Michael Schneider
The concept of IT General Controls (ITGC) is becoming more and more important in companies and organizations. Increasing IT regulation and the need for effective and efficient IT Governance require that an organization knows precisely, and fully controls, the maturity of the controls implemented across the whole organization.
With the help of well-established ITGCs an organization can leverage many complex topics, such as Information and IT Security, Internal and External Audit, IT Compliance, Risk Management, IT Governance Management, etc.
Because the ITGCs consist of procedures or policies that provide a reasonable assurance that:
This article is an attempt to give a brief overview of what is important when dealing with the concept of ITGCs, their organizational aspects, as well as structure and handling.
An overall IT General Control Manual (ITGCM) as a kind of Policy should define the standards for the implementation of an effective and efficient Control System across an organization.
The ITGCM provides the reference for an organization implementing control procedures and Policies in their respective area of responsibility:
The scope of the ITGCM includes many organizational activities related to the management of IT Systems or other Information Assets as well as non-IT Assets:
Therefore, the implementation of the ITGCM should be mandatory across the whole Organization.
Deviations should be subject to exception request and approval in accordance with an established standard process.
The ITGCM consists of elements including:
This all means that an ITGCM defines the standards for an effective and efficient IT Governance Management Control System.
Management is accountable for making sure that the ITGCs are implemented, documented, tested and evidenced according to the overall ITGCM.
The ITGC Controls Matrix as the key element defines all applicable controls as well as additional information that may be used for the implementation, testing and assessment of the controls. Its purpose is to:
An ITGC Controls Matrix should integrate at least these 3 types of information:
The ITGCs can be structured in many different ways; the following table illustrates a typical individual set of activity domains alongside the set recommended by the Institute of Internal Auditors:
Typical Set | Global Technology Audit Guide * |
---|---|
IT Business Continuity | GTAG 1: Information Technology Controls |
Backup Management | GTAG 2: Change and Patch Management Controls: Critical for Organizational Success |
Change Management | GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment |
Configuration Management | GTAG 4: Management of IT Auditing |
Information Management Organization and Processes | GTAG 5: Managing and Auditing Privacy Risks |
Incident / Problem Management | GTAG 6: Managing and Auditing IT Vulnerabilities |
IT Organization | GTAG 7: Information Technology Outsourcing |
IT Operations | GTAG 8: Auditing Application Controls |
Project Management | GTAG 9: Identity and Access Management |
Physical Security | GTAG 10: Business Continuity Management |
Risk Management | GTAG 11: Developing the IT Audit Plan |
Service Provider Management | GTAG 12: Auditing IT Projects |
System and Information Security | GTAG 13: Fraud Prevention and Detection in the Automated World |
 | GTAG 14: Auditing User-developed Applications |
 | GTAG 15: Information Security Governance |
 | GTAG 16: Data Analysis Technologies |
 | GTAG 17: Auditing IT Governance |
* The Global Technology Audit Guide (GTAG) is released by the Institute of Internal Auditors.
An IT Governance team should be responsible for defining the Controls by providing objectives and requirements for each Control. These objectives and requirements are then used by Internal Audit as part of the audit criteria in their reviews.
The implementation of the IT general controls matrix is mandatory for the whole Organization.
These procedures and policies should be designed to provide reasonable assurance regarding the achievement of control objectives set for:
Updates of the IT general Controls Matrix are subject to formal change management and deviations are subject to formal exception request approval in accordance with established Standards.
The following parameters of the IT general Controls Matrix, with their possible values (or similar ones), can be used to classify and categorize information assets and to identify the list of applicable Controls for these assets:
Parameter | Possible values |
---|---|
Information Asset Categories | IT Unit; Information/Record; IT Application; Platform/Service; Server/Database/Storage; Network/Communication Service; End-User Device; Data Center; Service Provider |
Information Asset Classes | No Classification; Group Policies; SOX, PCI-DSS or NFCM or any other applicable regulation; Confidentiality; Integrity; Availability; Accountability; Non-repudiation; Data Privacy; Records Management; Other classification |
Each ITGC can then be mapped to one or more pre-defined asset categories and classification with an indicator (Applicable or Not Applicable).
ITGC objectives and the related requirements for the implementation of controls (i.e. the control activities, including possible validation steps and recommended evidence) are defined for each Control of the IT general Controls Matrix.
The Assessment of the Controls should then use the following standard maturity parameters:
These standard parameters of the IT General Controls Matrix must be used to document the results of the controls assessment, to track the results of the controls testing, and may be used to track the progress of the Control Gap remediation (included in the Risk Management process).
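The matrix structure described above, with asset categories and classes, an Applicable/Not Applicable indicator per Control, and an assessment against a maturity target that yields the Control Gaps to be tracked, modelled in Python as an added example. This is not code from the article; the control identifiers, objectives, target levels, the 0-5 maturity scale and the sample asset are all constructed for the example, while the category and class values are the ones listed in the matrix.

```python
"""Added example: an ITGC Controls Matrix as data, with two operations the
article describes: deriving the applicable Controls for a classified
information asset, and recording an assessment against a maturity target
so that Control Gaps can be tracked during remediation.
Control ids, objectives, target levels, the 0-5 maturity scale and the
sample asset are constructed for this example (not from the article)."""
from dataclasses import dataclass

# Information Asset Categories and Classes as listed in the article's matrix.
CATEGORIES = frozenset({
    "IT Unit", "Information/Record", "IT Application", "Platform/Service",
    "Server/Database/Storage", "Network/Communication Service",
    "End-User Device", "Data Center", "Service Provider",
})
CLASSES = frozenset({
    "No Classification", "Group Policies",
    "Regulation",  # short for "SOX, PCI-DSS or NFCM or any other applicable regulation"
    "Confidentiality", "Integrity", "Availability", "Accountability",
    "Non-repudiation", "Data Privacy", "Records Management", "Other classification",
})

# Assumed maturity scale; the article names "standard maturity parameters" without listing them.
MATURITY_MIN, MATURITY_MAX = 0, 5  # 0 = not implemented ... 5 = optimised


@dataclass(frozen=True)
class Control:
    control_id: str                    # hypothetical identifier
    domain: str                        # activity domain from the "Typical Set" column
    objective: str
    categories: frozenset              # asset categories the control applies to
    classes: frozenset = frozenset()   # empty = applies whatever the classification
    target_maturity: int = 3           # assumed target level for a "no gap" result

    def __post_init__(self):
        unknown = (self.categories - CATEGORIES) | (self.classes - CLASSES)
        if unknown:
            raise ValueError(f"{self.control_id}: unknown matrix value(s) {sorted(unknown)}")

    def applies_to(self, asset) -> bool:
        """The Applicable / Not Applicable indicator for one asset."""
        if asset.category not in self.categories:
            return False
        return not self.classes or bool(self.classes & asset.classes)


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    classes: frozenset

    def __post_init__(self):
        # Reject values that are not part of the matrix, so every asset is classifiable.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.name}: unknown category {self.category!r}")
        if not self.classes <= CLASSES:
            raise ValueError(f"{self.name}: unknown class(es) {sorted(self.classes - CLASSES)}")


def applicable_controls(matrix, asset):
    """Controls of the matrix that are 'Applicable' for the asset, sorted by id."""
    return sorted((c for c in matrix if c.applies_to(asset)), key=lambda c: c.control_id)


def assess(matrix, asset, observed):
    """Compare observed maturity (control_id -> level) with each applicable
    control's target; returns (control_id, observed, target) for every gap."""
    gaps = []
    for c in applicable_controls(matrix, asset):
        level = observed.get(c.control_id, MATURITY_MIN)  # not assessed = not implemented
        if not MATURITY_MIN <= level <= MATURITY_MAX:
            raise ValueError(f"{c.control_id}: maturity {level} outside the scale")
        if level < c.target_maturity:
            gaps.append((c.control_id, level, c.target_maturity))
    return gaps


def sample_matrix():
    """Constructed controls, one per activity domain, for demonstration only."""
    return [
        Control("CM-01", "Change Management", "Production changes are approved and tested",
                frozenset({"IT Application", "Platform/Service", "Server/Database/Storage"})),
        Control("BM-01", "Backup Management", "Backups are taken and restore-tested",
                frozenset({"Server/Database/Storage", "Data Center"}),
                frozenset({"Availability", "Records Management"})),
        Control("SIS-01", "System and Information Security",
                "Access to data is restricted on a need-to-know basis",
                frozenset({"Information/Record", "IT Application", "Server/Database/Storage"}),
                frozenset({"Confidentiality", "Data Privacy", "Regulation"}), target_maturity=4),
        Control("PS-01", "Physical Security", "Data center access is controlled and logged",
                frozenset({"Data Center"})),
    ]


def sample_assessment():
    """Constructed asset and observed levels; returns (applicable controls, gaps)."""
    payroll_db = Asset("HR payroll database", "Server/Database/Storage",
                       frozenset({"Confidentiality", "Data Privacy", "Availability"}))
    observed = {"CM-01": 3, "BM-01": 2, "SIS-01": 2}
    matrix = sample_matrix()
    return applicable_controls(matrix, payroll_db), assess(matrix, payroll_db, observed)


if __name__ == "__main__":
    controls, gaps = sample_assessment()
    print("applicable:", [c.control_id for c in controls])
    print("gaps (control, observed, target):", gaps)
```

The gap list is what a remediation tracker would consume: a control that was never assessed is treated as not implemented rather than silently skipped, and values outside the agreed scale are rejected so that the assessment results stay comparable across the organization.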
Who is responsible? | What do they take care of? |
---|---|
Governance | Ownership of the IT Policy Framework, incl. policies, directives, standards, and procedures, and in particular the IT general control manual which establishes the information management internal control standards |
 | Obtaining agreement with the various audit, governance and policy-making groups within the organization regarding the contents and use of the IT general control manual |
 | Supporting implementations of the IT general control manual |
 | Providing IT general control manual training material where required |
 | Performing spot checks on asset classifications, controls assessments, controls testing, risk assessments, and risk mitigation plans to ensure a balanced approach across the Organization |
 | Reviewing and approving exception requests |
 | Consolidating and reporting of Controls Status |
Internal Audit | Assessment of design and effectiveness of Controls |
 | Reporting to relevant management |
 | Reporting to the Audit and Compliance Committee of the Board |
 | Review of effectiveness, efficiency and appropriateness of information management processes and controls, focusing on: reliability of information management processes; adherence to group policies and requirements; protection of information assets |
The IT general control manual provides a baseline for Internal Audit to audit against in respect of IT activities. However, the scope of an Internal Audit is not limited to this baseline and may include other non-IT and non-governance activities.
Who is responsible? | What do they take care of? |
---|---|
External Audit | Opinion on the Controls |
 | Review of the IT general control manual documentation in support of their assessment of the Organization |
 | A review of the documentary evidence of Control Procedures and Policies to support compliance |
 | Advice on controls and system weaknesses |
An Audit and Compliance Committee of the Board may review issues raised by the external auditors.
IT general control Assessment procedures
An IT general Controls Assessment Process is built on the three major process steps:
The Controls Assessment process is triggered either through the annual re-assessment cycle of the Controls, or by changes affecting the Organization or information assets, for example:
The Controls Assessment process is executed for individual Information Assets. Its purpose is to:
The key Output of the Assessment includes
Reporting and monitoring are continuous activities that should take place throughout the whole risk treatment process.
Divisions must ensure that risk reporting is in place to keep track of the progress of the remediation plans and the degree of risk to which the organization is exposed.
By establishing a life-cycle with well-selected Controls it is possible to continuously improve the quality and maturity of multiple critical domains of an organization. It can be a crucial instrument to assure compliance with the increasing number of mandatory and complex regulations. It is absolutely worthwhile to establish an organization and a concept around this governance topic, as it generates many synergies with other important areas such as internal audit, information security, risk management and quality assurance.