Internal control testing: Building a strong foundation

With so much attention on emerging risks, artificial intelligence, and cybersecurity, it's easy to drift away from the fundamentals of good internal controls. In this article, we will get back to basics in internal control testing by focusing on control testing methodologies, pitfalls to avoid, and best practices to embrace. Along the way, we will include real-world examples to illustrate how you can incorporate improvements to your internal control testing processes.

• What is internal control testing?
• Why is internal control testing important?
• Control testing methodology: Step-by-step process
  • 1. Understand the control environment
  • 2. Risk assessment and scoping
  • 3. Define the population and sampling
  • 4. Select test procedures
  • 5. Execute the test of controls
  • 6. Evaluate results and identify deficiencies
  • 7. Report findings and recommended actions
• Control testing examples
• Documentation tips for control managers
• Common challenges in internal control testing
• Enhancing your control testing program
• Conclusion

Control testing methodology: Step-by-step process

Regardless of your role in the organization, anyone engaged in internal control testing should use a thought-out control testing methodology. A formalized control testing methodology provides a structured approach to planning, executing, and reporting control test results. Below are the common steps involved:

1. Understand the control environment

Begin by documenting and understanding the control environment. Many internal control testers will start with a simple walkthrough of a process to understand business objectives, systems involved, material accounts, significant classes of transactions (SCOTs), and the associated risks. From there, the reviewer will likely document control objectives and, if possible, the design of each control along with the roles and responsibilities of control owners.

2. Risk assessment and scoping

After building a basic risk and control matrix, the next step is prioritizing testing based on a risk assessment. Testing will focus on areas with high inherent or residual risk. In this way, the internal control team uses a risk-based approach to prioritize which controls to test and determine the scope of testing.

3. Define the population and sampling

Identify the population (e.g., all transactions processed in a year, all changes made in the last quarter) and determine the sample size based on control frequency, number of transactions, or however your control testing methodology requires. If you have access to a data analytics solution, you may be able to test the full population to avoid sampling risk.

4. Select test procedures

Select the testing technique that best fits the situation. The most common approaches include:

• Inquiry: Asking personnel about processes
• Observation: Watching processes in action
• Inspection: Evaluating documentations, reports, and transactional records
• Reperformance: Re-executing the control to verify its outcome

The most persuasive tests often involve inspection and reperformance.

5. Execute the test of controls

Internal control testing will generally occur in two phases: Test of design (TOD) and test of operating effectiveness (TOE).

A test of design determines whether the control, as designed, is capable of effectively preventing or detecting errors. It evaluates whether the control is logically designed and whether the control owner has the appropriate knowledge, access, and authority.

• Key considerations: Is the control clearly defined? Is it aligned with the associated risk? Does the control include relevant performance criteria?
• Example: For a journal entry approval control, a test of design would verify that the control includes segregation of duties, dollar amount limits, documented approval steps, and access restricted to authorized personnel.

Once the control design is deemed effective, the next step is to evaluate whether the control functions as intended over time.

• Key considerations: Is the control consistently performed? Do the right individuals execute it? Is evidence retained?
• Example testing activities: Select a sample of transactions and evaluate whether the control was executed appropriately. This may involve reviewing logs, approvals, or system-generated outputs.
• Result: If the control was performed accurately and completely for all samples, it operates effectively.

The combination of a successful test of design and operating effectiveness provides assurance that the control is both properly structured and reliably performed.

6. Evaluate results and identify deficiencies

Once the testing is completed, assess the error rate to determine whether the control was operating effectively. The terminology we use here is important. For example, a control is effective if all samples pass, and the control works as designed. A control may be considered deficient if one or more test samples fail; however, it can still be deemed effective depending on the severity of the deficiency and the presence of mitigating controls that address the associated risk.

Next, we classify the deficiency according to its severity, considering the potential impact and likelihood of occurrence:

• Control deficiency: Minor issue
• Significant deficiency: Important enough to merit attention
• Material weakness: Serious flaw that could lead to material issues

It's important to note that the term "control failure" is not generally used in these control testing examples. Control design may be effective or ineffective, and control operation might have deficiencies.

7. Report findings and recommended actions

An important final step involves preparing a report to communicate the results of internal control testing to stakeholders. The topics in the report are generally as follows:

• Summary of testing performed
• Deficiencies identified
• Root cause analysis
• Recommendations for remediation
• Management response and action plan

Supplemental sections of the report could praise the work done by the control owners and provide an overall assessment of the processes under review.

