Enabling IT to rationalize internal controls is the basis of this article, and the method described here can be used to define a strategy and start executing it. The importance of IT general controls and their rationalization for any organization that needs to comply with the US Sarbanes-Oxley Act and similar legislation, such as Canada’s and Japan’s requirements, is the premise from which the method described here evolved.
Over the last few decades, the objectivity, skills and knowledge of competent internal auditors have proved to add significant value to any organization’s management system. In the recent past, this has led to management’s focus shifting toward internal controls, risk management and governance, and subsequently to the evolution of the rationalization of controls.
In the internal auditors’ efforts to improve operational efficiency and support management’s objective of being more cost-effective, control rationalization will bring in diminishing returns if the communication becomes unidirectional as opposed to bidirectional. One of the key elements that will assist in making communication bidirectional is bringing awareness to the process owners about the control-based management system. The other, more vital and important element is guiding the process owners toward reassessing and rationalizing the controls. The facts that COBIT awareness has increased by 50 percent and its adoption continues to grow have led to the development of this method for control rationalization that will support any control-based IT management system.
The method described here provides the necessary understanding to process owners and control performers and can help them to rationalize their internal controls and be more focused on the key controls.
Control Rationalization Method and Its Functioning
The Control Rationalization Method has evolved from the need to have businesses understand and recognize control rationalization as a continuous process that will add value to the control self-assessment and, thereby, make the internal controls more efficient and effective. It is also useful in bridging the gaps where auditing, compliance and control self-assessment coexist. With compliance being a hot topic, the effort spent by each organization to comply with regulatory requirements is increasing. This method provides a guide to categorize internal controls and remain more focused on the critical controls.
Controls need to be categorized either as key controls or non-key controls. Then, the key controls need to be evaluated and rated as high, moderate or low. This categorization is based on three factors: the impact on financial results if the control is absent, the vulnerability to the threats assessed as part of the risk assessment process, and the absence of compensating controls.
For example, if the control states “all vendor default passwords are changed upon implementation of the application by the implementer,” the rationalization of this control will depend on the following aspects:
- Financial reporting—From a financial reporting standpoint, what impact would the absence of this control have?
- Threats and risk—Will the addressed threat be mitigated if this control is absent?
- Compensating control—Is there any other control activity that is performed before or after this control?
The values associated with each of these factors will be:
- Financial reporting (FR): High, medium, low
- Threats and risk (TR): High, medium, low
- Compensating controls (CC): Few, many, none
Once a value has been assigned to each factor, the rationalized value for that control is determined.
For the previously mentioned control statement, if the impact was “high” for FR, “medium” for TR and “many” for CC, the control would be rationalized as “moderate.”
The rationalized value, shown in figure 1, is picked from the set of values shown in figure 3.
ITGC Rationalization: A Process to Improve Operational Efficiency and Increase Productivity
Rationalizing the IT general controls (ITGC) helps the organization identify the IT control structure that is best for the organization. It also helps the organization safely reduce compliance costs, without compromising compliance.
Typically, the rationalization process of ITGC starts from the documented library of controls. The process includes undertaking a risk assessment, and it helps the organization automate the general computing controls. The rationalization of ITGC will significantly help IT management focus only on key controls, which, in turn, will translate to reduced organizational efforts during external audit engagements.
Figure 2 shows the plotting of the values of the three attributes and provides guidance for arriving at the most appropriate key control rationalized value.
Figure 3 is a guideline on how to construct and adapt this method. Shown in this table of values are the 27 possible combinations of the three attributes (FR, TR and CC). The results of each combination determine the outcome of the rationalized value. Values can change based on industry, nature of business, geography, etc. In fact, the attributes that should be considered must be appropriate to the scope and purpose of rationalization.
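To make the scoring concrete, here is an added Python model of the three-attribute method (it is not code from the article and does not reproduce the article's figure 3 table): the numeric weights, the thresholds and the "high FR with no compensating control" rule are assumptions for illustration, calibrated only so that the article's own example (high FR, medium TR, many CC) rationalizes to "moderate". It enumerates all 27 combinations the way figure 3 does, so the assumed rule set can be reviewed as a whole and adapted per industry or scope.

```python
"""Worked model of the three-attribute control rationalization described above.

The numeric weights, thresholds and override rule below are ASSUMPTIONS for
illustration; the article's own figure 3 table is not reproduced here.
"""
from itertools import product

# Attribute values exactly as the article lists them.
FR_VALUES = ("high", "medium", "low")   # financial reporting impact if control is absent
TR_VALUES = ("high", "medium", "low")   # threat/risk exposure if control is absent
CC_VALUES = ("few", "many", "none")     # compensating controls available

# Assumed scoring: impact adds to the score, compensating controls subtract.
_IMPACT = {"high": 3, "medium": 2, "low": 1}
_OFFSET = {"none": 0, "few": 1, "many": 2}


def rationalize(fr: str, tr: str, cc: str) -> str:
    """Return the rationalized key-control value: 'high', 'moderate' or 'low'."""
    if fr not in FR_VALUES or tr not in TR_VALUES or cc not in CC_VALUES:
        raise ValueError(f"unknown attribute value: fr={fr!r} tr={tr!r} cc={cc!r}")
    # Assumed rule: a high financial-reporting impact with nothing compensating
    # is always a high key control, whatever the threat rating.
    if fr == "high" and cc == "none":
        return "high"
    score = _IMPACT[fr] + _IMPACT[tr] - _OFFSET[cc]  # ranges 0..6
    if score >= 5:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def build_rationalization_table() -> dict:
    """Enumerate all 27 (FR, TR, CC) combinations, as figure 3 does."""
    return {combo: rationalize(*combo)
            for combo in product(FR_VALUES, TR_VALUES, CC_VALUES)}


if __name__ == "__main__":
    table = build_rationalization_table()
    for (fr, tr, cc), value in sorted(table.items()):
        print(f"FR={fr:<6} TR={tr:<6} CC={cc:<4} -> {value}")
    # The article's worked example: high FR, medium TR, many CC -> moderate.
    assert rationalize("high", "medium", "many") == "moderate"
```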
By carrying out a control rationalization, management is prevented from concluding that the company’s internal control over financial reporting is effective. Additionally, management should meet with the independent auditors to determine the period of time this rationalized control will be effective and is required to be operating before the attestation date.
is the IT governance analyst at Enerflex Systems, where he has institutionalized a sound and progressive IT governance functioning unit, embracing COBIT 4.1. Nair has worked in the field of IT for 21 years.
ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.