The principle
If you can't test it, you can't trust it.
A "control" that can't be verified is just a statement.
Where people go wrong
A lot of controls fail in the writing stage:
- unclear owner
- unclear frequency
- no evidence trail
- no defined "pass/fail"
That's why documentation matters. Not to be formal — to be verifiable.
The question I now ask first
What evidence would prove this happened?
If there's no clear answer, the control needs work.
Key takeaway
Clarity protects decisions.
Evidence protects organizations.
— Myles
Discipline compounds.