IT Governance, Risk, and Compliance » Knowledge-base

Compliance through Automation: Continuous Monitoring – Part VIII

Robert Davis — Mon, 18 Oct 2010 12:48:21 +0000

Since management is responsible for the entity’s controls, they should have the means to determine, on an ongoing basis, whether selected controls are operating as designed. Continuous monitoring typically addresses management’s responsibility to assess the adequacy and effectiveness of controls. It enhances managerial capabilities and entity-level controls, while striving to enable maintaining acceptable performance levels. Furthermore, with the ability to identify and correct control problems on a timely basis, automated continuous monitoring enriches an entity’s compliance program. Nonetheless, the key to a successful deployment of automated continuous monitoring is process ownership by personnel assigned responsibility for responding to reported exception conditions.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part VII

Robert Davis — Thu, 14 Oct 2010 15:21:57 +0000

Continuous monitoring allows management to have greater insight into the entity’s current state of compliance. Typically, for IT, continuous monitoring involves ongoing automated testing of selected datum within a given process area against a suite of control protocols. Management can utilize this information to set or reset process guidelines, rules and tests; through applied analytics identifying performance gaps or unusual events that may suggest control failures. This type of continuous monitoring can exist in IT hardware, firmware or software enabled to observe and record automated activities. Therefore, automated continuous monitoring provides a timely feedback mechanism for management to ensure that configuration items and controls are operating as designed and datum are processed appropriately.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part VI

Robert Davis — Mon, 11 Oct 2010 18:02:25 +0000

To ensure effective continuous monitoring, adequate segregation-of-functions must be sustained. Continuous monitoring and segregation-of-functions are not new control concepts. Yet, technological integration issues can be a barrier to implementing continuous monitoring systems that are: independent of operational processes and capable of easy configuration for specific risk tolerance requirements. Procedurally, achieving appropriate functional independence in an automated system necessitates defining IT and operational user work units considering control context. As a result, when properly deployed, segregation-of-functions assures organizational responsibilities do not impinge upon independence or corrupt information system asset integrity while tracking and collecting datum regarding individual processes.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part V

Robert Davis — Thu, 07 Oct 2010 12:28:17 +0000

According to The Institute of Internal Auditors, “Continuous monitoring of controls is a process that management puts in place to ensure that its policies and procedures are adhered to, and that business processes are operating effectively.” Though manual performance monitoring may suffice in low technology situations, in most high technology environments automated controls become a necessary part of the IT architecture for ensuring information reliability and integrity. As suggested by John Verver in Risk Management and Continuous Monitoring, the technology underpinnings to enable an effective continuous monitoring strategy should include several key components: independence from the system that processes the datum; the ability to compare data and information across multiple platforms; the ability to process large volumes of datum; and prompt notification to management of items that represent control exceptions.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part IV

Robert Davis — Mon, 04 Oct 2010 17:25:45 +0000

To enable effective deployment, the three levels of continuous monitoring must operate harmoniously. The data provisioning level supplies raw datum for analysis after completing the collection process. This collected data can be extracted from processed and formatted output that is produced by defined processes and/or through direct data access. The extracted datum is commonly stored in a data repository and/or retained in original form. Certain datum may also need to be stored at the information management level. This includes information about the structure of systems being monitored as well as analytic definitions (such as conditional statements). Analysis of the data is performed utilizing various tools and the output is sent to the presentation medium level for evaluation by designated users.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part III

Robert Davis — Thu, 30 Sep 2010 18:54:38 +0000

“Monitoring encompasses the tracking of individual processes, so that information on their state can be easily seen, and statistics on the performance of one or more processes can be provided.” Conceptually, continuous monitoring systems generally consist of three levels: data provisioning, information management, and information presentation. Data provisioning is enabled by the collection and storage of specified items in an assigned location. Information management utilizes the combination of IT architecture knowledge, analytic knowledge, as well as collected data to assess processing. Whereby, information presentation provides results from monitored conditions.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part II

Robert Davis — Mon, 27 Sep 2010 17:30:35 +0000

An entity’s MIS represents the aggregation of personnel, computer hardware and software, with associated policies and procedures, allowing data processing to generate utilizable information for decision-making. Pre-specified and routine decisions, which form the policies and procedures that are typically documented by an entity, are designed to provide time for managers to address non-routine activities and consider improvements to the currently deployed control processes through removal from the more mundane aspects of day-to-day operations. However, process monitoring is required to ensure: expected outcomes are achieved for assigned functional responsibilities and irregular activities are detected on a timely basis.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part I

Robert Davis — Thu, 23 Sep 2010 14:10:24 +0000

Commonly, a Management Information System (MIS) is deployed to permit performance monitoring to assess compliance with adopted standards and enable corrective actions and/or process improvements to an entity’s control systems. Generally accepted key elements enabling successfully managing the risks inherent in many control systems resides in the ability to monitor processes independently and continuously as close to the execution point as possible. Yet, analytic technologies capable of continuous monitoring are typically lacking in MIS deployments. Therefore, a continuous monitoring system conjunctively implemented within operational configuration items can enhance variance detection as well as improve compliance verification and exception reporting systems.

Compliance through Automation: Expert Systems – Part VIII

Robert Davis — Mon, 20 Sep 2010 12:21:57 +0000

From a technical perspective, the typical expert system can be divided into two essential parts: the knowledge base and the inference engine. The knowledge base contains the body of knowledge, or set of facts and relationships, obtained from the knowledge acquisition phase. The rules associated with a knowledge base tend to be heuristic and take the form of conditional statements. Whereas, the inference engine is a collection of computer routines that control the system paths through the knowledge base to enable recommendations. In addition, the inference engine serves as a bridge between the knowledge base and user.

Methodologically, the knowledge engineer defines the ambit of issues that the purposed system will address because one logic path too broad may result in a system too difficult to manage and may generate a system crash. Contrastingly, the knowledge engineer must be careful not to limit an issue too much because a logic path too narrow will produce a system so rudimentary that results will be worthless.

“View Part I of the Compliance through Automation: Expert Systems series here“

Compliance through Automation: Expert Systems – Part VII

Robert Davis — Thu, 16 Sep 2010 16:08:04 +0000

To assist in assessing decisional acumen, most managers are under observation for situational responses impacting the entity. Therefore, information reliability is critical. During the final stage of preparation for deployment, an expert system has to be validated to ascertain reliability and scope of decisional processes. In the model validation step a knowledge engineer and/or IT assurance professional identifies errors, omissions and mistakes in the knowledge base. Furthermore, since the constructed system is designed to simulate an expert’s decision making process, it should be tested against opinions of subject matter experts. Lastly, if the system is later updated to keep the knowledge base current, model reevaluation is necessary to ensure continued decisional reliability.

“View Part I of the Compliance through Automation: Expert Systems series here“