The KCRM assesses controls, risks, and design in the planning phase.
Plan
* Key document from the planning phase: the KCRM.
* Validate it with the client so that you are sure the client agrees with the risk assessment.
* If you’ve assessed a risk as “high inherent risk” and seen that the design is okay but the control is not operating effectively, then you have a big issue; if you have “moderate inherent risk” with an okay design but a control that is not operating effectively, it is not as big of an issue.
* Validating the design with the client can also help you capture key controls that are in place that you may have missed.
* Also have the test plan: the engagement letter (formal), the KCRM up to the design assessment, and a test plan.
* You should have most of the test plan figured out by this point in the engagement process.
* Engagement letter:
  * Objective of the audit
  * Scope
  * A timeline
  * A high-level description of the “nature” of what you plan to do
  * In the timeline, resources: who is going to work on it, and what level of effort will I have to dedicate to you?
Execution
* Execution of the test plan: how effective are the controls?
* Design asked “is it good enough?”, assessing goodness against management’s tolerance level for risk.
* Execution assesses control effectiveness!
Communication
* Developing a report:
  * Executive summary (pulls the scope and objectives from the engagement letter; background information: what was the objective of the audit, what was the scope)
  * Key findings: the good and the not so good
  * Provide an opinion: green = good; yellow = okay but room for improvement; red = controls are not working to mitigate the risk (way above tolerance levels, cultural issues that allow control override, etc.)
  * Green is good if all key/high risks are mitigated effectively; yellow is maybe one key/high risk not mitigated or a few moderate risks not