Align Your Policies, Procedures, Practices and Organizational Structures for Maximum Benefit
Internal controls are often not well understood in business. Contrary to some misinformed opinions, internal controls are not onerous rules that exist to make work cumbersome or more difficult. In fact, quite the opposite. Careful consideration and implementation of your internal control system can ensure desirable positive outcomes and mitigate potential negative consequences, delivering value to all stakeholders in the organization. Proper use of internal controls can lessen the load internally.
Sure, controls can be complex, and multiple controls and frameworks need to work together, increasing the complexity that must be managed. To help address implementation concerns, ISACA has created the FREE White Paper – Internal Control Using COBIT 5. This comprehensive guidance also features a case study illustrating the selection and application of internal controls in an information security environment.
As a companion to our White Paper, ISACA has created a workflow template you also can download for FREE – Internal and Mitigating Control Selection Worksheet.
The particular selection of an internal control is sometimes open to interpretation by the implementer. When that decision is made, it is often wise to record and document the thought process used in choosing. Sometimes the law requires this documentation; other times, the people and/or circumstances in an organization may change, or a certification officer may need additional information.
In every case, keeping good records can mitigate confusion in these situations. This template creates a written record of:
- the risk the control is designed to mitigate
- the supporting rationale for why it was selected over others
- the risk analysis upon which that decision is based
- the constraints, such as scope, residual risk, and the time over which the control is intended to operate