Control testing is the process of evaluating whether internal controls are properly designed and operating effectively. It helps organizations ensure that risks are managed and financial reporting is reliable.

- Design Effectiveness Testing: Determines if a control is well-designed to prevent or detect errors - Operating Effectiveness Testing: Verifies that the control is functioning as intended over time

In SOX compliance, control testing is a core requirement. It also forms the backbone of most risk-based audit programs within broader GRC frameworks.

- Inquiry: Asking employees how controls are performed - Observation: Watching the control being executed - Inspection: Reviewing documents or evidence - Reperformance: Auditor performs the control independently to verify results