
3.8 Control Monitoring and Effectiveness

  • Risk practitioners should ensure that appropriate processes are in place to evaluate and monitor the effectiveness of controls.


  • The best way to determine control effectiveness is to test the controls. Controls should be tested at frequent intervals, and internal controls should be evaluated at regular intervals.


  • The risk practitioner's role in control monitoring is important: the risk practitioner assists in planning, reporting and scheduling tests of IS controls.


  • Maintaining controls at an optimal level keeps a balance between the cost of a control and its effectiveness and benefit. A control is said to be at its optimum when its cost is less than the perceived risk it addresses; at that level, control effectiveness and control cost are balanced, and the control provides value to the organization.


  • Adherence to laws and regulations is one of the most important external requirements for an organization. Controls should be implemented and monitored at periodic intervals to ensure that the organization complies with legal and regulatory requirements; these are the most important external requirements for which compliance should be monitored.



Control Monitoring and Reporting Tools and Techniques



  • While designing a control, care should be taken to address how the control will be monitored.


  • Monitoring and reporting of controls are performed in the risk monitoring phase of risk management.

  • Where controls are monitored through a managed security service provider (MSSP) or a security information and event management (SIEM) system, that system should be capable of capturing and analyzing the relevant data.




Key aspects from CRISC exam perspective

  • CRISC Question: Role of a risk practitioner in the IS control monitoring process
    Possible Answer: Assists in planning, reporting and scheduling tests of IS controls

  • CRISC Question: Maintenance of control at an optimum level indicates
    Possible Answer: A balance between control effectiveness and cost

  • CRISC Question: Key objective for maintaining control effectiveness for external requirements
    Possible Answer: Compliance with regulatory and legal requirements

  • CRISC Question: Best way to determine control effectiveness
    Possible Answer: To test the controls

