IS Controls
While we cannot completely eliminate the risk of unauthorized changes, we can control and reduce the risk using certain measures. These measures are called controls.
There are two types of controls we need to consider: preventative controls and detective controls.
Preventative Controls
Preventative controls are measures we put in place to prevent unauthorized changes from happening in the first place. For example, programmers should not have direct access to the system libraries where changes can be made. Instead, they should only have access to a testing environment. This ensures that any changes they make can be properly reviewed and tested before being implemented.
Detective Controls
Detective controls, on the other hand, are measures we use to detect unauthorized changes that may have occurred. For example, we can establish a procedure where any problems or issues with the system are reported to the IT department. This helps in identifying any unauthorized changes that may have caused the problem.
Steps
In addition to these controls, there are other important steps to consider.
When making changes, there should be a proper change request form that needs to be filled out and approved. Management should take these change requests seriously and sign off on them. Once changes have been tested, they should be submitted to a change control board for review. This board ensures that the changes made are appropriate and do not contain any extra lines of code that could potentially cause harm.
In some cases, organizations may outsource the development of certain systems. In such situations, it is important to have a separate server where vendors can access and fix any issues. This server should not have direct access to the production environment or the system libraries. Instead, vendors are given temporary access through an emergency ID, which can only be used once.
Overall, the goal of these controls is to minimize the risk of unauthorized changes and ensure that any changes made to the system are properly reviewed, tested, and approved.
Controls to minimize the misuse of change controls
Access to program libraries should be restricted
Supervisory reviews should be conducted
Change requests should be approved and documented
Potential impact of changes should be assessed
How to conduct the controls?
Select a sample of program changes made during the audit period and trace each one to its maintenance form to determine whether the change was authorized: check that the form carries the appropriate approvals, and compare the date on the form with the date of the production update to confirm that the two agree.
Sampling techniques
Simple random sampling
This is the most basic and straightforward sampling technique. In simple random sampling, each member of the population has an equal chance of being selected for the sample. It is like picking names out of a hat. This technique ensures that every individual in the population has an equal opportunity to be included in the sample.
Systematic sampling
In systematic sampling, the selection of individuals for the sample follows a fixed rule. The population is first ordered or numbered, and then a fixed interval is chosen. For example, if the population size is 100 and the desired sample size is 10, every 10th individual would be selected. This technique is useful when the population is large and selecting individuals purely at random is not feasible.
Stratified sampling
Stratified sampling involves dividing the population into different subgroups or strata based on certain characteristics or attributes. Each stratum represents a specific subgroup within the population. Then, a sample is taken from each stratum using either simple random sampling or systematic sampling. This technique ensures that the sample is representative of the different subgroups within the population. It is particularly useful when there are distinct subgroups with different characteristics in the population.
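A worked version of the audit test described under "How to conduct the controls?", combined with the sampling techniques above, as an added example that is not part of the original notes: a sample of production program changes is traced to the maintenance forms and each one is checked for authorization, management sign-off and date agreement. The record layouts, the sample data and the use of change type as the stratum are assumptions.

```python
import random
from datetime import date
# Added example, not from the original notes. Record layouts, sample data
# and the stratum key (change type) are assumptions.
# Constructed production change log: what actually went to production.
PROD_CHANGES = [
    {"id": "CHG-1", "type": "emergency", "prod_date": date(2024, 3, 2)},
    {"id": "CHG-2", "type": "normal", "prod_date": date(2024, 3, 5)},
    {"id": "CHG-3", "type": "normal", "prod_date": date(2024, 3, 9)},
    {"id": "CHG-4", "type": "normal", "prod_date": date(2024, 3, 12)},
    {"id": "CHG-5", "type": "emergency", "prod_date": date(2024, 3, 20)},
    {"id": "CHG-6", "type": "normal", "prod_date": date(2024, 3, 28)},
]
# Constructed maintenance forms keyed by change id; CHG-5 has no form at all.
FORMS = {
    "CHG-1": {"approved_by": "IT Manager", "approval_date": date(2024, 3, 1)},
    "CHG-2": {"approved_by": "", "approval_date": date(2024, 3, 4)},
    "CHG-3": {"approved_by": "IT Manager", "approval_date": date(2024, 3, 8)},
    "CHG-4": {"approved_by": "IT Manager", "approval_date": date(2024, 3, 15)},
    "CHG-6": {"approved_by": "IT Manager", "approval_date": date(2024, 3, 27)},
}

def systematic_sample(items, n):
    """Every k-th item of the ordered population, k = population / sample."""
    k = max(1, len(items) // n)
    return items[::k][:n]

def stratified_sample(items, key, per_stratum, seed=0):
    """Simple random sample of per_stratum items from each stratum."""
    rng = random.Random(seed)
    strata = {}
    for item in items:
        strata.setdefault(key(item), []).append(item)
    return [c for members in strata.values()
            for c in rng.sample(members, min(per_stratum, len(members)))]

def trace_to_form(change, forms):
    """Audit one sampled change; returns the exceptions found (empty = clean)."""
    form = forms.get(change["id"])
    if form is None:
        return ["no maintenance form: change not authorized"]
    issues = []
    if not form["approved_by"]:
        issues.append("form lacks management sign-off")
    if form["approval_date"] > change["prod_date"]:  # approval must precede update
        issues.append("approval dated after the production update")
    return issues

def audit(sample, forms):
    return {c["id"]: trace_to_form(c, forms) for c in sample}
```

Running `audit(systematic_sample(PROD_CHANGES, 3), FORMS)` flags CHG-5 as unauthorized; auditing the full population additionally surfaces the missing sign-off on CHG-2 and the date disagreement on CHG-4.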