What is the 2-step approach for evaluating a control?
A large part of an IT auditor’s job involves assessing the effectiveness of internal controls. But before we delve into the technical aspects, let’s understand what “design effectiveness” and “operating effectiveness” mean.
What are controls?
Controls are safeguards put in place to mitigate risks (reduce their likelihood or impact) to an acceptable level for the organization. It’s important to remember that no risk can be entirely eliminated.
Operational departments are responsible for implementing these controls. The goal is to bring the risk down to a level that the organization is comfortable with, which is called the organization’s risk appetite.
Here’s an example: Imagine a risk that costs the organization $1,000. Let’s say the organization’s risk appetite for this particular risk is $600. The operational team would then implement controls to ensure that the residual risk (the risk remaining after controls are implemented) is less than $600.
Controls are designed to achieve specific objectives, ultimately aiming to mitigate risks to an acceptable level for the organization. Effective design is crucial for a control to function as intended.
Let’s consider change management. When an organization implements changes, especially software changes, change management ensures a controlled rollout to the production environment. This control achieves its objective through several steps:
- Reviewing changes by designated personnel ensures only authorized modifications proceed.
- Approving changes by authorized individuals adds another layer of control.
- Testing changes in a non-production environment identifies potential issues before impacting live systems.
This entire process – the change management control – is designed to effectively implement changes and minimize risks like unauthorized modifications reaching production.
How to evaluate design effectiveness?
As an IT auditor, evaluating control design effectiveness comes first. The key questions are:
- Does the control, like the change management process outlined above, effectively address the risk?
- In this case, does it prevent unauthorized changes from reaching production?
If the design is flawed, further testing is pointless. Design effectiveness testing ensures the control is well-conceived before moving on to evaluate its actual operation, which is called operating effectiveness. We’ll explore operating effectiveness in the next section.
What’s the second step in evaluating a control?
Evaluating control design is just the first step. Even a well-designed control might not always be effective in practice. This is where operating effectiveness comes in.
Testing the Control in Action
Operating effectiveness assesses whether a control is functioning as intended. Imagine the change management process we discussed earlier. An IT auditor wouldn’t simply verify the existence of those steps; they’d test to see if they’re actually followed:
- Are changes consistently reviewed by designated personnel?
- Is there a proper approval process to prevent unauthorized changes?
- Are changes rigorously tested in a non-production environment before deployment?
How to evaluate operating effectiveness?
As an IT auditor, your job is to gather evidence through interviews, observation, and documentation review. This evidence is then compared to the control’s design criteria to determine if the control is operating effectively. Based on this evaluation, you can then form a conclusion about the control’s overall effectiveness.
In simpler terms:
- Design effectiveness asks: Do we have the right controls in place?
- Operating effectiveness asks: Are the controls working as intended?
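As an added illustration (not part of the original newsletter), here is how the two questions above map onto a concrete check of the change management control: step 1 inspects the documented control design, and step 2 compares a sample of change records against that design. The reviewer, approver and ticket names are constructed for the example.

```python
from dataclasses import dataclass
# Constructed control design (input to step 1): who may review, who may
# approve, and whether a non-production test is required before deployment.
CONTROL_DESIGN = {"designated_reviewers": {"alice", "bob"},
                  "authorized_approvers": {"carol"}, "requires_nonprod_test": True}

@dataclass
class ChangeRecord:
    change_id: str
    reviewer: str
    approver: str
    tested_in_nonprod: bool

def design_gaps(design):
    """Step 1, design effectiveness: can the documented control, as written,
    stop an unauthorized change reaching production? Empty list = well-conceived."""
    gaps = []
    if not design.get("designated_reviewers"):
        gaps.append("no designated reviewers: review step cannot reject anyone")
    if not design.get("authorized_approvers"):
        gaps.append("no authorized approvers: approval step has no gatekeeper")
    if not design.get("requires_nonprod_test"):
        gaps.append("no non-production testing required before deployment")
    return gaps

def record_exceptions(record, design):
    """Compare one change record with the design criteria (evidence vs. design)."""
    issues = []
    if record.reviewer not in design["designated_reviewers"]:
        issues.append("not reviewed by designated personnel")
    if record.approver not in design["authorized_approvers"]:
        issues.append("not approved by an authorized individual")
    if design["requires_nonprod_test"] and not record.tested_in_nonprod:
        issues.append("deployed without non-production testing")
    return issues

def operating_exceptions(sample, design):
    """Step 2, operating effectiveness: {change_id: [exceptions]} for records
    that deviate from the design. Refuses to run if step 1 found design gaps."""
    if design_gaps(design):
        raise ValueError("design is flawed; testing operation would be pointless")
    return {r.change_id: ex for r in sample if (ex := record_exceptions(r, design))}

# Constructed audit sample: two compliant changes, two with exceptions.
SAMPLE = [
    ChangeRecord("CHG-001", "alice", "carol", True),
    ChangeRecord("CHG-002", "bob", "carol", True),
    ChangeRecord("CHG-003", "dave", "carol", True),    # reviewer not designated
    ChangeRecord("CHG-004", "alice", "alice", False),  # unauthorized approver, untested
]
```

Running `operating_exceptions(SAMPLE, CONTROL_DESIGN)` flags CHG-003 and CHG-004 as exceptions; a clean design with a high exception rate is exactly the "well-designed but not operating effectively" case the section describes.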
Both aspects are crucial. A well-designed control (great security system) won’t be effective if it’s not functioning properly (never gets tested or used).
So what is the key takeaway?
Demonstrating your understanding of both design and operating effectiveness portrays you as someone who can think critically about risk management and internal control systems.
This concludes our newsletter on control effectiveness!
We’ve discussed two key aspects of control evaluation:
- Design Effectiveness: This assesses whether a control is well-conceived to address the intended risk. Auditors use their expertise to determine if the control, like the change management process we discussed, is designed appropriately.
- Operating Effectiveness: This evaluates whether the control is being implemented and followed as designed. In simpler terms, are people actually following the established procedures?
Remember, a poorly designed control is like a faulty umbrella – it won’t effectively shield you from the rain (risk). So, auditors prioritize design effectiveness first.
This article first appeared on Chinmay’s IT Audit Guide and is published here with permission.