04.05. The Role, Types, & Evaluation of IS Controls

Briefly reflect on the following before we begin:

• What are the differences between preventive, detective, and corrective controls in IT?
• How do IT general controls differ from application controls?
• How do you think IS controls need to evolve to address new and emerging IT risks?

Continuing our discussion on internal controls, we will review the critical components of IS controls that ensure the integrity, security, and efficiency of Information Systems (IS). When effectively implemented, we will explore how these controls can be a powerful tool for achieving organizational objectives.

Next, we delve into the primary categories of IS internal controls – preventive, detective, and corrective. Each category plays a unique role in the control environment. Preventive controls aim to deter undesired events, detective controls identify issues, and corrective controls rectify problems. Understanding these categories is fundamental to grasping the complete picture of IS controls.

We then shift our focus to comparing IT General Controls and Application Controls. While both are essential, they serve different purposes. IT General Controls are broad and apply to all IT systems, such as network security and data center operations. Application Controls, on the other hand, are specific to individual applications, focusing on aspects like data input and output accuracy.

Lastly, we will cover the evaluation and testing of IS controls by discussing methods and techniques for assessing the effectiveness of IS controls. We will explore various evaluation methodologies, from manual testing to automated tools.

The Nature, Role, and Types of Internal Controls

Understanding the definition, nature, role, and importance of internal controls is fundamental before delving into the types of information systems (IS) controls and exploring how to evaluate them. As we have discussed earlier, internal controls are mechanisms, policies, and procedures that organizations put in place to ensure the achievement of their objectives. They are pivotal in managing and safeguarding an organization’s resources, providing accurate and reliable reporting, promoting efficiency, and ensuring compliance with laws and regulations.

At their core, internal controls are integral to the overall corporate governance structure. They assure management and the board of directors that the organization’s risks are adequately managed. This assurance is crucial given the potential for significant financial and reputational damage arising from IS failures or breaches. Moreover, internal controls are about risk management. They are designed to address risks that could impede the organization’s operational, financial, and compliance objectives. These risks could range from data breaches and cyber-attacks to system failures and inaccuracies in data processing. By mitigating such risks, internal controls help maintain the integrity, confidentiality, and availability of information systems, critical assets in today’s digital world.

Beyond supporting the governance of enterprise IT and risk mitigation, internal controls also enhance operational efficiency by ensuring that resources are used effectively and processes are streamlined and consistent. This could mean automating specific tasks to reduce the likelihood of human error and to free up valuable resources for more strategic activities. Additionally, internal controls contribute to the reliability of financial reporting, which is crucial for maintaining investor and stakeholder trust. Adequate internal controls in IS help protect against data loss, theft, and corruption, ensuring the continuity of business operations. They also play a critical role in regulatory compliance, as many laws and regulations require specific controls to be in place, particularly around data protection and privacy.

At a high level, internal controls can be classified as preventive, detective, or corrective. Collectively, they form a comprehensive approach to managing and mitigating IS risks, with each type of control playing a unique role in safeguarding an organization’s data and technology infrastructure.

The effectiveness of these controls is not independent but interrelated. An organization must implement a balanced mix of preventive, detective, and corrective controls for optimal risk management. This multi-layered approach ensures that even if one control fails, others are in place to mitigate risks. Implementing these controls must be strategic and aligned with the organization’s overall risk management framework. This alignment ensures controls are randomly applied and targeted toward specific risks identified through risk assessment processes. Additionally, the cost and complexity of controls should be proportional to the potential risks they are meant to mitigate. Moreover, these controls must be regularly reviewed and updated to remain effective. The dynamic nature of technology and emerging threats necessitates continual reassessment of information systems’ preventive, detective, and corrective controls. Regular audits and assessments can help identify areas where controls must be strengthened or updated.

The Primary Categories of Internal Controls

Now that we have explored the broader types of IS controls let’s dive deeper into the primary categories of internal controls. They are pivotal in ensuring the integrity, security, and efficiency of IS processes.

One way to categorize internal controls is by their nature: automated, manual, and IT-dependent.

• Automated controls are built into software and hardware systems, functioning without human intervention. Examples of automated IS controls can include:
  • Antivirus Software: Continuously automatically scans and removes malicious software from computers and networks without human intervention.
  • Automatic Data Encryption: Encrypts data automatically as it is stored or transmitted, ensuring data security without requiring manual input.
  • Automated Network Monitoring Tools: Constantly monitor network traffic for unusual activity or threats, automatically alerting the IT team of potential security breaches.
• Manual controls require human action, such as physical inventory checks or manual approval processes. Examples of manual IS controls can include:
  • Review of Automated Logs: Human review of system-generated logs, such as access or transaction logs, to identify any unusual or unauthorized activity.
  • Manual Approval of System Updates: Automated system update notifications requiring manual review and approval before implementation.
  • Periodic User Access Reviews: Manually reviewing and verifying user access rights and privileges based on reports generated by an access management system.
• IT-dependent controls are a hybrid, involving both technology and human input. Examples of IT-dependent manual IS controls can include:
  • Physical Security Measures: Includes measures such as locks, security guards, and access badges to control physical access to information systems and data centers.
  • Manual Data Entry Oversight: Supervising and verifying manually entered data into systems for accuracy and integrity.
  • Employee Training Sessions: Conducting in-person training for employees on cybersecurity best practices, protocols, and manual procedures related to information security.

