GTAG 1 - Information Technology Controls
GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.
The objectives of the IT Controls guide are to:
• Explain IT controls from an executive perspective.
• Explain the importance of IT controls within the overall system of internal controls.
• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.
• Describe the concepts of risk inherent in the use and management of technology by any organization.
• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.
• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.
2.1 Introduction to IT Controls
IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.
IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.
The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.
2.2 Understanding IT Controls
IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization’s use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analysis for large bodies of data.
You don’t need to know “everything” about IT controls, but remember two key control concepts:
• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.
• The auditor’s assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining, and assessing the key controls related to the risks they manage, and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.
Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls, and to provide and document its own framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization’s goals and objectives.
• Reliable evidence (reasonable assurance) that activities comply with management’s governance policies and are consistent with the organization’s risk appetite.
2.3 Importance of IT Controls
Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization’s resiliency because it helps the organization uncover the risk and manage its impact.
Resiliency is a result of a strong system of internal controls because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.
Key indicators of effective IT controls include:
• The ability to execute and plan new work such as IT infrastructure upgrades required to support new products and services.
• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of key indicators of effective controls.
• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.
• The efficient use of a customer support center or help desk.
• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.
2.4 IT Roles and Responsibilities
Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.
2.5 Analyzing Risk
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.
2.6 Monitoring and Techniques
The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to, and be used by, the whole organization — not just internal auditing.
2.7 IT Control Assessment
Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.
Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.
For more details and to join, visit www.theiia.org