IS Control Objectives



This topic is related to information systems auditing. Every organization has controls in place. Controls are normally composed of policies, procedures, practices and organizational structures that are implemented to reduce risks to the organization. The board of directors and seniors management are responsible for establishing the appropriate culture to facilitate effective and efficient internal control system. There are two aspects of controls: What should be achieved and what should be avoided. Internal controls address business and operational objectives. 

Control objectives are statements of the desired result or purpose to be achieved by implementing the control activities which are in the form of processes and procedures. Control objectives apply to all controls whether they are manual, automated or combination. Control objectives need to be addressed relevant to specific IS-related processes. A control measure is defined as an activity contributing to the fulfilment of a control objective. In other words, a control measure is an action aimed to eliminate a hazard or at least reduce the risk of exposure to an acceptable level as defined in the control objective.

IS control objectives provide complete set of high-level requirements to be considered by the management for effective control of each IT process area.

IS control objectives include:

  • Safeguarding assets
  • Ensuring that SDLC (Software Development Life Cycle) processes are established, in place and operating effectively.
  • Ensuring integrity of general OS environments including network management and operations.
  • Ensuring integrity of sensitive and critical application systems by authorization of the input, validating the input, accuracy and completeness of processing transactions and reliability of overall information processing activities
  • Ensuring appropriate identification and authentication of users of IS resources.
  • Ensuring efficiency and effectiveness of operations.
  • Complying with user's requirements, organizational policies and procedures, and applicable laws and regulations.
  • Ensuring availability of IT services by developing efficient business continuity plan (BCP) and disaster recovery plan (DRP) that include backup and recovery processes.
  • Enhancing protection of data and systems by developing an incident response plan.
  • Ensuring integrity and reliability of systems by implementing effective change management procedures.
  • Ensuring that outsourced IS processes and services have clearly defined service level agreements and contract terms and conditions to ensure the organization's assets are properly protected and meet business goals and objectives

An IS Auditor also assesses the strengths and weaknesses of the controls evaluated and determines if they are effective in meeting the control objectives. Established as part of audit planning processes. In some instances, a strong control may compensate for a weak control in another area. Generally, a group of controls when aggregated together may act as a compensating controls, and thereby minimize the risk. An IS auditor should always review for compensating controls prior to reporting of control weakness.

Comments

Post a Comment

Popular posts from this blog

Work from home: an elusive oasis!

Image
Since covid pandemic, work from home has gained momentum and importance. It was the need of the hour. But what is the wisdom in sticking to the same thing when it is no longer the situation? To some extent, the travelling hurdles and travel time are eliminated, the energy of employee is saved. But is it worth sacrificing other valuable benefits of working from office just because your travel trouble is saved?  Initially, an Indian employee gets overjoyed of the idea of working from home because he had seen many Hollywood movies where the lead actor or actress is talking to boss over phone, making sandwich with another hand. They have a baby sitter who takes care of their baby throughout the day. But in my opinion, when we talk in terms of India, the 95% of Indian families, houses and mentality are yet not suitable for work from home concept. And let alone their families, the employees themselves are not competent enough for the work from home mechanism. In 85% cases, the spouse (home m
Read more

Business Resiliency (BCP & DRP)

Image
Business resilience is the ability of an organization’s to adjust when the disruptions, disasters and negative incidents occur. It is the action plan which describes the steps to maintain continuous operations and protect the organization’s assets during disruptions.  An asset is anything which has value to the organization. There are many types of assets like Information assets (data files, databases), Software assets (system s/w, application s/w), physical assets (computer equipment and communication equipment), service assets (telecom, power), people assets, paper assets etc. Even company image is an asset for a company. Business resilience comprises of BCP and DRP. The possible disasters or emergencies are:  Denial of access Failure of critical suppliers Human Error Technical error Fraud, Sabotage, Extortion, Espionage Industrial action Natural disasters Viruses and other security breaches  Before understanding what is BCP and what is DRP, we will understand the difference in recov
Read more

Difference Between!

Image
When we work in areas like project management, security, quality, finance, human resources, operations and manufacturing, we usually get confused between similar terms like process and procedure, validation and verification, authorization and authentication, data and information, agreement and contract etc. Whenever, we compare two things, what we do is nothing but finding out the differences between them. However please note that, we can not find differences, if there is no similarity between the two things. For example, we can compare Sachin Tendulkar and Steve Smith because both are cricketers. Similarly, we can compare Cricket and Football because both are outdoor sports. We can compare indoor and outdoor sports because both are sports. And so on.  We can compare mountain and hill. We can compare river and lake. But we can not compare a mountain and a river. (If you decide, you can still compare these two also and you will definitely get all the differences for sure. Someone will a
Read more