Inventory the controls that should be subject to evaluation.
Before you can establish a reliable testing program, you need to make sure that all of your critical controls are identified and adequately documented. A complete and consistent control library captures the fundamental details of each control (what it does, who performs it, how often, and what evidence it produces) and records the impact that the control has on other aspects of your organization (e.g. business units, strategic objectives, risks, policies, regulations). This is not to say that you have to document every single control your organization performs before you can get started with testing, but a baseline inventory containing your most critical controls is a good place to start.
Determine the factors that drive the nature and extent of required evaluations.
Consider the impact that each control has on your organization and use that impact to determine the nature and frequency of the testing that should be performed:
- Is the control critical to your organization’s ability to demonstrate adherence to key policies and/or regulations?
- Is it a key control over financial reporting at a public company?
- Is it an efficiency control that you deem is “nice to have”?
Having a method to qualify and prioritize your controls will enable your testers to focus their attention on the most important things first. Often the purpose of the control will drive this evaluation. For example, a SOX control over the capture of financial data in a material general ledger (GL) account would be a logical target, and other requirements (e.g. GDPR, PCI, HIPAA, SOC) may provide detailed guidance on the nature and frequency of testing that is required.
Employ a testing approach that balances the need for assurance with efficiency.
Various attributes of a control may drive your testing approach. For example, the level of reliance placed on a control in mitigating a critical risk may drive you to evaluate the control more frequently and/or to test the full population of its executions rather than reviewing only a sample. Also, evaluating the design of a control before testing its operating effectiveness will surface issues in how the control is defined or performed, which allows you to defer operating-effectiveness testing until the design is corrected rather than spending effort testing a control that cannot achieve its objective as designed.
Document and follow up on identified issues.
It may seem like a simple concept, but a key aspect of control testing is having a method to identify, prioritize, and remediate issues noted during the testing process. Remediation efforts should be tracked through to completion, and a best practice is to validate the remediation by reperforming the test procedures once enough time has passed for the corrected control to have operated, so that you can confirm the issue has indeed been resolved rather than merely assigned an owner.
Implementing a reliable process for evaluating and testing controls can be challenging, but it is certainly attainable. With the right amount of information, reliable supporting technology and, most importantly, the support of executive leadership, your organization can establish a control evaluation program that gives you a level of assurance, predictability and insight that extends well beyond that of “frothy eloquence.”