Fatskills
Practice. Master. Repeat.
Study Guide: **Internal Controls: Testing & Remediation – A Practical Guide**
Source: https://www.fatskills.com/accounting/chapter/internal-controls-testing-remediation-a-practical-guide

**Internal Controls: Testing & Remediation – A Practical Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

Internal Controls: Testing & Remediation – A Practical Guide


What Is This?

Internal controls are policies, procedures, and systems that ensure accuracy, compliance, and efficiency in an organization’s operations. Testing and remediation verify whether controls work as intended and fix gaps when they don’t.

Why use it?
- Prevent fraud, errors, and financial misstatements.
- Ensure compliance with laws (e.g., SOX, GDPR, HIPAA).
- Improve operational efficiency by catching control failures early.


Why It Matters

  • Financial integrity: Weak controls lead to fraud (e.g., Enron, Wirecard) or regulatory fines.
  • Operational risk: Broken controls cause system failures (e.g., IT outages, supply chain disruptions).
  • Trust & reputation: Stakeholders (investors, customers, auditors) demand proof of effective controls.


Core Concepts


1. Test of Controls (TOC)

  • Definition: A procedure to verify whether a control is operating effectively.
  • Types:
  • Design testing: Does the control theoretically prevent/ detect issues?
  • Operating effectiveness testing: Does the control actually work in practice?
  • Methods:
  • Inquiry: Ask employees how they perform the control.
  • Observation: Watch the control in action (e.g., approval workflows).
  • Inspection: Review documents (e.g., logs, signatures, system reports).
  • Reperformance: Manually re-execute the control (e.g., recalculating totals).

2. Control Deficiencies

  • Definition: A flaw in a control that increases risk of misstatement, fraud, or non-compliance.
  • Severity levels:
  • Deficiency: A minor gap that doesn’t materially impact operations.
  • Significant deficiency: A serious flaw that could lead to material errors (reported to management).
  • Material weakness: A severe gap that could result in material misstatement (reported to auditors and stakeholders).

3. Remediation Plans

  • Definition: A structured approach to fix control deficiencies.
  • Key components:
  • Root cause analysis: Why did the control fail? (e.g., poor training, system bugs, unclear policies)
  • Corrective actions: Steps to fix the issue (e.g., retraining, system patches, policy updates).
  • Timeline & ownership: Who is responsible, and by when?
  • Validation testing: Re-test the control after remediation to confirm it works.


How It Works


1. Control Testing Workflow

graph TD
A[Identify Controls] --> B[Design Test Procedures]
B --> C[Execute Tests]
C --> D[Document Findings]
D --> E[Assess Deficiencies]
E --> F[Report to Management]
F --> G[Remediate Gaps]
G --> H[Re-test Controls]

2. Remediation Process

  1. Prioritize deficiencies (material weaknesses first).
  2. Assign owners (e.g., IT for system controls, HR for training).
  3. Implement fixes (e.g., automate approvals, update access controls).
  4. Re-test to confirm the control now works.
  5. Monitor for recurring issues.

Hands-On / Getting Started


Prerequisites

  • Basic understanding of business processes (e.g., procurement, payroll, IT access).
  • Access to control documentation (e.g., policies, flowcharts, system logs).
  • Tools: Excel (for tracking), audit management software (e.g., MetricStream, ServiceNow GRC).

Step-by-Step: Testing a Purchase Approval Control

Scenario: Verify that all purchase orders (POs) over $10,000 require manager approval.


1. Design the Test

  • Control: "POs > $10,000 must be approved by a manager."
  • Test procedure:
  • Sample 20 POs > $10,000 from the last 3 months.
  • Check for manager signature/email approval.
  • Note any exceptions.

