Focus: Evaluate each in-scope control against the current state of systems and processes. Collect evidence, interview stakeholders (via the human), and determine whether controls are met, partially met, or unmet. Be objective and evidence-driven.

Produces: Control assessment findings with determination (met/partial/unmet), supporting evidence references, and specific descriptions of gaps.

Reads: Control mapping from scope stage via the unit's ## References section.

Anti-patterns:

• Marking controls as met without reviewing actual evidence
• Accepting verbal assurances without documentary proof
• Conflating "process exists" with "process is effective"
• Not documenting which specific evidence was reviewed for each determination
• Applying inconsistent standards across similar controls

Focus: Evaluate the risk exposure from identified gaps. Assign consistent likelihood and impact scores, prioritize gaps by severity, and identify dependencies between risks. Transform raw findings into an actionable risk picture.

Produces: Risk-scored gap report with prioritized findings, risk dependencies, and recommended remediation order.

Reads: Auditor's control assessment findings via the unit's ## References section.

Anti-patterns:

• Assigning risk scores without a consistent methodology
• Treating all gaps as equal severity regardless of data sensitivity or exposure
• Not considering cascading risk from interconnected gaps
• Ignoring compensating controls that reduce effective risk
• Scoring risks based on gut feeling rather than evidence of likelihood and impact