Control Effectiveness Testing
workflow:control-effectiveness-testing
{
"id": "workflow:control-effectiveness-testing",
"_kind": "Workflow",
"_file": "workflows/workflows/workflows-operational-risk.yaml",
"_cluster": "workflows",
"attributes": {
"displayName": "Control Effectiveness Testing",
"workflowKind": "governance",
"triggerType": "scheduled",
"typicalCadence": "quarterly",
"complexity": "cross-team",
"description": "Tests the design and operating effectiveness of internal controls --\nselecting control samples based on risk-tier prioritization,\nevaluating whether control design adequately addresses identified\nrisks, testing operating effectiveness through walkthroughs,\nre-performance, and evidence inspection, assessing automated control\nconfigurations and access restrictions, identifying control\ndeficiencies and classifying severity as gap, weakness, or material\nweakness, and tracking remediation commitments from prior testing\ncycles. Produces a control testing results matrix, deficiency register,\nand remediation status report. Excludes designing controls and\nauthoring policies.\n"
},
"outgoingEdges": [
{
"from": "workflow:control-effectiveness-testing",
"to": "role:operational-risk-analyst",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "role:security-reviewer",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "role:compliance-officer",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "skill-area:observability-pipeline",
"kind": "requires_skill_area",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "skill-area:incident-response",
"kind": "requires_skill_area",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "domain:operations",
"kind": "applies_to_domain",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "domain:cybersecurity-grc",
"kind": "applies_to_domain",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "responsibility:run-security-scans",
"kind": "triggers_responsibility",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "responsibility:review-architecture-changes",
"kind": "triggers_responsibility",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "org-unit:risk-management-team",
"kind": "performed_by_org_unit",
"attributes": {}
},
{
"from": "workflow:control-effectiveness-testing",
"to": "org-unit:compliance-team",
"kind": "performed_by_org_unit",
"attributes": {}
}
],
"incomingEdges": []
}