- Deficiencies in controls could result in a serious breach for the company or, worse, cost you your job.
- Despite these drastic consequences, improving the system of internal controls remains a low priority for many IT organizations and their leaders.
- You don’t need to implement every control. Maximize your risk mitigation at a low cost by focusing on your organization’s greatest risks.
Impact and Result
This research will help you prevent or resolve the following situations:
- High Risk Operations: Risks that could damage the business are not being mitigated.
- Lack of Clarity: We don’t know what our controls are. There is no documentation and processes differ from business unit to business unit.
- Lack of Adherence: Effective internal controls exist, but no one follows them.
- Lack of Effectiveness: We have controls in place that are followed, but they seem to be ineffective or we don’t know how effective they are.
Business Process Controls & Internal Audit
The only thing worse than a lack of control is the illusion of control.
This course makes up part of the Security & Risk Certificate.
- Course Modules: 5
- Estimated Completion Time: 2-2.5 hours
- Featured Analysts:
- David Yackness, Sr. Research Director, CIO Practice
- James Alexander, SVP of Research and Advisory, CIO Practice
Workshop: Establish an Effective System of Internal IT Controls to Mitigate Risks
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess Control Coverage
- Recognition of the benefits and importance of internal controls.
- Identification of the risks of an ineffective system of internal controls.
- Assessment of the adequacy of current controls and their coverage of risks.
Key Benefits Achieved
- Selected metrics to measure your system of internal controls.
- Risks prioritized relative to their current control coverage.
- Selected metrics and baseline measurements of internal control capability.
Identify and assess IT’s greatest risks.
- List of IT’s greatest risks ranked by severity of risk.
Map controls to risks.
Assess the adequacy of control coverage for each risk.
- IT risks prioritized relative to their current control coverage.
Module 2: Establish, Monitor, and Evaluate Controls
- Identification of specific controls to implement.
- Identification of best practices for control development and monitoring.
- Communication of controls.
- Assignment of roles and responsibilities for the governance of internal controls.
Key Benefits Achieved
- Identified specific controls to mitigate risks and assigned implementation owner.
- Discussed best practices for developing and monitoring controls.
- Communicated controls effectively to end users.
- Roles and responsibilities assigned for governance of internal controls.
Identify the processes affected by each risk.
Determine the specific controls to implement for each control coverage gap.
- Recommended action plan for each risk to achieve adequate control coverage.
Create an inventory of control establishment activities.
- Inventory of internal control establishment initiatives.
Discuss best practices for designing controls.
- Sample control documents.
Assign metrics to measure individual control effectiveness.
- Selected metrics and baseline measurements of effectiveness of individual controls.
Develop an internal control communication plan.
- Internal control communication plan.
Create a RACI chart for governance of internal controls.
- Completed RACI chart for internal control monitoring.
Discuss best practices for monitoring and evaluating controls.
- Internal control self-assessment checklist.