IT Governance, Risk, Compliance (GRC)

Questions and Answers

What is the primary goal of organizational governance in relation to stakeholder interests and the alignment of an organization’s performance?

To ensure an organization's strategy and performance are aligned with stakeholder interests/value and address internal/external requirements.

What are the three key areas SOX was designed to resolve deficiencies in?

Corporate governance, financial reporting, and auditing practices.

What are 'formal controls,' and how are they typically established and enforced within an organization?

Formal controls are rule-based or procedure-based controls requiring compliance established and enforced by an authoritative party, taking the form of established rules or procedures.

Briefly describe the concept of 'compensating control' and its purpose within a control system.

It's a control activity that compensates for the absence of another control deemed too costly, difficult, or impractical to implement.

What are the key steps involved in 'compliance processes' within an organization, and what is their overall aim?

Establishing a scope, identifying compliance requirements, determining compliance gaps, assessing noncompliance risks, implementing compliance actions, monitoring compliance practices, and reporting compliance efforts.

What is the difference between IT General Controls (ITGCs) and IT Application Controls, and what is the focus of each?

ITGCs are broad controls over the IT environment/resources ensuring reliability and responsible use of IT. IT Application Controls are automated controls integrated into software applications ensuring data integrity within the data processing cycle.

What is the main distinction between 'discretionary' and 'non-discretionary' controls, and how does this distinction impact the strength of each control type?

Discretionary controls allow the user to choose whether or not to execute the control, making them weaker. Non-discretionary controls do not allow the user to choose, making them stronger.

Describe the purpose and functionality of 'detective controls,' and provide an example of one.

Detective controls identify, discover, or expose undesirable events that are occurring or have already occurred.

In the context of IT security, what are the three primary objectives (CIA triad) that organizations strive to achieve?

Confidentiality, Integrity, and Availability.

What is an 'audit trail' in the context of transaction processing, and why is it important?

A series of manual/electronic items that provides evidence of tasks performed; it allows someone to trace transactions throughout processing.

What is the primary focus of IS security according to the provided text?

Protecting IS resources (people, data, processes, IT infrastructure, facilities) from harm.

Explain the purpose and main components of the "Control Environment" as defined within the COSO Internal Control Integrated Framework.

The control environment refers to the processes, standards, and structures established by the board of directors and senior management to provide a basis for internal control across an organization.

According to COSO's internal control framework, what are the three categories of internal control objectives that organizations should focus on?

Operations, reporting, and compliance objectives.

Briefly describe the 'goals cascade' concept within the COBIT framework and its purpose.

Goals at one level are translated from one level to another to align organizational strategy and operational objectives.

What are the key phases or steps involved in conducting an IS audit, as outlined in the text?

Preliminary review, audit planning, audit procedures/testing, and audit reporting.

What does the acronym GRC stand for and what is its overall objective?

Governance, Risk, and Compliance. Its objective is to manage complexity, reduce redundancy, and optimize efficacy.

Explain the primary purpose of the Computer Fraud and Abuse Act (CFAA).

It prohibits intentional unauthorized access of a protected computer and provides for protections and penalties for such criminal offenses.

What is the main objective of the Gramm-Leach-Bliley Act (GLBA)?

Relates to the privacy and protection of sensitive consumer data within the financial services industry.

What are the key steps involved in 'IS Risk Assessment' and why is it important?

Preparing for assessment, conducting risk assessment, communicating results, and maintaining the risk assessment. These are the basis for determining response strategies.

What are the key objectives SOX was designed to accomplish?

Improve corporate governance, increase management accountability, increase oversight of accounting firms, increase efforts to prevent fraud, and restore investor confidence.

Why are preventative controls important in IS, and what are examples of preventative controls?

They are considered the most efficient because they prevent a threat, rather than detect, correct, or recover from a threat event.

Which key controls are applicable when establishing supervision of duties as a protection against fraud?

Authorizing transactions, custody of assets, and recording of transactions.

What is the main focus of IT governance, and how does it contribute to organizational success?

Focuses on strategic alignment and utilization of IT resources to support organizational strategy and objectives.

What are the three primary processes that constitute IT governance?

Evaluate, Direct, and Monitor.

From the IT governance goals described, specify what is meant by IT Strategy Alignment.

Ensures IT aligns with strategic objectives and business requirements.

Describe Enterprise Risk Management (ERM) and its most basic objective at an organization?

A process utilized to manage risks and opportunities related to the achievement of strategic objectives.

