Your internal controls provide the confidence you need that your processes will ensure compliance with regulations, legislation and best practices. Controls testing is the way you audit these controls.
Control testing should be integral to your audit process and central to your more comprehensive governance, risk and compliance (GRC) strategy.
Here, we delve deeper into:
- What controls testing and automated controls testing are.
- Types of controls testing.
- A controls testing example.
- The role of control testing in an increasingly strategic approach to audit.
- How to conduct adequate controls testing.
- Why automation plays a crucial part in your success.
What’s internal controls testing?
Controls testing (sometimes called tests of controls or internal controls testing) is used in audits to determine whether your internal controls are sufficient to detect material errors and potential fraud. As a result, controls testing aims to prevent misstatements in your financial reporting.
Control testing can be done as part of the audit or in preparation for an audit, providing confidence that all controls will work as they should when audited. With internal audits recognized as the third line of defense in risk management, auditors must verify the effectiveness of internal controls.
Whether you are auditing to comply with SOX requirements or other sector-specific regulations or to meet audit best practices, testing controls is an essential part of the process and helps support all five internal control components.
What is automated controls testing?
Many internal audit teams are ramping up the rigour of their controls testing, elevating their controls testing methodology by introducing an element of automation.
Automated controls testing involves automating the processes you use to test internal controls. It helps to ensure that your controls operate consistently and reliably.
What is the purpose of controls testing?
Internal controls testing typically has two objectives:
- To make the audit process shorter and more efficient: Testing controls can verify that your internal controls effectively prevent fraud or error and, as a result, negate any need for additional audit checks.
- To shore up your compliance processes: Specific regulatory compliance requirements may demand that you demonstrate adequate internal controls. Even if your organization is not subject to regulation, confidence in your governance, risk and compliance processes will be enhanced via robust controls testing.
The five types of controls testing audits
There are five different ways organizations typically test their controls. Some are more complex than others, but they all give organizations some insight into their controls’ effectiveness.
- Inquiry: The auditor asks about the controls an organization has implemented.
- Observation: The auditor executes control testing by observing how the controls respond in various situations.
- Examination: The auditor compiles and reviews information about the controls’ effectiveness.
- Repetition: The auditor manually repeats a control to verify that it works as intended.
- Computer-assisted audit: The auditor uses an audit solution to gather and evaluate large amounts of data.
What is an example of a controls test?
Controls testing varies widely from organization to organization and industry to industry. Examples can be everything from ensuring all contracts have the correct stamps and signatures to ensuring that all doors in a secure access facility have the proper access controls.
A typical subject of a controls testing audit is a company network. To test the controls using inquiry, the auditor might ask what controls are in place to verify a user’s identity, assign and manage access levels and revoke access if a user’s status changes. The auditor could also use observation, where they would watch the access controls come into play as a user attempts to log into the system.
Conducting controls testing
Conducting controls testing isn’t just about testing the controls themselves. It’s about creating and maintaining an internal environment in which it is comfortable to test, update and improve controls. Following this controls testing methodology will help:
- Identify the controls: Not every control will be tested for every audit. Identify and document all of your controls in a controls library. This gives you visibility into which controls are in place so you can conduct the appropriate tests.
- Define the scope of the tests: Some controls should be tested more often than others, depending on how impactful it would be if that control failed. Review your controls library and prioritize so your tests can focus on the most critical parts of your system.
- Be thorough yet efficient: Your controls testing audits should provide assurances to regulators and your board that your controls are working as intended. This will require you to be thorough. At the same time, it’s essential to be efficient, so you don’t get bogged down in less meaningful tests. Determine if, for example, you need to test the entire control population frequently or if you can periodically review a sample.
- Mitigate any issues: Controls testing is not performed for the sake of testing. It’s for resolving any problems that arise. Create a process for surfacing, escalating and resolving any risks you identify.
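The network access example above, run the way this methodology describes (every account tested, exceptions returned for escalation), as an added Python example that is not from the original article. The HR and account records, the field names and the 24-hour revocation threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption, not from the article).
HR = {
    "alice": {"status": "active", "terminated_at": None},
    "bob": {"status": "terminated", "terminated_at": datetime(2024, 3, 1, 17, 0)},
    "carol": {"status": "terminated", "terminated_at": datetime(2024, 3, 4, 9, 0)},
    "dave": {"status": "terminated", "terminated_at": datetime(2024, 3, 5, 8, 0)},
}
ACCOUNTS = [
    {"user": "alice", "enabled": True, "disabled_at": None},
    {"user": "bob", "enabled": False, "disabled_at": datetime(2024, 3, 1, 18, 30)},
    {"user": "carol", "enabled": False, "disabled_at": datetime(2024, 3, 6, 10, 0)},
    {"user": "dave", "enabled": True, "disabled_at": None},
    {"user": "svc-legacy", "enabled": True, "disabled_at": None},
]
REVOCATION_SLA = timedelta(hours=24)  # assumed policy threshold
AS_OF = datetime(2024, 3, 7, 0, 0)    # constructed test date


def check_revocation_control(hr, accounts, as_of, sla=REVOCATION_SLA):
    """Test every account (the full population); return (user, finding) exceptions."""
    exceptions = []
    for acct in accounts:
        person = hr.get(acct["user"])
        if person is None:
            # No HR owner: no status change can ever trigger revocation.
            if acct["enabled"]:
                exceptions.append((acct["user"], "enabled account with no HR record"))
            continue
        if person["status"] != "terminated":
            continue
        deadline = person["terminated_at"] + sla
        if acct["enabled"]:
            # Still inside the window is not yet a failure of the control.
            if as_of > deadline:
                exceptions.append((acct["user"], "still enabled past deadline"))
        elif acct["disabled_at"] is None or acct["disabled_at"] > deadline:
            exceptions.append((acct["user"], "disabled after deadline"))
    return exceptions


if __name__ == "__main__":
    for user, finding in check_revocation_control(HR, ACCOUNTS, AS_OF):
        print(f"EXCEPTION {user}: {finding}")
```

Each returned tuple is one exception to feed into the escalation process from the last step; an empty list is the evidence that the control operated effectively for the period tested.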
How can automation help auditors with controls testing?
As internal audit teams strive for greater agility, controls testing moves audit teams along the road to proactive, continuous audit. Automated controls testing makes it easier to deliver audits that are:
- Consistent: Automation helps bring consistency and rigour to controls testing. For your organization to truly embrace, and get the benefits of, data-driven GRC, automation is non-negotiable.
- Data-Driven: Ensuring your controls testing uses empirical evidence (data) can reduce and, best case, eliminate the use of unsound subjective validation mechanisms.
- Continuous: Automation also ensures testing is scheduled regularly and can directly link real-time results on the operational effectiveness of controls to your corporate risks, driving real-time risk assessment as a result.
Despite this, many businesses need to adopt automation piecemeal rather than across the entire risk and control process tool stack.
Benefits of automated controls testing
Automated controls testing makes the testing of controls more effective and more efficient. Among the benefits:
- Aligned, efficient compliance processes: Risk and compliance processes and internal controls can be fragmented, subjective and siloed. Automating controls testing helps to put a consistent framework around the testing process, which makes controls and the compliance and risk processes they inform more effective.
- Reduced cost of compliance: Manual controls testing can be time-consuming and labor-intensive, and runs the risk of errors that need rework. Automating controls testing reduces this risk of human error and minimizes the time for intelligent controls testing.
- Confidence in your controls: Based on objective readings and carried out regularly, data-driven controls testing assures you that your controls work as they should. Reduce your risk of compliance breaches and know your approach is based on real-time insights.
- Keep pace with the compliance landscape: Because the regulatory landscape is ever-changing, your controls must be able to pivot quickly when needed, or you risk being out of step with requirements. Automated controls testing moves audits from annual or fixed-schedule reporting to continuous insight and, as a result, allows you to update your controls as needed.
- Ability to continuously improve: Being informed by “always-on” controls testing means you can refine and improve your approach continuously. It accelerates the audit team’s path to becoming a strategic business partner, enabling you to provide unassailable, live insights to your board and key stakeholders.
For auditors looking to elevate their role to that of a strategic business partner, automated controls testing can help avoid nasty shocks, give comfort around the operating effectiveness of controls, and allow you to take a proactive approach to auditing.
Optimize your use of technology in controls testing
Organizations’ shift to automated controls testing is part of a broader trend to use technology more effectively. Surveys like PWC’s State of the Internal Audit Profession have regularly identified the need for increased use of technology in areas like audit analysis, fraud detection and continuous auditing. In tests of controls, too, technology can play a crucial role.
This move to automated controls testing also aligns with a change in the audit function’s role. Internal audit has evolved significantly over the last decade, moving from cyclical audits and internal controls testing on a set timetable to a more consultative role, where internal audit teams assess and report continuously on the organization’s overall risk profile.
Technology is a vital component of this approach. And the internal audit team can be ideally placed to champion risk management and compliance technology based on their experience of using technology for assurance purposes.
Centralise and automate your controls testing
Automating your controls testing will enable you to seamlessly manage your regulatory compliance strategy’s multiple policies and controls. It will increase the speed, rigour and efficiency of your testing while reducing costs. It will create a single source of truth for your controls reporting and accelerate the internal audit team’s journey towards a consultative partnership with your organizational leadership.