Internal Controls Testing: A Practical Guide
Nick Sorenson
June 28, 2021

What are Tests of Internal Controls?

Internal controls are the policies and procedures a company establishes to keep the business running, prevent fraud, and preserve the integrity and accuracy of its financial reporting. A test of internal controls evaluates the existing controls, either as part of a formal audit or in preparation for one, to confirm that they are in place and operating as designed, and to identify weaknesses.

The purpose of internal controls testing is to see if the controls are properly detecting or preventing material errors or purposeful misstatement in financial reports.

Although controls testing cannot detect all fraud, it lets auditors find gaps in operational controls, which significantly reduces risk. The outcome tells the auditor where the company stands:

  • If controls are found to be effective, control risk is low.
  • If controls are identified as vulnerable or ineffective, control risk is high. Auditors may need to perform additional tests or take further actions, as specified by the relevant regulation or compliance standard. 

What is the Purpose of Internal Controls Testing?

There are two primary purposes for internal controls testing:

  • Shortening the audit process – if a controls test shows that internal controls are effective at preventing errors or fraud in financial statements, the auditor can reduce the extent of substantive testing that would otherwise be required.
  • Providing additional audit evidence of compliance in situations where substantive procedures alone cannot provide sufficient evidence.

Types of Audit Tests of Internal Controls

There are several types of internal control tests, listed here roughly in order of increasing assurance:

  • Inquiry—auditors ask managers and employees how the controls are implemented. Inquiry on its own is weak evidence, so it is usually combined with more reliable methods; no control objective or criterion should be judged on inquiry alone.
  • Observation—auditors watch activities and operations to see how controls are actually performed. This is useful where no documentation of the control exists. For example, if there is no formal procedure requiring security cameras, the auditor can simply observe whether cameras are installed at the facility.
  • Examination or inspection—auditors determine whether controls are really operating by reviewing existing documentation, configurations, and logs. For example, a test of physical-access controls can involve visiting a secured facility and inspecting the door locks, the access control devices, and their entry logs.
  • Re-performance—the previous three methods cannot fully guarantee that a control operates effectively. In re-performance the auditor executes the control themselves to see whether it works. For example, the auditor can run a backup and restore the system from it, or manually redo a financial calculation and compare the result.
  • Computer-aided audit tools (CAAT)—auditors use software to analyze large volumes of data automatically. A simple CAAT can be a spreadsheet, but specialized tools exist that can test many types of internal controls. Most CAAT solutions work on exported data, testing a point-in-time sample drawn from the full population of transactions.
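As an added example (not code from the original article or from Pathlock), the following Python script shows what a CAAT-style controls test looks like when it is run over a complete exported transaction population rather than a sample: it checks a segregation-of-duties control and an authorization-threshold control on every purchase order, then runs the same checks on a random point-in-time sample for comparison. It goes one step beyond the bullet above by also correlating two exports from different applications on a vendor ID to find a cross-application SoD conflict that neither application can see on its own. All records, user IDs, control names and thresholds are constructed for illustration.

```python
"""Added example (not from the original article or from Pathlock): a minimal
CAAT-style controls test over an exported transaction population, plus the
sample-based test most export tools perform, for comparison. All records,
user IDs, control names and thresholds below are constructed."""
import random
from dataclasses import dataclass

# Constructed ERP export: one row per purchase order (PO).
# requester/approver are user IDs; amount is in USD; None = never approved.
PURCHASE_ORDERS = [
    {"po": "PO-1001", "requester": "alice", "approver": "bob",   "amount": 4_200},
    {"po": "PO-1002", "requester": "carol", "approver": "carol", "amount": 1_150},
    {"po": "PO-1003", "requester": "dave",  "approver": None,    "amount": 25_000},
    {"po": "PO-1004", "requester": "erin",  "approver": "bob",   "amount": 60_000},
    {"po": "PO-1005", "requester": "frank", "approver": "grace", "amount": 9_800},
]

# Constructed exports from two different applications, joined on vendor ID.
VENDOR_BANK_CHANGES = [   # ERP: who last changed the vendor's bank details
    {"vendor": "V-77", "user": "heidi"},
    {"vendor": "V-78", "user": "ivan"},
]
PAYMENT_RELEASES = [      # treasury system: who released the payment
    {"vendor": "V-77", "user": "heidi", "amount": 12_000},
    {"vendor": "V-78", "user": "judy",  "amount": 3_000},
]

APPROVAL_REQUIRED_ABOVE = 10_000   # assumed policy: POs above this need an approver


@dataclass(frozen=True)
class Violation:
    control: str   # assumed control identifier, e.g. "SoD-PO"
    record: str    # the PO or vendor the violation relates to
    detail: str


def check_po_controls(orders):
    """Test two key PO controls across the whole population.

    SoD-PO : the requester of a PO must not be its approver.
    AUTH-PO: a PO above APPROVAL_REQUIRED_ABOVE must carry an approval.
    Returns every violation found, in population order.
    """
    found = []
    for o in orders:
        if o["approver"] is not None and o["approver"] == o["requester"]:
            found.append(Violation("SoD-PO", o["po"],
                                   f"{o['requester']} approved their own PO"))
        if o["amount"] > APPROVAL_REQUIRED_ABOVE and o["approver"] is None:
            found.append(Violation("AUTH-PO", o["po"],
                                   f"{o['amount']} USD posted without approval"))
    return found


def check_cross_app_sod(bank_changes, releases):
    """Cross-application SoD: a user who changed a vendor's bank details must
    not also release a payment to that vendor. Each action is legitimate in
    its own application; the conflict only appears when the two exports are
    correlated on the vendor ID."""
    editors = {}
    for c in bank_changes:
        editors.setdefault(c["vendor"], set()).add(c["user"])
    return [
        Violation("SoD-XAPP", r["vendor"],
                  f"{r['user']} changed bank details and released {r['amount']} USD")
        for r in releases if r["user"] in editors.get(r["vendor"], set())
    ]


def sample_check(orders, fraction, seed=0):
    """Point-in-time sample test, as most export-based CAATs perform it:
    draw `fraction` of the population at random and test only that subset.
    A violation outside the sample is never seen, which is why the
    full-population check above is the stronger evidence."""
    rng = random.Random(seed)
    k = max(1, round(len(orders) * fraction))
    return check_po_controls(rng.sample(orders, k))


if __name__ == "__main__":
    for v in (check_po_controls(PURCHASE_ORDERS)
              + check_cross_app_sod(VENDOR_BANK_CHANGES, PAYMENT_RELEASES)):
        print(f"{v.control:9} {v.record:8} {v.detail}")
    print("violations seen by a 40% sample:",
          len(sample_check(PURCHASE_ORDERS, 0.4, seed=1)))
```

Run as a script, the full-population check reports two PO violations (a self-approved PO and an unapproved PO above the threshold) and one cross-application conflict, while the 40% sample may report fewer or none depending on which rows it draws, which is the coverage gap the article's later figures refer to.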

Modern continuous controls platforms such as Pathlock are becoming popular; they test and enforce controls in real time, monitoring 100% of the activity in connected business applications. Organizations can define controls in applications such as SAP, Oracle, Workday, Salesforce, and NetSuite, and monitor the relevant controls across compliance frameworks such as SOX, GDPR, HIPAA, and more.

4 Steps to Build An Effective Internal Control Testing Program

The following best practices can help you test internal controls more effectively.

1. Create an Inventory of Controls

Before establishing a reliable test procedure, account for all key controls and document what each one does in detail. A complete and consistent library of controls lets you capture the basic details of each control and its impact on the different departments or business units in the organization. You do not need to fully document every control before testing, but an inventory of the key controls makes testing easier and more effective.

2. Prioritize Controls Testing

A typical organization has hundreds or even thousands of documented controls. Testing all of them is out of the question, so the list must be rationalized and narrowed for each particular audit. For each control under consideration, determine its effect on the organization and use that to decide the nature and frequency of the tests to perform.

Ask whether the control is critical to demonstrating compliance with key policies and regulations, whether it has a significant effect on financial reporting, and whether you believe it operates effectively. The answers prioritize the controls and help testers focus their work.

Often, the specific regulations or compliance standards the organization is subject to, such as SOX, GDPR, HIPAA, or PCI DSS, will guide the testing process and determine which controls are critical to test first.

3. Design an Appropriate Test for Each Control

The testing approach is often determined by the nature of the control. For example, a control the organization relies on to mitigate significant risks should be evaluated more frequently. It is also good practice to evaluate a control's design before testing its operation: if the control as designed cannot achieve its objective, suspend operating-effectiveness testing until the design is corrected, since a well-executed but badly designed control still fails.

4. Document and Follow Up on Identified Issues

Although it may seem obvious, an important part of controls testing is prioritizing and remediating the issues found. Track each remediation until it is complete. A best practice is to re-run the test program after allowing time for remediation, to verify that every issue has actually been resolved.

Internal Controls Test Automation with PathLock

Internal controls testing is a time-consuming and expensive process. Organizations typically have 200+ key internal controls to evidence for each compliance regime, and each control can take 40 or more hours to test. Furthermore, it is usually a once-a-year, error-prone exercise that examines only 3-5% of the activity in the enterprise.

Pathlock shifts organizations toward a continuous controls monitoring approach that proactively monitors controls and reports violations in real time. Organizations have complete visibility of their compliance status at all times, so they are always prepared for the next audit.

Financial Impact Prioritization

Pathlock automatically prioritizes your most critical violations by quantifying access risk, tying each violation to the real dollar amount of the out-of-policy transactions.

Comprehensive Rulebook

With a catalog of over 500 rules, Pathlock provides out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.

Real-time Risk Mitigation

Pathlock lets users quickly investigate and respond to potentially risky transactions by reviewing access, deprovisioning users, or forcing 2FA, or lets Pathlock respond automatically in real time by terminating suspicious sessions and blocking transactions.

Out-of-the-Box Integrations

Pathlock’s out-of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place, such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more.

Lateral SOD Correlation

All entitlements and roles are correlated with a user’s behavior, consolidating activities and showing cross-application segregation-of-duties (SoD) conflicts between financially relevant applications.

Continuous Control Monitoring

Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications such as SAP in real time, surfacing violations for remediation and investigation.