CHALLENGING ASSESSMENT SCORES

As both risk and control self-assessment scores are largely subjective, they should be challenged with whatever actual data we have to hand. This may include control testing scores, internal audit control scores, actual loss data of the firm, near miss data, trend data and external loss data if available. In addition, the existence of outstanding actions is another indication of management’s view of the controls, i.e. if they think that it is worth spending resources to enhance a control then the control cannot currently be highly effective.

Some of the above information is obvious in its use. For example, if control testing or an internal audit shows that a control is not very good but the control owner is claiming ...
