Execution-Based Control Testing

Execution-based control testing allows you to assess the effectiveness of controls by directly using the control execution tasks that occurred within a defined test period. This feature integrates control execution data with advanced effectiveness testing, providing a streamlined and auditable testing workflow.

Overview

In many organizations, controls require tasks to be executed according to a predefined schedule (e.g., monthly access right reviews). Execution-based testing collects these tasks and uses them as the test source, removing the need to manually upload population files.

All control executions scheduled within the test period are automatically included as the source for the control test.

Preconditions

Before initiating an execution-based test you must ensure that control execution is enabled in the configuration of the control:

Activating Execution-Based Testing

Execution-based testing is configured within the control test plan.

1. Create or open a control test plan.

2. Ensure the test period matches a period in which execution tasks are scheduled.

3. On the second page: Sample Generation, enable the option: Use control execution

This activates the automatic collection of execution tasks for the test source.

Starting the Control Test

Once the test period has ended, the tester can initiate the control test as usual.

Execution-based testing consists of:

1. Source Upload & Sampling

2. Evidence Upload

3. Testing

4. (Optional) Review

These follow the standard CERRIX test workflow, but with additional execution-based functionality.

Source Upload & Sampling

When execution-based testing is enabled, CERRIX automatically loads all execution tasks planned within the test period.

What you will see:

• A summary of all execution tasks found.

• A count of execution tasks that were not yet completed. (In normal scenarios, all tasks should be completed when effectiveness testing begins.)

Sample generation:

The source uploader only needs to provide the sample size. After sample generation, the evidence uploader can begin their work.

Notes

• Completed execution tasks included in a test sample cannot be deleted or reopened to safeguard audit integrity.

• If no execution tasks are found in the test period, CERRIX assumes the control did not occur and therefore cannot be tested.

• The original source remains accessible through the Source documents section.

Evidence Upload

The evidence uploader sees all selected samples, each corresponding to a specific control execution. For example:

Automatic evidence linking

If the control execution includes evidence, this evidence is automatically copied into the sample.

Linked evidence is marked with a link icon, indicating that it originated from a control execution rather than a manual upload. For example:

Situations the evidence uploader may encounter

Testing & Reviewing

The tester and reviewer can assess samples as they normally would. Both roles can access:

• The source document

• The linked control execution tasks

• Automatically or manually uploaded evidence

Additional execution-based indicators

• A warning appears when a task is not completed.

• A warning appears when a task was completed after the evidence uploader finished their work.

• Linked evidence from execution tasks displays a link icon; manually uploaded evidence does not.

Additional Notes

• If there are no execution tasks within the period of the control test, it is assumed that the control didn't occur.

• Execution tasks that were deleted or rescheduled outside the test period before sampling took place are not included in the population. After sampling it is not possible to delete and even rescheduling the task will not remove it from the source of the testplan.

• This mechanism ensures a fully auditable snapshot: Execution tasks used in a test cannot be removed from the testplan after sampling, ensuring the integrity of the sample.