IT Risk and Controls Matrix

Process: IT Governance

Sub-Process Control Objective

The IT organization is designed for

effective job responsibilities, functional
1 IT Organization
segregation of duties, business unit
support, and management oversight.

IT employee roles, responsibilities, and

skill sets are documented and
2 Roles and Responsibilities periodically reviewed to ensure
adequate and effective technology
service is provided.

IT policies and procedures, including

3 Policies and Procedures
information security and operations,
provide formal and standardized
guidance to IS employees, and
company-wide employees as
appropriate, and provide appropriate
compliance measures.

IT Management periodically assesses

risk and determines whether adequate
4 Risk Assessment/Governance
policies, procedures, and mitigating
controls exist.

IT Management drafts and implements a

strategic plan which solicits and governs
5 Strategic Planning technology expectations across the
organization and aligns with the overall
corporate strategy.

6 Budgeting
Cost Administration and
7 system development/enhancement
SOP98-1
Operational Monitoring and
8
Reporting
Vendor Management and
9 identify and address contract violations,
Service Level Agreements
10 IT Asset Inventory, Licenses
11 Information Architecture
12 IT Regulatory Compliance
IT Management drafts and implements
an annual budget which sets and
governs technology and resource
spending across the IS department and
within individual projects and is
incorporated into the corporate budget.
IT identifies, records, and reports
costs using a formal methodology.
Operational performance of the IT
department is monitored and addressed
by IT management and results are
reported to, and feedback is solicited
from, business unit management and
the BOD, as appropriate.
Management monitors vendors'
performance and control practices to
deficient service levels and control
practices.
recorded, periodically inventoried, and
properly disposed to ensure existence,
proper use, and compliance
The information architecture (application
inventory, system architectures, data
flow diagrams, etc) is documented and
periodically reviewed and data
ownership is assigned and monitored.
IT legal, regulatory and contractual
requirements are identified, inventoried,
monitored, and addressed.
 COBiT
Risk Ref Description of Key Control Activity

A poorly designed IT organization

may not meet the support needs of
the business units, may create
ineffective governance and PO-4
performance, and cause non
segregated IS duties at an individual
level.

Employees may not be aware of or

appropriately matched to roles and
responsibilities based upon their skill PO-4
sets, resulting in substandard service
performance.

Governance is weakened without

formal policies and procedures to
PO-4
guide daily IT employee
PO-6
responsibilities and processes and
DS-13
compliance is difficult to measure,
monitor, and enforce.

PO-4
IT risks and/or control deficiencies
PO-6
may not be timely identified,
PO-9
addressed, or mitigated.
ME-2

IT may not have adequate planning,

resources, or technologies which are
prioritized according to business unit PO-1
needs and support future initiatives. PO-3
AI-3
Ineffective fiscal, technology, or
resource management may occur, PO-5
resulting in inefficient funding and AI-3
spending.

Inaccurate or incomplete IT and

system development costs may be
allocated/capitalized, impacting
DS-6
internal cost allocations and the
corporate balance sheet and income
statement.

Substandard operating performance

PO-8
(e.g. throughput, Help Desk support,
ME-1
etc.) and related root causes may
ME-4
not be detected, reported, or
DS-1
remedied timely and IT may not be
DS-3
meeting the needs of the business
DS-10
units.
Substandard vendor performance
and control deficiencies may not be
DS-1
detected, reported, or remedied
DS-2
timely, resulting in increased internal
costs and vulnerabilities.
IT assets may be misappropriated,
inappropriately secured or used, and DS-9
licensing contracts may be violated.
Without a clearly documented and
understood information architecture,
PO-2
controls over data, application
DS-9
dependencies, strategic planning,
etc. may not effective or efficient.

