We have noticed a trend that has caused some concern. Many organizations are testing controls to see how well they work.<\/span>\u00a0<\/span>However, they are not paying enough attention to <\/span>design testing<\/a>. An essential part of the risk management process is ensuring the controls established by management are operating effectively. But focusing on control design is just as important, if not more so.<\/p>\n If a control is not well-written and designed to <\/span>mitigate <\/span>risk, it may not be effective. Even if the control is working properly, it still may not be effective. It takes proper evaluation<\/a>, change management, and commitment to alter, test, and improve design of controls over time.\u00a0<\/span><\/span><\/p>\n Let\u2019s<\/span> take a real-world example of implementing control design improvements related to user access reviews:\u00a0<\/span><\/span><\/p>\n On the surface, this control seems to be properly designed to mitigate the risk of inappropriate access to key systems. Let\u2019s add more context to the situation:<\/p>\n This fact changes the situation of our control designed to mitigate the risk. If users <\/span>frequently<\/span> change departments, the system administrator will <\/span>likely need<\/span> to adjust their access to important systems accordingly.<\/span><\/p>\n Even the best change management<\/a>, provisioning, and deprovisioning programs miss items from time to time. But having the proper mitigating controls in place helps reduce risk to a more acceptable level.<\/p>\n Considering the additional facts learned above, we should change our control design to read as follows:<\/p>\n While the above example is a simple one, it does a great job of demonstrating the importance of designing specific controls. Organizations should perform careful process walkthroughs to gain an understanding of how their business operates. Evaluate what your risks really are, and which controls could help mitigate those risks<\/a>.<\/strong><\/p>\n After designing your controls correctly, you can <\/span>proceed<\/span> to test their effectiveness. However, make sure not to overlook the importance of the <\/span>control <\/span>design phase. In a changing world where risks are increasing, companies will be glad they carefully considered these control design issues.<\/span><\/span><\/p>\n \n Control Design Case Study: Before<\/h2>\n
\n
\n
Case Study Example: After<\/h2>\n
\n