How to Test Your Internal Controls

Based on the COSO framework, internal control consists of five integrated components:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring Activities

What Are Monitoring Activities?

Monitoring activities are these actions that an organization develops and performs to ascertain whether the components of internal control are present and functioning. These activities are performed on an ongoing basis or a separate evaluation.

  • An ongoing evaluation refers to regular management and supervisory activities. For example, managers monitor and provide feedback on day-to-day performance to ensure employees follow the organization’s best practices and develop work teams to enhance individual employee skills and capabilities. Ongoing evaluation activities can help management build a sound working environment and ensure employees work towards the organization’s goal.
  • A separate evaluation is another type of monitoring activity, and it refers to how an organization evaluates internal controls by testing them and communicating the test results in a timely manner to those parties responsible for taking correction actions, including senior management and the board of directors, as appropriate. The Sarbanes-Oxley Act (SOX) requires public organizations to test and document their internal controls over financial reporting. A separate evaluation of internal controls is a more formal monitoring activity compared with ongoing monitoring. There are four performing methods for separate evaluation.

Performing Methods for Separate Evaluation

  1. Observation: Observation may be the first thing when an auditor walks in an organization. Is the organization neat and clean? Do the employees look depressed or unhappy? What attitude does the management have when talking to auditors? All observations will be a part of evaluation for the organization’s tone at the top. Auditors also observe business processes to evaluate internal controls. Usually, auditors and business owners or managers select critical operations that have impact on financial reporting to observe, such as the financial reporting process, the revenue process, the procurement process and the treasury process, etc. Observing internal controls in the actual environment helps auditors determine the effectiveness and efficiency of each internal control. For example, in the procurement process, one control may be worded “all purchase orders are approved based on the delegation of authority prior to placing purchases.” If an auditor finds that buyers place orders without purchase orders or before purchase orders’ approval, the auditor should challenge whether the control is in place and effective.
  1. Walkthrough: A walkthrough refers to tracking documents and data through the financial reporting system from the inception of the transaction to their termination. A walkthrough provides a good understanding of the accounting system and business processes, and helps to evaluate internal controls. The walkthrough is the most effective way to understand the flow of transactions and the likely sources of potential misstatement, because a walkthrough allows the person performing walkthrough to identify points at which necessary controls are not in place or not designed effectively. Usually, a single transaction will be selected to walk through. For example, an organization has implemented the new customer due diligence review process before a new customer is set up in the accounting system and a new contract with the new customer is signed. A walkthrough of the process can track a new customer request going through the setup of the new customer in the accounting system to determine if the review process is properly performed prior to the setup and signing a new contract. Walkthroughs, similar to testing, can be relied upon as audit evidence and therefore should be properly documented.
  2. Inspecting Documents: Inspecting documents refers to the review of relevant evidentiary documentation to test internal controls to determine whether internal controls are effective and efficient. The nature of the control testing will provide appropriate evidence on which management and auditors can depend. This method is more sophisticated compared with other methods because it requires a proper testing methodology that defines population, sample selections, evidence and testing frequency, and provides guidelines to conduct tests. For instance, an internal control may describe that “management receives and reviews a quarterly variance analysis report, and explains any financial statement line item with a prior period difference of $250,000 and 10% or the absence of expected variances.” To test the control, we must define the population and evidence of the control, develop the testing attributes based on the control description, conduct the testing by reviewing and examining the evidence documentation, and then draw a conclusion based on the test result. There is a brief summary for the control testing below.
    Control Description Management receives and reviews a quarterly variance analysis report, and explains any financial statement line item with a prior period difference of $250,000 and 10% or the absence of expected variances.
    Objective of the Control Financial results and variance explanations are properly reviewed by management.
    Risk of the Control Large variances may be the result of fraud, inaccurate financial statement or erroneous transactions.
    Frequency Quarterly
    Testing Attributes 1. Variance analysis report is reviewed.

    2. If applicable, there is documented explanation to the differences.

    3. There is evidence of management’s review, such as sign-off.

    Population All monthly variance analysis reports during the testing period.
    Evidence Monthly variance analysis reports

    The evidence of management review

  3. Re-performance: Re-performance is a form of audit evidence and is usually adopted by auditors. It is the auditor’s independent execution of procedures of controls that were originally performed as part of an organization’s internal control. Re-performance offers the highest level of assurance that a process is in place and operating effectively. But re-performance is time-consuming. Auditors often use the testing method on the critical financial schedules, such as recalculating amortization spreadsheets or roll-forward schedules to ensure the accuracy.

Usually, organizations and auditors use the combination of the four testing methods. Regardless of which methods are used, management and auditors need to document internal control testing, which is very important for private companies and required by SOX and Auditing Standards of PCAOB (Public Company Accounting Oversight Board). Management and auditors must document the procedures performed, evidence obtained, and conclusions reached with respect to relevant financial statement assertions.

We will provide a download file, 10 Steps to Test Internal Controls, including more regarding the testing method and Inspecting Documents. Please click the button below to download the file and let us know when you have any comments or questions.

Download 10 Steps to Test Internal Controls


Emma Zhang is an experienced audit professional, with more than six years of internal audit & Sarbanes Oxley (SOX) compliance focusing on operations, accounting, internal controls and process improvement. Competencies include operational auditing, accounting, management consulting, Sarbanes Oxley (SOX) compliance, audit planning and risk assessments, operational/financial planning and analysis, and data analysis. Emma is a resourceful, creative thinker and analytical problem solver with demonstrated ability to independently manage tasks from planning through execution in dynamic, fast-paced, and time-sensitive environments. Emma is a CPA with a CFE certificate. Emma is also a Blackline Certified Implementation Professional and helps clients to implement Blackline system.