Wednesday, September 27, 2006

Types of IT Controls

There are two main categories of IT controls:

IT GENERAL CONTROLS
General controls are those controls embedded in IT processes and services. Examples include:
• Systems development
• Change management
• Security
• Computer operations

APPLICATION CONTROLS
Controls embedded in business process applications are commonly referred to as application controls. Examples include:
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation of duties
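As an added illustration (example code written for this page, not taken from the original post), here is how those five application controls might be enforced in a purchase-order posting routine before a transaction is accepted. The transaction fields, the vendor master entries and the approver limits are constructed, hypothetical data.

```python
"""Five application controls (completeness, accuracy, validity,
authorisation, segregation of duties) enforced on a purchase-order
transaction.  Example code for this page; all reference data below is
constructed and hypothetical."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed stand-ins for a vendor master file and an approval matrix
# (approver -> spending limit).
VENDOR_MASTER = {"V1001": "Acme Supplies", "V1002": "Globex Ltd"}
APPROVAL_LIMITS = {"bob": Decimal("5000"), "carol": Decimal("50000")}
REQUIRED_FIELDS = ("po_number", "vendor_id", "amount", "prepared_by", "approved_by")


@dataclass
class ControlResult:
    passed: bool
    failures: list = field(default_factory=list)


def check_application_controls(txn: dict) -> ControlResult:
    failures = []

    # Completeness: every mandatory field is present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if txn.get(f) in (None, "")]
    if missing:
        failures.append(f"completeness: missing {', '.join(missing)}")
        return ControlResult(False, failures)  # nothing else can be checked

    # Accuracy: the amount parses as a positive value with at most two decimals.
    try:
        amount = Decimal(str(txn["amount"]))
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            raise InvalidOperation
    except InvalidOperation:
        failures.append(f"accuracy: invalid amount {txn['amount']!r}")
        amount = None

    # Validity: the vendor exists in the vendor master file.
    if txn["vendor_id"] not in VENDOR_MASTER:
        failures.append(f"validity: unknown vendor {txn['vendor_id']}")

    # Authorisation: the approver is an authorised approver whose limit
    # covers the amount.
    limit = APPROVAL_LIMITS.get(txn["approved_by"])
    if limit is None:
        failures.append(f"authorisation: {txn['approved_by']} is not an approver")
    elif amount is not None and amount > limit:
        failures.append(
            f"authorisation: {amount} exceeds {txn['approved_by']}'s limit {limit}"
        )

    # Segregation of duties: the preparer may not approve their own transaction.
    if txn["prepared_by"] == txn["approved_by"]:
        failures.append("segregation of duties: preparer and approver are the same user")

    return ControlResult(not failures, failures)


if __name__ == "__main__":
    good = {"po_number": "PO-77", "vendor_id": "V1001", "amount": "1250.00",
            "prepared_by": "alice", "approved_by": "bob"}
    bad = {"po_number": "PO-78", "vendor_id": "V9999", "amount": "7500.00",
           "prepared_by": "bob", "approved_by": "bob"}
    for t in (good, bad):
        r = check_application_controls(t)
        print(t["po_number"], "posted" if r.passed else "rejected", r.failures)
```

The completeness check runs first and short-circuits, because the remaining controls cannot be evaluated on a record with missing fields; the other four are all evaluated so that the rejection lists every control the transaction failed, which is what an auditor reviewing the exception log wants to see.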

Sunday, September 24, 2006

PROCESSES NEED CONTROLS

Control is defined as the policies, procedures, practices and organisational
structures designed to provide reasonable assurance that business objectives
will be achieved and undesired events will be prevented or detected and
corrected.

An IT control objective is a statement of the desired result or purpose to be
achieved by implementing control procedures in a particular IT activity.

COBIT’s control objectives are the minimum requirements for effective control
of each IT process.

Each of COBIT’s IT processes has a high-level control objective and a number of detailed control objectives. As a whole, they are the characteristics of a well-managed process.

The detailed control objectives are identified by a two-character domain reference plus a process number and a control objective number; for example, DS5.x denotes a detailed control objective within process 5 of the Deliver and Support domain.

Effective controls reduce risk, increase the likelihood of value delivery and improve efficiency because there will be fewer errors and a more consistent management approach.

Tuesday, September 19, 2006

IT activities and processes

COBIT defines IT activities in a generic process model within four domains.
These domains are Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional responsibility areas of plan, build, run and monitor.

PLAN AND ORGANISE (PO)
This domain typically addresses the following management questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

ACQUIRE AND IMPLEMENT (AI)
This domain typically addresses the following management questions:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to be delivered on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?

DELIVER AND SUPPORT (DS)
This domain typically addresses the following management questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place?

MONITOR AND EVALUATE (ME)
This domain typically addresses the following management questions:
• Is IT’s performance measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked back to business goals?
• Are risk, control, compliance and performance measured and reported?

Tuesday, September 12, 2006

IT Controls

IT risks exist in every IT process, so IT controls should be in place to mitigate or reduce them.

COBIT (Control Objectives for Information and related Technology) is an IT governance framework that can be used as a reference for IT controls. It defines 34 IT processes and specifies the control objectives that have to be in place for each of them.

For a simple illustration,
IT Risks -----> IT Processes -----> IT Controls

  • Infrastructure risk -----> Plan & Organise (PO) -----> IT plan
  • Infrastructure risk -----> Monitor & Evaluate (ME) --> Supervisory review
  • Availability risk -------> Deliver & Support (DS) ---> IT continuity plan
  • Access risk -------------> Deliver & Support (DS) ---> IT security plan
  • Integrity risk ----------> Acquire & Implement (AI) -> Change standards and procedures
  • Relevance risk ----------> Deliver & Support (DS) ---> Business requirements

Therefore, every organisation needs to evaluate whether its IT controls are sufficient to address and mitigate its IT risks.

IT Risks Assessment

Previously I mentioned the equation:
IT Risk – IT Controls = IT Exposure

First, let's focus on the IT Risk part. I have expressed the risk equation as follows:
Risk = Impact x Likelihood

Impact can be rated on a scale of 1 to 3, for example:
High (3): Could prevent the organisation from achieving all, or a major part, of its objectives for a long time
Medium (2): Could prevent the organisation from achieving its objectives for a limited period
Low (1): Could cause minor inconvenience, not affecting the achievement of objectives

Likelihood can be rated on a scale of 1 to 3, for example:
High (3): Certain / has happened
Medium (2): Possible / may happen
Low (1): Unlikely / has never happened

The impact and likelihood ratings for failure in each area are then multiplied to give a risk score for that area, from 1 (low impact, low likelihood) to 9 (high impact, high likelihood).

Sunday, September 10, 2006

IT Risks

IT risks, and the circumstances or conditions giving rise to each:


Infrastructure
The organization does not have an effective IT infrastructure (hardware, software, network, people and processes) to support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion.

The risks are generally considered within the following core IT processes:

  • Organizational planning
  • Application system definition and deployment
  • Logical security and security administration
  • Computer and network operations
  • Data and database management
  • Business/data center recovery

Access

Failure to adequately restrict access to information (data or programs, in any form), which may result in unauthorized knowledge and use of confidential information. Access risk can occur at any or all of the following five levels: network, processing environment, application system, functional access (within an application) and field-level access (within a function).

Integrity

Inaccuracy or incompleteness of transactions entered into, processed by, or reported by the various application systems deployed. The risk may arise from improper segregation of duties or from inadequate preventive and detective data controls, e.g. balancing and reconciliation controls, error processing, interface controls, change management and data management.

Relevance

Irrelevant information created or summarized by an application system, which may adversely affect the decisions of its users. The risk relates to the usability and timeliness of information collected, maintained or distributed.

Availability

Unavailability of important information when needed threatens the continuity of the organization's critical operations and processes. Availability risk can be considered at three levels:
  • Risks that can be avoided by monitoring performance and proactively addressing system issues before a problem occurs
  • Risks associated with short-term disruptions to systems, where restore/recovery techniques can be used to minimize the extent of a disruption
  • Risks associated with disasters that cause longer-term disruptions in information processing, which are addressed by controls such as backups and contingency planning

Wednesday, September 06, 2006

Why perform IT audit?

The objective of an IT audit is to assess the adequacy of the controls in place to safeguard the organisation's information assets.

In other words, to review the level of IT risks, controls and exposure. My simple equation is:
IT Risk – IT Control = IT Exposure
Therefore, an IT auditor needs to assess the level of IT risks and the controls that exist in order to determine whether there is any exposure.

IT Risks
There are many ways to classify the IT risks.

One of the methods is:
1. Strategic Risk
2. Compliance Risk
3. System Support Risk
4. Operational Risk
5. Security Risk
6. Business Resumption Risk
7. Reputation Risk

Another way is:
1. Infrastructure Risk
2. Availability Risk
3. Integrity Risk
4. Access Risk
5. Relevance Risk


I will write more about the risks in another post.

Tuesday, September 05, 2006

What is the scope of an IT Audit?

According to the FFIEC Information Technology Examination Handbook, the typical scope of an IT audit covers:
  • Management
  • Operations
  • Development & Acquisition
  • Information Security
  • Business Continuity Planning

As per COBIT, the scope of an IT audit covers the four domains:

  • Plan & Organise (PO)
  • Acquire & Implement (AI)
  • Deliver & Support (DS)
  • Monitor & Evaluate (ME)

Whether you are using FFIEC, COBIT or any other methodology, the most important thing is to understand your IT environment and how it supports the organisation's business.

Friday, September 01, 2006

What is IT Audit?

IT = Technology (systems, processes and methods) used to produce the information required by its users.

Information = Data that has been processed to suit the user's requirements.

Audit = Assurance and consulting activities.

IT audit is just another branch of audit. It is an assurance and consulting activity designed to add value and improve IT operations.

Interesting websites on IT Audit that you can refer to :-
