Effective policy, procedure, or directive compliance requires an extensive set of interrelated practices as well as processes. However, organizational policies, procedures, and directives may not incorporate controls or may reflect inadequate controls. Furthermore, organizational policies, procedures, and directives may be inaccurate, incomplete, or outdated. Conversely, regarding adequate controls, GCC organizational policies, procedures and directives should include computer security measures. Specifically, at a minimum, one organizational GCC policy and procedure should address unauthorized computer usage and requesting computer access.
Through key operations GCC; Segregation-of-Functions (SOF) and Segregation-of-Duties (SOD) supports policies, procedures, directives, and an organizational structure established to inhabit one individual from conducting unauthorized actions or gaining unauthorized access to assets or records. Assessing control existence and adequacy for an audit area are primary IT auditor responsibilities. Therefore, an IT auditor should study and evaluate policies, procedures, directives, SOF, and SOD controls as well as protection-of-information-assets to demonstrate due diligence regarding irregular and illegal act risks.
“View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here“