Your internal controls provide the confidence you need that your processes will ensure compliance with regulations, legislation and best practices. Controls testing is the way you audit these controls.
Controls testing should form an integral part of your audit process, which in turn is central to your wider governance, risk and compliance (GRC) strategy.
Here, we delve deeper into:
- What controls testing and automated controls testing are.
- Types of controls testing
- A controls testing example
- The role of controls testing in an increasingly strategic approach to audit.
- How to conduct effective controls testing
- Why automation plays a key part in your success.
What is controls testing?
Controls testing (sometimes referred to as tests of controls or internal controls testing) is a procedure used in audit to determine whether your internal controls are sufficient to detect material errors and potential fraud. As a result, controls testing aims to prevent misstatements in your financial reporting.
Controls testing can be done as part of the audit or in preparation for an audit, providing confidence that all controls will be working as they should when audited. With internal audit recognized as the third line of defense in risk management, auditors must verify the effectiveness of internal controls.
Whether you are auditing to comply with SOX requirements or other sector-specific regulations or to meet audit best practices, testing controls is an essential part of the process and helps to support all five components of internal control.
What is automated controls testing?
Many internal audit teams are ramping up the rigor of their controls testing, elevating their controls testing methodology by introducing an element of automation.
Automated controls testing involves automating the processes you use for the testing of internal controls. It helps to ensure your controls' consistency, reliability and operations.
What is the purpose of controls testing?
Internal controls testing typically has two objectives:
- To make the audit process shorter and more efficient: Testing controls can verify that your internal controls are effective in preventing fraud or error and as a result, negate any need for additional audit checks.
- To shore up your compliance processes: Specific regulatory compliance requirements may demand that you demonstrate effective internal controls. Even if your organization is not subject to regulation, confidence in your governance, risk and compliance processes will be enhanced via robust controls testing.
The 5 types of controls testing audits
There are five different ways organizations typically test their controls. Some are more complex than others, but they all give organizations some insight into how effective their controls really are.
- Inquiry: The auditor asks about the controls an organization has implemented.
- Observation: The auditor executes controls testing by observing how they respond in various situations.
- Examination: The auditor compiles and reviews information about how effective the controls are.
- Repetition: Manually repeating a control to verify that it works as intended.
- Computer-assisted audit: The auditor uses an audit solution to gather and evaluate large amounts of data.
What is an example of a controls test?
Controls testing varies widely from organization to organization and industry to industry. Examples can be everything from making sure all contracts have the correct stamps and signatures or ensuring that all doors in a secure access facility have the proper access controls.
A common example of a controls testing audit is a company network. To test the controls using inquiry, the auditor might ask what controls are in place to verify a user’s identity, assign and manage access levels and revoke access if a user’s status changes. The auditor could also use observation, in which case they would watch the access controls pop up as a user attempts to log into the system.
Conducting controls testing
Conducting controls testing isn’t just about testing the controls themselves. It’s about creating and maintaining an internal environment that’s easy to test, update and improve. Following this controls testing methodology will help:
- Identify the controls: Not every control will be tested for every audit. Identify and document all of your controls in a controls library. This gives you visibility into which controls are in place where so you can conduct the appropriate tests.
- Define the scope of the tests: Some controls should be tested more often than others, depending on how impactful it would be if that control failed. Review your controls library and prioritize so your tests can focus on the most important parts of your system.
- Be thorough, yet efficient: Your controls testing audits should provide assurances to regulators and your board that your controls are working as intended. This will require you to be thorough. At the same time, it’s important to be efficient so you don’t get interrupted by less meaningful tests. Determine if, for example, you need to test the entire control population frequently or if you can periodically review a sample.
- Mitigate any issues: Controls testing is not performed for the sake of testing. It’s for resolving any issues that arise. Create a process for surfacing, escalating and ultimately resolving any risks you identify.
How can automation help auditors with controls testing?
As internal audit teams strive for greater agility, controls testing moves audit teams along the road to proactive, continuous audit. Automated controls testing makes it easier to deliver audits that are:
- Consistent: Automation helps bring a degree of consistency and rigor to this controls testing; for your organization to truly embrace — and get the benefits of — data-driven GRC, automation is non-negotiable.
- Data-Driven: Ensuring your controls testing uses empirical evidence (data) can reduce and, best case, eliminate the use of unsound subjective validation mechanisms.
- Continuous: It also ensures testing is scheduled regularly and can directly link real-time results on the operational effectiveness of controls to your corporate risks — as a result, driving real-time risk assessment.
Despite this, many businesses are still adopting automation piecemeal rather than across the entire risk and control process tool stack.
Benefits of automated controls testing
Automated controls testing makes the testing of controls more effective and more efficient. Among the benefits:
- Aligned, efficient compliance processes: Risk and compliance processes and internal controls can be fragmented, subjective and siloed. Automating controls testing helps to put a consistent framework around the testing process; as a result, making controls and the compliance and risk processes they inform more effective.
- Reduced cost of compliance: Manual controls testing can be time-consuming, labor-intensive, and run the risk of errors that need rework. Automating controls testing reduces this risk of human error and minimizes the time taken for intelligent controls testing.
- Confidence in your controls: Data-driven controls testing, based on objective readings and carried out on a regular schedule, assures you that your controls work as they should. Reduce your risk of compliance breaches and know that your approach is based on real-time insights.
- Keep pace with the compliance landscape: Because the regulatory landscape is ever-changing, your controls must be able to pivot quickly when needed, or you risk being out of step with requirements. Automated controls testing moves audits from annual or fixed-schedule reporting to continuous insight and, as a result, allows you to update your controls as needed.
- Ability to continuously improve: Being informed by “always-on” controls testing means you can refine and improve your approach continuously. It accelerates the audit team’s path to becoming a strategic business partner, enabling you to provide unassailable, live insights to your board and key stakeholders.
For auditors looking to elevate their role to that of a strategic business partner, automated controls testing can help to avoid nasty shocks, give comfort around the operating effectiveness of controls and help you to take a proactive approach to audit.
Optimize your use of technology in controls testing
Organizations’ shift to automated controls testing is part of a wider trend to make more effective use of technology. Surveys like PWC’s State of the Internal Audit Profession have regularly identified the need for increased use of technology in areas like audit analysis, fraud detection and continuous auditing. In tests of controls too, technology can play a key role.
This move to automated controls testing also aligns with a change in the audit function’s role. Internal audit has evolved significantly over the last decade, moving from cyclical audits and internal controls testing to a set timetable to a more consultative role, where internal audit teams assess and report continuously on the organization’s overall risk profile.
Technology is a vital component of this approach. And the internal audit team can be ideally placed to champion risk management and compliance technology based on their experience of using technology for assurance purposes.
Centralize and automate your controls testing
Automating your controls testing will enable you to seamlessly manage your regulatory compliance strategy’s multiple policies and controls. It will increase the speed, rigor and efficiency of your testing while reducing costs. It will create a single source of truth for your controls reporting and accelerate the internal audit team’s journey towards a consultative partnership with your organizational leadership.
Discover how Diligent Audit Management can help you to automate, centralize and simplify your controls testing.