Internal Control Testing Program Best Practices

One of the first phrases conjured up when one mentions Missouri is “The Show Me State.” Given my love for history, particularly that of the United States, I naturally sought to understand how this state nickname came to be.

While there are a few conflicting accounts, the one that I consistently ran across was the story of a U.S. Representative from Missouri named Willard Duncan Vandiver. As a member of the House Committee on Naval Affairs, Vandiver was attending a Naval Banquet in Philadelphia in 1899 where he stated:

“I come from a state that raises corn and cotton and cockleburs and Democrats, and frothy eloquence neither convinces nor satisfies me. I am from Missouri. You have got to show me.”

Over time, the “show me” moniker has been used by Missourians to represent their practicality and insistence that something cannot simply be said—it must be proven.

As regular readers of my blog posts have come to expect, I’ve found a clear tie in between this little slice of Americana and one of the pressing areas that Onspring clients deal with on a daily basis: validating the overall effectiveness of their internal controls. In my former life as an internal auditor, I had countless discussions with process owners where they professed to have a full set of reliable controls that mitigate any risks that may present themselves, so no need to go any further. In the earliest, most naive point in my career, I took what they said at face value, much to the chagrin of my supervisors, who had to remind me that I was there to audit these folks, not simply ask questions. The phrase they beat into my head during those formative years was simple: “Trust…then verify.”

As I often tell my kids, sometimes the best lessons to learn are the hard ones, and I did learn a hard lesson back then. Just because someone in my own organization was telling me that they were properly controlled, I still had the responsibility to validate that this was actually the case. Yes, this seems obvious, particularly for an internal auditor, but I believe you’d be surprised at the number of organizations that do not have a fully structured approach to evaluating the effectiveness of their system of controls. Whether their approach is not formally defined and communicated, inconsistently applied and/or inefficiently managed and monitored, they are at risk of not fully understanding whether their controls are meeting their stated objectives or worse, being completely caught off guard by a critical control failure that could lead to much more serious issues.

To that end, we offer the following considerations as you evaluate the effectiveness of your control testing program:

Inventory the controls that should be subject to evaluation.

Before you can establish a reliable testing program, you need to make sure that all of your critical controls are identified and adequately documented. Having a complete and consistent control library includes identifying the fundamental details of each control and understanding the impact that the control has on other aspects of your organization (i.e. business units, strategic objectives, risks, policies, regulations, etc). This is not to say that you have to document every single control your organization performs before you can get started with testing, but establishing a baseline inventory containing your most critical controls is a good place to start.

Determine the factors that drive the nature and extent of required evaluations.

What we mean here is to consider the impact that this control has on your organization and use that to determine the nature and frequency of the testing that should be performed.

• Is the control critical to your organization’s ability to demonstrate adherence to key policies and/or regulations?
• Is it a key control over financial reporting at a public company?
• Is it an efficiency control that you deem is “nice to have”?

Having a method to qualify and prioritize your controls will enable your testers to focus their attention on the most important things first. Often times the purpose for the control may help drive this evaluation. For example, a SOX control over the capture of financial data in a material GL account would be a logical target, and other requirements (i.e., GDPR, PCI, HIPAA, SOC) may provide detailed guidance on the nature and frequency of testing that is required.

Employ a testing approach that balances the need for assurance with efficiency.

Various attributes of a control may drive your testing approach. For example, the level of reliance placed on a control in mitigating a critical risk may drive you to perform more frequent evaluations of the control and/or test the full population of the control vs. only reviewing a sample of instances of its execution. Also, performing design evaluations of a control before testing the control’s operation will allow you to identify issues that may exist in how the control is being performed, which can allow you to suspend operating testing until the design of the control is corrected.

Document and follow up on identified issues.

It may seem like a simple concept, but a key aspect in control testing is having a method to identify, prioritize, and mitigate issues noted during the testing process. These mitigation efforts should be tracked through to completion, and a best practice approach is to perform some level of validation of mitigating procedures by reperforming test procedures at an appropriate point in time to ensure that the issue has indeed been resolved.

Implementing a reliable process for evaluating and testing controls can be challenging, but it is certainly attainable. With the right amount of information, reliable supporting technology and, most importantly, the support of executive leadership, your organization can establish a control evaluation program that gives you a level of assurance, predictability and insight that extends well beyond that of “frothy eloquence.”

About the author