A Comprehensive Guide to Internal Controls Testing

Published/Updated January 27, 2022


Every organization operates amid the threats of fraud, data manipulation, financial misreporting, and cybercrime. Robust internal controls are essential to manage these threats and to prevent them from affecting business continuity and integrity.

With a solid internal control system, you can protect your business-critical assets and intellectual property. You can also prevent costly errors, reduce the risk of fraud, implement appropriate risk responses, and minimize regulatory penalties.

But it’s not enough simply to implement internal controls. It’s also critical to evaluate them, so you can identify weaknesses and opportunities for improvement before gaps result in material damage.

This guide will answer your questions about internal controls testing – test types, benefits, processes, and common mistakes.

What Is Internal Control Testing?

According to COSO, an internal control is a process that can provide reasonable assurance that an organization has achieved steady operational efficiency and can meet the control objectives related to reporting and regulatory compliance. Regulatory requirements are mandated by various laws such as the Sarbanes-Oxley Act or the European Union General Data Protection Regulation.

Healthy and adequate controls enable organizations to avoid adverse risk events and satisfy the requirements of the board of directors, customers, audit committees, and regulators.

Robust internal control testing procedures are vital to detect, mitigate, and prevent errors or misstatements in financial statements, prevent fraudulent actions, and implement proper responses to each assessed risk.

By testing and auditing your organization’s internal controls, you can confirm whether they:

  • Are consistently applied and followed;
  • Achieve the desired operational, reporting, and compliance objectives;
  • Function as intended without putting unnecessary stress on the organization;
  • Help boost operational effectiveness and efficiency;
  • Safeguard assets against loss;
  • Work well at the entity-level and across the relevant operating unit or business process.

You can conduct internal controls testing:

  • As part of an official audit to provide evidence and demonstrate compliance;
  • While preparing for an audit to evaluate control strengths and identify weaknesses.

Ultimately, the operating effectiveness of the control helps minimize control risk, while ineffective controls increase risk.

Types of Tests for Internal Controls

There are various ways to evaluate the operating effectiveness of internal controls.


Inquiry

Complexity: Low

In this method, the tester simply asks appropriate managers and employees about specific controls. For instance, the tester may ask functional heads about security procedures to manage visits by non-employees (such as customers). Since the technique relies on people sharing relevant and up-to-date information, it provides only a small snapshot of the big picture.

The American Institute of Certified Public Accountants (AICPA) states that inquiry alone should not be used as a testing method since it “does not provide sufficient appropriate evidence of the operating effectiveness of control.” The AICPA also discusses combining other testing procedures to provide more convincing evidence about control effectiveness.


Observation

Complexity: Low

In observation, testers make their own judgments about the strengths or weaknesses of internal controls. They observe various control activities and operations to see what kinds of controls are implemented in the organization and how.

For example, they may observe if a fire suppression system is installed on the premises or if segregation of duties is followed for financial activities.

This method can be useful when there is no documentation or formal procedure about the operation of a particular control. Not every minor process or control needs to be documented if an auditor observes that it is automatically and consistently followed.

Examination and Inspection

Complexity: Medium to High

When inquiry or observation is not sufficient, the tester may inspect the evidence of a control, such as:

  • Internal audit logs
  • Employee manuals
  • System databases
  • Visitor logs

The goal is to confirm whether these controls are operational and consistently performed. For example, the tester may check if backups are scheduled to run on a regular basis.

Re-Performance or Re-Calculation

Complexity: High

The above three methods cannot always provide sufficient evidence that a control is working as it should, so auditors may re-perform the control to gauge its effectiveness.

Re-performance can be used as a stand-alone testing method since it doesn’t rely on observation or inquiry. It gathers direct evidence to confirm or disprove that a process yields the same results every time.

Some examples of re-performance include:

  • Running manual backups and trying to restore the system to its normal operations;
  • Performing financial calculations to confirm that there are no mistakes in financial information reporting;
  • Re-performing monthly bank reconciliations.

Computer-Aided Audit Tools (CAAT)

Complexity: High

CAAT involves using technology and software to analyze large amounts of data or analyze multiple transactions simultaneously. Testers may use a spreadsheet or specialized tools, such as export-based, point-in-time sample testing solutions, or data analytics software.

