Control Tests
Control tests verify that individual security controls are operating effectively. Each test is linked to a framework control within an audit instance, and follows a structured workflow from assignment through execution, review, and approval.
Control test structure
Control Test (A.9.1.1 - Access control policy)
├── Test Objective & Procedure
├── Assignments (Executor, Reviewer, Approver)
├── Evidence (uploaded documents)
├── Question Responses (auditor answers)
└── Findings (issues discovered)
Creating control tests
Control tests are created automatically when you add controls to an audit instance. Navigate to your instance’s Controls tab, click Add Controls, and select controls from the framework. A control test is generated for each selected control.
Configuring a test
For each control test, set the test objective (what you are verifying), the test procedure (step-by-step instructions for the executor), the risk level (High, Medium, or Low), and planned start and end dates.
Assignment roles
Each control test can have five assignment roles:
| Role | Responsibility |
|---|---|
| Executor | Performs the test — collects evidence, answers questions, documents findings |
| Reviewer | Reviews the executor’s work for quality and completeness |
| Approver | Gives final sign-off and sets the test result |
| Contributor | Provides evidence or information but does not execute the test |
| Observer | Read-only access to monitor progress |
Assignments can be made manually or auto-assigned through workflows and templates based on workload capacity, department, and expertise.
Test workflow
Create and assign
Select controls from the framework. Configure test objectives, procedures, risk level, and dates. Assign an executor (manually or via auto-assignment).
Execute the test
The executor performs the test following the documented procedure, answers assessment questions, uploads evidence (policy documents, screenshots, configuration files, interview notes), and documents any findings.
Review
The reviewer checks evidence quality, verifies the procedure was followed correctly, and either approves the work or requests changes.
Approve and close
The approver reviews the complete test package, sets the result (Pass, Fail, Partial, or Not Applicable), and marks the test as completed.
Test statuses and results
Tests progress through these statuses: Not Started, In Progress, Completed, Failed, and Partially Failed.
After completion, the test result is recorded as Pass (control operating effectively), Fail (control deficiency identified), Partial (partially effective), or Not Applicable.
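The workflow and status model above can be made concrete as a small state machine that enforces who may perform each step. The following is an added example, not the product's own code: status, result and role names are taken from this page, while the mapping from the approver's result to the final status, the rule that a test with no evidence cannot be reviewed, and the user and file names in the walk-through are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(Enum):
    NOT_STARTED = "Not Started"
    IN_PROGRESS = "In Progress"
    COMPLETED = "Completed"
    FAILED = "Failed"
    PARTIALLY_FAILED = "Partially Failed"


class Result(Enum):
    PASS = "Pass"
    FAIL = "Fail"
    PARTIAL = "Partial"
    NOT_APPLICABLE = "Not Applicable"


# Assumption: how the approver's result maps onto the final test status.
RESULT_TO_STATUS = {
    Result.PASS: Status.COMPLETED,
    Result.NOT_APPLICABLE: Status.COMPLETED,
    Result.FAIL: Status.FAILED,
    Result.PARTIAL: Status.PARTIALLY_FAILED,
}


@dataclass
class ControlTest:
    control_id: str
    assignments: dict                       # role -> user, e.g. {"Executor": "alice"}
    status: Status = Status.NOT_STARTED
    result: Optional[Result] = None
    evidence: list = field(default_factory=list)
    findings: list = field(default_factory=list)
    review_passed: bool = False
    trail: list = field(default_factory=list)   # (user, action) audit trail

    def _require(self, user: str, *roles: str) -> None:
        """Reject the action unless `user` holds one of the named roles."""
        if user not in {self.assignments.get(r) for r in roles}:
            raise PermissionError(f"{user} may not act as {'/'.join(roles)} on {self.control_id}")

    def start(self, user: str) -> None:
        self._require(user, "Executor")
        if self.status is not Status.NOT_STARTED:
            raise ValueError(f"cannot start a test in status {self.status.value}")
        self.status = Status.IN_PROGRESS
        self.trail.append((user, "start"))

    def add_evidence(self, user: str, item: str) -> None:
        # Executor and Contributor supply evidence; Reviewer, Approver and Observer do not.
        self._require(user, "Executor", "Contributor")
        if self.status is not Status.IN_PROGRESS:
            raise ValueError("evidence can only be added while the test is in progress")
        self.evidence.append(item)
        self.trail.append((user, f"evidence:{item}"))

    def record_finding(self, user: str, severity: str, description: str) -> None:
        self._require(user, "Executor")
        self.findings.append({"severity": severity, "description": description})
        self.trail.append((user, f"finding:{severity}"))

    def review(self, user: str, approve: bool) -> None:
        self._require(user, "Reviewer")
        if self.status is not Status.IN_PROGRESS:
            raise ValueError("nothing to review")
        if not self.evidence:
            raise ValueError("refusing to review a test with no evidence")  # assumption
        self.review_passed = approve
        self.trail.append((user, "review:approved" if approve else "review:changes-requested"))

    def approve(self, user: str, result: Result) -> Status:
        self._require(user, "Approver")
        if not self.review_passed:
            raise ValueError("approval requires a completed review")
        self.result = result
        self.status = RESULT_TO_STATUS[result]
        self.trail.append((user, f"approve:{result.value}"))
        return self.status


def run_example() -> ControlTest:
    """Constructed walk-through (hypothetical users): executor -> reviewer -> approver,
    with one action denied because the Observer role is read-only."""
    test = ControlTest("A.9.1.1", {"Executor": "alice", "Reviewer": "bob", "Approver": "carol",
                                   "Contributor": "dave", "Observer": "eve"})
    test.start("alice")
    test.add_evidence("alice", "access-control-policy-v3.pdf")
    test.add_evidence("dave", "iam-config-export.json")
    try:
        test.add_evidence("eve", "screenshot.png")
    except PermissionError:
        test.trail.append(("eve", "denied:add_evidence"))
    test.record_finding("alice", "Medium", "Policy last reviewed 18 months ago")
    test.review("bob", approve=True)
    test.approve("carol", Result.PARTIAL)
    return test
```

The point of the role checks is that the executor cannot approve their own work and an observer cannot alter evidence; every accepted or denied action lands in `trail`, which is the audit record a reviewer would later inspect.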
Evidence
Evidence supports the test conclusion and can include policy documents, system screenshots, configuration exports, interview notes, audit reports, and operational logs. Each piece of evidence is linked to the specific control test and preserved in the audit record.
Question responses
During test execution, auditors answer structured questions about the control: how it is implemented, who is responsible, what evidence exists, and how effectiveness is measured. Responses are captured alongside evidence for a complete audit trail.
Findings
When a test reveals a control gap, implementation issue, documentation problem, or compliance violation, the executor documents a finding with a severity level, description, and linked remediation action. Findings flow through to the audit instance’s findings tab and can update the risk register.
Best practices
Write test objectives that are specific and measurable, so that the approver can state unambiguously why the result is Pass, Fail or Partial. Provide step-by-step procedures detailed enough that a different executor would reach the same conclusion. Set risk levels deliberately so high-risk controls receive the attention they need. Collect evidence that clearly demonstrates control effectiveness for the period under test: dated configuration exports and logs are stronger than undated screenshots, and each item should identify the system and the person who produced it. Use workflows to automate the executor → reviewer → approver handoff and reduce manual coordination.