Internal audit manager
SOX testing lead
IT audit director
Compliance manager
External audit liaison
Risk assurance director

This process is used during periodic internal audit cycles, SOX compliance testing, SOC audit preparation, or any assessment of the organization’s internal control environment. It applies when each control in the testing scope must be evaluated for both design effectiveness and operating effectiveness through defined test procedures, sample selection, evidence review, and deficiency reporting. Ideal for publicly traded companies managing SOX Section 404 compliance, organizations preparing for SOC 1 or SOC 2 audits, financial institutions, and any entity with a formal control testing program.
The control testing process typically involves internal auditors or SOX testers who plan and execute the tests, control owners who provide evidence and respond to inquiries, the internal controls team who coordinates testing logistics and remediation, external auditors who may rely on internal testing results, and management who reviews and responds to identified deficiencies.
Validated control effectiveness through documented testing that confirms controls are properly designed and operating as intended.
Timely deficiency identification so issues are discovered and remediated before external audit testing or regulatory examination.
Efficient evidence collection because control owners provide evidence within the workflow rather than through fragmented email requests.
Consistent testing standards applied across all controls in the testing scope regardless of the tester or control area.
Audit-ready workpapers that document test procedures, sample selections, evidence reviewed, conclusions, and any identified deficiencies.

Your version of this process may vary based on roles, systems, data, and approval paths. Moxo’s flow builder can be configured with AI agents, conditional branching, dynamic data references, and sophisticated logic to match how your organization runs this workflow. The steps below illustrate one example.
Test planning and scope definition
The process begins when the testing lead defines the testing scope, which may include all key controls, a risk-based subset, or controls related to a specific audit objective. For each control in scope, the tester identifies the test approach (inquiry, observation, inspection, reperformance), the sample size, and the evidence required. An AI Agent can assist by pulling the control descriptions, prior year test results, and any known changes from the GRC platform.
Evidence request and collection
The tester sends evidence requests to control owners, specifying the exact evidence needed, the sample items, and the submission deadline. Control owners gather and submit the requested evidence within the workflow. An AI Agent may track evidence submission status and send reminders for outstanding items.
Test execution and evidence evaluation
The tester executes the test procedures against the submitted evidence. For each sample item, the tester evaluates whether the control was performed by the right person, at the right time, with the expected outcome, and with appropriate documentation. Exceptions are identified and documented.
Exception investigation and root cause analysis
When exceptions are identified, the tester investigates the root cause by reviewing additional evidence and discussing the exception with the control owner. The tester determines whether the exception represents a control deviation, a documentation gap, or a control design deficiency.
Deficiency classification and reporting
Identified deficiencies are classified by severity — control deficiency, significant deficiency, or material weakness — based on the likelihood and magnitude of potential misstatement or risk exposure. The testing results and deficiency findings are documented in the test workpaper and reported to the controls team and management.
Remediation tracking and retest
Management develops remediation plans for identified deficiencies. The controls team tracks remediation implementation, and the tester retests remediated controls to confirm that the deficiency has been addressed. The remediation and retest results are documented.
This process commonly relies on inputs such as the control inventory, test plans, prior year workpapers, control evidence provided by owners, and deficiency classification criteria. It may be triggered by the annual audit plan, SOX testing calendar, or SOC audit preparation timeline. Connected systems often include GRC platforms like ServiceNow GRC, Workiva, or AuditBoard, document management systems for evidence, and audit management tools.
Key decision points include which controls are in scope for testing based on risk assessment and audit objectives, whether submitted evidence is sufficient to evaluate the control’s operating effectiveness, whether identified exceptions represent isolated deviations or systemic deficiencies, and how deficiencies are classified and what remediation is required.
Evidence requests not specific enough, resulting in control owners submitting irrelevant or incomplete evidence.
Evidence collection delays that compress the testing timeline and push deficiency reporting past audit deadlines.
Exceptions not investigated thoroughly, leading to incorrect deficiency classifications.
Deficiency remediation not tracked, allowing identified issues to persist into the external audit testing period.
Workpaper documentation insufficient to support the testing conclusion if reviewed by external auditors or regulators.
Orchestrates control testing from planning through remediation across testers, control owners, the controls team, and management in a single coordinated flow.
AI Agents pull control descriptions and prior year results into the testing workflow, helping testers plan efficiently with full context.
Engages control owners within the workflow for evidence submission, inquiry responses, and exception discussions, eliminating fragmented email-based evidence collection.
Tracks evidence submission and testing progress in real time, flagging overdue evidence requests and incomplete test procedures.
Routes identified deficiencies for classification and remediation within the workflow so management can respond and the tester can schedule retesting.
Preserves complete test workpapers including test procedures, sample selections, evidence reviewed, exceptions, deficiency classifications, and remediation documentation for internal and external audit reliance.
