Control: definition and their types
Controls include policies, procedures and practices (tasks and activities) established by management to provide reasonable assurance that specific objectives will be achieved.
General control: applies to all areas, including IT infrastructure and support services. General controls include:
• Internal accounting controls, primarily directed at the safeguarding of assets and the reliability of records
• Day-to-day functions and activities meeting business objectives in a functional area, and adherence to management policy
• Organizational security policies and procedures governing the usage of assets
• Overall policies for the design and use of adequate documents and records, to ensure proper recording of transactions (transactional audit trail)
• Procedures and practices to ensure adequate safeguards over, and access to and use of, assets and facilities
• Physical and logical security policies for all facilities, data centers and IT resources (e.g., servers and telecom infrastructure)
General controls can be translated into specific controls.
The IS auditor should understand the basic control objectives that exist for all functions.
IS control procedures include:
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT resources, including data and programs
• Systems development methodologies and change control
• Operations procedures
• Systems programming and technical support functions
• Quality assurance (QA) procedures
• Physical access controls
• Business continuity planning (BCP)/disaster recovery planning (DRP)
• Networks and communications
• Database administration
• Protection and detective mechanisms against internal and external attacks
An IS auditor:
• reviews evidence gathered during the audit to determine if the operations reviewed are well controlled and effective
• assesses the strengths and weaknesses of the controls
• determines if they are effective in meeting the control objectives established as part of the audit planning process
This is also an area that requires judgment and experience.
A control matrix is often used in assessing the proper level of controls. Known types of errors that can occur in an area under review are placed on the top axis of the matrix, and known controls to detect or correct errors are placed on the side axis of the matrix. Then, using a ranking method, the matrix is filled with the appropriate measurements. When completed, the matrix illustrates areas where controls are weak or lacking.
A group of controls, when aggregated together, may act as compensating controls and thereby minimize the risk. An IS auditor should always review for compensating controls prior to reporting a control weakness. An IS auditor may not find each control procedure to be in place, but should evaluate the comprehensiveness of controls by considering the strengths and weaknesses of the control procedures as a whole.
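The control matrix and the compensating-control review described above, as an added example that is not part of the original slides: error types form the top axis, controls the side axis, each cell holds a rank, and per-error coverage is aggregated across all controls before an error type is reported as weak or lacking. The three-level ranking scale, the function names and the sample payments-process errors and controls are assumptions constructed for this illustration.

```python
# Ranking scale for how well one control detects or corrects one error type.
# The slides describe "a ranking method" without fixing one, so this
# three-level scale is an assumption made for the example.
NONE, PARTIAL, FULL = 0, 1, 2

def build_matrix(errors, controls, ratings):
    """Top axis: known error types; side axis: known controls.
    ratings maps (control, error) to a rank; unrated cells default to NONE."""
    return {c: {e: ratings.get((c, e), NONE) for e in errors} for c in controls}

def assess(matrix, errors):
    """For each error type, aggregate the ranks of every control that addresses it
    (a group of partial controls may act as compensating controls) and classify
    the coverage as covered, weak, or lacking."""
    result = {}
    for e in errors:
        covering = {c: row[e] for c, row in matrix.items() if row[e] > NONE}
        aggregate = min(sum(covering.values()), FULL)  # capped at FULL
        if not covering:
            status = "lacking"   # no control addresses this error type at all
        elif aggregate < FULL:
            status = "weak"      # addressed, but not fully, even when aggregated
        else:
            status = "covered"
        result[e] = {"status": status, "aggregate": aggregate,
                     "controls": sorted(covering)}
    return result

def weaknesses(matrix, errors):
    """Error types to report, after compensating controls have been considered."""
    return [e for e, r in assess(matrix, errors).items() if r["status"] != "covered"]

# Constructed sample: a payments process under review (illustrative names only).
ERRORS = ["unauthorized change", "duplicate payment", "data entry error",
          "missing audit trail"]
CONTROLS = ["change approval", "reconciliation", "input validation", "exception report"]
RATINGS = {
    ("change approval", "unauthorized change"): FULL,
    ("reconciliation", "duplicate payment"): PARTIAL,
    ("exception report", "duplicate payment"): PARTIAL,  # compensates with reconciliation
    ("input validation", "data entry error"): PARTIAL,
}
MATRIX = build_matrix(ERRORS, CONTROLS, RATINGS)
ASSESSMENT = assess(MATRIX, ERRORS)

if __name__ == "__main__":
    for e, r in ASSESSMENT.items():
        print(f"{e:22} {r['status']:8} via {', '.join(r['controls']) or '-'}")
```

Two partial controls together cover "duplicate payment", so it is not reported, while "data entry error" (one partial control) and "missing audit trail" (no control) are the weaknesses to report.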