« ISACA Public Comment: IT Control Objectives for SOX 2nd Edition | Main | ISACA COBIT mapping 2nd Edition »


Key Controls in IT CO for SOX

Hello, this is Mitsuhiko Maruyama. The upcoming IT Control Objectives for SOX 2nd Edition - ED focuses on key controls. "Key control" is a convenient term, but there are a few things to keep in mind when using it.

・2006.04.30 IT Control Objectives for Sarbanes-Oxley 2nd Edition – Exposure Draft



Identify Which Controls Are Key Controls

Financial risks are not all equal in likelihood and materiality. Similarly, financial controls are also not the same in their effectiveness in mitigating identified risks. Furthermore, management is not required to evaluate all control activities related to a risk. As a result, companies should endeavor to limit their documentation of controls to key controls. The question most companies ask is “what is a key control?” Unfortunately, there is no authoritative definition for key controls, despite the fact that the term is used ubiquitously. While they may sound elusive, key controls are those that companies choose to rely on to meet a control objective—they are the controls that provide the most assurance to the control owners that the financial control objective was met.

When judging whether a control is key, companies should consider the following:

• Key controls commonly include policies, procedures, practices and organization structure that are essential for management to mitigate significant risks and achieve the related control objective.

• Key controls often support more than one control objective. For instance, access controls support the validity of financial transactions, valuation of financial accounts, segregation of duties, and more. In most cases, a combination of key controls is an effective way to achieve a particular objective or series of objectives. Placing too much reliance on a single control could create a single point of failure for the compliance program.

• Controls that directly address significant risks (or directly achieve objectives) are often key. For example, the risk of unauthorized access is a significant risk for most companies; therefore, security controls that prevent or detect unauthorized access are key.

• Preventive controls are typically more effective than detective controls. For example, preventing a fraud from occurring is far better than simply detecting it after the fact. Therefore, preventive fraud controls are often considered key.

• Automated controls are more reliable than manual controls. For example, automated controls that force periodic password changes by users are more reliable than generic policies that have no enforcement. Manual processes are also subject to human error.
