Control maintenance - Testing
When you test a control you're essentially evaluating it to see if it's effective. Control testing allows you to discover what's working (and what's not). Regularly testing your controls allows you to address any weaknesses before you enter an audit. If controls are found to be effective, control risk is low. If controls are identified as ineffective, control risk is high. In Hyperproof, you can test your controls manually or via automation.
Hyperproof recognizes the following testing statuses:
Not tested (default) - The control has not yet been tested.
Effective - The control is doing its job; risk is low.
In progress - The control is actively undergoing testing.
Ineffective - The control has a weakness that needs to be addressed; risk is high. When set to ineffective, two deficiency properties are available: design and operation.
Calculated value - This status is linked to any automated tests that have been implemented on the control. If a test passes, the status is effective. If the test fails, the status is ineffective and the control is considered to be at risk.
To change the testing status:
Navigate to the control.
From the Details tab, locate the control status panel.
Hover over the current testing status, and then click the Edit icon.
Select a new status.
Note
The overall health of the control may change depending on the selected status. A testing status of 'not tested' or 'in progress' puts the control 'at risk'. A testing status of 'ineffective' causes the overall health status to default to 'critical', even if the control is fresh, implemented, and has linked proof.
If you need to change the status on multiple controls, you can bulk edit those controls.
Automated control testing
Automated control testing requires the use of a Hypersync on a control or a label to gather the proof automatically. Proof gathered by Hypersyncs follows a predictable table format allowing it to be tested easily.
Once a Hypersync is set up, you can configure a test to run on a schedule that you specify: on the most recent proof, on all proof, or on proof created in a particular date range. Hyperproof’s flexible test builder allows you to write many types of tests using simple business logic. It works similarly to popular spreadsheet functions like VLOOKUP(), HLOOKUP(), IF(), and more.
For example, if you have a control that requires that all passwords be 10 characters or more, you can use a Hypersync to retrieve proof that contains password length. Based on that proof, you can configure a test that checks the password length field to ensure that it is greater than or equal to 10. If not, the test fails, and you can address the issue.
Hyperproof’s notification system warns you about failed tests by email, Slack, or Teams depending on your configuration. You can also set up automatic event-driven repeating tasks for failed tests asking team members to review controls or labels, and the associated proof.
If a test fails, review the failure on the Tests tab of the control or label you are testing.
To use automated control testing:
Select the control you want to test.
Configure a Hypersync for the control or associated label to collect proof. See How does a Hyperproof user create a new Hypersync? and Hypersync overview.
Review the proof to determine what needs to be tested. See Viewing proof.
Configure a test to verify that the proof collected meets the criteria for the control. See Creating and running an automated control test.
For more information, see these workshops on automated control testing:
The importance of automated controls
Automated control testing