The objective of this audit report is to reduce the volume of controls to focus on key risks and associated controls, improve consistency of controls across application, infrastructure and IT processes, and clarify control ownership as needed. This report includes a process overview, risk review, criteria for control changes, key control review, key IT risks, summary of rationalized risks, reduction of controls by risk, a list of controls by risk, and next steps.
The following primary opportunities for improvement were identified and documented in this report:
- Many controls had similar wording and thoughts but were inconsistent from entity area to entity area.
- Many controls were listed as “key” for multiple areas when those areas were dependent on another process.
- Good business practices were often included as controls.
- Controls were identified as “key” but fell below the corporate guidance for the dollar threshold.