The Quality Assurance reviewers can be within the organization or can be an external organization providing audit support. See Audit Foundry’s list of qualified partners.
QA reviewers receive notifications and a link to their User Dashboard when CSAs have been completed. If no QA is assigned, the Accountable owner is assigned as the QA and receives the notification(s). The QA Reviewer views their dashboard for CSAs marked “Ready for review”. When the QA is complete, the CSA is marked “Completed”. The objective of the QA review is to ensure that every control was executed completely, accurately, and timely; issues with controls are addressed through Risk Management; and evidence is attached to support the assertions made by the control owner.
Some of the fields in the QA interface are the same as the CSA interface to provide the QA reviewer with the same context for the review. The QA Reviewer will also see the Control Assessor’s name, controls described, issues indicated, and evidence uploaded in the Information Panel on the left side of the screen. On the right side of the screen, the QA Reviewer will place their notes and ratings.
QA Reviewer Fields
Evidence uploaded: The QA Reviewer can see all the attachments provided during the CSA to ensure they prove the control effectively meets the requirement. Evidence should have owner/submitter, date/time stamp; should be the final versions of policies, procedures, and reports; lists should have information describing how they were created; and screenshots should have sufficient information to show the source/target, query/filters used, and first/last page of multi-page reports.
Request Additional Information: If the QA Reviewer feels the evidence is insufficient to support the control assertions or if there are questions regarding any comments in the CSA, the QA reviewer can return the assessment to the control owner for further information. The owner would receive notification, make the necessary updates, and submit the CSA again. The reviewer and the CSA can see the history of this interaction by clicking the “See History” button. When the QA Reviewer is satisfied the CSA would pass an external audit, the CSA is marked as QA review complete.
Residual Risk Rating: Provide a rating from 1 to 5 of the perceived residual risk based on the design of the control and operating effectiveness.
| Rating | Description of the Rating |
|---|---|
| 1 | Controls and compliance practices are effective and complete to provide reasonable assurance that risks are being appropriately managed and mitigated to meet business objectives. |
| 2 | A few specific weaknesses were noted and some improvements are needed; however, controls and compliance practices are generally effective and complete to provide reasonable assurance that risks are being appropriately managed and mitigated to meet management’s business objectives. |
| 3 | Several weaknesses were noted, including systemic issues with control compliance. Controls are not designed effectively or are not consistently executed completely, accurately, and timely. |
| 4 | Numerous specific weaknesses were noted and major improvement is needed. Controls and compliance practices are unlikely to provide reasonable assurance that risks are being appropriately managed and mitigated to meet management’s business objectives. |
| 5 | Controls are not effective to provide reasonable assurance that risks are being appropriately managed and mitigated to meet management’s business objectives. |