The IT control environment is the set of standards, processes, and structures that provide the basis for carrying out IT internal control across the organization1. The IT control environment comprises the IT governance, IT policies and procedures, IT organizational structure, IT roles and responsibilities, IT competencies and training, and IT culture and ethics2. The effectiveness of the IT control environment can be measured by how well it supports the achievement of the organization’s IT objectives, such as IT reliability, security, compliance, and performance3.
One of the best ways to provide the most up-to-date information about the effectiveness of the organization’s overall IT control environment is to perform periodic penetrationtesting. Penetration testing is the process of simulating real-world cyberattacks on the organization’s IT systems, networks, and applications, to identify and exploit any vulnerabilities, weaknesses, or gaps in the IT control environment4. Penetration testing can help to:
Evaluate the current state and maturity of the IT control environment and its alignment with the organization’s risk appetite and tolerance
Detect and prioritize the most critical and urgent IT risks and threats that may compromise the organization’s IT objectives or assets
Test and validate the effectiveness and efficiency of the existing IT controls and their ability to prevent, detect, or respond to cyberattacks
Provide recommendations and feedback for improving the IT control environment and enhancing the IT security posture and resilience of the organization
References = COSO – Control Environment - Deloitte, How to use COSO to assess IT controls - Journal of Accountancy, What is Penetration Testing?, [Penetration Testing: A Guide for Business Leaders]
Submit