Internal controls are designed to protect an organization from fraud, loss of assets, and obstruction of overall business goals and objectives. After all the time and effort (and money, in some cases) spent on implementing an internal control system, the last thing an organization wants is for that system to fail in any area.

The best way to determine the effectiveness of internal controls is through internal audit control testing.

What is internal audit control testing?

Internal audit control testing is an activity with the ultimate goal of improving organizational operations, financial reporting, and compliance by evaluating the efficiency of the internal control system. With these goals in mind, an auditor uses a series of assessment techniques to gather a complete understanding of control procedures. Using a risk-based approach to audit testing, an auditor can focus on areas where risk is more likely to occur, identify issues and make recommendations on how to improve the effectiveness of a control. 

Let’s look at the fundamentals necessary for a successful auditing process.

What are the five process steps to an audit?

Auditors may vary their overall audit approach, but the fundamental structure for the audit process remains the same. There are five stages necessary for a successful internal audit.

Stage 1: Selection

During the selection phase, the overall objective of the audit is determined. After conducting a risk assessment, specific audit activities are outlined and, if necessary, approved by a board of directors or audit committee.

Stage 2: Planning

The auditor meets with management, department heads, or supervisors to discuss the scope of audit procedures, relay audit timelines, and gather all necessary background information, including findings from the prior-year audit.

Stage 3: Fieldwork

Also called the execution phase, fieldwork is the physical on-site audit work. The auditor may:

  • Investigate the overall control environment
  • Interview random employees and managers
  • Review financial information
  • Inspect legal documents
  • Review policies and procedures manuals
  • Examine information technology systems
  • Perform walkthroughs
  • Distribute surveys regarding control activity requirements for specific job duties
  • Perform tests of controls (we discuss the specific procedures used to perform tests of controls in the next section)

Throughout the entire phase, the auditor stays in communication with management to relay preliminary findings.

Stage 4: Reporting

The auditor compiles all observations and findings, including recommendations of methods to improve the operating effectiveness of controls. Management reviews the conclusions and is asked to respond to recommendations in the form of an action plan. These responses are included in the final audit report.

Stage 5: Follow-up 

Within a year of issuing the final audit report, the auditor conducts a follow-up audit to determine progress made on the action plan. If necessary, additional internal audit control testing is completed.

How is internal audit control testing done?

Following generally accepted auditing standards (GAAS), an auditor evaluates an organization’s control procedures. As a result of Congress passing the Sarbanes-Oxley Act of 2002 (SOX), the business process that typically receives the most attention during internal audit control testing is the internal control over financial reporting. 

In most cases, the auditor collects sufficient appropriate audit evidence to conclude that an organization’s financial statements are clear of material misstatements. To substantiate that assertion, the auditor conducts tests of controls.

The four categories of tests of controls

The four types of tests of controls, a form of substantive testing, are:

Inquiry: Ask staff to verbally describe how a control activity is performed.

Observation: Observe a control procedure as it is physically performed.

Inspection: Examine documents as physical evidence that a control procedure was performed.

Re-performance: The auditor initiates a transaction and re-performs the specific steps of the control activity to judge the effectiveness of the control.

In the event that audit evidence leads the auditor to believe there are possible risks of material misstatement in the organization’s financial statements, the auditor may increase the sample size and employ tests of details. Once the origination of the errors is discovered, the auditor can make recommendations for mitigating the specific control risk.

Overall, internal audit control testing is a form of risk management. When internal auditors help find and correct weaknesses in an internal control system, an organization is better for it.

Of course, even a solid auditing process is subject to human error. ZenGRC software streamlines the internal audit control testing process by keeping tabs on and flagging potential control risks.
