IT Risk and Controls Matrix

Process: IT Governance

Sub-Process Control Objective

The IT organization is designed for

effective job responsibilities, functional
1 IT Organization
segregation of duties, business unit
support, and management oversight.

IT employee roles, responsibilities, and

skill sets are documented and
2 Roles and Responsibilities periodically reviewed to ensure
adequate and effective technology
service is provided.

IT policies and procedures, including

information security and operations,
provide formal and standardized
3 Policies and Procedures guidance to IS employees, and
company-wide employees as
appropriate, and provide appropriate
compliance measures.

IT Management periodically assesses

risk and determines whether adequate
4 Risk Assessment/Governance
policies, procedures, and mitigating
controls exist.

IT Management drafts and implements a

strategic plan which solicits and governs
5 Strategic Planning technology expectations across the
organization and aligns with the overall
corporate strategy.
 IT Management drafts and implements
an annual budget which sets and
governs technology and resource
6 Budgeting
spending across the IS department and
within individual projects and is
incorporated into the corporate budget.

IT identifies, records, and reports

Cost Administration and
7 system development/enhancement
SOP98-1
costs using a formal methodology.

Operational performance of the IT

department is monitored and addressed
Operational Monitoring and by IT management and results are
8
Reporting reported to, and feedback is solicited
from, business unit management and
the BOD, as appropriate.

Management monitors vendors'

performance and control practices to
Vendor Management and
9 identify and address contract violations,
Service Level Agreements
deficient service levels and control
practices.
recorded, periodically inventoried, and
10 IT Asset Inventory, Licenses properly disposed to ensure existence,
proper use, and compliance
The information architecture (application
inventory, system architectures, data
11 Information Architecture flow diagrams, etc) is documented and
periodically reviewed and data
ownership is assigned and monitored.

IT legal, regulatory and contractual

12 IT Regulatory Compliance requirements are identified, inventoried,
monitored, and addressed.
 COBiT
Risk Ref Description of Key Control Activity

A poorly designed IT organization

may not meet the support needs of
the business units, may create
ineffective governance and PO-4
performance, and cause non
segregated IS duties at an individual
level.

Employees may not be aware of or

appropriately matched to roles and
responsibilities based upon their skill PO-4
sets, resulting in substandard service
performance.

Governance is weakened without

formal policies and procedures to
PO-4
guide daily IT employee
PO-6
responsibilities and processes and
DS-13
compliance is difficult to measure,
monitor, and enforce.

PO-4
IT risks and/or control deficiencies
PO-6
may not be timely identified,
PO-9
addressed, or mitigated.
ME-2

IT may not have adequate planning,

resources, or technologies which are
prioritized according to business unit PO-1
needs and support future initiatives. PO-3
AI-3
Ineffective fiscal, technology, or
resource management may occur, PO-5
resulting in inefficient funding and AI-3
spending.

Inaccurate or incomplete IT and

system development costs may be
allocated/capitalized, impacting
DS-6
internal cost allocations and the
corporate balance sheet and income
statement.

Substandard operating performance

PO-8
(e.g. throughput, Help Desk support,
ME-1
etc.) and related root causes may
ME-4
not be detected, reported, or
DS-1
remedied timely and IT may not be
DS-3
meeting the needs of the business
DS-10
units.
Substandard vendor performance
and control deficiencies may not be
DS-1
detected, reported, or remedied
DS-2
timely, resulting in increased internal
costs and vulnerabilities.
IT assets may be misappropriated,
inappropriately secured or used, and DS-9
licensing contracts may be violated.
Without a clearly documented and
understood information architecture,
PO-2
controls over data, application
DS-9
dependencies, strategic planning,
etc. may not effective or efficient.

