What are some of the principles that are involved for good compliance monitoring and evaluation?

What will be an ideal response?

---

There are several principles that are involved for good compliance monitoring and evaluation:
* Clear definition of the controls-A proper understanding of exactly what the controls are, why they are in place, and how they are to properly function is important. Without this understanding, it will not be possible to determine the validity of the controls.
* Continual oversight-Compliance monitoring is a continual process and not just an occasional check on the status of equipment. A process of ongoing risk and control assessment is necessary to see the continued operation of controls. This often involves continual cooperation among different business units within the organization.
* Validation by an external unit-Determining if compliance is being achieved should not be performed by the individuals or business units that designed, installed, or manage the controls. There will be too much temptation to approve the controls and not rigorously test the controls if the persons responsible for the controls are also evaluating them. In a large organization, the internal audit department should perform this function.
* Use of scanning tools - Whenever possible, tools should be used to scan systems for control implementation. If this is not possible, the controls can be evaluated through manually tracking the workflow.