Guide for Building an Internal Control Testing Program

Similar to the way a test in school or for a job can indicate how well you understand a subject or process, testing your organization’s control environment determines how well it is functioning to keep your organization secure and compliant. This is where an internal control testing program comes in. However, simply having such a program isn’t enough without consistent application, monitoring and management of said controls.

What Are Internal Controls?

A critical aspect of risk management, internal controls are the comprehensive inventory of your company’s operations, policies and procedures that enable compliance, risk reporting and risk reduction. These controls must function effectively to keep your business compliant and help mitigate risks as much as possible. Testing allows you to evaluate your internal controls.

Testing internal controls can be done manually or automatically, using software built for the purpose. The problem with relying on manual control testing is that consistency isn’t guaranteed because a human tester can make mistakes. It can also slow down your risk management. An automated test of controls provides the consistency you need for trustworthy results.

According to Deloitte, while it’s often possible to leverage certain existing internal processes as internal controls, many businesses fail to do so. Such processes include your:

  • IT system access and security
  • Reconciliation controls
  • Duty segregation
  • Inventory counts
  • Budget analysis
  • Organization performance reviews

Once you have defined the essential controls based on your company’s needs, you can create a formal internal control testing system. The first step is a proper risk assessment.


Why Is Risk Assessment Necessary in Defining Controls?

To define functional controls, you must thoroughly understand your business risks. This includes understanding the human and digital resources needed to prevent and fix those risks, who you answer to (board, CEO, customers, etc.), company objectives, and industry and federal regulatory changes. Proper assessment of risks and mitigation is key to developing appropriate controls and testing them.

For example, controlling security risks in a medical facility often focuses on protecting patient medical records and medical devices used for medication distribution from hacking. Financial facilities must follow strict regulations for investor and customer security and trust.

Educational facilities must protect student data from identity theft and information such as performance reviews from being shared without parental consent. They must also prevent cheating by protecting access to tests and rubrics.

What Is Internal Control Testing?

Internal control testing checks how well your designated controls detect existing errors and prevent future errors and cybersecurity risks. Testing these controls is usually part of a formal audit or in preparation for one. If your internal testing process shows that your controls are effectively functioning, your control risk is low — not foolproof, but low.

Your company and industry’s compliance standards will determine what steps to take if your existing controls are weak. This auditing process may involve reviewing documentation and interviewing the people who operate the controls. Stronger controls with documentation to back them up can shorten the auditing process.

5 Types of Tests for Internal Controls

The auditing control testing methodology involves five main tests:

  1. Inquiry: This is the most straightforward internal control test but not the most effective. Expect external auditors to ask several questions about your controls during an interview. Questions will likely focus on what controls are implemented and who uses them. For example, the auditor may ask where your data security records are stored or what procedures govern non-employee visits.
  2. Observation: In this test, auditors will step back and observe your business practices as they note how your organization applies the controls. This type of testing may be necessary when no official control documentation exists. As auditors observe the processes, they evaluate any cybersecurity vulnerabilities. An ideal place to conduct such an observation may be at the company’s data center. During the review, auditors may note a lack of security cameras or too much open access in areas with sensitive data.
  3. Inspection: This type of testing is more hands-on as the auditor dives deeper into existing logs and documentation about the operational capacity of the controls. In this case, a visit to a data center would go beyond observation to possibly include checking for locked doors, watching footage from security cameras and reviewing access logs. Auditors may check the documentation for the implementation of necessary version updates. Observation may also be a part of this type of test.
  4. Re-performance: Now the auditor gets to take real action. To ensure all things run properly, the auditor will independently perform the control in real time. They may also compare their results with previously recorded data from company documentation or observation. When carrying out the process, the auditor may re-perform calculations or manual backups.
  5. Computer-assisted: The computer-assisted audit technique (CAAT) uses technology for large amounts of data analysis and testing. The auditor gains deeper insights into company data and processes while efficiently using their time. The techniques used may include sampling, predictive analytics or statistical analysis, further helping auditors spot discrepancies. Thanks to more extensive and user-friendly compliance software, this type of testing has become more common.

Best Practices of the Internal Controls Testing Process

Knowing how to test internal controls effectively is a must for accurate results. Therefore, auditors and other stakeholders should utilize these best practices.

Create a Control Inventory

Do you know what all your controls are? Take the time to account for all of your key controls and their related activity. Provide user-friendly and efficient information so that someone encountering the control for the first time can understand how it works.

You should also document how one control affects another as part of your overall business, team and department workflow. Having an effective inventory makes testing easier while reducing the likelihood of extensive auditing.

Define Control Priorities

Establishing a control hierarchy is worth it. After all, you may have hundreds or even thousands of controls in various departments, especially for a large organization. Prioritize and organize controls based on how much risk is involved if the control fails.

You may want to group your controls in terms of Priority 1, 2 and 3 ranking, with Priority 1 focusing on controls that have the greatest risk and may need more extensive testing. You may also have to rely on industry regulations, such as HIPAA for medical devices, to prioritize control levels.

Design Appropriate Tests

There are five different types of basic tests used for internal control testing. Some auditors may use more than one type of testing for a control. The control and its designated actions determine the best approach.

Document Extensively

You can never have too much documentation when doing control testing. Solid documentation includes the control actions, how often it’s been tested, the steps used to test it and the results from previous testing. Proper documentation is essential to tracking any issues with these controls that need to be fixed.

Every time you re-run a test program, you should document the process from start to finish. Use the documentation to compare current results to past ones.
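The four practices above (inventory, priority ranking, a test designed for each control, and a documented run compared with the previous one) can be wired together as a small automated test harness. The following is an added example, not Onspring's code or any auditor's method; the control names, the authorized-user list, the approval records and the access log lines are constructed for illustration, and the two re-performance checks stand in for whatever tests your own controls require.

```python
"""Automated re-performance of two inventoried controls, recorded per run and
diffed against the previous run. Added example; all sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed "IT system access" log: timestamp,user,resource,outcome
ACCESS_LOG = [
    "2024-03-01T08:02:11Z,alice,patient-records,allowed",
    "2024-03-01T08:05:40Z,bob,patient-records,allowed",
    "2024-03-01T08:07:03Z,mallory,patient-records,allowed",
    "2024-03-01T09:11:27Z,carol,budget-report,allowed",
]
# Constructed authorization list the access control is supposed to enforce
AUTHORIZED = {"patient-records": {"alice", "bob"}, "budget-report": {"carol", "dave"}}
# Constructed approval records for the "Duty segregation" control: request,requester,approver
APPROVALS = ["req-1,alice,bob", "req-2,carol,carol"]

@dataclass
class Control:
    name: str
    priority: int                       # 1 = greatest risk if the control fails
    test: Callable[[], List[str]]       # re-performance; empty list means the control passed

def reperform_access_control(log=ACCESS_LOG, authorized=AUTHORIZED) -> List[str]:
    """Re-make every logged access decision and report 'allowed' events with no authorization."""
    findings = []
    for line in log:
        ts, user, resource, outcome = line.split(",")
        if outcome == "allowed" and user not in authorized.get(resource, set()):
            findings.append(f"{ts} {user} allowed on {resource} without authorization")
    return findings

def reperform_segregation(approvals=APPROVALS) -> List[str]:
    """Flag any request approved by the same person who raised it."""
    rows = (line.split(",") for line in approvals)
    return [f"{rid}: {req} approved own request" for rid, req, app in rows if req == app]

INVENTORY = [Control("Duty segregation", 2, reperform_segregation),
             Control("IT system access", 1, reperform_access_control)]

def run_tests(inventory: List[Control], previous: Dict = None) -> Dict:
    """Run tests in priority order and record status, findings and change since the last run."""
    prev_results = (previous or {}).get("results", {})
    record = {"run_at": datetime.now(timezone.utc).isoformat(), "results": {}}
    for c in sorted(inventory, key=lambda ctl: ctl.priority):
        findings = c.test()
        status = "pass" if not findings else "fail"
        last = prev_results.get(c.name, {}).get("status")
        record["results"][c.name] = {"priority": c.priority, "status": status,
                                     "findings": findings,
                                     "changed_since_last_run": last is not None and last != status}
    return record
```

Persisting each returned record (for example as JSON) gives the run-to-run history the section calls for, and `changed_since_last_run` surfaces a control that has regressed since the prior test.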

Mistakes To Avoid While Testing Internal Controls

Being aware of these common mistakes can help you avoid retesting and ensure your controls catch everything they should.

  • Not Understanding the Environment — Different companies have different digital infrastructures. That’s why it’s essential to understand all the processes, tools and user behaviors to design the right test effectively. Understanding the environment helps you determine which tools are relevant to the audit. If you’re unsure where to start due to a lack of documentation, focus on controls that address significant risks, such as fraud, hacking, or identity theft, or controls that auditors need for testing operations and that support other functions in the workflow.
  • Not Testing After Defining Controls — Don’t stop after you define the controls or review documentation of data about the controls. Effective internal control testing should provide proof that the controls function as stated. That’s why observation and re-performance techniques are essential to ensure the controls live up to their security tasks.
  • Generic Testing — You should tailor your internal control tests to the specific controls and prioritize the risks in that particular department or company. A combination of different types of tests may be necessary for practical assessment.
  • Lack of Re-assessment — Risks can change frequently based on cyberattacks that may have happened elsewhere. Pay attention to new industry and federal initiatives that can affect your standing. Reassessing this inside and outside the company strengthens your protection against lingering vulnerabilities that can strike at any time. Compliance automation and reporting make ongoing re-assessment easier.
  • Only Looking at the Documentation — Thorough documentation is essential for anyone using the controls regularly or an auditor testing them. However, only reviewing company documentation without actually testing the processes isn’t an effective way to gain enough information about the controls, especially when dealing with cybersecurity concerns. Updated documents should work in concert with more efficient and automated testing methods, such as CAAT. The documentation should guide how to use the tools and record results but should not be used as a one-size-fits-all assurance that the controls continuously work as they should.

There are many considerations for effective control testing. If you aren’t up to speed on the latest testing methods and products, your business can be vulnerable to cybersecurity threats and non-compliance. To learn more about internal control testing, schedule a demo with an Onspring expert today.