Banks turn to CTA for regulatory compliance


Continuous monitoring is automated testing’s ultimate goal


The numerous new and expanding consumer financial protection-related regulations developed for financial institutions in recent years have raised the stakes for control test automation (CTA) in the banking industry.


Banks have traditionally reacted to new or changing regulations by adding workload to existing team members or introducing additional staffing for implementation and compliance, but this approach has its limits. Increasingly, financial institutions are turning to technology to meet their regulatory compliance needs, and CTA is a major component of this movement.


CTA enables testing of controls based on full data populations rather than just samples, reducing the demand on staff and decreasing the possibility of testing gaps and human error. CTA also facilitates more frequent testing, including continuous monitoring — which is the goal toward which leaders across many industries aspire.


Banking and asset management CFOs said in a recent Grant Thornton survey that regulatory compliance is their top concern, and CTA can help ease those concerns. Identifying opportunities to automate testing allows for efficient and effective monitoring of regulatory compliance as risk and compliance professionals continue to balance ever-increasing regulatory demands and burdens while also responding to resource and budget constraints. New or changing regulations whose compliance burdens may be reduced through implementation of CTA include:

  • Section 1071 small business data collection: Testing can be automated to confirm that banks are collecting the necessary data from small business loan applicants.
  • Community Reinvestment Act: Strong controls are necessary to assure regulators of data reliability. CTA can be a valuable asset in the testing of controls designed to confirm that banks are meeting data collection and reporting requirements. CTA also may assist in determining the extent of a bank’s service in low-to-moderate-income neighborhoods.
  • Section 1033 personal data disclosure rules: CTA can be used to test controls designed to enable banks to comply with rules that keep consumers well-informed of the details of their accounts, funds and transactions.

In general, controls with binary outcomes are the best candidates for CTA. Does Person X still have an account? Did Person X get sent the required disclosure? Did they check a box confirming they had received a copy of the privacy policy? Questions such as these don’t need human interpretation if the control and the testing are set up properly.


“Where we can be very concrete in a value or amount, in a data type, in a context that’s fixed and consistent, CTA can handle that all day long,” said Zac Taylor, a Technology Modernization Principal for Grant Thornton. “When human intervention or human interpretation is required, we are not, in my opinion, to the point where we have enough confidence in artificial intelligence-type tools to have them make those decisions across the banking industry due to the possibility to cause consumer harm or introduce bias. The artificial intelligence tools are developing and there are very interesting tools on the horizon that many of our banking clients are looking forward to as our understanding of these models improves.”





CTA basics


Advances in technology have introduced new capabilities for control test automation, creating added value for internal and external auditors as well as for management — wherever controls are embedded in an organization’s business processes or reporting.


When technology is used to test the operating effectiveness of controls:

  • The full population of data could be tested, rather than just a sample.
  • Automated testing, which once was manual, can relieve personnel from labor-intensive, often repetitive work.

Take a deeper dive into CTA

Get a detailed analysis of the use of CTA related to internal control over financial reporting — and an illustrative example of CTA over a user-access provisioning control. This publication, co-produced and published by Grant Thornton and the AICPA, sheds light on CTA relevant to organizations and their internal and external auditors.

Many of today’s advanced automation technologies were in their infancy in 2013 when the revised Internal Control — Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), described how technology can support ongoing evaluations of controls.


The COSO framework described how continuous monitoring techniques can provide a high standard of objectivity and enable efficient review of large volumes of data at a low cost. The framework indicated that, combined with robust review and analysis of results by knowledgeable personnel, automated monitoring can provide for efficient, effective ongoing testing.


Today’s most tech-savvy companies and internal and external auditors are delivering on COSO’s vision. CTA activities are being designed and implemented in organizations’ continuous monitoring activities, providing management with valuable feedback and even customized alerts when deviations exceed acceptable thresholds.


CTAs also are being designed and implemented as supervisory control activities, such as authorizations and approvals or reconciliations. When implemented skillfully and reviewed and monitored by competent personnel, CTAs can provide benefits that include:

  • More frequent or continuous testing of controls.
  • More timely information for decision-making.
  • Identification of errors or issues that may be missed due to human error or the limitations of a sample-based approach.

CTA industry insights


A powerful tool


Regardless of the industry, CTA can be a powerful tool for internal and external auditors, as well as compliance and risk professionals, who are testing the operating effectiveness of controls to support or gather evidence about the effectiveness of internal control over financial reporting (ICFR). Manual tests of these controls often are labor-intensive and rely upon sampling, while automated tools and techniques have the potential to reduce the need for repetitive human labor while extending testing to the entire population.


Within ICFR, uses of CTA may vary widely based on industry. Take revenue recognition, for example. A company in an industry or sector with a subscription-based business model that recognizes revenue over time may have different CTA opportunities than a company with a point-in-time revenue model based on discrete individual sales. Outside of ICFR, CTA can be implemented for controls over operations, reporting or compliance objectives. These CTA opportunities also may vary widely based on the industry.


An amended Consumer Financial Protection Bureau rule has limited the typical late fees that credit card holders can be charged to $8 per incident. CTA can assist with compliance with that rule, as a financial institution can create a CTA to verify that for each customer and billing cycle, the late fee charge never exceeds $8.


When fully built out, CTAs such as this can be created to test numerous controls, with documentation of transactional loads, the number of records that passed through, and the portion of records that passed and failed. CTA platforms also can be built that contain hundreds of CTA tools for banks. Functionality can also be provided for new tools to be added by writing dynamic queries or statements and creating test steps and mock data to examine whether the CTAs perform as expected.
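The late-fee test described above can be sketched as a full-population query that reports records tested, passed and failed. This is an added example, not Grant Thornton's or any bank's own code; the table and column names and the mock rows are constructed, and treating a missing fee amount as a failure is an assumption.

```python
import sqlite3

LATE_FEE_CAP_CENTS = 800  # the $8 per-incident cap from the article, in cents

# Constructed mock data: (customer_id, billing_cycle, late_fee_cents)
MOCK_ROWS = [
    ("C001", "2024-06", 800),   # exactly at the cap: pass
    ("C001", "2024-07", 0),     # no late fee charged: pass
    ("C002", "2024-06", 750),   # under the cap: pass
    ("C002", "2024-07", 2500),  # over the cap: fail
    ("C003", "2024-06", None),  # amount missing: untestable, counted as fail
    ("C004", "2024-06", 801),   # one cent over the cap: fail
]

def load_mock_population(rows=MOCK_ROWS):
    """Build an in-memory table standing in for the billing system extract."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE late_fees ("
        "customer_id TEXT, billing_cycle TEXT, late_fee_cents INTEGER)"
    )
    conn.executemany("INSERT INTO late_fees VALUES (?, ?, ?)", rows)
    return conn

def run_late_fee_cta(conn, cap_cents=LATE_FEE_CAP_CENTS):
    """Test every customer/billing-cycle record, not a sample."""
    total = conn.execute("SELECT COUNT(*) FROM late_fees").fetchone()[0]
    exceptions = conn.execute(
        "SELECT customer_id, billing_cycle, late_fee_cents FROM late_fees "
        "WHERE late_fee_cents IS NULL OR late_fee_cents > ? "
        "ORDER BY customer_id, billing_cycle",
        (cap_cents,),
    ).fetchall()
    failed = len(exceptions)
    return {
        "records_tested": total,
        "passed": total - failed,
        "failed": failed,
        # An empty population yields no rate, so it is never reported as clean.
        "failure_rate": failed / total if total else None,
        "exceptions": exceptions,
    }

if __name__ == "__main__":
    print(run_late_fee_cta(load_mock_population()))
```
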


“These platforms can make a significant impact on the bottom line of a company. They perform well and can be inexpensive to run while reducing significant risk to the institution,” Taylor said.


Getting started


All controls are not created equal with respect to CTA, as automated testing can be easier to implement for some controls than for others, such as those that are objective rather than subjective. The best candidates for CTA often are controls with attributes that can be clearly defined, such as tolerances, distinct values or pass-fail conditions.


In the banking industry, for regulatory compliance purposes, binary controls responding to rules and regulations that are clearly defined are excellent candidates for CTA.



“Financial institutions continue to seek opportunities to validate internal controls and regulatory testing that is occurring at the transaction level,” said Leslie Watson-Stracener, Risk Advisory Managing Director for Grant Thornton. “These opportunities exist within the lending and depository areas as well as aggregate reporting requirements.”


Examples of situations where control testing can be automated include the following:

  • To determine whether customers are military service participants who qualify for relief from debt under the Servicemembers Civil Relief Act, a lender can automate a connection to the Department of Defense database to determine each customer’s active-duty status.
  • Testing of controls related to integrated disclosures required by the Truth in Lending Act and the Real Estate Settlement Procedures Act. “We’ve continued to see financial institutions seek out automation of testing within the mortgage lending arena as they seek to comply with multiple regulations,” Watson-Stracener said.

As with most automation efforts, a CTA is only as good as the information it relies on. Whole population testing is ineffective if the population is not complete or the input data is not accurate. When the information used is complete and accurate, a CTA can be run on large volumes of transactions or activities quickly and with more precision than human testers.


This is one of the biggest benefits of CTA programs. If an organization sends tens of thousands of checks to vendors every year, CTA may be used to test whether all the checks match the amounts on the respective invoices and were approved based on the organization’s policies or procedures in a tiny fraction of the time it would take a human to test only a sample of such transactions. CTA is generally designed to extract information directly from existing systems or applications, further reducing human effort.


Nonetheless, human involvement in the form of strong governance is essential for developing and maintaining a CTA program and related IT environment that accomplishes the desired objectives. Responsibilities and accountabilities need to be established for designing, implementing and maintaining effective governance over the IT environment — including general IT controls — that will support a CTA program.


When CTA is being implemented, validation often requires test runs, with manual testing compared to CTA results to verify accuracy and consistency. Controls may need to be modified and CTAs recalibrated several times before automation is ready to be implemented.


Another critical role for humans in CTA implementation resides in the appropriate treatment of deviations and control failure rates. Leaders need to carefully determine an acceptable failure rate for a control or control objective to appropriately evaluate the results and conclude on operating effectiveness. In some cases — for example, a security access approval — that acceptable failure rate may be zero.


Many times, though, an acceptable failure rate may be greater than zero. Consider, for example, a control that requires a manager to approve an employee’s expense reimbursement forms. If the acceptable failure rate is zero for this control attribute, what happens when a manager takes a two-week vacation? The acceptable failure rate for such a control could be set at something higher than zero, with the provision that a separate control or control attribute is implemented, such as deviations being investigated by finance to identify whether an appropriate delegate designated by the manager approved expense reimbursements when the manager was unable to do so.


Great care needs to be taken in developing and implementing CTA programs; the considerations become more complicated as the controls and automated testing become more complex. Nonetheless, precision in the development and implementation phase often is worthwhile because of the additional, timely insights that CTA can provide later with a reduction of manual labor that can offset the costs associated with automation.


An effective CTA program — whether it’s used as a monitoring activity, supervisory control, or both — can lead to better risk management by enabling detailed analysis; pattern and deviation identification; and more timely decisions. These are benefits that can provide an important edge in an environment where effective controls are essential. 



Zac Taylor

Zac Taylor is a Principal within Grant Thornton’s Organizational and Operational Transformation practice.

Dallas, Texas

Content disclaimer

This content provides information and comments on current issues and developments from Grant Thornton Advisors LLC and Grant Thornton LLP. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC and Grant Thornton LLP. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

For additional information on topics covered in this content, contact a Grant Thornton professional.

Grant Thornton LLP and Grant Thornton Advisors LLC (and their respective subsidiary entities) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Grant Thornton LLP is a licensed independent CPA firm that provides attest services to its clients, and Grant Thornton Advisors LLC and its subsidiary entities provide tax and business consulting services to their clients. Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