Non-compliance with legal,

regulatory and contractual
ME-3
requirements may result in lawsuits,
fines, and/or reputational damage.
 CAVR (Information processing objectives): C=Completeness; A=Accuracy; V=Validity; R=Restricted Acces
F/S Assertions: E/O=Existence/Occurrence; C=Completeness; V/A=Valuation/Allocation; R/O=Rights/Obli

Control
Frequency
(Multi-daily,
Type:
Automated Daily,Weekly,
Preventive or
or Manual Monthly,
Control Type: Detective
(A,M) Quarterly,
Financial (P,D)
Annual, Ad-
Reporting (FR), FS hoc, Control
Regulatory (R), Assertion/ Continuous) Performer,
Operational (O) CAVR Owner
A=Accuracy; V=Validity; R=Restricted Access
V/A=Valuation/Allocation; R/O=Rights/Obligations; P/D=Presentation/Disclosure

Key System
Applicable Systems or
Generated Reports
Tools
or Spreadsheets
IT Risk and Controls Matrix
Process: IS Governance and Operations
Sub-Process
1 Help Desk
Job Scheduling and
2 uncontrolled changes, or monitoring
Batch Processing
3 Data feed balancing
Operational Failures,
4
Error resolution
Network, Database
5 subject to formal policies, including
Management and Monitoring
6 Data Backup and Recovery
CAVR (Information processing objectives): C=Completeness; A=Accuracy; V=Validity; R=Restricted Access
F/S Assertions: E/O=Existence/Occurrence; C=Completeness; V/A=Valuation/Allocation; R/O=Rights/Obligations; P/D=Presentation/Disclosure
Control
Frequency
(Multi-daily,
Type:
Automated Daily,Weekly, Key System
Preventive or Applicable Systems or
or Manual Monthly, Generated Reports
Control Type: Detective Tools
(A,M) Quarterly, or Spreadsheets
Financial (P,D)
Annual, Ad-
Reporting (FR), FS Control
hoc,
COBiT Regulatory (R), Assertion/ Continuous) Performer,
Control Objective Risk Ref
PO-8 Description of Key Control Activity Operational (O) CAVR Owner
and procedures, captures and reports allbe captured, addressed using a
DS-8
user requests, and provides the front formalized process, reported, or
Improper production scheduling, DS-10
end controlby
monitored from the ITauthorized
properly change control analyzed to determine root causes
including unauthorized or DS-13
personnel and changes / deviations
DS-13
from production processing are
may result in data corruption errors
identified, documented, approved and
and delays in production processing.
Inaccurate or incomplete data feeds
Data feeds are monitored and errors are
are received/sent and/or identified
addressed and reported using a formal AC
errors are not timely or appropriately
resolution process.
resolved, jeopardizing data integrity.
Operational failures and their root
Software issues, including emergency causes may not be identified, AC
change requests, are documented, documented, or resolved timely or DS-3
reported, monitored, approved, and effectively, resulting in continued DS-10
resolved timely. processing problems or data DS-13
unavailability.
Poorly designed networks and lax
Management of networks and servers is
monitoring/resolution of issues may DS-3
result in communication or retrieval DS-13
formal monitoring procedures.
delays of information and data.
Current and historical data may not
Key data, including email, is backed up be available for prioritized recovery
regularly and retained according to during an adverse event. With
business needs, available for restoration insecure data, data theft, misuse or
DS-11
in the event of processing errors and/or privacy violations may occur. If data
unexpected interruptions, and securely is retained beyond business unit
stored. requirements, unnecessary costs of
data storage may occur.
IT Risk and Controls Matrix
Process: IT Application Development and Change Management
Sub-Process Control Objective
System development projects and
System Development Life
changes to application code, system
Cycle Policy
software, reports, data, databases, and
1 resulting in cost, resource, and
application configurations have formal
IT Change Management
procedures for planning, authorization,
Policies and Procedures
testing, approval, and implementation.
System implementations and/or
significant modifications are approved
2 Planning and Initiation by senior management and planned
according to formal project management
requirements.
Formal analysis and design of system
implementations and/or significant
3 Analysis and Design
modifications adheres to a standardized
methodology and project standards.
System implementations and/or
significant modifications are built/coded
4 Construction
using a standardized methodology and
in accordance with project requirements.
Programming code is administered
using version control software to ensure
that changes are made in an orderly
5 Code Version Control
fashion, monitored, secured, and that
prior versions of the code can be
restored as necessary.
Data conversions are planned, tested,
6 Data Conversion and implemented for all projects
completely and accurately.
Testing for all system implementations
and changes to hardware, programs,
Testing: System, and data is planned, executed and
7
Integration, User approved by IT, stakeholder, and end
user management before transfer into
the production environment.
CAVR (Information processing objectives): C=Completeness; A=Accuracy; V=Validity; R=Restricted Access
F/S Assertions: E/O=Existence/Occurrence; C=Completeness; V/A=Valuation/Allocation; R/O=Rights/Obligations; P/D=Presentation/Disclosure
Control
Frequency
(Multi-daily,
Type: Preventive or
Automated or Manual Daily,Weekly,
Detective
(A,M) Monthly,
(P,D)
Control Type: Quarterly,
Financial Reporting Annual, Ad-hoc,
COBiT (FR), Regulatory FS Assertion/ Continuous) Control
Risk Ref Description of Key Control Activity (R), Operational (O) CAVR Performer
System development projects and all IT-
related changes may not be processed
PO-6
in a standardized, controlled manner,
PO-10
AI-3
operational inefficiencies, as well as
AI-6
jeopardizing the integrity of underlying
critical data.
Without approval by all stakeholders
and formal planning, projects may not PO-10
meet the needs of the business units or AI-1
IT, result in cost and resource overruns, AI-3
or may contain control deficiencies.
Without formal analysis and design,
projects may not meet the needs of the
AI-2
business units or IT, result in cost and
AI-3
resource overruns, or may contain
control deficiencies.
Without standardized and approved
construction methodology, projects may
not meet the needs of the business units AI-2
or IT, result in cost and resource AI-3
overruns, or may contain control
deficiencies.
Multiple versions of code may be
changed at once, creating replication
conflicts, changes to code may not be
AI-6
identified, monitored, or authorized,
and/or prior versions of the code may
not be recoverable.
Data may be inaccurately or
incompletely converted from the legacy AI-6
to the new system jeopardizing the AI-7
integrity of key data.
Implementations and changes that are AI-6
introduced into the production AI-7
environment may not be fully tested,
accurate, complete, approved, or meet
the needs of IT and/or the business
units, jeopardizing system functionality
and data integrity.

