Organizational controls
Organizational controls are selected and implemented once, with applicability across the entire enterprise. Entity-level controls are an important focus area for internal and external audits because they provide the foundation for how organizations manage control-supported functions. Entity-level controls are also incorporated by reference into many types of audits performed at other levels of the organization, because business units, programs and projects, and technology assets all leverage different types of entity-level controls. Figure 6.2 shows the major categories of entity-level controls and the kinds of controls within each category that may be implemented and subject to audit in different organizations.

[Figure 6.2 (diagram; only the labels survive). Upper half, four categories: IT Governance (organization structure, strategy, risk management, compliance, quality assurance, security and privacy); Policies and Procedures (policies, guidelines, standards); Control Environment (building access, physical security, data stewardship, separation of duties, remote access, media handling); Personnel (human resources, background checks, awareness and training, certification, skills assessment, performance). Lower half, Core IT Processes and Supporting Functions: procurement, incident response, asset management, software development, business continuity, change management, data and system backup, disaster recovery, configuration management, patch management, system administration, monitoring, capacity planning, user management, reporting.]

FIGURE 6.2
Entity-level controls include any policies, processes and procedures, standards, or measures specified for organization-wide use.

112 CHAPTER 6 IT Audit Components

Audits of entity-level controls differ to some extent from examinations focused on more narrowly defined elements within organizations. The effectiveness of entity-level controls depends in part on the extent to which the organization establishes control authority and implements each control in a manner that pervades the entire organization. From this perspective, audits of entity-level controls essentially examine the organization's management and governance capabilities, including the structure of the organization, the alignment of business and IT objectives, and the existence and use of strategic and operational planning activities and artifacts. These control elements help ensure that the controls an organization specifies in policies are actually implemented and used to support the achievement of the organization's control objectives.
Prominent governance and risk management frameworks emphasize the importance of establishing entity-level controls and seem to assume that virtually all organizations recognize the value of implementing these types of controls [2,8,9]. Such assumptions stem in part from the large proportion of publicly traded companies, and of organizations in regulated industries or operating environments, that make up the intended audience of guidance on governance, risk management, compliance, and auditing. Most organizations implement some controls at an enterprise-wide level, but the types of entity-level controls they implement vary substantially among organizations, even within the same sector or industry. The categories of controls shown in the upper half of Figure 6.2 (IT governance, policies and procedures, common controls, and personnel oversight) each reflect at least some functions or management activities that are likely to be performed similarly across different business units or operational areas. Greater variation may be expected for core IT processes and supporting functions in organizations with different data centers, facilities, service providers, or types of systems, or in organizations with decentralized management structures. The capability to implement and leverage entity-level controls offers potential benefits to organizations in financial and administrative efficiency, and also in enabling more effective execution of enterprise IT governance, risk management, and compliance activities.