Another classification divides controls into application controls and IT general controls.

• Application controls are specific to individual software applications. They ensure the completeness, accuracy, and authorization of transactions processed by the application. This includes input controls, processing controls, and output controls.
• IT general controls provide the environment to ensure the proper operation of application controls. They include controls over data center operations, system software acquisition and maintenance, and access security.

Internal controls can also be categorized by their purpose.

• Competent personnel are essential for any control system to function effectively. They are knowledgeable and skilled individuals who understand the importance of controls in safeguarding assets and ensuring accurate reporting. Examples of these controls can include:
  • Certified IT Security Staff: Employing staff with certifications in cybersecurity, such as CISSP or CISA, ensuring they have the expertise to manage and secure information systems effectively.
  • Ongoing Training Programs: Regular training programs for IT staff on the latest technologies and security practices to keep their skills and knowledge current.
  • Hiring Process with Skill Assessments: Implementing a robust hiring process for IT personnel, including assessments to evaluate technical competencies and problem-solving skills.
• Supervision ensures that these personnel perform their duties correctly and promptly address potential risks. Examples of these controls can include:
  • IT Management Oversight: Senior IT managers regularly review IT staff’s work, ensuring adherence to policies and standards.
  • Team Lead Reviews: Team leads conduct regular check-ins and oversee ongoing IT projects and daily operations.
  • Peer Review Processes: Implementing a system where IT staff members review each other’s work, such as code reviews in software development.
• Monitoring and performance feedback are vital for assessing the effectiveness of controls and making necessary improvements. They involve regular reviews and analysis of control activities and their outcomes. Examples of these controls can include:
  • Performance Metrics and KPIs: Establishing key performance indicators for IT staff and systems and regularly monitoring these metrics.
  • Regular Performance Appraisals: Conduct periodic performance reviews to provide feedback to IT staff on their work and progress.
  • Real-Time Monitoring Systems: Utilizing software tools to monitor system performance and automatically report issues to the IT team.
• Segregation of duties is another crucial control type. It prevents individuals from controlling all process aspects, reducing the risk of errors or fraud. Examples of these controls can include:
  • Separation of Development and Operations: Ensuring that different individuals or teams handle system development and IT operations to prevent conflicts of interest.
  • Distinct Access Rights: Assigning different levels of system access to staff based on their job roles, ensuring no single individual has control over all process aspects.
  • Dual Control for Critical Processes: Requiring more than one person to complete and approve critical tasks, such as system changes or financial transactions.
• Restricted access is critical in IS controls. It ensures that only authorized personnel can access systems and data, protecting sensitive information from unauthorized use or disclosure. Examples of these controls can include:
  • Role-Based Access Control (RBAC): Implementing access controls that limit user access to information and functions based on their organizational role.
  • Two-Factor Authentication (2FA): Requiring a second form of verification beyond just a password to access sensitive systems or data.
  • VPN and Secure Remote Access: Providing secure, limited access to the company’s network for remote employees through VPNs or other secure access tools.
• Periodic reconciliation involves comparing different data sets to identify and correct discrepancies, an essential step in ensuring data integrity. Examples of these controls can include:
  • Regular Financial Reconciliations: Periodically reconciling financial records in IT systems with bank statements or other financial documents.
  • Data Cross-Verification: Regularly cross-checking data stored in different systems for consistency and accuracy.
  • Audit Trail Reviews: Review audit trails and logs periodically to ensure transactions and activities are recorded accurately and reconciled with system outputs.

Lastly, authorization, custody, recording, and reconciliation are crucial elements in control activities.

• Authorization ensures that transactions are approved by appropriate personnel before processing. Examples of authorization IS controls can include:
  • User Access Permissions: Establishing controls where access to systems and data requires authorization based on user roles and responsibilities, ensuring only authorized personnel can access sensitive information.
  • Transaction Approval Processes: Requiring managerial approval for transactions above a certain threshold in financial applications to ensure legitimacy.
  • Electronic Signature Authentication: Implementing electronic signature verification for document approvals and transactions in systems, ensuring that the correct individual authorizes actions.
• Custody involves the safekeeping of assets, preventing unauthorized access or loss. Examples of custody IS controls can include:
  • Secure Data Storage: Using encrypted databases and secure storage solutions to maintain the custody of sensitive data, ensuring it is protected from unauthorized access or tampering.
  • Physical Security of Hardware: Implementing security measures like locked rooms and surveillance cameras to protect servers and other critical IT hardware that store sensitive information.
  • Access Control to Data Centers: Restricting physical access to data centers and server rooms to authorized personnel only, ensuring the safety and integrity of the hardware and data.
• Recording refers to the accurate and timely documentation of transactions and events. Examples of recording IS controls can include:
  • Automated Transaction Logging: Systems that automatically record transactions and user activities, creating an audit trail for accountability and traceability.
  • Document Management Systems: Implementing systems that record the creation, modification, and access of documents, ensuring a traceable record of all document-related activities.
  • Time-Stamping Entries: Ensuring all entries in the system, such as updates or new data inputs, are time-stamped to create an accurate historical record of activities.
• Reconciliation ensures that recorded transactions match the actual assets and liabilities. Examples of reconciliation IS controls can include:
  • Financial Data Reconciliation Tools: Utilizing software to reconcile financial transactions recorded in the system with external statements like bank statements.
  • Inventory Reconciliation Systems: Systems to periodically reconcile physical inventory counts with inventory records maintained in the system.
  • Cross-System Data Reconciliation: Implementing processes to reconcile data across different systems, ensuring consistency and accuracy of information stored in various applications.

