Establish an Effective System of Internal IT Controls to Mitigate Risks

The only thing worse than a lack of control is the illusion of control.


This content requires an active subscription.

Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.

Speak With A Representative Sign In
or Call: 1-888-670-8889 (US) or 1-844-618-3192 (CAN)

Your Challenge

  • Deficiencies in controls could result in a serious breach for the company, or worse – your job.
  • Despite these drastic consequences, improving the system of internal controls remains a low priority for many IT organizations and their leaders.

Our Advice

Critical Insight

  • You don’t need to implement every control. Maximize your risk mitigation at a low cost by focusing on your organization’s greatest risks.

Impact and Result

This research will help you prevent or resolve the following situations:

  • High Risk Operations: Risks that could damage the business are not being mitigated.
  • Lack of Clarity: We don’t know what our controls are. There is no documentation and processes differ from business unit to business unit.
  • Lack of Adherence: Effective internal controls exist, but no one follows them.
  • Lack of Effectiveness: We have controls in place that are followed, but they seem to be ineffective or we don’t know how effective they are.

Establish an Effective System of Internal IT Controls to Mitigate Risks


Understand the importance of internal controls

Gain an understanding of the process of establishing a well-designed system of internal controls.


Assess need for control

Identify and analyze the severity of IT’s risks; the level of control will be determined by the severity of the risk.


Assess control coverage

Map current controls to risks and create an action plan to close the gaps in your current control coverage.


Establish controls

Develop and communicate controls effectively to ensure adoption.


Monitor and evaluate controls

Adapt to changing risks by continuously and effectively monitoring and evaluating your system of internal controls.


Assemble proof of effective controls

Provide artifacts to auditors.

Info-Tech Academy

Get Info-Tech Certified

Train your staff and develop a world-class IT team.

New to Info-Tech Academy? Learn more here

Business Process Controls & Internal Audit Course

The only thing worse than a lack of control is the illusion of control.
This course makes up part of the Security & Risk Certificate.

Now Playing: Executive Brief

Course information:

Title: Business Process Controls & Internal Audit Course
Number of Course Modules: 5
Estimated Time to Complete: 2-2.5 hours

David Yackness, Sr. Research Director, CIO Practice
James Alexander, SVP of Research and Advisory, CIO Practice

Onsite Workshop

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Control Coverage

The Purpose

  • Recognition of the benefits and importance of internal controls.
  • Identification of the risks of an ineffective system of internal controls.
  • Assessment of the adequacy of current controls and their coverage of risks.

Key Benefits Achieved

  • Selected metrics to measure your system of internal controls.
  • Risks prioritized relative to their current control coverage.



Select metrics.

  • Selected metrics and baseline measurements of internal control capability.


Identify and assess IT’s greatest risks.

  • List of IT’s greatest risks ranked by severity of risk.


Map controls to risks.


Assess the adequacy of control coverage for each risk.

  • IT risks prioritized relative to their current control coverage.

Module 2: Establish, Monitor, and Evaluate Controls

The Purpose

  • Identification of specific controls to implement.
  • Identification of best practices for control development and monitoring.
  • Communication of controls.
  • Assign roles and responsibilities for the governance of internal controls.

Key Benefits Achieved

  • Identified specific controls to mitigate risks and assigned implementation owner.
  • Discussed best practices for developing and monitoring controls.
  • Communicated controls effectively to end users.
  • Roles and responsibilities assigned for governance of internal controls.



Identify the processes affected by each risk.


Determine the specific controls to implement for each control coverage gap.

  • Recommended action plan for each risk to achieve adequate control coverage.


Create an inventory of control establishment activities.

  • Inventory of internal control establishment initiatives.


Discuss best practices for designing controls.

  • Sample control documents.


Assign metrics to measure individual control effectiveness.

  • Selected metrics and baseline measurements of effectiveness of individual controls.


Develop an internal control communication plan.

  • Internal control communication plan.


Create a RACI chart for governance of internal controls.

  • Completed RACI chart for internal control monitoring.


Discuss control monitoring and evaluating best practices.

  • Internal control self-assessment checklist.

Search Code: 74122
Published: October 9, 2014
Last Revised: October 9, 2014