In addition to the specification of process controls, another essential aspect of an internal control system is the regular review of controls for adequacy and effectiveness. This task is also the responsibility of the process owner. In the course of the process-compliant execution of the work processes, you should also ensure that the controls used are implemented properly.
In practice, this review of process controls (also referred to as a control test) is often performed by means of random sampling on a quarterly or semi-annual basis. Within the scope of these control tests, all process controls of a business process are analyzed and reviewed in particular with regard to the following questions:
- Was the control evidence provided during the period under observation?
- Were the process objectives achieved with the help of the controls?
It is recommended to keep a verifiable record of the considerations and results of these control tests!
The definition of these control tests typically takes place in the course of the process documentation and the definition of the process controls. This makes it easier for you to estimate the frequency at which the control tests should be performed. As a rule of thumb, the more frequently the process is performed, the shorter the interval of the control tests should be set.
If you discover any control gaps or potential for improvement in the course of the control tests, you can initiate measures to improve them. By doing so, the processes of the area under consideration advance from documentation to a continuous improvement process. From this point on, the process, including the process controls, is regularly evaluated and improved.