Defining your test approach
This recipe focuses on answering the question about the effectiveness of your compliance program. You must perform periodic tests to determine whether your control objectives are truly met by the controls you implemented. If there is a problem that appears again and again in your test, you should know that you must redesign it. Without periodic tests, you will never be able to find the problems.
It is just like traffic; everyone sees the speed limit signs but, without periodic controls by the police, many people would simply ignore them, even though we know that driving above the speed limit could lead to undesired consequences.
You must have your controls documented and truly understand the goals you try ...