While someone may be familiar with a concept because they have been putting it into practice for some time, when they try to articulate it to others, they might find it difficult to explain. I faced this situation recently during a training program for IS auditors, when a participant asked how to assess the design of a control. It was seemingly a simple question, but I found it difficult to articulate the answer.
To answer this question, it is necessary to understand a control. I came across an interesting definition, which says “[A] control is an ‘enabler,’ something that enables a business objective to be achieved.” The following anecdote helps explain the concept of a control as an enabler:
Once, my teacher and mentor asked me the question, “Why are brakes fitted to a vehicle?” Promptly I answered, “to stop or slow the vehicle.” He smiled and told me to think about it from another perspective. I was silent. Then he asked what would happen if there was no brake. I quickly answered that the vehicle would not be under our control. Still smiling, he waited for a few seconds and said, “Actually, brakes help us speed up the vehicle. Can you imagine driving a vehicle with no brakes?”
In other words, an organization needs to contain risk to keep it at an acceptable level. The risk owner determines a response for the assessed risk. When that risk rises beyond a tolerable limit, the risk owner tries to mitigate risk by deploying a control that will either reduce the risk’s likelihood, impact or both, so that it can be managed within the acceptable limit of risk appetite. Thus, another component of a control is that it helps organizations mitigate risk.
The difference between control objectives and control activities should also be understood. A control objective is a high-level description of the outcome to be achieved to mitigate the risk. For example, a risk associated with unauthorized access may have a control objective to prevent, detect and correct unauthorized access. To achieve this objective, multiple control activities are defined, such as identifying the user, requesting access to resources, approving access, granting access, revoking access, changing authorizations and reviewing access authorizations. These activities are aimed at achieving 1 or more control objectives.
An auditor’s main role is to assess whether the controls implemented by an organization are aimed at mitigating risk to keep it at an acceptable level determined by senior management or the board of directors. Therefore, an auditor evaluates controls by performing the following 3 actions:
- Assess the design of the control.
- Assess the implementation of the control as per the design.
- Assess the ongoing effectiveness of the control to meet the control objective.
Since assessing the design of the control is the first step, auditors need to understand the control objective and associated control activities and ensure that all control activities meet a common control objective. In other words, auditors need to evaluate the design of all control activities. This includes the tasks performed to complete the control activity. For example, the identity of the user must be established before allowing the user to raise a request to access a resource. This request needs to be approved by the owner of the resource while ensuring segregation of duties, meaning the requesting user should not be the owner of the resource. Similarly, granting access must be performed by someone other than the requester. If the requirements of this control activity are satisfied, then the auditor can proceed to assess the design for the access granting process. Granting access requires an assessment of the authorization associated with the request. These authorizations are defined by the owner of the resource based on the “need to know, need to do” principle.
Once all control activities assessed by the auditor conform with mitigating risk, the auditor may proceed to the next step: assessing the implementation of the control as designed. In the case of automated controls, the auditor simply verifies that the appropriate parameters have been set as per the design. However, in the case of manual activities performed by different users, the people performing them may change the activity to speed up control execution, so the auditor must confirm that the activity is still being performed as designed.
Assessing the ongoing effectiveness of a control refers to whether the control activities are performed as designed in every instance of control execution. For example, all access requests must be executed as designed without exception. If the auditor is satisfied based on the available evidence, then they may consider the control to be effective.
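The access-request control activity described above (identity established before the request, approval by the resource owner, segregation of duties between requester, owner and granter, and authorizations limited to what the owner defined) can be turned into a test of operating effectiveness: run every recorded instance against the design and list the exceptions. The following is an added Python example, not code from the article or from any particular tool; the record fields, resource owners, role lists and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed design parameters (assumptions, not from the article).
# The resource owner defines who approves, and which roles are authorized
# on a "need to know, need to do" basis.
RESOURCE_OWNERS: Dict[str, str] = {
    "payroll-db": "owner.finance",
    "hr-files": "owner.hr",
}
ALLOWED_ROLES: Dict[str, Set[str]] = {
    "payroll-db": {"read", "report"},
    "hr-files": {"read"},
}


@dataclass
class AccessRequest:
    """One executed instance of the access-request control activity."""
    request_id: str
    requester: str
    identity_verified: bool   # was the requester's identity established first?
    resource: str
    requested_role: str
    approver: str             # who approved the request
    granter: str              # who actually granted the access


def check_request(req: AccessRequest,
                  owners: Dict[str, str],
                  allowed: Dict[str, Set[str]]) -> List[str]:
    """Compare one instance against the control design; return deviations."""
    findings: List[str] = []
    if not req.identity_verified:
        findings.append("identity not established before request")
    owner = owners.get(req.resource)
    if owner is None:
        findings.append("resource has no defined owner")
    else:
        if req.approver != owner:
            findings.append("approver is not the resource owner")
        if req.requester == owner:
            findings.append("requester is the resource owner (SoD)")
    if req.granter == req.requester:
        findings.append("granter is the requester (SoD)")
    if req.requested_role not in allowed.get(req.resource, set()):
        findings.append("role not authorized by owner")
    return findings


def find_exceptions(requests: List[AccessRequest],
                    owners: Dict[str, str],
                    allowed: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Test of ongoing effectiveness: map request_id -> findings for every
    instance that deviated from the design. An empty dict means all
    instances executed as designed."""
    exceptions: Dict[str, List[str]] = {}
    for req in requests:
        findings = check_request(req, owners, allowed)
        if findings:
            exceptions[req.request_id] = findings
    return exceptions


# Constructed sample population of executed requests.
SAMPLE_REQUESTS = [
    AccessRequest("REQ-001", "alice", True, "payroll-db", "read", "owner.finance", "admin.bob"),
    AccessRequest("REQ-002", "carol", True, "payroll-db", "report", "owner.finance", "carol"),
    AccessRequest("REQ-003", "dave", True, "hr-files", "write", "dave.manager", "admin.bob"),
    AccessRequest("REQ-004", "erin", False, "hr-files", "read", "owner.hr", "admin.bob"),
    AccessRequest("REQ-005", "owner.hr", True, "hr-files", "read", "owner.hr", "admin.bob"),
]

if __name__ == "__main__":
    for rid, findings in find_exceptions(SAMPLE_REQUESTS, RESOURCE_OWNERS, ALLOWED_ROLES).items():
        print(rid, "->", "; ".join(findings))
```

Each check mirrors one requirement of the designed activity, so the same script documents the design the auditor assessed and produces the exception list used to judge effectiveness; in practice the requests would be loaded from the access-management system's records rather than constructed inline.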
In short, when assessing the control design, always look for the risk that is mitigated by the control activity and evaluate the design of all control activities to ensure that together they mitigate the risk as expected by management.
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.