Develop and Report Overall Conclusion and Recommendations
The substantiated risk of the control weaknesses must be communicated to the different stakeholders of the assurance initiative. The assurance professional should document any identified control weaknesses and resulting threats and vulnerabilities, and identify and
document the actual and potential impact. In addition, the assurance professional may provide comparative information, e.g., through benchmarks, to establish a reference framework in which the test results ought to be evaluated. The objective is to identify items of significance to be able to articulate to the stakeholder the recommended actions and reasons for taking action.
This phase includes aggregating the results of the previous phases, developing a conclusion concerning the identified control weaknesses and communicating:
• Recommended actions to mitigate the impact of the control weaknesses
• Performance comparison to standards and best practices for a relative view on the results
• The risk associated with a failure to perform the process effectively
The formulated conclusion and recommendations should allow the responsible party to take further steps and remedial actions. When the assurance initiative is performed within an assurance context, the assurance professional needs to be thoughtful of formal assurance communication and compliant with assurance reporting standards and guidelines.
EXAMPLES OF THE USE OF DETAILED ASSURANCE STEPS
The following sections provide illustrative examples of how the assurance testing steps could be applied.
Testing of Control Design
Situation: General computer controls review in a transaction processing organisation; assessment of the COBIT process AI6
Manage Changes; COBIT control objective AI6.2 Impact assessment, prioritisation and authorisation
Observations: For the selected systems (e.g., application, platform or network), the assurance professional inventoried the types of changes that can be implemented, procedures (formal or informal) currently in place, all parties involved in the change
management process, tools used, etc. This was done through interviews with involved persons and enquiries for documented procedures. The result of this work was a comprehensive and correct flowchart of the change management process.
The assurance professional reviewed the identified process flow to determine whether there was a step defined in the procedure to assess the impact of a change by a competent person or group of persons. The assurance professional observed that the template for requesting and approving changes included a section on impact assessment. However, the change management procedure did not mention that this information is mandatory, and the absence of this information did not lead to a rejection of the change request. In addition, the procedure did not mention any documentation standards or required verification and approval steps for the impact assessment.
Test Result: The design of this control is flawed, because a fundamental component of the control, i.e., impact assessment, is incomplete at best. It is possible that changes are implemented without proper risk assessment, which can lead to unplanned and difficult-to-contain operational disruptions or malfunctions.
Testing for the Effectiveness of the Control
Situation: General computer controls review in a transaction processing organisation; assessment of the COBIT process AI6
Manage Changes; COBIT control objective AI6.3 Emergency changes
Observations: As part of the evaluation of the control design, the assurance professional identified that, for all relevant change management procedures, there is a control defined to help ensure that emergency change requests are reintroduced into the normal change management cycle. In addition, the assurance professional found that there is a procedure that ensures that all emergency changes are appropriately logged in a change management tool.
As part of the control effectiveness testing, a sample of emergency change requests was selected from the change management tool and traced to their reintroduction as normal changes. This tracing included verification of whether the emergency change was actually introduced again as a normal change and whether it was processed following the
normal change management procedure.
The assurance professional observed that from the sample of 25 emergency changes selected, three were not subsequently reprocessed as normal changes. In addition, the assurance professional found that from the 22 emergency changes that had been duly reintroduced, only 10 were discussed at the change management board—or at
least that there was a trace available that indicated that the 10 changes were discussed (trace included information stored in the change management tool).
Test Result:
The emergency change procedure is not effective for two reasons:
• Not all emergency changes are reintroduced in the system, leading to a risk of losing emergency changes from sight and not learning from them.
• Emergency changes that have been reintroduced are most likely inadequately discussed and documented, leading to the same risk.
Documenting the Impact of Control Weaknesses
Situation: General computer controls review in a transaction processing organisation; assessment of the COBIT process AI6
Manage Changes; COBIT control objective AI6.3 Emergency changes
Observations: Using the situation as described, the assurance professional needed to gain additional information and perform further analysis to assess and document the impact of the control weaknesses. For the aforementioned examples, the assurance professional needed to consider the types and numbers of changes affected by the control weaknesses.
Some of the required information might/should already be gathered at the planning stage. This information should be used to evaluate the materiality of the weaknesses noted. Notably, the changes affected should be mapped back to the relevant infrastructure components and the applications/information they support/process. In addition, SLA penalties might apply. Analysis of problems noted in the past can help establish the real potential impact of the weaknesses noted.
In this case, it turns out, after discussion with the responsible change manager and confirmation with other change management board members, that the missing emergency changes relate to non-critical systems, and that the missing documentation was only a documentation issue, whereas the actual change, its cause and consequences had, indeed,
been discussed but were not formally documented.
Test Result: Although the control weaknesses remain as they have been observed, further analysis and documentation showed that the weaknesses were of a lesser importance than originally assessed.
CONCLUSION
An assurance initiative involves three phases. First, the assurance professional must develop a plan that identifies the assurance universe and uses an appropriate IT control framework to identify the assurance objectives based on a high-level risk assessment. Second, the initiative must be scoped through a top-down analysis that identifies the business goals to be examined and the IT goals that support those business goals, then identifies the IT processes and resources necessary to accomplish the IT goals and the key control objectives that must be accomplished for those processes to function effectively. Third, the initiative must be executed by refining understanding of the key control objectives within the assurance universe, evaluating the design and operational effectiveness of control procedures that address key control objectives, evaluating the impact of any deficiencies that come to light, and communicating findings and recommendations to stakeholders.
