Readings
- What is a compensating control? When would you use one? Why? Can you give an example?
- If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
- What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
- What do you consider to be the most important personnel hiring controls for an organization?
- How are budgets handled (i.e., created, monitored, re-forecast, etc.) in your organization?
Your Neighborhood Grocer Case
Consider the following questions about the YNG case. Ignore the questions at the end of the case.
- YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
- Business application procurement seems to be a big problem. IT buys stuff the businesses don’t want, and many of the businesses’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
- The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Joseph Henofer says
Hello Mr. Flanagan,
Is the case study for this week correct? I downloaded the case study for this week from the link in Week 3 and the name of it is “ClaimProof Insurance”, not “Your Neighborhood Grocer”.
Richard Flanagan says
Joe,
Thanks for the heads up. I tracked the problem down and reset the case. You should find “Your Neighborhood Grocer” on the link now.
Rich
Jason Wulf says
Where’s the link for the cases?
Jason
Joseph Henofer says
Jason,
I just checked and it’s under the Week 3 case study.
Richard Flanagan says
All the reading materials are linked to the weekly assignment page under the Schedule tab.
Nathan A. Van Cleave says
3. Segregation of duties falls into the IT Personnel Controls and dictates that each role within an IT organization has no more access or privilege than is necessary to fulfill his or her role.
A good example I see in my organization is the segregation of duties between our Project Delivery group (Application Development) and our Application Support Team (Application Maintenance). To further illustrate, an approved IT project that has been fully developed and tested by the Project Delivery group is ready to be deployed. No one from Project Delivery has the authority or access to deploy the code or application into the production environments. That duty can only be fulfilled by a member of Application Services with the appropriate authority to do so.
Because this segregation of duties exists and is clearly defined, the risk that someone could cause harm to a system or application is minimized.
Joseph Henofer says
Nathan,
Your definition of SoD sounds more like least privilege of duties. Would you agree? In SoD you’re splitting up a job function so that a person doesn’t have full control of a specific function. For instance, a payroll department should have one group that creates the checks and another group that cuts them. A person can access their job role with the least privilege duties implemented, but that doesn’t mean SoD is being performed.
In your example, you could have a person that can do both as their job function and nothing else. This would be a form of least privilege of duties. Your example is a good form of SoD because you’re taking a specific job function (a project) and splitting the task between two groups.
Richard Flanagan says
Nathan,
Segregation of duties is related to the least access possible, but it is not the same. Segregation of duties separates tasks that could be used together to produce an undesirable result, like fraud. It’s been around long before IT. The classic example is in procurement, where the person who orders things can’t be the person who receives them, nor the person who pays for them. It’s called the triple match and controls fraud.
Your example is great, development and support are frequently segregated. Why?
Priya Prasad Pataskar says
The information rule states that access must be on a need-to-know basis, and this will prevent misuse of data. No one in the system should have access to the end-to-end process, like the example posted by Nathan.
Assign responsibility for development, authorization and monitoring to separate individuals. It is necessary to segregate the duties of people having access to the development environment and the production environment. A person with both accesses has privileges to modify data to a great extent. Someone with bad intentions can easily hamper the system. The limited number of accesses to the production environment minimizes risk.
e.g. Imagine a person from the development team has admin access and can modify the database entries. And if this same person has access to live data, he can alter information. What if he gets the real bank account number from the production environment and changes it in the database with his development access?
Nathan A. Van Cleave says
Priya,
You highlight a fascinating and real life cause for concern. In my line of work I’m mostly focused on internal programs that, yes indeed, touch customer information, but nothing financial in nature; others in my company certainly do though.
That’s a very real concern from a business and IT security perspective: what if this person with developer credentials accesses production environments to modify real banking information? Customer(s) would rightly be furious, and the bank would suffer financially and, more importantly, reputationally.
Great example!
Folake Stella Alabede says
Hi Nathan, segregation of duties would also exist within the same department or job function. An example in your Project Delivery group (Application Development) would be that the person who designs the application may be different from the person who tests the application.
Nathan A. Van Cleave says
Folake, thank you for pointing that out. That is absolutely the case. We have specific and separate groups/individuals that do testing (QA, UAT, Regression) independent of the actual developers.
Nathan A. Van Cleave says
4. What do you consider to be the most important personnel hiring controls for an organization?
The most important personnel hiring controls for an organization are screening controls. This is a critical first opportunity for an organization to ensure they are hiring an appropriately qualified person that does not have a criminal record that would point to a potential risk to IT assets or information.
In some positions, a credit report may be run on a potential employee if they are hired for certain financial related roles. An organization may also employ other screens such as aptitude/skills or integrity tests to help manage the potential risks to the organization.
In my current company, I recall 3 different screens that I went through as pre-employment requirements.
Sean Patrick Walsh says
I agree with your position. There were many jobs in the military that you could not do if you had an alcohol abuse history or domestic violence history. There were even more jobs that you could not do if you had a significant amount of debt because you were a liable risk to sell secrets or take part in any other type of espionage or sabotage. And still other jobs were restricted to personnel who were not color blind because when you had to cut or attach a specific wire you had to be able to do so. There are a lot of jobs today that require you to apply online and to take personality tests to determine whether or not you are a potential fit for the job. It is interesting to see how the screening process has changed over the years, how it will continue to change, and whether a push will be made to institute some sort of random screening process after being hired at some interval to ensure employees are maintaining their employment eligibility requirements.
Andrew P. Sardaro says
Sean,
I am in agreement with you; screening controls are most important, and the screening process has advanced and adapted over the years. You raise an interesting point/concept of extending the screening process post hiring to determine if employees maintain their employment eligibility. It would be interesting to see ongoing screening measures put in place in an effort to protect your organization. You are who you hire.
Nathan A. Van Cleave says
Sean & Andrew,
Indeed, times have changed. I remember the good old days (pre-Internet) when the only way to apply for a job was in person. You had a much better opportunity to get your foot in the door even if you were not fully qualified for the position. If you could sell yourself to the HR person, you could find a way in. I see how pre-screens have really changed how companies search for qualified candidates. Though a candidate may, even today, falsely represent how knowledgeable or experienced they are just to get an interview, there are still other controls beyond that initial survey or personality test that could/should filter them out.
I’m curious whether certain organizations require CISAs/CISSPs to recertify when it’s time. I haven’t had enough experience to know whether most or few (or somewhere in between) companies require them to keep current.
Candace Nelson says
I find the comment regarding ongoing employee screening to be of interest. At my former employer, we (Internal Audit) contemplated whether this would be a good control measure. After all, if/when an employee’s personal circumstances change, whether via illness, divorce, financial distress (e.g. gambling or addiction) they could rack up debt that didn’t exist at the point of hiring. Then, should a fraud vulnerability arise (perceived financial need, opportunity, and rationalization), an otherwise honest employee could become dishonest.
An interesting thought is – such ongoing backgrounds could not be targeted. However, the perception of a control is a control and for some that would be enough of a deterrent. For instance, employees who are routinely tested for drugs. If they don’t know whether or when they will be tested, it is more likely that they will not show up for work “under the influence” due to the fear of being detected.
Andres Galarza says
Candace,
I think that ongoing screening should be targeted. Depending on the position that employee holds, it could be worked into the contractual agreement that continued employment is contingent on this persistent screening.
I would argue that the drug testing you give as an example could be considered targeted, and I think that’s a good thing. Another example that comes to mind is the routine/regular screening that happens to maintain a security clearance for military and military-related jobs. Furthermore, your point on how circumstances in a person’s life can change makes it very prudent to continue screening on a regular basis.
Ivy M. McCottry says
I’m in agreement on screening as well. Regarding contractual agreements, I think that it would be valid to inform the employee that ongoing screening is to be expected because as time goes on, the employee becomes more valuable to someone because of proprietary information (ex. good and bad company secrets). I’m not sure of how frequently backgrounds are checked for military clearances (maybe with each change in mission or duty station?); I would probably look to federal law enforcement agencies for a cadence for background checks just because of the need for sweeping for possible leaks and other adverse information incidents. The military clearance is a great example though because it’s concrete and relevant to the public and private sectors.
Folake Stella Alabede says
Hi Nathan, I do not believe that the quantitative/analytical aspect of screening controls should be the most important; rather, organisations should focus on the character of the applicant (which a face-to-face interview would help with).
By what criteria will an applicant with no criminal or debt records be analysed? By face-to-face interview. However, historical data may guide the interviewing of the applicant a little.
Nathan A. Van Cleave says
Hi Folake,
I don’t believe I said that quantitative/analytical aspects of screening controls are the most important. Personnel hiring controls cover a wide array of mediums, including interviews. I simply used pre-screens as an example, and they are very commonly the very first control an organization employs (aside from, say, a job listing itself). Moreover, it’s very common for a criminal background check to be one for many companies. In some it would automatically preclude you from being hired, and in others it is just one of many factors a company will use to determine whether they should hire person x vs. person y.
I agree that character cannot always be accurately conveyed via a quantitative survey… in fact, as I think I mentioned before, I was often able to acquire a job that I may not have been completely qualified for when I used to have to apply in person. I was able to use my soft skills to convey the value that a pre-screen would not have been able to tell.
Jason Wulf says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is an internal administrative control used to reduce the potential damage from the improper actions of one person. Examples of improper activities could be fraud, errors, or theft. This control provides checks and balances on the activities of the individual.
When separation of duties cannot be performed, compensating controls such as audit trails are used. The audit trails include the time/date/description/information that was updated/changed, recorded through an independent party or mechanism such as a syslog server that the user does not have access to.
In governance, extreme separation of duties can lead to issues such as determining the root cause of failures in an information flow process. No one person can pinpoint the error since they don’t see the “big picture”. A real-world example at one of my previous employers was: there was an application problem and it didn’t function properly. The network department stated the issue was with development, development stated the issue was with desktop support, desktop support stated the issue was with the server team, and the server team stated the problem was with the network department.
Examples of segregation of duties:
- The database administrator and the system
- Development and the system administrator.
Andres Galarza says
Jason,
The issue at your previous employer sounds more like an issue of improper oversight and a lack of accountability than a problem that stemmed from too much segregation of duties. That organization should still have had some mechanism or procedure in place to ascertain where a root problem came from.
Jason Wulf says
The idea for my example came from a Wiki article stating separation of duties “can lead to a high level of difficulty when trying to determine what the underlying causes of errors or failures in large scale entity’s production automation as no person will be able to view the information flow process from the “big picture”” from https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Information_Security_and_Risk_Management.
When looking at the articles below, you see the segregation of duties is a great principle to follow, but not an absolute. As with most things in life, you can have too much of a good thing.
Problems with segregation of duties (small companies): http://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=2304&context=facpubs
Step-by-step approach to segregation of duties: http://www.ey.com/Publication/vwLUAssets/EY_Segregation_of_duties/$FILE/EY_Segregation_of_duties.pdf
Jason Wulf says
4. What do you consider to be the most important personnel hiring controls for an organization?
The most important personnel hiring control would be background checks.
Background checks can consist of:
- Character checks
- Visual verification of government-issued identification
- Credit checks
- Sexual predator registry
- Criminal background checks
- Checking the OFAC (Office of Foreign Asset Control) list of SDNs (Specially Designated Nationals) and Blocked Persons list
- Educational checks
- Credential checks (certifications and licenses)
- Driving records
- Work history
- Social Security Number checks consisting of:
  • Verify the social security number is in a valid range.
  • Verify the social security number is not for a deceased person.
  • Verify the social security number is not randomly generated.
  • Verify the social security number matches the state.
  • Verify the year of issuance of the social security number.
These are part of the checks I perform for my employer every week.
Joseph Henofer says
Jason,
Are you the person who does the initial checks or do you just audit the initial check? If you audit the initial check what procedures do you perform to get that information? If you can’t disclose then I understand, just wondering.
Jason Wulf says
I perform risk assessments on companies nationwide. I fly out to the site, interview executives and SMEs, and perform physical inspections. As part of the assessment process, I review documentation including human resource policies, processes, and procedures, and interview HR representatives.
Through experience, I’ve found legal entities to have the greatest impairment when it comes to hiring practices. I’ve run across law firms that do not perform background checks. Attorneys, who pass the bar exam, have been fully vetted due to bar requirements. However, their staff sometimes haven’t had any checks.
Joseph Henofer says
Jason,
Thank you for the reply. Good information to know.
Kevin Blankenship says
That’s interesting to me that the staff at a legal firm would have some of the lowest requirements for checks. That seems like it would cause liability issues.
Have you found a particular reason for that? I get that lawyers have bar requirements that they would have already passed. But why would they care less about the staff?
Jason Wulf says
Hi Kevin,
The excuse from the attorneys is usually, “we can sue them if necessary”. In certain lines of work, I’ve noticed people tend to get a god complex believing they know everything about a subject. They tend to get annoyed with people around them.
Good quotes that are relevant are “Leaders who don’t listen will eventually be surrounded by people who have nothing to say” and “an ounce of prevention is worth a pound of cure.”
A simple background check will save the attorneys time and money. What they said is true about suing them, but they haven’t done a cost/risk analysis.
Richard Flanagan says
Jason,
Great examples. I wonder how many of the companies represented in the class do this extent of background screening. Please reply to Jason’s comment with what your company does.
Priya Prasad Pataskar says
I agree with Jason. All these background checks are necessary. It is also important to realize who all fall under the employment category. Contractors, employees, executives, and consultants all represent the company and have access to company data. Do you include them in background checks?
– Does the level of background check vary from post to post, or as per the department which is hiring the person?
– I used to work at a company that had outsourced the background check process, meaning personnel data was shared with a third party. This always resulted in one problem: data requested from them was never submitted to the auditors in time. This would mean a person X was still working in the organization despite his unqualified status. I think background checks must be done in house. The level of responsibility for thorough checking is better if it is done in house. Jason, as you perform the check yourself, do you think an in-house team is better than outsourcing?
Jason Wulf says
Hi Priya,
When looking at non-employees, I look for confidentiality agreements, NDAs, and SLAs to verify the organization vets their employees. In the SLA, I verify the company has a “right to audit” and has the ability to monitor services. Additionally, I verify that training programs are in place after a particular time period.
Yes, different departments may have different requirements. I record the requirements for my report to show due diligence. For example, drivers may require certification in a particular area in addition to a valid driver’s license check upon hire. Executives sometimes have more extensive background checks going back 10 years instead of 7 years.
Most background checks are performed by an external party who has access to various databases. I would recommend a hybrid approach to background checks. Internally have recruitment vet the new hire with basic character and reference checks, then have an external vendor perform a full background check to satisfy regulatory requirements before making the offer official or contingent upon hire.
Janet Yeomans says
Priya,
Good point about broadly defining who should be subject to background checks. Business models today include lots of access to physical premises, systems and information by 3rd parties. The risk posed by each needs to be considered. Regarding doing the checks in house, smaller enterprises typically do not have the expertise to conduct a thorough check. The tradeoff between fast and in-depth must be considered in relation to the sensitivity of the position.
Joseph Henofer says
Jason,
My place of employment is doing the following:
- Character checks – Yes
- Visual verification of government-issued identification – Yes
- Credit checks – Depends on your role; specifically, this is for the accounting department
- Sexual predator registry – Yes
- Criminal background checks – Yes
- Checking OFAC (Office of Foreign Asset Control) list of SDNs (Specially Designated Nationals) and Blocked Persons list – No
- Educational checks – Yes
- Credential checks (certifications and licenses) – Yes
- Driving records – Yes
- Work history – Yes
- Social Security Number checks – Yes, but I don’t think to the level stated by you.
Jason Wulf says
Hi Joseph,
If your company uses a vendor, they may go that far in the social security number checks. You need to look at the agreement with your vendor. This is in a 30 to 120-page document provided by the vendor.
Joseph Henofer says
Jason,
I do not know at this time, but I will follow up.
Anonymous says
Hi Jason,
Very extensive list of background checks your company does. Do you also do any social media checks, i.e. check the prospective employee’s Facebook/Twitter/Instagram accounts? Personally, I am not involved with my company’s HR department. However, due to the nature of the company, they do at least these types of checks, and they regularly monitor our social media accounts after we are hired.
Ahmed A. Alkaysi says
Hi Jason,
This is a very extensive list. Do you also do any social media checks, i.e. Facebook/Twitter/Instagram? I am not involved with my company’s HR department, so I am not exactly sure what they use; however, since I work for a very large financial institution, there have to be tight background checks in place. They especially make a big deal out of checking social media, including LinkedIn. Even after someone is hired, they continue to monitor their social media accounts.
Janet Yeomans says
In addition to social media, it is common to check credit reports.
Loi Van Tran says
That’s very true, Professor Yeomans. I had my credit report pulled and recited to me several times. It’s not a very comforting feeling, knowing that somebody can have so much information on you in a matter of minutes. By now, I’m pretty used to explaining why stuff exists on my credit report when confronted.
Sheena Thomas says
I don’t agree with any company pulling credit reports during the hiring process. Nor do I think they should use your credit report as a basis for whether or not they will hire a person.
What if someone was going through a divorce, or identity theft or fell on hard times and was trying to get hired somewhere to pay their bills on time?
Sean Patrick Walsh says
Most employers will give a potential hire the ability to explain any concerns on their reports. A big reason employers run credit checks is to get an idea of the individual’s debt and debt habits. Hiring somebody with a large amount of debt, and debt consistency, can raise a red flag to an employer that the individual could be a risk for theft, fraud, and espionage. Does it suck for an employee to go through that, of course it does if it is an issue for them, but at the end of the day a business has to take risk management into account and do their best to screen potential threats and vulnerabilities out of their hiring pool.
Joseph Henofer says
Sheena,
I disagree; if you’re applying for a position that requires you to handle money, like payroll, then pulling your credit report should be something that is investigated. In my past I had the employer tell me they were going to do a background check which included pulling my credit report. Now, if they don’t tell you, that is where I can see you having an issue.
Sheena Thomas says
We will definitely have to agree to disagree… to deny a person a job because their credit is bad is not fair, whether it’s in a financial institution or not… Life happens; situations happen that could be out of a person’s control.
Andres Galarza says
Sheena,
Your comment made me think that credit scores, in particular, could be used to disproportionately disqualify a certain ethnic or socio-economic group within a pool of applicants.
However, I don’t think it’s unfair for a person’s financial background and challenges to factor into the hiring process.
In my opinion, if a company chooses to use credit scores as a litmus test in their hiring process, they should give applicants a chance to explain the situation in some way.
Said Ouedraogo says
As Joseph mentioned, some positions require the employee to handle money. I don’t think an employer will take someone with a bad credit score to handle certain types of transactions. In that case, the applicant is considered a risk for the company. Also, if you can’t handle your money, how will you handle an organization’s money? Don’t get me wrong, I know some people’s bad credit scores can be justified, but they are still a risk for the organization hiring them.
Jason Wulf says
Hello Ahmed,
No, I do not perform social media background checks in my reports. I haven’t seen a company that does this yet. However, I do verify the organization has a social media policy.
Deepali Kochhar says
It is also important to keep controls on the employees’ personally identifiable information, one of the most important being the SSN. Proper controls should be established over how such important information is used and who is authorized to use that information. It should not go into the hands of an unauthorized person, as this could harm the confidentiality of the information.
In the same way, health records, if collected, should also be kept under controls.
Joseph Henofer says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is a security measure that is designed to satisfy the requirement for some other security measure that is considered too difficult or impractical to implement. Compensating controls also provide an alternative measure of control that helps reduce vulnerabilities when segregation of duties is not able to be enforced.
Compensating controls may be used in certain situations, like when an employee is performing all the activities in a process because you don’t have enough staff or when you have a small department. The reason why you would use a compensating control is because your organization is not able to effectively implement segregation of duties. Examples of compensating controls would be:
• Second signature: two signatures required to authorize a large sum of money for a bank check, transfer of funds to another account, or purchase orders.
• Perform analytical reviews: comparing a budget plan vs. the actual expenditure from one year to another.
Richard Flanagan says
Joe,
Everything you say is on target, but don’t limit your thinking to just security. Compensating controls can be used for a variety of reasons, including your examples.
Fred Zajac says
Joe,
You gave a great explanation of compensating controls and a real-world example. “Wearing many hats” is what we call the person who makes decisions for multiple functions at an organization.
One example of compensating controls is in the sales department. All orders must be verified and discounts must be approved. This would prevent the sales team from writing bad orders or “sandbagging” / delaying orders for personal gain.
Sachin Shah says
I agree with your analogy of wearing multiple hats. I used to be a store manager, yet if we were short staffed then I would work the register or do sales. My manager is a team manager, but right now he gets his hands dirty and manages also. It is not so much due to the IS department not being able to hire another person due to money. It is because the time it would take to hire someone and get them up to speed is significant, and it is better for our team to just pick up the pace, test each other’s work and up our “game”. I would consider this to be a compensating control in my workplace.
Joseph Henofer says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of Duties is a specific internal control concept that splits a job function so that one person does not have sole control of the task. Segregation of Duties is implemented to prevent errors and fraud from occurring by designating at least two people to perform a job otherwise done by one person.
Segregation of Duties is addressed in administrative controls when risk management is involved. By implementing SoD you can lower your risk of fraud or errors to an acceptable level deemed by the organization. For instance; if the nuclear weapon system is managed by one person your risk for that system to be fired is high. But if you implement SoD your risk then decreases, thus making it an acceptable level for your company.
Two IT roles that should be segregated are the Application Development group and the group that does the Maintenance of the Application. By using SoD in this instance you are lowering your risk of improper documentation, errors, fraud, and sabotage. In many cases, giving this much responsibility to one group can lead to a greater risk. There is a strong possibility that the code or the maintenance instructions will contain errors or incomplete documentation.
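Added example, not part of this thread or anyone’s post in it: a check that turns the SoD pairs discussed above (development vs. production deployment, the procurement “triple match” of ordering, receiving and paying, DBA vs. system administrator) into a conflict matrix, runs it over role assignments, and credits a compensating control of the kind Jason describes (an audit trail read by an independent reviewer) only when the reviewer really is independent. The role names, user names and sample assignments are constructed for the demonstration.

```python
# Added example (not from the thread): a segregation-of-duties (SoD) conflict
# check over user -> roles assignments, with compensating-control handling.
# Role names and sample users below are constructed for the demo.
from __future__ import annotations

from dataclasses import dataclass, replace

# Toxic combinations: one person holding both roles can run a sensitive
# process end to end. The reason text is what an audit finding would report.
SOD_CONFLICTS: dict[frozenset[str], str] = {
    frozenset({"app_developer", "prod_deployer"}): "developer can deploy their own code to production",
    frozenset({"purchase_requester", "goods_receiver"}): "triple match broken: same person orders and receives",
    frozenset({"purchase_requester", "ap_payer"}): "triple match broken: same person orders and pays",
    frozenset({"goods_receiver", "ap_payer"}): "triple match broken: same person receives and pays",
    frozenset({"dba", "sysadmin"}): "database and system administration on one account",
}


@dataclass(frozen=True)
class CompensatingControl:
    """A documented control accepted where a conflict cannot be removed."""
    user: str               # person who holds the conflicting roles
    roles: frozenset[str]   # the conflicting pair this control covers
    description: str        # e.g. "deploys logged to central syslog, reviewed weekly"
    reviewer: str           # independent person who reviews the audit trail


@dataclass(frozen=True)
class Violation:
    user: str
    roles: frozenset[str]
    reason: str
    mitigated_by: str | None = None   # description of an accepted compensating control


def find_conflicts(assignments: dict[str, set[str]]) -> list[Violation]:
    """Return every SoD conflict present in the user -> roles mapping."""
    found = []
    for user, roles in sorted(assignments.items()):
        for pair, reason in SOD_CONFLICTS.items():
            if pair <= roles:            # user holds both halves of the pair
                found.append(Violation(user, pair, reason))
    return found


def control_is_valid(ctrl: CompensatingControl, assignments: dict[str, set[str]]) -> bool:
    """A compensating control only counts if its reviewer is truly independent:
    a different person who holds neither of the conflicting roles themselves."""
    if ctrl.reviewer == ctrl.user:
        return False
    reviewer_roles = assignments.get(ctrl.reviewer, set())
    return not (ctrl.roles & reviewer_roles)


def evaluate(assignments: dict[str, set[str]],
             controls: list[CompensatingControl]) -> list[Violation]:
    """Attach accepted compensating controls to the conflicts they cover."""
    accepted = {(c.user, c.roles): c for c in controls if control_is_valid(c, assignments)}
    report = []
    for v in find_conflicts(assignments):
        ctrl = accepted.get((v.user, v.roles))
        report.append(replace(v, mitigated_by=ctrl.description) if ctrl else v)
    return report


def open_findings(assignments: dict[str, set[str]],
                  controls: list[CompensatingControl]) -> list[Violation]:
    """Conflicts with no valid compensating control: what the audit finding lists."""
    return [v for v in evaluate(assignments, controls) if v.mitigated_by is None]


# Constructed sample data for the demo.
SAMPLE_ASSIGNMENTS: dict[str, set[str]] = {
    "alice": {"app_developer"},
    "bob": {"app_developer", "prod_deployer"},    # small team: developer also deploys
    "carol": {"security_analyst"},
    "dave": {"purchase_requester", "ap_payer"},   # orders and pays
    "erin": {"ap_payer"},
    "frank": {"dba", "sysadmin"},
}

SAMPLE_CONTROLS = [
    # Accepted: bob's deploys go to a syslog server he cannot write to; carol reviews them.
    CompensatingControl("bob", frozenset({"app_developer", "prod_deployer"}),
                        "production deploys logged to central syslog, reviewed weekly", "carol"),
    # Rejected: erin is herself a payer, so she is not an independent reviewer.
    CompensatingControl("dave", frozenset({"purchase_requester", "ap_payer"}),
                        "monthly payment review", "erin"),
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_ASSIGNMENTS, SAMPLE_CONTROLS):
        status = f"mitigated ({v.mitigated_by})" if v.mitigated_by else "OPEN"
        print(f"{v.user}: {sorted(v.roles)} - {v.reason} [{status}]")
```

Running it reports bob’s conflict as mitigated and leaves dave’s and frank’s as open findings, which is the shape of the access-control finding an IT audit would raise.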
Joseph Henofer says
4. What do you consider to be the most important personnel hiring controls for an organization?
In my opinion, the most important personnel hiring control is the pre-employment background check process. This type of preventive/administrative control gives the employer the ability not only to verify information about the employee like educational records, criminal records or financial history, but it also can potentially determine if they get the job. For instance; if your company is a bank with two candidates and after doing the background check you find that one candidate has a really low credit score, that candidate may be a greater risk to commit embezzlement of funds from the bank versus the other candidate with a good credit score.
Depending on your company’s risk appetite, you may decide the risk of hiring that person is not worth it, so you move on to the other candidate. Another example would be if a person is looking to get hired as a teacher’s aide but has a criminal record. The chances of getting the job will probably be low. The pre-employment background process is one of many personnel hiring controls that allows a company to reduce their risk to an acceptable level.
Loi Van Tran says
Good point about educational records. I have seen several documentaries where people were able to get a job with falsified degrees. In many cases, the perpetrator just went online to get faux educational records. Some sites even go to the extreme of providing fake identities for references, setting up phone numbers for employers to call for verification, and even a digital identity, fake job experiences and resumes. A background check is definitely an important personnel hiring control.
Yulun Song says
The three types of basic IT controls:
Preventive controls:
They are controls that prevent any problems, losses and harms from happening. For example, segregation of responsibilities: if an employee authorizes a payment to Staples to order office supplies for the company, his supervisor or a related person must approve it, which reduces the possibility of doing it wrong.
Other examples: secured accounts and passwords, segregation of duties, approvals, authorization, verifications, etc.
Detective controls:
They are designed to find errors or problems after they have occurred. For example, if a person does the general ledger or payment request, his supervisor may review and compare information to identify fraudulent payments.
Other examples: bank reconciliations, physical inventory counts, counts of cash on hand, audits, etc.
Corrective controls:
They restore the system or process back to the state prior to a harmful event. For example, if a company’s system was down, they may consider restoring its system.
Other examples: data backups, data validity tests, insurance, training and operations manuals, etc.
If I had to rank them, I rank preventative control as the most important. The reason is that they prevent something from happening, which minimizes the possibility of loss or errors. They are proactive and emphasize quality. I rank corrective control as second most important because when errors or problems really happen, the company just needs to use the backup to restore data, which means if something happens, solve it immediately. I rank detective control as the least important, because when something happens, the company prefers restoring the data and solving the problem directly rather than finding problems. The company can find the problems after it solves them.
Joseph Henofer says
Yulun,
I would agree that preventative controls would be the most important if I made a list, but I would have to disagree with corrective control being second and detective being third. Detective controls are used for more than just finding problems; they can alert you that something needs your attention, good or bad. For instance, if you have a RAID 6 setup and one of the drives fails, the data is still being replicated without an issue, but how would you know that the drive failed if you didn’t have a detective control in place? It’s not a problem that the one drive failed in that RAID setup, but it does need your attention because if a second drive fails now you have a problem. How would you know what to correct if the problem was never detected?
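The RAID 6 scenario above is a good case for showing what a detective control actually does. The following is an added example, not code from any post in this thread: it replays constructed RAID member-status lines (the log format, array names and timestamps are assumed for the example) and distinguishes "needs attention" from "one more failure and data is lost".

```python
"""Added example (not from the discussion above): a small detective control
that replays RAID member-status lines and classifies each array's state so a
single failed drive gets attention before a second failure becomes critical."""
import re
from dataclasses import dataclass, field

# Fault tolerance per RAID level: how many member drives may fail before data
# is lost. RAID 6 survives two concurrent failures; RAID 1 and RAID 5 only one.
FAULT_TOLERANCE = {"raid1": 1, "raid5": 1, "raid6": 2}

# Constructed sample lines in a made-up monitoring format assumed for this example:
#   <timestamp> <array> <level> member=<drive> state=<ok|failed|rebuilding>
SAMPLE_LOG = """\
2024-01-10T08:00:00 md0 raid6 member=sda state=ok
2024-01-10T08:00:00 md0 raid6 member=sdb state=ok
2024-01-10T08:00:00 md0 raid6 member=sdc state=ok
2024-01-10T08:00:00 md0 raid6 member=sdd state=ok
2024-01-10T09:15:42 md0 raid6 member=sdc state=failed
2024-01-10T09:15:43 md1 raid5 member=sde state=failed
this line is malformed and must be skipped
2024-01-11T02:30:05 md0 raid6 member=sdb state=failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<array>\S+)\s+(?P<level>raid\d)\s+"
    r"member=(?P<member>\S+)\s+state=(?P<state>ok|failed|rebuilding)$"
)


@dataclass
class ArrayState:
    level: str
    # Members that currently provide no redundancy (failed or still rebuilding).
    degraded: set = field(default_factory=set)


def parse_line(line):
    """Return the parsed fields of one status line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(degraded_count, tolerance):
    """Map 'how many members are out' against the level's tolerance."""
    if degraded_count == 0:
        return "ok"
    if degraded_count > tolerance:
        return "data_loss"   # more failures than the level can absorb
    if degraded_count == tolerance:
        return "critical"    # redundancy exhausted: the next failure loses data
    return "attention"       # data intact, but the array needs a replacement drive


def evaluate(log_text):
    """Replay the log; return (alerts, final array states).

    alerts is a list of (timestamp, array, severity, message) emitted on every
    line that leaves an array with at least one degraded member.
    """
    arrays, alerts = {}, []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # a malformed line must not crash the monitor
        st = arrays.setdefault(rec["array"], ArrayState(rec["level"]))
        if rec["state"] == "ok":
            st.degraded.discard(rec["member"])
        else:
            st.degraded.add(rec["member"])
        tolerance = FAULT_TOLERANCE.get(st.level, 0)
        severity = classify(len(st.degraded), tolerance)
        if severity != "ok":
            alerts.append((rec["ts"], rec["array"], severity,
                           f"{len(st.degraded)} of {tolerance} tolerated failures used: "
                           f"{sorted(st.degraded)}"))
    return alerts, arrays


if __name__ == "__main__":
    for ts, array, severity, msg in evaluate(SAMPLE_LOG)[0]:
        print(f"{ts} {array} {severity.upper()}: {msg}")
```

The first md0 failure is reported as "attention" (still fully readable), the md1 RAID 5 failure and the second md0 failure as "critical", which is exactly the distinction the post draws between a drive that needs attention and a real problem.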
Ahmed A. Alkaysi says
Hi Joseph,
I agree with your ranking. Although corrective controls are very important, they are only used after the worst has happened. On the other hand, with strong detective controls, the need to use the corrective controls, which would be the worst-case scenario, can be avoided. For example, if there is a system breach, the preventive controls have already failed. Now if there are strong detective controls in place, the security team will know that there has been a system breach and can work to mitigate the damage before the need to use the corrective controls occurs.
Ming Hu says
I agree with you. Besides, the data generated by detective controls could also be used to perfect preventive controls to prevent the recurrence of a breach as you described.
Andrew P. Sardaro says
Joe,
I agree with your statement about detective controls ranking second in order of importance. To complement your RAID 6 example, we have detective/monitoring systems in place that notify us if certain server processes are running high or disk space utilization is high. These notifications allow us to act before it becomes a more serious problem.
Wen Ting Lu says
I agree with your rankings. It’s always important to prevent something from happening. Detective control is less important because most of the time it really depends on how soon the detective control is invoked after an event; a business may already uncover a loss before there is any opportunity to limit the amount of damages.
Folake Stella Alabede says
I think all the basic IT controls are important; the importance might just vary depending on the nature of the business, but I think for any business, you want to prevent any issue before it happens, like the popular saying “Prevention is better than cure”.
Again, using a pharmaceutical company or food company as an example, everything has to be done right, so I think they should have a solid preventive control in place. Everything has to be done right the first time; I don’t think they have room for errors (which should be the case for any business though, just buttressing the point that some controls are important and key to some businesses).
Some businesses on the other hand might tell you, xyz situations can’t happen, but if they do, we have a way to resolve them efficiently, which means they might have solid preventive and corrective controls in place, and it also means their ‘defective’ detective controls are not so much of a threat to their business.
Sachin Shah says
I agree with your analysis. One of my first managers always stressed being more proactive and less reactive. To me, in the world of IT controls, preventive control represents being proactive and solving problems before they start. The second one is reactive, or in IT control terms detective, that is, looking for problems. We look for problems as in quality assurance or post-activation testing, which is reactive. Lastly you have corrective control, which is damage control. This is putting in a permanent fix and communicating what went wrong, how it got fixed, and assuring it will never happen again.
My opinion from experience is that corrective control is when there is a fire at work and hundreds of emails are sent and countless conference calls. All of this can be avoided if there is a good staff doing detective control. It could be even less if there are analysts and leadership who recognize potential threats and put in plans for fixes prior to escalation.
Binu Anna Eapen says
1. What is a compensating control? When would you use one? Why? Can you give an example?
Compensating controls are the controls that can be used when you are not able to define a specific control or the control does not meet a requirement explicitly as stated due to legitimate technical or business constraints, but can mitigate the risk involved appreciably.
A compensating control reduces the vulnerabilities in ineffectively segregated functions, which include the risk of errors, omissions, irregularities and deficiencies in process quality.
Compensating controls include:
1. Audit trails
2. Reconciliation
3. Exception reporting
4. Transaction logs
5. Supervisory reviews
6. Independent reviews
When designing a function or business process, one factor we need to consider is the segregation of duties (SoD). But sometimes it is not possible to correctly define or segregate particular duties to a specific role, especially in smaller firms. During this time, when the manager is unable to decide, he can implement the compensating controls. Having an audit trail control helps as the auditor can check who initiated the transaction, the time and day of entry, information fields, type of information, what files, etc. This way we can know what is going on within the team and who does what. Also it can be combined with transaction logs or independent reviews to have a better understanding. By combining two or more compensating controls, better security can be provided and risk mitigated to a great extent.
Mansi Paun says
Well explained, Binu. I liked that you have given an example as well to explain compensatory control. I’m curious to know if you could provide any example of Reconciliation?
Binu Anna Eapen says
Yes Mansi. In my previous company we had asset reconciliation one day every week. The leased asset records were maintained in SAP (Lease Asset Management). Apart from this, all the machines were scanned on Wednesdays and this report was then compared with the SAP record in order to eliminate any discrepancies caused by human error.
Sean Patrick Walsh says
5. How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
While I was still in the Navy our budget was created by a top-down approach, but with bottom-up inputs. The Department of Defense gets the overall funding allotted to the military, and then divides the funding up between each branch. Once the Navy got its funding allotment it was distributed between all the asset groups under its control. As each fiscal year began, funding was distributed on a needs basis, and if you needed funding for something you usually had to go out of your way to really prove that the funding was needed for a specific part, training, or travel expense. As the fiscal year progressed and the stringent spending controls mitigated too much outflow of funds, it became much easier to get the funds needed when they were requested.
At the end of each fiscal year we usually received a notification from the Supply Department that there were funds that “had” to be spent immediately. The funds were what had not been spent during the year because of the spending controls put in place to prevent unnecessary spending, but now had to be spent to justify to the Department of Defense, and Congress, that the budget was necessary. Many times we were actually implored to spend more than we had on things we might need later, to overspend our budgets to justify requests for more funding in next year’s fiscal budget. Even if an individual department could not utilize the funds, they would be distributed to another department that could, in order to ensure the funds were used.
Joseph Henofer says
Sean,
I am familiar with this kind of budget handling method. In my previous job we had this structure for our department, but the only difference was the bottom-up didn’t have much input. I was wondering how your department handled the input from the bottom. For example, if two ideas were presented to your boss, was it voted on by your group or did your boss just make the decision?
Sean Patrick Walsh says
Well, it really depended on the situation honestly, which might be why I thought it was a train wreck. For instance, every so many years a ship would go through a Planned Incremental Availability (PIA) either pier side or in a dry dock (DPIA). About a year out from this event each department would formulate a list of jobs they wanted to work through the refit period and then present the list, with as much of the associated costs as could be determined, to their divisional and department heads. Once the department heads got the lists and work plans they would then “chop” some lists and even add work to others to bring the costs into a range that they were required to meet. The list would then be submitted to the civilian and Navy personnel who managed the entire process for their input to see what jobs could and could not be done during that time period. Once approved at their level the lists would come back to us maintenance level personnel to begin ordering the parts and tools necessary, write up any required work packages, and begin preparing the work authorization forms and system “tag outs” (a tag out is a procedure where red or yellow colored tags are attached to valves, breakers, fuses, etc. to prevent inadvertent operation of equipment while being worked on, to prevent equipment and/or personnel casualties) to do the work. I tried to keep it as simple as possible to answer your question, but I apologize if I made it even more confusing. As maintenance workers we had a voice because it was us who operated the equipment every day and knew what did and didn’t need to be fixed, but at the end of the day the military was not a democracy so there was no voting…lol…whatever the supervisors wanted us to do, we did at the end of the day.
Joseph Henofer says
Sean,
I appreciate the reply. I understand that you needed to frame the process so I would better understand the concerns you had. I had a feeling from talking to people in the military that democracy is not an option.
Richard Flanagan says
Sean,
Did you do quarterly re-forecasts? I mean, at the end of Q1 did you lose any unspent money unless you had an early good reason to say that you would spend it in Q2-4?
Loi Van Tran says
I will attempt to answer this question because I came from a similar background as Sean. I worked in Supply and worked very closely with the comptroller to spend said “additional funds” at fiscal year end. To simply answer your question, there were no quarterly re-forecasts. The annual budget is broken down into four quarters, but is not re-forecasted until fiscal year end.
The budget is centrally managed by the Supply Management Unit (SMU) Fiscal Operations, which acts like a hub, a centralized warehouse like Wal-Mart. When one unit (business) does not use up their funds, they get transferred to another unit that needs them. If that money is still unspent at the end of the quarter, the money returns back to the SMU Procurement section to order equipment and supplies to keep on hand based on historic requisitions and demands. The prices for this OH inventory range from a couple of bucks to multi-million dollar pieces of equipment. So with the money being spent, primarily by the SMU to stock for “readiness”, the budget was typically justified with inventory to maintain current and future operations.
I’m speaking from a supply person perspective and it’s what I have seen during my time in.
Sean Patrick Walsh says
Rich,
Loi did a great job of explaining it from a different point in the “chain.” As far as I was aware, no budget re-forecasts were done in a formal or traditional sense. Any funds not used would merely be used by other entities who needed them. We all drew funds from the same pool so it wasn’t exactly a process of shifting the funding. I would add to Loi’s explanation of the hub description that there were different levels of hubs. So much like the military has a tiered chain of command, the points where funds, or the parts and equipment, were pooled were tiered as well. That methodology allowed for faster deployment of resources when needed and also allowed resources to be spread out to get to deployed units that might need them faster than usual.
Ahmed A. Alkaysi says
I don’t know how I feel about the ‘use it or lose it’ approach to budgeting. I feel the money isn’t being used efficiently with this strategy. It would be better to roll over the money that is not needed into an account for future use. It’s lazy budgeting and forecasting using this type of methodology. I mean, by using past budget spending and growth, higher probability forecasts can be estimated.
Sean, do you know how much is left at the end of the year?
Thanks
Loi Van Tran says
Honestly Ahmed,
It’s not efficient or effective at all! The USG coined the term fraud, waste and abuse. I don’t want to turn this into a political debate, but what I’ve seen over the years is unnerving to say the least.
As far as how much is left at the end of the year, the best answer would be Zero. That’s how we justify a budget increase. The saying that Fiscal operation had was “There’s always a way to spend a million bucks.”
Sean Patrick Walsh says
Again, Loi did a great job explaining. I agree that the ideology is very flawed and not efficient at all. It also doesn’t help that everything the govt pays for is through contracts that are super-inflated. What you pay for a hammer or toilet seat at a home improvement store is probably 100-200% cheaper than what the govt pays for it in their individual contracts for those items. Also, it is important to remember when thinking about budgeting that the govt is not operated for a profit like a business is, so that makes things very difficult and complicated at times when trying to apply a business practice to a govt operation.
Kevin Blankenship says
I know many pockets are being lined by having the system be like this, so I can see why there would not be a large push to restructure how budgets are made from the higher levels. Is there anyone on a lower level in the SMU that tries to make budgeting more efficient? Or is it just such a large structure that things are just the way they are?
I guess with funds being centrally located and doled out on an as-needed basis, there is little incentive to want to receive less funding for “your” area.
Andres Galarza says
Kevin,
I’d argue that there is zero incentive to not burn through your allotted budget, regardless of the need or efficiency of how the money is spent. Along with Sean and Loi, I’m basing this on prior military experience, but I wasn’t on the supply side.
An infantry company I was assigned to had funding set aside for platoons to purchase whatever equipment they deemed necessary for an upcoming deployment. What money wasn’t used up by my platoon would simply roll down to the next platoon, and I’m certain that’s how it worked at the company level. If we didn’t spend it, our buddies simply would, and as long as spending fit into an incredibly wide net of what was “acceptable”, the purchases were green-lighted without batting an eye.
Rich says we should take a position in our posts, so here’s mine:
Military spending in the US has massive room for improvement.
Paul Linkchorst says
Professor Yeoman’s Section
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is the practice of splitting up business processes among different personnel to mitigate risks such as fraud, theft, and error. In business, there are certain processes that more than one individual should perform. As an accounting undergrad, I remember one professor describing segregation of duties as separating accounting from sales. If sales had control of the accounting, then they would blow up the sales figures to make themselves look better. While this might be an oversimplification, the premise still holds true that separating different business functions creates checks and balances. In relation to administrative controls, administrative controls are, according to the text, those which are “non-financial, non-technical, and non-production” and which revolve around “operational efficiency and organizational policies”. Therefore, segregation of duties falls right into this category as it allows an employee to control one piece of the business, which ultimately improves efficiency as well as provides another check and balance to mitigate risks from the organization.
An example of two IT roles that should be segregated is in the payroll process. Within the payroll process, there is a process which adds employees to the payroll master file and the process of actually paying those employees on a weekly/monthly basis. There should be one employee who enters an employee into the payroll system and there should be another employee who inputs the correct number of hours/authorizes the payment. During my IT audit internship, one of the auditees had a natural segregation of duties issue since the company did not have enough staff to properly segregate the payroll process. However, to properly control this issue they had a third employee, who happened to be the Director of Information Security & Governance, perform a quarterly review of the payroll master file to mitigate the risks.
Vaibhav Shukla says
Going by the definition of compensatory: reducing the unpleasant effect of something.
In an auditing environment the compensatory controls can be broadly defined as controls which reduce the risk that an existing or potential control weakness will result in a failure to meet a control objective.
Compensatory controls are usually designed to be used in an organization where the implementation of the original control is too weak or difficult to completely mitigate the risks.
I would like to take up an example from the Indian banking sector to define this.
The banks, in order to prevent unauthorized transfer of money through their online banking, have implemented an authentication system. Authentication requires the customer to verify his details in order to access the account.
But with the increasing attempts at online hacking and phishing cases arising day by day, the banks have implemented a second control where, in order to transfer a larger amount of money to a new account or beneficiary, the customer has to wait for 24 hrs. The banks have introduced a cooling period. This gives time for the bank to check the transaction and also for the account holder to alert the bank.
Sheena Thomas says
1.What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is something such as a policy, technology or physical control that is put in place as a workaround or alternate method to mitigate the risk of a vulnerability.
You can use a compensating control when you are trying to implement a framework/regulatory standard within the organization. A compensating control can become necessary when the business process, a deadline and/or budget is preventing the company from implementing a control.
An example of a compensating control: say you live in an apartment complex and tenants are complaining to building mgmt. that too many non-residents can easily gain access to the property, which makes them feel unsafe. The building mgmt. determined that they cannot afford to employ physical guards 24/7. But what they can do is put up security gates around the property, which would force all non-residents to call either a tenant or mgmt. to gain access to the property.
Priya Prasad Pataskar says
Q. What is a compensating control? When would you use one? Why? Can you give an example?
Compensating controls are alternative controls put in place when you cannot meet a requirement explicitly as stated. Compensating controls are not a shortcut to compliance. In reality, it is actually harder to implement them and costs more money in the long run than actually fixing or addressing the original issue or vulnerability.
PCI DSS has established compensatory controls in section Appendix B: Compensating Controls Worksheet
It is important to realize what a compensating control is and what risk it poses in place of the original control.
1. List constraints precluding compliance with the original requirement.
2. Define the objective of the original control; identify the objective met by the compensating control.
3. Identify any additional risk posed by the lack of the original control.
4. Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
5. Define how the compensating controls were validated and tested.
6. Define process and controls in place to maintain compensating controls.
Source: [https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf]
Example. “Passwords must not be stored” is a simple and must-have security control. I came across a team working on 100s of applications and it was mandatory to change the password once a week. Also it was mandatory to use the complex password rules. This team couldn’t possibly remember all the passwords. So as a compensatory control they were allowed to use a password management tool.
Priya Prasad Pataskar says
Sorry I posted this as a reply.
Deepali Kochhar says
Just to add to your point Priya, compensating controls may cost more and may be difficult to implement. They are used to reduce cost and implementation efforts depending on the need of the organisation.
For example, data encryption can be an expensive task for a small or mid-size organisation where the cost of the data is rather less than the cost of encrypting the data. In place of that they can safeguard the data by implementing network access control or database controls.
So we need to first analyze the ROI before taking a decision on the implementation of Compensating controls.
Richard Flanagan says
An important point here. All types of controls cost something, so we need to always think about sufficiency, effectiveness and EFFICIENCY. Badly designed controls can make a company very bureaucratic and raise administrative costs significantly. There is a balance to achieve and it changes over time.
Sheena Thomas says
3.What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties means that multiple employees are required to complete a job. Segregation of duties plays into IT Personnel controls, which will help in preventing fraudulent activities from one or more employees.
System Administrator and Internal IT auditor: a sys admin has the capability to make configuration changes, reboot a system, add users to a system, and add and remove applications. One role of an internal IT auditor is to identify if the sys admin is following the company’s IT policy and procedures when making a change, rebooting, and adding and removing applications from a system.
Sean Patrick Walsh says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is defining the different roles of personnel, and ensuring that personnel are not tasked and/or authorized to conduct actions of different roles and specifically roles that might be chronologically linked in duties either before or after an employee’s role. Segregation of duties is an administrative control used to distinguish different roles, and the associated responsibilities with each respective role, to prevent fraud or inadvertent employee damage from happening as much as realistically possible. Segregation of duties becomes harder as the size of a business gets smaller since the resource of available personnel to do specific jobs gets smaller as well.
An example of two IT roles that should be separated would be an application developer and those personnel who manage applications already in operation. By separating the duties a business can prevent developers from putting an app into operation that could inadvertently, or purposely, cause system interruptions.
Abhay V Kshirsagar says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties (SoD) is a basic internal control that seeks to ensure that no single employee has the authority to execute “conflicting sensitive transactions,” which can potentially impact an organization.
If an individual has excessive system access, which enables him/her to execute a transaction across an entire business process without any checkpoints, it represents a real risk to the business.
There lies an opportunity for fraud when the same employee who is an operations manager also has administrative privileges to the accounting software of the organization. The physical inventory count is expected to match with the inventory count as a basic audit check for accuracy in reporting. In this case, the operations manager has a heavy influence on the accounting software and can compromise the data load process from the physical inventory to the accounting software.
Brou Marie Joelle Alexandra Adje says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties means assigning tasks to different persons within the organization. It is a classic security method to manage conflict of interest, the appearance of conflict of interest, and fraud. It restricts the amount of power held by any one individual.
For example, those responsible for duties such as data entry, support, managing the IT infrastructure and other computer operations should be segregated from those developing, writing and maintaining the programs.
Richard Flanagan says
Brou,
The important point is that the tasks required to do a sensitive job are split between multiple people to ensure that no single person can defraud the company. This is a standard practice that applies to all areas of the organization, including IT.
Fred Zajac says
Segregation of duties is separating the tasks required to accomplish a goal between multiple people. This would play into basic administrative controls by structuring company policies to include multiple people in the process or function.
In my opinion, the two most important IT roles that should be segregated are:
1. IT Duties & User Departments
a. As an IT support company, we see User Departments “trying” to perform IT duties. The IT project the User Department is trying to accomplish usually never ends well, and will wind up costing more to fix the problem they caused, on top of the original problem. Let the IT professionals do their job and we will let the User Departments do their job, because most of the time they will make it worse.
2. Information Security & Rest of IT Function
a. Information Security professionals are responsible for handling most of the settings, configuration, management and monitoring for security. The person handling security should be different from the person(s) managing the rest of the IT functions because there is a risk of harm that may be more effectively hidden by the person holding the “keys to the kingdom”.
Janet Yeomans says
Fred,
Your segregation suggestions are good ones. Also consider the other person who typically has the “keys to the kingdom”: the data base administrator.
Magaly Perez says
What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is a data security measure that reduces the vulnerabilities in ineffectively separated functions, which include the risk of errors, omissions, irregularities and deficiencies in process quality.
These controls generally occur after the audit is complete. They often take more resources to investigate and correct errors as well as to recover losses than it does to prevent the errors in the first place.
Example of a compensating control is increasing supervisor oversight: A manager may perform compensating controls through surveillance and examination by increasing supervisory reviews through the observation of procedures performed in certain functions and making inquiries of employees in order to help identify and address areas of concerns.
Overall, operational compensating controls can aid the design of a process that has insufficient separations of duties and ultimately provide practical assurance to managers that the anticipated objectives will be achieved by the process.
Deepali Kochhar says
1. What is a compensating control? When would you use one? Why? Can you give an example?
Compensating control is an alternative to a security measure that is deemed too difficult or impractical to implement. Compensating controls were introduced in PCI DSS 1.0, to give organizations an alternative to the security requirements specified where necessary.
Compensating controls are used when a security measure is difficult to implement due to following reasons:
• Resource Scarcity
• Cost
• Time
They are used to compensate for the following increased risk which may occur due to above factors:
• Risk of errors
• Omissions
• Irregularities
• Deficiencies in processes which may occur due to above factors.
Example of Compensating Controls can be:
• Encryption: It is an important security measure; however, it can be difficult and expensive for medium or small size organizations to implement. Network access control (NAC), database security applications and services can be the compensating controls that reduce cost while still implementing a security measure so as to reduce risk.
Deepali Kochhar says
Q 3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is an internal control for an organization which is used in defining roles and responsibilities for the employees in an organization based on the responsibilities, area of expertise, horizontal and vertical positioning in the organization in order to build a sustainable risk management structure for an organization.
It works as a basic administrative control as it helps in defining:
• Whether to disperse the critical functions of a particular process to more than one person or not.
• It helps in managing unauthorized access to key systems and database.
• It helps in defining work authorization based on roles and responsibilities.
• It helps in Log generation as well as analysis.
• It helps in managing frauds and risks as it gives a clear picture of the organization’s horizontal and vertical structure.
• It helps in controlling the opportunity for collusion between roles.
For example, during software development, the application development team will develop the system and will define the structure of the database. The database structure will then be communicated to the database team to implement.
The application team is not authorized to make database structural changes. Only a database administrator is authorized. In this way segregation of duties will help in taking care of any unauthorized access to the database which may contain critical information.
Deepali Kochhar says
Q 5. How are budgets handled (i.e. created, monitored, re-forecast, etc.) in your organization?
Budgets are a necessary part of any organization, as they allow it to estimate the costs to be incurred and the revenues to be realized for the period for which the budget is defined. Defining budgets and the details around them depends on the size of the organization.
Defining Budget:
• In terms of the organization for which I had worked, each department submitted their Income Sources, Fixed Costs, Variable expenses and one-time spends for the year based on the sales expected. This data was collected across all departments within the organization like Human Resources, Information Technology, Support Services, Accounting and Finance and Marketing. The accumulated data was then used to determine the budget for the entire organization.
Budget Review
• A rigorous review process was used to streamline the budget expectations across all departments with the organization’s strategy of profit earning. This helped to define a robust budget which has input from all departments. A monthly review for the budget was then performed to determine the variance between the actual and planned spends / earnings. This helped to evaluate the budget performance and realign goals if needed. E.g. cost of travel was one of the variable expenses which was downsized by implementing virtual meetings to meet the revenue targets.
Budget forecast
• Toward the close of the financial year the budget was once again reviewed and lessons learnt were defined. This information was shared across all the departments and was used to forecast the expenses and earnings for the upcoming year.
Richard Flanagan says
Do you have quarterly re-forecasts that take unused money back from the department?
Deepali Kochhar says
Professor, depending on the size of the organization, the budget was reviewed monthly for the projected revenues, expenses and the bottom line based on the market fluctuations, growing operational costs and the performance of various departments.
This resulted in surpluses and deficits in different departments and gave a cushion and the flexibility to utilize the surplus among departments.
This again fed into the budget planning for the upcoming year as lessons learnt and was useful in defining budgets for different departments accordingly for the next financial year.
Ahmed A. Alkaysi says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is used when some other type of control is not possible, compensating for it. For example, there can be compensating controls for segregation of duties.
Smaller companies might have an issue with limited resources conducting specific tasks. Since there are limited resources and those tasks require the segregation of duties, there can be a compensating control put into place instead. This would allow the resources to work on multiple tasks, while mitigating the errors that might arise without the proper segregation of duties controls.
Neil Y. Rushi says
Segregation of duties is identifying what a role in the company actually does by listing the primary duties for the job titles, what they do and also any secondary functions they may be involved with. This plays into basic administrative controls because a company has to know what each department and its members do on a daily basis and have little to no overlap of duties unless it calls for it. Employees should be given a clear-cut list of responsibilities that they perform every day; otherwise, when asked, they might say “I don’t know.” The two IT roles that should have segregation of duties are a database administrator and a desktop support tech. Database administrators handle the database systems and manage all the data that a company uses on a daily basis; any issues that occur they are properly equipped to diagnose and solve. A desktop support tech works on the computers that all employees use on a daily basis, supporting and solving any issues users have, but doesn’t have rights to fix a database server. When coming into the company, these roles need to have their duties laid out clearly.
Janet Yeomans says
Neil,
Think of segregation of duties as a risk mitigation tool. Risks mitigated can stem from either deliberate malicious acts (e.g. fraud, sabotage) or unintended errors (e.g. undetected data entry mistakes, programming errors). Damage from unknown/unforeseeable risks is also mitigated by segregation of duties.
Said Ouedraogo says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. To be certain that all separation of duties issues have been identified, a company needs to create an information flow diagram for every function within each area of the organization.
SoD plays into basic administrative controls as it establishes roles and responsibilities within an organization.
The most basic segregation is a general one: segregation of the duties of the IT function from user departments. In fact, the user department should not perform its own IT duties, as it increases fraud and error. For example, the accounting department should not build an application from A to Z because it will be easier for that department to do what they want.
Ahmed A. Alkaysi says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is having 2 or more people do different tasks. It is used to mitigate any errors, compliance issues, or fraud that might occur if one person is doing multiple related tasks.
For example, at work we have App Devs and BAs. The BAs write the requirements and the App Devs code to satisfy those requirements. There was an issue where the App Dev was telling the BA what the requirements should be so they would have a reduced LOE for coding. Since the App Dev was a SME for their system, the BA took their word and made changes to the requirement. However, these changed requirements ultimately did not satisfy everything the business asked for. In this case, with segregation of duties, the AD should have worried about coding and the BA about the requirements gathering.
Yu Ming Keung says
According to ISACA, a compensating control is an alternative security measure and should be considered where detective or preventive controls are insufficient. When a compensating control is being implemented, the security manager should determine the value trigger to analyze the causes of problems and define the management action plan to mitigate the risk or resolve the issue. It often happens in smaller organizations where the IT support consists of only a few employees and management won’t put a lot of resources into investing in its preventive controls and detective controls.
Compensating controls must exist to mitigate the risk resulting from a lack of segregation of duties. The examples are:
Audit trails:
In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. It is desirable to be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
Independent reviews:
Independent reviews are carried out to compensate for mistakes or intentional failures in following prescribed procedures.
Source: http://internalaudit.uncc.edu/sites/internalaudit.uncc.edu/files/media/docs/Internal%20Controls%20presentation%20updated%2012-20-12.pdf
Paul M. Dooley says
Compensatory controls are internal controls that are allowed to be put in place for data security if a requirement is deemed too costly or difficult to implement effectively. An example of this would be Segregation of Duties (SoD). SoD is a principle that is meant to eliminate a user’s ability to have the “keys to the kingdom” or the ability to access, change, delete anything. This ability allows for the risk of fraud, errors, or sabotage. The general SoD application in an IT organization is that users of said system (inputting data) should not be the ones responsible for maintaining said systems.
Outside of the scope of IT, the SoD principle can be shown in a company’s procurement process. The responsibility to purchase goods is separated from the ability to issue payment and receive the purchased goods. This creates an internal control that would eliminate the ability for an individual to make fraudulent purchases or use for personal gain.
Joseph Henofer says
Your Neighborhood Grocers Case
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
YNG grew through acquisition, resulting in a mess of systems, because of a lack of a strong control framework. The first example of this is that YNG retained many legacy systems because their strategic focus is on marketing and IT infrastructure was put at a lower priority. By putting IT infrastructure at a lower priority you run the risk that your company will not perform as efficiently as possible. In this case we saw that having the legacy systems and applications pieced together caused YNG to have multiple weaknesses in controls during their audit. The second example in this case was demonstrated when acquiring a new store. The IT function would evaluate the current program of the acquired store and, if it was deemed better, they would use it instead of the parent store program. In my opinion this shows a lack of structure for applications in general, thus leading to a mess. The last example is the multiple platforms used, which made it difficult to implement proper access controls. YNG is using multiple databases and hardware, which led to the audit not being successful.
Larry could implement a control framework to align the IT infrastructure with the business needs. Next he would need to evaluate and prioritize the business-critical systems. By evaluating these systems, he can get an idea of what applications and hardware need to be upgraded or eliminated. Creating this standard will allow him to implement access controls in a consistent manner. Then finally he could create, maintain and monitor a budget to ensure that future budgets are accurate, reliable and cost effective. This will also help him reallocate funds if the strategic plan of the business changes.
Joseph Henofer says
Your Neighborhood Grocers Case
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
I believe that there are two reasons why business application procurement is such a big problem. The first problem is that they do not have a strong control framework in place. IT led the initial acquisition process for software and hardware, which was a disaster. Even though it was efficient, the implementation was cumbersome. After this failure, business management compounded the situation by taking over and leaving IT completely out of the process. These instances showed me that the control framework is completely non-existent, thus leading to an incomplete standard for hardware and software, as well as wasted money for YNG.
The second problem is that the strategic focus views the IT infrastructure as a low priority. The case states that the strategic focus is put on marketing and IT infrastructure was a low priority. I find it difficult to be a successful business and have IT infrastructure as a low priority, especially in this case, because the IT infrastructure is the driving tool for ordering and efficiently keeping your records consistent.
Larry can develop and implement a strong control framework. This would help align the business goals and IT infrastructure goals together creating an efficient business strategy for YNG. This would also allow for budget money to be allocated in an efficient way so that YNG can be more profitable.
Joseph Henofer says
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Larry should look to recommend a strong framework to help streamline the processes for both the software and hardware portions, as well as the structure of the business needs and IT infrastructure. Implementing a strong framework like COBIT 5 can align the two groups to work in an efficient way. This framework will give Larry the ability to plan budgets and cost strategies so they can be profitable, organize their current assets and eliminate unnecessary ones from the company. This framework will also allow both the business group and the IT infrastructure group to align their goals and work together in an efficient manner.
Loi Van Tran says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
The key principle of segregation of duties is to make sure that a single person does not have the “keys to the kingdom.” The idea is to separate or segregate critical functions, like invoicing and payment in accounting, so that key processes are dispersed and the associated privileges are not maintained/controlled by a single person. This internal control limits the risk associated with fraud, abuse and error.
An example of two IT roles that should be segregated are Application Development and Application Maintenance. Application developers should only have access to the development environment, where newly developed applications can be tested before being moved to production. Once the code has been tested by QA and passed user acceptance, it will then move into production. A separate team, Application Maintenance, should be responsible for updating the code of the application once it’s in production. Without this segregation, developers can add malicious code into production without anyone even knowing. There is also potential for human error, and that’s where the App Maintenance team would play a crucial role in identifying and debugging the code before it causes severe impacts to the organization.
Fangzhou Hou says
Question: What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is the type of control that ensures internal control is maintained in situations where inherently incompatible duties/responsibilities cannot be segregated. My understanding is that when some other internal controls or processes have weaknesses and potential risks, the compensating control is necessary because it can mitigate the risks and ensure the control processes are still working.
For example, segregation of duties (SoD) is an internal control which is designed to ensure at least two different people are responsible for separate parts of any task. To prevent potential fraud and error within payroll management, the company may ask one person to do the journal entries and another to sign the check. However, if it’s a newly started company, the compensating control in this case may be audit trails or setting access authority.
Source: http://www.beta.mmb.state.mn.us/doc/statewide-financial/ch11/1101-07-02.pdf
Yu Ming Keung says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is an internal administrative control to ensure that each person has authority only to perform certain functions, which are separated from any other functions that could be used in combination to perform a fraud.
The database administrator, who is responsible for ensuring the database structure is right and is being used correctly, cannot be the one who writes the application. It is because segregation of duties separates the functions of any process into screen test; assigning different tasks to different people will help them cooperate to get the overall function done and prevent fraud because they will check on each other.
Jason Wulf says
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
A requirement of architecture standards should be put in place. During the acquisition phase it would be prudent to budget a conversion to current software and development standards of the company. For example, require that hardware be converted to virtualized hardware to make it future proof. Additionally, quote out to external companies for the conversion of software applications to standard and common frameworks the company supports.
Sheena Thomas says
4. What do you consider to be the most important personnel hiring controls for an organization?
I think “Screening” is the most important personnel hiring control for an organization. Screening encompasses background checks, drug screening, verification of previous employment and education, criminal checks, and credit checks (which I don’t agree with).
Screening assists in verifying that the person did not misrepresent himself/herself on the job application. Hiring the “right person” for the job is essential in the hiring process.
Said Ouedraogo says
Why don’t you agree with the credit checks screening?
Ming Hu says
Q: What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
According to AICPA, segregation of Duties (SoD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SOD is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.
For example, application developers should not be able to promote code into production. If this control does not exist, unauthorized changes to software could result. In addition, uncontrolled and/or unauthorized changes to business information may lead to fraud and irregularities. Finally, malicious programs can be introduced into the production environment, affecting system availability, data integrity and information confidentiality.
Ming Hu says
Source: https://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Auditing/InternalControl/Pages/value-strategy-through-segregation-of-duties.aspx
Sheena Thomas says
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
I am unable to rank the importance of basic IT controls. Here is my stand.
I think all the controls are equally important. In a world filled with so many breaches, malware attacks, and identity theft, any company should view each basic control as important.
Detective controls give you visibility into the network, preventive controls will stop malicious activity from occurring and corrective controls can restore a system and or data. To me all the controls work hand in hand with each other to ensure the stability of a network.
Anonymous says
I agree Sheena, I think all the basic IT controls are important; the importance might just vary depending on the nature of the business, but I think for any business you want to prevent any issue before it happens, like the popular saying “Prevention is better than cure”.
Again, using a pharmaceutical company or food company as an example, everything has to be done right; I think they should have a solid preventive control in place. Everything has to be done right the first time; I don’t think they have room for errors (which should be the case for any business though, just buttressing the point that some controls are important and key to some businesses).
Some businesses, on the other hand, might tell you that XYZ situations can’t happen, but if they do, we have a way to resolve it fast, which means they might have solid preventive and corrective controls in place, and it also means their ‘defective’ detective controls are not so much of a threat to their business.
Andrew P. Sardaro says
What do you consider to be the most important personnel hiring controls for an organization?
The most important personnel hiring control for an organization is pre-hire background screening. You are who you hire. If a job requirement is that someone needs to have a specific coding skill, and you do not check or verify their education or certifications, you are now paying for training for this person to do the job they were hired for. Background checks give the employer the ability to verify some of the following about a potential job candidate:
• Criminal record checks
• Work history checks
• Reviews of any legal proceedings
• Education verification
• Personal references
• Professional certification checks
• Drug and alcohol screenings
If you hire the wrong person, and they are placed within a sensitive area, you are exposing your organization to potential financial, legal and reputational damage.
Yang Li Kang says
1. What do you consider to be the most important personnel hiring controls for an organization?
I consider screening controls to be the most important personnel hiring controls for an organization. This is the first important step in determining who enters the company. Your employees represent your company. The company should ensure that the employees they hire do not clash with the company’s ideals and reputation. This is where background checks come in.
They should also ensure that the potential hiree possesses the necessary or required skills for the position. You don’t want to be put into a position where the employee has to be trained significantly for the job. This wastes valuable time and money.
One of the last and most important screenings done during this process, if the potential hiree passes the first two screening controls, is behavioral screening. The company should ensure that their new employee can fit or adapt to the company’s culture. You do not want clashes or animosities within the workspace, as this can lead to a lack of productivity or a vulnerability that could be exploited.
Mengxue Ni says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is a control that can reduce the risk that an existing or potential control might result in a failure to meet a control objective (e.g., avoiding misstatements). Compensating controls are ordinarily controls performed to detect, rather than prevent, the original misstatement from occurring.
If we consider compensating control as a detective control, I think it is easier to understand it. When there is a chance that a preventive control can fail or can’t be placed, compensating control will help to mitigate the loss.
For example, encryption is an important security measure for potentially sensitive data. However, it can be difficult and expensive to implement and can cause problems for applications. Compensating controls like database security applications, network access control, data leak prevention and e-mail encryption can be used when you can’t afford encryption or don’t have the skills to implement it.
Andrew P. Sardaro says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is a control measure used to protect an organization from fraud, crime and devious actions against IT systems and Infrastructure. For example, application developers should not be able to implement code into production. If this control does not exist, unauthorized changes to software could result. These duties should be split amongst units or individuals.
Another example is where Information security should be separate from the rest of IT. Information Security professionals are responsible for handling security configuration, management and monitoring for organizations. The staff handling security should be different from the IT staff in charge of remaining IT functions.
Ryan P Boyce says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is essentially a type of control that supplements another control. When a situation arises in a company where a control such as separation of duties is not able to be implemented, the company may wish to use a compensating control in its place; in this sense, the compensating control is supplementing an existing control. You would typically see this in small organizations where controls that are larger in scope cannot be easily implemented. The purpose behind these compensating controls is that, rather than skip over a necessary control because either funds or resources prevent it from coming to fruition, companies can achieve the same outcome from the compensating control as they would have from the missing control. Taking how small their company is into account, a manager may implement compensating controls into a process when he or she requires that application developers review OS patches to see if their code will be at risk from the upgrade prior to implementing the patch and realizing the problem could have been avoided earlier.
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
If I had to rank the importance of basic IT controls, I would say that the two at the top would be IT standards, policies, and procedures and IT personnel management control. The first of these two I believe is the most important because, after all, “it all starts at the top”. If the policies and procedures that govern and control the IT function and even the business as a whole are flawed, the identity and performance of the groups they oversee are liable to fall apart at some point. The low level functions of IT and the individuals who perform those functions (system admins/apps devs) could be performing their job to the best of their ability but if management is implementing poor procedures and policies, this will greatly hinder or undermine their performance. IT personnel management control is a close second for the most important of basic administrative controls. A company is only as good as its employees after all and the IT unit is certainly a part of this. Just as poor policies, standards, and procedures can undermine good employee performance, so, too, can poor employee performance undermine good direction from the heads of the IT organization.
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Separation of duties is the act of keeping roles and responsibilities separate in an organization so as to prevent error or any illicit activity. More practically, it is the process of having someone check and verify another’s work and vice versa. Separation of duties lies at the heart of administrative controls; it is essentially one of the ways in which administrative duties are performed from a best practice perspective. Take a project for example: the group funding the project should be the only one to manage the project as this could cause conflict of interest if deadlines are late or budgets are not being met. It is likely that, in an effort to make up for either of those scenarios, corners could be cut and quality assurance becomes less of a focus. In IT a classic example of separation of powers is user rights assignment, and the best example of this is that regular users (apps dev, end user) should not have administrative/root access to a server. Another example in the IT segment is that some part of the business function, usually finance or upper management, should review and grant approval for any resources the IT department would like to procure. The latest and greatest Cisco switch might look appealing to a true network architect, but that particular piece of hardware may be overly expensive for what the needs of the business call for.
4. What do you consider to be the most important personnel hiring controls for an organization?
Separation of duties is massively important in an IT unit, but thoroughly screening potential employees surpasses this control. In an age of data breaches and security threats, an organization needs to be especially sure it is hiring honest and thorough individuals, now more than ever. Screening people accurately and thoroughly can also have a major implication on the financial position of a company. It is very expensive to train and bring employees up to speed. If poor screening metrics/techniques are in use, the odds of that company identifying candidates who are likely to leave after a short time are low. At my previous job I personally witnessed someone get hired after just 3 phone interviews. The person arrived for work the day they were supposed to, except it wasn’t the person who did the phone interviews. My managers quickly realized that someone else with more experience actually gave the interview so the person who needed a job could get hired. This is an extreme case, but it cost the company money to conduct the phone interviews and pay for their travel to the site to start working.
Kevin Blankenship says
Segregation of Duties separates role duties and function so that one person cannot cause anything that would be a liability or breach to the organization.
At work developers who write code cannot QA it. Once that code is QA’d it is brought before a Change Advisory Board to be reviewed before being put into production. And even once the CAB request is completed, code is then run through automated security testing to check for code that may cause a loophole or exploit in a system. Each of these steps is kept completely separate from the others, using different teams. This way no code can be manipulated to harm the organization without being caught.
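Several posts above describe the same two mechanisms in words: a segregation-of-duties rule that no single person may hold an incompatible pair of IT roles (developer and production deployer, DBA and application developer), and an audit trail as the compensating control when that segregation cannot be achieved (who initiated the change, when, what kind of entry, and which records it touched). The following is an added example, written for this page and not code from the course, the case, or any poster: a small Python role store that refuses toxic role combinations, refuses self-service grants, and records an audit entry for every change, including management-approved exceptions. The role names, the toxic pairs, and the user names are constructed for the example and are not a standard policy.

```python
"""Segregation-of-duties (SoD) enforcement with an audit trail (added example).

The toxic-pair policy, role names and users below are constructed for this
illustration; a real deployment would load the policy from a GRC system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# Assumed SoD policy: role pairs that one person must never hold together.
# The IT pairs mirror the thread's examples (developers must not promote code,
# DBAs must not write the application); the last pair is the procurement case.
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"app_developer", "prod_deployer"}),
    frozenset({"app_developer", "dba"}),
    frozenset({"purchasing", "payment_approval"}),
}


class SoDViolation(Exception):
    """Raised when a grant would create a toxic combination or a self-grant."""


def find_conflicts(assignments: Dict[str, Set[str]]) -> Dict[str, List[FrozenSet[str]]]:
    """Detective check: list, per user, every toxic pair the user currently holds.

    Useful for reviewing an existing role matrix (e.g. after an acquisition)
    rather than only at grant time.
    """
    conflicts: Dict[str, List[FrozenSet[str]]] = {}
    for user, roles in assignments.items():
        hits = [pair for pair in TOXIC_PAIRS if pair <= roles]
        if hits:
            conflicts[user] = hits
    return conflicts


@dataclass
class AuditEntry:
    """One audit-trail record: who, when, what kind of entry, and what changed."""
    timestamp: str            # UTC ISO-8601 time of the change
    actor: str                # who initiated the change
    action: str               # "grant" or "grant_exception"
    subject: str              # whose role set changed
    role: str                 # the role that was added
    roles_before: List[str]   # role set before the change
    roles_after: List[str]    # role set after the change
    approved_by: Optional[str] = None  # manager who accepted the SoD exception


@dataclass
class RoleStore:
    assignments: Dict[str, Set[str]] = field(default_factory=dict)
    audit_trail: List[AuditEntry] = field(default_factory=list)

    def grant(self, actor: str, subject: str, role: str,
              exception_approved_by: Optional[str] = None) -> AuditEntry:
        """Preventive check at grant time; exceptions need a named approver."""
        if actor == subject:
            # Administrators changing their own roles defeats the segregation.
            raise SoDViolation(f"{actor} may not change their own roles")
        current = set(self.assignments.get(subject, set()))
        proposed = current | {role}
        # Only pairs newly completed by this grant count as a new violation.
        new_conflicts = [p for p in TOXIC_PAIRS if p <= proposed and not p <= current]
        if new_conflicts and exception_approved_by is None:
            raise SoDViolation(
                f"granting {role} to {subject} completes toxic pair(s) "
                f"{[sorted(p) for p in new_conflicts]}; an approved exception is required")
        self.assignments[subject] = proposed
        entry = AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            actor=actor,
            action="grant_exception" if new_conflicts else "grant",
            subject=subject,
            role=role,
            roles_before=sorted(current),
            roles_after=sorted(proposed),
            approved_by=exception_approved_by,
        )
        self.audit_trail.append(entry)
        return entry

    def exceptions_for_review(self) -> List[AuditEntry]:
        """The compensating control: every accepted SoD exception, for independent review."""
        return [e for e in self.audit_trail if e.action == "grant_exception"]


if __name__ == "__main__":
    store = RoleStore()
    store.grant("it_admin", "alice", "app_developer")
    try:
        store.grant("it_admin", "alice", "prod_deployer")
    except SoDViolation as exc:
        print("blocked:", exc)
    # A small shop with one developer: management accepts the risk, and the
    # audit trail records who approved it for the next independent review.
    store.grant("it_admin", "alice", "prod_deployer", exception_approved_by="cio")
    for entry in store.exceptions_for_review():
        print(entry)
    print(find_conflicts({"bob": {"dba", "app_developer"}, "carol": {"dba"}}))
```

The preventive path (`grant` raising `SoDViolation`) is the segregation control itself; `exceptions_for_review` is the compensating control the thread describes for organisations too small to staff every role separately, and `find_conflicts` is the detective sweep an auditor would run over the whole role matrix.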
Wenlin Zhou says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Separation of duties is a classic security method to manage conflict of interest, the appearance of conflict of interest, and fraud. It restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual.
Example:
IT Duties VS. User Departments
The user department does not perform its own IT duties. To mix critical IT duties with user departments is to increase risk associated with errors, fraud and sabotage.
New App development VS. App Maintenance
One way to mitigate the composite risk of programming is to segregate the initial App Development from the maintenance of that application. For example, the applications will not be properly documented since the group is doing everything for all of the applications in that segment. If a key employee leaves, the IT function may struggle and waste unnecessary time figuring out the code, the flow of the code and how to make a needed change.
Joshua Tarlow says
Compensating controls are used when either the cost or effort of a desired control is prohibitive or segregation of duties is not possible. They are typically not the best choice and often require more than one control to provide comparable security. For example, it may not be feasible for a company the size of Wal-Mart to deploy encryption to every location and information system. A few examples of compensating controls in this situation would be password requirements such as length, special characters, or upper- and lower-case letters. Others could be firewalls, restricted access to sensitive data, comprehensive logs, two-factor identification, or network segmentation.
Folake Stella Alabede says
1. What is a compensating control? When would you use one? Why? Can you give an example?
What is a compensating control?
A compensating control is a data security measure that is designed to satisfy the requirement for some other security measure that is deemed deficient, too difficult or impractical to implement.
Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another. There is no guarantee a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previous control invalid.
Compensating controls are not a shortcut to compliance. Compensating controls were never meant to be a permanent solution for a compliance gap.
When would you use one? Why?
The objective of Compensating Controls is to ensure internal control is maintained in situations where inherently incompatible duties/responsibilities cannot be segregated.
Segregation of duties is an important internal control element because it promotes the use of sound business practices and supports the achievement of a process objective. However, effective segregation of duties might not be achieved in certain situations, such as an employee performing all activities within a process, one person having incompatible access in a financial application or a small department having few employees.
When adequate segregation of duties cannot be achieved and cannot be addressed in a timely manner, the next alternative is for management to mitigate the additional risks by implementing compensating controls that provide sufficient review and oversight of the incompatible activities.
A compensating control reduces the vulnerabilities in ineffectively segregated functions, which include the risk of errors, omissions, irregularities and deficiencies in process quality.
Compensating controls are less desirable than segregation of duties, because they generally occur after transactions are completed and take more resources.
An example of compensating controls
I think an example will be segregation of duties.
There is an easy test for Separation of Duties. First, ask if any one person can alter or destroy your financial data without being detected. For the second test, ask if any one person can steal or exfiltrate sensitive information. The final test asks if any one person has influence over controls design, implementation and reporting of the effectiveness of the controls. If the answer to any of these questions is YES, then you need to take a hard look at the separation of duties.
Segregation of Duties
Separation of duties is a key concept of internal controls and is the most difficult and sometimes the most costly one to achieve. This objective is achieved by disseminating the tasks and associated privileges for a specific security process among multiple people.
Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions.
When these functions cannot be separated, a detailed supervisory review of related activities is required as a compensating control activity.
By separating duties, it is much more difficult to commit fraud, since at least two people must work together to do so, which is far less likely than if one person is responsible for all aspects of an accounting transaction.
Segregation of Incompatible Duties
Duties are considered to be incompatible if a single person can carry out and conceal errors and/or irregularities in the course of performing day-to-day activities. Assignments of duties should provide a cross-check of responsibilities to avoid incompatibilities.
Because even though Joe and Bob are two individuals who segregate a duty, if in the system both of them have access to do both functions, we really don’t have any assurance, or we can’t really rely on the segregation of duties, because their access is not really restricted.
Examples of the separation of duties are:
• The individual responsible for designing and implementing security cannot be the same person as the person responsible for testing security, conducting security audits, and monitoring and reporting on security.
• Cash. One person opens envelopes containing checks, and another person records the checks in the accounting system. This reduces the risk that checks will be removed from the company and deposited into a person’s own checking account.
• Accounts receivable. One person records cash received from customers, and another person creates credit memos to customers. This reduces the risk that an employee will divert an incoming payment from a customer and cover the theft with a matching credit to that customer’s account.
• Inventory. One person orders goods from suppliers, and another person logs in the received goods in the accounting system. This keeps the purchasing person from diverting incoming goods for his own use.
• Payroll. One person compiles the gross and net pay information for a payroll, and another person verifies the calculations. This keeps a payroll clerk from artificially increasing the compensation of some employees, or from creating and paying fake employees.
http://whatis.techtarget.com/definition/compensating-control
http://www.beta.mmb.state.mn.us/doc/statewide-financial/ch11/1101-07-02.pdf
https://www.brandenwilliams.com/brwpubs/TheArtoftheCompensatingControl.pdf
Folake Stella Alabede says
To further emphasize this, an organisation whose business objectives (due to limited resources) require that an employee may start and finish a process may put in place compensating controls like a third party reviewing the activity log of such an employee on a weekly basis.
Alexander B Olubajo says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is a form of control that looks to decrease, to an acceptable extent, the potential vulnerabilities that may be exploited in segregated functions deemed to be ineffective within an organization. These include risk of errors, irregularities, omissions, and deficiencies in process quality.
They could also be viewed as alternate controls designed to accomplish the intent of the original control as closely as possible, when the original control cannot be used or fails due to limitations of the environment.
Compensating controls may be considered or used when an entity cannot meet a requirement explicitly as stated due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement through the implementation of other controls [2]. In a nutshell, it is used/implemented by the management of a company when adequate segregation of duties cannot be addressed in a timely fashion or doesn’t exist.
An example could be the review of transaction reports, where a manager may select a few samples of transactions, request the supporting documents, and review the documents to ensure that they are complete, appropriate, and accurately processed. By applying this, the manager can detect errors and reduce the opportunity for an employee performing incompatible duties to process unauthorized or fraudulent transactions.
[2] http://www.sans.edu/research/security-laboratory/article/security-controls
Jianhui Chen says
What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is a data security measure that is designed to satisfy the requirement for some other security measure that is deemed too difficult or impractical to implement. It can improve the design of a process that has inadequate segregation of duties and ultimately provide reasonable assurance to managers that the anticipated objectives of a process or a department will be achieved.
For example, the manager of a clothing factory will select a few samples of the product and review the quality to ensure the low defective rate of the finished clothes.
Source: http://whatis.techtarget.com/definition/compensating-control
http://www.dartmouth.edu/~rmi/documentsunprotect/theuseofcompensatingcontrols.pdf
Alexander B Olubajo says
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
If I were to rank the importance of basic IT controls, I would isolate and evaluate each control separately and independently of the others, looking for and ranking at the top of the list the ones that, when implemented appropriately, would lay the foundation on which the company will build. The highest ranked basic IT controls should, in my opinion, set the tone for the company/organization in terms of culture, values, and operation.
With that said, I will go with ranking IT standards, policies and procedures as the most important, followed by IT personnel management controls as the second most important, and probably IT office administration controls as the least. The reason being that both IT standards, policies, and procedures, and IT personnel management deal with rules and regulations as well as consequences each employee must comply with, abide by, and are subject to, which are most likely derived from the company’s mission/vision statement. They would provide a structured process that governs the organization as a whole and, going back to my point about the company’s culture and values, this would definitely set the tone. This is very important because without this, employees of a company will do whatever they want and can’t be held accountable, since there weren’t standards and policies put in place.
Mansi Paun says
Q 4 What do you consider to be the most important personnel hiring controls for an organization?
A 4 Personnel hiring is an extremely important activity and process in an organization. Companies pay big bucks in the form of referral bonuses to employees who have referred friends and acquaintances successfully, as a finder’s fee. Employees who are in hiring or managerial roles could misuse their position to facilitate recruiting friends and acquaintances, or be bribed to recruit someone who wasn’t even the right fit for the role that was being hired for. This calls for proper controls so that those with the power of hiring would not be able to misuse their position and eventually harm the organization by recruiting sub-standard personnel.
In my opinion, one of the most important personnel hiring controls is that those with the authority to hire or interview, cannot refer or interview people for roles within their own line of business. For example, a manager who hires resources for SAP service line, cannot refer or interview his/her acquaintance for a role in the SAP team. The manager can very well refer an acquaintance in another LOB where the chances of him/her influencing hiring decision is greatly reduced.
Wen Ting Lu says
What do you consider to be the most important personnel hiring controls for an organization?
– I consider background screening to be the most important personnel hiring control for an organization. Better candidates lead to better employees; it is very important to know whether the candidate’s prior behavior poses potential risks to the organization. The background screening process not only allows employers to verify information such as education and prior job experience, it also allows employers to reveal employee behavior including credit history, driving records, drug use, substance abuse, and criminal convictions.
– For example, if the position requires operating a vehicle, then employers should verify the candidate’s driving record. Also, employers should check all the references provided. In addition, when there are gaps between employments, employees should be able to provide reasonable explanations. If they cannot provide a legitimate reason, employers should reconsider whether the job offer should be given to the candidate. An extra step should be taken in the investigation; it’s always good to be safe.
Overall, an employee represents the organization, therefore it’s important to have background checks in personnel hiring process.
Alexander B Olubajo says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties (SoD) is a principle/concept that is based on sharing responsibilities of key processes, while dispersing and separating the critical functions of those processes to more than one person or department within an organization. This separation, with more than one individual or department assigned to a single task, is an internal control designed and intended to prevent fraud and error as well as eliminate instances of conflict of interest.
An example of two IT roles that should be segregated is that of Application Developer Vs. Database Administrator and Quality Assurance (QA) Testers. The reason for this is that an employee responsible for developing code for an application or system should not be allowed to have access to migrate the code/data into the Production environment without it being properly tested. Likewise, the Application Developer should also not be the same individual responsible for testing the code/function of the application as it would be easy for them to approve/pass the code even when it fails. They could also inject malicious application code if they have full access/control throughout the process.
Ivy M. McCottry says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control compensates for some ineffectiveness of other controls.
You would use a compensating control when there is not a clear separation of duties for a given role (even when the role applies to an entire group). This means that tasks are centralized in some sense which increases risk exposure to the confidentiality, integrity, and availability of IT resources because of centralization with an individual or individuals, a single source operation.
An example of a compensating control in an IT organization with network operation center (NOC) activities is an auto-pick/random ticket generator capability for distributing work to NOC technicians or engineers. This builds job rotation into the operational model because no one gets to work the same troubleshooting issue for the network unless authorized by documented standard procedures (ex. NOC operations manual) or by supervisor authority (ex. exception request).
Anthony Clayton Fecondo says
Question 3.
Segregation of duties is the concept of keeping a single user from accumulating the privileges necessary to perform certain tasks on their own. Segregation of duties acts as a control in and of itself because it guarantees that more than one person has to sign-off/approve an action which helps reduce mistakes, conflict of interest, and defrauding of the company.
An example of two IT roles that should be segregated are software developers and whoever is in charge of production of the software. Whoever is making the software shouldn’t be able to produce it because then they can program the software to do whatever they want it to without anyone checking it for bugs or nefarious code. Another example that I read for segregation of duties is database administrators and any role that has root or administrator authorities. I assume that having access to a lot of sensitive information can already expose the company to risks, but giving that same user elevated privileges could result in some really bad repercussions (read more about that here: http://www.sans.edu/research/security-laboratory/article/it-separation-duties).
Folake Stella Alabede says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of Duties
Separation of duties is a key concept of internal controls and is the most difficult and sometimes the most costly one to achieve. This objective is achieved by disseminating the tasks and associated privileges for a specific security process among multiple people.
Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions.
When these functions cannot be separated, a detailed supervisory review of related activities is required as a compensating control activity.
There is an easy test for Separation of Duties. First, ask if any one person can alter or destroy your financial data without being detected. For the second test, ask if any one person can steal or exfiltrate sensitive information. The final test asks if any one person has influence over controls design, implementation and reporting of the effectiveness of the controls. If the answer to any of these questions is YES, then you need to take a hard look at the separation of duties.
By separating duties, it is much more difficult to commit fraud, since at least two people must work together to do so, which is far less likely than if one person is responsible for all aspects of an accounting transaction.
Segregation of Incompatible Duties
Duties are considered to be incompatible if a single person can carry out and conceal errors and/or irregularities in the course of performing day-to-day activities. Assignments of duties should provide a cross-check of responsibilities to avoid incompatibilities.
Because even though Joe and Bob are two individuals who segregate a duty, if in the system both of them have access to do both functions, we really don’t have any assurance, or we can’t really rely on the segregation of duties, because their access is not really restricted.
Examples of IT roles that should be segregated are:
• The individual responsible for designing and implementing security cannot be the same person as the person responsible for testing security, conducting security audits, and monitoring and reporting on security.
SOD IN CHANGE MANAGEMENT
Change management in software development life cycles, network operations and IT Security Departments uses the concepts of SOD to ensure proper approvals and release-to-production processes. There are five basic steps to all change management that need segregated management and process steps to maintain a proper risk management model:
1. Initiation of change with appropriate authorization.
2. Project management oversight of the change process.
3. Tracking of changes to key process steps.
4. Corresponding management and risk controls must be developed and documented.
5. Management oversight and approval for implementation of changes into “production.”
In addition, the COBIT (Control Objectives for Information and related Technology) description for push to production or release management should be well understood: “In addition, application developers should not be able to promote code into production. If this control does not exist, unauthorized changes to software could result. In addition, uncontrolled and/or unauthorized changes to business information may lead to fraud and irregularities. Finally, malicious programs can be introduced into the production environment, affecting system availability, data integrity and information confidentiality issues.”
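The two ideas in the thread above can be checked mechanically: the "Joe and Bob both have access to both functions" problem (is SoD actually enforced by entitlements, not just by job titles?) and the compensating control of having a third party review the activity log when one person is allowed to start and finish a process. The following is an added example, not code from the course or from any poster; the entitlement data, duty pairs and log lines are all constructed.

```python
"""
Segregation-of-duties (SoD) checks over constructed sample data.

Two checks are shown:
  1. Preventive: does any user hold both sides of an incompatible duty pair
     in the system, regardless of what their job title says?
  2. Detective (compensating control): where SoD cannot be enforced in the
     system, review the activity log for transactions one person both
     initiated and approved, so a supervisor can follow them up.
All names, entitlements and log lines are constructed for this example.
"""
from collections import defaultdict

# Pairs of duties that one person must never hold together.
INCOMPATIBLE_DUTIES = [
    ("develop_code", "promote_to_production"),
    ("develop_code", "qa_test"),
    ("design_security", "audit_security"),
    ("open_mail", "record_receipts"),
]

# Constructed entitlement data: user -> set of entitlements actually granted.
ENTITLEMENTS = {
    "joe": {"develop_code", "qa_test"},                 # conflict
    "bob": {"develop_code", "promote_to_production"},   # conflict
    "alice": {"qa_test"},
    "carol": {"design_security"},
    "dave": {"audit_security"},
}


def sod_conflicts(entitlements, rules=INCOMPATIBLE_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for users holding both sides of a rule."""
    conflicts = {}
    for user, granted in entitlements.items():
        hits = [(a, b) for a, b in rules if a in granted and b in granted]
        if hits:
            conflicts[user] = hits
    return conflicts


# Constructed activity log, one step per line: "timestamp,txn_id,user,action".
ACTIVITY_LOG = """\
2024-03-04T09:12:00,TXN-1001,erin,initiate
2024-03-04T09:40:00,TXN-1001,frank,approve
2024-03-04T10:02:00,TXN-1002,erin,initiate
2024-03-04T10:05:00,TXN-1002,erin,approve
2024-03-05T11:00:00,TXN-1003,frank,initiate
2024-03-05T11:30:00,TXN-1003,erin,approve
2024-03-05T12:00:00,TXN-1004,frank,initiate
2024-03-05T12:01:00,TXN-1004,frank,approve
2024-03-05T13:00:00,TXN-1005,erin,initiate
"""


def parse_log(text):
    """Parse the CSV-style log into {txn_id: {action: user}}."""
    steps = defaultdict(dict)
    for line in text.strip().splitlines():
        _ts, txn, user, action = line.split(",")
        steps[txn][action] = user
    return steps


def self_approved_transactions(log_text, first="initiate", second="approve"):
    """Detective review: transactions where one user performed both steps.

    Transactions still missing a step (e.g. not yet approved) are skipped.
    """
    steps = parse_log(log_text)
    return sorted(
        txn for txn, actions in steps.items()
        if first in actions and second in actions
        and actions[first] == actions[second]
    )


def review_report(entitlements, log_text):
    """Combine both checks into the weekly review a supervisor would sign off."""
    return {
        "entitlement_conflicts": sod_conflicts(entitlements),
        "self_approved": self_approved_transactions(log_text),
    }


if __name__ == "__main__":
    report = review_report(ENTITLEMENTS, ACTIVITY_LOG)
    for user, hits in report["entitlement_conflicts"].items():
        print(f"SoD conflict: {user} holds {hits}")
    for txn in report["self_approved"]:
        print(f"Review: {txn} was initiated and approved by the same person")
```

In practice the entitlement input would come from an access review export and the log from the application or ticketing system; the point is that the detective check only compensates, and the conflicts found by the first check should still be removed.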
Anthony Clayton Fecondo says
Question 1
Compensating controls are controls that aim to substitute for any control that is not strong enough on its own or that provides a significant technical or business challenge that inhibits implementation.
You use compensating controls to add extra security to controls that seem lax or in place of controls that are simply too expensive to implement or require some technical system or expertise that is beyond your company. Compensating controls are used (unethically) by some as a means to shortcut their way to compliance.
An example of a compensating control might be using software that monitors password input and learns how a person types their password as opposed to implementing a possession or biometric based secondary authentication system. Simply implementing the software would be cheaper and still provide a 2-factor authentication system, but without having to purchase a biometric scanner or fobs/keycards for all the employees.
Noah J Berson says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is keeping certain roles and functions to different employees so that they cannot combine those duties in a way that could harm the company. This would be a general preventative role since it needs to be done beforehand and relates to access security.
Two IT roles that a company should segregate are the role of Information Security and almost any other IT role. The IS role has the “keys to the kingdom” as said by ISACA, and therefore, combining their access with anything else is dangerous.
Ivy M. McCottry says
5. How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
My immediate office pursues federal IT contracts. Our budgets are driven by solicitation pricing requirements (ex. lowest price technically acceptable – LPTA). Given that, our budget creation process is a top-down approach because we align the budget with solicitation requirements. Budget line items vary by project. A project can be for primarily equipment which has lower personnel requirements than a project that is program management heavy. Triggers for re-forecasting are renewal options or re-competes. Both a renewal option and a re-compete for a contract can have new IT performance requirements such as a scale up or down in personnel or changes in technical specifications which initiate budget re-forecasting.
Alexander B Olubajo says
4. What do you consider to be the most important personnel hiring controls for an organization?
I would consider screening to be the most important personnel hiring control for an organization.
A company should properly screen new hires in order to ensure that they are getting who they claim to be and are also getting the right/qualified person for the job. This is important because a company can incur serious costs and face consequences for neglecting and/or ignoring this very important part of the hiring process. When a company hires an unqualified person, or someone who has had previous drug- or sex-related convictions, due to neglecting to perform a thorough background check, they risk that individual performing at a below-par or unacceptable level, which, depending on the person’s role or job description, could cause the company losses. The company could also potentially put the security of other employees of the company at risk. Hiring individuals without the organization performing its due diligence of screening employees prior to hire could also disrupt the culture of the company and the atmosphere of the workplace, with individuals behaving in inappropriate manners.
Screening candidates is a very essential personnel hiring preventive control that the management of organizations must not take lightly, as it plays a hugely significant role in defining the success of the organization’s business and whether or not they achieve their goals. Employees are the core of a company; they are what makes a company, and starting from hiring the appropriate and qualified candidates determines the all-round success of the organization.
Xiaodi Ji says
Alexander,
I agree with you that screening is a very important process for personnel hiring controls. If we hire a person who has a bad background, it is like we have set a time bomb in the enterprise.
When I consider this question deeply, however, it also has some problems which confuse me.
First of all, how can we get people’s bad background information? Do we get all that information online legally, or do we need to pay a lot to buy this information?
Then, checking backgrounds spends a huge amount of money and people in doing this. For the big enterprise, this is not a big problem. However, small companies may not pay that money. What should we do for the small companies?
Folake Stella Alabede says
Hi Alexander, I like the way you have stated that “Screening candidates is a very essential personnel hiring preventive control”.
Coming to think about it, screening candidates/potential employees can actually be a very effective preventive control, most especially depending on the organization.
Andrew P. Sardaro says
What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is an alternative control measure created to closely replicate the original control intention. We use these when the existing designed controls cannot be used due to technical or business restrictions. The compensating control can alleviate the risk involved to an acceptable level.
An example I can give is where university police departments are tied into city police dispatch systems. The software that is used for the city dispatch system can only run on Windows XP. Per Microsoft, Windows XP’s life cycle ended in 2014 and no longer receives security updates. This police dispatch partnership has been in place for over 10 years, and there is no road map as to when the city will move away from this software. In order for the university police departments to utilize the city police dispatching, they must use the software on XP systems. To mitigate the risk of the XP systems being compromised and impacting the network, they are isolated and protected with network security measures (isolated VLAN, filtering).
Ahmed A. Alkaysi says
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
YNG used both acquired systems and systems developed in-house for its IT solution. The IT infrastructure has been ‘piecemealed’ together, resulting in inefficiencies and failure to meet business objectives. There are multiple reasons for this, including the failure of IT and Business to collaborate on finding the best possible IT solutions, poor in-house development, and the lack of a stable IT framework.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Ahmed A. Alkaysi says
I apologize I hit the ‘Post Comment’ button by accident before I could finish. Below is my completed thoughts.
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
YNG used both acquired systems and systems developed in-house for its IT solution. The IT infrastructure has been ‘piecemealed’ together, resulting in inefficiencies and failure to meet business objectives. There are multiple reasons for this, including the failure of IT and Business to collaborate on finding the best possible IT solutions, poor in-house development, and the lack of a stable IT framework.
Some possible controls that could be put in place include:
-IT can give advice on the software used, but Business must ultimately sign off.
-IT solutions must be chosen with a clear business objective in mind.
-When developing systems in-house, there need to be deadlines set and objectives met throughout the process to avoid going largely over budget.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
IT and Business are in a tug-of-war in regards to purchasing IT solutions for the company. IT initially led the procurement of the software and hardware, which led to the business objectives not being met. As a result, Business took over this process which led to the objectives being met but also resulted in a large amount of write-offs. Business and IT clearly need to collaborate better. Some controls that need to be put into place include:
-First off, clear business objectives must be set
-IT should be able to select the software and hardware they will use, but they must make sure 1. Business objectives are being met with acquisitions and 2. Business will sign-off on their decision
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
It sounds like access control is a “weakness” due to the different types of architectures used in the company. Larry should recommend that a single sign-on (SSO) platform be implemented to allow a user to access many different systems using only one username and password. The password criteria should be complicated enough that at least 1 uppercase letter, number, and special character are used. Another control Larry could put in place is requiring a user to change their password every 6 months or so.
Kevin Blankenship says
What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control strives to bridge the gap between a security requirement and the feasibility of it being fully satisfied. It would be needed if a security measure is either impractical to cover or not possible to implement.
An example would be SOD. By splitting up functions among multiple team members, committing something like fraud is harder to do.
Anthony Clayton Fecondo says
YNG Case Question 1:
YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
YNG’s systems are disorganized for two distinct reasons. The first reason for YNG’s mess of systems is that acquisitions were sometimes allowed to keep their systems rather than converting to YNG’s systems. By not implementing a single, organization-wide system, YNG allowed their IT systems to become fragmented and difficult to manage.
The second reason for YNG’s mess of systems is that all of their applications were implemented at different times as independent systems. As a result, some of the older systems are outdated or the company that created the application is out of business. If the creator of the application is out of business that means the application is old and probably outdated and/or the application was bad and the company was driven out of business by its competitors. Additionally, certain systems could be integrated in order to create a more cohesive and more easily manageable collection of IT systems.
In order to fix this issue going forward, Larry needs to determine specific, effective, and efficient systems that will be implemented company wide. The policy of allowing acquisitions to maintain their old systems should be abolished in order to ensure that systems are consistent company wide. This will allow a single set of controls that were tailored to the designated systems to be implemented in every location. Additionally, Larry needs to ensure that updates for the implemented systems are reviewed and processed in a timely manner in order to keep the systems working in peak condition.
Anthony Clayton Fecondo says
YNG case question 2:
Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
The purchases by IT have been failures because the IT staff isn’t aligning with the business. IT is purchasing products and only focusing on what they know, the technical aspects, rather than on what would better serve the company and meet the needs of those using the software. It seems the IT department knows what technical capabilities the software needs, but they don’t understand what the software needs in terms of usability in order to allow for the effective and efficient use of the software by end-users.
If Larry creates controls that involve the end-users–or personnel who are intricately familiar with the wants and needs of the end-users–in the process of choosing software or testing software before implementation, then IT can still ensure consistent, reliable systems that have the proper technical capabilities while also ensuring that end-users will be able to effectively employ those systems.
Xiaodi Ji says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
I think that segregation of duties is giving one function to one person or one job. It means that a person or a department can only handle one kind of function of the company. In other words, nobody can handle too much of the company’s information, especially sensitive information.
The main point of this is reducing risk. The first risk comes from mistakes. Everybody makes mistakes anywhere, anytime. Thus, if one person plays both player and judge, the mistakes cannot be found or fixed immediately, which can create more serious risks or problems for the enterprise.
The second risk comes from resignation. Employees leaving an enterprise and enterprises hiring new employees is a normal phenomenon in business. However, when an important employee who has many sensitive documents or the main code for a program leaves the enterprise, the enterprise will lose this information, because missing documents are common and something in the brain is hard to transfer to others completely. Meanwhile, new employees need a long time to learn if this job handles too many things.
The third risk comes from betrayal. Nobody likes this word or this action. However, it actually happens in the business world. If someone gets more authority, whatever they do is hard to discover. They can write malicious code into a program, sell sensitive information to a competitor to get more money, or give an advantage to other employees by helping them change some information.
The example is writing and testing code. Programmers who write a program test it as they create it. They know where to find what they want, and they will type whatever fits the system. It is hard for them to find the problem and make the system fail. In this case, the program should be given to a test department to be tested just like a user who does not know anything about the program. It helps the enterprise find the errors before publishing the program, which can reduce a lot of risk.
It also creates a contradiction that breaks the tone of the enterprise. Lots of people do not like others pointing out their mistakes or errors. Thus, when the testing department finds many mistakes and errors and reports them to the coding department, programmers often feel quite angry and upset. In order to encourage the testing department to find errors and help the enterprise reduce risk, some companies also make a rule that if the testing department finds a mistake in the program, they get a reward and the coding department is docked money. This rule makes the two departments act like enemies. However, if enterprises cancel this program, the testing department does not work hard to find errors, because testing a program is quite boring and takes a lot of time. Meanwhile, the coding department also does not work hard to avoid errors, because they think the testing department can handle it and they will not be punished.
When I heard about it, I felt so confused and could not find any solution to this problem. What do you think about this question in the enterprise? How should we solve this problem? What kind of rules can we make?
Anthony Clayton Fecondo says
I have a general question about segregation of duties. I understand that segregation of duties was originally implemented as a means to reduce the likelihood of employees defrauding the company, but is the separation of job duties only referred to as segregation of duties if it is preventing or reducing the likelihood of fraud?
Xiaodi Ji says
Anthony,
I think that segregation also helps employees or departments know what they actually need to do, which makes everything more effective. Everybody’s energy is limited. They can only focus on one thing or a few things. Thus, giving them clear and simple duties can help them do them as well as possible.
Candace Nelson says
Good question Anthony,
In my experience, segregating duties also increases the likelihood that unintended errors will be detected and corrected in a more timely manner!
Kevin Blankenship says
I agree with Xiaodi Ji that defining clear roles is a good use of SOD, as well as preventing fraud.
I think it also can help with simple human error. Dispersing duties with SOD lessens the likelihood that a mistake can go unnoticed before being implemented.
Ahmed A. Alkaysi says
Hi Anthony,
If you are using SoD as a control, then yes, it is to mitigate errors and fraud. However, you don’t need to use this concept specifically for control purposes. SoD can be used for efficiency reasons, for suitability-to-the-job reasons, or for other specific reasons that are not limited to error and fraud.
Xiaodi Ji says
4. What do you consider to be the most important personnel hiring controls for an organization?
In my opinion, the most important personnel hiring control is ensuring the independence and professionalism of the recruiting department.
First of all, the recruiting department should be an independent department. The duty of the recruiting department is hiring useful and valuable personnel for the enterprise, whether the personnel come from society or are introduced by employees. They should be evaluated by the same standard to confirm the quality of personnel.
The second is that the recruiting department should invite some people from other departments to help them become professional. A person or a department cannot know everything or every area. In order to hire the right person at the right time, they need some professional employees to help them. For example, an enterprise needs to hire a website programmer. The recruiting department just knows some basics about this technology. If a person is quite good at presentation but does not have the ability, he/she will get the job but cannot work immediately. However, if they ask the IT department to help them evaluate the technical areas, it may avoid this situation.
Xiaodi Ji says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is a control measure that is used when some process has a fault or a gap.
I will use this control when I find the tone of a department is not good, or when a department never has any problems in routine supervision.
For the first one, the tone of a department or enterprise is quite significant. Once I find the tone is bad, I will use a compensating control to improve this department.
For the second one, I want to ensure that they can do it every time rather than just on the day of checking. Then I can find the real problems of this department.
Example: Plainclothes police check bars, at no fixed time, for whether they have a license or sell alcohol to people under 12.
Alexander B Olubajo says
5. How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
I work in an IT organization within a Telco company. We provide IT support to Engineers and the Engineering tools/software they use to build our products within the company. From my understanding and based on the level of information I am privy to, annual budgets for my organization are pretty much created months prior to that year or at the very beginning of that particular year. Each Senior Manager compiles a list of expenses they anticipate incurring for that year, then all meet with the VP of the department to discuss and analyse their lists before anything gets approved. Usually most of the items accounted for on the budget are engineering application license renewals, employee training costs, travel expenses, outside contractors, conference/summit fees, etc. There is usually a set budget cap for our department that we have to work under. During the course of the year, the budget is reviewed to determine how the department is doing based on the forecast and what was set at the beginning of the year. After reviews, if it is determined that the budget needs to be increased to accommodate certain items that were poorly accounted for during the initial forecast, the VP will need to get approval from his manager, the SVP/CIO, and will also need to have the proposal run by the CFO before more budget room can be allocated. So, I guess budget is typically handled by my company in 3 stages: initial forecast (created), monitored, and re-forecast.
Jaspreet K. Badesha says
I find this very interesting. In my organization I hear about budgets but then find out that budgets for the following year are created in the summer or fall of the previous year. I understand that this is done based on actual expenses incurred in the previous year, the previous year’s budget, additional expenses or proposals that may be coming into play for the following year, inflation, and the cost of new staff if required. However complex this may be, it is still hard to fathom if an expense occurs such as requiring 2 additional developers as opposed to none that you had planned on hiring, but then the business proposed a project that required additional resources and expects you to cover it with the budget that was given based on the assumption of not needing new developers.
Candace Nelson says
1. What is a compensating control? When would you use one? Why? Can you give an example?
The concept of a compensating control derives from the Payment Card Industry Data Security Standard (PCI DSS), and it was originally considered to be a work around when a legitimate constraint (business or technological) to achieving security compliance was encountered.
A relevant example of a compensating control pertaining to IT Personnel Controls relates to segregation of duties (SOD). The concept of segregated duties implies incompatible functions are assigned to different employees to reduce the organizations vulnerability to fraud. In situations where optimal SOD is infeasible due to resource constraints, other compensating controls can be implemented to minimize risk. An example of this is if the clerk who is responsible for applying cash receipts to the general ledger also reconciles the cash account, the reconciliation should be reviewed and approved by a different person. This clerk should also be required to take vacation, during which their responsibilities are performed by someone else to increase the likelihood that a fraud would be detected.
Candace Nelson says
2. If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
1. Preventive Controls
2. Detective Controls
3. Corrective Controls
I listed the basic types of IT controls in what I believe to be their order of importance. I rank preventive controls first since it is better to prevent an error, omission, infraction, lack of compliance, etc. than it is to deal with such an event after the fact (which is a corrective control). I rank detective controls second since corrective controls are irrelevant if a preventive control was either lacking or failed to stop a negative event from occurring but nobody knows about it because it wasn’t detected.
Jaspreet K. Badesha says
I agree with the ranking of these IT controls. Preventive controls definitely help set the basis for the latter-mentioned controls. If preventive control measures were not put in place, then it lessens the chances of detective and corrective controls.
Candace Nelson says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
According to Generally Accepted Accounting Principles (GAAP) promulgated by the Financial Accounting Standards Board (FASB): “Separating duties among different employees reduces the opportunity for any one person to commit fraud. It also creates double-check procedures to cut down on clerical errors. The employee who handles record keeping should not have physical custody of the asset. For example, the person responsible for bank reconciliations should not also receive payments from customers or prepare the bank deposits.”
Similar to financial controls, adequately segregated IT controls reduce the risk of conflicting interests (e.g. if the responsibility for systems development is separate from maintenance of the same systems) and increase the likelihood that security breaches will be detected (if the responsibility for information security is segregated from the rest of the IT function). Additionally, database administration should be segregated from all other IT functions due to the wealth of knowledge and access this position controls.
Candace Nelson says
4. What do you consider to be the most important personnel hiring controls for an organization?
There are many factors to consider when determining the most important personnel control. If a candidate is being considered for a position that entails access to or management of significant sums of money (e.g. CFO, Treasurer), the results of a credit report would be pertinent. If a candidate is being considered for a position that requires a valid driver’s license, it would be wise for the employer to obtain a driver’s abstract to ensure the license is valid and to gauge the candidate’s driving habits (especially if they will be transporting others or driving a company vehicle).
The most important personnel control may be checking for a criminal record. I am not suggesting that a hiring decision be based on this alone, but that the nature of the crime and the surrounding circumstances should be considered. For instance, if a person applying for a teaching position has a record of crimes perpetrated against children, they may not be considered a suitable candidate.
Alexander B Olubajo says
YNG Case
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
A couple of things contributed to YNG growing through acquisition and ending up with a mess of systems. The bulk of these wrongdoings can be summarized as YNG simply lacking a structure and defined processes for how their IT systems should be integrated to operate after every acquisition. In other words, there is no IT governance at YNG. This easily happened at YNG because of how little IT was regarded. YNG initially gave IT little to no significance until the CEO realized the company had no streamlined operations and no strategy for process improvement and accountability. Now that the damage has been done, Larry would probably look to implement corrective controls like streamlining the IT business systems used company-wide, where all supermarkets use the same systems and no newly acquired supermarket is exempted so that it can use its own systems.
Folake Stella Alabede says
1. What is a compensating control? When would you use one? Why? Can you give an example?
What is a compensating control?
A compensating control is a data security measure that is designed to satisfy the requirement for some other security measure that is deemed deficient, too difficult or impractical to implement.
Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another. There is no guarantee a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previous control invalid.
Compensating controls are not a shortcut to compliance. Compensating controls were never meant to be a permanent solution for a compliance gap.
When would you use one? Why?
The objective of Compensating Controls is to ensure internal control is maintained in situations where inherently incompatible duties/responsibilities cannot be segregated.
Segregation of duties is an important internal control element because it promotes the use of sound business practices and supports the achievement of a process objective. However, effective segregation of duties might not be achieved in certain situations, such as an employee performing all activities within a process, one person having incompatible access in a financial application or a small department having few employees.
When adequate segregation of duties cannot be achieved and cannot be addressed in a timely manner, the next alternative is for management to mitigate the additional risks by implementing compensating controls that provide sufficient review and oversight of the incompatible activities.
A compensating control reduces the vulnerabilities in ineffectively segregated functions, which include the risk of errors, omissions, irregularities and deficiencies in process quality.
Compensating controls are less desirable than segregation of duties, because they generally occur after transactions are completed and take more resources.
http://whatis.techtarget.com/definition/compensating-control
http://www.beta.mmb.state.mn.us/doc/statewide-financial/ch11/1101-07-02.pdf
https://www.brandenwilliams.com/brwpubs/TheArtoftheCompensatingControl.pdf
Sheena Thomas says
Consider the following questions about the YNG case.
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
YNG lacked IT policies, procedures, baselines, guidelines and standards. They also had to deal with legacy applications, obsolete and decentralized databases, and under-qualified programmers/developers. I think Larry needs to implement an IT framework such as COBIT.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
A lack of communication between both departments is a huge problem. The business managers and IT managers need to find a way to align technology to the business process. IT departments need to understand the business need and communicate to the business department what technology would better fit the business need. I also think the budgeting department needs to be notified when purchases are taking place from each department.
APO06.01-02 deals with “Establish and maintain a method to account for all IT-related costs and Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units.”
Source:
COBIT 5: Enabling Processes: APO06 & APO07 https://drive.google.com/a/temple.edu/file/d/0B8S2SZTC04ViYVRpUWxTczU4RXM/view?usp=sharing
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
I think Larry should recommend segregation of duties and role based access control.
Segregation of duties – will make sure a user has enough rights to do their job.
Folake Stella Alabede says
Your Neighborhood Grocer Case
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
The acquisition problem with YNG grew into a mess because there were no structure/policies/procedures/ guidelines (or anything) in place with regards to acquisition. They acquired companies with applications that they did not keep track of, and they did not analyse these applications to determine the compatibility and alignment to both the business and IT objectives of the organization.
In addition, YNG just wanted to take the easy way out whenever they did any acquisitions, they “determine whether the acquired company had better applications than the parent. In some cases, the acquired company was permitted to retain its application…..”
This lack of a proper/unified framework and structure led to independent applications being developed over time, including applications from a “now-defunct company”.
I feel the first basic control should be some guidelines/policies regarding acquisitions. When companies are acquired, there should be a standard in place that should be followed, not the discretion of the “IT function”.
Also a single integrated framework should be adopted and applied.
They could also develop/adopt an enterprise resource planning (ERP) system/software (with the contribution/input of all departments/users) such that all the applications are centralized and uniform.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures mainly because there is no proper IT Governance in place.
The organization should not be divided and see things as a competition/struggle. IT initially led the selection and acquisition process but this did not achieve business objectives; so subsequently business management “demanded” that hardware and software solutions be selected by business without IT involvement.
Both the business and IT unit should work together to achieve the ‘common’ objective of the organization.
From CobiT point of view, if both business and IT realise that the common Governance Objective is not to compete but to create value, the large budget over-runs would reduce drastically.
The goal of APO06 is ” Manage Budget and Costs Audit/Assurance Program” If a framework like CobiT is adopted, then “there is assurance over the APO06 process that ensure there is a partnership between IT and enterprise stakeholders to enable the effective and efficient use of IT-related resources”. (quote from isaca website)
Since YNG can be seen as an enterprise (The Open Group Business Executive’s Guide to IT Architecture defines an enterprise as a government agency, a whole corporation, a division of a corporation, a single department, or a chain of geographically distant organizations linked together by common ownership) Larry could introduce an enterprise architecture framework to align all the business processes with IT.
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
This should prove to YNG that you cannot separate IT and business without grave consequences, one of which is ‘the sorry state of access control’ in the company.
I feel Larry should immediately adopt, implement and enforce a standard (across all the companies) concerning access control/password policies. If a standard is adopted (encompassing minimum password length, password complexity, number of wrong passwords before system lockout, etc.), it should be adopted from a single integrated framework, and ‘the objectives and associated accountabilities should be clearly communicated so they are understood by all’ (quoted from CobiT APO02).
Andres Galarza says
I’m going to buck the trend and make the argument that taking vacations is my pick for most important. This is only a little tongue-in-cheek.
Most organizations in the United States do an acceptable job with some of the other personnel administrative controls, such as screening. However, we do an awful, awful job in this country with the idea of letting people have time off and, therefore, reap none of the benefits that come with happier, more rested (and loyal) employees.
Our readings in Kyriazoglou’s book this week point out that forced vacations can reveal irregularities and problematic activities, particularly if the person taking the vacation holds a pivotal or “keymaster” position in the company. Frankly, forced vacations can only do positive things for an organization.
Daniel Warner says
Andres,
I read your response and agree with you that taking a forced vacation can only do positive things for an organization. It’s funny when I read that over in the textbook it seemed to me like a no-brainer but looking back and reviewing your response it leads me to believe that the dual nature of taking a vacation can only aid a company. I know I’ve mentioned this in a previous comment, but I recall a French company that was in charge of managing portfolios, and an employee was able to launder large sums of money because he never took a vacation, and thus his work wasn’t monitored.
Jaspreet K. Badesha says
1. What is a compensating control? When would you use one? Why? Can you give an example?
A compensating control is a data security measure that is put in place to satisfy a requirement for another security measure that is too demanding or unfeasible to implement. This is done when you cannot fully meet the requirements. An example of a compensating control is segregation of duties. This is when two individuals are given different parts of the same task to complete to prevent the risk of fraud. A task that could be completed by one individual is split into multiple tasks for multiple individuals so that one person doesn’t have complete control over the process and is less likely to commit fraud.
Jaspreet K. Badesha says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is an internal (compensating) control that helps an organization divide up one task, which would commonly be completed by one person, into multiple tasks so it can be completed by multiple people, therefore lessening the chance of fraud. In IT, the process of deploying code to different environments such as production is only allowed after the developer writes the code, QA thoroughly tests it, and BA tests it to a degree to ensure it follows business requirements. This ensures that code that is going to cause malfunctions or breaks in production is not released, therefore not costing the business additional money.
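The role conflicts named in this thread (developer vs. QA/deployer above, systems development vs. maintenance and DBA vs. the rest of IT in Candace's answer, and the cash-receipts clerk whose reconciliation is compensated by an independent review) can be checked mechanically against a user-to-role assignment list. This is an added example, not code from the discussion; the role names, the conflict matrix and the sample assignments are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over user role assignments.

Added example for this thread, not from any participant. Role names and
the conflict pairs below are constructed; a real review uses the
organization's own control matrix.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Incompatible pairs drawn from the thread's examples (constructed names):
# developer vs tester / deployer, development vs maintenance of the same
# system, and posting cash receipts vs reconciling the bank account.
CONFLICTS: Set[frozenset] = {
    frozenset({"developer", "qa_tester"}),
    frozenset({"developer", "prod_deployer"}),
    frozenset({"sys_development", "sys_maintenance"}),
    frozenset({"cash_receipts", "bank_reconciliation"}),
}
# Ordinary IT functions; the DBA and information-security roles are each
# segregated from every one of them (and from each other).
IT_ROLES = {"developer", "qa_tester", "prod_deployer",
            "sys_development", "sys_maintenance", "it_operations"}
SEGREGATED_FROM_ALL_IT = {"dba", "infosec"}


def is_conflict(role_a: str, role_b: str) -> bool:
    """True when one person holding both roles breaks segregation of duties."""
    if role_a == role_b:
        return False
    pair = frozenset({role_a, role_b})
    if pair in CONFLICTS:
        return True
    # A fully segregated role conflicts with any IT role, including the other
    # segregated role; a business role (e.g. cash_receipts) is unaffected.
    touches_segregated = any(r in SEGREGATED_FROM_ALL_IT for r in pair)
    all_it = all(r in IT_ROLES or r in SEGREGATED_FROM_ALL_IT for r in pair)
    return touches_segregated and all_it


def find_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Every (user, role_a, role_b) where a user holds two conflicting roles."""
    found = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if is_conflict(a, b):
                found.append((user, a, b))
    return sorted(found)


def classify(violations: List[Tuple[str, str, str]],
             compensating: Dict[str, Set[frozenset]]):
    """Split violations into those covered by a documented compensating control
    (independent review of the reconciliation, mandatory vacation, ...) and
    open findings that still need the roles split or a control added."""
    covered, open_findings = [], []
    for user, a, b in violations:
        if frozenset({a, b}) in compensating.get(user, set()):
            covered.append((user, a, b))
        else:
            open_findings.append((user, a, b))
    return covered, open_findings


# Constructed sample: a small company where one clerk both posts cash
# receipts and reconciles the bank account, with a manager review on file.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"developer", "qa_tester"},              # tests her own code
    "bob": {"cash_receipts", "bank_reconciliation"},  # compensated below
    "carol": {"dba", "it_operations"},                # DBA not segregated
    "dave": {"sys_development"},                      # single role, fine
    "erin": {"prod_deployer", "bank_reconciliation"},  # unrelated functions
}
SAMPLE_COMPENSATING: Dict[str, Set[frozenset]] = {
    "bob": {frozenset({"cash_receipts", "bank_reconciliation"})},
}


def audit(assignments=SAMPLE_ASSIGNMENTS, compensating=SAMPLE_COMPENSATING):
    """Run the SoD check and return (covered, open_findings)."""
    return classify(find_violations(assignments), compensating)


if __name__ == "__main__":
    covered, open_findings = audit()
    print("covered by a compensating control:", covered)
    print("open findings:", open_findings)
```

Open findings are the ones an auditor would write up; covered ones still appear in the report so the compensating control itself gets reviewed.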
Jaspreet K. Badesha says
4. What do you consider to be the most important personnel hiring controls for an organization?
I believe that the most important personnel hiring controls for an organization are the following:
- Interviews – this allows you to see if the individual is qualified and will fit into the culture of your organization.
- Background checks – this will let you know if there is anything that you should know about an individual; if they have been charged with something that involves fraud, you may not want them near your data or in an influencing role.
- Credit checks – this is extremely important if you are hiring someone who may have access to people’s financial or personal data.
Andrew P. Sardaro says
Your Neighborhood Grocer Case:
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
When YNG acquires a company, the IT function evaluates the existing software applications and determines if they are better than parent systems. These application acquisitions have been taking place over time without business involvement. YNG has no clear internal controls (policy/procedures/standards/guidelines) to handle these acquisitions. The applications are chosen based on technical functionality and do not integrate with other acquired systems. The current acquisition process shows no alignment between IT and business towards organizational objectives.
Control suggestions:
• Establish a control framework as to align IT with business needs.
• Stop the bleeding, implement a policy as to how acquisitions are to be handled, standardize the process and stick to it.
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
The IT and business units are not seeing eye to eye when making application/system decisions. IT chooses applications/systems that are technically effective, but are cumbersome for the end users. The business units are frustrated and not including IT in further decisions. This has resulted in numerous independent hardware and software systems that are difficult to manage and significant budget overruns. The IT and business units need to work together towards the organization common goals and create value for stakeholders.
To achieve this, Larry should adopt COBIT5 and refer to process ID APO06 (Manage Budget and Costs): “Foster partnership between IT and enterprise stakeholders to enable the effective and efficient use of IT-related resources and provide transparency and accountability of the cost and business value of solutions and services.” Source: COBIT 5: Enabling Processes: APO06 & APO07
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Being that there are so many independent systems that cannot be centrally managed, access control is difficult. Larry should implement Segregation of Duties (be sure no one person has full access to a system), Role-Based Access Control (define roles and what they need access to), stronger password criteria and password change frequency.
Jaspreet K. Badesha says
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
This happened because the organization would individually determine if the existing system at the organization that was acquired was “better” than their system; if so, they would leave that system the way it was, and if not they would implement their YNG system. This is not good. The company should have 1 system / set of applications that run for all of their companies. This allows for less maintenance of so many programs and they can just focus on their own. Larry can implement controls so that there are not multiple applications developed to monitor things that can all be tracked in one, and can be in line with the business strategy. He can use their existing system and upgrade it, or do a complete overhaul and purchase a new system and do customizations, making it more manageable and not wasting any more time. This would require their organization to realign their budget, not focus on marketing as much, and allocate some resources to maintain their IT systems.
Ivy M. McCottry says
YNG
1. YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
WHY
Acquisitions resulted in a mess of systems because of management tactics and strategies regarding IT. The standard set was “how good are the systems of the new acquisition” rather than a standard of efficient, functional and effective IT governance at a portfolio/organization-wide level. Management did not look at the bigger picture of the needs for IT governance at the organization level and, from there, alignment of infrastructure for the new acquisition with the big picture. Decision-makers involved with IT review and decisions for the new acquisition followed a path that was convenient and strategic for keeping the new companies operational. Key examples are how “the IT function within each company was integrated into the YNG data center” and the retention of some legacy applications.
CONTROLS
Larry can put in place IT administrative controls and specifically policies, standards, and procedures for establishing overall governance (ex. capabilities that each company needs, standardization of systems even if standardization means a roll-out of the same system to each company, checklists that review teams follow, procedures for confirming agreement with executive management and board on how IT governance is handled and carried out, especially if a new acquisition requires deviations).
Ivy M. McCottry says
Jaspreet – I didn’t mean to post right here, but I did intend to reply to your post. I like how you added resource allocation for better management of IT resources (human capital and financial capital) as well as the idea of customizing standard applications. Great points.
Jaspreet K. Badesha says
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
The CIO should be savvy on the business side as well as the IT side. Therefore, in an ideal situation, the CIO should be involved in the business and IT decisions to ensure that IT strategy will be aligned with the business strategy and help make joint decisions in procurement. Larry should implement the COBIT5 process that refers to managing budget and costs through transparent relationships with the business and using their IT resources effectively and efficiently. This will help the business make decisions that will be practical and effective.
Jaspreet K. Badesha says
3. The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Segregation of duties and role-based access to the systems/applications are two controls that can be implemented in the current state of these multiple applications, or if the applications were combined into one master system/application. This way one individual will not have access to a complete application; they will only have access to their role-based ones and will only be able to complete certain tasks as their job requires.
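The two controls discussed in this thread (the developer / QA / BA deployment workflow in the earlier post, and segregation of duties plus role-based access above) can be made mechanically checkable. The following is an added illustration, not code from the course or the case; the role names, the conflicting-role pairs and the sample assignments are constructed for the example.

```python
# Added example: a toxic-role-combination check plus a deployment gate that
# enforces segregation of duties. All roles, pairs and users are constructed.
from dataclasses import dataclass, field

# Role pairs that one person must never hold at the same time
# (developer vs. production deployer mirrors the code-deployment workflow;
# receiving vs. shipping clerk mirrors the inventory example in the thread).
CONFLICTING_ROLES = {
    frozenset({"developer", "prod_deployer"}),
    frozenset({"receiving_clerk", "shipping_clerk"}),
    frozenset({"dba", "application_support"}),
}


def sod_violations(assignments: dict[str, set[str]]) -> list[tuple[str, frozenset]]:
    """Return (user, conflicting pair) for every toxic combination a user holds."""
    found = []
    for user, roles in assignments.items():
        for pair in CONFLICTING_ROLES:
            if pair <= roles:          # user holds every role in the pair
                found.append((user, pair))
    return found


@dataclass
class ChangeRequest:
    author: str
    qa_approvals: set[str] = field(default_factory=set)
    ba_approvals: set[str] = field(default_factory=set)


def deploy_allowed(change: ChangeRequest, assignments: dict[str, set[str]]) -> tuple[bool, str]:
    """Production deploy needs QA and BA sign-off from holders of those roles,
    and the author may never approve their own change."""
    def valid(approvers: set[str], role: str) -> set[str]:
        return {u for u in approvers
                if u != change.author and role in assignments.get(u, set())}

    if not valid(change.qa_approvals, "qa"):
        return False, "missing QA approval from a QA role holder other than the author"
    if not valid(change.ba_approvals, "business_analyst"):
        return False, "missing BA approval from a BA role holder other than the author"
    return True, "ok"


# Constructed sample role assignments; "dave" holds a toxic combination.
ASSIGNMENTS = {
    "alice": {"developer"},
    "bob": {"qa"},
    "carol": {"business_analyst"},
    "dave": {"developer", "prod_deployer"},
}

if __name__ == "__main__":
    print(sod_violations(ASSIGNMENTS))
    print(deploy_allowed(ChangeRequest("alice", {"bob"}, {"carol"}), ASSIGNMENTS))
```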
Sachin Shah says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
In my company, many duties are segregated. For instance, we have applications that are typically vendor created, yet we have internal IT personnel that support the functionality and basic application support; we have desktop support or end user services that install the application and do any PC troubleshooting; and then we have database support done by our Database administration team, a few of whom have never seen the front end of an application or could care less about which desktop operating system they use.
These roles are segregated for accountability and specialty. I used to be a systems analyst, but I wanted to be a programmer or DBA, yet I was in no way prepared to be given access to write stored procedures and given full DBA access to patient data. Hence duties need to be segregated according to team specialties, as it would be easier to trace back what and when something went wrong and also who may have done it.
Sachin Shah says
4. What do you consider to be the most important personnel hiring controls for an organization?
I agree that the most important hiring control is the background screening. One can lie about their experience or technical capability; those individuals are dishonest but may not put a company in a negative predicament. I have seen situations where friends of mine did not get sales positions because of poor credit. That is because they were to be given a company credit card with more of an honor system on what they were purchasing for themselves and potential clients. Companies did not want to “police” or investigate every purchase, from cups of coffee to retail establishments. The poor credit led companies to realize the candidate could not handle his or her own budget and may then be careless with the company’s accounts and finances.
Also, I have friends who didn’t get delivery positions or jobs with extensive travel due to poor driving records. Companies feared that commuting to their job or FOR their job may be a risk. Why take the risk? Instead, hire a less qualified candidate. That candidate may not be as qualified but is less of a risk, and the company needs to put a bit more effort into getting them up to speed and saves money on other things like insurance.
Daniel Warner says
1. What is a compensating control? When would you use one? Why? Can you give an example?
“A compensating control reduces the vulnerabilities in ineffectively segregated functions, which include the risk of errors, omissions, irregularities and deficiencies in process quality.” An organization would utilize a compensating control when proper segregation of duties wasn’t possible and the issue needs to be addressed. So for instance, if an organization had a short-staffed IT department but had strong IT governance policies that they wanted to adhere to, the organization could address any shortcomings in their policy with compensating controls. One of the examples given in the article is increased supervision. When a process cannot be completely monitored but still needs to be checked, a manager could make inquiries into certain high-risk aspects of a transaction. For example, a manager might want to make sure that customers picking up goods from a loading dock had signed off on each order for a week. Checking every signature may take a long period of time, so the manager may only check the signature for items with a high dollar amount.
http://www.dartmouth.edu/~rmi/documentsunprotect/theuseofcompensatingcontrols.pdf
Daniel Warner says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is a control that is utilized to protect the organization from fraud or crime. The basis of segregation of duties is that an organization needs to assign separate duties to employees in order to complete a task or transaction. An example is that a receiving clerk that monitors and logs inventory that is received shouldn’t be the same person logging inventory that is being shipped out. The reason in this example is that the receiving clerk could be shipping inventory to himself or an associate.
Segregation of duties supports IT personnel management controls because through proper division of duties the operations of the business are less likely to be impacted by fraud or illegal activity.
Daniel Warner says
4. What do you consider to be the most important personnel hiring controls for an organization?
– I believe the most important hiring control for an organization is the screening process for potential employees. The way to ensure the person that is being considered for a position is vetted properly for the job is to do a background check. This is essential especially in IT, where technical experience is paramount to finding the right candidate. If a candidate says they have 3 years of experience developing applications, but when checking with a past employer the hiring manager cannot find evidence of this, that can save the company from having a serious issue down the line.
Daniel Warner says
5. How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
– I worked in the finance department at a large company in New Jersey a couple of years back, and although I wasn’t in charge of creating a budget, I was heavily involved with the CFO and Controller and was privy to pieces of how the budget was created. Our branch’s budget was sent from corporate. There was a certain number of employees allowed for each department and roles pre-defined by corporate. In order to have more cash allocated to a department, a manager had to contact their senior manager, and all requests went to the CFO, who forwarded them to our corporate office. The corporate office then had final say on the allocation of funds. I am sure I am leaving steps out, but this is just what I was made aware of.
Sachin Shah says
5. How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?
I have been at the Penn Medicine IT department for 11 years, and once upon a time the budget was bottom up and had gradually shifted to top down. Before, it was more operational, spending on what was needed to sufficiently keep the systems operational. In time the department had a larger budget and we had major projects in place, and that was what directed the budget. The decisions to move the server farm, move to one EMR, have single sign on, and increase web based security dictated where the IS finances and resources were going.
Our IS department spends minimal money on employee travel, expenses, or even off site working. The majority of the money is spent on salaries and temporary consultants. Yet it is interesting as leadership is very strict and does not want consultants moving forward and wants the subject matter knowledge in house. Management wants the budget to remain controllable with employees without extraneous expenses.
Ivy M. McCottry says
2. Business application procurement seems to be a big problem. IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
WHY
IT bought stuff the businesses didn’t want because there was a segregation of duties. If there was a segregation of duties, a group would handle requirements development that would inform what another group actually purchases. The requirements and purchase would be the same and, importantly, they reflect the end-user needs. This effective and desired outcome is also feasible if end-users are not allowed to make their own purchases and instead inform requirements development groups and IT implementation and/or governance groups about end-user needs.
CONTROLS
Larry can establish segregation of duties and IT purchasing controls that enforce requirements development and approval from end-users and executive management. Another essential control is a budget. The budget should be driven by IT priorities, which again should reflect end-user needs. I appreciated how AP006.02 referenced buy, develop, and rent options. A group that has a procurement function will automatically vet cost models for meeting end-user requirements, whereas vetting costs might not be top of mind for a group less informed about procurement best practices. I thought about the role of SaaS for an organization that manages a portfolio of companies in the same industry. I would assume that there are some standard logistics for grocery chains and that products, product quality, and pricing would be distinguishing factors. However, some aspects are vanilla just because they have to be, and segregation of duties allows for things that are standard to 1) be noticed by the appropriate parties and 2) be leveraged for efficiencies when infrastructure is in place for doing so.
Ivy M. McCottry says
ISACA/COBIT P04.11 refers to segregation of duties as “Implement[ing] a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process and [making] sure that personnel are performing only authorised duties relevant to their respective jobs and positions.” This applies to a group level as well; a work group should not have duties that allow for compromise to the confidentiality, integrity, or availability of an organization’s IT resources and information.
http://www.isaca.org/Groups/Professional-English/po4-11-segregation-of-duties/Pages/Overview.aspx
An example of two roles that should be separated is the database administrator role and the database analyst role, in which the analyst is involved with data. I think it is normal to have one person control all facets of a system because organizations tend to increase the responsibilities of subject matter experts and people who are seasoned in a process or tool. However, it takes intentional effort and possibly even compliance to enforce segregation of duties. The concept is common with financial matters but not necessarily operational matters, which is why segregation of duties is critical to risk management.