Which audit methodology step involves evaluating whether internal controls are designed properly to mitigate identified risks?