Describe the two categories IT Application Controls are categorized as.

Input Controls, Processing Controls, and Output Controls.

In the COBIT framework of Objectives, what does the acronym MEA stand for, and what are its primary intentions?

Monitor, Evaluate, Assess. Pertains to IT performance monitoring and assessment of conformance with objectives, targets, and requirements.

What is the main purpose of Compliance Processes at an organization?

To establish a scope for compliance, identify requirements, determine compliance concerns/gaps, assess / implement actions needed to monitor compliance.

What is the intent of General Controls in an IT context?

Broad controls relating to IT environment/resources designed to ensure reliability, protection, and responsible use of IT.

Flashcards

Governance, Risk, and Compliance (GRC)

A business concept promoting a holistic, integrated approach to governance by coordinating governance, risk management, and compliance management.

Organizational Governance

The process by which an organization is evaluated, directed, and monitored to align strategy and performance with stakeholder interests and requirements.

IT Governance

The system by which organizational IT is evaluated, directed, and monitored to align with organizational strategy and objectives.

IT Governance Processes

Processes consisting of Evaluate, Direct, and Monitor.

IT Strategy Alignment

Ensuring IT is aligned with strategic objectives and business requirements.

IT Risk Management

Ensuring IT risks are effectively managed in line with an organization's risk appetite/tolerance.

IT Compliance Management

Ensuring IT complies with internal expectations and external requirements.

IT Performance Management

Ensuring IT objectives are met and IT resources/services perform as expected through monitoring and assessing.

Enterprise Risk Management (ERM)

A process used to manage business risks and opportunities related to strategic objectives.

IS Risk Management

Process used to manage risks associated with IS/IT resources, including framing, assessing, responding to, and monitoring risk.

IS Risk Assessment

A process of analyzing risks to determine appropriate risk response strategies.

Organizational Compliance Management

Process used to determine, assess, and manage compliance with internal/external requirements (e.g., Sarbanes-Oxley).

Compliance Processes

Processes involving establishing a scope for compliance, identifying requirements, determining gaps, assessing risks, implementing actions, and monitoring efforts.

Compliance Requirements

Responsibilities for which an organization is accountable, subject to internal and external requirements.

Sarbanes-Oxley Act (SOX)

Act of 2002 designed to resolve deficiencies in corporate governance, financial reporting, and auditing practices.

Control

A process designed to ensure objectives are met.

IS Control

Encompasses internal control, IT control, and IS security.

Control Objectives

Goals or requirements corresponding to strategies, resources, or processes.

Control Environment

An organization's collective control consciousness that shapes awareness, attitudes, and commitment regarding control.

Controls

Plans, policies, procedures, or practices implemented to mitigate risks and ensure objectives are met.

Compensating Control

A control that compensates for the absence of another control.

Control Framework

A structure/model/standard designed to provide guidance on the design, implementation, and assessment of control systems.

Administrative, Logical, and Physical Controls

Classification based on nature (administrative, logical, or physical).

Automated Controls and Manual Controls

Classification based on how the control is performed (automated or manual).

Formal and Informal Controls

Classification based on formality (formal or informal controls).

General and Application Controls

Classification based on scope (general controls; application controls).

Preventative, Detective, Corrective, and Recovery Controls

Classification based on purpose (preventative, detective, corrective, and recovery).

Discretionary vs. Non-discretionary Controls

Classification based on user discretion (discretionary; non-discretionary).

Internal Control

Internal control refers to a process designed to provide internal integrity.

IS Assurance

IS security designed to give confidence that IS objectives are met.

Study Notes

IT Governance, Risk, Compliance (GRC)

  • GRC advocates for a holistic, integrated approach to business governance
  • Achieved by coordinating governance, risk management, and compliance management
  • Aims to manage complexity, reduce redundancy, and optimize efficacy
  • Goal to coordinate these areas of governance throughout the organization

IT Governance: Organizational Governance

  • Involves evaluating, directing, and monitoring an organization
  • Ensures the strategy and performance align with stakeholder interests and internal/external requirements
  • Establishes strategic direction and then institutes strategies, objectives, policies, structures, roles, compliance/control processes and monitoring systems to support performance

IT Governance

  • The system/process to evaluate, direct, and monitor organizational IT, consisting of leadership, structures, systems, and processes
  • Focuses on the strategic alignment and utilization of IT resources to support organizational strategies, objectives, and requirements
  • Its central purpose is to ensure IT supports enterprise strategy/objectives; IT governance is considered a component of organizational governance (ISO/IEC 2024)

