Like risk levels and compliance levels, control levels can be expressed in many forms. The single criterion for expressing a control level is whether it helps the owner of the control to determine, in the governance process of that control, whether or not to make changes to the assessed controls, and if so, what kinds of changes are called for.
To ensure this, parties may specify the assessment framework(s) that auditors should use for assessing the efficiency and effectiveness of controls, and thereby determine their respective control levels.
A control level:
- is a measure of some kind (e.g. 'Low', 'Medium', 'High', or a digit in some integer interval, or similar);
- signifies a statement about how efficiently and effectively a control realizes its associated control objective;
- is associated with a party that uses it to determine and prioritize the work that needs to be done in order to maintain the efficiency and effectiveness of their controls;
- can be the result of assessing the efficiency and effectiveness of a control.