Testing: System,
7
Integration, User
8 Implementation (Go-live)
Testing for all system implementations
and changes to hardware, programs,
and data is planned, executed and
approved by IT, stakeholder, and end
user management before transfer into
the production environment.
Implementations of programming
changes are performed only after testing
is conducted and appropriate approvals
are received and documented.
Implementations and changes that are AI-6
introduced into the production AI-7
environment may not be fully tested,
accurate, complete, approved, or meet
the needs of IT and/or the business
units, jeopardizing system functionality
and data integrity.
AI-6
AI-7

Users may not be adequately trained to

Adequate user training and
Post Implementation--
documentation occurs for system
9 documentation and
implementations and significant
training
modifications.
properly utilize system functionality or
AI-4
corresponding controls and ineffective or
DS-7
inefficient system support may result
without properly system documentation.

Programming changes may be

10 Segregation of Duties
inappropriate or unauthorized and/or
Appropriate segregation of duties exist
testing results may be inappropriately
throughout the development, test, and
modified to gain approval, resulting in AI-2
production environments for application
changes that do not meet the needs of AI-6
developers, DBA's, production support
IT and/or the business units or that
personnel, and end users.
jeopardize system functionality and data
integrity.

Emergency changes may not be

11 Emergency Procedures
12 Vendor Changes
13 Patch Management
Emergency change procedures are
appropriate, documented, authorized,
subject to standardized change AI-6
tested, or approved, jeopardizing the
management polices.
integrity of data, programs, etc.
Substandard vendor performance and
Vendor services and supplied control deficiencies may not be
programming changes, upgrades, detected, reported, or remedied timely, AI-3
patches, etc. are reviewed, tested, and resulting in increased internal costs and AI-6
approved prior to implementation. vulnerabilities in system functionality
and data integrity.
Unremediated security and program
Software patches for known
code vulnerabilities may allow for
vulnerabilities are identified, obtained
inappropriate access to networks and AI-6
from the vendor, and applied in a timely
applications and result in unauthorized
manner.
systems activity.

