1. A brief about the business (whether documented or oral).
2. Meetings with the key process owners who are in scope, to understand the controls in place.
3. A documented risk and control matrix maintained by the organisation, in which the controls operating in each business cycle are detailed. This document clearly spells out the risk, the control to mitigate such risk, and the person responsible for performing such control.
4. Based on the above information, a detailed list of information may be requested in terms of the evidence/documents being maintained by the entity.