Business enterprises are increasingly relying on advances in information technology to tap opportunities for growth. IT offers key competitive advantage by providing capabilities to process huge data on a real-time basis, connect with and serve millions of customers across the globe, gain consumer insights, scale up operations rapidly and achieve significant efficiencies. Innovations such as mobile applications and Internet banking, however, introduce newer risks and threats. IT risks are business risks, specifically those associated with the use, ownership, operation, involvement, influence and adoption of IT within the enterprise. These risks have to be managed effectively to achieve business objectives.

An effective IT controls framework benefits business growth and ensures mitigation of related risks. IT controls are an important component of the IT governance framework for business.

What are the key characteristics of an effective IT controls framework?

It should provide a focus aligned with business;

it should be technology-agnostic and process-oriented, to enable businesses to keep pace with rapid changes in technology;

it should help meet regulatory requirements and standards;

the framework should have a defined structure and use common terminology and, at the same time, offer flexibility; and

IT controls should be amenable to independent verification — to assure stakeholders on the mitigation of IT risks.

The Control Objectives for Information and related Technology (COBIT) issued by the IT Governance Institute is a widely used framework to manage risks arising out of complex IT deployment.

It suggests good practices — a set of control objectives and controls across domains and processes. The framework can be customised to suit different business requirements.

IT controls are generally established at three levels. At the highest level, they concern policies and procedures, decision-making and monitoring procedures used by the executive management.

At the next level, they apply to specific business processes and are a combination of IT configuration and supporting manual processes. At the third level, IT controls are applied to common IT processes and services, as general controls.

Risks and Controls Matrices (RCM) are usually created to guide stakeholders in the implementation and ongoing assessment of IT controls. Internal and external auditors invariably include review of IT controls in their audit plans and use RCMs to evaluate their effectiveness. Controls are categorised as key or non-key, and as preventive or detective, which helps auditors determine how much reliance can be placed on controls when evaluating the overall internal control environment.

Enterprises often deploy technology tools to provide stakeholders with a continuous controls monitoring mechanism. Such monitoring helps instantly identify control breakdowns and address them in a timely and efficient manner.

IT controls should be reviewed at a pre-determined frequency to ensure they remain relevant to the changing IT environment and growth in business operations.

Abhay Gupte is Senior Director, Deloitte Touche Tohmatsu India Pvt Ltd.
