Glossary term
Governance and Compliance
The degree to which a control is designed appropriately and is operating as intended. Evidence should show both the control's design and its actual performance over time. Effectiveness testing examines sampled decisions, logs, alerts, review records, test results, and exceptions, and checks whether identified issues are remediated on time.
SOC 2 Type II reports test control operating effectiveness over a 6- to 12-month period and are increasingly extended to AI controls under the AICPA's TSP 100 trust services criteria.
Under ISO/IEC 42001 clause 9.1, organizations must determine what needs to be monitored, methods for monitoring and evaluation, and when results shall be analyzed and evaluated.
The COSO Internal Control - Integrated Framework, widely used in SOX compliance, includes design and operating effectiveness testing that can be extended to AI controls.