| Maturity level | Description |
|---|---|
| 0 Non-existent | The organisation has no procedures to monitor the effectiveness of internal controls, and no methods for management to report on internal control. There is a general unawareness of IT operational security and internal control assurance; management and employees alike lack awareness of internal controls. |
| 1 Initial/Ad Hoc | The organisation lacks management commitment to regular operational security and internal control assurance. Individual expertise in assessing the adequacy of internal controls is applied on an ad hoc basis. IT management has not formally assigned responsibility for monitoring the effectiveness of internal controls. IT internal control assessments are conducted as part of traditional financial audits, using methodologies and skill sets that do not reflect the needs of the information services function. |
| 2 Repeatable but Intuitive | The organisation uses informal control reports to initiate corrective action initiatives. Planning and management processes are defined, but assessment depends on the skill sets of key individuals. Awareness of internal control monitoring has increased, and management has begun to establish basic metrics. Information services management monitors the effectiveness of critical internal controls on a regular basis. Controls over security are monitored and the results are reviewed regularly. Methodologies and tools specific to the IT environment are starting to be used, but not consistently. Skilled IT staff routinely participate in internal control assessments. Risk factors specific to the IT environment are being defined. |
| 3 Defined Process | Management supports and has institutionalised internal control monitoring. Policies and procedures have been developed for assessing and reporting on internal control monitoring activities. A metrics knowledge base holding historical information on internal control monitoring is being established. An education and training program for internal control monitoring has been implemented. Peer reviews of internal control monitoring have been established. Self-assessments and internal control assurance reviews of operational security and internal control assurance are established and involve information services management working with business managers. Tools are used but are not necessarily integrated into all processes. IT process risk assessment policies are used within control frameworks developed specifically for the IT organisation. The information services function is developing its own, technically oriented, IT internal control capabilities. |
| 4 Managed and Measurable | Management has established benchmarking and quantitative goals for internal control review processes. The organisation has established tolerance levels for the internal control monitoring process. Integrated and increasingly automated tools are incorporated into internal control review processes, with increased use of quantitative analysis and control. Process-specific risks and mitigation policies are defined for the entire information services function. A formal IT internal control function is established, staffed by specialised and certified professionals using a formal control framework endorsed by senior management. Benchmarking against industry standards and the development of best practices are being formalised. |
| 5 Optimised | Management has established an organisation-wide continuous improvement program that takes into account lessons learned and industry best practices for internal control monitoring. The organisation uses state-of-the-art tools that are integrated and updated where appropriate. Knowledge sharing is formalised, and formal training programs specific to the information services function are implemented. IT control frameworks address not only IT technical issues but are integrated with organisation-wide frameworks and methodologies to ensure consistency with organisational goals. |