II.
Workflow overview
Reference · liveworkflow:control-effectiveness-testing
Control Effectiveness Testing overview
Tests the design and operating effectiveness of internal controls -- selecting control samples based on risk-tier prioritization, evaluating whether control design adequately addresses identified risks, testing operating effectiveness through walkthroughs, re-performance, and evidence inspection, assessing automated control configurations and access restrictions, identifying control deficiencies and classifying severity as gap, weakness, or material weakness, and tracking remediation commitments from prior testing cycles. Produces control testing results matrix, deficiency register, and remediation status report. Excludes control design and policy authoring.
Attributes
displayName
Control Effectiveness Testing
workflowKind
governance
triggerType
scheduled
typicalCadence
quarterly
complexity
cross-team
description
Tests the design and operating effectiveness of internal controls --
selecting control samples based on risk-tier prioritization,
evaluating whether control design adequately addresses identified
risks, testing operating effectiveness through walkthroughs,
re-performance, and evidence inspection, assessing automated control
configurations and access restrictions, identifying control
deficiencies and classifying severity as gap, weakness, or material
weakness, and tracking remediation commitments from prior testing
cycles. Produces control testing results matrix, deficiency register,
and remediation status report. Excludes control design and policy
authoring.
Outgoing edges
applies_to_domain2
- domain:operations·DomainOperations
- domain:cybersecurity-grc·DomainCybersecurity GRC
involves_role3
- role:operational-risk-analyst·RoleOperational Risk Analyst
- role:security-reviewer·RoleSecurity Reviewer
- role:compliance-officer·RoleCompliance Officer
performed_by_org_unit2
- org-unit:risk-management-team·OrgUnitRisk Management Team
- org-unit:compliance-team·OrgUnitCompliance Team
requires_skill_area2
- skill-area:observability-pipeline·SkillAreaObservability Pipeline
- skill-area:incident-response·SkillAreaIncident Response
triggers_responsibility2
- responsibility:run-security-scans·ResponsibilityRun security scans
- responsibility:review-architecture-changes·ResponsibilityReview architecture changes
Incoming edges
None.