IT Risk and Controls

During the MSIS program

Security and risk management are important to all organizations. Therefore, all students are expected to take foundational modules in IT controls and IT risk management. Depending on your program major, you might take additional specialization courses.

Although the MSIS program will cover the basics, many entering students have completed at least one course covering IT controls. You will be well served by having a brief foundation before beginning the master's program.

Major concepts

  1. Describe the components of the IT Risk Triad: confidentiality, integrity, and availability.
  2. Understand what IT controls are, what they do, and why they are necessary.
  3. Explain the difference between general controls and application controls.
  4. Define the three types of IT controls. Give examples of each.
  5. Describe the purpose of the COBIT and COSO control frameworks, and how they differ.

Resources

IT risk is also called “enterprise risk” or “cyber risk”. Unfortunately, there are few good, free resources for learning about IT risk and IT controls. (If you find one, let us know!) While there are some common fundamentals and underlying regulations, each company and consultancy tends to define and organize risks slightly differently.

IT Controls

In the business world, IT controls are specific activities performed by people or systems which are designed to ensure that business objectives are safely met. Some examples of controls include a password policy, a requirement to use two-factor authentication, or a database schema enforcing specific data types.

IT controls play a critical role in assuring that IT is used correctly, data is correct and protected, and the organization is in compliance with all applicable laws and regulations. Controls prevent, detect, and correct transaction errors and fraud.

The Two Categories of IT Controls

There are two categories of IT controls: general controls (ITGC) and application controls (ITAC).

  • ITGC: General controls are implemented as procedures or policies. Because they are often enforced by people, compliance may vary. There are several subcategories/domains/systems of general controls, including:

    • Enterprise risk management, which includes processes for documenting and organizing risks.
    • IT Change Management: Sometimes called “change control”, IT change management is different from organizational change management. A change control system includes documentation of all implemented IT systems, and formal processes for making changes to those systems. (In contrast, “organizational change management” is about encouraging organizations to adopt organizational changes. It’s incredibly important, but isn’t a “control”.)
    • Disaster recovery, which includes creating and testing response plans for likely risks.
  • ITAC: Application controls are enforced by technology rather than by policy. Enterprises work with huge volumes of data, so automatically enforced controls are necessary to keep data error-free.

    Application controls are often designed to control desirable characteristics of data, including:

    • Accuracy: Whether the data values stored for an object are the correct values
    • Validity: The reasonableness of data
    • Integrity: Detecting whether data has been altered
    • Completeness: Whether the data represents an entire population or just a sample

    Application controls help manage other features of data, including bias, timeliness, shareability, and security. In addition to enforcing data controls, application controls serve many other purposes, including access control and encryption. For example, a two-factor authentication requirement built into a web or software system is an application control.
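    As an added illustration (not part of the course page), the block below runs one constructed batch of payment records through automated checks for the four data characteristics listed above: a control-total trailer for completeness, a digest for integrity, a reference list for accuracy, and a range limit for validity. The field names, vendor list and amount limit are assumptions made for the example.

```python
import hashlib
import json

KNOWN_VENDORS = {"ACME", "GLOBEX"}   # assumed vendor master used for the accuracy check
MAX_AMOUNT_CENTS = 1_000_000         # assumed reasonableness limit used for the validity check


def digest(records):
    """Hash of the canonical record list; an integrity control sent alongside the batch."""
    canon = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def check_batch(batch):
    """Run the four application controls over one batch and return the findings."""
    findings = []
    records = batch["records"]
    # Completeness: record count and amount total must match the control trailer.
    if len(records) != batch["expected_count"]:
        findings.append(f"completeness: {len(records)} records, expected {batch['expected_count']}")
    total = sum(r["amount_cents"] for r in records)
    if total != batch["expected_total_cents"]:
        findings.append(f"completeness: total {total}, expected {batch['expected_total_cents']}")
    # Integrity: recompute the digest and compare it with the one sent with the batch.
    if digest(records) != batch["sha256"]:
        findings.append("integrity: batch digest mismatch, contents changed after sending")
    for r in records:
        # Accuracy: the vendor must exist in the reference master.
        if r["vendor"] not in KNOWN_VENDORS:
            findings.append(f"accuracy: {r['id']} unknown vendor {r['vendor']!r}")
        # Validity: the amount must be a positive whole number within the limit.
        amt = r["amount_cents"]
        if not isinstance(amt, int) or amt <= 0 or amt > MAX_AMOUNT_CENTS:
            findings.append(f"validity: {r['id']} amount {amt!r} out of range")
    return findings


# Constructed sample batch: two records plus the control totals an upstream system would send.
GOOD_RECORDS = [
    {"id": "INV-001", "amount_cents": 50_000, "vendor": "ACME"},
    {"id": "INV-002", "amount_cents": 75_000, "vendor": "GLOBEX"},
]
GOOD_BATCH = {"expected_count": 2, "expected_total_cents": 125_000,
              "sha256": digest(GOOD_RECORDS), "records": GOOD_RECORDS}

# Constructed damaged copy: one record lost, the other mistyped, after the digest was computed.
BAD_RECORDS = [{"id": "INV-001", "amount_cents": 5_000_000, "vendor": "ACNE"}]
BAD_BATCH = dict(GOOD_BATCH, records=BAD_RECORDS)

if __name__ == "__main__":
    print(check_batch(GOOD_BATCH))  # []
    for finding in check_batch(BAD_BATCH):
        print(finding)
```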

Types of IT Controls

  • Preventive Controls: Deter problems before they occur
  • Detective Controls: Discover problems after they occur
  • Corrective Controls: Mitigate problems after they occur

Here are some examples to better understand these control types:

  • Preventive: Lock on a door, to prevent intruders
  • Detective: Fire alarm, which sounds when a fire breaks out
  • Corrective: House insurance

If you want to read more, look at what this public university has to say about managing its internal controls.

Control frameworks, regulations, and organizations

COSO internal control framework

The Committee of Sponsoring Organizations (COSO) issued the Internal Control Framework in 1992. The COSO Internal Control Framework is widely accepted as the authority on internal controls, and provides guidance for evaluating internal control systems.

SOX (Sarbanes-Oxley Act of 2002)

In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines (e.g., ENRON, WorldCom). The impact on financial markets was substantial, and Congress responded by passing the Sarbanes-Oxley Act of 2002 (SOX). SOX imposed many requirements for controls, and had a strong impact on how public companies operated.

The intent of SOX is to protect investors in public companies by:

  • Preventing financial statement fraud
  • Making financial reports more transparent
  • Demanding stronger internal controls by requiring that companies use a control framework
  • Punishing executives who commit fraud

COBIT Internal Control Framework

  • COBIT stands for “Control Objectives for Information and related Technology”, a standard developed by the Information Systems Audit and Control Foundation (ISACA)
  • The COBIT framework is a set of generally applicable information systems security and control practices for IT control.
  • Most recent update: COBIT-2019. (Timeline graphic from ISACA.)

Resources to read more about COBIT¹:

COBIT vs. COSO

Read “What Are The Differences Between COBIT & COSO” to understand the differences between COSO and COBIT.

Exercises

  1. What is the purpose of IT controls? Why do you think it is necessary for companies to have formal controls?

  2. What is the difference between general controls and application controls?

  3. List several characteristics of data. Are these characteristics best enforced by general controls or application controls?

  4. In your own words, describe the three types of IT controls. Give examples of each.

  5. In your own words, explain how the following terms relate to IT controls:

    1. COSO
    2. COBIT
    3. SOX

  1. These article links are NOT an endorsement of these (or any) consulting companies.