A simple analogy to explain the difference between controls and substantive testing

TL;DR
• In this analogy, controls testing = building insurance, substantive testing = contents insurance.
• You usually need both, for peace of mind.
• If you only pick one, understand the gap that this leaves.

 

In a previous article we explained the difference between controls testing and substantive testing when reviewing algorithmic systems. The concept is important to know when you're thinking about a point-in-time internal review, commissioning an external review, or running your ongoing quality checks.

This article provides an easy way to explain it to others. The analogy is not a perfect match, but it works well enough.

Think about home insurance and the difference between building/structure and contents coverage. Building insurance covers the foundation, walls, roof, etc. Contents insurance covers belongings, the day-to-day stuff.

If you only have contents insurance and your house collapses due to foundation failure, you’re out of luck. Your contents coverage won't help with restoring the structure.

If you only have building insurance and thieves steal your TV, you get nothing either.

Controls testing is similar to building insurance. It checks whether the framework is in place. Do you have proper change management? Monitoring systems? Do you track what your algorithms are doing?

Substantive testing is like contents insurance. It looks at what's going on inside the algorithmic process. This means directly looking at models and flows to check if they're fair (often on a sample basis), or recalculating the expected outputs and comparing them to the actual outputs to find errors.

Just like with home insurance, you need both, in most cases. A solid governance framework that misses certain scenarios won’t help you. Neither will great detective work that ignores systemic process failures. If you only have one, you won’t get the full picture.

The analogy breaks down in places (many analogies do), but the essence is similar. You need to look both outside and inside. The foundation needs to be right, and you need to catch the possible day-to-day problems too.

Most algorithmic reviews benefit from combining both types of testing. Sometimes you only need one; if so, know which gaps you're accepting when you make that choice.

 


Disclaimer: The info in this article is not legal advice. It may not be relevant to your circumstances. It was written for specific contexts within banks and insurers, may not apply to other contexts, and may not be relevant to other types of organisations.