Sarbanes Oxley Basics - Four Steps in Designing Internal Controls
Designing internal controls is a step-by-step process. Once the process is correctly understood, one can design internal controls for any business process, irrespective of the company. Today I am briefly discussing the steps for designing efficient and effective internal controls. The steps below are intended only to give an overview; I will discuss the entire internal control design process in detail later on.
Four Steps in Designing Effective Internal Controls
Understand the Risk - The first step in designing internal controls is to understand the risk that you are trying to mitigate. Without a clear understanding of the risk, it is unlikely that you will be able to design good internal controls.
Identify the Control Activity - Once you have identified the risk, identify the control activity that would reduce the identified risk to an acceptable level.
Benefits vs. Costs - In any control design process it is very important to compare the cost of controls with the benefits to be derived. Controls no doubt have a cost; however, the cost of controls should not outweigh the benefits. There is no point in protecting an asset worth a couple of hundred dollars with a biometric control costing thousands.
Establish the Internal Control - Having accomplished the above three steps, the last step is to establish the identified activity as an internal control.
1 comment
You correctly say that there is no point in protecting something worth 100 bucks with biometrics that will cost a few thousand. I would like to point out that most data probably has a much higher “damage price tag” than people might think! Encentuate stated in 2003 that the average damage caused by a disgruntled employee is $2.7 Mio. The damage could include anything from stealing, selling and deleting data to bad press, image loss (resulting in a stock value decline) and multi-million dollar lawsuits. The first InformationWeek magazine this year had on the front page a guy writing over and over “I will protect personal data”. The article included 6 major companies that had significant breaches in the previous month, and general damages for businesses were conservatively estimated at $48 billion…
An alternative approach would be not to choose to protect “a certain risk”, but certain user profiles with access to high-risk data. Choose the people or departments with the most critical access (Finance, HR, Administration, Top Management, etc.) and protect their access. Once their access is protected with biometrics or alternative solutions (see www.singlgesignon.us for why biometrics is recommended), the risk of financial damage will be significantly reduced.