When validating control activities, the aim is to confirm that the controls make security easier for users and harder for attackers.
Activities to verify include, but are not limited to:
- Prevention (2FA, least privilege, reduced deniability of actions through non-repudiation, …)
- Delay (strong encryption, layering of defences to slow an attacker down, …)
- Detect (monitoring, change detection, audit logging, automated alerting, …)
- Compliance (implementation of corporate policy and standards, including configuration best practices)
- Recover (verify the ability to reset to the last known good state)
NOTE: validating control activities is not an audit. Auditors themselves should also be evaluated (watch the watcher) and must comply with segregation of duties. Example: auditors should NOT define the governing policy or have the ability to implement changes.
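The Detect ("detect change") and Recover ("reset to the last known good state") items above are the two that can be exercised mechanically. The following is an added example, not code from the original page: it takes a SHA-256 baseline of a directory tree, reports files that were added, removed or modified since the baseline, and resets the tree to the captured known-good contents. The directory layout, file names and contents in demo() are constructed for the example; only the Python standard library is used.

```python
"""Added example (not from the original page): verifying the "detect change" and
"recover to last known good state" control activities on a directory tree.

A baseline of SHA-256 file hashes represents the known good state.
detect_changes() reports files added, removed or modified relative to it, and
restore_known_good() resets the tree to the captured baseline contents.
All paths, file names and contents used by demo() are constructed here.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # normalise separators so keys are portable across platforms
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def detect_changes(baseline, current):
    """Compare two snapshots; return sorted lists of added/removed/modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def capture_known_good(root):
    """Copy file contents so the tree can later be reset to this exact state."""
    contents = {}
    for rel in snapshot(root):
        with open(os.path.join(root, rel), "rb") as fh:
            contents[rel] = fh.read()
    return contents


def restore_known_good(root, known_good):
    """Reset root to the captured state: delete extra files, rewrite baseline files."""
    for rel in snapshot(root):
        if rel not in known_good:
            os.remove(os.path.join(root, rel))
    for rel, data in known_good.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Exercise detect and recover on a constructed tree; return both change reports."""
    with tempfile.TemporaryDirectory() as root:
        # constructed sample configuration tree (the known good state)
        os.makedirs(os.path.join(root, "conf"))
        with open(os.path.join(root, "conf", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(root, "conf", "sudoers"), "w") as fh:
            fh.write("%admin ALL=(ALL) ALL\n")
        baseline = snapshot(root)
        known_good = capture_known_good(root)

        # simulate unauthorised drift: weakened setting, planted key, deleted file
        with open(os.path.join(root, "conf", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "conf", "authorized_keys"), "w") as fh:
            fh.write("ssh-ed25519 CONSTRUCTED-KEY attacker\n")
        os.remove(os.path.join(root, "conf", "sudoers"))

        changes = detect_changes(baseline, snapshot(root))   # Detect
        restore_known_good(root, known_good)                 # Recover
        after_restore = detect_changes(baseline, snapshot(root))
    return changes, after_restore


if __name__ == "__main__":
    drift, after = demo()
    print("detected:", drift)
    print("after restore:", after)
```

In a real validation exercise the baseline and the known-good copy must be stored outside the system being checked and protected from the same actors who could alter the monitored files; otherwise an attacker who changes a file can also change the baseline, and the Detect control reports nothing.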