A control is an action or measure that reduces the likelihood or impact of a risk to an acceptable
level. A control issue is a problem or weakness that affects the effectiveness or efficiency of a
control, such as a gap, deficiency, or failure. A control enhancement is an improvement or
modification that increases the effectiveness or efficiency of a control, such as adding, replacing,
or updating the control. An external audit is an independent and objective examination of the
enterprise's activities, processes, or systems, such as the risk management program or the control
environment, by an external party, such as a regulator or a third-party auditor. The best way for a risk
practitioner to verify that management has addressed control issues identified during a previous
external audit is to observe the control enhancements in operation. Direct observation lets the risk
practitioner evaluate the actual performance and outcome of the control enhancements and determine
whether they have resolved or mitigated the control issues, rather than relying on someone else's
description of them. The other options are not the best way to verify that management has addressed
the control issues, because each relies on a less direct method or source of verification:
Interview control owners means that the risk practitioner asks questions of, or collects feedback from,
the persons or groups who have the authority and accountability to manage the controls and their
issues, such as the business process owners or the IT controls managers. This may provide some
information or evidence about the control enhancements, but it is not as reliable or objective as
observing the control enhancements in operation, because control owners may have biases, conflicts
of interest, or gaps in their knowledge or perception of the control enhancements.
Inspect external audit documentation means that the risk practitioner reviews the reports or records
of the external audit, such as the audit findings, recommendations, or opinions. This may provide
some information or evidence about the control issues, but it is not as current or relevant as
observing the control enhancements in operation, because the audit documentation records the issues
as they were found at the time of the audit; it does not reflect the latest status or results of the
control enhancements, and it may not cover all aspects or components of them.
Review management's detailed action plans means that the risk practitioner examines the
documents that specify the actions management intends to take to address the control issues,
such as the resources required, the timelines, the owners, and the expected outcomes. This may
provide some information or evidence about the control enhancements, but it is not as accurate or
sufficient as observing the control enhancements in operation, because a plan describes intent, not
execution: the actual implementation may not match the plan, and the plan may not account for the
uncertainties or complexities encountered when the enhancements were put in place. Reference = Risk and
Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.3.3.1, pp. 62-63.