Internal controls usually consist of policies, procedures, practices and organizational structures that are implemented to reduce the risks to the organization.
There are two main aspects that controls should address:
- what should be achieved, and
- what should be avoided.
Controls are divided into three categories: preventive, detective and corrective.
The best controls are preventive: they stop fraud, theft, anomalies or ineffective organizational functioning before they happen.
For example, a numeric edit check on a data-entry field for an amount in euro: allowing nothing but numeric values prevents things like cross-site scripting or SQL injection, as well as unintentional mistakes.
They can be as simple as limiting physical access to sensitive building areas with keys and access codes, or requiring passwords or prior authorization for access to confidential information.
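The numeric edit check above, as an added example (not code from the original page): a field that accepts only an amount in euro, backed by a parameterised insert so that the database never interprets the value as SQL. The table schema, the sample inputs and the function names are constructed for this illustration.

```python
import re
import sqlite3
from decimal import Decimal, InvalidOperation
from typing import Optional

# Allow-list pattern for an amount in euro: up to 12 digits, optional two decimals.
# Rejecting everything else is the preventive control: quotes, angle brackets,
# semicolons and typos never reach the database or the page.
AMOUNT_RE = re.compile(r"^\d{1,12}(\.\d{1,2})?$")


def validate_amount(raw: str) -> Optional[Decimal]:
    """Return the amount as a Decimal if it passes the numeric edit check, else None."""
    value = raw.strip()
    if not AMOUNT_RE.fullmatch(value):
        return None
    try:
        return Decimal(value)
    except InvalidOperation:  # cannot happen for strings matching the pattern, kept for safety
        return None


def setup_db() -> sqlite3.Connection:
    """Create an in-memory payments table (constructed sample schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payments (id INTEGER PRIMARY KEY, amount_eur TEXT NOT NULL)"
    )
    return conn


def record_payment(conn: sqlite3.Connection, raw_amount: str) -> bool:
    """Store a payment only if the input passes the edit check.

    The edit check is the first control; the parameterised query is a second,
    independent one, so a gap in validation still cannot turn the value into SQL.
    """
    amount = validate_amount(raw_amount)
    if amount is None:
        return False
    conn.execute("INSERT INTO payments (amount_eur) VALUES (?)", (str(amount),))
    conn.commit()
    return True


def stored_amounts(conn: sqlite3.Connection) -> list:
    """Return the stored amounts in insertion order."""
    return [row[0] for row in conn.execute("SELECT amount_eur FROM payments ORDER BY id")]


if __name__ == "__main__":
    conn = setup_db()
    # Constructed sample inputs: a valid amount, a typo (letter O), and two
    # strings of the kind an injection attempt would carry.
    for sample in ["120.50", "12O.50", "100' OR '1'='1", "<b>100</b>"]:
        outcome = "accepted" if record_payment(conn, sample) else "rejected"
        print(f"{sample!r}: {outcome}")
    print(stored_amounts(conn))
```

The point of keeping both layers is that the edit check documents the business rule (an amount is digits and at most two decimals), while the parameterised statement guarantees the database treats whatever arrives as data rather than as part of the query.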
A security camera is a good example of a detective control.
An access log and an alarm system can quickly detect, and notify management of, attempts by employees or outsiders to access information or parts of a building without authorization.
Detective controls are the measures that help us identify unauthorized actions while they are happening.
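The access-log detection described above, as an added example (not code from the original page): a small detector that reads badge-reader style log lines and raises an alert on repeated denied attempts or on after-hours entry to a restricted area. The log format, the area names, the business-hours policy and the threshold are all constructed assumptions for this illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access log (not output of any real system).
# Assumed line format: <ISO timestamp> <user> <area> granted|denied
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice  server-room denied
2024-03-01T08:02:40 alice  server-room denied
2024-03-01T08:03:05 alice  server-room denied
2024-03-01T08:15:00 bob    lobby       granted
2024-03-01T22:47:19 carol  finance     granted
2024-03-01T09:30:00 dave   server-room granted
this line is malformed and must not crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<area>\S+)\s+(?P<result>granted|denied)$"
)

# Assumed policy: these areas may only be entered during business hours.
RESTRICTED_AREAS = {"server-room", "finance"}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59
DENIED_THRESHOLD = 3            # alert on the third denial for the same user/area


def parse_log(text: str) -> list:
    """Turn raw log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_anomalies(events: list) -> list:
    """Return alert strings for repeated denials and after-hours restricted access."""
    alerts = []
    denied = Counter()
    for e in events:
        key = (e["user"], e["area"])
        if e["result"] == "denied":
            denied[key] += 1
            # Fire once, exactly when the threshold is reached, not on every later denial.
            if denied[key] == DENIED_THRESHOLD:
                alerts.append(f"repeated denied access: {e['user']} -> {e['area']}")
        elif e["area"] in RESTRICTED_AREAS and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(
                f"after-hours access: {e['user']} -> {e['area']} at {e['ts']:%H:%M}"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print("ALERT:", alert)
```

Note that the second rule fires on a *granted* event: a detective control is not only about failed attempts, it also flags successful access that falls outside policy, which is exactly the case a preventive control did not catch.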
Alongside preventive and detective controls, corrective controls help mitigate damage after a risk materializes: they are the actions taken to restore the system or recover from the damage caused.
When looking at business functions, one of the things an IT auditor has to look for is where the process could harm confidentiality, integrity, or availability. For example, if data is collected through a web front-end, which reformats it and sends it to the database for storage or processing, and the result is then returned to the web front-end for display to the user, there are a number of checkpoints to take into account:
- The web front-end: which networks can reach it, and how is that access achieved?
- How is the connection between the front-end and the database protected?
- Which data can be returned from the database, and who is allowed to process that data?
- Is network traffic limited to the traffic needed to support the web application?
The list goes on.
There are many checkpoints to consider when looking at a particular business function. To determine all the control points, an IT auditor should consider the system boundary, which should be part of the Business Impact Analysis; from it the IT auditor should be able to build a flowchart and identify all the checkpoints that need to be reviewed as part of his or her audit.
Remember, our work is labour-intensive and our time is limited, so a risk-based approach concentrates on the checkpoints that represent the greatest risk to the business. Part of our job is to identify risks and help management understand what the business risk would be if a control at a specific point does not work properly and the information is compromised.