Control Monitoring Week #6 – CRISC Exam Prep ~ Domain #5
Bill Pankey, Tunitas Group
Job Practice
- 5.1 Plan, supervise and conduct testing to confirm continuous efficiency and effectiveness of information systems controls.
- 5.2 Collect information and review documentation to identify information systems control deficiencies.
- 5.3 Review information systems policies, standards and procedures to verify that they address the organization's internal and external requirements.
- 5.4 Assess and recommend tools and techniques to automate information systems control verification processes.
- 5.5 Evaluate the current state of information systems processes using a maturity model to identify the gaps between current and targeted process maturity.
- 5.6 Determine the approach to correct information systems control deficiencies and maturity gaps to ensure that deficiencies are appropriately considered and remediated.
- 5.7 Maintain sufficient, adequate evidence to support conclusions on the existence and operating effectiveness of information systems controls.
- 5.8 Provide information systems control status reporting to relevant stakeholders to enable informed decision making.
(Figure: CRISC Control Monitoring Domain – assess, mitigate, assure)
Risk vs Control Monitoring
- Risk monitoring relates to observations of factors correlated with risk (KRIs)
  - Early warning / predictive of change to risk profile
  - Identifies changes in risk factors (typically external)
- Control monitoring relates to the effective operation of the control
  - Management oversight
  - Are controls in place and operating as designed?
  - Are controls ‘effective’?
What to Monitor?
- Can’t monitor everything
  - ~100 risk scenarios in the risk registry
  - x multiple control points / types of controls
  - ~500 infosec controls in a representative catalog (NIST FIPS 200, BITS, ISO 27002)
  - x multiple systems / processes
  - x time parameters
- Question of cost effectiveness
  - Cost to collect, maintain, analyze data
  - Process ‘inefficiencies’ result from ‘documentation
Monitor ‘Key’ Controls (ISACA recommendation)
- Prioritize risk
- Identify key controls
  - No ISACA definition; PCAOB definition unhelpful? A key control is one that is required to provide reasonable assurance that material errors will be prevented or timely detected.
- Identify persuasive information (evidence) that indicates whether the control is operating ‘effectively’
- Implement monitoring
  - Cost-effective procedures to collect and analyze ‘persuasive information’
- Report results
Risk Based Key Control Id
- Key control selection based on control risk:
  - Importance of the risk being controlled (prioritization)
  - Likelihood of control failure
- Consider control risk factors, e.g.:
  - Complexity
  - Requirements for sophisticated judgment / agreement
  - Manual vs. automated
  - History of previous control failures
  - Competence of personnel
  - Ability of management to override
  - Likelihood of control failure detection during operations
Aggregate Control Risk
- Key control selection should consider aggregate control risk. Factors include:
  - Whether general or application control
    - ITGC are related to the environment within which computer-based application systems are developed, maintained and operated; applicable to many applications or processes
    - Application controls relate to completeness, accuracy and validity of [business] data
  - The control’s effect on the operation of other controls
  - Whether control failures are detected or corrected by other controls
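The two slides above describe key-control selection as a function of the importance of the risk, the likelihood of control failure (driven by the listed factors) and aggregate effects (ITGC scope, compensation by other controls). The following is an added worked example, not part of the original deck or any ISACA material: it scores the factors numerically, applies the aggregate adjustments and ranks a constructed set of controls. The factor weights, the 0..3 scoring scale, the ITGC scope multiplier, the 0.5 compensation factor and the control identifiers are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Control-risk factors listed on the slides, each scored 0 (low) .. 3 (high).
# The weights are an illustrative assumption for this example, not an ISACA scheme.
FACTOR_WEIGHTS = {
    "complexity": 1.0,
    "judgment_required": 1.0,
    "manual_operation": 1.5,
    "failure_history": 2.0,
    "low_personnel_competence": 1.0,
    "management_override": 1.5,
    "low_detection_in_operations": 1.0,
}
MAX_FACTOR_SCORE = 3


@dataclass
class Control:
    control_id: str
    description: str
    risk_importance: int                          # 1..5, priority of the risk it mitigates
    factors: dict = field(default_factory=dict)   # factor name -> 0..3
    is_general_control: bool = False              # ITGC vs application control
    dependent_applications: int = 1               # ITGC only: applications relying on it
    compensated_by_other_controls: bool = False   # failures caught/corrected elsewhere


def failure_likelihood(c: Control) -> float:
    """Weighted factor score, normalised to 0..1."""
    total = sum(w * c.factors.get(name, 0) for name, w in FACTOR_WEIGHTS.items())
    max_total = sum(FACTOR_WEIGHTS.values()) * MAX_FACTOR_SCORE
    return total / max_total


def control_risk(c: Control) -> float:
    """Importance of the risk x likelihood of failure, adjusted for aggregate effects."""
    score = c.risk_importance * failure_likelihood(c)
    if c.is_general_control:
        # An ITGC failure propagates to every application built on it (capped at 2x).
        score *= min(1 + 0.05 * (c.dependent_applications - 1), 2.0)
    if c.compensated_by_other_controls:
        # Failures that another control would detect or correct weigh less.
        score *= 0.5
    return round(score, 3)


def recommended_monitoring(c: Control) -> str:
    """Automated controls are candidates for continuous monitoring; manual ones for periodic review."""
    return "intermittent" if c.factors.get("manual_operation", 0) > 0 else "continuous"


def select_key_controls(controls, threshold: float):
    """Rank by control risk and return those at or above the threshold."""
    ranked = sorted(controls, key=control_risk, reverse=True)
    return [c for c in ranked if control_risk(c) >= threshold]


# Constructed sample controls (hypothetical identifiers and scores).
SAMPLE_CONTROLS = [
    Control("AC-01", "Quarterly manual user-access review", 5,
            {"complexity": 1, "judgment_required": 2, "manual_operation": 3,
             "failure_history": 2, "low_personnel_competence": 1,
             "management_override": 2, "low_detection_in_operations": 2}),
    Control("IA-05", "Automated password-complexity enforcement", 3,
            {"management_override": 1, "low_detection_in_operations": 1},
            is_general_control=True, dependent_applications=20),
    Control("AP-07", "Manual three-way match of supplier invoices", 4,
            {"complexity": 2, "judgment_required": 2, "manual_operation": 3,
             "failure_history": 1, "low_personnel_competence": 1,
             "management_override": 1},
            compensated_by_other_controls=True),
    Control("CM-03", "Firewall rule change approval", 4,
            {"complexity": 2, "judgment_required": 1, "manual_operation": 2,
             "management_override": 2, "low_detection_in_operations": 1},
            is_general_control=True, dependent_applications=5),
]

if __name__ == "__main__":
    for c in sorted(SAMPLE_CONTROLS, key=control_risk, reverse=True):
        print(f"{c.control_id} {control_risk(c):5.3f} {recommended_monitoring(c):12s} {c.description}")
    print("key controls:", [c.control_id for c in select_key_controls(SAMPLE_CONTROLS, 1.0)])
```

With these inputs the manual access review (AC-01) and the firewall change approval (CM-03) rank highest and are selected at a threshold of 1.0; the invoice match drops out because another control compensates for it, and the automated password control scores low even after the ITGC scope multiplier. The threshold itself is a management decision the model only informs.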
Evidence
- Direct information
  - Output from control operation, e.g. ‘sign-off’ documentation
  - Examination of control elements
  - Indication of compliance
- Indirect information
  - Data collected independent of the control | assessment that the control objective is achieved, e.g. ‘active employee’ tests
  - Indication of effectiveness
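The ‘active employee’ test named above is the classic piece of indirect evidence for a user-deprovisioning control: rather than inspecting the control’s own sign-offs, it compares an application’s account export with the HR roster and treats every enabled account that no active employee can account for as an exception. The script below is an added example, not from the original deck; the CSV data is constructed for illustration and the finding labels are hypothetical names chosen for this example.

```python
import csv
import io
from datetime import datetime

# Constructed sample data for the example (not real records):
# an HR roster and an application's user-account export.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E100,Alice Ng,active,
E101,Bob Ortiz,terminated,2024-03-15
E102,Chen Wei,active,
E103,Dana Ruiz,on_leave,
"""

ACCOUNT_EXPORT_CSV = """username,employee_id,enabled,last_login
ang,E100,true,2024-04-02
bortiz,E101,true,2024-03-28
cwei,E102,true,2024-04-01
druiz,E103,true,2024-02-10
svc_backup,,true,2024-04-02
jdoe,E999,true,2024-01-05
olduser,E101,false,2023-12-01
"""


def load_rows(csv_text: str):
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_date(text: str):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def active_employee_test(roster_rows, account_rows):
    """Return one exception per enabled account not backed by an active employee.

    Findings (hypothetical labels for this example):
      no_employee_linked          - no owner in HR (e.g. an unowned service account)
      unknown_employee_id         - employee id absent from the roster
      login_after_termination     - terminated employee; account used after the date
      terminated_employee_enabled - terminated employee; account enabled but unused since
      employee_not_active         - employee exists but status is not 'active'
    """
    roster = {r["employee_id"]: r for r in roster_rows}
    exceptions = []
    for acct in account_rows:
        if acct["enabled"].strip().lower() != "true":
            continue  # a disabled account is the outcome the control should produce
        emp_id = acct["employee_id"].strip()
        emp = roster.get(emp_id)
        if not emp_id:
            finding = "no_employee_linked"
        elif emp is None:
            finding = "unknown_employee_id"
        elif emp["status"] == "terminated":
            term = parse_date(emp["termination_date"])
            last = parse_date(acct["last_login"])
            finding = ("login_after_termination" if term and last and last > term
                       else "terminated_employee_enabled")
        elif emp["status"] != "active":
            finding = "employee_not_active"
        else:
            continue
        exceptions.append({"username": acct["username"], "employee_id": emp_id, "finding": finding})
    return exceptions


def summarize(exceptions, account_rows):
    """Exception rate and counts per finding: the figures a control-status report carries."""
    enabled = sum(1 for a in account_rows if a["enabled"].strip().lower() == "true")
    counts = {}
    for e in exceptions:
        counts[e["finding"]] = counts.get(e["finding"], 0) + 1
    return {"enabled_accounts": enabled, "exceptions": len(exceptions),
            "exception_rate": round(len(exceptions) / enabled, 3) if enabled else 0.0,
            "by_finding": counts}


def run_test():
    roster = load_rows(HR_ROSTER_CSV)
    accounts = load_rows(ACCOUNT_EXPORT_CSV)
    exceptions = active_employee_test(roster, accounts)
    return exceptions, summarize(exceptions, accounts)


if __name__ == "__main__":
    exceptions, summary = run_test()
    for e in exceptions:
        print(f"{e['username']:<12} {e['employee_id']:<6} {e['finding']}")
    print(summary)
```

A login recorded after the termination date is the strongest finding here, because it shows the control objective (no access after separation) was not achieved regardless of what the deprovisioning paperwork says. The exception rate over time is the kind of figure that feeds the status reporting in job practice 5.8.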
Intermittent Monitoring
- Typically based on a snapshot of data
  - Current state of system
  - Inputs
  - Evidence from controls
- Timing of periodic control reviews based on:
  - Risk events
  - Regulatory requirements
Monitoring Change
- Test / baseline key control at a specific point (implementation?) to ensure operational effectiveness
- Implement change management process to prevent changes that degrade control effectiveness
- Audit change controls to ensure their effectiveness
- Assurance of the continued effectiveness of the key control
Continuous Monitoring (Concurrent Audit)
http://www.isacacochin.org/downloads/17-concurrent-audit .../download
- Automated methods
  - Integrated test facility: introduce test data into the production system
  - Snapshots: ‘pictures’ of data at different points in the transaction
  - Continuous and intermittent simulation (CIS)
  - SCARF (systems control audit review file) | EAM (embedded audit module): “Involves embedding audit software modules within a host application system to provide continuous monitoring of the system’s transactions”
- Relevance limited to controls that are themselves automated?
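To make the SCARF/EAM and integrated test facility techniques concrete, here is an added example (not part of the original deck or the linked ISACA Cochin material): a toy transaction processor with an audit module embedded inline that writes selected transactions to an audit review file, plus an ITF test entity whose transactions flow through the same code but are kept out of the real ledger. The audit rules, thresholds, the `ITF-` account prefix and the sample transactions are assumptions constructed for this example.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime

# ITF test entity (assumed convention): transactions on accounts with this prefix are
# fictitious test data the audit team feeds through production; they must never
# reach the real ledger.
ITF_ACCOUNT_PREFIX = "ITF-"


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: float
    created_by: str
    approved_by: str
    timestamp: str   # ISO 8601


# Embedded audit rules: each names a condition the auditor wants captured as it
# occurs. The thresholds are assumptions for this example.
AUDIT_RULES = {
    "AMOUNT_OVER_LIMIT": lambda t: t.amount > 10_000,
    "SELF_APPROVED": lambda t: t.created_by == t.approved_by,
    "OUTSIDE_BUSINESS_HOURS": lambda t: not 8 <= datetime.fromisoformat(t.timestamp).hour < 18,
}


class AuditReviewFile:
    """SCARF: the exceptions the embedded module selects, held for later auditor review."""

    def __init__(self):
        self.records = []

    def record(self, txn: Transaction, rule: str):
        self.records.append({"rule": rule, **asdict(txn)})

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def process_transactions(txns, scarf: AuditReviewFile):
    """Host application processing with the embedded audit module (EAM) inline.

    Returns (ledger_ids, itf_ids): transactions posted to the real ledger and those
    diverted to the ITF test entity. Every transaction, real or ITF, passes through
    the audit rules, so the ITF data also proves the EAM itself is firing.
    """
    ledger, itf = [], []
    for t in txns:
        for rule, predicate in AUDIT_RULES.items():   # the embedded audit module
            if predicate(t):
                scarf.record(t, rule)
        if t.account.startswith(ITF_ACCOUNT_PREFIX):  # keep test data out of the books
            itf.append(t.txn_id)
        else:
            ledger.append(t.txn_id)
    return ledger, itf


# Constructed sample transaction stream.
SAMPLE_TXNS = [
    Transaction("T1", "1001", 250.00, "u.alice", "u.bob", "2024-04-02T10:15:00"),
    Transaction("T2", "1001", 25_000.00, "u.alice", "u.bob", "2024-04-02T11:00:00"),
    Transaction("T3", "2002", 500.00, "u.carol", "u.carol", "2024-04-02T23:30:00"),
    Transaction("T4", "ITF-9999", 12_000.00, "u.audit", "u.audit", "2024-04-02T14:00:00"),
]


def run_demo():
    scarf = AuditReviewFile()
    ledger, itf = process_transactions(SAMPLE_TXNS, scarf)
    return ledger, itf, scarf


if __name__ == "__main__":
    ledger, itf, scarf = run_demo()
    print("posted to ledger:", ledger, "| ITF test entity:", itf)
    print(scarf.to_jsonl())
```

The point of the slide’s closing question shows up here: the module only sees what the application processes, so it monitors automated controls (limits, segregation of creator and approver) well, but says nothing about a manual control such as a reviewer reading a report.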
CRISC EXAM
- Typical ISACA exam
  - “Practice oriented” with few ‘concept & keyword’ type questions
  - ‘Best’ in a context
- Ambiguous language use
  - Uncertainty about the exact question
  - Uncertainty about the intended level of precision: technical vs. colloquial or informal use of a term
- Selection of “controversial” answers (some)
  - Knowledgeable and experienced professionals will disagree
- 120 questions, 4 hours
Strategy
- Ensure answers conform to basic themes / axioms of the CRISC domain, e.g.:
  - IT risk is business risk
  - Multiple types of IT risk (strategy; delivery; ops)
  - Risk management process
  - Multiple sources for a given risk
  - Goal of risk management is to achieve business objectives
Strategy
- Assume that each question is logically complete
  - Try to answer without recourse to assumptions about the current state of threats / asset values
- But, if you must make an assumption …
  - Assume the most generally applicable / persistent conditions
    - International administration
    - Multiple verticals / regulatory regimes, etc.
Strategy
- Answer all questions
  - No penalty for incorrect answers
  - Guess as need be
- Avoid time crunch
  - 1st pass: complete the exam; answer every question; mark ‘problematic’ answers (in test booklet) for review (2 hours max)
  - 2nd pass: review answers to marked questions (1 hour)
  - 3rd pass: further work on ‘hard’ questions
Strategy
- Maintain a positive ‘test attitude’
- AVOID trivializing the test
  - Difficulty of ISACA tests may be deceptive
- Don’t be frustrated by ambiguity
  - Best ‘guess’ followed by resolution on a subsequent pass
Practice Questions