The institution should adopt adequate controls based on the degree of exposure and the potential risk of loss arising from the use of technology. Controls should include clear and measurable performance goals, the allocation of specific responsibilities for key project implementation, and independent mechanisms that will both measure risks and minimize excessive risk-taking. Management should re-evaluate these controls periodically.
Management should establish an effective system of internal controls. Internal controls for an IT environment generally should address the overall integrity of that environment. Typically, internal controls span management and multiple technical disciplines. The scope and quality of internal controls are key components of the risk assessment process. Senior management is responsible for the oversight and monitoring of internal controls.
Management should identify the specific requirements for internal controls in the financial institution's policies, standards, and practices in order to establish an auditable baseline. The established baseline provides a general picture of the control environment. The detailed aspects of each area or discipline are used to measure compliance against the established requirements (standards).
Management practices associated with general controls include:
Adequate internal controls should be structured to assure senior management that:
Independent audits can verify that these controls exist and are functioning effectively.