Principles and approach


As a department:

  • set minimum sample sizes for testing based on the number of transactions and the frequency with which controls are exercised;
  • produce a test plan from your assessment of risks and controls; and
  • provide a template for recording your testing – this may include the purpose, population, sample selection methodology, findings and conclusion.

How testing works

Test that the control operates effectively over time (e.g. that reconciliations are signed off monthly as having been completed correctly) and that the underlying transactions are accurate (e.g. that an individual reconciliation was accurate when you performed it a second time). The first is known as compliance testing and the second as substantive testing.

Testing can also look for indicators of fraud or error, such as analysing expenses paid on the same date to see whether a claim has been split to stay below an authorisation level.
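The split-claim indicator described above, as an added worked example that is not part of the original guidance: same-claimant, same-date expense claims are grouped, and a group is flagged when each claim sits at or below the authorisation limit but the claims together exceed it. The limit (`AUTH_LIMIT`), the field names and the sample records are all constructed for illustration.

```python
"""Split-claim indicator test over constructed expense data.

Added example, not from the original guidance. The threshold, field names and
records are all assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Assumed single-claim authorisation limit (constructed value).
AUTH_LIMIT = Decimal("500.00")


@dataclass(frozen=True)
class Claim:
    claim_id: str
    claimant: str
    paid_on: str      # ISO date kept as text; grouping only needs equality
    amount: Decimal


# Constructed sample population: one apparent split, one large single claim
# approved as a whole, and ordinary small claims that should not be flagged.
CLAIMS = [
    Claim("C001", "a.smith", "2024-03-04", Decimal("480.00")),
    Claim("C002", "a.smith", "2024-03-04", Decimal("495.00")),
    Claim("C003", "a.smith", "2024-03-05", Decimal("40.00")),
    Claim("C004", "b.jones", "2024-03-04", Decimal("1200.00")),  # over limit, but one claim
    Claim("C005", "c.wu",    "2024-03-04", Decimal("120.00")),
    Claim("C006", "c.wu",    "2024-03-04", Decimal("90.00")),    # two claims, total under limit
]


def find_split_claims(claims, limit=AUTH_LIMIT):
    """Return groups of same-claimant, same-date claims that each sit at or
    below the limit but together exceed it (the indicator in the guidance)."""
    groups = defaultdict(list)
    for c in claims:
        groups[(c.claimant, c.paid_on)].append(c)

    findings = []
    for (claimant, paid_on), group in sorted(groups.items()):
        if len(group) < 2:
            continue  # a single claim cannot be a split
        total = sum(c.amount for c in group)
        if total > limit and all(c.amount <= limit for c in group):
            findings.append({
                "claimant": claimant,
                "paid_on": paid_on,
                "claim_ids": sorted(c.claim_id for c in group),
                "total": total,
            })
    return findings


if __name__ == "__main__":
    for f in find_split_claims(CLAIMS):
        ids = ", ".join(f["claim_ids"])
        print(f"{f['claimant']} {f['paid_on']}: {ids} total {f['total']}")
```

The output is an indicator, not a conclusion: each flagged group still needs to be followed up with the claimant's line manager and the supporting receipts before it is recorded as a finding.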

Effective testing

Take responsibility for designing efficient and effective testing:

  • Ensure there’s no bias in your sample selection methodology in order for your testing results to be credible
  • Consider breaking your testing population down into chunks based on the value of the transaction in order to target it better
  • Testing should refer to the organisation’s risk appetite/key risk indicators where relevant
  • Ensure there’s no bias when testing across a number of business areas exercising the same controls
  • Analyse data extracted from systems to test large volumes of information
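The sampling points above (an unbiased selection method, breaking the population into value bands, and a selection that can be re-performed later) as an added worked example, not code from the original guidance. The value bands, minimum sample sizes per band and the population are assumptions constructed for illustration; the seed is recorded with the sample so an independent reviewer can regenerate the same selection.

```python
"""Value-stratified, reproducible sample selection over a constructed population.

Added example, not from the original guidance. Band boundaries, minimum sample
sizes and the population are assumptions constructed for illustration.
"""
import random
from decimal import Decimal

# Assumed value bands (lower bound inclusive, upper bound exclusive) and the
# minimum number of items to test per band. The top band is tested in full,
# which is one way of targeting testing at the highest-value items.
STRATA = [
    ("low",    Decimal("0"),     Decimal("1000"),  3),
    ("medium", Decimal("1000"),  Decimal("10000"), 2),
    ("high",   Decimal("10000"), None,             None),  # None = test every item
]


def stratify(population, strata=STRATA):
    """Partition (item_id, amount) pairs into the bands defined in strata."""
    bands = {name: [] for name, *_ in strata}
    for item_id, amount in population:
        for name, low, high, _ in strata:
            if amount >= low and (high is None or amount < high):
                bands[name].append((item_id, amount))
                break
    return bands


def select_sample(population, seed, strata=STRATA):
    """Draw a seeded random sample from each band.

    Seeding removes tester discretion from the selection (no bias) while
    keeping it repeatable: the same seed and population give the same sample.
    """
    rng = random.Random(seed)
    bands = stratify(population, strata)
    record = {"seed": seed, "population_size": len(population), "bands": {}}
    for name, _, _, minimum in strata:
        items = sorted(bands[name])          # deterministic order before sampling
        if minimum is None or minimum >= len(items):
            chosen = items                   # whole band is tested
        else:
            chosen = sorted(rng.sample(items, minimum))
        record["bands"][name] = {
            "population": len(items),
            "sampled": [item_id for item_id, _ in chosen],
        }
    return record


# Constructed population of 12 payments.
POPULATION = [(f"P{n:03d}", Decimal(v)) for n, v in enumerate(
    [120, 450, 980, 35, 760, 1500, 4200, 9999, 12000, 25000, 300, 88], start=1)]


if __name__ == "__main__":
    sample = select_sample(POPULATION, seed=2024)
    print(f"seed {sample['seed']}, population {sample['population_size']}")
    for band, detail in sample["bands"].items():
        print(f"  {band}: {detail['population']} items, tested {detail['sampled']}")
```

The returned record (seed, population size, band sizes and the item ids selected) is the kind of content the testing template in "Principles and approach" asks for under population and sample selection methodology.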

Effectively document your testing:

  • Enough information should be provided so that it could be performed again
  • The same conclusion should be reached by an independent reviewer
  • Retain evidence of the material errors you find in case it’s disputed
  • Re-visit your test plan in light of your test findings

Consider other evidence of the operation of controls/accuracy of data:

  • Analyse management information (MI) produced by the business and what that tells you about risk
  • See if controls have been tested by risk oversight functions or the department themselves (this may be required for Sarbanes-Oxley)

Talk through your findings with local management to ensure they’re valid, avoid ‘surprises’ and reduce potential challenge at a later stage.

Hints and tips

Multiple-choice questions