What is the right sequence for RCMs, walkthroughs, design testing, and operating effectiveness testing?
Start with a draft process map and risk-control matrix, then validate it through walkthroughs. The walkthrough confirms how the process actually works, what evidence exists, who performs the control, and whether the control is performed as described.
After the walkthrough, assess design effectiveness. Ask whether the control, if performed as described, would mitigate the risk. Only then should the auditor test operating effectiveness for a defined period. Operating testing asks whether the control was performed consistently and evidenced properly.
If the design is missing or weak, do not force an operating test just to fill a template. Report the design issue and have management define or improve the control before later operating testing.