IT Governance Processes (ISO/IEC 2024)

  • Evaluate: assess current/future IT implementation to establish strategic direction for IT, considering internal/external pressures
  • Direct: establish strategies, objectives, policy, plans, structures, and roles to direct IT implementation, consistent with requirements
  • Monitor: establish monitoring/measurement systems and monitor IT performance to ensure compliance
  • Includes control processes (risk management, compliance management, control measures) for compliance with IT strategies, objectives, policies, and requirements

IT Governance Goals

  • IT strategy alignment: aligning IT with strategic objectives and business requirements
  • IT risk management: managing IT risks effectively in line with risk appetite/tolerance
  • IT value delivery: delivering benefits to stakeholders
  • IT service delivery: utilizing IT responsibly to deliver service in line with expectations/requirements
  • IT compliance management: ensuring compliance with internal and external requirements
  • IT performance management: ensuring meeting IT objectives and the effective performance of IT resources/services

IS Risk Management: Enterprise Risk Management (ERM)

  • ERM is a process organizations use to manage business risks and opportunities related to strategic objectives
  • ERM involves identifying, analyzing, and responding to risks that negatively impact achieving objectives

IS Risk Management

  • Manages risks associated with IS/IT resources by framing risk, assessing risk, responding to risk, and monitoring risk (NIST 2012)
  • IS/IT risk management is a component of ERM

IS Risk Assessment

  • Process of analyzing risks to determine appropriate risk response strategies, involving preparation, conducting, communicating, and maintaining the assessment (NIST 2012, 23)
  • Includes threat identification, vulnerability identification, likelihood and impact determination, and risk determination

IT Compliance Management

  • Organizational compliance management determines, assesses, and manages compliance with internal/external requirements like Sarbanes-Oxley
  • IT/IS compliance management determines, assesses, and manages compliance with IT/IS related requirements like commercial email/spam law
  • IT/IS compliance management is an aspect of organizational compliance management

Compliance Processes

  • Scope: compliance concerns to be addressed
  • Compliance requirements: critical requirements for compliance
  • Concerns/gaps: areas where the organization falls short
  • Noncompliance risks: level of risk based on potential threats, likelihood, and impact
  • Actions/responses: control activities/measures
  • Monitoring/assessing practices and reporting compliance efforts

Compliance

  • The state of adhering to applicable internal/external requirements

Compliance Requirements

  • Compliance responsibilities that organizations are accountable for
  • Organizations are subject to internal (codes, ethics, policies) and external (contractual, legal, regulatory) requirements
  • External legal/regulatory requirements can be the most significant compliance concerns, with the Sarbanes-Oxley Act being the most significant for publicly traded companies

Sarbanes-Oxley Act (SOX)

  • Most significant regulation impacting the accounting profession, prompted by financial scandals in 2000-2001
  • Designed to resolve deficiencies in corporate governance, financial reporting, and auditing practices for SEC-registered companies
  • Primarily applies to U.S. companies with publicly traded stocks and debt but does apply to foreign companies registered to conduct business in the U.S.

SOX Objectives

  • Improve corporate governance and public trust
  • Increase corporate management accountability and financial reporting transparency
  • Increase oversight of public accounting firms and their audit practices
  • Improve prevention, detection, investigation, and remediation of fraud and misconduct
  • Restore investor confidence in capital markets

SOX Titles

  • Title 1: Public Company Accounting Oversight Board (PCAOB)
  • Title 2: Auditor Independence
  • Title 3: Corporate Responsibility
  • Title 4: Enhanced Financial Disclosures
  • Title 5: Conflicts of Interest
  • Title 6: Securities and Exchange Commission (SEC) resources and authority
  • Title 7: Studies and Reports
  • Title 8: Corporate and Criminal Fraud and Accountability
  • Title 9: White-Collar Crime Penalty Enhancements
  • Title 10: Corporate Tax Returns
  • Title 11: Corporate Fraud and Accountability

SOX Titles and IS Control: Title III - Section 302 and Title IV - Section 404

  • Establish corporate management responsibility and legal accountability for financial reporting integrity and internal controls
  • Section 302: Focuses on reporting integrity, requiring management to certify the accuracy of financial/non-financial information in reports and that statements are without material misstatements
  • Management must report internal control deficiencies that led to fraud
  • Provides penalties for false certifications
  • If accuracy is not certified then an organization cannot control the IT/IS resources/processes utilized to enable data/information processing

