IddiLabs · Tools · Internal Controls & Assurance · Luxembourg

Controls Testing Plan Builder

Build a control inventory, set the methodology parameters, and generate a risk-based annual testing plan: rotation, test methods, sample sizes, timing and effort — with the rationale written on every row. Exports to Excel with a methodology tab. Everything runs in your browser; nothing is stored or sent.

Browser-only No data leaves this page Every parameter editable Illustrative methodology — not audit advice
Start here · What this is and how to use it

A testing plan you can defend, built in your browser

This is a controls testing plan builder: define the methodology once, list your controls, and generate the annual plan — scope, test method, sample size, timing and effort, with the reasoning written on every row. Export the result to Excel and continue offline; nothing is stored or transmitted by this page.

  • 1 · Set the methodology parameters below — or keep the ISAE 3402 / SOX-style defaults. Every number is editable.
  • 2 · Build the control inventory — or load the fictional demo inventory to see the whole flow with pre-filled controls in one click.
  • 3 · Read the derived plan. Every control carries its scoping rationale; anything excluded is listed with the reason.
  • 4 · Export to Excel (plan + inventory + methodology tab) or print the summary — the export is your save file.
Before relying on the outputHow scoping is decided — risk-based rotation, the key-control rule, and manual overrides — is explained and defined below. Read it once so the plan's logic is yours, not the tool's.
01 · Methodology parameters

Set the rules once — the plan derives itself

Defaults follow common ISAE 3402 / SOX-style conventions. They are a starting point: edit any number to match your own framework, and the plan, totals and Excel export update instantly.

Plan header
Scoping — rotation by risk rating
Sample sizes by control frequency

Ad hoc / event-driven controls sample 10% of the annual population, capped at 25 — set the population on the control itself. Automated controls take a test of one with reliance on IT general controls.

Effort per control test (hours)
02 · Control inventory

The controls in scope of your framework

Add controls manually, or load the fictional demo inventory to see the whole flow in ten seconds. Data lives only in this page — export before closing.

Add a control
03 · The derived plan

Testing plan

04 · How scoping is decided

Scoping first: how a control gets into the plan

  • Rule 1 — risk sets the clock. Each risk rating carries a rotation interval (defaults: High every year, Medium every 2 years, Low every 3). A control is in scope when the plan year reaches last tested year + interval. Worked examples for a 2026 plan: Medium tested 2024 → due 2026 → in scope. Medium tested 2025 → due 2027 → deferred. High tested 2025 → due 2026 → in scope, as it is every year. Low tested 2023 → due 2026 → in scope.
  • Rule 2 — never tested means always in scope. A control with no testing history cannot be deferred by rotation.
  • Rule 3 — the key-control switch. By default, key/non-key changes how a control is tested (method depth), not whether it is in scope — risk does that. If your framework tests key controls every year regardless of risk rating, set "Key controls" to "Test every year" in the parameters and the clock tightens accordingly.
  • Rule 4 — the manual override wins. The Scope field on each control beats rotation. Yes — force in pulls a control into this cycle (new control, incident follow-up, regulator request). No — scope out excludes it (for example, reliance on an ISAE 3402 report or other assurance) — record the reason. Everything excluded appears under "Not in this cycle" with its rationale, so the plan shows what was left out and why, not only what is in.

Then the test design follows

  • Test method. Automated → test of one with reliance on IT general controls. Key manual → reperformance + inspection. Non-key manual → inspection of evidence; non-key manual at Low risk → inquiry + observation.
  • Sample size. Taken from the frequency table above (ISAE 3402 / SOX-style convention). Ad hoc controls: 10% of the stated annual population, capped at 25. Automated: one item.
  • Timing. Preferred period if set; otherwise in-scope controls are spread across Q1–Q4 in rotation. Treat as indicative — align to evidence availability.
  • Effort. Hours per test by method, from the parameters — a planning estimate, not a quote.
The 22/806 tie-inPoint 51 of Circular CSSF 22/806 requires the internal audit plan to include, in particular, outsourcing arrangements of critical or important functions. Classify an arrangement with the Regime Classifier, then carry its oversight controls into this plan.

Sample sizes, method ladders and rotation intervals vary legitimately between frameworks. This tool encodes a common convention and makes every number editable — the methodology tab in the Excel export records exactly what you used.