Control Design Evaluation and Testing

The Heart of ICFR Assurance

8/13/2025

What is Control Design Evaluation?

Control design evaluation determines whether a control is suitably designed to prevent or detect a financial misstatement.

Key questions to ask:

  • Is the control clearly defined and properly documented?
  • Does it directly address the identified risk?
  • Is the control owner specified?
  • Is it preventive or detective?
  • Is there a trail of documentation or system log?

Examples of Well- vs. Poorly Designed Controls

| Risk | Poor Control | Strong Control |
|---|---|---|
| Unauthorized Journal Entries | CFO randomly reviews some entries | All journal entries > AED 50K require CFO approval with timestamp |
| Inaccurate Vendor Payments | Manual review “when possible” | ERP blocks payments without 3-way PO match and DoA approval |

What is Control Testing?

Control testing confirms that controls:

  1. Exist
  2. Are operating consistently as intended
  3. Are effective in real-world execution

Types of testing:

  • Design Effectiveness Testing (DET) – Is the control well-structured?
  • Operating Effectiveness Testing (OET) – Is the control being performed as expected?

Sample Testing Scenario

| Test | Example |
|---|---|
| DET | Review whether the Delegation of Authority (DoA) matrix exists and aligns with approval thresholds |
| OET | Select 25 journal entries > AED 50K and verify that each was approved as per DoA |

UAE ICFR Relevance

  • For PJSCs: Control testing results form the basis of the auditor’s ICFR opinion required by the SCA
  • For Insurers: Control operating effectiveness must be demonstrated under CBUAE reporting requirements
  • For Private Companies: Testing supports documentation and defensibility under UAE Corporate Tax Law

How to Approach Testing

  • Identify and tag key controls during risk mapping
  • Use sampling based on control frequency and risk level
  • Maintain evidence: screenshots, logs, emails, signed checklists
  • Document test results, exceptions, and remediation steps
  • Rate controls as: Effective, Ineffective, or Not Applicable

Common Pitfalls to Avoid

  • Relying on undocumented controls or verbal confirmations
  • Assuming system controls work without ERP access testing
  • Treating walkthroughs as full control testing
  • Skipping re-testing after control remediation

How Crowe Adds Value to ICFR Testing

We support organizations with:

  • Designing and reviewing control test scripts
  • Conducting DET and OET with audit-grade documentation
  • Identifying gaps and planning remediation
  • Aligning testing with COSO, SCA, and CBUAE standards
  • Preparing working papers for external auditors and regulators

Coming Next Week:

Next week, we’ll focus on ICFR Deficiency Evaluation and Remediation: how to classify control failures, communicate findings, and track corrective actions to ensure full closure before the year-end audit.

Rakesh Kumar Dhoot
Associate Partner, Risk Advisory, Forensic & Process Excellence Division