2. Execute the Test

Sample PO #12345: $12,000
- Approval: ✅ (Manager: Jane Doe, Date: 2024-05-10)
Sample PO #12346: $15,000
- Approval: ❌ (No manager signature)

3. Document Findings

PO # Amount Approved? Issue (if any)
12345 $12K None
12346 $15K Missing manager approval

4. Assess Deficiencies

  • Finding: 1/20 POs lacked approval (5% failure rate).
  • Severity: Significant deficiency (could lead to unauthorized spending).
  • Root cause: No automated alert for missing approvals.

5. Remediate

  • Action: Implement a system flag for POs > $10K without approval.
  • Owner: IT team.
  • Timeline: 2 weeks.
  • Validation: Re-test 20 POs after the fix.

Expected Outcome:
- 100% compliance in the next test.
- Reduced risk of unauthorized spending.


Common Pitfalls & Mistakes


1. Testing Too Few Samples

  • Mistake: Testing only 2-3 controls instead of a statistically valid sample.
  • Fix: Use sampling guidelines (e.g., AICPA’s audit sampling tables) or test 100% for critical controls.

2. Ignoring Root Causes

  • Mistake: Fixing symptoms (e.g., re-training one employee) without addressing systemic issues (e.g., unclear policies).
  • Fix: Use the "5 Whys" technique to dig deeper.

3. Overlooking Compensating Controls

  • Mistake: Declaring a control "failed" without checking if another control mitigates the risk.
  • Fix: Map controls to risks (e.g., if approvals fail, does a budget limit prevent overspending?).

4. Poor Documentation

  • Mistake: Writing vague findings (e.g., "Control is weak").
  • Fix: Document:
  • What was tested.
  • How it was tested.
  • Evidence (e.g., screenshots, logs).
  • Who performed the test.

5. Skipping Re-Testing

  • Mistake: Assuming remediation worked without validation.
  • Fix: Always re-test after fixes.


Best Practices


For Testing Controls

  • Align with risks: Focus on controls that mitigate high-impact risks.
  • Use a mix of methods: Combine inquiry, observation, and inspection for thoroughness.
  • Automate where possible: Use tools (e.g., ACL, IDEA) to test large datasets.

For Remediation

  • Prioritize material weaknesses: Fix these first to avoid audit failures.
  • Assign clear owners: Avoid "someone will handle it" ambiguity.
  • Set deadlines: Use SMART goals (Specific, Measurable, Achievable, Relevant, Time-bound).
  • Monitor trends: Track recurring deficiencies to identify systemic issues.

For Documentation

  • Be specific: Instead of "Control failed," write "PO #12346 lacked manager approval."
  • Include evidence: Attach screenshots, logs, or emails.
  • Use templates: Standardize reports for consistency.


Tools & Frameworks

Tool/Framework Use Case When to Use
Excel/Google Sheets Basic tracking of tests and findings. Small teams or simple controls.
ACL Analytics Data analysis for control testing. Large datasets (e.g., 10K+ transactions).
MetricStream End-to-end GRC (Governance, Risk, Compliance). Enterprise-wide control management.
ServiceNow GRC IT and operational control testing. Organizations using ServiceNow ITSM.
COSO Framework Designing and assessing internal controls. Aligning with global standards.
COBIT IT control testing and governance. IT-heavy environments.


Real-World Use Cases


1. Financial Reporting (SOX Compliance)

  • Industry: Public companies (U.S. SOX 404).
  • Control: "Journal entries > $50K require CFO approval."
  • Test: Sample 30 entries; verify CFO sign-off.
  • Remediation: Automate alerts for missing approvals.

2. Healthcare (HIPAA Compliance)

  • Industry: Hospitals, insurers.
  • Control: "Patient records are accessed only by authorized staff."
  • Test: Review access logs for unauthorized attempts.
  • Remediation: Revoke access for terminated employees; implement role-based access.

3. Supply Chain (Vendor Fraud Prevention)

  • Industry: Manufacturing, retail.
  • Control: "Vendor payments require 3-way match (PO, receipt, invoice)."
  • Test: Sample 50 payments; check for matches.
  • Remediation: Train AP staff; flag mismatches in ERP system.