Tests of Control vs. Tests of Detail

A test of control refers to any auditing procedure to evaluate internal controls. Its goal is to find evidence of how effectively the controls operate to prevent or detect risks of material misstatements. Such a test mainly supports control risk assessment.

This test is almost always performed when the risk of a control failure is believed to be low. It enables testers to verify this assessment, and its result helps determine the nature, timing, and extent of the test of details.

A test of detail verifies that balances, disclosures, and financial statements are correct and accurate. It is required to obtain sufficient and appropriate audit evidence, especially if the analytical procedure is inapplicable or insufficient. A test of detail is critical to determine the audit conclusion.

Finally, a test of details is based on detection risk – the risk that you might not detect that something is amiss. Thus, to get a low level of detection risk, you should perform additional tests of details.

The Internal Controls Testing Process

Create a Controls Inventory

Before testing, create an inventory of your controls to understand all of the internal controls currently in place. This will streamline the testing process. Make sure it includes the details of each control and their impact on different business units.

Create a Priority List

To maximize testing effectiveness, it’s essential to prioritize controls testing, especially if you have hundreds or thousands of controls in place. To do this, follow these strategies:

  • Prioritize audit tests based on the effect of the control on the organization;
  • Determine if a control is critical to proving compliance with internal policies, external regulations, or auditing standards;
  • Check whether a control is essential to maintain internal control over financial reporting.

Also, make sure to:

  • Determine the audit’s objective;
  • Perform “walk-throughs” to understand how the control should work;
  • Determine the nature and frequency of tests to be performed;
  • Plan remediations;
  • Gather required background information;
  • Get the approval of the audit committee or board.

Design a Test for Each Control

Your audit approach (type and frequency of audit) depends on the type of control you want to test and its criticality. If a particular control is critical for mitigating a significant risk, it should be tested more frequently. The test itself should be detailed with a comprehensive report on the control’s efficiency. Evaluate the control’s design before testing. Fix design flaws first and then resume testing.

Document Identified Issues

Document all issues found during the testing process to help you prioritize fixes and remediations. Relay preliminary findings to senior management to keep them informed of testing status. Include recommendations in the final audit report to improve the effectiveness of internal controls.

Check Remediation Status

After identifying weaknesses and gaps, implement corrective actions. Track implementation of those actions and verify that issues have been resolved.

Mistakes to Avoid While Testing Internal Controls

To ensure that your auditor’s tests work the way they’re supposed to, avoid these common mistakes.

Not Understanding the Controls Environment

If you understand the existing controls environment, you can better assess the risks of material misstatement, which can help you design and implement appropriate audit responses.

When you lack this understanding, you may be unable to assess the risks associated with the internal controls adequately. As a result, you may fail to obtain sufficient audit evidence and struggle to implement appropriate risk responses and corrective actions. This knowledge gap hurts the quality of the overall audit opinion.

Not Understanding Which Controls are Relevant

For maximum testing effectiveness, understand which controls are relevant to the audit. Here, “relevant” means controls that:

  • The auditor deems relevant;
  • Will be tested for operating effectiveness;
  • Address significant risks (such as fraud risk), or risks for which substantive procedures do not provide sufficient appropriate audit evidence on their own;
  • Support journal entries;
  • Are essential to assess the risks of material weaknesses at the enterprise level.

Not Determining Design Effectiveness

Evaluate each control’s design effectiveness to find evidence about design insufficiencies. For instance, is a control performed manually when it could be automated? You can identify these opportunities by observation, inspection, or re-performance. If the design is deemed ineffective, document the significant deficiency in the audit report.

Not Performing Audit Procedures Tailored to the Organization’s Risks

Some testers simply perform the same testing procedures that were performed for other organizations. This approach can be problematic because different risks for different organizations may require different audit responses. Avoid this mistake, and make sure your audit procedures are responsive to your specific risks.

ZenGRC Offers a Superior Risk Management Solution

Looking for a centralized, integrated platform for a single-pane-of-glass view into your risk environment? Try ZenGRC from Reciprocity.

With ZenGRC, you can strengthen your cybersecurity defenses, implement business continuity and disaster recovery plans, and manage all your compliance, audit, governance, and policy management applications. Get a complete view of your control environment, and implement continuous monitoring to mitigate business exposure.

ZenGRC is a single source of truth that ensures your organization is always audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.

Schedule a free demo to explore ZenGRC.