Non-compliance with legal,

regulatory and contractual
ME-3
requirements may result in lawsuits,
fines, and/or reputational damage.
 CAVR (Information processing objectives): C=Completeness; A=Accuracy; V=Validity; R=Restricted Acces
F/S Assertions: E/O=Existence/Occurrence; C=Completeness; V/A=Valuation/Allocation; R/O=Rights/Obli

Control
Frequency
(Multi-daily,
Type:
Automated Daily,Weekly,
Preventive or
or Manual Monthly,
Control Type: Detective
(A,M) Quarterly,
Financial (P,D)
Annual, Ad-
Reporting (FR), FS hoc, Control
Regulatory (R), Assertion/ Continuous) Performer,
Operational (O) CAVR Owner
A=Accuracy; V=Validity; R=Restricted Access
V/A=Valuation/Allocation; R/O=Rights/Obligations; P/D=Presentation/Disclosure

Key System
Applicable Systems or
Generated Reports
Tools
or Spreadsheets
IT Risk and Controls Matrix
Process: IS Governance and Operations CAVR (Information processing objectives): C=Completeness; A=Accuracy; V=Validity; R=Restricted Access
F/S Assertions: E/O=Existence/Occurrence; C=Completeness; V/A=Valuation/Allocation; R/O=Rights/Obligations; P/D=Presentation/Disclosure

Control
Frequency
(Multi-daily,
Type:
Automated Daily,Weekly, Key System
Preventive or Applicable Systems or
or Manual Monthly, Generated Reports
Control Type: Detective Tools
(A,M) Quarterly, or Spreadsheets
Financial (P,D)
Annual, Ad-
Reporting (FR), FS Control
hoc,
COBiT Regulatory (R), Assertion/ Continuous) Performer,
Sub-Process Control Objective Risk Ref
PO-8 Description of Key Control Activity Operational (O) CAVR Owner
and procedures, captures and reports allbe captured, addressed using a
DS-8
1 Help Desk user requests, and provides the front formalized process, reported, or
Improper production scheduling, DS-10
end controlby
monitored from the ITauthorized
properly change control analyzed to determine root causes
including unauthorized or DS-13
Job Scheduling and personnel and changes / deviations
2 uncontrolled changes, or monitoring DS-13
Batch Processing from production processing are
may result in data corruption errors
identified, documented, approved and
and delays in production processing.
Inaccurate or incomplete data feeds
Data feeds are monitored and errors are
are received/sent and/or identified
3 Data feed balancing addressed and reported using a formal AC
errors are not timely or appropriately
resolution process.
resolved, jeopardizing data integrity.

Operational failures and their root

Software issues, including emergency causes may not be identified, AC
Operational Failures, change requests, are documented, documented, or resolved timely or DS-3
4
Error resolution reported, monitored, approved, and effectively, resulting in continued DS-10
resolved timely. processing problems or data DS-13
unavailability.

Poorly designed networks and lax

Management of networks and servers is
Network, Database monitoring/resolution of issues may DS-3
5 subject to formal policies, including
Management and Monitoring result in communication or retrieval DS-13
formal monitoring procedures.
delays of information and data.

Current and historical data may not

Key data, including email, is backed up be available for prioritized recovery
regularly and retained according to during an adverse event. With
business needs, available for restoration insecure data, data theft, misuse or
6 Data Backup and Recovery DS-11
in the event of processing errors and/or privacy violations may occur. If data
unexpected interruptions, and securely is retained beyond business unit
stored. requirements, unnecessary costs of
data storage may occur.
IT Risk and Controls Matrix
Process: IT Application Development and Change Management CAVR (Information processing objectives): C=Completeness; A=Accuracy; V=Validity; R=Restricted Access
F/S Assertions: E/O=Existence/Occurrence; C=Completeness; V/A=Valuation/Allocation; R/O=Rights/Obligations; P/D=Presentation/Disclosure

Control
Frequency
(Multi-daily,
Type: Preventive or
Automated or Manual Daily,Weekly,
Detective
(A,M) Monthly,
(P,D)
Control Type: Quarterly,
Financial Reporting Annual, Ad-hoc,
COBiT (FR), Regulatory FS Assertion/ Continuous) Control
Sub-Process Control Objective Risk Ref Description of Key Control Activity (R), Operational (O) CAVR Performer
System development projects and all IT-
System development projects and
System Development Life related changes may not be processed
changes to application code, system PO-6
Cycle Policy in a standardized, controlled manner,
software, reports, data, databases, and PO-10
1 resulting in cost, resource, and
application configurations have formal AI-3
IT Change Management operational inefficiencies, as well as
procedures for planning, authorization, AI-6
Policies and Procedures jeopardizing the integrity of underlying
testing, approval, and implementation.
critical data.

