Determine and Establish Controls

• Rate and determine risk areas
• Identify control characteristic, types and objectives
• Specify individual controls
• Key and testable control determination
• Separate reporting locations and groups

Document the Controls

• Current process review
• Observe gap areas
• New process implementation
• Target key process owners
• Record process narratives and flowcharts
• Organize supporting documentation
• List and design revision control method

Test and Assess the Controls

• Timetable determination and scheduling
• Establish test plans and processes
• Set documentation requirements
• Test according to schedule
• Implement results reporting method
• Non-compliance and exception remediation
• Grade final results annually