Take control testing to a new level with CTA


Automation widens coverage and decreases manual tasks


Advances in technology have introduced new capabilities for control test automation that are creating added value for internal and external auditors as well as for management — wherever controls are embedded in an organization’s business processes or its reporting.


When technology is used to test the operating effectiveness of controls:

  • The full population of data can be tested, rather than just a sample.
  • Automated testing that once was manualcan relieve personnel from labor-intensive, often repetitive work.

Take a deeper dive into CTA

Get a detailed analysis of the use of CTA related to internal control over financial reporting — and an illustrative example of CTA over a user-access provisioning control. This publication co-produced and published by Grant Thornton and the AICPA sheds light on CTA relevant to organizations and their internal and external auditors.

Many of today's advanced automation technologies were in their infancy in 2013 when the revised Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) described how technology can support ongoing evaluations of controls.


The COSO framework described how continuous monitoring techniques can provide a high standard of objectivity and enable efficient review of large volumes of data at a low cost. The framework indicated that combined with robust review and analysis of results by knowledgeable personnel, automated monitoring can provide for efficient, effective ongoing testing.


Today’s most tech-savvy companies and internal and external auditors are delivering on COSO’s vision. CTA activities are being designed and implemented in organizations’ continuous monitoring activities, providing management with valuable feedback and even customized alerts when deviations exceed acceptable thresholds.


CTAs also are being designed and implemented as supervisory control activities, such as authorizations and approvals or reconciliations. When implemented skillfully and reviewed and monitored by competent personnel, CTAs can provide benefits that include:

  • More frequent or continuous testing of controls.
  • More timely information for decision-making.
  • Identification of errors or issues that may be missed due to human error or the limitations of a sample-based approach.


CTA industry insights


A variety of uses


Regardless of the industry, CTA can be a powerful tool for internal and external auditors who are testing the operating effectiveness of controls to support or gather evidence about the effectiveness of internal control over financial reporting (ICFR). Manual tests of these controls often are labor-intensive and rely upon sampling, while automated tools and techniques have the potential to reduce the need for repetitive human labor while extending testing to the entire population.


Within ICFR, the uses of CTA may vary widely based on industry. Take revenue recognition, for example. A company in an industry or sector with a subscription-based business model that recognizes revenue over time may have different CTA opportunities than a company with a point-in-time revenue model based on discrete individual sales.


Outside of ICFR, CTA can be implemented for controls over operations, reporting or compliance objectives. These CTA opportunities also may vary widely based on the industry.


Getting started


All controls are not created equal with respect to CTA, as automated testing can be easier to implement for some controls than for others, such as those that are objective rather than subjective. It would be more straightforward to set up an automation that compares all vendor billings and reimbursements and sends an alert if the amount of a check sent to a vendor does not equal the amount billed on the invoice. It’s more difficult to create an automated test to tell you whether the amount on the invoice is reasonable considering the services the vendor provided. The best candidates for CTA often are controls with attributes that can be clearly defined, such as tolerances, distinct values or pass-fail conditions. These may include:

  • Authorizations, approvals, verifications and controls over standing data.
  • Segregation of duties.
  • Certain general IT controls, such as authorization, provisioning, deprovisioning, privileged access and security configuration controls.

As with most automation efforts, a CTA is only as good as the information it relies on. Whole-population testing is ineffective if the population is not complete or the input data is not accurate. When the information used is complete and accurate, a CTA can be run on large volumes of transactions or activities, quickly and with more precision.


This is one of the biggest benefits of CTA programs. If an organization sends tens of thousands of checks to vendors every year, CTA may be used to test that all of the checks match the amounts on the respective invoices and were approved based on the organization’s policies or procedures in a tiny fraction of the time it would take a human to test only a sample of such transactions. CTA is generally designed to extract information directly from existing systems or applications, further reducing human effort.


Nonetheless, human involvement in the form of strong governance is essential for developing and maintaining a CTA program and related IT environment that accomplishes the desired objectives. Responsibilities and accountabilities need to be established for designing, implementing and maintaining effective governance over the IT environment — including general IT controls — that will support a CTA program.


When CTA is being implemented, validation often requires test runs, with manual testing compared to CTA results to verify accuracy and consistency. Controls may need to be modified and CTAs recalibrated several times before automation is ready to be implemented.


Another critical role for humans in CTA implementation resides in the appropriate treatment of deviations and control failure rates. Leaders need to carefully determine an acceptable failure rate for a control or control objective to appropriately evaluate the results and conclude on operating effectiveness. In some cases — for example, a security access approval — that acceptable failure rate may be zero.


Many times, though, an acceptable failure rate may be greater than zero. Consider, for example, a control that requires a manager to approve an employee’s expense reimbursement forms. If the acceptable failure rate is zero for this control attribute, what happens when a manager takes a two-week vacation? The acceptable failure rate for such a control could be set at something higher than zero, with the provision that a separate control or control attribute is implemented, such as deviations being investigated by finance to identify whether an appropriate delegate designated by the manager approved expense reimbursements when the manager was unable to do so.


Great care needs to be taken in developing and implementing CTA programs; the considerations become more complicated as the controls and automated testing become more complex. Nonetheless, precision in the development and implementation phase often is worthwhile because of the additional, timely insights that CTA can provide later with a reduction of manual labor that can offset the costs associated with automation.


An effective CTA program — whether it’s used as a monitoring activity, supervisory control, or both — can lead to better risk management by enabling detailed analysis; pattern and deviation identification; and more timely decisions. These are benefits that can provide an important edge in an environment where effective controls are essential.



Content disclaimer

This content provides information and comments on current issues and developments from Grant Thornton Advisors LLC and Grant Thornton LLP. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC and Grant Thornton LLP. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

For additional information on topics covered in this content, contact a Grant Thornton professional.

Grant Thornton LLP and Grant Thornton Advisors LLC (and their respective subsidiary entities) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Grant Thornton LLP is a licensed independent CPA firm that provides attest services to its clients, and Grant Thornton Advisors LLC and its subsidiary entities provide tax and business consulting services to their clients. Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.


CTA industry insights




Our featured insights