Control Testing: Methods, Best Practices, and Benefits

Introduction

Many fast-scaling fintechs have written compliance policies. Far fewer have actually tested whether those policies work.

That gap matters. Regulators and sponsor banks want evidence that controls function reliably in practice — documentation alone isn't enough.

FinCEN's $1.3 billion penalty against TD Bank in 2024 for AML program failures, and the FCA's £21 million fine against Monzo in 2025 for inadequate financial crime controls, carry the same message: the absence of a credible control testing program is an enforcement risk, not just an audit concern.

This article covers what control testing is, the four core methods, a practical step-by-step process, and best practices for fintech and financial services companies operating under BSA/AML, UDAAP, GDPR, and related frameworks.


TLDR

  • Control testing confirms that internal controls are properly designed and actually operating as intended.
  • Four core testing methods apply: inquiry, observation, inspection of evidence, and reperformance — plus CAATs for automated population-level coverage.
  • Effective testing follows a five-step process: scope, sample, execute, evaluate, and remediate.
  • Key benefits include reduced regulatory risk, stronger audit readiness, and catching control gaps before regulators do.
  • For fintechs, a risk-based approach focused on BSA/AML, UDAAP, and data access controls is non-negotiable.

What Is Control Testing?

Control testing is the systematic process of evaluating whether an organization's internal controls are properly designed and consistently operating to prevent or detect errors, fraud, compliance violations, or material misstatements.

Internal Controls in the Fintech Context

In fintech and banking, internal controls encompass the rules, policies, procedures, and automated checks that govern how a business manages risk across four main domains:

  • Financial reporting — approval workflows, reconciliation processes, segregation of duties
  • Transaction monitoring — AML alert reviews, SAR filing procedures, threshold logic
  • Customer data protection — access controls, data retention policies, breach response
  • Regulatory compliance — KYC/CDD procedures, UDAAP complaint handling, Reg E dispute processing

The Two Dimensions Every Control Must Satisfy

Every internal control must pass two assessments before it can be considered effective:

  1. Design effectiveness — Is the control logically structured to address the specific risk?
  2. Operating effectiveness — Is it actually being performed correctly and consistently over time?

Each failure mode points to a different fix. A design failure means the control needs to be restructured from scratch; an operating failure typically signals a training gap, staffing issue, or process breakdown that requires a targeted remediation plan. That distinction shapes how your compliance team responds.


Design Effectiveness vs. Operating Effectiveness

Design Effectiveness

Design effectiveness asks: Would this control work if followed correctly?

Testing design effectiveness means evaluating whether the control, as structured, is theoretically capable of preventing or detecting the risk it targets. Methods include walkthroughs, policy reviews, and process documentation analysis.

Per PCAOB AS 2201, a control is well-designed if it would satisfy its objective when operated by a person with the necessary authority and competence.

Common design failures: controls that address the wrong risk, rely on a single point of failure, or contain logical gaps that bad actors could exploit.

Operating Effectiveness

Operating effectiveness asks: Is this control reliably working in practice, not just on paper?

Testing operating effectiveness means evaluating whether the control is being executed correctly and consistently over a defined period — typically tested through sampling, reperformance, and log reviews.

Common operating failures: controls that are correctly designed but skipped under workload pressure, delegated to undertrained staff, or manually overridden without documentation.

Why Both Must Pass

Scenario                          | What It Means                                  | The Risk
----------------------------------|------------------------------------------------|------------------------------------------
Good design, poor execution       | Control exists but isn't followed              | Real exposure despite good documentation
Poor design, consistent execution | Control runs reliably but won't catch the risk | False sense of security
Both pass                         | Control is effective                           | Defensible to regulators and auditors

[Infographic: design versus operating effectiveness control scenarios]

Both failures carry real consequences. During a sponsor bank due diligence review or regulatory examination, a well-documented but inconsistently executed transaction monitoring control won't satisfy an OCC examiner — and can expose a BaaS bank to consent orders or civil money penalties.


The 4 Core Methods of Control Testing (Plus CAATs)

1. Inquiry

Inquiry involves asking control owners, managers, and operators how a control is performed, how often, and who is responsible. It's the starting point for almost every control test — useful for building context, identifying process owners, and spotting initial red flags.

Limitation: Inquiry relies entirely on self-reporting. It cannot stand alone as audit evidence. It must be corroborated by at least one other method.

2. Observation

Observation means watching the control activity in real time — for example, observing a BSA officer working through a transaction monitoring alert queue, or watching how a payments team handles a segregation of duties workflow.

Limitation: The observer effect is a real constraint — personnel often behave differently when they know they're being watched. Observation provides point-in-time evidence, not proof of consistent day-to-day performance.

3. Inspection of Evidence

Inspection involves reviewing documentation, records, logs, reports, and approval trails that demonstrate a control was performed — for example, examining signed SAR filing records, access control logs, or approval histories in a payment platform.

This is one of the most reliable manual methods because it produces a verifiable audit trail independent of human testimony. A well-documented alert disposition log speaks for itself.

4. Reperformance

Reperformance is the most rigorous method. The tester independently re-executes the control using original data and procedures, then verifies the output matches what should have been produced.

Fintech examples include:

  • Recalculating a customer risk score to verify the model's output
  • Re-running a sanctions screening check against a current watchlist
  • Manually reprocessing a transaction to confirm the approval logic is correct

Reperformance delivers the highest level of assurance — but it's also the most resource-intensive method, which is why it's reserved for the highest-risk controls.

[Infographic: the five control testing methods, inquiry to CAATs, compared by assurance level]

5. CAATs and Continuous Monitoring

Computer-Assisted Audit Techniques (CAATs) use data analytics tools to test controls across entire transaction populations rather than samples. The IIA defines CAATs as automated audit techniques including generalized audit software, test data, and specialized analytical tools.

For high-volume fintechs processing thousands of daily transactions, manual sampling catches only a fraction of potential failures. CAATs close that gap.

Continuous monitoring takes it further, running automated control checks in real time and flagging deviations immediately rather than discovering them months later in a periodic audit.


The Control Testing Process: Step-by-Step

Step 1 — Scoping and Risk Assessment

Start by identifying which controls to test. Not every control warrants the same scrutiny; resources should follow risk.

Use the regulatory frameworks your organization operates under to drive scoping decisions. For most fintechs, that means prioritizing:

  • BSA/AML transaction monitoring and SAR filing controls
  • Customer due diligence (CDD) and KYC onboarding controls
  • Data access controls and privileged user access reviews
  • UDAAP complaint handling and Reg E dispute resolution
  • Sanctions screening procedures

The FFIEC BSA/AML examination manual frames independent testing as an assessment of BSA compliance relative to the bank's risk profile — which means your control test scope should directly reflect the products, customers, geographies, and partners that define your risk exposure.

Step 2 — Defining the Population and Sampling

Define the full population first: all transactions processed in a quarter, all user access provisioning events in the past year, all customer onboarding decisions in a six-month window. Then determine sample size based on:

  • Control frequency (daily vs. monthly)
  • Risk level of the underlying activity
  • Expected deviation rate based on prior testing history

Where data analytics tools are available, testing the full population eliminates sampling risk entirely and removes any debate about sample representativeness.

Step 3 — Selecting and Executing the Testing Method

Match the method to the nature of the control and the assurance level required. For a daily transaction monitoring control, combining inspection (reviewing alert disposition logs) with reperformance (re-running a flagged transaction through the model) produces far more defensible evidence than inquiry alone.

General guidance:

  • Automated system controls → inspection of system logs + reperformance
  • Manual review controls → observation + inspection + inquiry
  • High-volume transaction controls → CAATs or full population testing
  • New or recently changed controls → walkthrough + design effectiveness review first

Step 4 — Evaluating Results and Classifying Deficiencies

If all sampled items pass, the control is operating effectively. If failures exist, classify the deficiency:

Level                  | Definition                                                                 | Action Required
-----------------------|----------------------------------------------------------------------------|------------------------------------------------------------------
Control Deficiency     | A minor gap in design or operation                                         | Document; remediate in normal course
Significant Deficiency | Merits management attention; elevated risk                                 | Escalate to senior management; remediate with defined deadline
Material Weakness      | Serious flaw with potential for significant harm or regulatory consequence | Immediate escalation; board-level attention in financial services

[Infographic: three-tier control deficiency classification with definitions and required actions]

In financial services, even a single material weakness can trigger regulatory action or create problems with a sponsor bank relationship. The OCC's internal control handbook explicitly notes that examiners should discuss significant weaknesses with bank management, a standard that applies equally to fintech partners under interagency third-party risk guidance.

Step 5 — Documenting Findings and Driving Remediation

Documentation is not a formality: it's the primary evidence your control testing program is real. Each test workpaper should capture:

  • The control objective being tested
  • The method used and rationale
  • The population and sample selected
  • The evidence reviewed
  • The result and any deficiency classification
  • Remediation actions assigned to named owners with deadlines

After remediation, retest. Confirming a fix is effective through retesting is what distinguishes a mature control environment from one that documents problems and leaves them open. Regulators and auditors treat that closed loop as the clearest signal that your program has real teeth — not just paperwork.
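The following is an added example, not code from the article or from Fraxtional, showing what the CAATs approach described earlier and Steps 2 through 5 look like when run against a full population rather than a sample. It tests an assumed daily transaction monitoring control: every transaction at or above a threshold must raise an alert (reperformance of the threshold logic), and every alert must be dispositioned within an SLA by an analyst other than the transaction's approver (inspection of the disposition log). The threshold, SLA, field names, the constructed sample records and the deviation-rate bands used to map results onto the three deficiency tiers are all assumptions made for the example; the article itself defines the tiers qualitatively.

```python
# Added example, not from the article: a CAAT-style full-population test of a
# daily transaction monitoring control, run on constructed sample data.
# Assumed control (illustrative): every transaction at or above THRESHOLD must
# raise an alert; every alert must be dispositioned within DISPOSITION_SLA_DAYS
# by an analyst who is not the transaction's approver. Cutoffs, field names and
# the deviation-rate bands in classify_deficiency are assumptions for the demo.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

THRESHOLD = 10_000            # assumed monitoring threshold (currency units)
DISPOSITION_SLA_DAYS = 5      # assumed alert review SLA


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: int
    booked: date
    approver: str


@dataclass(frozen=True)
class Alert:
    txn_id: str
    dispositioned: Optional[date]   # None means the alert is still open
    analyst: Optional[str]


# Step 2: the population is every transaction in the period, not a sample.
# Constructed data with one record per pass/exception type.
_D0 = date(2025, 1, 6)
TRANSACTIONS = [
    Transaction("T001", 12_500, _D0, "approver.a"),                      # alerted, reviewed on time
    Transaction("T002", 9_800, _D0, "approver.a"),                       # below threshold, no alert due
    Transaction("T003", 15_000, _D0 + timedelta(days=1), "approver.b"),  # reviewed 9 days later
    Transaction("T004", 10_000, _D0 + timedelta(days=2), "approver.c"),  # at threshold, never alerted
    Transaction("T005", 30_000, _D0 + timedelta(days=3), "approver.a"),  # reviewed by its own approver
    Transaction("T006", 11_000, _D0 + timedelta(days=4), "approver.b"),  # alert still open
    Transaction("T007", 2_000, _D0 + timedelta(days=4), "approver.b"),   # below threshold
    Transaction("T008", 50_000, _D0 + timedelta(days=5), "approver.c"),  # alerted, reviewed next day
]
ALERTS = {
    "T001": Alert("T001", _D0 + timedelta(days=2), "analyst.x"),
    "T003": Alert("T003", _D0 + timedelta(days=10), "analyst.y"),
    "T005": Alert("T005", _D0 + timedelta(days=4), "approver.a"),
    "T006": Alert("T006", None, None),
    "T008": Alert("T008", _D0 + timedelta(days=6), "analyst.x"),
}


def reperform_threshold(txns, alerts):
    """Reperformance: re-apply the threshold rule to every transaction and
    compare with the alerts the system actually raised."""
    return [(t.txn_id, "missed alert")
            for t in txns if t.amount >= THRESHOLD and t.txn_id not in alerts]


def inspect_dispositions(txns, alerts):
    """Inspection of evidence: each alert must show a timely disposition by
    someone other than the approver of the underlying transaction."""
    by_id = {t.txn_id: t for t in txns}
    exceptions = []
    for a in alerts.values():
        t = by_id[a.txn_id]
        if a.dispositioned is None:
            exceptions.append((a.txn_id, "alert still open"))
        elif (a.dispositioned - t.booked).days > DISPOSITION_SLA_DAYS:
            exceptions.append((a.txn_id, "disposition outside SLA"))
        if a.analyst is not None and a.analyst == t.approver:
            exceptions.append((a.txn_id, "segregation of duties breach"))
    return exceptions


def classify_deficiency(exception_count, population_size):
    """Step 4: map the deviation rate onto the article's three tiers.
    The 5% / 10% bands are an assumption for this example, not a standard."""
    if exception_count == 0:
        return "operating effectively"
    rate = exception_count / population_size
    if rate <= 0.05:
        return "control deficiency"
    if rate <= 0.10:
        return "significant deficiency"
    return "material weakness"


def run_control_test(txns=TRANSACTIONS, alerts=ALERTS):
    """Steps 2 to 5 end to end, returning the workpaper fields listed in Step 5."""
    in_scope = sum(1 for t in txns if t.amount >= THRESHOLD)
    exceptions = reperform_threshold(txns, alerts) + inspect_dispositions(txns, alerts)
    return {
        "control_objective": "Transactions at/above threshold are alerted and dispositioned "
                             "within SLA by an analyst independent of the approver",
        "method": "CAAT full-population reperformance + inspection of disposition log",
        "population_total": len(txns),
        "population_in_scope": in_scope,
        "exceptions": exceptions,
        "deviation_rate": round(len(exceptions) / in_scope, 3) if in_scope else 0.0,
        "classification": classify_deficiency(len(exceptions), in_scope),
        "remediation_owner": "<assign named owner and deadline>",  # placeholder for the workpaper
    }


if __name__ == "__main__":
    for field_name, value in run_control_test().items():
        print(f"{field_name}: {value}")
```

Because the whole population is evaluated, the output needs no sampling argument: every in-scope transaction either passes or appears in the exception list with a reason, and the same functions can run daily as a continuous monitoring check rather than once a quarter. The segregation of duties check illustrates why inspection and reperformance are combined: the disposition log alone shows the alert was closed, but only comparing it against the transaction record shows who should not have closed it.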


Key Benefits of Control Testing

Regulatory and Audit Readiness

Organizations with a verified control testing program can demonstrate — not just claim — that controls work. That distinction matters during regulatory examinations, sponsor bank due diligence, and licensing reviews.

The 2023 interagency guidance from the Federal Reserve, FDIC, and OCC on third-party risk management explicitly requires banks to assess and monitor control environments across fintech relationships. Fintechs that can produce current, documented control testing results are better positioned in those conversations than firms presenting policies alone.

Fraxtional's independent audit engagements prepare clients for exactly these moments, producing board-ready audit reports with prioritized remediation recommendations that hold up under sponsor bank and regulatory scrutiny.

Early Identification of Control Gaps

Regular testing surfaces weaknesses before they manifest as compliance failures, fraud losses, or violations. One Fraxtional client noted that a pre-audit risk review "helped us uncover gaps we didn't even know we had" — gaps that, left undetected, could have created far more expensive problems during a regulatory examination.

That's the difference between finding a problem on your terms versus a regulator finding it on theirs.

Operational Efficiency and Institutional Trust

Control testing frequently surfaces inefficiencies alongside compliance gaps:

  • Duplicative approval steps that slow down operations
  • Manual workarounds that introduce processing errors
  • Automated controls misconfigured after a system update

Fixing these issues improves compliance posture and operational performance at the same time. That dual payoff matters to investors, board members, and banking partners who now routinely require governance evidence before committing to a relationship.


[Infographic: three key benefits of control testing for fintech regulatory readiness and efficiency]

Best Practices for Control Testing in Fintech

Adopt a risk-based approach tied to regulatory obligations. Map your testing program directly to the frameworks you operate under — BSA/AML, UDAAP, Reg E, GDPR, or DORA — and concentrate testing frequency and rigor on the controls regulators will scrutinize most closely. Treating all controls equally exhausts resources while leaving the highest-risk areas under-tested.

Ensure tester independence. Control testers need both technical knowledge and the independence to render an objective verdict. In smaller fintechs, the person running a control and the person testing it are often the same individual, which undermines the credibility of any findings. Engaging a fractional BSA Officer, CAMLO, or CCO — through firms like Fraxtional — delivers expert, independent oversight without the cost of a full-time executive hire.

Maintain audit-ready documentation. Every test should produce a complete workpaper as described in Step 5. This documentation must be producible on short notice — regulatory examiners and sponsor bank reviewers don't provide extended notice before requesting it.

Move toward continuous or rolling testing. Annual testing creates gaps where failures can go undetected for months. These high-risk controls should be tested quarterly at minimum:

  • Transaction monitoring
  • User access reviews
  • Sanctions screening

Automated monitoring closes the gap further by flagging exceptions in real time.

Track remediation to closure and retest. Identifying a deficiency means nothing until it's remediated and verified. Maintain a live deficiency tracker with named owners and deadlines, then retest after remediation to confirm the fix is operational — not just documented.


Frequently Asked Questions

What are the 4 types of control testing?

The four primary methods are inquiry, observation, inspection of evidence (examination), and reperformance. CAATs — Computer-Assisted Audit Techniques — are often added as a fifth automated method. Reperformance and CAATs deliver the highest assurance levels of the five.

What is meant by control testing?

Control testing is the process of evaluating whether an organization's internal controls are properly designed and consistently operating to prevent or detect errors, fraud, or regulatory violations. Having policies written down is not enough; control testing verifies those policies actually function in practice.

What is the difference between design effectiveness and operating effectiveness?

Design effectiveness asks whether a control is logically capable of addressing the risk. Operating effectiveness asks whether it's actually being performed correctly and consistently. A control must pass both assessments — failing either one leaves the organization exposed.

What is the difference between control testing and substantive testing?

Control testing evaluates whether controls function correctly — the system of risk management itself. Substantive testing verifies the accuracy of actual financial data or transactions. They're often used together: strong control testing results reduce the scope of required substantive testing, making the audit process more efficient.

How often should control testing be performed?

Frequency should match the risk level and cadence of the control. High-risk controls like transaction monitoring and access reviews warrant quarterly or continuous testing. Lower-risk controls can be addressed annually within a rolling testing program.

What happens when a control test fails?

A failed test produces a deficiency classified by severity: control deficiency, significant deficiency, or material weakness. The deficiency is assigned to a named owner with a remediation deadline, and the control is retested after the fix is implemented to confirm it's now operating effectively. In financial services, material weaknesses require immediate escalation and can have regulatory consequences.