SOX Titles and IS Control: Title IV - Section 404

  • Focuses on internal control, requiring management to establish, assess, and monitor the effectiveness of internal controls annually
  • The annual report must assess transaction flows, potential misstatements, internal control effectiveness, fraud potential, controls adequacy, and controls corresponding to the COSO framework
  • IT/IS controls are required to have an effective system of internal control over financial reporting to ensure proper implementation

Other Laws/Regulations

  • Numerous laws/regulations/standards relate to organizational IT/IS use
  • Many are issue- or industry-specific; the majority focus on security of information resources and privacy
  • Examples include CFAA and FISMA

Computer Fraud and Abuse Act (CFAA)

  • Federal anti-cracking statute relating to computer cracking and fraud
  • Prohibits intentional unauthorized access of a protected computer and provides protections and penalties

Federal Information Security Management/Modernization Act (FISMA)

  • Relates to the management of information security controls within federal government agencies
  • Requires development/implementation of an entity-wide information security program, compliance reporting, and security assessments
  • NIST develops federal information processing standards consistent with FISMA for federal agencies

Gramm-Leach-Bliley Act (GLBA)

  • Relates to the privacy and protection of sensitive consumer data within the financial services industry
  • Financial institutions must provide privacy notifications to customers allowing them to prohibit sharing with nonaffiliated third parties
  • Also requires a risk management program, security policies, employee security training, and security measure testing

Health Insurance Portability and Accountability Act (HIPAA)

  • Relates to privacy of personal health/medical information within the health services industry
  • Mandates national standards and procedures for the storage, use, and transmission of healthcare information

Payment Card Industry Data Security Standards (PCI DSS)

  • Relates to security of credit card and personal information within the PCI industry
  • Developed by the PCI Security Standards Council, applicable to any entity that processes, transmits, or stores credit card information
  • Stipulates security standards designed to reduce fraud and protect cardholder data
  • Not mandated as law in all states but is a private sector initiative where noncompliance can result in penalties

IS Control Concepts

  • Control: A process to ensure objectives are met
  • IS Control: Includes internal, IT, and IS security controls

Control Objectives

  • Goals or requirements for strategies, resources, or processes

Control Environment

  • An organization's control consciousness shaped by policies, processes, standards, and structures
  • Established by management as a foundation for implementation
  • Elements include organizational culture/philosophy, standards/procedures/guidelines, and personnel competence
  • Impacts the ultimate effectiveness and a weak control environment can render good controls ineffective

Controls

  • Plans, policies, procedures, or practices implemented to mitigate risks or ensure objectives are met

Compensating Control

  • A control that satisfies the requirements for another control considered too costly, difficult, or impractical

Control Framework

  • Structure, model, and/or standard that provides guidance on control systems
  • Frameworks of particular relevance to accounting related IS control (e.g., COSO, COBIT)

Control Classification

  • Provides a basis for analyzing and assessing controls using various schemes
  • The following classifications have particular relevance for IS

Administrative, Logical, and Physical Controls

  • Based on the nature of the control as administrative, logical, or physical
  • Administrative: Rule-based measures (codes, policies, procedures, standards, regulations), e.g., codes of conduct
  • Logical: Technology-based measures (hardware, software, or network components), e.g., password authentication or firewalls
  • Physical: Material measures (manual, physical, or environmental), e.g., humidity/temperature control

Automated and Manual Controls

  • Classified based on how the control is performed

Automated Controls

  • Also referred to as programmed controls
  • Performed electronically (by software), e.g., logical access controls

Manual Controls

  • Performed physically (by a human)
  • Include signature-based authorizations

Formal and Informal Controls

  • Controls classified based on formality

Formal Controls

  • Controls that require compliance with expectations/goals
  • "Official" controls in the form of established rules

Informal Controls

  • AKA social controls
  • Behavioral and social controls facilitating conformity with expectations and norms
  • Unofficial controls via interactions, reactions, and peer influence

General and Application Controls

  • Controls can be classified based on the breadth or target of the control as general or application controls

General Controls

  • AKA IT General Controls
  • Broad controls over the IT environment/resources
  • Ensure reliability, protection, and responsible use of IT
  • Provide control over IT components, changes, development, operations, services, and systems

Application Controls

  • AKA IT Application Controls
  • Automated controls integrated into software applications
  • Designed to ensure integrity of system functions/processes
  • Provide control over the stages of data processing (input, processing, and output controls)

