IT Examiner School eBook May 2025
Step 5 – Evaluate and Monitor Controls
Objective: Continuously assess the effectiveness of controls and adjust to emerging risks.

• Examiner Validation:
  • Request audit reports and control assessments.
  • Verify that control evaluations are performed regularly and that findings are addressed.
  • Review evidence of continuous monitoring for evolving threats, such as metrics reporting that evidences conformance with policies and procedures.
• Additional Checks:
  • Inspect Board and Management Reporting.
  • Check Risk and Control Self-Assessments (RCSA).
  • Confirm the Risk Register is current and regularly updated to reflect changes in risk status or mitigation efforts.
Examination Takeaways: Risk Assessment

How much time should I spend on the Risk Assessment?
Plan to expand the depth of review when:
• The risk assessment has not been reviewed at least annually.
• There have been changes in management and/or the environment.
• The risk assessment was completed with limited input from other stakeholders.
• There are discrepancies in the identified process.
• Audit and examination findings are evident.
• You are not confident in management's responses.
Plan to reduce the depth of review when:
• The risk assessment was recently reviewed by a qualified auditor and found to be adequate.
• There have been no changes in management or the environment since the last examination.
• The quality of the risk assessment process has been validated.