors, internal audit, second line, or management's own monitoring to inform where substantive tests of details will have the most impact.

Designing substantive procedures

1. Tailor procedures to risks: Match procedure intensity to the assessed risk. Higher-risk areas — significant accounts, fraud risk areas, complex estimates — warrant more substantive work; lower-risk areas need less.
2. Use a mix of analytical procedures and tests of details: Combine the two to obtain more comprehensive evidence. Introduce unpredictability — varying nature, timing, or extent year over year — to respond to fraud risks (a focus area of ISA 240 (Revised), effective for periods beginning on or after December 15, 2026).
3. Select appropriate sample sizes and sampling methods: Choose between statistical sampling (most commonly monetary unit sampling, or MUS, for tests of details on AR or inventory) and non-statistical sampling based on population, tolerable misstatement, and expected misstatement. MUS works well for populations with low expected error rates; classical variables sampling is used when more misstatements are expected. Increasingly, technology-assisted analysis (TAA) lets auditors test entire populations — a shift the PCAOB has explicitly supported.

Performing substantive procedures

1. Apply professional skepticism: Maintain a questioning mindset and evaluate critically all evidence obtained from journal entries, source documents, and underlying records. Where possible, obtain third-party confirmations or independent sources to validate completeness and accuracy.
2. Document procedures and findings: Record what was tested, how it was tested, and what was found. Under PCAOB AS 1000, audit documentation standards require the final audit file to be assembled within 14 days of the report release date — effective for fiscal years beginning on or after December 15, 2024 for firms auditing more than 100 issuers, and December 15, 2025 for all other registered firms.
3. Follow up on exceptions: Investigate every exception or discrepancy to determine root cause, evaluate magnitude, and assess the impact on the financial statements.

Reviewing and concluding

1. Evaluate the sufficiency and appropriateness of evidence: Sufficiency addresses quantity; appropriateness addresses relevance and reliability. Reliability is highest when evidence comes from independent external sources, is generated by effective controls, or is obtained directly by the auditor. A large volume of low-reliability evidence does not substitute for a smaller amount of high-reliability evidence.
2. Conclude on the accuracy of financial statements: Determine whether the financial statements are presented fairly in accordance with the applicable reporting framework.
3. Communicate findings: Brief management and those charged with governance on issues identified and the implications for internal controls and significant risks.

Substantive testing vs. control testing: What's the difference?

The audit process combines two complementary types of work. Control testing evaluates whether internal controls operate effectively; substantive testing directly verifies the accuracy and completeness of financial information. The relationship is inverse — strong, effective controls reduce the extent of substantive procedures required, while weak or untested controls increase it.

Even when controls are highly effective, substantive procedures cannot be eliminated entirely — PCAOB AS 2301 requires substantive work for all relevant assertions of each material class of transactions, account balance, and disclosure.

Reducing misstatements with technology and data analytics

Auditors increasingly rely on technology to extend coverage and reduce manual error in substantive procedures. According to a 2025 Center for Audit Quality survey, 45% of institutional investors view AI-enhanced risk assessment as a key benefit of integrating AI into audits. The PCAOB has also signaled support for Technology-Assisted Analysis (TAA) amendments, encouraging full-population testing where feasible.

1. Automated data extraction: Pulls data directly from source systems, reducing manual entry error and providing systematic checks on completeness and accuracy of inputs used in substantive testing.
2. Advanced data analytics: Lets auditors analyze full populations rather than samples, refocusing effort on anomalies and trends that may indicate misstatement.
3. Continuous monitoring: Real-time analysis surfaces transaction-level anomalies earlier, narrowing the window between event and detection.
4. AI and machine learning: Detects intricate patterns and exceptions traditional methods miss, supporting fraud detection in line with ISA 240 (Revised) expectations for technology-aware procedures.
5. Blockchain: Distributed-ledger evidence supports transaction integrity and reduces misstatement risk in scope-eligible processes.
6. Cloud-based audit platforms: Enable secure collaboration and real-time access to financial data across the engagement team.
7. Digital documentation and workflow automation: Captures every substantive testing step in a reviewable record — increasingly necessary given the 14-day documentation completion rule under AS 1000.

When auditors deploy these tools, they must still document how the tool was used, validate the completeness and accuracy of input data, and ensure the analysis produces sufficient appropriate evidence at the assertion level.

Elevate your SOX program

Keeping pace with the changing auditing landscape requires management to adopt technology that supports compliance, improves audit quality, and reduces human error. Optro's centralized platform automates audit workflows, connects critical data, and provides real-time visibility into status. Handle SOX compliance from a single location for documenting controls, testing them, tracking deficiencies, and managing timely remediation.

