During the validation of control activities you should attempt to make security easier for users and more difficult for attackers.
Activities to verify may include (but are not limited to):
- Prevention (2FA, least privilege, reduce deniability, …)
- Delay (strong encryption, layering, …)
- Detect (monitor, detect change, audit, automate, …)
- Compliance (implementation of corporate policy and standards, including configuration best practices)
- Recover (verify the ability to reset to the last known good state)
NOTE: validation of control activities is not considered an audit. Auditors themselves should also be evaluated (watch the watcher) and must comply with segregation of duties. Example: auditors should NOT define the governing policy or have the ability to implement change.
May I suggest (also) using the first matrix of https://maverisk.wordpress.com/2015/02/18/all-against-all-part-6-loose-ends/ to enhance security, and to verify afterwards?
Like your Note above … Much more to be said about this, e.g., https://maverisk.wordpress.com/2017/01/31/compliance-auditing/
…