Preventative, Detective, Corrective, and Recovery Controls

  • According to the purpose of the control and where the control activity occurs relative to a threat

Preventative Controls

  • Stop it
  • Come into play prior to the threat event
  • Designed to avert (or reduce the frequency of) undesirable things

Directive Controls

  • Help in preventing bad behavior
  • Function as administrative guidance by advising individuals of appropriate or expected behavior

Deterrent Controls

  • Preventative
  • Controls that function as disincentives to discourage inappropriate behavior

Detective Controls

  • Find it
  • Come into play during or after the threat event
  • Designed to identify, discover, or expose undesirable events that are occurring or have already occurred

Corrective Controls

  • Fix it
  • Come into play during or after the threat event
  • Are designed to rectify the problem and/or mitigate the possibility of reoccurrence

Recovery Controls

  • Clean up the mess
  • Come into play after a threat event
  • Designed to help an organization recover from an incident

Discretionary vs. Non-Discretionary Controls

  • Classified based on user discretion (the user's discretion over the execution of the control)

Discretionary Controls

  • Controls over which the typical user has discretion
  • Means that the user can choose whether or not to execute the control
  • Considered “weaker” controls because they can be avoided, circumvented, or ignored altogether

Non-Discretionary Controls

  • Controls over which the typical user has no discretion
  • That is, the user cannot choose whether or not to execute the control
  • "Stronger" controls, and typically automated controls

IS Control Areas

  • Essentially encompasses three interrelated (and overlapping) areas of control: internal control, IT control, and IS security

Internal Control

  • Process designed to provide reasonable assurance that an organization achieves its objectives
  • Focuses on managing organizational processes and assets

Internal Control Objectives

  • Refers to goals or requirements related to the management of organizational processes
  • Objectives are operations, reporting, and compliance

Internal Control Components

  • Five components: control environment, risk assessment, control activities, information/communication, and monitoring

Internal Controls

  • Traditional internal control activities focus on the integrity of business functions and protecting assets
  • These controls can be manual (performed by a human) or automated (electronically performed by a computer)

Manual Business Process Controls

  • Refers to process-specific controls performed physically by a human

Transaction Authorizations

  • Used to ensure validity of transactions and take the form of approval
  • General authorizations for routine activities
  • Specific authorizations for non-routine events

Segregation of Duties

  • Designed to ensure protection against fraud, it involves separating employee duties
  • Should limit any one person's control over authorizing transactions, custody of assets, and recording of transactions

Supervision

  • Designed to ensure the effectiveness, efficiency, and integrity of employee actions
  • Monitoring and managing the activities of employees

Documents and Records

  • Designed to ensure processing of transaction events
  • Should minimize errors, enable review/understanding, and promote verification

Independent Verification

  • Designed to ensure the integrity of processes
  • Activities, processes, or systems need to be independently checked to identify errors and/or misrepresentations

Safeguarding Assets

  • Designed to protect assets from loss or security risks
  • Includes cash, inventory, fixed assets, and data
  • Focuses on safeguarding digital assets from unauthorized access or deletion

Automated Business Process Controls

  • Refers to business process controls performed electronically
  • IT application controls are automated business process controls and output controls

Adapting Traditional Internal Control Activities to IT-Based Environments

  • Transaction authorizations: User access restrictions on specific activities/transactions
  • Segregation of duties: Logical access restrictions for certain data and systems
  • Supervision: Digital activity logs

IT Control

  • Process designed to provide reasonable assurance that an organization achieves IT objectives
  • Focuses on managing IT resources and processes

IT Governance Goals

  • Align IT with strategic objectives, manage IT risks, maximize value delivery, improve efficiency, and ensure compliance

IT Governance/Management Objective Domains

  • Evaluate, direct, and monitor (EDM)
  • Align, plan, and organize (APO)
  • Build, acquire, implement (BAI)
  • Deliver, service, and support (DSS)
  • Monitor, evaluate, and assess (MEA)

IT Controls

  • Includes plans, policies, and procedures that help control IT
  • Classified as IT general controls and IT application controls

IT General Controls

  • Controls broader IT environment over access (IDs and passwords), malware, physical security, incident response plans, etc.

IT Application Controls

  • Automated controls integrated into software to ensure accountability is properly executed

Input Controls

  • Ensure data is error-free and precise, and remains unchanged from entry through processing

Output Controls

  • Includes reviewing data accuracy

IS Security

  • A process designed to provide reasonable assurance by achieving information security objectives
  • Focuses on protecting IS resources from harm (i.e., people, data, facilities, etc.)

