An IT internal control framework is not something you can afford to overlook. It forms the backbone of reliable operations, protection of assets, and compliance with regulations. But how do you build a framework that actually works?
Two frameworks dominate: COSO (Committee of Sponsoring Organizations) and COBIT (Control Objectives for Information and related Technology). COSO is broader and supports all internal controls in an organisation. COBIT is specifically focused on IT governance and controls.
COSO distinguishes five basic components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. Your framework begins with determining what you as an organisation value (control environment), which risks are relevant, which controls you have, how you communicate these, and how you continuously monitor.
COBIT offers more specific guidance for IT. It divides IT processes into four domains: Evaluate, Direct and Monitor; Align, Plan and Organize; Build, Acquire and Implement; Deliver, Service and Support. This helps you determine where IT controls are most critical.
During implementation, you start with risk assessment. Which IT processes are most critical for your business? What can go wrong? And what is the impact? Financial data processing, customer authentication, and disaster recovery are usually top priorities.
Next, you design controls. These can be preventive controls (stop errors from occurring) or detective controls (discover errors that have taken place). Preventive controls are usually preferred, but you need both.
Documentation is critical. Your framework must describe what the controls are, who is responsible, how frequently you test them, and what the success criteria are. Too many organisations have informal controls that are not well documented.
Testing is an ongoing activity. At least annually, you must verify that your controls actually operate as designed. This can be done manually or, better still, automated through continuous auditing.
How do you build a strong IT control framework in your organisation? This requires planning, commitment from stakeholders, and expertise in both COSO and COBIT. We have years of experience implementing IT control frameworks.
Let us guide you towards a robust IT control framework. Get in touch for an assessment of your current control environment.
About the author
Partner | IT Auditor