IT General Controls Vs. Application Controls

Both IT General Controls and Application Controls play significant roles in safeguarding data and ensuring the integrity of IS processes, yet they operate in different scopes and manners.

The primary difference between ITGCs and Application Controls lies in their focus and scope. ITGCs provide a broad framework that supports the entire IT environment, ensuring IT processes’ overall security and effectiveness. They are foundational controls that create an environment for Application Controls to function effectively. With robust ITGCs, Application Controls can operate effectively, as they rely on the overall integrity of the IT environment. Application Controls, however, are more focused and specific. They deal with the nitty-gritty details of particular systems, ensuring the accuracy and reliability of the data within those specific systems. These controls are critical in transaction processing systems, where precision and completeness of data are paramount.

In practice, both ITGCs and Application Controls are essential for effective risk management in information systems. ITGCs provide the secure and stable environment necessary for applications to operate safely and effectively. At the same time, Application Controls ensure that transactions within those applications are processed correctly. Together, they form a comprehensive control environment that safeguards an organization’s information systems against various risks. For example, consider an organization’s payroll system. ITGCs would ensure that only authorized personnel have access to the payroll system and that it is secure and reliable. In this case, Application Controls would include checks to ensure that payroll calculations are correct and that employees are only paid for hours they have worked.

See Chapter 5 for a detailed discussion on the nature, types, and evaluation of ITGCs and Chapter 6 for a detailed discussion on the nature, types, and assessment of Application Controls.

Evaluation and Testing of IS Controls: Methods and Techniques

The evaluation and testing of Information Systems (IS) controls involve various methods and techniques designed to assess different aspects of IS controls, identify weaknesses or gaps in the controls, and ensure that they function as intended to protect the organization’s information assets.

Evaluation of IS controls should be conducted using a risk-based approach. It involves identifying the key risks to the IS environment and assessing how well the controls mitigate them. For example, if a data breach is a significant risk, the evaluation would focus on how adequately the controls prevent unauthorized access to data. This approach ensures that the review is focused and relevant to the organization’s risk profile. IS Auditors also use control self-assessment, which involves having the staff who use or manage the IS controls assess their effectiveness. This can be done through questionnaires or interviews. Self-assessment helps gain an insider’s perspective on the controls’ practicality and effectiveness and encourages a culture of responsibility and awareness among staff.

IS Auditors typically perform walkthroughs and observations to assess the design effectiveness of IS controls. This hands-on approach provides a clear understanding of how the controls operate in practice and can reveal issues that need to be evident from documentation or reports. Automated tools and software can also play a significant role in evaluating IS controls as they continuously monitor controls and flag any anomalies or failures. They can provide real-time analysis of large volumes of data, making it easier to evaluate the effectiveness of controls over time.

On the other hand, to test the operating effectiveness of IS controls, IS auditors apply various methods, such as penetration testing, where simulated cyber attacks are performed to test the strength of network security controls. Another example is system testing, where the functionality and reliability of application controls are tested under different scenarios. Testing provides concrete evidence of control effectiveness and can uncover vulnerabilities. This process involves various methods and techniques to gather evidence and assess the effectiveness of controls. As a quick recap of our discussion from Chapter 03, the primary audit evidence-gathering techniques typically used in evaluating the operating effectiveness of IS controls include the following:

When conducting evaluations and tests, it is essential to consider sampling approaches to gather evidence while managing resources efficiently. The two standard audit sampling approaches commonly used by IS Auditors include:

• Statistical sampling selects a random subset of items or transactions for evaluation. This approach relies on statistical principles to provide high confidence in the results. It is beneficial when assessing many similar transactions or data points. Statistical sampling helps ensure that the sample is representative of the entire population, reducing the risk of bias.
• Judgmental sampling involves the selection of items or transactions based on the evaluator’s judgment. This method is more subjective and relies on the evaluator’s expertise to choose items likely to be significant or indicate control effectiveness. Judgmental sampling can be beneficial when evaluating unique or high-risk areas where statistical sampling may not be practical.