Control testing examples

To illustrate how control testing looks in the real world, here are five common tests of controls examples across different business processes:

Example 1: Accounts payable (Three-way match)

• Control objective: Prevent overpayments and ensure invoice accuracy
• Control description: Invoices are matched to purchase orders and receiving reports before payment
• Test scope: All invoices from the most recent completed quarter
• Test population/sample: 25 invoices
• Test procedure: Inspect a sample of paid invoices and verify documentation of the three-way match
• Expected result: All sampled invoices should have properly matched documentation

Example 2: User access review

• Control objective: Prevent unauthorized access to financial systems
• Control description: Quarterly review of user access by system owners
• Test scope: All application users and service accounts
• Test population/sample: Full population
• Test procedure: Verify evidence of periodic access reviews and timely removal of users who no longer require access
• Expected result: All reviews completed; inappropriate access removed timely

Example 3: Manual journal entry approval

• Control objective: Ensure validity of journal entries
• Control description: All manual journal entries must be approved by a supervisor
• Test scope: All manual journal entries year to date
• Test population/sample: 25 journal entries
• Test procedure: Inspect a sample of journal entries and verify evidence of supervisor approval
• Expected result: All entries should show documented approval from the designated reviewer

Example 4: Change management

• Control objective: Ensure that changes to systems are authorized and tested
• Control description: Changes require approval, testing, and documentation
• Test scope: All changes year to date
• Test population/sample: 5 changes
• Test procedure: Review change requests for required approvals and testing evidence
• Expected result: All sampled changes follow documented procedures

Example 5: Physical inventory count

• Control objective: Ensure inventory records are accurate
• Control description: Annual physical inventory count with reconciliation to records
• Test scope: 20 retail locations
• Test population/sample: 100 inventory tickets per store location
• Test procedure: Observe count procedures and inspect reconciliation documentation
• Expected result: Inventory discrepancies are investigated and resolved

Documentation tips for control managers

In internal control testing, good documentation is critical to support test results and satisfy audit requirements. As such, there are things to keep in mind. First, documentation should be clear and concise. Internal control testing documentation should summarize control objectives, procedures, and outcomes with enough detail so that another auditor can follow along and reperform the test if needed. Next, include supporting evidence for all conclusions, such as screenshots, emails, logs, reports, etc. As much as possible, use consistent formats and templates to improve readability and efficiency. Finally, track issues, action plans, and remediations as close to real-time as possible. Maintaining records of deficiencies, status updates, and resolutions when these arise will help to record the facts accurately.

Common challenges in internal control testing

As with any assurance program, internal control managers will face challenges. Some challenges are related to the evidence and control owners, while others come from the control testing methodology. Examples include:

1. Incomplete documentation: A lack of well-defined controls can hinder testing. To overcome this issue, work with the process and control owners to understand how controls should be designed, operated, and documented.
2. Control owner turnover: New personnel may not understand control expectations. Providing a basic introduction to risk and control and how to capture control evidence can help them confidently take on the new responsibility.
3. Inadequate evidence: Testers can't find or obtain proper evidence of control execution. This common issue can often be resolved by creating standardized checklists and a consistent filing system.
4. Sample selection errors: Inadequate sampling can result in misleading conclusions, as it inherently carries the risk of overlooking errors. To reduce this risk, consider leveraging data analytics to perform full population testing, which can provide more comprehensive and accurate insights.
5. Overreliance on inquiry: Relying solely on inquiry reduces the reliability of audit evidence. Experienced auditors recognize that inquiry alone is rarely sufficient. Whenever possible, enhance the credibility of findings by incorporating inspection, observation, or reperformance.

Overcoming these issues requires strong collaboration with process owners, proper training, and continual monitoring of controls.

Enhancing your control testing program

An internal control testing program should evolve and mature over time. To strengthen and advance your program, implement continuous monitoring and auditing of controls. Consider adopting several best practices to enhance effectiveness and sustainability.

• Automate control activities and evidence collection where possible, such as through access reviews or exception reports, to enhance efficiency and consistency.
• Integrate data analytics to detect anomalies and validate the effectiveness of controls more precisely.
• Provide targeted training to ensure control owners understand their responsibilities and perform controls accurately.
• Maintain a centralized control library that documents each key control's purpose, frequency, and testing history for easy reference and continuity.
• Adopt a rolling testing strategy, performing control tests throughout the year rather than concentrating them solely during audit season, to support continuous monitoring and timely remediation.

It’s worth noting that these best practices take time, effort, and resources to implement. When seeking to enhance your control testing methodology, plan accordingly to ensure sustainable improvements. Incorporating combined assurance can be especially effective – encouraging control owners to regularly review and assess their controls helps ensure they are operating as intended and supports a culture of accountability and continuous improvement. 

Conclusion

Managing risk, improving business operations, and demonstrating accountability rely on internal control testing. By adopting a structured control testing methodology, using a relevant test of controls process, and analyzing control testing examples, internal control managers can significantly enhance the reliability and performance of their control environment.

Whether you're new to control testing or looking to optimize an existing program, focus on clarity, consistency, and continuous improvement. With the right foundation, your internal control testing efforts can deliver real strategic value.