I’ve been talking to myself lately (I do this a lot) about control in the IT environment. That is, change control and security of the information systems from an audit point of view. There are two viewpoints that seem to be discussed.
I’ve heard one viewpoint that says think about it like a manufacturing process where you put processes and controls in place to get a high yield (or a low excursion rate) on control breakdowns. That is, you can’t achieve 100% control and, just like a real-world manufacturing process, you are always going to have events that seem to be out of control. One will always find excursions, there will always be exceptions, there will always be special cases or emergencies where changes are made outside the normal control processes.
On the other hand, from an audit point of view, one should expect the assets to be ‘in control’ with no exceptions. Any excursion where someone has access they are not supposed to have, or a change is made outside of the normal change control processes, is significant and should not happen. There is no yield concept, and exceptions should never happen.
What do you think? What is the correct answer?
Realize that 100% perfection is hard to obtain and very expensive.