Generally Accepted System Security Principles
P-11 Internal Control Principle
Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved
Information security forms the core of an organization's
information internal control system.
This principle originated in the financial arena but has universal
applicability. As an internal control system, information security
organizations and safeguards should meet the standards applied to other
internal control systems. "The internal control standards define the
minimum level of quality acceptable for internal control systems in
operation and constitute the criteria against which systems are to be
evaluated. These internal control standards apply to all operations and
administrative functions but are not intended to limit or interfere with
duly granted authority related to development of legislation,
rulemaking, or other discretionary policymaking in an organization or
agency.
A. General Standards
- 1. Reasonable Assurance. Internal control systems are to provide
reasonable assurance that the objectives of the systems will be
accomplished.
- 2. Supportive Attitude. Managers and employees are to maintain
and demonstrate a positive and supportive attitude toward internal
controls at all times.
- 3. Competent Personnel. Managers and employees are to have
personal and professional integrity and are to maintain a level of
competence that allows them to accomplish their assigned duties, as well
as understand the importance of developing and implementing good
internal controls.
- 4. Control Objectives. Internal control objectives are to be
identified or developed for each organizational activity and are to be
logical, applicable, and reasonably complete.
- 5. Control Techniques. Internal control techniques are to be
effective and efficient in accomplishing their internal control
objectives.
B. Specific Standards
- 1. Documentation. Internal control systems and all transactions
and other significant events are to be clearly documented, and the
documentation is to be readily available for examination.
- 2. Recording of Transactions and Events. Transactions and other
significant events are to be promptly recorded and properly classified.
- 3. Execution of Transactions and Events. Transactions and other
significant events are to be authorized and executed only by persons
acting within the scope of their authority.
- 4. Separation of Duties. Key duties and responsibilities in
authorizing, processing, recording, and reviewing transactions should be
separated among individuals.
- 5. Supervision. Qualified and continuous supervision is to be
provided to ensure that internal control objectives are achieved.
- 6. Access to and Accountability for Resources. Access to
resources and records is to be limited to authorized individuals, and
accountability for the custody and use of resources is to be assigned
and maintained. Periodic comparison shall be made of the resources with
the recorded accountability to determine whether the two agree. The
frequency of the comparison shall be a function of the vulnerability of
the asset.
C. Audit Resolution Standard
Prompt Resolution of Audit Findings. Managers are to (1) promptly
evaluate findings and recommendations reported by auditors, (2)
determine proper actions in response to audit findings and
recommendations, and (3) complete, within established time frames, all
actions that correct or otherwise resolve the matters brought to
management's attention. [3]"
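The specific standards B.3 (execution only within the scope of authority), B.4 (separation of duties), B.2 (prompt recording) and B.6 (access limited to authorized individuals, with periodic comparison of resources against recorded accountability) are the ones an information security function usually has to turn into mechanism. The following Python is an added example written for this page, not part of the GASSP text or the standards it quotes. It models a single transaction that must pass through the four key duties named in B.4 and enforces that each step is performed by someone holding that authority and that no one person performs two of the steps; it also includes the B.6 reconciliation of recorded accountability against actual holdings. The authority register, the people, the asset names and the quantities are all constructed for illustration; the step names are taken from standard B.4.

```python
"""Enforcing separation of duties and resource reconciliation (added example)."""
from dataclasses import dataclass, field

# Key duties named in standard B.4, in the order a transaction moves through them.
STEPS = ("authorize", "process", "record", "review")

# Constructed authority register (hypothetical people and roles). 'erin' is
# deliberately over-privileged to show that holding two roles still does not let
# one person perform two key duties on the same transaction.
ROLES = {
    "alice": {"authorize"},
    "bob": {"process"},
    "carol": {"record"},
    "dave": {"review"},
    "erin": {"authorize", "process"},
}


class ControlViolation(Exception):
    """Raised when an action would breach an internal control standard."""


@dataclass
class Transaction:
    tx_id: str
    asset: str
    amount: int
    actors: dict = field(default_factory=dict)   # step -> person who performed it
    log: list = field(default_factory=list)      # B.2: every step recorded promptly

    def perform(self, step: str, person: str) -> bool:
        """Perform one key duty on this transaction, or raise ControlViolation."""
        if step not in STEPS:
            raise ValueError(f"unknown step {step!r}")
        # B.3: only persons acting within the scope of their authority.
        if step not in ROLES.get(person, set()):
            raise ControlViolation(f"{person} lacks authority to {step} {self.tx_id}")
        # B.4: key duties on one transaction are separated among individuals.
        if person in self.actors.values():
            prior = ", ".join(s for s, p in self.actors.items() if p == person)
            raise ControlViolation(
                f"{person} already performed '{prior}' on {self.tx_id}; cannot also {step}")
        # Steps happen in order: nothing is processed before it is authorized, etc.
        expected = STEPS[len(self.actors)]
        if step != expected:
            raise ControlViolation(f"{self.tx_id}: expected '{expected}', got '{step}'")
        self.actors[step] = person
        # B.2 / B.1: the event is recorded and the record is available for examination.
        self.log.append({"tx": self.tx_id, "step": step, "by": person,
                         "asset": self.asset, "amount": self.amount})
        return True

    def complete(self) -> bool:
        """True once all four key duties have been performed by distinct people."""
        return len(self.actors) == len(STEPS) and len(set(self.actors.values())) == len(STEPS)


def reconcile(recorded: dict, actual: dict) -> dict:
    """B.6: compare resources on hand with recorded accountability.

    Returns {asset: (recorded, actual)} for every asset where the two disagree,
    using None where an asset appears on only one side.
    """
    mismatches = {}
    for asset in sorted(set(recorded) | set(actual)):
        rec, act = recorded.get(asset), actual.get(asset)
        if rec != act:
            mismatches[asset] = (rec, act)
    return mismatches


if __name__ == "__main__":
    tx = Transaction("T1", "prod-db-admin-credential", 1)
    for step, person in zip(STEPS, ("alice", "bob", "carol", "dave")):
        tx.perform(step, person)
    print("T1 complete:", tx.complete(), "log entries:", len(tx.log))

    tx2 = Transaction("T2", "prod-db-admin-credential", 1)
    tx2.perform("authorize", "erin")
    try:
        tx2.perform("process", "erin")       # same person, second key duty
    except ControlViolation as e:
        print("blocked:", e)

    # Constructed figures: what the register says vs. what an inventory found.
    print(reconcile({"hw-token": 40, "vpn-cert": 12}, {"hw-token": 39, "vpn-cert": 12, "ssh-key": 3}))
```

The `reconcile` function only reports differences; the standard leaves the comparison interval to the vulnerability of the asset, so the caller decides how often to run it. In practice the "recorded accountability" side would come from the access register or CMDB and the "actual" side from an enumeration of the live system (ACLs, issued tokens, key inventories), and any non-empty result is itself a finding to be resolved under standard C.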