IS Security Objectives

  • Confidentiality, Integrity and Validity, and Availability

IS Security Areas

  • Organizational, People, and Technical Controls

IS Assurance

  • Designed to afford confidence that IS objectives are met; achieved by conducting and taking part in IS control assessments

IS Control Self-Assessment

  • Internal management assesses its own controls to help fulfill requirements and protect resources/processes

Control Assessment Processes

  • Include control classifications, risk assessments, expected controls, expectations, and any control deficiencies

Control Adequacy Considerations

  • Adequacy is assessed using considerations drawn from the IIA, ISACA, NIST, and Pironti

Control Presence

  • Are the expected controls in place to protect resources, mitigate risks, and ensure compliance?

Control Design

  • Are the controls well designed to meet all objectives, mitigate risks, and ensure compliance?

Control Implementation

  • Are management's policies actually put into practice?

Control Effectiveness

  • Are the controls operating as intended and producing the expected results?

Control Efficiency

  • Are the controls applied in a logical and systematic manner?

Control Assessment

  • Are the controls in place deficient in any respect?

Control Recommendations

  • What improvements are needed to strengthen controls and increase their effectiveness?

IS Audit

  • An independent/external assessment that determines compliance status and how to remain in compliance

IS Audit Objectives

  • Follow the defined purpose and scope of the audit

IS Control Objectives

  • Is the organization adhering to the appropriate control objectives/protocols?

IS Audit Guidance

  • ISACA provides a comprehensive model that guides IS audit and governance

IS Audit Phases/Steps

  • Includes the following: preliminary review, audit planning, audit procedures and testing, and audit reporting

Preliminary Review

  • Establish that the proper audit plan is being followed

General Data Gathering

  • Gather information on the organization, its structure, and its resources to understand the processes that must be followed

Preliminary Control Review

  • Identify which areas are of focus and critical

Audit Planning

  • Develop the best possible audit plan

Substantive Testing

  • Used to identify problems and provide supporting evidence where expected

Results Evaluation

  • Evaluate the results produced by all audit processes

Audit Reporting

  • Report how the audit was completed, including the procedures and tasks performed

Appendix: IS Control Frameworks/Standards

  • The following are long-recognized frameworks that have served the industry for some time

COSO Internal Control Integrated Framework (COSO IC)

  • An internal control framework and effective tool to help an organization achieve its objectives

COSO Authorship

  • Produced by a committee of accounting, executive, and other industry experts

Current Authority

  • Endorsed by both the PCAOB and the SEC; serves as a starting point

COSO's five characteristics of internal control

  • It is a process
  • It is geared to achieving objectives
  • It is focused on reaching a destination
  • It is effected by people
  • It is adaptable to fit new objectives

Control Objectives

  • Focuses on three categories: operations, reporting, and compliance

COSO supporting principles

  • Ethical values
  • Oversight
  • Build a framework to back operations
  • Competent personnel

COSO on risk assessment

  • Objectives must be specified so that risks can be properly analyzed
  • Fraud risk and potential impacts are considered

COSO limitations

  • Has not adapted to all control requirements
  • ISACA addressed this with COBIT, a technology-oriented control framework
  • COBIT is an IT control framework providing guidance on the governance and management of IT resources

COBIT Structure

  • COBIT's goals cascade flows from stakeholder drivers to enterprise goals, alignment goals, and IT objectives

Goals Cascade

  • Helps COBIT translate goals from one level into enterprise goals at the next

The cascade includes

  • Stakeholder drivers, which feed into enterprise goals

Enterprise Goals

  • Support stakeholders

Alignment Goals

  • Support enterprise goals across financial and customer perspectives

Evaluate, Direct, Monitor

  • EDM comprises 5 governance objectives related to strategic direction

Align, Plan, Organize

  • APO comprises 14 management objectives

Build, Acquire, Implement

  • BAI comprises 11 management objectives covering acquisition and implementation

Deliver, Service, Support

  • DSS comprises 6 management objectives covering service delivery, support, and security

Objective Structure

  • The same structure applies to all 40 governance/management objectives; DSS is used here as an example

Objective Structure Elements

  • The goals
  • The description/purpose statement
  • The alignment goals
  • The practices (what will be done)

COBIT Limitation

  • It is very detailed, but not made for all objectives; care is needed in deciding what to implement