Check Your Understanding (MCQs)


Question 1

You test a control requiring manager approval for expenses > $5K. Out of 25 samples, 3 lack approval. What is the most appropriate next step?

A) Ignore the findings—3/25 is not a big deal.
B) Report a material weakness to auditors immediately.
C) Investigate the root cause and remediate before reporting.
D) Retrain all managers and re-test next year.

Correct Answer: C Explanation: A 12% failure rate (3/25) is significant but not necessarily a material weakness. Investigate the root cause (e.g., unclear policy, system error) and fix it before escalating.
Why the Distractors Are Tempting:
- A: Underestimates risk; even small failures can indicate systemic issues.
- B: Overreacts; material weaknesses require evidence of material impact.
- D: Skips root cause analysis; retraining may not fix the real issue.


Question 2

A control deficiency is classified as a "material weakness" if:

A) It is a minor gap in a non-critical process.
B) It could lead to a material misstatement in financial reports.
C) It was caused by a single employee’s mistake.
D) It has been present for less than 30 days.

Correct Answer: B Explanation: A material weakness is severe enough to potentially cause a material misstatement (e.g., fraud, regulatory violation).
Why the Distractors Are Tempting:
- A: Describes a deficiency, not a material weakness.
- C: Severity depends on impact, not cause (a single mistake can still be material).
- D: Duration doesn’t determine severity; a short-lived issue can still be material.


Question 3

Which of these is the BEST way to test the operating effectiveness of a control requiring dual approval for wire transfers?

A) Ask the finance team if they follow the policy.
B) Review a sample of wire transfers and verify both approvals.
C) Check if the policy document exists.
D) Observe one wire transfer approval process.

Correct Answer: B Explanation: Inspection (reviewing samples) is the most reliable method for testing operating effectiveness. It provides objective evidence.
Why the Distractors Are Tempting:
- A: Inquiry alone is weak; people may not admit failures.
- C: Tests design, not operating effectiveness.
- D: Observation is useful but limited to a single instance.


Learning Path

  1. Foundations
  2. Learn basic control types (preventive, detective, corrective).
  3. Study COSO or COBIT frameworks.
  4. Understand risk assessment (e.g., inherent vs. residual risk).

  5. Testing Controls

  6. Practice designing test procedures for common controls (e.g., approvals, reconciliations).
  7. Learn sampling techniques (statistical vs. judgmental).
  8. Use tools like Excel or ACL for data analysis.

  9. Remediation

  10. Master root cause analysis (e.g., fishbone diagrams, 5 Whys).
  11. Develop remediation plans with clear owners and timelines.
  12. Practice writing findings reports.

  13. Advanced Topics

  14. Automate control testing (e.g., Python scripts for log analysis).
  15. Integrate controls with IT systems (e.g., SIEM for security controls).
  16. Study audit standards (e.g., PCAOB, ISO 19011).

Further Resources


Books

  • Internal Control: A Manager’s Journey – K.H. Spencer Pickett (practical guide).
  • COSO Enterprise Risk Management – COSO (framework reference).
  • IT Control Objectives for Sarbanes-Oxley – ISACA (IT-specific controls).

Courses

Tools

Communities



30-Second Cheat Sheet

  1. Test of Controls: Verify if controls work via inquiry, observation, inspection, or reperformance.
  2. Deficiency levels: Deficiency < Significant deficiency < Material weakness.
  3. Remediation steps: Root cause → Fix → Re-test → Monitor.
  4. Sample size matters: Test enough items to be statistically valid (e.g., 25-50 for critical controls).
  5. Document everything: Findings, evidence, and remediation actions.

Related Topics

  1. Risk Management: Identifying and mitigating risks that controls address.
  2. IT Auditing: Testing controls in IT systems (e.g., access controls, change management).
  3. Compliance Frameworks: SOX, GDPR, HIPAA, and how controls align with them.


ADVERTISEMENT