ME2 Monitor and Evaluate Internal Control

Establishing an effective internal control program for IT requires a well-defined monitoring process. This process includes the monitoring and reporting of control exceptions, results of self-assessments and third-party reviews. A key benefit of internal control monitoring is to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations.

Control over the IT process of Monitor and Evaluate Internal Control that satisfies the business requirement for IT of
  • protecting the achievement of IT objectives and complying with IT-related laws, regulations and contracts
by focusing on
  • monitoring the internal control processes for IT-related activities and identifying improvement actions
is achieved by
  • Defining a system of internal controls embedded in the IT process framework
  • Monitoring and reporting on the effectiveness of the internal controls over IT
  • Reporting control exceptions to management for action
and is measured by
  • Number of major internal control breaches
  • Number of control improvement initiatives
  • Number and coverage of control self-assessments
Management of the process of Monitor and Evaluate Internal Control that satisfies the business requirement for IT of protecting the achievement of IT objectives and complying with IT-related laws and regulations is:

1 Non-existent
2 Initial/Ad Hoc
3 Repeatable but Intuitive
4 Defined
5 Managed and Measurable
6 Optimized

Benchmarks/Guidelines for Scoring

1 Non-existent when
The organization lacks procedures to monitor the effectiveness of internal controls. Management internal control reporting methods are absent. There is a general unawareness of IT operational security and internal control assurance. Management and employees have an overall lack of awareness of internal controls.
2 Initial/Ad Hoc when
Management recognizes the need for regular IT management and control assurance. Individual expertise in assessing internal control adequacy is applied on an ad hoc basis. IT management has not formally assigned responsibility for monitoring the effectiveness of internal controls. IT internal control assessments are conducted as part of traditional financial audits, with methodologies and skill sets that do not reflect the needs of the information services function.
3 Repeatable but Intuitive when
The organization uses informal control reports to initiate corrective action initiatives. Internal control assessment is dependent on the skill sets of key individuals. The organization has an increased awareness of internal control monitoring. Information service management performs monitoring over the effectiveness of what it believes are critical internal controls on a regular basis. Methodologies and tools for monitoring internal controls are starting to be used, but not based on a plan. Risk factors specific to the IT environment are identified based on the skills of individuals.
4 Defined when
Management supports and institutes internal control monitoring. Policies and procedures are developed for assessing and reporting on internal control monitoring activities. An education and training program for internal control monitoring is defined. A process is defined for self-assessments and internal control assurance reviews, with roles for responsible business and IT managers. Tools are being utilized but are not necessarily integrated into all processes. IT process risk assessment policies are being used within control frameworks developed specifically for the IT organization. Process-specific risks and mitigation policies are defined.
5 Managed and Measurable when
Management implements a framework for IT internal control monitoring. The organization establishes tolerance levels for the internal control monitoring process. Tools are implemented to standardize assessments and automatically detect control exceptions. A formal IT internal control function is established, with specialized and certified professionals utilizing a formal control framework endorsed by senior management. Skilled IT staff members are routinely participating in internal control assessments. A metrics knowledge base for historical information on internal control monitoring is established. Peer reviews for internal control monitoring are established.
6 Optimized when
Management establishes an organization-wide continuous improvement program that takes into account lessons learned and industry good practices for internal control monitoring. The organization uses integrated and updated tools, where appropriate, that allow effective assessment of critical IT controls and rapid detection of IT control monitoring incidents. Knowledge sharing specific to the information services function is formally implemented. Benchmarking against industry standards and good practices is formalized.