Soft Controls in IT Auditing

Weighing the importance of soft controls in information technology auditing and control

Team 810: Alex de Leeuw & Clyve Lo-A-Njoe

Vrije Universiteit Amsterdam


Postgraduate IT Audit education, VU Amsterdam

Team number: 810

Students: Drs. C. Lo-A-Njoe, Drs. A.P. de Leeuw

Coach: Drs. R.F. van Rijsewijk EMIA CIA [Deloitte]

Counsellor: Drs. B. van Staveren RE [UWV]

Deloitte Accountants B.V., Enterprise Risk Services, Laan van Kronenburg 2, P.O. Box 300, 1180 AH Amstelveen, The Netherlands

Contact information:

Clyve Lo-A-Njoe, e: [email protected], m: +31 6 20 789 655

Alex de Leeuw, e: [email protected], m: +31 6 20 789 803


"Ethics is knowing the difference between what you have a right to do and what is right to do."

Potter Stewart, 92nd Associate Justice of the United States Supreme Court


Executive summary

Introduction

1. A Closer Look at Organisations
   1.1 Classification of Organisations
   1.2 Other Indicators
   1.3 Risk Management, Control and the Role of the Control Environment

2. Hard Controls and Soft Controls in IT Auditing
   2.1 COBIT at a Glance
   2.2 Soft Controls Explained
   2.3 Soft Controls in IT Auditing: the IT Control Environment

3. Case Study: Applying the Balanced Approach
   3.1 XS4ALL Internet B.V.
   3.2 Using an Alternative Approach
   3.3 Organisational Perspectives: The Business Controller
   3.4 Assessment of Soft Controls

4. Conclusion
   4.1 Conclusion
   4.2 Further Research

Appendix
   Acknowledgements
   Bibliography
   Tables and Figures
   Endnotes


EXECUTIVE SUMMARY

In the last two decades organisations have experienced the full impact of the information society. Companies around the globe are faced with the fact that their business processes cannot exist without the support of information systems and technology. This has also affected the way in which management controls its organisation. Similarly, the increase in relevance and growth of the IT auditing profession has been profound.

To control its organisation, management had to implement controls for the IT organisation as well. A control framework, COBIT, was developed and broadly applied. This framework, which is also used by accounting firms in their IT audits, prescribes strict IT policies and procedures (‘hard controls’) for companies to comply with. We experienced that this method lends itself best to implementation at traditional organisations that are often large, mature, and predominantly focused on production rather than on their employees.

We argue that the straightforward COBIT approach should be significantly adapted for organisations that do not fit the characteristics noted above. Organisations that are young, small, creative and flexible may find that simply implementing COBIT is actually counter-productive. We argue that before auditing or advising an organisation to follow a specific approach, auditors and consultants should take into account the specifics of that organisation. Organisations should be carefully evaluated with regard to their organisation type and their management or leadership style. Typical indicators such as size, maturity, innovativeness and culture are also critical in assessing the IT control framework that is best suited to an organisation. COBIT hardly takes these characteristics into account.

Alternatives to COBIT, like COSO, CoCo, and especially Simons’ Levers of Control, do weigh these organisational factors. These frameworks combine soft controls with hard controls and in doing so create a balance between control and empowerment. This combined approach is key in small, young and innovative organisations.

In a case study at the Dutch internet service provider XS4ALL, we noted that it was inefficient to implement the unmodified COBIT framework, as these hard controls clashed with the culture of the organisation and were even experienced as counter-productive. XS4ALL aimed to improve its internal controls, but this required a tailored approach that fits its organisation.

The solution was found in applying an IT-specific Control Environment (ITCE) that takes into account the specific strengths of the organisation: its soft controls. The ITCE is derived from the COSO Internal Environment model and contains elements that allow companies to factor in the specific aspects and culture of an organisation. The ITCE was used to test the existence of soft controls that, when combined with hard controls, allowed the organisation to be in control of its IT processes.

The authors recommend further testing of the concept of soft controls in IT, to assess the validity of the IT Control Environment with different types of organisations.


INTRODUCTION

The digital revolution has had unimaginable effects on our society. New industries have emerged, business models that seemed ludicrous not so long ago have proven to be sustainable, and entire communities interact in ways no-one could have predicted. Our society has evolved into an information society, in which individuals can cooperate and compete globally. Thomas Friedman (Friedman, 2006) therefore argues that the world is flat. Traditional boundaries such as distance and time simply do not apply anymore.

One of the key accelerators of this ‘flattening’ is of course technology. The marginal cost of bandwidth is nearly zero, and a vast proportion of the world’s population now has access to personal computers and the internet. For most businesses, IT has become a mission-critical enabler. Consequently, the importance of, and reliance on, IT auditing has increased tremendously since its early beginnings in the 1960s. IT control frameworks have been developed and some have matured into globally used benchmarks, such as COBIT[i]. IT auditing has also evolved into an integral part of most financial statement audits, as for most companies transactions are recorded digitally.

In this paper, we argue that IT auditors should take into account the specifics of the organisation in order to perform audits efficiently and effectively. Using a single one-size-fits-all approach does not meet the needs of today’s wired world. It is time for IT auditors to take the next step in the development of their profession, look outside the server room, and factor in the organisational environment of IT auditing. The same applies to IT control consultants who advise management on the ways in which they should control their IT environment.

Different organisations require different approaches. Using a shotgun approach (by simply opening up the COBIT floodgates) will lead to false negatives and frustration at the audited organisation, and confusion among auditors. Instead, just as IT has changed the world in which we live, the way in which we communicate, and the way in which we do business, so too should IT auditing change – by adapting to the organisational culture, structure, and management style.

