In the face of upcoming change to listing rule requirements on controls testing, ORX hosted a session with our UK-based firms to share how their approaches and plans for control testing practices are evolving.
The context for the discussion was the upcoming Corporate Governance Code changes in 2026 in the UK. However, valuable insights were shared that could benefit the wider community. These are summarised below, along with common FAQs.
The latest edition of the UK Corporate Governance Code asks boards to include in their annual report a description of any ineffective material controls and the action taken/proposed to improve them, as well as any actions taken to address previously reported issues.
The importance of integrated systems for a holistic overview
Just as in ORX’s Strategic Vision of ONFR, the importance of connecting the dots to provide an accurate and holistic view of control testing processes and results was highlighted.
Overall, firms have good levels of accurate controls-related information, and some are using their centralised or integrated risk system of record effectively to aggregate and leverage these insights. However, there is still work to be done in this area as some firms grapple with decentralised systems and data aggregation.
Examples of how control testing information is being integrated and made more accessible include:
- Federated models with centralised testing, where testing results are provided to legal entities and franchises via the GRC tool
- Centralising the location of information by embedding information in the ERM system or creating a single, downloadable, golden source database/inventory of controls testing results with control testers identified
- Investment in issue management systems that record all deficiencies against individual controls, connecting with:
- RCSAs
- Internal and external audit
- Compliance monitoring
- Relevant external event data
- Building ONFR dashboards to support reporting for board risk committee and audit
AI capabilities can be leveraged to support control testing activities through:
- The development of Large Language Model (LLM) tools to sit over a GRC to suggest improvements to control descriptions
- Automatic aggregation of data points by AI to assess whether a control is operational (yes/no); where the AI deems the control operational, it advises that testing is not required
- Some participant firms are developing these capabilities with the support of third parties with an intention to bring these in house at a later stage
How to identify key controls: A combined interview approach
When defining a key control population and the subsequent testing requirements for key controls, some participant firms are taking a combined Subject Matter Expert (SME) interview approach:
Are subsidiaries considered within scope for control testing?
Across the board, firms generally consider some or all subsidiaries to be within scope of control testing. It’s worth noting that subsidiaries often perform additional control testing on top of the group control testing.
Key considerations for the inclusion of subsidiaries in control testing
- Materiality of the subsidiary
- By activities performed by the legal entity. Perimeter exercises assess the relevance of every legal entity to the operational risk framework
- Level of subsidiary’s involvement in critical business services/processes
- The exposure of the wider organisation to the subsidiary and subsequent potential operational failure impacts
- Control type in operation, and the extent to which that control mitigates the material risks
- Regulatory requirements
- Size of subsidiary’s balance sheet
Methods for making controls testing and reporting more efficient
Aggregating low-level but key controls
Where there is a high volume of low-level but key controls, it can be challenging to aggregate these into a material control. One way in which this is being addressed is through the following method:
- Combine a selection (<1000) of low-level controls operating in a similar way and environment into a group to constitute a single material control
- If these similar controls are functioning in at least 95% of their applications, then the material control can be assessed as functioning and adequate
- For both internal and regulatory reporting, it can then be stated that the material control is present, adequate and effective
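As an added illustration of the aggregation method above (this is example code, not ORX's or any participant firm's tooling), the following Python groups low-level controls that operate in a similar way and environment, caps each group below 1000 controls, and assesses the resulting material control as functioning when at least 95% of the group's applications operated as designed. The grouping attributes (`control_type`, `environment`), the record fields, the status labels and the sample data are all assumptions for illustration; the page only gives the two thresholds and the outcome statement.

```python
"""Added example: rolling low-level key controls up into a material control.

Assumptions (not from the source): controls are grouped by (control_type, environment),
the 95% threshold is measured over the total number of control applications in the
group, and the status labels below are our own.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_GROUP_SIZE = 1000   # the page's "<1000" selection limit (strictly fewer than 1000)
PASS_THRESHOLD = 0.95   # the page's "at least 95% of their applications" threshold


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    control_type: str    # assumed grouping attribute: how the control operates
    environment: str     # assumed grouping attribute: where it operates
    applications: int    # times the control was applied in the testing period
    operating: int       # applications in which the control operated as designed


def group_controls(results):
    """Group low-level controls that operate in a similar way and environment."""
    groups = defaultdict(list)
    for r in results:
        groups[(r.control_type, r.environment)].append(r)
    return groups


def assess_material_control(controls):
    """Return (status, operating_ratio) for one group forming a material control.

    'functioning'  : >= 95% of applications operated, so the material control
                     can be reported as present, adequate and effective
    'ineffective'  : below the threshold
    'ungroupable'  : the group does not satisfy the <1000 selection limit
    'not_tested'   : no applications recorded, so no ratio can be computed
    """
    if len(controls) >= MAX_GROUP_SIZE:
        return "ungroupable", None
    total = sum(c.applications for c in controls)
    if total == 0:
        return "not_tested", None
    ratio = sum(c.operating for c in controls) / total
    return ("functioning" if ratio >= PASS_THRESHOLD else "ineffective"), ratio


def material_control_report(results):
    """Map each (control_type, environment) group to its status, ratio and size."""
    report = {}
    for key, controls in group_controls(results).items():
        status, ratio = assess_material_control(controls)
        report[key] = {"status": status, "ratio": ratio, "controls": len(controls)}
    return report


# Constructed sample data for illustration only.
SAMPLE = [
    ControlResult("C-001", "reconciliation", "payments", 100, 100),
    ControlResult("C-002", "reconciliation", "payments", 100, 98),
    ControlResult("C-003", "reconciliation", "payments", 100, 90),  # group still 96% overall
    ControlResult("C-010", "approval", "lending", 50, 40),          # drags group to 90%
    ControlResult("C-011", "approval", "lending", 50, 50),
]

if __name__ == "__main__":
    for key, row in material_control_report(SAMPLE).items():
        print(key, row)
```

Because the threshold is applied across the group's total applications rather than per control, a single weaker control (C-003 above) does not by itself make the material control ineffective; conversely, one control with many failing applications (C-010) can pull the whole group below 95%, which is the trade-off a firm accepts when it aggregates this way.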
Automated controls
Some firms do not capture automated controls, but only ‘observable controls’, i.e. those where a process failure indicates a potential control failure. Using this lens reduces the reporting volume and focuses attention on critical exposure to process failure.
Testing frequencies
There is a shift towards making controls testing more agile, less formulaic and less administratively heavy, with some firms moving to perform testing on a trigger basis only, where monitoring detects changes in the risk and control landscape. However, most firms opt to test key controls annually as a minimum as part of the RCSA process.
Key factors to consider for determining testing frequency:
- Materiality of the risk the control is mitigating and the potential risk exposure
- Frequency of control application
- Operating model: automated or manual?
- Control failures
- Internal or external risk events
- Type of testing required e.g. automated vs manual (where 4-eyes checks are required)
- Volume of testing required (i.e. if there is a high volume of regular manual checks, then duplicative testing of these controls may not be required)
- Resource capacity and size of testing team
- Operating environment e.g. higher risk activities could warrant more regular testing
How are control testing teams structured?
Firms emphasised the importance of leveraging the right knowledge from the right people at the right time, no matter where they sat within the organisational structure.
Firms indicated that developments over the past couple of years have focused on centralising control testing resources and getting that team and their roles and responsibilities established. Some firms are still in this process. As such, ORX has pulled together a selection of FAQs regarding control testing team structure (note the responses are based on answers provided by the firms involved).
| FAQs | Response |
| --- | --- |
| How many controls testers do financial institutions have? | On average, participant firms had 8-20 testers. |
| Do firms have dedicated control testing teams? | Some firms have a dedicated control testing team, whilst others have small groups of staff with testing responsibilities. |
| Do firms have a central control testing team? | Most do; however, there were instances of franchise testers in addition to central testers. On top of this, firms may also have had dedicated SOX testers. |
| Where do control testers sit in the 3LoD model? | Almost all participant firms had control testers in the 1st Line of Defence. |
| What is the reporting line for controls testers/testing teams? | Examples of who control testers report to include: |
| Is control testing a full-time responsibility? | Generally, control testing was not a full-time responsibility, but one aspect of the role. |
| How many (key) controls are firms testing annually? | Mostly testing 500-900 key controls annually, representing approximately 5-10% of their key control population. |
Ongoing concerns centre on whether resource and skill levels are sufficient to perform adequate testing. One way to mitigate these concerns is to consider outsourcing relationships with internal/external audit to bring in specific technical expertise.
Reporting on control testing results: Micro vs macro
Firms continue to face the perennial issue of how to report vast quantities of control testing information in a meaningful way to their Boards.
Overcoming this challenge typically involves prioritising clear, high-level overviews, whilst maintaining more granular, detailed documentation in the event of additional questioning.