Control Risk Assessment
(1) Design
- Are the controls capable of mitigating the risk?
- Are they properly designed?
Procedures:
- Obtain the system description, inspect it for the description of controls,
and assess their ability to mitigate the risks
- Enquire with management as to the nature of the risks and the controls put
in place to mitigate them
(2) Implementation
- Are the controls actually there and being used?
Procedures:
- Observation
- Walk through system (point in time)
*This is different to checking the operating effectiveness of controls, as
operating effectiveness is checking that the controls have worked all year
long (the exception to this rule is an automated control, if IT processing
is consistent).
MUST conclude.
*If D&I is not good, i.e. the answer to the above questions is no, then ISA 265
Control deficiencies applies.