By using technology built for SOX teams, organizations can reduce the errors that lead to material misstatements and improve accuracy in financial reporting. See how Optro's SOX management solution can streamline audit procedures and help your team meet requirements in today's regulatory climate.

Frequently asked questions

What is the difference between substantive analytical procedures and tests of details?

Substantive analytical procedures use expected relationships among financial and non-financial data — ratios, trend analysis, regression against forecasts — to identify anomalies in account balances. Tests of details verify individual transactions, balances, and disclosures by inspecting source documents, confirming with third parties, recalculating, or vouching/tracing entries. Analytical procedures are typically more efficient for large, predictable populations like payroll; tests of details are required for higher-risk, less predictable accounts. Per PCAOB AS 2305, analytical procedures used as substantive tests must develop expectations precise enough to identify a material misstatement.

How do financial statement assertions drive the design of substantive procedures?

Substantive procedures are designed to respond to risks of material misstatement at the assertion level — existence/occurrence, completeness, accuracy/valuation, rights and obligations, cutoff, and presentation/disclosure — not just at the account level. Testing accounts receivable existence requires positive confirmations; testing completeness requires search procedures for unrecorded items like subsequent cash receipts or shipping logs near year-end. Mapping each procedure to a specific assertion is a recurring PCAOB inspection theme, particularly for revenue and allowance for credit losses.

How does the strength of internal controls affect the nature, timing, and extent of substantive testing?

When controls are tested and deemed operating effectively, auditors can reduce the extent of substantive procedures, perform them at an interim date rather than year-end, and rely more on analytical procedures. When controls are ineffective or not tested, auditors must perform more extensive tests of details at or near year-end. Regardless of control reliance, PCAOB AS 2301 requires substantive procedures for all relevant assertions of each material class of transactions, account balance, and disclosure — controls testing never eliminates substantive testing entirely.

How is AS 2310 changing the external confirmation process?

AS 2310 (The Auditor's Use of Confirmation), effective for audits of fiscal periods ending on or after June 15, 2025, modernizes confirmations by addressing electronic platforms and intermediaries, and requires auditors to maintain control over the confirmation process from selection through receipt. The standard effectively requires confirmation of cash held at financial institutions and tightens evaluation of non-responses and exceptions. PCAOB inspections in 2024 flagged firms that sent positive confirmations but failed to perform sufficient alternative procedures when none were returned.

Where are PCAOB inspectors finding the most substantive testing deficiencies?

The PCAOB's 2024 inspection cycle showed an aggregate Part I.A deficiency rate of 39%, down from 46% in 2023, with deficiencies concentrated in revenue (especially multi-element arrangements), allowance for credit losses, fair value measurements, and long-lived asset impairments. Common root causes include insufficient testing of the accuracy and completeness of data used in substantive analytical procedures, failure to test management's significant assumptions, and inadequate alternative procedures for unreturned confirmations. Remediation playbooks from leading firms emphasize testing controls over information produced by the entity (IPE) and using technology-assisted analysis to expand coverage in high-risk areas.

When are substantive procedures alone sufficient versus requiring control testing?

Substantive procedures alone may be sufficient for classes of transactions or balances where controls are not relied upon and substantive tests can provide sufficient appropriate evidence at the assertion level — typically lower-volume, non-routine items like property acquisitions or debt issuances. Under PCAOB AS 2301 and ISA 330, when an entity processes high-volume routine transactions electronically (e.g., e-commerce revenue), substantive procedures alone generally cannot provide sufficient evidence, and the auditor must test relevant controls. For significant risks and any risk that cannot be addressed by substantive procedures alone, control testing is required.

Does substantive testing apply to IT audits and SOX testing?

Substantive testing extends to IT audits, SOX 404 testing, and operational/compliance audits whenever the objective is to directly validate the accuracy or existence of data rather than the operating effectiveness of a control. In SOX testing, substantive procedures may validate the underlying data supporting a control — for example, recalculating a reconciliation when control reliance is reduced. In IT audits, substantive procedures might involve re-extracting data from a source system to confirm the integrity of a report used in financial reporting.

About the authors

Sara Siegal is a Manager of Product Solutions at Optro. As an experienced auditor, prior to joining Optro, Sara spent 10 years at Sempra, a F500 energy infrastructure company where she managed both SOX/ICFR and internal audits. She began her career in PwC’s Risk Assurance practice, where she specialized in information technology audits. Connect with Sara on LinkedIn.