System implementations and/or Without approval by all stakeholders

significant modifications are approved and formal planning, projects may not PO-10
2 Planning and Initiation by senior management and planned meet the needs of the business units or AI-1
according to formal project management IT, result in cost and resource overruns, AI-3
requirements. or may contain control deficiencies.

Without formal analysis and design,

Formal analysis and design of system
projects may not meet the needs of the
implementations and/or significant AI-2
3 Analysis and Design business units or IT, result in cost and
modifications adheres to a standardized AI-3
resource overruns, or may contain
methodology and project standards.
control deficiencies.
Without standardized and approved
System implementations and/or construction methodology, projects may
significant modifications are built/coded not meet the needs of the business units AI-2
4 Construction
using a standardized methodology and or IT, result in cost and resource AI-3
in accordance with project requirements. overruns, or may contain control
deficiencies.
Programming code is administered Multiple versions of code may be
using version control software to ensure changed at once, creating replication
that changes are made in an orderly conflicts, changes to code may not be
5 Code Version Control AI-6
fashion, monitored, secured, and that identified, monitored, or authorized,
prior versions of the code can be and/or prior versions of the code may
restored as necessary. not be recoverable.
Data may be inaccurately or
Data conversions are planned, tested,
incompletely converted from the legacy AI-6
6 Data Conversion and implemented for all projects
to the new system jeopardizing the AI-7
completely and accurately.
integrity of key data.

Testing for all system implementations

and changes to hardware, programs,
Testing: System, and data is planned, executed and Implementations and changes that are AI-6
7
Integration, User approved by IT, stakeholder, and end introduced into the production AI-7
user management before transfer into environment may not be fully tested,
the production environment. accurate, complete, approved, or meet
the needs of IT and/or the business
units, jeopardizing system functionality
and data integrity.
 Testing for all system implementations
and changes to hardware, programs,
Testing: System, and data is planned, executed and Implementations and changes that are AI-6
7
Integration, User approved by IT, stakeholder, and end introduced into the production AI-7
user management before transfer into environment may not be fully tested,
the production environment. accurate, complete, approved, or meet
the needs of IT and/or the business
units, jeopardizing system functionality
and data integrity.
Implementations of programming
changes are performed only after testing AI-6
8 Implementation (Go-live)
is conducted and appropriate approvals AI-7
are received and documented.

Users may not be adequately trained to

Adequate user training and
Post Implementation-- properly utilize system functionality or
documentation occurs for system AI-4
9 documentation and corresponding controls and ineffective or
implementations and significant DS-7
training inefficient system support may result
modifications.
without properly system documentation.

Programming changes may be

inappropriate or unauthorized and/or
Appropriate segregation of duties exist
testing results may be inappropriately
throughout the development, test, and
modified to gain approval, resulting in AI-2
10 Segregation of Duties production environments for application
changes that do not meet the needs of AI-6
developers, DBA's, production support
IT and/or the business units or that
personnel, and end users.
jeopardize system functionality and data
integrity.

Emergency changes may not be

Emergency change procedures are
appropriate, documented, authorized,
11 Emergency Procedures subject to standardized change AI-6
tested, or approved, jeopardizing the
management polices.
integrity of data, programs, etc.
Substandard vendor performance and
Vendor services and supplied control deficiencies may not be
programming changes, upgrades, detected, reported, or remedied timely, AI-3
12 Vendor Changes
patches, etc. are reviewed, tested, and resulting in increased internal costs and AI-6
approved prior to implementation. vulnerabilities in system functionality
and data integrity.
Unremediated security and program
Software patches for known
code vulnerabilities may allow for
vulnerabilities are identified, obtained
13 Patch Management inappropriate access to networks and AI-6
from the vendor, and applied in a timely
applications and result in unauthorized
manner.
systems activity.

