Control Testing

    Executing, reviewing, and evidencing control tests

    How Testing Works

    A control test is an execution of a control's test procedure. The tester follows the documented steps, records their findings, and submits a result. Each test receives a sequential test number (TST-0001, TST-0002, and so on).

    What a Test Captures

    Each test records the following information:

    • Result — the outcome: pass, fail, or not applicable.
    • Evidence — a text description of what was observed during testing.
    • Notes — additional notes or context from the tester.
    • Tester — the user who executed the test (set automatically to the current user).
    • Test date — the timestamp of when the test was executed.

    Evidence Attachments

    Testers can upload file attachments as evidence to support their test result. These attachments are stored against the test record and are accessible from the test detail view. Common evidence includes screenshots, log exports, configuration dumps, or compliance scan reports.

    Review Workflow

    If the parent control has review enabled, every test enters a review workflow after submission:

    1. The tester submits the test. The review status is set to Pending.
    2. A reviewer (who must be a different user from the tester) examines the result and evidence.
    3. The reviewer either approves or rejects the test, optionally adding review notes.
    4. The reviewer and the review timestamp are recorded.

    The approved or rejected result becomes the authoritative outcome. If the control does not require review, the test result is immediately authoritative — no review step is needed.

    Automatic Issue Creation

    When a test result is a failure, Anzen automatically creates an issue with the following defaults:

    • Title: "Control failure: [control title]"
    • Severity: medium
    • Status: Open
    • Entity: inherited from the control's owning entity
    • Links: the issue references both the control and the specific test that triggered it

    A system comment is added to the auto-created issue noting which test triggered it. This issue then feeds into the risk report, connecting failed controls to risk exposure.
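The review workflow and the automatic issue creation above, modelled as an added example in Python. This is illustrative code written for this page, not Anzen's own implementation: it assumes an in-memory registry with string user names, that the reviewer-must-differ-from-tester rule is enforced at review time, and that a failing test raises its issue at submission (before any review), which the page does not specify.

```python
"""Model of a control-test review workflow with automatic issue creation.

Added example, not Anzen's code. Assumptions: in-memory storage, users are
plain strings, and a failing test opens its issue at submission time.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

RESULTS = ("pass", "fail", "not_applicable")


class SegregationOfDutiesError(Exception):
    """Raised when the reviewer is the same user as the tester."""


@dataclass
class Control:
    title: str
    entity: str            # owning entity, inherited by auto-created issues
    review_required: bool  # whether tests of this control enter review


@dataclass
class ControlTest:
    number: str            # sequential, e.g. TST-0001
    control: Control
    result: str            # pass / fail / not_applicable
    evidence: str          # text description of what was observed
    tester: str            # set from the submitting user
    notes: str = ""
    test_date: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    review_status: str = "not_required"   # or pending / approved / rejected
    reviewer: Optional[str] = None
    review_notes: str = ""
    review_date: Optional[datetime] = None


@dataclass
class Issue:
    title: str
    severity: str
    status: str
    entity: str
    control: Control       # link back to the control
    test_number: str       # link back to the test that triggered it
    comments: list = field(default_factory=list)


class TestRegistry:
    """Holds tests and issues; numbers tests sequentially."""

    def __init__(self) -> None:
        self.tests = []
        self.issues = []

    def submit_test(self, control, result, evidence, tester, notes=""):
        """Record a test; enter review if the control requires it; open an issue on failure."""
        if result not in RESULTS:
            raise ValueError(f"unknown result {result!r}")
        number = f"TST-{len(self.tests) + 1:04d}"
        test = ControlTest(number, control, result, evidence, tester, notes)
        if control.review_required:
            test.review_status = "pending"
        self.tests.append(test)
        if result == "fail":
            self._open_issue_for(test)
        return test

    def _open_issue_for(self, test):
        # Defaults follow the page: title, medium severity, Open, inherited entity.
        issue = Issue(
            title=f"Control failure: {test.control.title}",
            severity="medium",
            status="Open",
            entity=test.control.entity,
            control=test.control,
            test_number=test.number,
        )
        issue.comments.append(f"[system] Auto-created from failed test {test.number}")
        self.issues.append(issue)
        return issue

    def review(self, test, reviewer, approve, notes=""):
        """Approve or reject a pending test; the reviewer must not be the tester."""
        if test.review_status != "pending":
            raise ValueError(f"{test.number} is not awaiting review")
        if reviewer == test.tester:
            raise SegregationOfDutiesError(
                f"{reviewer} executed {test.number} and cannot review it")
        test.review_status = "approved" if approve else "rejected"
        test.reviewer = reviewer
        test.review_notes = notes
        test.review_date = datetime.now(timezone.utc)
        return test

    def is_authoritative(self, test) -> bool:
        """A result is authoritative immediately if no review is required, else once reviewed."""
        if not test.control.review_required:
            return True
        return test.review_status in ("approved", "rejected")
```

The segregation-of-duties check lives in `review`, not in the UI, so a tester cannot approve their own work even through an API call; the `review_status` guard also prevents a test being reviewed twice.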