The 5 Tests Of Controls To Verify Cybersecurity Measures
Pansy
Sep 04, 2024
An audit contains various steps like planning and preparation, selecting a focus area, creating a checklist, informing various teams, and so on. However, it cannot take place without the tests of controls. In fact, both SOC 1 and SOC 2 audits require testing relevant controls to ensure compliance validity.
Hence, let’s look at the types of tests of controls conducted during an audit, their benefits, and whether there is any way to automate such tests.
TL;DR A test of controls is conducted during an audit to ensure that all required controls are operational and functioning effectively. Auditors use various techniques such as computer-assisted audit techniques (CAAT), along with methods like examination, inquiry, observation, inspection, and re-performance. Tests of controls ensure control functionality, verify cybersecurity measures, and avoid substantive auditing.
What are tests of controls?
Tests of control are a step in the audit process that assesses if the company’s internal controls are working efficiently or not. If any controls are found to be inadequate or not working properly, it could indicate potential fraud or errors that would need to be disclosed in the audit report.
While implementing compliance, the auditor conducts a test of controls to evaluate whether all the measures and evidence are in place. If they are, it implies that the control risk is low. If the controls are reported to be ineffective, it implies that the risk of control failure is high and, hence, that the system is vulnerable to cyber threats.
Nicole Tharp Hemmer (CISSP and CISA) mentioned in an article with Linford & Co, an auditing firm, that
“The goal of the test of controls in audit procedures is to determine if controls are sufficient to prevent or detect risks that could impact a business.”
What are the five tests of controls?

There are five main methods in the audit process to test controls:
1. Inquiry
Inquiry is the first test during auditing, where the external auditors ask the company’s management questions about which controls they are implementing and their respective functions. However, this stage cannot be relied on as foolproof control testing, as there is limited evidence available. It is usually combined with more detailed methods of testing.
2. Observation
Observation is a method of auditing controls by simply observing business processes in real time. This method is adopted when there is no trail or documentation of controls. Auditors observe how controls are implemented across the company and evaluate them for vulnerabilities.
3. Inspection of evidence
During inspection or examination of evidence, auditors assess the operational efficiency of the internal controls. For example, during a regulatory framework audit, the auditor may open documentation for a third-party vendor and check whether due diligence has been conducted.
4. Re-performance
Re-performance is a manual method of auditing controls. Auditors directly execute control elements and check their effectiveness by comparing the outcome with the evidence provided. For example, an auditor could simulate a data loss and ask for all the data in the system to be restored. This test would verify whether the backup and recovery controls function as intended.
5. Computer-assisted audit techniques (CAAT)
CAAT is generally used to audit huge amounts of data and controls. Lately, CAAT has become the most used method of auditing due to technological advancements in auditing and compliance software.
GRC (Governance, risk, and compliance) tools can conduct a real-time test of controls with an attached status of their functioning and evidence pertaining to them, making audits accurate. They can be plugged directly into existing systems using integrations and open APIs to automate evidence collection from any tool stack you use.
Sprinto is an example of how software can automate the audit process: from evidence collection and control flagging to proactive monitoring, incident detection, and mitigation, all through an integrated audit dashboard.
The platform gives the auditor time-stamped evidence from all the organization’s assets while mapping controls to the required frameworks. It eliminates audit fatigue by over 90% and can conduct multiple audits simultaneously.
Why do we need to perform a test of controls?
A test of controls determines whether a business’s internal controls are adequate to detect risks, scan vulnerabilities, and protect its system from cyber threats. Various international frameworks, such as SOC 2, ISO 27001, and NIST, mandate the performance of tests of controls.
Jason Emmons (CISA) and Weston Nelson (CISA, CRISC) note in their article with Moss Adams,
“The very act of testing IT controls forces auditors to conduct interviews and request documentation from those who operate control activities, which leads to clear operations improvements and reduced errors in financial reporting.”
Apart from that, here are four more reasons to conduct control tests:
1. Ensures control functionality: Performing tests of controls ensures that all safeguards are functioning effectively to detect risks and mitigate vulnerabilities.
2. Verifies cybersecurity measures: It verifies that cybersecurity measures are robust and in place, protecting your systems and customers from threats and attacks.
3. Confirms security framework capabilities: The effectiveness of controls confirms that your security framework can prevent potential breaches and maintain the integrity and safety of your data and operations.
4. Avoids costly substantive audits: Internal control testing helps avoid the need for substantive procedures, which are costly and time-consuming. They are highly detailed and involve confirming every element of the evidence provided to the auditor.
How to perform control testing?
Performing a test of control is important as it ensures comprehensive risk management and compliance with regulatory requirements. The following four steps provide concise methods to streamline your control testing process:
1. Build a library of controls
Start by listing and documenting all key controls in detail. An inventory allows you to understand the basic details of each control and its impact on different departments or business units within the organization. Having a well-organized library of key controls simplifies the testing process.
2. Prioritize your controls
Prioritize controls by evaluating their impact on the organization, particularly in compliance with key policies and regulations and financial reporting. Focus on controls critical for demonstrating compliance with SOC 2, GDPR, HIPAA, or PCI standards.
3. Develop separate approaches for specific controls
Controls mitigating significant risks should be evaluated more frequently. Consider performing a design evaluation before testing operational effectiveness. If potential issues are identified in the control’s design, address these before proceeding with operational testing.
4. Document and monitor constantly
During testing, prioritize and document any issues that are identified. Track remediation efforts until completion to make sure that each issue is fully resolved. A best practice is to re-run the test program after remediation to verify that all issues have been addressed.
Automating control testing with Sprinto
The auditing process has evolved significantly over time. Initially conducted through field visits and manual paperwork checks, auditors later adopted spreadsheets and checklists to verify items. Today, these manual methods have been replaced by GRC solutions, streamlining the entire process.
The five tests of controls (inquiry, observation, inspection, re-performance, and CAAT) can be conducted with compliance automation software integrated with audit management. Sprinto is an example of one such platform.
Sprinto leads your path to audit success with an integrated audit dashboard that automates control testing and evidence collection. It also automates audit sampling, avoiding going back and forth between documentation and logs.
Meeta Sharma, Product Marketing Lead at Sprinto, says
“Sprinto, at its core, is an automation engine. It automates your ability to keep track of security controls.”
Furthermore, the platform makes complying with industry standards like SOC 2, ISO 27001, HIPAA, etc., easier by mapping key controls directly to their requirements. It produces compliance health reports, gap reports, and vendor risk reports to help you prepare better for the audit.
Frequently asked questions
What is substantive testing in audits?
Substantive testing involves evaluating the completeness, accuracy, and validity of data within documentation, evidence, logs, due diligence records, or transactions. It aims to detect material misstatements.
How do tests of controls help auditors?
Tests of controls help auditors determine whether tasks are carried out correctly and whether the controls are functioning as intended. They verify whether specific procedures or policies are operating effectively to prevent or detect errors or fraud.
What is an example of a control test?
An example of a control test could be checking the approval process for invoices to ensure that all invoices over a certain amount are approved by authorized personnel.
What is the difference between control testing and substantive testing?
Control testing provides indirect evidence by assessing the reliability of internal controls to prevent or detect errors. Meanwhile, substantive testing provides direct evidence by examining actual documentation, transactions, and financial data irrespective of internal controls.