
Recommended Control Content Formatting for Accurate AI Results

Best practices for creating or editing content within control sections: Control Objective, Required Evidence & Test Procedures

Introduction

To get the most accurate and consistent results from control checks with Trustero AI, we recommend following our proven best practices for control content formatting. 

This article covers guidelines for the three control sections the AI depends on most: Control Objective, Required Evidence and Test Procedures.


Control Objective

The objective is a high-level, succinct and precise summary of the control's purpose. It should align with the intent of the corresponding policy and state how the control mitigates the associated risk.

Recommended Format: [the what] [the action] [the why]

Example: "Deliver tailored security training to personnel based on their specific job roles to ensure they understand and can perform security-relevant duties in alignment with system and data protection requirements."


Required Evidence

Required Evidence specifies the artifacts needed to verify that a control is operating effectively. The evidence is the output of the control operationalization. 

Recommended Format: [Type of evidence] 

The evidence type should describe the "output" produced when a user operationalizes the control by following the "General Guidance" action items, which in turn are aligned with the policy's "what" and "why."

Example: "Training assignment and completion logs"


Test Procedures

Test Procedures detail how the evidence will be examined to confirm compliance and control operating effectiveness. Each test procedure should align, in order, with one of the listed required evidence items for the same control.

What every test procedure needs: 

  1. What evidence should be reviewed?
  2. What action should be taken? (Check / Review / Validate / Confirm / Examine)
  3. What specific fields should be looked at?
  4. What defines pass or fail? (Defining what “bad” looks like is more effective)

Recommended Format:

  1. Title (name of Test Procedure): [Title of Test that aligns with Type of Evidence name]
  2. Test Procedure Content:
    1. Part 1: [Examine/Validate/Confirm/Verify/Check] [piece of evidence] [where/how] [contains/includes/is or isn’t/are].
    2. Part 2: [Confirm/Validate the specific bad that "shows/demonstrates" that the control is not operating effectively.]
    3. Part 3: [If "bad is found" then flag/note x.]
    4. Tip: [what to test/look for - this should always be the "bad" to find].

Example:

"Check Training Completion Records by Role: Review the LMS or training platform records for a sample of personnel assigned to security-relevant roles. Confirm that each listed individual has a record of completed role-based training within the last 12 months. If any active personnel in these roles have no training completion record within that period, document the affected users and their assigned roles."

Test Procedure Additional Tips:

Note: Test procedures should always be practical and concrete, never theoretical.

  1. Reference What the AI/Auditor Can See (attached to control): Test procedures can only operate on explicitly provided artifacts, not internal organizational context (like “authorized users” or “standard roles”) unless these are documented in the evidence itself.

  2. Specify Source of Evidence Clearly: State where to look (e.g., “examine IT service tickets” or “review LMS training logs”). Do not reference undocumented assumptions or generic standards.

  3. Define "What Bad Looks Like": Spell out what constitutes a failure or deficiency.

  4. Avoid Abstract or Broad Verifications: Be concrete and actionable. Avoid vague terms like “current” or “regular.”
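As an added example (not Trustero's code or part of this article), the example test procedure above encoded as a deterministic check over constructed LMS records, showing how Parts 1 to 3 and tip 1 (operate only on fields present in the supplied evidence) translate into a pass/fail result plus the flagged users and roles. The role list, course name, record layout and review date are assumptions made for the illustration.

```python
from datetime import date, timedelta
# Constructed sample evidence (not real data): an LMS export of training assignments
# and completions, i.e. the "Training assignment and completion logs" evidence type.
ASSIGNMENTS = [  # who holds which role and whether they are currently active
    {"user": "alice", "role": "Security Engineer", "active": True},
    {"user": "bob",   "role": "SOC Analyst",       "active": True},
    {"user": "carol", "role": "SOC Analyst",       "active": True},
    {"user": "dave",  "role": "Security Engineer", "active": False},  # departed, out of scope
    {"user": "erin",  "role": "Marketing",         "active": True},   # not security-relevant
]
COMPLETIONS = [  # one row per completed course
    {"user": "alice", "course": "Role-Based Security Training", "completed_on": "2024-09-10"},
    {"user": "bob",   "course": "Role-Based Security Training", "completed_on": "2023-02-01"},  # stale
    {"user": "carol", "course": "Phishing Awareness",           "completed_on": "2024-10-02"},  # wrong course
]
# Assumed to be documented in the evidence itself (tip 1), not taken from outside context.
SECURITY_RELEVANT_ROLES = {"Security Engineer", "SOC Analyst"}
ROLE_BASED_COURSE = "Role-Based Security Training"


def check_training_completion_by_role(assignments, completions, security_roles,
                                      as_of, window_days=365):
    """Part 1: examine the assignment log for active personnel in security-relevant roles.
    Part 2: confirm each has a role-based training completion within the window.
    Part 3: if not, report the affected users and their roles as findings.
    Returns (passed, findings); an empty findings list means the control passed."""
    cutoff = as_of - timedelta(days=window_days)
    latest = {}  # latest role-based completion per user, read only from the artifact
    for c in completions:
        if c["course"] != ROLE_BASED_COURSE:
            continue
        done = date.fromisoformat(c["completed_on"])
        if c["user"] not in latest or done > latest[c["user"]]:
            latest[c["user"]] = done
    findings = []
    for a in assignments:
        if not a["active"] or a["role"] not in security_roles:
            continue  # Part 1 scoping: active and security-relevant only
        done = latest.get(a["user"])
        if done is None or done < cutoff:  # Part 2: "what bad looks like"
            findings.append({"user": a["user"], "role": a["role"],
                             "last_completed": done.isoformat() if done else None})
    return len(findings) == 0, findings


def run_example():
    """Runs the check against the constructed evidence as of a fixed review date."""
    return check_training_completion_by_role(ASSIGNMENTS, COMPLETIONS, SECURITY_RELEVANT_ROLES, as_of=date(2025, 1, 15))

if __name__ == "__main__":
    passed, findings = run_example()
    print("PASS" if passed else "FAIL", findings)
```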

By following these content formatting best practices, organizations can enhance the accuracy of Trustero AI control check results for effective risk management and ongoing compliance.


For more on optimizing control content, see: Understanding and Optimizing Control Guidance for Accurate AI Results