← Blog

Test of Controls: Design, Execute & Optimize Audits

Pubblicato: 2026-05-05
test of controls internal audit compliance management substantive testing DORA compliance
Test of Controls: Design, Execute & Optimize Audits

What are auditors really trying to prove when they run a test of controls? Not whether a policy exists. Not whether a control owner can describe the process. They’re trying to establish whether a control operated reliably over time, in a way that supports reliance.

That distinction matters because a test of controls isn’t a paperwork exercise. It’s a verification exercise. In regulated environments, especially under frameworks like DORA, NIS2, and GDPR, the practical question is whether the system produced a repeatable outcome, left defensible evidence, and can withstand scrutiny when someone independent retraces the path.

Teams often approach control testing too late and too narrowly. They focus on passing the audit step rather than deciding where testing effort will reduce audit effort later. That’s the gap. Good control testing is as much about resource allocation as it is about compliance.

What Is a Test of Controls

A test of controls is an audit procedure used to obtain evidence about whether a control operated effectively during a defined period. The key phrase is operated effectively. A control can be well written, well intentioned, and still fail in practice because the execution is inconsistent, undocumented, or bypassed.

For experienced audit and compliance teams, the control itself is only part of the picture. The actual object of testing is the operating system around that control. Who performed it. When they performed it. What evidence was generated. Whether exceptions were handled. Whether the activity can be reconstructed later.

Reliability over time

A useful way to think about a test of controls is this: the auditor isn’t testing a statement, but a pattern of behaviour. If a control is supposed to prevent unauthorised access, detect incomplete approvals, or enforce evidence retention, the test needs to show that the mechanism worked across the period of reliance, not only on the day someone was asked about it.

That’s why the strongest tests usually connect several layers:

  • Policy intent that defines what the control is meant to do
  • Process execution showing how the control is carried out
  • System evidence such as logs, approvals, version history, or configuration records
  • Exception handling that shows what happened when the control identified a problem

A control that can’t be reconstructed from evidence is hard to rely on, even if everyone involved believes it worked.

More than a pass or fail

In practice, a test of controls produces a judgement about reliability, not just compliance. Some controls fail because their design is weak. Others fail because the design is fine but the organisation can’t prove consistent operation. Those are very different problems and they lead to different remediation work.

This is why mature teams treat testing as a system verification discipline. They don’t ask only, “Did we do the control?” They ask, “Can an auditor independently verify that this control functioned as intended throughout the period?”

The Purpose of Testing Internal Controls

The immediate purpose of testing internal controls is to support a risk judgement. If a control is shown to be effective, auditors can rely on it more. If it isn’t, they have to do more direct checking elsewhere.

A hand adjusts a control knob with labels for design effectiveness and operating effectiveness test of controls.

That relationship is explicit in audit practice. When controls are found to be effective, control risk is assessed as low, allowing auditors to place greater reliance on the control environment and significantly reduce substantive testing requirements. When controls are identified as ineffective, control risk is assessed as high, which requires expanded substantive testing. Auditors should also obtain more persuasive audit evidence from tests of controls the greater the reliance placed on the effectiveness of a control, as explained in this discussion of test of controls audit strategy.

Design effectiveness and operating effectiveness

These two ideas are often blurred together, but they aren’t the same.

Design effectiveness asks whether the control is capable of addressing the risk if it’s used as intended. A segregation-of-duties rule that still allows one administrator to approve and execute a sensitive change has a design problem. A review control with no defined evidence standard also has a design problem.

Operating effectiveness asks whether the designed control worked in practice during the period under review. A strong access review process on paper still fails the test if reviews were skipped, late, incomplete, or impossible to evidence.

A simple operational process shows the difference clearly. In finance, invoice matching is a design question before it’s a testing question. If the process doesn’t require the right artefacts to be compared, no amount of later testing fixes the weakness. That’s why a practical process explainer like this guide to flawless invoice processing is useful. It shows how the structure of the control determines what evidence an auditor can later expect to see.

Why this matters in audit planning

Control testing only has value if it changes the audit approach. That is the point.

If the controls around access management, approvals, reconciliation, or evidence retention are dependable, the auditor can narrow the amount of direct transactional verification required. If those controls are weak, the audit burden shifts. More transactions must be inspected directly. More exceptions must be chased manually. More work lands on the business at the worst possible time.

Practical rule: Test controls where success changes the audit plan. If a positive result won’t reduce later work, the test may not be worth the effort.

The strategic role of testing internal controls is therefore straightforward. It helps determine where reliance is justified, where assurance must come from direct examination, and where the organisation is carrying hidden operational risk.

Test of Controls vs Substantive Testing

A useful analogy is a factory line. Test of controls asks whether the safety systems, machine guards, and automated shutoffs worked as intended during production. Substantive testing asks whether the products coming off the line are correct.

Both matter, but they answer different questions.

A comparison chart outlining the key differences between test of controls and substantive testing in auditing.

Two different audit questions

A test of controls is concerned with the process that should prevent or detect error. Substantive testing is concerned with the result that may still contain error.

