Internal controls manager
Compliance director
IT governance lead
Project manager
Internal audit director
Risk management officer

This process is used when a new internal control is required or an existing control must be significantly modified — in response to a regulatory change, an audit finding, a risk assessment gap, a system implementation, or an organizational restructuring. It applies when the control must be designed, configured or built, tested for operating effectiveness, documented, and transitioned to the control owner for ongoing operation and monitoring. Ideal for organizations managing SOX compliance, SOC reporting, regulatory control frameworks, or any internal control environment requiring formal implementation and testing.
The control implementation process typically involves internal controls or compliance managers who oversee the implementation, control designers who define the control objective, attributes, and operating procedures, IT teams who configure system-based controls, control owners who will operate the control after implementation, testers who validate the control’s operating effectiveness, and internal audit who may review the implementation independently.
Effective controls deployed on schedule that address the identified risk, regulatory requirement, or audit finding.
Tested and validated controls with documented evidence that the control operates as designed before it is transitioned to ongoing operations.
Clear control ownership with the designated owner trained and accountable for the control’s ongoing operation and monitoring.
Complete control documentation including the control description, design rationale, operating procedures, testing results, and ownership assignment.
Audit-ready implementation records that demonstrate a structured approach to control design, testing, and deployment.

Your version of this process may vary based on roles, systems, data, and approval paths. Moxo’s flow builder can be configured with AI agents, conditional branching, dynamic data references, and sophisticated logic to match how your organization runs this workflow. The steps below illustrate one example.
Control design and requirements definition
The process begins when a new control is required. The controls manager and the designated control designer define the control objective, the risk it addresses, the control attributes (frequency, type, automation level), the operating procedures, and the evidence that demonstrates effective operation. An AI Agent can assist by pulling the relevant risk assessment, regulatory requirement, or audit finding that drives the control need.
Technical configuration and development
For system-based or automated controls, the IT team configures the control in the relevant system. For manual controls, the operating procedures and templates are developed. The configuration or development is documented against the design specifications.
Control testing
Before the control is transitioned to operations, it is tested to confirm that it operates effectively. Testing includes both design effectiveness (the control is properly designed to address the risk) and operating effectiveness (the control operates as designed in practice). Test results, including any exceptions identified, are documented.
Remediation of testing exceptions
If testing identifies exceptions or deficiencies, the control design or configuration is adjusted and retested. The remediation is documented, and the retesting confirms effective operation.
Documentation and control owner handoff
The complete control documentation — including the control description, design rationale, operating procedures, testing results, and monitoring expectations — is finalized. The control is formally handed off to the designated control owner, who is trained on the control’s operation and their ongoing responsibilities.
Post-implementation monitoring
After handoff, the control is monitored during an initial operating period to confirm sustained effectiveness. Any issues identified during monitoring are addressed and the control is integrated into the organization’s ongoing control testing program.
This process commonly relies on inputs such as the risk assessment, regulatory requirement, audit finding, control design specifications, system configuration documentation, and test plans. It may be triggered by a regulatory change, an audit finding, a risk assessment gap, or a system implementation. Connected systems often include GRC platforms like ServiceNow GRC, Workiva, or AuditBoard, IT change management systems, and document management systems for control documentation.
Key decision points include what control type and design best addresses the identified risk or requirement, whether the control passes design and operating effectiveness testing, whether testing exceptions require control redesign or can be addressed through procedural adjustments, and whether the control owner is prepared to assume ongoing responsibility.
Control design does not address the actual risk, resulting in a control that passes testing but does not mitigate the underlying exposure.
Technical configuration errors that are not caught during testing because test scenarios are incomplete.
Testing exceptions not remediated before the control is transitioned to operations, leaving a known deficiency in the control environment.
Control owner not trained or unclear about their ongoing responsibilities, causing the control to degrade after implementation.
Control documentation incomplete, creating gaps when the control is included in audit or SOX testing.
Orchestrates control implementation from design through testing, handoff, and post-implementation monitoring across controls managers, IT, control owners, and testers in a single coordinated flow.
AI Agents pull the driving requirement — risk assessment, audit finding, or regulatory change — into the implementation workflow so the control design is grounded in the actual need.
Manages testing within the workflow including design and operating effectiveness testing, exception documentation, and remediation retesting.
Coordinates the formal handoff to the control owner with training documentation and ongoing monitoring expectations captured in context.
Connects to GRC platforms like ServiceNow, Workiva, and AuditBoard so control documentation, testing results, and ownership records are synchronized with the control environment.
Preserves the complete implementation record including design specifications, configuration documentation, testing evidence, remediation actions, and handoff confirmation for audit and SOX compliance.
