Test Procedures
Test procedures are the structured steps auditors perform to evaluate controls. In AIIA, test procedures live within workpapers and link to specific engagement controls, providing full traceability from control objectives through testing to conclusions.
What Is a Test Procedure?
A test procedure defines a specific audit test to evaluate whether a control is operating effectively. Each test procedure is linked to:
- A Workpaper (where the test is documented)
- Optionally, an Engagement Control (the control being tested)
Creating Test Procedures
Manual Creation
- Open a workpaper within an engagement
- Navigate to the Test Procedures tab
- Click + Add Test Procedure
- Fill in:
| Field | Description | Required |
|---|---|---|
description | What test will be performed — the detailed steps | ✅ |
engagement_control_id | The control being tested (optional link) | Optional |
is_key_control | Whether this tests a key/critical control | Optional |
result_summary | Outcome of the test after execution | After execution |
AI-Generated Test Procedures
- Click AI Suggest Tests on a workpaper
- The AI analyzes the engagement scope, linked risks, and controls
- It generates a set of recommended test procedures
- Review each suggestion and click Apply to add to the workpaper
AI-suggested test procedures are displayed as recommendations. Each must be individually reviewed and applied by the auditor. The ai_execution_id field tracks which AI session generated the suggestion.
Test Procedure Fields
| Field | Type | Description |
|---|---|---|
id | Integer | Auto-generated unique ID |
workpaper_id | Integer | Parent workpaper |
description | String | Full test procedure description |
result_summary | String | Test outcome (filled after execution) |
is_key_control | Boolean | Whether this tests a key control (default: false) |
engagement_control_id | Integer | Optional link to the control being tested |
ai_execution_id | String | AI execution reference (if AI-generated) |
Executing Tests
Step 1 — Understand the Control
Review the linked engagement control to understand:
- What the control is designed to do
- Whether it is preventive or detective
- The expected operating effectiveness
Step 2 — Perform the Test
Execute the test steps described in the procedure. Common approaches:
| Test Type | Description |
|---|---|
| Inquiry | Interview process owners about control operation |
| Observation | Watch the control being executed in real-time |
| Inspection | Examine documents, reports, or system outputs |
| Re-performance | Re-execute the control independently |
Step 3 — Document Results
Update the result_summary field with:
- What was found
- Sample size and methodology
- Any exceptions identified
- Conclusion (effective / not effective / partially effective)
Step 4 — Create Findings (if needed)
If the test reveals a control gap, create a finding directly from the test procedure:
- Click Create Finding from Test on the test procedure
- The finding is auto-linked to the workpaper and engagement
- The CCCER framework is pre-populated with context from the test
Key Control Testing
When is_key_control is set to true:
- The test procedure is flagged with a 🔑 icon
- Key control tests are highlighted in engagement dashboards
- Incomplete key control tests block engagement progression
- Board packs include key control test results
Traceability Chain
This chain provides end-to-end traceability from identified risks through controls, test procedures, workpapers, and findings — a core requirement for audit governance.
Permissions
| Action | Auditor | Manager | CAE |
|---|---|---|---|
| Create test procedures | ✅ | ✅ | ✅ |
| Execute and record results | ✅ | ✅ | ✅ |
| Edit test procedures | ✅ Own | ✅ All | ✅ All |
| Use AI to suggest tests | ✅ | ✅ | ✅ |