The ABCs of IT Controls for CIOs and IT Managers

ABCs of IT Control

Day-to-day IT operations keep you busy, as do the many projects running at the same time. Keeping the lights on while, for instance, changing the technical foundation of the organisation asks a lot of your team. Furthermore, digital transformation requires the engagement of business representatives, and sometimes it feels like a continuous battle. Meanwhile an audit has taken place and IT has a long list of items that need to be improved. The auditors are talking about IT controls and the need to shape a risk-based mentality. What are they talking about, and how do we make sure that we are able to implement the required improvements?

In this article I describe the different types of controls and why they are relevant for IT and the business. I also cover how to make sure that the implementation of IT controls actually gets executed.

IT General Controls (ITGC)

ITGC are typically seen as the foundation of the IT control structure. If you work in IT, these controls should not sound unfamiliar: typically they are ITIL processes and procedures, or security- and access-related processes and policies. ITGC apply to all computerised applications and are a combination of hardware, software, and the aforementioned processes and policies. Examples of ITGC are:

  • Change management
  • Logical access
  • Disaster recovery
  • Incident/ problem management

The auditors will want to assess the maturity of these processes and elements and make sure that the risks to the organisation are reduced, avoided or mitigated. Creating the processes and making them repeatable reduces the likelihood of those risks materialising. As an example from your change management process: it helps to have a change advisory board (CAB) with the necessary stakeholders to review every change before it is implemented in your production environment. Each change will have been evaluated on impact and risk, answering questions like: how has the rollback been tested, and how is it organised? I know, and you will surely know too, that a structured assessment of changes reduces the chance of an incident occurring in production. An incident in turn will almost certainly impact the business and have financial consequences. Auditors want to limit these kinds of impacts.

IT Logic

“So, we already do that!” I heard this from an IT manager in one of my consulting assignments. And of course I had to fully agree, as most IT departments I have seen have (ITIL) processes in place or run their software development according to a defined method (Agile). The question I then get asked is what is missing in the eyes of the auditors or corporate risk management. The answer, I find, usually lies in the administrative registration (or proof) of the steps taken to prevent production failure: say what you do, execute, and prove that you executed it the way you said.

From the example above, the minutes of the CAB meetings need to be stored in an accessible file storage (e.g. OneDrive, Teams or similar). The minutes should show the decisions taken and which discussions were had. The change registration and CMDB tooling should all be linked up to reflect the changes and register the approval or rejection of each change, so that every production change can be traced back to its CAB decision.
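The "prove that you executed" step can itself be automated. What follows is an added example, not code from this article: a small Python reconciliation that takes a constructed export of CAB decisions (as you would extract them from the stored minutes) and a constructed deployment log, and reports every production change that lacks a prior, approved CAB decision. The record fields, ticket numbers, names and dates are assumptions made for the illustration; a real check would read the exports of your change tool and CMDB instead.

```python
"""Evidence check for the change management control.

Added example, not code from the article: it reconciles a constructed
export of CAB decisions against a constructed deployment log and reports
every production change that lacks a clean audit trail. Record fields,
ticket numbers, names and dates are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CabDecision:
    change_id: str
    decision: str        # "approved" or "rejected", as recorded in the minutes
    approver: str
    decided_at: datetime
    minutes_ref: str     # link to the stored minutes: the evidence the auditor asks for


@dataclass(frozen=True)
class Deployment:
    change_id: str       # the ticket the deployment was executed under
    deployed_by: str
    deployed_at: datetime


def reconcile(decisions, deployments):
    """Return {change_id: finding} for each deployment without a matching,
    prior, approved CAB decision taken by someone other than the deployer.
    An empty dict means every deployment is evidenced."""
    by_id = {d.change_id: d for d in decisions}
    findings = {}
    for dep in deployments:
        cab = by_id.get(dep.change_id)
        if cab is None:
            findings[dep.change_id] = "no CAB record"
        elif cab.decision != "approved":
            findings[dep.change_id] = f"CAB decision was '{cab.decision}'"
        elif cab.decided_at > dep.deployed_at:
            findings[dep.change_id] = "deployed before CAB approval"
        elif cab.approver == dep.deployed_by:
            # Segregation of duties: approving and executing your own change
            # defeats the review, so it is flagged as well.
            findings[dep.change_id] = "approver also executed the deployment"
    return findings


# Constructed sample data (no real tickets, people or dates).
CAB_DECISIONS = [
    CabDecision("CHG-1001", "approved", "alice", datetime(2024, 3, 4, 10, 0), "cab-minutes/2024-03-04.docx"),
    CabDecision("CHG-1003", "rejected", "alice", datetime(2024, 3, 4, 10, 0), "cab-minutes/2024-03-04.docx"),
    CabDecision("CHG-1004", "approved", "alice", datetime(2024, 3, 7, 9, 0), "cab-minutes/2024-03-07.docx"),
    CabDecision("CHG-1005", "approved", "carol", datetime(2024, 3, 7, 9, 0), "cab-minutes/2024-03-07.docx"),
]
DEPLOYMENTS = [
    Deployment("CHG-1001", "bob", datetime(2024, 3, 5, 20, 0)),    # clean trail
    Deployment("CHG-1002", "bob", datetime(2024, 3, 5, 21, 0)),    # never went to CAB
    Deployment("CHG-1003", "bob", datetime(2024, 3, 5, 22, 0)),    # rejected but shipped anyway
    Deployment("CHG-1004", "bob", datetime(2024, 3, 6, 20, 0)),    # shipped a day before approval
    Deployment("CHG-1005", "carol", datetime(2024, 3, 8, 20, 0)),  # carol approved her own change
]

if __name__ == "__main__":
    for change_id, finding in sorted(reconcile(CAB_DECISIONS, DEPLOYMENTS).items()):
        print(f"{change_id}: {finding}")
```

Run this on every audit period: an empty result is the evidence you hand to the auditor, and anything it lists is either an undocumented change or a gap in the registration, which is exactly what the auditor would otherwise find for you.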

In this way the auditors are satisfied that a structured approach is in place and actually executed.

Application and Automated Controls

Alongside ITGC sit application controls. These are controls that are specific to one application: how do we ensure that the input is entered correctly (complete, accurate and valid), that the processing is executed correctly, and that the resulting output is in line with expectations? Prime examples are the automated control options in ERP systems: checks on bank account details (bank account validation) or the four-eyes principle (e.g. the approver of a purchase order cannot be the same person as its requester). ITGC such as logical access and change management are what make these application controls trustworthy: an automated check is only worth something if nobody can switch it off or change it unnoticed.
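The two ERP examples above, as an added illustration that is not code from this article or from any ERP vendor: a purchase order is checked for completeness, accuracy and validity on input (the validity check being the standard ISO 13616 mod-97 test on the supplier's IBAN), and approval is refused whenever the approver is the requester. The PurchaseOrder fields, the sample orders and the names are assumptions made for this example; the IBAN used is the well-known "GB82 WEST ..." test value, not a real account.

```python
"""Application controls on a purchase order.

Added example, not the article's or any vendor's code: input validation
(complete, accurate, valid) and the four-eyes rule on approval. The
PurchaseOrder fields, sample orders and names are assumptions made for
this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PurchaseOrder:
    po_id: str
    requester: str
    supplier: str
    supplier_iban: str
    amount: float
    approved_by: Optional[str] = None


def normalise_iban(iban: str) -> str:
    """Strip the spaces users type and upper-case the letters."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters by 10..35 and the remainder modulo 97 must be 1.
    Country-specific lengths are deliberately not checked here; a
    production control would carry that table as well."""
    s = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)  # 'A' -> 10 ... 'Z' -> 35
    return int(digits) % 97 == 1


def input_findings(po: PurchaseOrder) -> List[str]:
    """Completeness, accuracy and validity checks applied before the PO is accepted."""
    findings = []
    for name in ("po_id", "requester", "supplier", "supplier_iban"):
        if not getattr(po, name):
            findings.append(f"{name} is missing")                 # completeness
    if po.amount <= 0:
        findings.append("amount must be positive")                # accuracy
    if po.supplier_iban and not iban_is_valid(po.supplier_iban):
        findings.append("supplier IBAN fails the mod-97 check")   # validity
    return findings


def approve(po: PurchaseOrder, approver: str) -> bool:
    """Four-eyes rule: the requester may never approve their own order, and
    an order that fails input validation cannot be approved at all.
    Records the approver and returns True on success, False otherwise."""
    if not approver or approver == po.requester:
        return False
    if input_findings(po):
        return False
    po.approved_by = approver
    return True


# Constructed sample orders (no real suppliers or accounts).
PO_OK = PurchaseOrder("PO-1", "alice", "Acme Ltd", "GB82 WEST 1234 5698 7654 32", 1250.00)
PO_BAD_IBAN = PurchaseOrder("PO-2", "alice", "Acme Ltd", "GB82 WEST 1234 5698 7654 23", 1250.00)  # last digits transposed
PO_INCOMPLETE = PurchaseOrder("PO-3", "", "Acme Ltd", "GB82 WEST 1234 5698 7654 32", 0)

if __name__ == "__main__":
    for po in (PO_OK, PO_BAD_IBAN, PO_INCOMPLETE):
        print(po.po_id, input_findings(po) or "input ok")
    print("alice approves her own PO-1:", approve(PO_OK, "alice"))
    print("bob approves PO-1:", approve(PO_OK, "bob"), "->", PO_OK.approved_by)
```

The transposed IBAN in PO-2 is the classic typing error the mod-97 check exists to catch; note that the check proves the number is well-formed, not that it belongs to the supplier, which is why ERP systems combine it with a separate vendor master data approval.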

To emphasise: controls are implemented to limit risks and potential (financial) damage to the company.

Risk Framework

More often than not in corporate organisations, the ITGC are part of the overall corporate risk framework. I have found that the risk framework is usually written from a certain perspective, focusing on operational and financial risks, which makes total sense. However, as the importance of and dependency on IT increases year by year in most organisations, the significance of IT risks increases as a result. It is therefore highly relevant to understand both the perspective of the risk framework and the specific IT environment. It is this environment that actually supports the business and requires the controls to ‘manage’ the aforementioned IT risks. Or should I actually call them business risks too?

CobiT: The Solution?

The CobiT framework, developed by ISACA, describes the control objectives for IT and is a valuable guide for implementing controls in IT. I consider it a great toolbox, but it is like the alphabet: knowing your ABCs does not mean you are able to form words, build sentences or communicate your story in any way, shape or form. For one, the specific organisational situation determines which controls are the right ones to address for your company. Each company may have a different view on the importance of certain controls, based on its risk appetite and the focus of its specific risk framework. In conclusion, the implementation of IT controls is highly dependent on the organisational situation.

Intrigued?

If you are interested in discussing how I can assist with controls, reach out to me! Above all, I go beyond only analysing or reviewing: I am also able to execute the actual implementation. In these implementations, I incorporate the organisational risk requirements and the daily realities of IT at the same time, in an optimised way.

Take Control of Your Controls