Lesson 13 of 25
Design Effectiveness vs. Operating Effectiveness
5 min read · CAMS-Audit
The heart of fieldwork. Learn to tell whether a control is built right from whether it actually runs as built, and why getting the diagnosis right sends management to the correct fix.
Two questions, not one
- Design effectiveness — is the control built right?
- Operating effectiveness — does it run as built?
- A control can pass one test and fail the other
- Audit must answer both, separately
The heart of fieldwork is a pair of questions you must never collapse into one. First, design effectiveness: is the control built right? If it operated exactly as designed, would it actually prevent or detect the risk it targets?
Second, operating effectiveness: does the control actually run the way it was designed, consistently, over the period? These are genuinely different. A control can be beautifully designed and never executed.
It can be faithfully executed and yet poorly designed, so it catches the wrong things. The exam constantly tests whether you can tell these apart, because the remediation is different for each, and naming the wrong one sends management to fix the wrong thing.
Testing design effectiveness
- Walk through the control end to end
- Ask: would this catch the risk if it ran perfectly?
- Look for gaps, wrong triggers, missing coverage
- A design flaw can't be cured by running it harder
To test design, you walk the control through end to end, often in a single walkthrough, and ask the key question: assuming this control ran perfectly every time, would it actually catch the risk? You look for design gaps: a monitoring scenario that targets the wrong behavior, a CDD form that never asks for beneficial ownership, an approval step that any junior staffer can bypass. The defining feature of a design flaw is that running the control more diligently won't fix it.
If the rule is built to detect the wrong pattern, executing it flawlessly still misses the real activity. Design failures are often the more serious, because they mean the risk was never truly covered.
Testing operating effectiveness
- Sample across the whole period, not one moment
- Re-perform: did the control actually fire and work?
- Check consistency, completeness, timeliness
- Look for overrides and skipped steps
To test operating effectiveness, one walkthrough isn't enough; you sample items across the whole period, because a control might work in January and quietly break by June. You re-perform where you can: did the alert actually generate, did the review actually happen, did the approver actually approve before the account opened? You check consistency, completeness, and timeliness, and you hunt for overrides and skipped steps: the manager who waved through approvals, the queue that was cleared without review to hit a deadline.
An operating failure means the control was well-designed but didn't run as intended, and the fix is usually about execution, training, capacity, or discipline, not redesign.
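The period-wide sampling described above, as an added example that is not part of the lesson: it scores alert-disposition timeliness month by month over a constructed alert population, so a control that passes a January walkthrough but drifts into backlog by June is flagged. The 30-day disposition window and the 90% tolerable rate are assumed policy values, not figures from the page.

```python
"""Operating-effectiveness test across a review period (added example)."""
from collections import defaultdict
from datetime import date, timedelta

SLA_DAYS = 30        # assumed disposition window (hypothetical policy value)
TOLERABLE_RATE = 0.9  # assumed tolerable deviation threshold per month


def build_sample():
    """Constructed alert population: (created, dispositioned) pairs, Jan-Jun 2024.
    Dispositions are timely through April, then lag grows and June alerts pile up open."""
    alerts = []
    for month in range(1, 7):
        for n in range(10):
            created = date(2024, month, 1 + n * 2)
            lag = 10 + n if month <= 4 else 25 + n * 4      # May/Jun: 25..61 days
            closed = None if (month == 6 and n >= 7) else created + timedelta(days=lag)
            alerts.append((created, closed))
    return alerts


def timeliness_by_month(alerts, sla_days, as_of):
    """Return {month: share of alerts dispositioned within the SLA}.
    An open alert older than the SLA is an exception; one still inside the window
    is not yet testable and is left out of the denominator."""
    tally = defaultdict(lambda: [0, 0])  # month -> [within_sla, tested]
    for created, closed in alerts:
        if closed is None:
            if (as_of - created).days <= sla_days:
                continue
            within = False
        else:
            within = (closed - created).days <= sla_days
        tally[created.month][0] += within
        tally[created.month][1] += 1
    return {m: w / t for m, (w, t) in sorted(tally.items())}


def operating_exceptions(rates, tolerable=TOLERABLE_RATE):
    """Months whose timeliness rate falls below the tolerable rate: the operating
    failures a single-moment walkthrough would miss."""
    return [m for m, r in rates.items() if r < tolerable]


if __name__ == "__main__":
    rates = timeliness_by_month(build_sample(), SLA_DAYS, as_of=date(2024, 7, 31))
    print("January walkthrough alone:", "pass" if rates[1] == 1.0 else "fail")
    print("Period test exceptions (months):", operating_exceptions(rates))
```

The January rate is 100% while May and June fall to 20%, which is the "works in January, breaks by June" pattern that only a sample spanning the whole period exposes.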
Getting the diagnosis right
- Design flaw → fix the control, not the people
- Operating flaw → fix execution, capacity, discipline
- Mislabeling sends the wrong remediation
- Sometimes both fail at once — say so
Why does the distinction matter so much in practice? Because it drives the fix. A design flaw means you must change the control itself, rebuild the scenario, add the missing field, redesign the approval.
Throwing more staff at a badly designed control just produces more diligent failure. An operating flaw means the design is sound but execution slipped, so you fix capacity, training, monitoring, or accountability. Mislabel the problem and management spends money on the wrong remedy.
Occasionally both fail at once, a control that's poorly designed and also inconsistently run, and a good auditor names both rather than forcing a single label. The exam rewards the precise diagnosis.
Preventive, detective, and compensating controls
- Preventive — stops the risk before it happens
- Detective — catches it after the fact
- Compensating — covers a gap left by a weaker control
- Evaluate the whole control environment, not one control
Sharpen your evaluation by classifying controls. Preventive controls stop a risk before it occurs, for example blocking a payment to a sanctioned party at the point of processing. Detective controls catch a problem after the fact, for example transaction monitoring flagging suspicious activity that already happened.
Compensating controls cover a gap left by a weaker primary control, extra manual review where an automated check is known to be limited. This classification matters because you evaluate the whole control environment, not a single control in isolation. A weakness in one control may be acceptable if a strong compensating control covers it, or it may be fatal if nothing backs it up.
So when you find a deficiency, ask what else stands between the risk and a loss; the residual exposure depends on the layers together. The exam may give you a weak control and a strong compensating one and ask for the net risk; the answer turns on whether the layers genuinely cover the gap.
Recap and next
- Design — built right; operating — runs as built
- Walkthrough for design; sampled re-performance for operating
- The diagnosis drives the remediation
- Next — auditing the enterprise-wide risk assessment
Recapping: fieldwork answers two separate questions. Design effectiveness asks whether the control is built right, tested with a walkthrough; operating effectiveness asks whether it runs as built, tested by sampling across the period and re-performing. A design flaw needs a redesign; an operating flaw needs better execution; and getting the diagnosis right is what sends management to the correct fix.
And evaluate controls as layers (preventive, detective, and compensating) so you judge the net residual risk rather than any single control in isolation. Next, we apply this lens to the first big fieldwork target: auditing the enterprise-wide AML risk assessment itself. Test yourself on design versus operating effectiveness first, because it underpins everything that follows.
Sources
- IIA International Professional Practices Framework — evaluating control design and operating effectiveness
- COSO Internal Control — Integrated Framework
- FFIEC BSA/AML Examination Manual — internal controls
Test your knowledge
A few CAMS-Audit questions on this material.
Q1. An auditor reviews the files of ten politically exposed persons (PEPs) and finds that each has only a standard CDD file — no source-of-wealth documentation, no intensified monitoring, and no senior-management approval for the relationship. What pillar failure does this represent?
Q2. A finding reads: 'Alert dispositions are not being completed within required timeframes, resulting in a backlog that increases the risk of missing the SAR filing window.' Which element of a finding anatomy is STILL MISSING from this statement?
Q3. After issuing a draft audit report, management provides a written response stating they disagree with a finding about insufficient SAR narrative quality. The finding is well-supported by evidence. What should the auditor do?
Q4. Two auditors from the same team rate the same finding: one rates it 'high' and the other rates it 'medium' using the same rating scale. What does this inconsistency indicate?