Deviations from IT change control

policies and procedures or significant
root cause trends may not be detected
Management monitors adherence to IS' or addressed or appropriate resources PO-8
Management monitoring, change control policies through review may not be assigned to problematic PO-10
14
Quality Assurance of metric reports, status updates, areas. Further, changes or delays in AI-6
individual changes/projects. implementations that have significant AI-7
impact on business unit initiatives or
other dependent projects may not be
addressed.
IT Risk and Controls Matrix
Process: Access to Programs and Data CAVR (Information processing objectives): C=Completeness; A=Accuracy; V=Validity; R=Restricted Access
F/S Assertions: E/O=Existence/Occurrence; C=Completeness; V/A=Valuation/Allocation; R/O=Rights/Obligations; P/D=Presentation/Disclosure

Control
Frequency
Control Type: (Multi-daily,
Type:
Financial Automated Daily,Weekly, Key System Generated
Preventive or
Reporting or Manual Monthly, Reports or Applicable Systems or Tools
Detective
(FR), (A,M) Quarterly, Spreadsheets
(P,D)
Regulatory Annual, Ad-
(R), hoc,
COBiT Operational FS Assertion/ Continuous) Control
Sub-Process Control Objective Risk Ref Description of Key Control Activity (O) CAVR Performer

Formal procedures govern the Inappropriate IT and/or user access to

administration of IS and business user systems, programs, or data may occur,
Access Administration
1 access to programs and data and resulting in non-segregated duties, DS-5
and Monitoring
appropriate monitoring of user access unauthorized changes, or violations of
levels occurs. data privacy laws.

Security Appropriate segregation of duties exist Security administrators may be able to

2 Administration between security administration
Segregation of Duties personnel.
data and databases is restricted to
3 Database Security authorized personnel based on job
responsibilities,
related data filesisand
appropriately
computer
4 Application Security programs is restricted to authorized
personnel, is appropriately configured,
Logical access to the operating systems
and underlying hardware is restricted to
Operating System authorized personnel based on job
5
Security responsibilities, is appropriately
configured, and provides segregation of
duties.
Privileged ID activity is monitored to
identify and address unusual and/or
6 Activity Monitoring
inappropriate access to programs, files,
data, and the Internet.
grant inappropriate or conflicting access DS-5
to programs, data, etc.
DS-5
DS-9
DS-5
Inappropriate IT and/or user access to DS-9
systems, programs, or data may occur,
resulting in non-segregated duties,
unauthorized or undetected changes, or
violations of data privacy laws. DS-5
DS-9
Unusual or inappropriate access to
programs, files, or data may occur
DS-5
undetected and result in unauthorized
changes to key configurations or data.

Inappropriate internal and/or external

Internal and perimeter networks and
access to networks and related
Internal and perimeter related hardware are adequately DS-5
7 hardware, and therefore other system
network security configured and secured and activity is DS-9
resources, may occur undetected and
monitored and reported.
go unresolved.
 Inappropriate internal and/or external
Internal and perimeter networks and
access to networks and related
Internal and perimeter related hardware are adequately DS-5
7 hardware, and therefore other system
network security configured and secured and activity is DS-9
resources, may occur undetected and
monitored and reported.
go unresolved.

Transaction data sent between internal

Unsecure or improperly addressed
applications and business/operational
Transaction/Communi internal/external communications,
functions and/or external
8 cation Authentication transaction feeds, etc. may be DS-5
communications is secure and checked
and Integrity improperly accessed and/or the integrity
for proper addressing, authenticity of
of data may be jeopardized.
origin and integrity of content.

Adequate preventive and/or detective Viruses can jeopardize data integrity,

9 Virus Management controls exist to mitigate the exposure to disrupt computer processing, and create DS-5
viruses. system outages.

Without a timely, effective response to

Formal processes and procedures exist security incidents, the impact (including
Incident and
10 to identify, report, and address viruses, business reputation) of the incident may DS-5
Response
security weaknesses and exploitations. be more severe and/or the incident may
be likely to recur in the future.

Data is classified, prioritized, and DS-5

Privacy and confidentiality of data is
Data privacy and secured accordingly to comply with data
11 jeopardized, violating laws and
confidentiality privacy/confidentiality laws and
regulations.
regulations.