The American Institute of Certified Public Accountants (AICPA) developed “Trust Services Principles and Criteria,” which is useful in evaluating controls over IT systems.
Below are seven steps to help determine if adequate controls are in place over your company’s IT systems:
- Guidance – Obtain the latest “Trust Services Principles and Criteria” from the AICPA. The latest AICPA guidance, pictured below, was issued in 2016.
- Principles – Determine which trust services principles are applicable to your IT systems, such as security, availability, processing integrity, confidentiality and privacy. These principles are defined in section TSP 100.13 of the guidance.
- Applicable Criteria – Certain criteria or objectives used to evaluate a system are common to all the trust services principles. This common criteria includes:
- organization and management
- communications
- risk management and design and implementation of controls
- monitoring of controls
- logical and physical access controls
- system operations
- change management
In addition to these seven common criteria, there is additional criteria for each of the trust services principles of availability, processing integrity, confidentiality, and privacy. If any of those principles are applicable to your IT systems, this additional criteria will also be relevant.
- Identify Risks – Review the illustrative risks and controls in “Trust Services Principles and Criteria” for each of the relevant criteria identified in Step 3 above. Using the illustrative risks as a guide, consider and document the actual risks most concerning to your IT systems. Once this risk document is complete, it can be maintained as a baseline and updated periodically.
- Identify Controls – What controls are important in order for your entity to mitigate those risks? Use the illustrative controls in “Trust Services Principles and Criteria” as a guide to consider and document controls in place for each risk.
- Monitoring Procedures – Are the controls at your entity properly designed and implemented? Are specific individuals responsible and accountable? Design and document appropriate monitoring procedures so you will have evidence controls are operating effectively.
- Remediate Control Issues – Are control issues identified and communicated in a timely manner to the appropriate individuals and stakeholders? Are issues resolved quickly?
Our CPA’s and Certified Information Systems Auditors (CISA) are skilled and trained to quickly and efficiently assist your company with properly evaluating, designing and implementing IT controls to ensure your organization’s IT systems are secure and reliable. We evaluate IT controls every day, and we can help you. Email us at abc@abcpas.com to learn more or call 800-930-2923. Visit our website for more information @ http://www.abcpas.com/it-controls-audits.htm
Leave a Reply