Baseline Testing: Benchmarking of Automated Controls

Written by Sargon Youmara, Partner, Vonya Global

IT Baseline TestingBaseline testing is a term used in accounting and audit to describe the testing of an automated application control. Once an automated application control has been tested and it is determined by an auditor to be effective, the auditor may conclude that the control remains effective over subsequent periods as long as the automated application control does not change.  This test is considered a baseline, or benchmark, for the automated control.

The PCAOB emphasizes baseline testing on the critical reports being produced through the financial applications as an area that needs attention in their Audit Practice Alert (P.26).  The issue is not new.  It is the responsibility of the company to test the completeness and accuracy of all critical reports produced by the financial applications.  This is no different than testing the accuracy and completeness of critical spreadsheets.

The baseline is not sufficient indefinitely.  Most companies originally tested the automated controls over the critical reports when they first implemented their financial applications and never looked at them again.  The PCAOB’s Audit Standard #5 (AS5) requires auditors to benchmark and test as changes occur or re-establish a baseline based on a prescribed timeline.

If a publicly traded corporation has not benchmarked their critical reports since the financial application was originally implemented, then they will need to perform baseline testing.  This was pushed to the forefront of most public accounting firms in the 2013/2014 inspection reports where the PCAOB asked the accounting firms to perform more testing related to the accuracy and completeness of key reports.

If a company is unsure whether they are required to test automated controls on an annual basis or on a less frequent basis, they should look to the PCAOB for guidance.  Here are preconditions for using a benchmarking strategy, because if these conditions do not exist, the company must test the controls every year.

  1. The general controls over program changes, access to programs, and computer operations should be tested effectively when establishing the baseline (AS5 item B29).
  2. The application should operate in a stable environment and there are only a limited number of changes (AS5 item B31).
  3. The control should be matched to a specific program within the application (AS5 item B31).
  4. There must be information regarding the programs in the production process to prove that controls within the program have not changed (AS5 item B31).
  5. The benchmark must be re-established after a period of time (AS5 item B33).

A public company is required to assure shareholders that an effective control environment exists over financial reporting.  Baseline testing is part of that assurance and is required as part of AS5.


Sargon-Youmara-Internal-Audit-ExecutiveThis post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has 20 years of diverse experience in business risk consulting, internal audit and public accounting. He leads various internal audit initiatives and Sarbanes-Oxley projects to a wide-array of companies from start-ups to multi-national corporations. Sargon is the Risk and Internal Control knowledge partner to his clients and has a depth of experience in:

If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.