What is Controls Validation (Planning & Audit)?
Control activities are actions taken to establish or improve security and minimise risk.
Validation of control effectiveness ensures that the current state is recorded and can be used to accurately determine risk. It also allows recommendations to be made for improvements or changes designed to increase security and control effectiveness.
Where significant control lapses are identified during a risk assessment, a corresponding control validation activity is added to the Controls Validation Plan (CVP) to make up a full list of controls to be validated.
Controls involve many functions, occur at all levels of an agency, and are equally diverse: they can be logical, physical, managerial, process or policy controls, and are either preventative, detective, or corrective. The risk assessment will determine the most effective controls that should be applied to mitigate risk.
The Controls Validation Planning process will inform how the Audit will be carried out, and includes:
- Documents or artefacts to be generated during the validation process;
- Required resources, departments, and personnel involved in the validation project;
- Timeline for completing and approving the validation project;
- Criteria to confirm that the agency’s system or systems meet defined requirements; and
- Compliance requirements for the system or systems.
All Controls Validation Planning will be relevant to the complexity of the individual agency’s system or systems.