In IT and compliance work, that distinction becomes practical very quickly:

  • A test of controls might examine whether privileged access changes require approval and generate logs.
  • A substantive test might inspect a set of actual access changes to determine whether inappropriate access was granted.

One asks whether the mechanism is reliable. The other asks whether the output is correct.

Comparison at a glance

Attribute Test of Controls Substantive Testing
Primary focus Whether a control operated effectively Whether transactions, balances, or outputs are accurate
Main question Can the auditor rely on the control? Is there a misstatement or error in the result?
Typical evidence Logs, approvals, configurations, reperformance results, workflow records Transaction details, reconciliations, recalculations, third-party support
Timing Often across the period of reliance Often closer to period end or focused on completed populations
Audit effect Can reduce further substantive work if effective Directly detects error regardless of control quality

Why teams confuse them

The confusion usually comes from mixed evidence. A single artefact can sometimes support both lines of work, but the purpose still differs. An approval record may support a control test if it proves the approval control operated. The same record may support substantive work if it helps verify a specific transaction.

That overlap is useful, but it shouldn’t obscure the method. Control testing is about reliance. Substantive testing is about detection.

If you test a control and discover it isn’t dependable, you haven’t wasted the effort. You’ve answered the reliance question early enough to change direction.

For managers planning audit effort, this distinction matters because it affects staffing, timing, and evidence design. Process owners can often support a control test through better workflow records and stronger traceability. They can’t offset a weak control environment with confidence alone. If reliance isn’t available, substantive work expands.

Designing and Executing Control Tests

The mechanics of a strong test of controls are usually simple. The discipline lies in choosing the right procedure, defining the population properly, and collecting evidence that another person can independently evaluate.

A hand-drawn process flow showing three steps of inspection, observation, and inquiry leading to a test result.

Start with the control objective

Before choosing a testing method, define the control in operational terms:

  1. Risk addressed. What failure is the control supposed to prevent or detect?
  2. Control action. What activity, rule, or system behaviour addresses that risk?
  3. Evidence expected. What record should exist if the control worked?
  4. Population and period. Over what set of events and what time frame will you test?

If any of these are vague, the test will drift. Weak test design often starts with a broad policy statement and no precise evidence expectation.

Match the procedure to the type of control

The core methods are familiar, but they don’t carry equal weight.

  • Inquiry is useful for understanding the process and identifying where evidence should exist. It isn’t enough on its own for IT control operating effectiveness. AICPA SOC 1 guidance requires it to be combined with stronger procedures such as re-performance or CAATs, and the same source notes that in GDPR audits, ineffective design in third-party evidence uploaders causes 40% failure rates in operational tests, while re-performance of RBAC role mappings achieves 98% precision in this analysis of audit procedures and testing methods.
  • Observation helps when the control includes a human step that can’t be inferred cleanly from records alone. It’s good for understanding how work is done, but weak if used as the main basis for period-wide assurance.
  • Inspection works when the control leaves records such as approvals, tickets, exception logs, or configuration snapshots.
  • Re-performance is often the strongest option for IT controls because it shows whether the control logic produces the expected outcome when independently replayed.
  • CAATs become necessary when scale or automation makes manual inspection too shallow.

For teams refining IT governance structure, a practical reference point is the COSO IT framework article, because it forces the same useful question: what is the control meant to prove, and where should the evidence come from?

Field note: Ask for the evidence path before asking for the sample. If the owner can’t identify the system record, the sample selection won’t save the test.

Sampling should follow risk, frequency, and automation

Sampling is where many tests become either too weak or unnecessarily expensive. There isn’t one universal sample size that makes sense across all controls.

Use these factors instead:

  • Control frequency. Daily controls and quarterly controls don’t need the same treatment.
  • Automation level. Automated controls can often be tested differently from manual ones because the execution is more consistent.
  • Expected deviation risk. If you already suspect inconsistency, the sample should be designed to reveal it, not to confirm a preferred outcome.
  • Change history. A stable configuration is tested differently from one that changed repeatedly during the period.

For security teams, this same thinking carries into adjacent assurance work. A technical guide on how to optimize network security auditing is useful for the same reason. It focuses on evidence quality, repeatability, and control validation rather than checklist completion.

A practical walkthrough helps here:

Build the test so failure is informative

A good control test does more than confirm success. It tells you what kind of failure occurred.

If the evidence exists but doesn’t show the required action, that points to an operating failure. If no useful evidence exists at all, that often indicates a design or documentation defect. If the control worked for some cases but not others, the population or ownership model may be unstable.

That’s why execution needs a clear workpaper trail:

  • define the control and assertion
  • describe the test method
  • identify the population
  • explain the sample rationale
  • record each exception
  • conclude on reliance, not only on completion

Without that chain, the test result won’t stand up to challenge.

Documenting Evidence for Traceability

A control test without traceable evidence is only a conversation. Audits don’t rely on conversations for long.

