
BIZOPS-25 Internal Assessment


What is this control really about?

This control ensures that, as an organization, time is spent evaluating how well internal controls are functioning and that the results of these evaluations are shared with senior management. Internal controls can be compliance-related controls or any internal activity such as account reconciliation, vulnerability scanning, segregation of duties, payroll, etc.

In a bigger organization, this control can be met through the presence of an Internal Audit team. The role of an internal audit team is to gauge the performance of the internal controls. The internal audit results are shared with the organization and contain recommendations for improving the internal processes.

In a smaller organization, this can look like a part-time consultant reviewing your policies and procedures and making recommendations, or a consultant or internal employee performing a gap assessment against a standard and sharing the results with management or the Board.

Available tools in the marketplace

N/A – No tools required

Available templates

  • N/A no templates available for this control

What is required to implement this control?

In order to address this control, you must:

  • First identify the critical areas of the organization that need evaluation. For example, if security is a concern, vulnerability scanning is ideal; if fraud is a concern, account reconciliation is ideal; if compliance is a concern, a gap assessment is ideal, etc.
  • Then, a dedicated team must be assigned to the review of the process
  • Time must be allocated to properly conduct the review
  • The review results must be shared with senior management or the Board

The good news is that the act of using Trust Ops of TrustCloud and addressing the requirements for its controls can serve as a continual internal assessment.

What evidence is the auditor looking for?

  • Most recent internal assessment (use Trust Ops of TrustCloud)
  • Evidence that the last internal assessment was shared with senior management or the Board

An example of what an artifact can look like

  1. Most recent internal assessment (use Trust Ops of TrustCloud)

  2. Evidence that the last internal assessment was shared with senior management or the Board

Note: screenshot is of one slide from the Board meeting presentation showing that compliance and security controls results are shared with senior management
