Design Control Framework
Control design for providing evidence of the regularity of business processes
Industry
Status Quo
- Providing services to companies regulated by supervisory law
- Outsourcing portfolio enforces provision of evidence of the regularity of business processes
- Requirements for a control framework and comparison with the current situation required
Goal
- Identification of requirements in relation to outsourcing
- Deviation analysis (target vs. actual) to internal and external requirements
- Concept for the creation of a control framework
Initial situation
Due to the outsourcing situation, the aim of this project was to describe business processes in relation to the legal basis and requirements. One of the main focuses here was on certification in accordance with IDW PS951, an auditing standard published by the Institute of Public Auditors in Germany (IDW) for regulating an outsourced internal control system (ICS) to a service company. IDW PS951 Type 2, which is relevant for the audit of the annual financial statements, comprises an audit of (i) the adequacy of the internal control system presented, (ii) the implementation of the required controls, and (iii) their effectiveness for a defined period of time.
To this end, (i) the adequacy of the ICS of the outsourcing activity first requires a design of a framework that provides remedies for:
- Link to business requirements,
- Integration of IT-related activities into a generally accepted process model,
- identification of essential IT resources to be controlled, and
- the definition of control objectives to be taken into account.
Our approach
Identification and analysis of requirements
The basis for the operation of the ICS are the relevant, generally applicable laws, regulations, standards and specifications that apply to the companies listed in the scope and the associated risks for the companies.
As part of the IT compliance management system, IT compliance analyzes all sets of rules in the first phase with regard to the impact of the requirements or parts of the requirements they contain on the IT internal control system (IT ICS) and thus indirectly on the IT organizational structure, IT processes or IT systems (IT relevance check). For each set of rules, a decision is made as to whether it has IT relevance and is therefore pursued further within the framework of the IT CMS. The result of the analysis is summarized in the IT compliance register. Requirements are determined on the basis of the corresponding derived IT rules and regulations.
Process classification and control objectives
Requirements were then derived from the IT-relevant sets of rules and assigned to a process in the IT process landscape for implementation. The process assignment (IT process landscape) is summarized in corresponding documentation. For a downstream design of the corresponding controls, control objectives are to be worked out. This provides the basis for the definition of controls (control design) by the process owner. The principle applies that at least one IT control must be assigned to each control objective.
Gap-analysis and process accountability
The GAP analysis played a key role. The analysis was used to identify shortfalls ("finding"), i.e., outsourcing-relevant requirements for which no or ineffective controls are implemented from the customer's perspective. The corresponding assignable regulators, process owners, etc. can also be directly viewed on the basis of the design created. It should be noted that in this context the assignment of requirements to the respective COBIT Core Objectives proves to be very useful when it comes to developing new controls in the event of undercoverage of certain IT requirements.