Consulting

Security Assessment & Testing

Co-Sourcing

Managed Security Services

Internal Controls Risk Assessment

Sarbanes 404 Technology Audits

Application Security

Fraud Detection

Information Request

Contact Us


Internal Controls Risk Assessment

Internal Controls provide management with reasonable assurances that:
Operations are efficient and effective

Business activity is recorded accuratel

Financial reporting is reliable

Risk management systems are effective

The firm complies with laws, regulations, internal policies and internal procedures.
The process of assessing internal controls to meet the above objectives, in a cost-effective manner, starts with an entity-wide risk assessment that is relatively granular in terms of the controls that are needed to mitigate the identified business risks. To satisfy regulators, and regulations like Sarbanes-Oxley, as well as gain confidence that the domain of risks is sufficiently comprehensive, technology auditors use widely-accepted standards for the risk assessment process. Typically, in the United States these are COBIT (Control Objectives for Information and related Technology), and internationally the ISO (International Organization for Standards) standards.

Using these control objectives to drive the risk assessment results in a summary document that shows the business risk, its likelihood of occurrence, the impact on an organization, and the ease of detection and recovery from an identified business risk. To this summary, we add the control procedures that seek to reduce or mitigate the business risk to an acceptable level. On an annual basis, when the risk assessment is performed, it is worthwhile to compare the previous year's or years' risk value for each control to be aware of changes in risk areas and note the risks that are increasing.

We now have a listing of controls procedures that are ranked from high-to-low risk, know those areas where risk is increasing and can create the audit plan and scope of audits to provide management with assurances that these controls are in place, functioning and can be relied upon.

Once the audit plan has been executed, the results are first communicated to management for their comments and remediation plans. The complete document, with management comments is then presented to the Audit committee (for public companies) for review and action.

Technology Controls are typically addressed by assessing:
The IT General Controls that affect the entire business entity. This includes governance, environmental, change management, security administration, BCP/Disaster Recovery and vendor management among many other issues.

Application Controls, including Application Security, accuracy and completeness.

Specific Regulatory Compliance Reviews for GLBA, HIPAA, SOX 404 and more.

Service Provider Controls including SAS 70 User Control considerations.
For more information on how FDC Associates can be your IT Audit and Governance Solutions provider, complete an Information Request or Contact Us.