04. Enterprise IS Governance, Risk Management, and Controls

04.05. The Role, Types, & Evaluation of IS Controls

Credit: Photo of People Having Meeting by Yan Krukau, used under the Pexels License.

Briefly reflect on the following before we begin:

  • What are the differences between preventive, detective, and corrective controls in IT?
  • How do IT general controls differ from application controls?
  • How do you think IS controls need to evolve to address new and emerging IT risks?

Continuing our discussion on internal controls, we will review the critical components of IS controls that ensure the integrity, security, and efficiency of Information Systems (IS). We will explore how these controls, when effectively implemented, can be a powerful tool for achieving organizational objectives.

Next, we delve into the primary categories of IS internal controls – preventive, detective, and corrective. Each category plays a unique role in the control environment. Preventive controls aim to deter undesired events, detective controls identify issues, and corrective controls rectify problems. Understanding these categories is fundamental to grasping the complete picture of IS controls.

We then shift our focus to comparing IT General Controls and Application Controls. While both are essential, they serve different purposes. IT General Controls are broad and apply to all IT systems, such as network security and data center operations. Application Controls, on the other hand, are specific to individual applications, focusing on aspects like data input and output accuracy.

Lastly, we will cover the evaluation and testing of IS controls by discussing methods and techniques for assessing the effectiveness of IS controls. We will explore various evaluation methodologies, from manual testing to automated tools.

The Nature, Role, and Types of Internal Controls

Understanding the definition, nature, role, and importance of internal controls is fundamental before delving into the types of information systems (IS) controls and exploring how to evaluate them. As we have discussed earlier, internal controls are mechanisms, policies, and procedures that organizations put in place to ensure the achievement of their objectives. They are pivotal in managing and safeguarding an organization’s resources, providing accurate and reliable reporting, promoting efficiency, and ensuring compliance with laws and regulations.

At their core, internal controls are integral to the overall corporate governance structure. They assure management and the board of directors that the organization’s risks are adequately managed. This assurance is crucial given the potential for significant financial and reputational damage arising from IS failures or breaches. Moreover, internal controls are about risk management. They are designed to address risks that could impede the organization’s operational, financial, and compliance objectives. These risks could range from data breaches and cyber-attacks to system failures and inaccuracies in data processing. By mitigating such risks, internal controls help maintain the integrity, confidentiality, and availability of information systems, critical assets in today’s digital world.

Beyond supporting the governance of enterprise IT and risk mitigation, internal controls also enhance operational efficiency by ensuring that resources are used effectively and processes are streamlined and consistent. This could mean automating specific tasks to reduce the likelihood of human error and to free up valuable resources for more strategic activities. Additionally, internal controls contribute to the reliability of financial reporting, which is crucial for maintaining investor and stakeholder trust. Adequate internal controls in IS help protect against data loss, theft, and corruption, ensuring the continuity of business operations. They also play a critical role in regulatory compliance, as many laws and regulations require specific controls to be in place, particularly around data protection and privacy.

At a high level, internal controls can be classified as preventive, detective, or corrective. Collectively, they form a comprehensive approach to managing and mitigating IS risks, with each type of control playing a unique role in safeguarding an organization’s data and technology infrastructure.

Table: Internal Controls

Preventive Controls
Description: Preventive controls are proactive measures designed to stop undesirable events or exposures before they occur. They are the first line of defence in risk management. In an IS context, preventive controls include strong password policies, access controls, firewalls, and encryption. Implementing these controls requires careful planning and consideration of potential risks, aiming to minimize them before they become actual issues.
Examples:
  • Access Control Systems: Restrict access to information systems and data to authorized personnel only, preventing unauthorized access and potential data breaches.
  • Firewalls: Act as a barrier between secure internal networks and untrusted external networks, like the internet, to prevent unauthorized access and protect against external threats.
  • Data Encryption: Encrypt sensitive data both in transit and at rest to prevent unauthorized users from reading or modifying it, thereby safeguarding data confidentiality and integrity.

Detective Controls
Description: Detective controls are designed to identify and report occurrences of an undesirable event. They are essential in promptly identifying issues that preventive controls may not have caught. These controls play a crucial role in identifying security breaches, system failures, or data integrity issues after they have occurred. By quickly detecting these issues, organizations can respond promptly to mitigate their impact.
Examples:
  • Intrusion Detection Systems (IDS): Monitor network traffic for suspicious activities and signs of potential security breaches, alerting the IT team to investigate further.
  • System Audit Trails and Transaction Logs: Keep records of system activities, such as user logins, file accesses, and system changes, allowing for the detection of unusual or unauthorized activities.
  • Regular System Audits: Conduct systematic reviews of information systems to identify security weaknesses, non-compliance with policies, or other issues that might compromise the system’s integrity.

Corrective Controls
Description: Corrective controls come into play after a risk has materialized. Their primary purpose is to correct and recover from undesirable events. In the context of IS controls, corrective actions might include disaster recovery plans, data backup systems, and patches or fixes to software issues. Corrective controls are critical for business continuity management and reducing the potential damage from security incidents or system failures.
Examples:
  • Disaster Recovery Plans: Provide a set of procedures to recover and restore IT systems and operations following a disruption or disaster, ensuring business continuity management.
  • Patch Management: Involves regularly updating software to fix known vulnerabilities that have been detected, thereby correcting security weaknesses.
  • Data Backup Systems: Regularly back up data to secure locations, allowing for data restoration in case of corruption, loss, or a security breach.

The effectiveness of these controls is not independent but interrelated. An organization must implement a balanced mix of preventive, detective, and corrective controls for optimal risk management. This multi-layered approach ensures that even if one control fails, others are in place to mitigate risks. Implementing these controls must be strategic and aligned with the organization’s overall risk management framework. This alignment ensures controls are not applied randomly but are targeted toward specific risks identified through risk assessment processes. Additionally, the cost and complexity of controls should be proportional to the potential risks they are meant to mitigate. Moreover, these controls must be regularly reviewed and updated to remain effective. The dynamic nature of technology and emerging threats necessitates continual reassessment of information systems’ preventive, detective, and corrective controls. Regular audits and assessments can help identify areas where controls must be strengthened or updated.

The Primary Categories of Internal Controls

Now that we have explored the broader types of IS controls, let’s dive deeper into the primary categories of internal controls. They are pivotal in ensuring the integrity, security, and efficiency of IS processes.

One way to categorize internal controls is by their nature: automated, manual, and IT-dependent.

  • Automated controls are built into software and hardware systems, functioning without human intervention. Examples of automated IS controls can include:
    • Antivirus Software: Continuously automatically scans and removes malicious software from computers and networks without human intervention.
    • Automatic Data Encryption: Encrypts data automatically as it is stored or transmitted, ensuring data security without requiring manual input.
    • Automated Network Monitoring Tools: Constantly monitor network traffic for unusual activity or threats, automatically alerting the IT team of potential security breaches.
  • Manual controls require human action, such as physical inventory checks or manual approval processes. Examples of manual IS controls can include:
    • Review of Automated Logs: Human review of system-generated logs, such as access or transaction logs, to identify any unusual or unauthorized activity.
    • Manual Approval of System Updates: Automated system update notifications requiring manual review and approval before implementation.
    • Periodic User Access Reviews: Manually reviewing and verifying user access rights and privileges based on reports generated by an access management system.
  • IT-dependent controls are a hybrid, involving both technology and human input. Examples of IT-dependent manual IS controls can include:
    • Physical Security Measures: Includes measures such as locks, security guards, and access badges to control physical access to information systems and data centers.
    • Manual Data Entry Oversight: Supervising and verifying manually entered data into systems for accuracy and integrity.
    • Employee Training Sessions: Conducting in-person training for employees on cybersecurity best practices, protocols, and manual procedures related to information security.

Another classification divides controls into application controls and IT general controls.

  • Application controls are specific to individual software applications. They ensure the completeness, accuracy, and authorization of transactions processed by the application. This includes input controls, processing controls, and output controls.
  • IT general controls provide the environment to ensure the proper operation of application controls. They include controls over data center operations, system software acquisition and maintenance, and access security.

Internal controls can also be categorized by their purpose.

  • Competent personnel are essential for any control system to function effectively. They are knowledgeable and skilled individuals who understand the importance of controls in safeguarding assets and ensuring accurate reporting. Examples of these controls can include:
    • Certified IT Security Staff: Employing staff with certifications in cybersecurity, such as CISSP or CISA, ensuring they have the expertise to manage and secure information systems effectively.
    • Ongoing Training Programs: Regular training programs for IT staff on the latest technologies and security practices to keep their skills and knowledge current.
    • Hiring Process with Skill Assessments: Implementing a robust hiring process for IT personnel, including assessments to evaluate technical competencies and problem-solving skills.
  • Supervision ensures that these personnel perform their duties correctly and promptly address potential risks. Examples of these controls can include:
    • IT Management Oversight: Senior IT managers regularly review IT staff’s work, ensuring adherence to policies and standards.
    • Team Lead Reviews: Team leads conduct regular check-ins and oversee ongoing IT projects and daily operations.
    • Peer Review Processes: Implementing a system where IT staff members review each other’s work, such as code reviews in software development.
  • Monitoring and performance feedback are vital for assessing the effectiveness of controls and making necessary improvements. They involve regular reviews and analysis of control activities and their outcomes. Examples of these controls can include:
    • Performance Metrics and KPIs: Establishing key performance indicators for IT staff and systems and regularly monitoring these metrics.
    • Regular Performance Appraisals: Conduct periodic performance reviews to provide feedback to IT staff on their work and progress.
    • Real-Time Monitoring Systems: Utilizing software tools to monitor system performance and automatically report issues to the IT team.
  • Segregation of duties is another crucial control type. It prevents individuals from controlling all process aspects, reducing the risk of errors or fraud. Examples of these controls can include:
    • Separation of Development and Operations: Ensuring that different individuals or teams handle system development and IT operations to prevent conflicts of interest.
    • Distinct Access Rights: Assigning different levels of system access to staff based on their job roles, ensuring no single individual has control over all process aspects.
    • Dual Control for Critical Processes: Requiring more than one person to complete and approve critical tasks, such as system changes or financial transactions.
  • Restricted access is critical in IS controls. It ensures that only authorized personnel can access systems and data, protecting sensitive information from unauthorized use or disclosure. Examples of these controls can include:
    • Role-Based Access Control (RBAC): Implementing access controls that limit user access to information and functions based on their organizational role.
    • Two-Factor Authentication (2FA): Requiring a second form of verification beyond just a password to access sensitive systems or data.
    • VPN and Secure Remote Access: Providing secure, limited access to the company’s network for remote employees through VPNs or other secure access tools.
  • Periodic reconciliation involves comparing different data sets to identify and correct discrepancies, an essential step in ensuring data integrity. Examples of these controls can include:
    • Regular Financial Reconciliations: Periodically reconciling financial records in IT systems with bank statements or other financial documents.
    • Data Cross-Verification: Regularly cross-checking data stored in different systems for consistency and accuracy.
    • Audit Trail Reviews: Review audit trails and logs periodically to ensure transactions and activities are recorded accurately and reconciled with system outputs.

Lastly, authorization, custody, recording, and reconciliation are crucial elements in control activities.

  • Authorization ensures that transactions are approved by appropriate personnel before processing. Examples of authorization IS controls can include:
    • User Access Permissions: Establishing controls where access to systems and data requires authorization based on user roles and responsibilities, ensuring only authorized personnel can access sensitive information.
    • Transaction Approval Processes: Requiring managerial approval for transactions above a certain threshold in financial applications to ensure legitimacy.
    • Electronic Signature Authentication: Implementing electronic signature verification for document approvals and transactions in systems, ensuring that the correct individual authorizes actions.
  • Custody involves the safekeeping of assets, preventing unauthorized access or loss. Examples of custody IS controls can include:
    • Secure Data Storage: Using encrypted databases and secure storage solutions to maintain the custody of sensitive data, ensuring it is protected from unauthorized access or tampering.
    • Physical Security of Hardware: Implementing security measures like locked rooms and surveillance cameras to protect servers and other critical IT hardware that store sensitive information.
    • Access Control to Data Centers: Restricting physical access to data centers and server rooms to authorized personnel only, ensuring the safety and integrity of the hardware and data.
  • Recording refers to the accurate and timely documentation of transactions and events. Examples of recording IS controls can include:
    • Automated Transaction Logging: Systems that automatically record transactions and user activities, creating an audit trail for accountability and traceability.
    • Document Management Systems: Implementing systems that record the creation, modification, and access of documents, ensuring a traceable record of all document-related activities.
    • Time-Stamping Entries: Ensuring all entries in the system, such as updates or new data inputs, are time-stamped to create an accurate historical record of activities.
  • Reconciliation ensures that recorded transactions match the actual assets and liabilities. Examples of reconciliation IS controls can include:
    • Financial Data Reconciliation Tools: Utilizing software to reconcile financial transactions recorded in the system with external statements like bank statements.
    • Inventory Reconciliation Systems: Systems to periodically reconcile physical inventory counts with inventory records maintained in the system.
    • Cross-System Data Reconciliation: Implementing processes to reconcile data across different systems, ensuring consistency and accuracy of information stored in various applications.
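The periodic user access reviews, cross-system data verification, and reconciliation controls described above all come down to comparing an authoritative data set with a dependent one and reporting every discrepancy. The following Python script is an added example (it is not from the textbook) that reconciles a constructed HR roster against a constructed application account export; the field names (`employee_id`, `status`, `role`, `privileges`) and the role-to-privilege baseline are assumptions chosen for illustration.

```python
"""Cross-system reconciliation: HR roster versus application accounts.

Added example, not part of the textbook. All data below is constructed and
the field names and role baseline are assumptions.
"""
from typing import Dict, List

# Constructed HR roster (authoritative source of employment status and job role).
HR_ROSTER = [
    {"employee_id": "E100", "status": "active", "role": "loan_officer"},
    {"employee_id": "E101", "status": "active", "role": "customer_service"},
    {"employee_id": "E102", "status": "terminated", "role": "loan_officer"},
    {"employee_id": "E103", "status": "active", "role": "it_admin"},
]

# Constructed account export from a loan-processing application.
APP_ACCOUNTS = [
    {"username": "ada", "employee_id": "E100", "enabled": True,
     "privileges": {"loan.read", "loan.create"}},
    {"username": "ben", "employee_id": "E101", "enabled": True,
     "privileges": {"loan.read", "loan.approve"}},
    {"username": "cy", "employee_id": "E102", "enabled": True,
     "privileges": {"loan.read", "loan.create"}},
    {"username": "svc_report", "employee_id": None, "enabled": True,
     "privileges": {"loan.read"}},
]

# Assumed role-to-privilege baseline: the privileges each role is entitled to.
ROLE_BASELINE = {
    "loan_officer": {"loan.read", "loan.create"},
    "customer_service": {"loan.read"},
    "it_admin": {"loan.read", "loan.create", "loan.approve", "user.admin"},
}


def reconcile_accounts(roster, accounts, baseline) -> Dict[str, List]:
    """Compare application accounts with the HR roster; return findings by type."""
    by_id = {r["employee_id"]: r for r in roster}
    findings = {
        "terminated_still_enabled": [],  # leaver whose account was never disabled
        "unmapped_account": [],          # account with no owner in HR (service account?)
        "excess_privilege": [],          # privileges beyond the role baseline
        "missing_account": [],           # active employee with no account at all
    }
    matched = set()
    for acct in accounts:
        emp = by_id.get(acct["employee_id"])
        if emp is None:
            findings["unmapped_account"].append(acct["username"])
            continue
        matched.add(emp["employee_id"])
        if emp["status"] != "active" and acct["enabled"]:
            findings["terminated_still_enabled"].append(acct["username"])
            continue
        extra = acct["privileges"] - baseline.get(emp["role"], set())
        if extra:
            findings["excess_privilege"].append((acct["username"], sorted(extra)))
    for emp in roster:
        if emp["status"] == "active" and emp["employee_id"] not in matched:
            findings["missing_account"].append(emp["employee_id"])
    return findings


if __name__ == "__main__":
    for kind, items in reconcile_accounts(HR_ROSTER, APP_ACCOUNTS, ROLE_BASELINE).items():
        print(f"{kind}: {items}")
```

Each finding type maps to a control in the lists above: a terminated employee with an enabled account is a failure of the access-revocation process, excess privilege is a least-privilege violation, and an unmapped account is one that the periodic review must assign an owner to before it can be judged. Running the reconciliation on a schedule, and keeping its output, turns a manual review into a detective control with an audit trail.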

IT General Controls Vs. Application Controls

Both IT General Controls and Application Controls play significant roles in safeguarding data and ensuring the integrity of IS processes, yet they operate in different scopes and manners.

IT General Controls (ITGCs)

IT General Controls (ITGCs) are policies and procedures that apply to the entire IT environment of an organization. These controls ensure the proper functioning and security of the IT infrastructure. Their primary focus is managing and overseeing IT operations, including data center operations, network security, and access to programs and data. For instance, ITGCs control user access to systems and data, ensuring that only authorized personnel can access sensitive information. They also cover system development and maintenance, ensuring that changes to IT systems are appropriately managed and documented.

Application Controls

Application Controls, on the other hand, are more specific and are directly related to individual software applications. These controls are designed to ensure the integrity, accuracy, and completeness of the data these applications process. They include input controls, which check data for accuracy and completeness when entered into a system; processing controls, which ensure that data is processed correctly in an application; and output controls, which ensure that the data output from a system is accurate and appropriately distributed.

Commonly Used Types of ITGCs and Application Controls

ITGCs:
  • User Access Management: Controls who can access the IT systems and data, including user account creation, modification, and deletion.
  • Change Management: Procedures for managing changes to IT systems, including software updates and patches.
  • Network Security Controls: Measures to protect against unauthorized access to the network, such as firewalls and intrusion detection systems.
  • Data Backup and Recovery: Processes to back up data regularly and recover it in case of loss.
  • Physical Security: Controls to protect physical IT assets, like servers and data centers, including locks, security cameras, and access logs.
  • System Development Life Cycle (SDLC) Controls: Ensuring systems are developed and implemented in a controlled and secure manner.
  • Password Policies: Requirements for password complexity, expiration, and resets to ensure secure authentication.
  • Segregation of Duties in IT: Ensuring that responsibilities for essential IT functions are separated to prevent fraud or errors.
  • Environmental Controls: Measures to protect IT equipment from environmental hazards, like fire suppression systems and temperature controls.
  • IT Compliance Auditing: Regular audits to ensure IT practices adhere to relevant laws, regulations, and standards.

Application Controls:
  • Input Controls: Checks to ensure that data entered into an application is correct and appropriate, like validating data formats and ranges.
  • Processing Controls: Ensuring data is processed correctly within the application, like calculations and transformations.
  • Output Controls: Ensuring the accuracy and completeness of data output from an application, like reports and data exports.
  • Error Detection and Correction: Mechanisms within an application to identify and correct errors in data processing.
  • Authorization Controls: Controls to ensure that transactions are approved by appropriate personnel within the application.
  • Transaction Logs: Recording details of transactions processed by the application for auditing and tracking purposes.
  • Data Integrity Checks: Ensuring that data within the application is accurate and remains unaltered.
  • Interface Controls: Ensuring data transmitted between different applications is complete and accurate.
  • Access Controls within Applications: Controls to limit user access to specific functions and data within an application.
  • Automated Alerts and Notifications: Application features that alert users of specific conditions or anomalies in data processing.

The primary difference between ITGCs and Application Controls lies in their focus and scope. ITGCs provide a broad framework that supports the entire IT environment, ensuring IT processes’ overall security and effectiveness. They are foundational controls that create an environment for Application Controls to function effectively. With robust ITGCs, Application Controls can operate effectively, as they rely on the overall integrity of the IT environment. Application Controls, however, are more focused and specific. They deal with the nitty-gritty details of particular systems, ensuring the accuracy and reliability of the data within those specific systems. These controls are critical in transaction processing systems, where precision and completeness of data are paramount.

In practice, both ITGCs and Application Controls are essential for effective risk management in information systems. ITGCs provide the secure and stable environment necessary for applications to operate safely and effectively. At the same time, Application Controls ensure that transactions within those applications are processed correctly. Together, they form a comprehensive control environment that safeguards an organization’s information systems against various risks. For example, consider an organization’s payroll system. ITGCs would ensure that only authorized personnel have access to the payroll system and that it is secure and reliable. In this case, Application Controls would include checks to ensure that payroll calculations are correct and that employees are only paid for hours they have worked.

See Chapter 5 for a detailed discussion on the nature, types, and evaluation of ITGCs and Chapter 6 for a detailed discussion on the nature, types, and assessment of Application Controls.

Evaluation and Testing of IS Controls: Methods and Techniques

The evaluation and testing of Information Systems (IS) controls involve various methods and techniques designed to assess different aspects of IS controls, identify weaknesses or gaps in the controls, and ensure that they function as intended to protect the organization’s information assets.

Evaluation of IS controls should be conducted using a risk-based approach. It involves identifying the key risks to the IS environment and assessing how well the controls mitigate them. For example, if a data breach is a significant risk, the evaluation would focus on how adequately the controls prevent unauthorized access to data. This approach ensures that the review is focused and relevant to the organization’s risk profile. IS Auditors also use control self-assessment, which involves having the staff who use or manage the IS controls assess their effectiveness. This can be done through questionnaires or interviews. Self-assessment helps gain an insider’s perspective on the controls’ practicality and effectiveness and encourages a culture of responsibility and awareness among staff.

IS Auditors typically perform walkthroughs and observations to assess the design effectiveness of IS controls. This hands-on approach provides a clear understanding of how the controls operate in practice and can reveal issues that may not be evident from documentation or reports. Automated tools and software can also play a significant role in evaluating IS controls, as they continuously monitor controls and flag any anomalies or failures. They can provide real-time analysis of large volumes of data, making it easier to evaluate the effectiveness of controls over time.

On the other hand, to test the operating effectiveness of IS controls, IS auditors apply various methods, such as penetration testing, where simulated cyber attacks are performed to test the strength of network security controls. Another example is system testing, where the functionality and reliability of application controls are tested under different scenarios. Testing provides concrete evidence of control effectiveness and can uncover vulnerabilities. This process involves various methods and techniques to gather evidence and assess the effectiveness of controls. As a quick recap of our discussion from Chapter 03, the primary audit evidence-gathering techniques typically used in evaluating the operating effectiveness of IS controls include the following:

Evidence-Gathering Techniques

Analysis

Analysis examines data, documents, or records to identify patterns, anomalies, or inconsistencies. It plays a crucial role in assessing data integrity and security controls. By analyzing system logs, transaction records, and audit trails, evaluators can detect unauthorized access attempts or unusual system behaviour.
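As an added example of the analysis technique (not from the textbook), the Python script below parses a small set of constructed authentication log lines and flags the patterns an evaluator would look for: a burst of failed logins from one source, a success immediately following such a burst, and a login outside business hours. The log format, the thresholds, and the business-hours window are all assumptions; a real review would use the organization’s own log format and tuned thresholds.

```python
"""Analysis of authentication logs for unauthorized-access indicators.

Added example, not part of the textbook. The log lines are constructed and
the line format, thresholds and business-hours window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt in an assumed "key=value" format.
SAMPLE_LOG = """\
2024-03-04T02:10:01 auth user=cy src=203.0.113.5 result=FAIL
2024-03-04T02:10:09 auth user=cy src=203.0.113.5 result=FAIL
2024-03-04T02:10:20 auth user=cy src=203.0.113.5 result=FAIL
2024-03-04T02:10:31 auth user=cy src=203.0.113.5 result=FAIL
2024-03-04T02:10:44 auth user=cy src=203.0.113.5 result=FAIL
2024-03-04T02:11:02 auth user=cy src=203.0.113.5 result=OK
2024-03-04T09:15:00 auth user=ada src=10.0.0.7 result=OK
2024-03-04T09:16:10 auth user=ben src=10.0.0.8 result=FAIL
2024-03-04T09:16:30 auth user=ben src=10.0.0.8 result=OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "OK",
        })
    return events


def analyze(events, fail_threshold=5, window=timedelta(minutes=10), business_hours=(8, 18)):
    """Return (finding_type, user, src, timestamp) tuples in chronological order."""
    findings = []
    recent_failures = defaultdict(list)  # (user, src) -> timestamps of failures in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # Forget failures that fell out of the sliding window.
        recent_failures[key] = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if not ev["ok"]:
            recent_failures[key].append(ev["ts"])
            if len(recent_failures[key]) == fail_threshold:  # alert once, at the threshold
                findings.append(("repeated_failures", ev["user"], ev["src"], ev["ts"].isoformat()))
            continue
        # A success right after a burst of failures deserves a closer look.
        if len(recent_failures[key]) >= fail_threshold:
            findings.append(("success_after_failures", ev["user"], ev["src"], ev["ts"].isoformat()))
        recent_failures[key] = []
        if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
            findings.append(("off_hours_login", ev["user"], ev["src"], ev["ts"].isoformat()))
    return findings


def analyze_auth_log(text):
    """Convenience wrapper: parse then analyze."""
    return analyze(parse_log(text))


if __name__ == "__main__":
    for finding in analyze_auth_log(SAMPLE_LOG):
        print(finding)
```

The script produces findings, not conclusions: each one is a lead for the evaluator to corroborate with other evidence (an approved after-hours change, a known service account), which is exactly the role the text assigns to analysis of logs and audit trails.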

Inspection

Inspection involves thoroughly examining physical or electronic documents, files, or records. Evaluators can scrutinize control-related documents like policies, procedures, and configuration settings. This method helps ensure that controls are adequately documented and aligned with industry standards and best practices.

Confirmation

Confirmation involves obtaining third-party verification to validate control assertions. This technique is often used to confirm information with external entities, such as a confirmation from a vendor or a third-party auditor. For instance, a company might confirm the accuracy of vendor invoices by contacting the vendor directly.

Reperformance

Reperformance refers to independently executing or reenacting control procedures to validate their effectiveness. This technique is beneficial for controls related to data processing or system configurations. For instance, an evaluator might replicate a user’s access request and check if the access control mechanism correctly grants or denies access as per policy.
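The access-request example in the paragraph above can be carried out systematically: the evaluator derives the decision the policy requires for each request and compares it with the decision the system actually recorded. The Python script below is an added example (not from the textbook) that does this for a constructed role-based policy and a constructed set of observed decisions; the role names, actions, and the idea of grading each exception by whether the system was too permissive are assumptions.

```python
"""Reperformance of an access-control decision against the written policy.

Added example, not part of the textbook. Policy, requests and observed
decisions are constructed; role and action names are assumptions.
"""

# Assumed role-based access policy: the actions each role may perform.
POLICY = {
    "loan_officer": {"loan.read", "loan.create"},
    "customer_service": {"loan.read"},
    "manager": {"loan.read", "loan.approve"},
}

# Constructed access requests together with the decision the system recorded.
OBSERVED_REQUESTS = [
    {"user": "ada", "role": "loan_officer", "action": "loan.create", "system_decision": "granted"},
    {"user": "ben", "role": "customer_service", "action": "loan.approve", "system_decision": "granted"},
    {"user": "cy", "role": "manager", "action": "loan.approve", "system_decision": "denied"},
    {"user": "dee", "role": "contractor", "action": "loan.read", "system_decision": "granted"},
]


def expected_decision(policy, role, action):
    """What the policy says should happen; unknown roles get nothing (fail closed)."""
    return "granted" if action in policy.get(role, set()) else "denied"


def reperform(policy, observed):
    """Re-derive each decision from policy and list every disagreement with the system."""
    exceptions = []
    for req in observed:
        expected = expected_decision(policy, req["role"], req["action"])
        if expected == req["system_decision"]:
            continue
        exceptions.append({
            **req,
            "expected": expected,
            # Granting what policy denies is a security exposure; denying what policy
            # allows is an availability/usability problem, so it is graded lower.
            "severity": "high" if expected == "denied" else "medium",
        })
    return exceptions


def deviation_rate(policy, observed):
    """Share of tested requests where the system disagreed with the policy."""
    if not observed:
        return 0.0
    return len(reperform(policy, observed)) / len(observed)


if __name__ == "__main__":
    for exc in reperform(POLICY, OBSERVED_REQUESTS):
        print(f"{exc['user']} ({exc['role']}) {exc['action']}: "
              f"system={exc['system_decision']} expected={exc['expected']} [{exc['severity']}]")
    print(f"deviation rate: {deviation_rate(POLICY, OBSERVED_REQUESTS):.0%}")
```

Note that the expected decision is computed from the policy document alone, never from the system under test; if the evaluator took the system’s own role mapping as input, the reperformance would only confirm that the system agrees with itself.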

When conducting evaluations and tests, it is essential to consider sampling approaches to gather evidence while managing resources efficiently. The two standard audit sampling approaches commonly used by IS Auditors include:

  • Statistical sampling selects a random subset of items or transactions for evaluation. This approach relies on statistical principles to provide high confidence in the results. It is beneficial when assessing many similar transactions or data points. Statistical sampling helps ensure that the sample is representative of the entire population, reducing the risk of bias.
  • Judgmental sampling involves the selection of items or transactions based on the evaluator’s judgment. This method is more subjective and relies on the evaluator’s expertise to choose items likely to be significant or indicate control effectiveness. Judgmental sampling can be beneficial when evaluating unique or high-risk areas where statistical sampling may not be practical.
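The two sampling approaches can be shown side by side on one population. The Python script below is an added example (not from the textbook): it builds a constructed population of change tickets, draws a seeded random sample (statistical) and a highest-risk-first sample (judgmental), and for the statistical sample computes the upper deviation limit, the largest population deviation rate still consistent with the observed sample at the chosen confidence level (a one-sided Clopper-Pearson bound, computed from the binomial distribution). The population, the "documented approval" attribute, and the 5 % tolerable rate are assumptions.

```python
"""Statistical versus judgmental sampling for a control test.

Added example, not part of the textbook. The population is constructed and
the tested attribute (documented approval of a change) is an assumption.
"""
import math
import random

# Constructed population of 200 change tickets. A ticket without a documented
# approval is a deviation from the change-management control under test.
POPULATION = [
    {"ticket": f"CHG-{i:04d}", "risk": (i * 37) % 100, "documented": i % 23 != 0}
    for i in range(200)
]


def statistical_sample(population, size, seed=42):
    """Random selection: every item has an equal chance; the seed makes the draw reproducible."""
    return random.Random(seed).sample(population, size)


def judgmental_sample(population, size, key="risk"):
    """Auditor-directed selection: the highest-risk items first (no statistical projection)."""
    return sorted(population, key=lambda item: item[key], reverse=True)[:size]


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n, deviations, confidence=0.95):
    """Largest population deviation rate p such that observing at most `deviations`
    in n items is still plausible at the given confidence (bisection on the CDF)."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def attribute_test(sample, tolerable_rate=0.05, confidence=0.95):
    """Evaluate a sample against the control attribute and state a conclusion."""
    deviations = sum(1 for item in sample if not item["documented"])
    udl = upper_deviation_limit(len(sample), deviations, confidence)
    return {
        "sample_size": len(sample),
        "deviations": deviations,
        "sample_rate": deviations / len(sample),
        "upper_deviation_limit": udl,
        "control_effective": udl <= tolerable_rate,
    }


if __name__ == "__main__":
    stat = attribute_test(statistical_sample(POPULATION, 60))
    print("statistical sample:", stat)
    judg = judgmental_sample(POPULATION, 10)
    print("judgmental sample (highest risk):", [t["ticket"] for t in judg])
    print("judgmental deviations:", sum(1 for t in judg if not t["documented"]))
```

With 60 items and zero deviations the upper deviation limit is just under 5 %, which is why a 60-item sample with no exceptions is a common design for a 5 % tolerable rate at 95 % confidence; a single deviation pushes the limit to roughly 7.7 % and the control can no longer be concluded effective at that tolerable rate. The judgmental sample carries no such projection: it tells the auditor about the riskiest tickets, not about the population.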

In the Spotlight

For additional context on the role and types of controls, please read the article titled “Are IT General Controls Outdated? Data Protection and Internal Control Over Financial Reporting”.

Jouke, A. (2022). Are IT general controls outdated? Data protection and internal control over financial reporting. ISACA Journal, 6. https://www.isaca.org/resources/isaca-journal/issues/2022/volume-6/are-it-general-controls-outdated

Key Takeaways

Let’s recap the key concepts discussed in this section by watching this video.

Source: Mehta, A.M. (2023, December 6). AIS OER ch 04 topic 05 key takeaways [Video]. https://youtu.be/6CzcGdHytrc

Review Questions

  1. What is the primary purpose of internal controls in an organization’s information systems?
  2. How do IT General Controls differ from Application Controls?

Mini Case Study

XYZ Corp is a mid-sized financial services company specializing in personal and small business loan products. Established in 2005, XYZ Corp has grown steadily, serving over 100,000 customers across the United States. With its headquarters in Chicago and four regional offices, the company employs approximately 800 staff, including loan officers, customer service representatives, and various administrative and IT personnel.

XYZ Corp’s business model relies heavily on its information systems, which include customer relationship management (CRM) software, loan processing applications, and various support systems such as human resources and accounting software. The company has recently embarked on a digital transformation journey, aiming to leverage technology to improve customer experience and operational efficiency.

However, a recent internal audit has revealed several process weaknesses that could potentially impact the security and integrity of XYZ Corp’s information systems:

  • User Access Management Weaknesses: The audit found that XYZ Corp’s user access management processes are outdated and lack rigour. There is no formal procedure for granting, reviewing, and revoking access rights to various systems. In several instances, former employees’ access rights were not withdrawn promptly, posing a significant security risk. Additionally, cases of excessive privileges are granted to users who do not require such access for their job functions, violating the principle of least privilege.
  • System Change Management Weaknesses: The company’s system change management process is also a cause for concern. Changes to critical systems are often made without adequate testing or documentation, leading to system downtime and data inconsistencies. There is no formal change management committee or process in place, and as a result, changes are made ad hoc without proper authorization or review. This lack of structured change management poses operational risks and makes it difficult to track changes for audit and compliance purposes.
  • Data Management Weaknesses: XYZ Corp’s data management practices are fragmented and inconsistent. The absence of a centralized data governance strategy leads to data quality and integrity issues. Data is stored in multiple, sometimes redundant, databases and systems, with no clear ownership or responsibility for accuracy. This situation has led to data retrieval and reporting challenges, affecting decision-making and customer service. Moreover, the company lacks a comprehensive data backup and disaster recovery plan, putting critical business data at risk in the event of a system failure or data breach.

These weaknesses in user access management, system change management, and data management expose XYZ Corp to operational inefficiencies, significant cybersecurity risks, compliance issues, and potential reputational damage. Addressing these weaknesses should be a priority for XYZ Corp as it continues to expand its digital capabilities and maintain its competitive edge in the financial services sector.

Required: Identify the relevant findings from the scenario above and propose a mix of automated, IT-dependent manual, and manual IS controls, ITGCs, and Application Controls that will address those findings.

License

Auditing Information Systems Copyright © 2024 by Amit M. Mehta is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.