With the adoption of laws, regulations and rules such as SOX 404, HIPAA, and PCI, businesses are experiencing a significant increase in demands for robust testing programs. To ensure that testing and monitoring resources are properly allocated, you need a good understanding of the various forms of control testing and their role in the Monitoring process.

There are four methods of testing (in order of increasing complexity and required resources): Inquiry (ask whether the control exists), Observation (observe that the control exists), Compliance (determine whether the control is performed according to business practices and procedures) and Re-performance (test whether the control actually performs as specified).

Test Types and Examples of Control Tests

Inquiry

Ask if there is a control.

Question the personnel responsible for, or who perform, the control; conduct a “Table Top” review of the process and controls with management; distribute questionnaires and surveys; etc. Some specific examples of Inquiry testing:

  • Reconciliation of accounts
    • Ask responsible personnel if the reconciliation of accounts process is performed.
  • Automated Maker/Checker
    • Ask a user of the system if there is maker/checker functionality for a specific task (e.g. management approval of T&E reports)
  • Annual Business Continuity Plan (BCP) Test
    • Ask personnel who support the process whether a BCP Test took place. In effect, “inquire” of the people responsible whether there is a control for the risk.

Appropriate for Low Risk Processes

Observation

Observe that the control actually exists.

Typical methods of Observation Tests: Walk through the operations area to observe controls being performed, ask to be shown that the control exists, or ask to be provided with evidence that the control was performed. Examples:

  • Reconciliation of accounts
    • Ask for a copy of the reconciliation paperwork
    • Observe an employee perform a reconciliation
    • Refer to reconciliation management reporting to show whether a reconciliation was performed.
  • Automated Maker/Checker
    • Look at the computer terminal to observe that the application has a process to record manager approval
    • Refer to database reports to show the employee name and approving manager name are recorded.
  • Annual BCP Test
    • Ask for a copy of the BCP Test documentation
    • Observe the conduct of a BCP Test

Appropriate for Low and Medium Risk Processes

Compliance

Confirm that the control complies with the business' procedures.

Typical methods of Compliance Tests: Review a sample of activity for documented evidence that the process and associated controls were performed according to procedures (e.g. a log was completed, the reconciliation form carried the required sign-off, etc.).

  • Reconciliation of accounts
    • Review the paperwork to confirm that the required steps for the reconciliation were taken (e.g. are accounts and line items checked off, did the person performing the reconciliation sign/initial the document, did the manager sign/initial the document, etc.).
  • Automated Maker/Checker
    • Confirm with the development organization that supports the application whether the maker/checker functionality is compliant (e.g. the person who inputs a report cannot approve that report, the report is not treated as valid until the approval is recorded, etc.)
    • Review the computer code that implements the approval logic
  • Annual BCP Test
    • Review the documentation from the last BCP Test to determine whether the test was conducted in accordance with the test plan.

Appropriate for Medium and High Risk Processes. Should be performed on a scheduled, periodic basis and formally documented.

Re-performance

Confirm that the control performs properly.

Typical methods of Re-performance Tests: As with Compliance, examine a sample of the activity for documented evidence that the process and associated controls were performed according to procedures. In re-performance, also trace the information back to supporting or source documentation and recalculate the math or re-perform the decision process. Based upon the available information, determine whether you would agree with the original decision of the person performing the function.

  • Reconciliation of accounts
    • Re-perform a sample of the reconciliations referring to the source data to determine if the same results can be achieved. Note, this is not confirming the reconciliation was performed, it is confirming that the reconciliation achieved the correct results.
  • Automated Maker/Checker
    • Perform tests on the system using various hypothetical test cases (e.g. the maker attempting to approve their own report, a report paid before approval is recorded) to determine whether the functionality performs as specified by the business and as required by Policy.
  • Annual BCP Test
    • Re-perform the BCP test or sample a portion of the test.
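The automated Maker/Checker re-performance test above is the one case in this table that can be exercised with code: the tester feeds hypothetical transactions through the control and records whether each behaves as the business specified. The following is an added example, not code from the original page or from any real T&E system; the expense-report model, the names `alice`/`bob`/`carol` and the test case labels are assumptions constructed for illustration. It models a minimal four-eyes approval control and then re-performs the compliance criteria listed earlier (maker cannot approve own report, report is not valid until approval is recorded, maker and checker names are recorded), returning a pass/fail result per case that an auditor could file as test evidence.

```python
"""Maker/checker (four-eyes) control with re-performance test cases.

Added example for illustration only. The ExpenseSystem model and all
names are hypothetical and are not from any real T&E application.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class ControlViolation(Exception):
    """Raised when an action would breach the maker/checker control."""


@dataclass
class ExpenseReport:
    report_id: str
    amount: float
    maker: str                       # person who input the report
    checker: Optional[str] = None    # approving manager, recorded on approval
    status: str = "SUBMITTED"        # SUBMITTED -> APPROVED
    audit_log: List[Tuple[str, str]] = field(default_factory=list)


class ExpenseSystem:
    """Hypothetical T&E system enforcing maker != checker on approval."""

    def __init__(self) -> None:
        self.reports: Dict[str, ExpenseReport] = {}

    def submit(self, report_id: str, amount: float, maker: str) -> ExpenseReport:
        report = ExpenseReport(report_id, amount, maker)
        report.audit_log.append(("SUBMIT", maker))
        self.reports[report_id] = report
        return report

    def approve(self, report_id: str, checker: str) -> ExpenseReport:
        report = self.reports[report_id]
        # Control 1: the maker may never act as checker on their own item.
        if checker == report.maker:
            report.audit_log.append(("APPROVE_DENIED_SELF", checker))
            raise ControlViolation(f"{checker} cannot approve own report {report_id}")
        # Control 2: a report is decided exactly once.
        if report.status != "SUBMITTED":
            raise ControlViolation(f"report {report_id} already {report.status}")
        report.checker = checker
        report.status = "APPROVED"
        report.audit_log.append(("APPROVE", checker))  # evidence: checker name recorded
        return report

    def is_valid_for_payment(self, report_id: str) -> bool:
        """A report is only valid once an independent approval is recorded."""
        report = self.reports[report_id]
        return (report.status == "APPROVED"
                and report.checker is not None
                and report.checker != report.maker)


def reperform_maker_checker_tests() -> Dict[str, bool]:
    """Re-perform the control with hypothetical cases; True means the case passed."""
    results: Dict[str, bool] = {}
    app = ExpenseSystem()
    app.submit("R-1001", 250.00, "alice")   # constructed sample transaction

    # Case A: maker attempts to approve their own report -> must be rejected.
    try:
        app.approve("R-1001", "alice")
        results["maker_cannot_approve_own"] = False
    except ControlViolation:
        results["maker_cannot_approve_own"] = True

    # Case B: no approval recorded yet -> report must not be valid for payment.
    results["unapproved_not_valid"] = not app.is_valid_for_payment("R-1001")

    # Case C: an independent checker approves -> report becomes valid.
    app.approve("R-1001", "bob")
    results["approved_by_other_is_valid"] = app.is_valid_for_payment("R-1001")

    # Case D: both employee and approving manager names are recorded (observation evidence).
    report = app.reports["R-1001"]
    results["names_recorded"] = (report.maker == "alice"
                                 and report.checker == "bob"
                                 and ("APPROVE", "bob") in report.audit_log)

    # Case E: a second approval of an already-approved report is refused.
    try:
        app.approve("R-1001", "carol")
        results["no_double_approval"] = False
    except ControlViolation:
        results["no_double_approval"] = True

    return results


if __name__ == "__main__":
    for case, passed in reperform_maker_checker_tests().items():
        print(f"{case:30s} {'PASS' if passed else 'FAIL'}")
```

Each case maps to a criterion a Compliance test would only confirm on paper; re-performance exercises the control itself, and a FAIL on any line is the finding to record. When the real system's approval logic lives in application code rather than a database trigger, Case A and Case E are the ones most often found to be enforced only in the user interface, so they deserve to be run against the back-end interface as well.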

If this is an automated control, determine whether the business has a robust baseline testing procedure. If the procedure is robust, you can lengthen the Re-performance testing cycle for Medium Risk processes in reliance on the baseline testing. For High Risk processes, and for Medium Risk processes that are manual or lack a rigorous baseline testing process, the business should conduct periodic and documented re-performance tests at least annually.

©2009 ISRMC, LLC