Audit Management

Control Tests

Test individual security controls, collect evidence, and document findings

What are Control Tests?

A Control Test is a specific test of a security control within an audit instance. It represents the actual testing work being performed to verify that a control is operating effectively. Control tests include test objectives, procedures, evidence collection, and findings documentation.

Control-Specific

Each test is linked to a specific control from the framework (e.g., A.9.1.1 - Access control policy).

Test Execution

Tests include objectives, procedures, evidence requirements, and results documentation.

Control Test Structure

Understanding Control Test Components
How control tests organize testing activities
Control Test (A.9.1.1 - Access control policy)
├── Control (Links to framework control)
├── Test Objective (What to verify)
├── Test Procedure (How to test)
├── Assignments (User assignments)
│ ├── EXECUTOR (Performs test)
│ ├── REVIEWER (Reviews work)
│ └── APPROVER (Approves test)
├── Evidence (Supporting documents)
├── Question Responses (Auditor answers)
└── Findings (Issues discovered)

Control tests are the core of audit execution. They link controls to actual testing work, assignments, evidence, and findings.

Creating a Control Test

Step-by-Step Guide
Create a new control test within an audit instance
1. Navigate to Audit Instance

Go to Audit Management → Programs → Select program → Select cycle → Select instance → Go to the "Controls" tab.

2. Select Controls to Test

Click "Add Controls" and select controls from the framework that you want to test in this audit instance. Control tests are automatically created for selected controls.

3. Configure Test Details

For each control test, fill in:

  • Test Objective: What you're trying to verify
  • Test Procedure: Step-by-step testing instructions
  • Risk Level: High, Medium, or Low
  • Planned Start Date: When testing will begin
  • Planned End Date: When testing should complete

4. Assign Users

Go to the "Users Assigned" tab and assign users to execute, review, or approve the test. Workflows can auto-assign users based on workload and expertise.

5. Save Test

Review all information and click "Save". The test is now ready for execution.

Control Test Fields Explained

Control Information

Control

The security control being tested (e.g., A.9.1.1 - Access control policy). Linked from the framework.

Test Objective

What you're trying to verify (e.g., "Verify that access control policy is documented and implemented").

Test Procedure

Step-by-step instructions for performing the test (e.g., "Review policy document, verify implementation, interview team").

Test Configuration

Risk Level

High, Medium, or Low. Determines priority and assignment patterns.

Status

Not Started, In Progress, Completed, Failed, or Partially Failed.

Result

Pass, Fail, Partial, or Not Applicable. Set after test completion.

Timeline

Planned Start Date

When testing is scheduled to begin.

Planned End Date

When testing should be completed.

Actual Dates

Actual start and end dates are updated automatically as work progresses.

Assignments

Control tests can have multiple user assignments:

  • EXECUTOR: Performs the test
  • REVIEWER: Reviews executor's work
  • APPROVER: Approves the test
  • CONTRIBUTOR: Provides evidence
  • OBSERVER: Read-only access

Control Test Workflow

From Creation to Completion
1. Create Test

Select control, configure test objective and procedure, set risk level and dates.

2. Assign Users

Assign executor, reviewer, and approver. Workflows can auto-assign based on workload.

3. Execute Test

Executor performs test, answers questions, uploads evidence, documents findings.

4. Review

Reviewer checks evidence quality, verifies test procedure was followed, approves or requests changes.

5. Approve

Approver reviews work, sets test result (Pass/Fail/Partial), and marks test as completed.
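As an added illustration, not the product's own code: a small Python model of the five-step workflow above that gates each step on the caller's assignment role, refuses review without evidence, and refuses approval before review. Class, method and field names, the one-role-per-user rule, and the mapping from result to final status are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    EXECUTOR = "EXECUTOR"        # performs the test
    REVIEWER = "REVIEWER"        # reviews the executor's work
    APPROVER = "APPROVER"        # sets the result and marks the test completed
    CONTRIBUTOR = "CONTRIBUTOR"  # provides evidence
    OBSERVER = "OBSERVER"        # read-only

RESULTS = ("Pass", "Fail", "Partial", "Not Applicable")
# Assumed mapping from approved result to final status (the page lists both sets, not the link).
RESULT_TO_STATUS = {"Pass": "Completed", "Not Applicable": "Completed",
                    "Fail": "Failed", "Partial": "Partially Failed"}

@dataclass
class ControlTest:
    control: str                 # e.g. "A.9.1.1 - Access control policy"
    objective: str
    assignments: dict = field(default_factory=dict)  # user -> Role, one role per user (assumed)
    evidence: list = field(default_factory=list)
    findings: list = field(default_factory=list)
    status: str = "Not Started"
    result: str = ""
    reviewed: bool = False

    def _require(self, user, role):
        # Each step is gated on the caller's role, so an executor cannot review or approve own work.
        if self.assignments.get(user) is not role:
            raise PermissionError(f"{user} is not the {role.value} for {self.control}")

    def execute(self, user, evidence, findings=()):
        self._require(user, Role.EXECUTOR)
        self.evidence.extend(evidence)
        self.findings.extend(findings)
        self.status = "In Progress"
        return self.status

    def review(self, user):
        self._require(user, Role.REVIEWER)
        if self.status != "In Progress" or not self.evidence:
            raise ValueError("cannot review: test not executed or no evidence attached")
        self.reviewed = True
        return self.reviewed

    def approve(self, user, result):
        self._require(user, Role.APPROVER)
        if not self.reviewed or result not in RESULTS:
            raise ValueError(f"approval requires a completed review and a known result, got {result!r}")
        self.result, self.status = result, RESULT_TO_STATUS[result]
        return self.status
```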

Test Components

Evidence

Supporting documents that prove the control is operating effectively:

  • Policy documents
  • System screenshots
  • Configuration files
  • Interview notes
  • Reports and logs

Question Responses

Answers to assessment questions about the control:

  • How is the control implemented?
  • Who is responsible?
  • What evidence exists?
  • How is effectiveness measured?

Findings

Issues discovered during testing:

  • Control gaps
  • Implementation issues
  • Documentation problems
  • Compliance violations

Example Control Test

A.9.1.1 - Access control policy
A typical control test structure

Test Details

Control: A.9.1.1 - Access control policy

Test Objective: Verify that access control policy is documented and implemented

Risk Level: High

Status: In Progress

Planned Dates: January 20 - February 5, 2026

Assignments

• Sarah Johnson (EXECUTOR) - Active

• Mike Davis (REVIEWER) - Pending

• John Smith (APPROVER) - Pending

Test Procedure

1. Review access control policy document

2. Verify policy is approved and published

3. Check implementation in access management system

4. Interview IT security team

Best Practices

Clear Test Objectives

Write specific, measurable test objectives that clearly state what you're trying to verify.

Detailed Procedures

Provide step-by-step test procedures so executors know exactly what to do.

Appropriate Risk Levels

Set accurate risk levels to ensure high-risk tests get appropriate attention and resources.

Sufficient Evidence

Ensure executors collect comprehensive evidence that clearly demonstrates control effectiveness.

Next Steps

Workflows

Learn how workflows automate assignment creation for control tests

Audit Instances

Return to learn about audit instances