Independent Control testing by 2nd Line of Defense

christophenow
Tera Expert

Hello,

I would like to have your feedback and best practice on how you handle:

- Control Design and Control Effectiveness Control Test by 2nd Line of Defense

- Independent Control testing by 2LoD

Several options seem to be used by customers and I wonder what would be the best and which one you choose:

  • Audit management application (Engagement + Control test)
  • Manual attestation
  • Custom tables/functionalities

In addition (nice to have):

- 2LoD fills in the Control Design and Control Effectiveness result, but asks for evidence from 1st LoD

- Design Effectiveness and Operational Effectiveness should be tested in common or separately.

@Jan Spurlin I would be very happy to have your enlightened opinion.

 

Regards,


ShafrazMubarak
Giga Guru

When addressing the query regarding the second line of defense's approach to Control Design and Control Effectiveness testing, it is important to provide a structured and professional response. Several methodologies are employed by organizations, each with distinct advantages and considerations. Leveraging a dedicated Audit Management application of ServiceNow presents a robust and integrated solution. This approach facilitates the formal execution of audit engagements and control tests, providing comprehensive workflow, evidence management, issue tracking, and reporting capabilities. While manual attestation offers a less formal alternative suitable for specific contexts or lower-risk controls, it may lack the rigor required for thorough assurance. Custom-built tables and functionalities within ServiceNow can offer tailored solutions but necessitate significant development and ongoing maintenance.

For independent control testing by the second line of defense, the structured framework of an Audit Management application is generally preferred, enabling objective validation of control design and operational effectiveness. Furthermore, while the second line of defense should evaluate control design and effectiveness, soliciting evidence from the first line of defense is a practical approach to gain insights into operational execution.

 

It is also advisable to assess Design Effectiveness and Operational Effectiveness separately to provide a more granular understanding of a control's strengths and potential weaknesses, as a well-designed control may not always operate effectively, and vice versa.