We have seen earlier, in the controls section, that it is possible to have two control review activities each with their own rating; the business has a CRSA activity (Self-Assessment tests) and an Internal Audit that operates as a separate review function. It is important to understand how, if at all, the ratings from these two activities differ; this is shown in this report:
We can see that, for control 50, the self-assessment view is that the control is Mostly working but Internal Audit have not yet tested it.