Deviations from IT change control

policies and procedures or significant
root cause trends may not be detected
Management monitors adherence to IS' or addressed or appropriate resources PO-8
Management monitoring, change control policies through review may not be assigned to problematic PO-10
14
Quality Assurance of metric reports, status updates, areas. Further, changes or delays in AI-6
individual changes/projects. implementations that have significant AI-7
impact on business unit initiatives or
other dependent projects may not be
addressed.
IT Risk and Controls Matrix
Process: Access to Programs and Data CAVR (Information processing objectives): C=Completeness; A=Accuracy; V=Validity; R=Restricted Access
F/S Assertions: E/O=Existence/Occurrence; C=Completeness; V/A=Valuation/Allocation; R/O=Rights/Obligations; P/D=Presentation/Disclosure

Control
Frequency
Control Type: (Multi-daily,
Type:
Financial Automated Daily,Weekly, Key System Generated
Preventive or
Reporting or Manual Monthly, Reports or Applicable Systems or Tools
Detective
(FR), (A,M) Quarterly, Spreadsheets
(P,D)
Regulatory Annual, Ad-
(R), hoc,
COBiT Operational FS Assertion/ Continuous) Control
Sub-Process Control Objective Risk Ref Description of Key Control Activity (O) CAVR Performer

Formal procedures govern the Inappropriate IT and/or user access to

administration of IS and business user systems, programs, or data may occur,
Access Administration
1 access to programs and data and resulting in non-segregated duties, DS-5
and Monitoring
appropriate monitoring of user access unauthorized changes, or violations of
levels occurs. data privacy laws.

Security Appropriate segregation of duties exist Security administrators may be able to

2 Administration between security administration grant inappropriate or conflicting access DS-5
Segregation of Duties personnel. to programs, data, etc.
data and databases is restricted to
DS-5
3 Database Security authorized personnel based on job
DS-9
responsibilities,
related data filesisand
appropriately
computer
DS-5
4 Application Security programs is restricted to authorized Inappropriate IT and/or user access to DS-9
personnel, is appropriately configured, systems, programs, or data may occur,
Logical access to the operating systems resulting in non-segregated duties,
and underlying hardware is restricted to unauthorized or undetected changes, or
Operating System authorized personnel based on job violations of data privacy laws. DS-5
5
Security responsibilities, is appropriately DS-9
configured, and provides segregation of
duties.
Privileged ID activity is monitored to Unusual or inappropriate access to
identify and address unusual and/or programs, files, or data may occur
6 Activity Monitoring DS-5
inappropriate access to programs, files, undetected and result in unauthorized
data, and the Internet. changes to key configurations or data.

Inappropriate internal and/or external

Internal and perimeter networks and
access to networks and related
Internal and perimeter related hardware are adequately DS-5
7 hardware, and therefore other system
network security configured and secured and activity is DS-9
resources, may occur undetected and
monitored and reported.
go unresolved.
 Inappropriate internal and/or external
Internal and perimeter networks and
access to networks and related
Internal and perimeter related hardware are adequately DS-5
7 hardware, and therefore other system
network security configured and secured and activity is DS-9
resources, may occur undetected and
monitored and reported.
go unresolved.

Transaction data sent between internal

Unsecure or improperly addressed
applications and business/operational
Transaction/Communi internal/external communications,
functions and/or external
8 cation Authentication transaction feeds, etc. may be DS-5
communications is secure and checked
and Integrity improperly accessed and/or the integrity
for proper addressing, authenticity of
of data may be jeopardized.
origin and integrity of content.

Adequate preventive and/or detective Viruses can jeopardize data integrity,

9 Virus Management controls exist to mitigate the exposure to disrupt computer processing, and create DS-5
viruses. system outages.

Without a timely, effective response to

Formal processes and procedures exist security incidents, the impact (including
Incident and
10 to identify, report, and address viruses, business reputation) of the incident may DS-5
Response
security weaknesses and exploitations. be more severe and/or the incident may
be likely to recur in the future.

Data is classified, prioritized, and DS-5

Privacy and confidentiality of data is
Data privacy and secured accordingly to comply with data
11 jeopardized, violating laws and
confidentiality privacy/confidentiality laws and
regulations.
regulations.