Testing Control Procedures (Controls Assurance Program Management)
Methods to Test Your Control Procedures
There are different ways to test your control procedures:
- The Control Self Assessment (CSA) is a questionnaire that enables control owners to indicate whether the related control is still in operation and functioning as documented. Control owners are often required to complete a CSA annually. However, CSAs may often need to be completed more frequently, depending on individual circumstances, such as the inherent level of risk related to the controls, frequency of operation, findings observed in previous evaluations of the control, or changes in control ownership. If the owner indicates that the control has changed or is no longer in operation, the system flags the control as non-compliant, which indicates that the organization needs to take follow-up action. For example, the organization can decide to remove the non-compliant control from operation.
- A Design Test is used to document the evaluator's assessment of whether the control is properly designed to achieve stated objectives and mitigate related risks. If a control is properly designed, the control meets the stated objective, and the evaluator proceeds to test the control's operating effectiveness. If, however, the control is ineffectively designed, the control must be identified as non-compliant. The design test should be conducted based on your company calendar and business objectives.
- An Operating Test evaluates whether a control procedure is in place and operating as intended. Key controls should be tested monthly or quarterly, with the sample size dictated by the frequency of the control's operation and the total population of relevant control activities during the period.
For each of the control tests, you can use 2 test creation methods: generating tests from a compliance engagement, or manually adding a specific control test.
Generate tests from a compliance engagement
You can generate multiple control tests from a compliance engagement record. For more information on Compliance Engagements, see Creating a Compliance Engagement.
Users: Compliance Tester
- Select the record containing the controls you want to test and go to the Testing tab.
- In the Test Generation section, do the following:
- Define the scope of the testing, Full or Partial.
- Select 1 or more control tests you want to create.
- (Optional) Define metadata to be populated in every assessment.
- Click Queued.
- Click Generate Tests.
Complete a control self assessment
Use the Control Self Assessment questionnaire to determine whether a control is still operating as intended.
Here are the tasks:
- Create a control self assessment by selecting the target control procedure, providing the Compliance Engagement information, and completing the Workflow section.
- Submit a control self assessment. The Submitter can submit a Control Self Assessment using 1 of 2 different methods: either submit the test from an open Control Self Assessment record, or open the My Open Control Self Assessments report and complete the same 2 fields in bulk.
- Review a control self assessment for accuracy. Add comments as needed with the error and a correction.
- Approve, reject, or reassign the record.
Download the source file of the diagram here: Controls Assurance Program Management Control Self Assessment Diagram
Complete a design test
Here are the tasks to complete a design test:
- Create a design test by selecting the target control procedure, providing the Compliance Engagement information, and completing the Workflow section.
- Submit a design test by answering any questions, adding evidence, completing the Open Tasks/Activities, and either submitting or reassigning the record.
- Review the design test for accuracy. Add comments as needed with the error and a correction.
- Approve, reject, or reassign the record.
Download the source file of the diagram here: Controls Assurance Program Management Design Test Results Diagram
Complete an operating test
Here are the tasks to complete an operating test:
- Create an operating test by selecting the target control procedure, providing the Compliance Engagement information, and completing the Workflow section.
- Submit an operating test by answering any questions, adding evidence, completing the Open Tasks/Activities, and either submitting or reassigning the record.
- Review the operating test for accuracy. Add comments as needed with the error and a correction.
- Approve, reject, or reassign the record.
Download the source file of the diagram here: Controls Assurance Program Management Operating Test Results Diagram