Principle 11: Selecting and Developing General Controls over Technology – The organization selects and develops general control actions to support achieving objectives.
Focus Points:
The following focal points highlight essential features of this principle.
Determines the Dependency Between the Use of Technology in Business Processes and Technology General Controls:
Management: Understands and identifies dependencies and connections between business processes, automated controls, and general technology controls.
The reliability of technology in business processes, including automated controls, depends on the selection, development, and implementation of technology control actions, from now on referred to as technology general controls (*).
(*) : Terminology often used to describe these controls includes the terms “general computer controls,” “general controls,” or “computer controls.” “Technology general controls” is used here to refer to general control actions related to technology.
Technology general controls over the acquisition and development of technology are used to help ensure that automated controls operate as they should when they are first developed and implemented. Additionally, technology general controls help ensure that information systems continue working appropriately after implementation.
For example, an organization wants to use an automatic match and edit check that examines data entered online. If something does not match the data in the system or is formatted incorrectly, immediate feedback is provided so that necessary corrections can be made. Error messages show what is wrong with the data, while exception reports enable subsequent follow-up.
Relevant Technology Infrastructure Creates Control Actions:
Management selects and develops control actions over the technology infrastructure designed and implemented to ensure technology operations’ completeness, accuracy, and availability.
Technology requires an infrastructure to work, ranging from communication lines that connect technologies to each other and to the rest of the organization to computing resources to run applications and to electricity to provide the technology with the necessary energy. The technology infrastructure in question can be complex. This infrastructure can be shared with different business units within the organization. (e.g., a shared service center) or through outsourcing to third-party service organizations or location-independent technology services (e.g., cloud computing). These complexities create risks that must be understood and examined. Considering that the changes that are likely to be seen in the use of technology and that are likely to continue in the future are wide-ranging, the organization needs to monitor these changes, evaluate them, and respond to new risks.
Relevant Security Management Process Establishes Control Actions:
Management selects and develops control actions designed and implemented to limit technology access rights to authorized users commensurate with their job responsibilities and to protect the organization’s assets against external threats.
Security management involves sub-processes and control actions over who and what has access to an organization’s technology, including who has the authority to conduct business. These typically include access rights to data, operating systems (system software), networks, applications, and physical layers. Security controls over access protect an organization from inappropriate access and unauthorized use of the system and promote separation of duties.
By preventing unauthorized use and modification of the system, data and program integrity can be ensured against malicious intent (e.g., infiltration/forcible access to technology to carry out fraudulent acts, subversive acts, or acts of terrorism) or simple error (e.g., due to well-intentioned personnel not receiving proper training on the job). , is protected against another employee who is on vacation using their account to do a job and making a mistake or deleting a file.
Establishes Control Actions Over the Processes of Purchasing, Developing, and Maintaining Related Technology:
Management selects and develops control actions over acquiring, developing, and maintaining technology and technology infrastructure to achieve its objectives.
Technology general controls support the acquisition, development, and maintenance of technology. For example, a technology development methodology provides a system design and implementation structure that outlines specific phases, documentation requirements, approvals, checkpoints, and controls over the technology’s acquisition, development, and maintenance.
This methodology provides appropriate controls over changes to the technology, including authorizing change requests, verifying that the organization has the legal right to use the technology as it currently uses it, may require review of changes, approvals, and test results, and implementation of protocols to determine whether changes have been made appropriately.
Technology general controls within the scope of the development methodology will vary depending on the risks posed by the technology project/initiative. A large or complex development project will involve more significant risks than a small, straightforward development project. The scope and frequency of controls on the project should be determined accordingly.
Resources
- Dr. Davut Pehlivanlı, Current Internal Audit Practices, Beta 2010
- Prof. Dr. Nejat Bozkurt, Accounting Audit, Alfa 1998
- Prof.Dr.Nejat Bozkurt, TÜRMOB Independent Audit Training Lecture Notes, 2012
- Dr.Özgür Çatıkkaş, KGK, Marmara University. Corporate Governance Lecture Notes, 2013
- İSMMMO-Practical Information for Internal Audit in SMEs, 2013
- Turkish Internal Audit Institute, www.tide.org.tr
- Alp Buluch, Article, Internal Control, Hurses, 19 March 2013
- Turkish Commercial Code No. 6102
- International Internal Auditing Standards, www.theiia.org
- Treadway Commission Supporting Institutions Committee, Internal Control-Integrated Framework, 2013
- Public Financial Management and Control Law
- Public Internal Control Standards
- Public Internal Control Guide
Bu gönderi şu adreste de mevcuttur: Türkçe