Operating effectiveness
Definition
The assessment of whether a control has consistently functioned as designed over the audit period. Testing it requires evidence of actual operation, such as logs, approval records, or re-performance of the control, and usually involves sampling from the full population of control executions.
Related terms
- Audit chain of custody: The documented record of when audit evidence was collected, by whom, from what source, and how it has been stored and accessed...
- Control criterion: The standard against which a control is evaluated. Criteria may come from an external standard (ISO 27001 Annex A, NIST CSF, PCI-DSS),...
- Design effectiveness: The assessment of whether a control is designed in a way that would prevent or detect the risk it targets, if it...
- Document control: The systematic management of all procedural documents in a quality management system, ensuring that the current approved version is in use, all...
- Evidence sufficiency: The standard that evidence must meet to support an audit conclusion. Evidence must be relevant to the control being tested, reliable in...
- Fieldwork: The active evidence-gathering phase of an audit, during which the auditor applies testing procedures to specific controls and collects the evidence that...
- Information Security Policy: A high-level governance document that states what the organisation intends to achieve in protecting information, assigns accountability to roles, and sets the...
- Policy Exception: A formal, time-bounded approval to deviate from a policy or standard requirement when the standard control is not achievable. Exceptions must be...
- Procedure: A step-by-step operational instruction that tells a specific role how to carry out a task in conformance with the relevant standard. Procedures...
- Standard: A document that translates a policy requirement into specific, measurable criteria. For example, a password policy may require strong authentication; the accompanying...
Explained in these topics
- Fieldwork, Evidence Collection, and Control Testing: The assessment of whether a control has consistently functioned as designed over the audit period. Requires evidence of actual operation, such as logs, approva...
- Information Security Policy Hierarchy: Whether a control is actually performing as the policy and standard require, as opposed to merely being documented (design effectiveness). Auditors test operat...