Internal audit manager
Risk manager
Compliance officer
Control owner
Chief risk officer
SOX compliance lead

This process is used when internal controls are being established, modified, or reviewed for effectiveness. It applies during control design for new processes or systems, when control deficiencies require remediation, during periodic control assessments, when regulatory changes necessitate control updates, or when audit findings require control improvements. Control approval is common in financial services, publicly traded companies subject to SOX compliance, healthcare organizations, and any entity with significant internal control frameworks.
Participants typically include the control owner who designs or proposes the control, risk management who assesses whether the control adequately addresses identified risks, compliance who verifies alignment with regulatory requirements, internal audit who may provide independent assessment, and senior leadership who authorize significant control changes. For SOX controls, external auditors may also be involved in the review process.
Effective risk mitigation with controls properly designed to address identified risks.
Regulatory compliance through documented controls that meet applicable requirements.
Clear accountability with defined control ownership and approval authority.
Audit readiness with documented control design, approval, and testing evidence.
Consistent control quality through structured review regardless of business area or control type.

Your version of this process may vary based on roles, systems, data, and approval paths. Moxo's flow builder can be configured with AI agents, conditional branching, dynamic data references, and sophisticated logic to match how your organization runs this workflow. The steps below illustrate one example.
Control proposal and documentation
The process begins when a control owner proposes a new control or modification to an existing control. The proposal includes control objective, design description, implementation approach, testing methodology, and the risk or requirement being addressed. An AI agent may assist by checking proposal completeness against control documentation standards or identifying similar controls for consistency.
Risk alignment assessment
Risk management reviews the proposed control to verify it adequately addresses the identified risk. This includes assessing whether the control design would prevent or detect the risk scenario, whether the control frequency and coverage are appropriate, and whether residual risk after the control is acceptable.
Compliance review
Compliance evaluates the control against applicable regulatory requirements, industry standards, or internal policies. This ensures the control meets minimum requirements and can be evidenced during examinations or audits. If the control involves data handling or privacy, additional specialized review may be required.
Approval and authorization
Once risk and compliance reviews are complete, the control is routed to the appropriate approval authority based on control significance, risk level, or organizational policy. The approver reviews the complete package and either authorizes the control, requests modifications, or rejects with explanation.
Implementation and evidence
Upon approval, the control is implemented according to the documented design. Control owners establish evidence collection processes to demonstrate ongoing operation. The approved control documentation is maintained in the control inventory for future testing and audit reference.
This process commonly relies on inputs such as control documentation, risk assessments, regulatory requirements, process flowcharts, and testing plans. It may be triggered by events like new system implementations, audit findings, risk assessment updates, or regulatory changes. Supporting systems might include GRC platforms like ServiceNow or Workiva, risk management systems, and audit management tools.
Key decision points include determining whether the control design adequately addresses the identified risk, whether implementation is feasible and sustainable, whether the control meets regulatory and policy requirements, and whether the control should be approved as proposed or requires modification. If the control is deemed insufficient, the workflow branches to redesign or alternative mitigation approaches.
Inadequate control design when controls are approved but do not actually mitigate the intended risk.
Missing documentation when control design and rationale are not properly recorded for audit evidence.
Siloed reviews when risk, compliance, and business perspectives are not coordinated.
Implementation gaps when approved controls are not properly implemented or evidenced.
Structures control proposals so reviewers receive complete documentation including design, risk mapping, and testing approach.
Routes reviews to appropriate stakeholders based on control type, risk area, or regulatory domain.
AI agents assist with documentation review by checking completeness, identifying similar controls, and flagging potential gaps.
Coordinates multi-stakeholder assessment across risk, compliance, and business functions with clear handoffs.
Maintains control documentation with approval records, design details, and version history for audit purposes.
Integrates with GRC platforms to synchronize control inventory and testing schedules.
