2.5. CONTROLS OVER INFORMATION TECHNOLOGY SYSTEMS
2.5.1. Coso Guidance
COSO describes framework for considering IT-related controls that groups these controls into two types: general computer controls and application-specific controls.
General controls include controls over:
Data center operations (e.g., job scheduling, backup and recovery procedures)
Systems software controls (e.g., the acquisition and implementation of operating systems)
Access security
Application system development and maintenance controls (e.g., the acquisition and implementation of individual computer software applications)
Application controls are designed to control data processing and help ensure the completeness and accuracy of transaction processing, authorization and validity. Application controls also encompass the way in which different applications interface with each other and exchange data.
The COSO Report does not mandate this approach to assessing the effectiveness of internal controls but states that this is one set of groupings of IT-related control activities that can be used.
2.5.2. Cobit Framework
Since the release of the COSO, the Information Systems Audit and Control Association and Foundation has developed its COBIT framework, which provides a generally applicable and accepted standard for information technology security and control practices. Among IT audit professionals, COBIT is widely accepted.
The COBIT framework is similar to COSO in that it puts controls within the context of an ...
Get How to Comply With Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.