1. Standard practices require the management of the entity to demonstrate that the controls designed are operating effectively throughout the period. 2. Based on the existing risk management policy of the entity and based on the risk and controls matrices defined the controls are identified which require testing from the entity's perspective to demonstrate the fact that the controls are operating effectively for a particular period. 3. The identified controls are then tested with documents/evidences maintained by the entity in this regard. 4. Deviations arising, if any, out of the above testing is discussed with the management and suitable remediations, if possible, are carried out. 5. Remediation/ Update testing performed in accordance with timelines agreed. 6. Reporting summary of Audit Deviations and assess overall impact, if any.

1. Overall risk management policy of the entity. 2. Risk and control matrices maintained by the entity which details the identified risks and the corresponding mitigating controls designed by the management of the company.