Tips for an effective internal controls testing program

Internal Controls Testing
Internal Controls Testing

4 Tips to build an effective internal control testing program

The cornerstone of any successful risk management program is effective internal controls. All companies deal with fraud threats, data manipulation, financial misstatement, and cybercrime, but robust internal controls are essential to manage these threats and prevent them from affecting the business.

Having effective and targeted internal controls can protect your company's assets and intellectual property to prevent costly errors, reduce the risk of fraud, and decrease the chance of non-compliance. However, implementing internal controls is not enough. Internal controls should be continuously evaluated and tested to identify weaknesses and opportunities for improvement.

What Are Internal Controls?

Internal controls are a tool that should be constantly refined to help the company reach its intended objectives. Internal controls are the protocols, procedures, and activities that protect organizations from financial, operational, and strategic risk. Organizations using technology to produce financial reporting need internal controls to guard against cybersecurity threats and to assure compliance with regulations.

The core purposes of internal controls are to:

  • Identify risks

  • Mitigate risks, and

  • Control the distribution and manipulation of information

And internal controls provide reasonable assurance that the following objectives are met:

  • Protection of assets

  • Accuracy of financial statements

  • Compliance with laws and regulations, and

  • Effectiveness and efficiency of operations

What is internal control testing?

Internal controls testing seeks to determine if your controls properly detect and prevent material errors or intentional misstatements in financial reports. Control testing cannot detect all errors and fraud but can uncover gaps, significantly reducing risk. 

By testing your internal controls, you can verify the following:

  • Assets are adequately protected

  • Internal controls are performing as intended

  • Internal controls are uniformly applied and followed

  • Operational, reporting and compliance objectives are met

Internal controls testing can be performed as part of your normal audit cycle or at any time to evaluate your controls' strengths and identify gaps and deficiencies. Sound controls help your organization avoid risk and satisfy the requirements of the board of directors, customers, auditors, and regulators.

How to test internal controls


Inquiry is a low-complexity control testing method where the tester asks applicable managers and employees about controls under their responsibility. For example, auditors can request management to provide data about hardware, software, applications, and networks. 

The American Institute of Certified Public Accountants (AICPA) recommends that inquiry be combined with other testing methods because it "does not provide sufficient appropriate evidence of the operating effectiveness of control." 


Observation is another low-complexity method of internal control testing in which auditors evaluate the strength or weaknesses of the control. In this method, the observer will watch the control activity to understand how controls are implemented in your organization.

For example, observation testing may be conducted by a visit to the data center to verify physical access control. Observation is helpful when there is no documentation or formal procedure about the control process.

Inspection of evidence

Inspection of evidence is a medium-high complexity method of control testing used to determine if controls are truly operational by examining documentation and logs. This method also helps the auditor determine that the controls are consistently applied. 

For example, the auditor may review documentation to ensure that backups are scheduled regularly, and if any backups are missed or errors occur, that documentation is kept. Another example is to inspect whether documentation logs are reviewed regularly. 


Reperformance is a higher complexity control testing method used when the above tests do not satisfy the auditor. Reperformance is used to provide the auditor with a greater level of assurance about the effectiveness of controls. 

Reperformance is the most common method used to measure the effectiveness of automated controls. This testing procedure gives the auditor the highest assurance because the tester performs the complete process using automated software. For example, the tester will use software to reperform a calculation and compare the results with the recorded results.  

Computer-assisted audit technique (CAAT)

The CAAT method of testing uses technology to analyze large amounts of data. One of the most significant advantages of CAAT is that large amounts of data can be tested without sample transactions restricting the tester's work.

CAAT may range from a simple spreadsheet to machine learning and artificial intelligence to gain deeper insights into data. 

4 tips for effective control testing

Inventory the controls under evaluation

Before implementing your testing program, ensure that your critical controls are identified and sufficiently documented. A control library should include details of the control's details and an understanding of the control's impact on other aspects of your organization, such as objectives, risks, policies, and regulations. 

It is not necessary to document every control in your organization before testing. However, establishing an inventory of your critical controls is essential.

Create a priority list of controls for testing

Most organizations have hundreds of controls in place; testing them would be a significant undertaking. To ensure your testing program is productive, prioritize the controls you plan to test. The following questions can help you to determine the priority of your testing:

  • Is it a key control over financial reporting?

  • Is the control essential in demonstrating compliance with policies, laws, or regulations?

A prioritized list of controls will allow your testers to focus their efforts. The purpose of the control may also help guide you in determining the controls that need to be tested. For example, SOX, GDPR, and HIPAA controls should be a priority.

Balances assurance and efficiency

The characteristics of the control typically determine the approach you use to test a control. For example, the more you rely on a control to mitigate a significant risk, the more frequently you should test the control. 

Performing design evaluations of a control before testing its operation will allow you to identify issues. If potential problems are identified in how the control is performed, you can suspend operational testing until the control design is corrected.

Document and follow up on identified issues

It may seem obvious, but an essential aspect of control testing involves identifying, prioritizing, and mitigating issues noted during the testing process. Your mitigation efforts should be followed and to completion. A best practice approach is to validate mitigating procedures by reperforming your test procedures to ensure that the issue is resolved.

Automating controls testing with SafePaaS

Controls testing is a time-consuming and expensive process. SafePaaS delivers continuous compliance by monitoring your controls in real-time with on-demand compliance reporting. 

With SafePaaS, you'll pass your audit without surprises, with all potential risks secured before they materialize. And SafePaaS has integrations to all your critical financial applications that affect your controls audit - Oracle, SAP, JD Edwards, PeopleSoft, NetSuite, Workday, and more. 

With SafePaaS' seamless API integrations to your ERP application, you can choose from our comprehensive repository of predefined, industry-best-practice rules. SafePaaS locks down all your controls so you can concentrate on your business, not your audit.

Continuous Controls Monitoring

SafePaaS monitors and identifies risks in financial transactions from applications like Oracle ERP Cloud and E-Business Suite and remediates them with built-in remediation capabilities. 

Risk-impact on finances

With the use of automation, you can prioritize your most important policy violations by measuring access risk-to-cost 

Best-practice industry-focused rule catalog

SafePaaS has thousands of rules that provide immediate coverage of your compliance requirements, including SOX, GDPR, and HIPAA. 

Real-time access risk mitigation

SafePaaS enables quick analysis and response to potential risk by reviewing identity access in real-time with fine-grained capabilities.

Out-of-the-Box Integrations

SafePaaS API integrations enable provisioning workflows with ServiceNow, SailPoint, Okta, Azure AD, or any other IDM and ITSM.

Cross-application SOD analysis

All entitlements and roles are analyzed across all applications in one single platform.

Want to learn more about how SafePaaS can help you automate controls testing?

Want to learn more?