Question - How to best verify the effectiveness of controls?

In eramba you have the possibility to put in many tests/audits to test if a control is working as intended.

You can then make reports on how many tests/audits were OK, missing or failed.

But do some of you have an idea how I can show the effectiveness of the controls mitigating risks?


Can you give an example of what you mean by that? A screenshot of a report? Or with words what you think would work?


In eramba we can tell if a control passes or fails, if just one of its tests/audits passes or fails.

But I think that even if an audit/test fails, that control can still be an effective control.

Let me explain. If a control has 4 audits, and 3 of them passed and one failed, then the control will be “red” = Fail.
The problem is that we cannot see if the control is effective at mitigating the risk. The 3 audits that passed could be very critical audits (key audits) and the one that failed could be a control of minor importance. If it was possible to rank the audits we could say that the result of the control was “failed but still very effective” (90%-100% = Very effective).

Maybe a control has the status “failed and not effective (10%)” though 3 out of 4 audits passed, but the 3 audits were not very critical audits, and the one that failed was very critical, therefore the control is shown as “not effective”.

Hope that explains my question?