IT Examiner School, Providence, RI
D&A Control Practices
• Management must properly assess key risks to implement the right controls
• Controls need to focus on the practices used to protect the entity
• Controls need to be written, and the entity must ensure that staff follow them (testing through audits)
• Controls, like software, need to be re-evaluated regularly
– Appropriate guidance and standards for ALL activities
– Tailored to the organization’s unique characteristics
– Provide for appropriate training
– Reviewed and approved at least annually by the Board, documented in the Board minutes
Project & Change Management
• Projects are started for:
– Phasing out of old technology
– Generate value from new products supported by technology
– Maintain IT related risk at an acceptable level by updating current technology
– Implement additional new security software to fend off cyber incidents/attacks
– Implement/update network architecture and/or backup structure
– Technology updates requiring assessment of risk to patch vulnerabilities