Definition: Controls are the policies, procedures, practices and organizational structures that are designed to provide reasonable assurance that business objectives are achieved and that undesired events are prevented, or detected and corrected.
Controls pertaining to information systems are referred to as Information Systems (IS) Controls. The objective of a control is to reduce or, if possible, eliminate the causes of exposure to potential loss.
- Exposures are potential losses that arise when threats materialize.
- All exposures have causes.
Some categories of exposures are as follows:
- Errors or omissions in data, procedure, processing, judgment and comparison;
- Improper authorizations with regard to procedures, processing, judgment and comparison; and
- Inefficient activity in procedures, processing and comparison.
Some of the critical control weaknesses in a computerized environment are as follows:
- Lack of management understanding of IS risks and related controls;
- Lack of awareness and knowledge of IS risks and controls amongst the business users and even IT staff;
- Absence of, or an inadequate, IS control framework;
- Absent or weak general controls and IS controls;
- Complexity of implementation of controls in distributed computing environments and extended enterprises;
- Lack of control features or their implementation in highly technology driven environments; and
- Inappropriate technology implementations or inadequate security functionality in technologies implemented.
The control objectives serve two main purposes:
- They outline the policies of the organization as laid down by the management; and
- They provide a benchmark for evaluating whether control objectives are met.
Impact of Technology on Controls
- Competent and Trustworthy Personnel
- Personnel should have the proper skills and knowledge to discharge their duties.
- In a computer-based information system (CBIS), personnel have substantial powers; any misuse of such power can result in huge loss.
- Segregation of Duties
Segregation of Duties refers to the distribution of work responsibilities such that each employee performs only the duties assigned to them.
In a manual system, duties are split between different people, so that no single person processes a transaction from start to finish.
However, in a computerized system, this segregation may be missing unless the system itself enforces it.
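The following is an added example, not part of the original notes, showing how a computerized system can restore the segregation that a manual system gets by splitting work between people: a detective check that scans an audit trail for one user performing two conflicting duties on the same transaction, and a preventive check that rejects such a duty before it is recorded. The duty names, the conflict matrix and the audit-trail events are constructed for illustration.

```python
# Segregation-of-duties (SoD) checks for a computerized transaction system.
# Added example, not part of the original notes. Duty names, the conflict
# matrix and the sample audit-trail events are constructed for illustration.
from collections import defaultdict

# Pairs of duties one person must not perform on the same transaction.
# Constructed; a real matrix is derived from the organization's control policy.
CONFLICTING_DUTIES = {
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"approve_payment", "reconcile_account"}),
}

# Constructed audit trail: (transaction_id, user, duty performed)
SAMPLE_EVENTS = [
    ("TX-1001", "alice", "create_vendor"),
    ("TX-1001", "bob", "initiate_payment"),
    ("TX-1001", "carol", "approve_payment"),  # properly segregated
    ("TX-1002", "dave", "initiate_payment"),
    ("TX-1002", "dave", "approve_payment"),   # one person initiates and approves
    ("TX-1003", "erin", "create_vendor"),
    ("TX-1003", "frank", "initiate_payment"),
    ("TX-1003", "erin", "approve_payment"),   # vendor creator approves the payment
]

def duties_per_user(events):
    """Group the duties each user performed, keyed by (transaction_id, user)."""
    grouped = defaultdict(set)
    for tx_id, user, duty in events:
        grouped[(tx_id, user)].add(duty)
    return grouped

def find_sod_violations(events):
    """Detective control: scan the audit trail and return every
    (transaction_id, user, duty_a, duty_b) where one user performed both
    duties of a conflicting pair on the same transaction."""
    violations = []
    for (tx_id, user), duties in duties_per_user(events).items():
        for pair in CONFLICTING_DUTIES:
            if pair <= duties:
                duty_a, duty_b = sorted(pair)
                violations.append((tx_id, user, duty_a, duty_b))
    return sorted(violations)

def would_violate_sod(events, tx_id, user, duty):
    """Preventive control: before recording a duty, report whether it would
    conflict with a duty the same user already performed on tx_id."""
    already_done = duties_per_user(events).get((tx_id, user), set())
    return any(frozenset({duty, done}) in CONFLICTING_DUTIES for done in already_done)
```

Running `find_sod_violations(SAMPLE_EVENTS)` flags TX-1002 and TX-1003 but not TX-1001, where three different people handled the transaction.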