Demonstrating assurance over internal controls

Audit's primary function is to provide assurance on the effectiveness of risk management and the strength of the control environment within an organization. By centralizing and automating parts of the audit program, Audit can simplify internal controls management and promote collaboration across the organization. In this article, we discuss how to test controls using the Projects app.

This article illustrates how to test controls using an Anti Bribery and Corruption Internal Control Framework project template, which is useful for small to mid-sized audit functions and teams. The workflow outlined in this article is appropriate for more complex types of audits where narratives are defined, walkthroughs are performed to verify control design, and tests are performed to verify the operating effectiveness of controls. This is one approach, but you can achieve the same or similar objectives using other project templates.

What does it mean to test controls?

Testing controls is the process of:

  • determining key and non-key controls
  • identifying which controls will be tested
  • evaluating each key control based on its design and operational effectiveness

If testing indicates that a control is not operating as expected or designed, Audit notes an exception and works with the business to manage a remediation plan.

Where do I test controls?

You can test controls using the Projects app.

The big picture

  • Projects are used to document objectives, risks, and controls, test the design and effectiveness of controls, and capture issues.
  • Assessments are used to document the evaluations of the design and operational effectiveness of controls.

Ultimately, the testing results in a project can roll up into your organization's assurance score, which gives you a real-time picture of how well your organization is mitigating risk.


Ready for a tour?

Let's take a closer look at these features in context.

1. Set up your project

The first step is understanding the best method to set up data in the system so that you can report out appropriately. You can create projects to define objectives, risks, and controls, evaluate the design and operational effectiveness of controls, and compile information for reporting purposes. Projects can be created from scratch, from a template, or from an existing project.


The Projects app offers several risk and control libraries (project templates) that contain pre-populated content for specific workflows. A variety of project templates are typically used to jumpstart audits and to create reusable templates. These include:

  • Internal Audit (Operational) Templates
  • SOC/SSAE 16/ISAE 3402 Audit Templates
  • Internal Audit (Financial & Internal Control) Templates
  • the Sarbanes-Oxley (SOX) Audit Template (COSO 2013 Framework)

Set up a project

You can choose between two different types of project workflows, depending on whether your audits are operational or more comprehensive (such as SOX or ICFR reviews). After you set up a project, Projects enforces a simple workflow in the audit. This helps you identify relevant audit procedures and manage issues.


Frameworks are helpful for reducing manual efforts involved in setting up projects, and can be used to centrally manage information in evolving regulatory and business environments.

Document objectives

Objectives form the basis of a project, and they are also the organizing containers for the work done in a project. Each objective states the subject matter under examination and how performance will be assessed. Objectives can be defined so that the work can be divided up into manageable tasks for members of the audit team to complete.

Document narratives

Narratives provide a way of understanding how your organization's internal controls fit into a business process. Many organizations rely on flowcharts as a primary method to visualize and show the detailed workflow within a given area. Any audio or visual content can be attached to support narrative documentation, and you can associate controls for referencing purposes.

Document risks and controls

Documenting risks and controls results in the production of a risk control matrix (RCM). An RCM is a combination of identified risks and corresponding controls (the measures or courses of action for how the risk will be mitigated).


Depending on the organization, and the size of the audit function, assessing the inherent and residual risk may be the responsibility of different teams. Larger organizations typically leverage operational risk or compliance risk assessments to support the audit work.


Once risks and controls are documented, process owners can set up a schedule in Projects to assure that control activities are being performed consistently.

2. Evaluate control design and effectiveness

Many Audit functions look to the business to take on some of the responsibilities of evaluating control design and effectiveness. Simple tasks, such as updating a control walkthrough and documenting control effectiveness test steps, are accessible by the owners themselves. This allows for the assessment of those controls to be truly owned by the business.

Evaluate control design

Audit can work with control owners to evaluate the design of a control through attestation and/or attachment of evidence, define action plans to implement missing controls, or explain why a control is not necessary.


Frontline staff in an organization can use the Mission Control app to manage the controls they have access to, outside of the Projects app. Mission Control is an app that presents control information from Projects in a simplified and centralized view.

Define a test plan

Test plans identify how you will test the control. You can define test plans to specify the testing method, the total sample size (split amongst testing rounds), and test steps that need to be performed to test the control.


Inspirations, a catalog of risk scenarios and tests collected from Diligent initiatives worldwide, offers a series of analytic testing ideas by process. For more information, see Tools & Templates.

Evaluate control effectiveness

Evaluating control effectiveness involves documenting detailed testing results and specifying whether the control passed or failed. Once you have finished evaluating the effectiveness of the control, you can mark up portions of text and link to evidence, such as policy or procedure manuals, regulations, SLAs/SLSs, and contracts.


To avoid manual scoring of control effectiveness, you can use Assessment Drivers to automate different control assessments. You can link a metric created in the Results app to a control assessment in Projects in order to inform the assessment, and auto-populate inherent risk scores based on pre-defined metric ranges.

3. Demonstrate assurance

Projects provides the ability to automatically aggregate risk assessments, testing results, and issues across the entire project into a single assurance metric (a percentage) that can be used for reporting purposes. As walkthroughs and tests pass, assurance increases.


If you've taken a top-down approach and are managing your organization's strategic risks in the Strategy app, you can demonstrate assurance by rolling up testing results from projects that have been put in place to mitigate or manage strategic risks.

What's next?

Monitor progress of your SOX programs

You can view and monitor the progress of your SOX programs through Storyboards. It takes just a few minutes to install the pre-configured SOX Storyboard Toolkit and have your storyboards populated with data. For more information, see SOX Storyboard Toolkit.

Enroll in an Academy course

Continue to build your knowledge on the concepts introduced in this article by taking Managing internal controls with Internal Controls Management (previously ControlsBond).

Academy is Diligent's online training resource center. Academy courses are included at no extra cost for any user with a HighBond subscription.

For more information, see Course Catalog.