The practical standard is simple. Evidence has to be sufficient, relevant, and durable enough that someone else can verify what happened, when it happened, and which control it supports. In regulated environments, that pushes teams away from ad hoc screenshots and shared-folder habits toward records with timestamps, version history, and clear ownership.

A hand-drawn illustration showing documents connected by chains leading to an evidence file and traceability icon.

What traceability actually means

Traceability is the ability to move in both directions:

  • from the policy to the control
  • from the control to the evidence
  • from the evidence to the specific execution event
  • from the execution event to the responsible role

That chain matters more as controls become more automated. In IT audits under GDPR and DORA, tests of controls for automated access management systems such as RBAC and TOTP 2FA prioritise operating effectiveness, and the consistency of IT processing means a single validation of an automated control can suffice for the period if no significant changes occur, reducing sample sizes by up to 80% compared with manual controls, as outlined in the European Court of Auditors methodology on tests of controls.

The implication is practical. If you want to rely on a system-enforced control, you need reliable evidence that the configuration was in place, that change management didn’t undermine it, and that logs are complete enough to support re-performance.

Weak evidence patterns

Most documentation problems are predictable.

Weak pattern Why it fails
Undated screenshots They don’t establish period coverage or execution timing
Exported files without version context Reviewers can’t tell which state of the record they represent
Approval emails outside the control record Evidence becomes fragmented and easy to dispute
Narrative-only explanations They describe intent, not operation

A smaller operational team may recognise the same issue from day-to-day admin work. Even a basic guide on how to automate receipt management for UK freelancers reinforces the same principle: documents become usable evidence only when they stay connected to workflow, dates, and responsibility.

One system of record

The most defensible evidence model is one where the policy, control, owner, and artefacts stay linked in a single chain of custody. That’s also why teams benefit from a structured view of audit evidence and how to maintain it. The point isn’t documentation for its own sake. It’s preserving enough context that the test result can be challenged and still hold.

The best evidence isn’t the largest attachment. It’s the record that lets an independent reviewer reproduce the conclusion.

When to Test Controls and When to Reconsider

Not every control should be tested for reliance. That sounds obvious, but many audit plans still treat control testing as the default option and substantive work as the fallback. In practice, the decision should be economic and operational.

There’s a known gap here. Guidance often acknowledges that auditors must choose between tests of controls and substantive procedures based on efficiency, but it doesn’t provide a practical framework for deciding when testing becomes economically unjustifiable. That pain point is described directly in this discussion of the test of controls decision problem.

When testing is worth it

Testing controls usually makes sense when the control is stable, the evidence is accessible, and a positive result will materially reduce later audit work. That tends to be true for well-governed automated controls, mature review workflows, and processes with clear logs and ownership.

Use these questions:

  • Will a successful test change the audit approach?
  • Can the control be evidenced without reconstruction work?
  • Has the design already been validated well enough to justify operating tests?
  • Is the control executed consistently enough to support period reliance?

When to pivot

Sometimes the better answer is to stop trying to rely on the control and move directly to substantive procedures.

That’s often the right choice when:

  • the control has a history of exceptions
  • ownership is unclear
  • evidence is scattered across email, chat, and local files
  • the process changed repeatedly during the audit period
  • a failed test would merely send the team back to extensive substantive work anyway

The important point is that this isn’t failure. It’s disciplined planning. If a control test is likely to consume time without producing dependable reliance, the better strategy is to say so early and design the audit around direct verification instead.

From Control Testing to Continuous Assurance

The mature view of a test of controls is that it shouldn’t be a once-a-year scramble. It should be one part of a broader assurance model where evidence, ownership, and system behaviour are visible all the time.

That matters because the scale is not trivial. Organisations typically have 200+ key internal controls for each compliance requirement, with each control requiring 40 or more hours to test, which can add up to 8,000+ hours annually according to this practical guide to internal controls testing. At that level, manual reconstruction is not a serious operating model.

What continuous assurance changes

Continuous assurance doesn’t mean constant audit activity. It means the organisation maintains enough structure that control effectiveness is demonstrable without rebuilding the evidence chain from scratch each time.

That usually requires:

  • controls tied clearly to owners and systems
  • evidence attached close to execution, not collected months later
  • logs and approvals retained in a reviewable form
  • changes in design or configuration surfaced early
  • periodic re-validation of the controls that matter most

For teams working toward repeatable assurance across frameworks, it helps to think in terms similar to SOC 2 certification readiness. The useful mindset isn’t “How do we pass the audit window?” It’s “Can we prove how the system behaved when asked?”

A well-designed test of controls supports that model. It gives the auditor a basis for reliance. More importantly, it gives management a basis for trust in the operating environment.

AuditReady helps regulated teams build that evidence chain in practice. The platform is designed for DORA, NIS2, GDPR, and similar audit environments where traceability matters more than presentation. Teams can define scope and responsibilities, link policies to controls, attach encrypted evidence, preserve immutable audit trails, and produce structured audit packs without turning compliance into a document chase. If you want a calmer way to maintain audit-ready records, take a look at AuditReady.