To be able to use a pragmatic approach to IT auditing, IT auditors must first understand how companies differ, and what role the organisational culture plays. The organisational variables determine the approach the auditor should use. Only if the IT auditor understands the organisation can he or she perform true value-added audits.

To understand the differences between organisations, we will look at the various ways in which organisations can be classified. Next, we will discuss a model in which these classifications serve as variables; the analogy of a scale is used to argue how some factors correlate and push the scale in one direction or the other, thereby determining what approach the auditor should use.

Then, two distinct control methods are discussed: hard controls (such as COBIT), and soft controls (such as the organisation’s control environment). We will argue that all IT audits should weigh the identified factors to decide on the balance of hard and soft controls. Some large and mature organisations will have implemented COBIT controls, and will effectively rely on these controls to manage their IT environment. Other companies (such as small and nimble start-ups) will have some basic COBIT controls in place, but will probably rely much more on soft controls to manage their IT.

After the theoretical discussion, we will discuss a case study in which this balanced approach is used, followed by conclusions and recommendations for further research.

Amsterdam, April 2008


1. A CLOSER LOOK AT ORGANISATIONS

Although all organisations have some common characteristics, no two organisations are identical. Organisations have different structures, goals, constituencies, leadership styles, tasks and surrounding environments (Laudon & Laudon, 1998). This chapter describes distinctive features, such as organisational structure and leadership style, and argues how these characteristics can influence management control. We argue that the way in which management controls its organisation should be a key factor in an auditor’s approach. The ramifications of this approach for IT auditing and control are discussed in chapter 2.

1.1 CLASSIFICATION OF ORGANISATIONS

MINTZBERG

Throughout the centuries, scholars have studied the many organisational types that have originated since the earliest forms of cooperation. In many cases, the research focused on differences and similarities between organisations, which helped with classifying organisations into a set of organisational types. One of the best known and widely used examples is that of Henry Mintzberg (Mintzberg, 1979). Mintzberg classified organisations into a set of five clearly distinguishable variants. The type of organisation, as Mintzberg classifies it, influences management of control through its coordination of people, power and dynamics. The table below shows the Mintzberg classification.

Entrepreneurial Structure: Young, small firm in a fast changing environment dominated by a single entrepreneur and managed by a single chief executive officer. Employees are under direct supervision.

Machine Bureaucracy: Large bureaucracy organised into functional divisions that centralizes decision making, produces standard products and exists in a slow changing environment.

Professional Bureaucracy: Knowledge-based organisation such as a law firm or hospital that is dominated by department heads with weak centralized authority; operates in a slowly changing environment.

Divisionalized Bureaucracy: Combination of many machine bureaucracies, each producing a different product or service, under one central headquarters.

Adhocracy: Task force organisation, such as an ad firm, designed to respond to a rapidly changing environment and characterised by groups of specialists organised into short-lived multidisciplinary task forces.

TABLE 1: FIVE ORGANISATIONAL STRUCTURES BY MINTZBERG

Besides Mintzberg, many more scholars have published studies on why organisations take on so many different forms: different in the sense that they cater to different markets and produce different goods or sell different services, but also different in the way in which they are organised and structured. As most employees with some experience will attest, different leadership styles can also have an impact on management control.

BLAKE & MOUTON

Blake & Mouton published a well-known model on the different management styles in organisations (Blake & Mouton, 1964). The model, which debuted at the beginning of the Contingency Viewpoint[ii] of management, noted that different management styles can be useful in certain situations. Blake & Mouton’s model has five leadership styles that can be plotted in a grid along two variables: the concern for people, and the concern for production. Figure 1 shows the Blake & Mouton Managerial Grid.

FIGURE 1: BLAKE AND MOUTON MANAGERIAL GRID

MCGREGOR

A third significant model is the behavioural model by Douglas McGregor (McGregor, 1960), in which two distinctly different leadership styles are discussed. The leadership styles are based on the beliefs of managers about their subordinates. The first of these leadership styles is labelled Theory X; it holds that leaders tell subordinates exactly what is expected of them, as employees require as much direction as possible. Furthermore, Theory X states that employees dislike work, and will avoid it if possible. Managers should coerce employees to get them to work.

In contrast, the leadership style dubbed ‘Theory Y’ assumes that people like to work, and that employees who are committed to the company’s objectives will exercise self-direction and self-control. Additionally, employees accept and even seek responsibility in the workplace, which allows leaders to consult with their subordinates, allowing them to take part in the planning and decision-making process. With Theory Y, leaders believe people will work hard, cooperate and have positive attitudes towards the organisation.

FIGURE 1 (contents): the grid plots Concern for Production against Concern for People, with five styles:

Authoritarian (High Production / Low People): Efficiency in operations results from arranging conditions of work in such a way that human elements interfere to a minimum degree.

Team Leader (High Production / High People): Work accomplishment is from committed people; interdependence through a ‘common stake’ in organisation purpose leads to relationships of trust and respect.

Country Club (High People / Low Production): Thoughtful attention to needs of people for satisfying relationships leads to a comfortable, friendly organisation atmosphere and work tempo.

Impoverished (Low Production / Low People): Exertion of minimum effort to get required work done is appropriate to sustain organisation membership.

Middle-of-the-Road (Medium Production / Medium People): Adequate organisation performance is possible through balancing the necessity to get out work with maintaining morale of people at a satisfactory level.


Theory X and Theory Y affect the effectiveness of management control in an organisation. Depending on the goals of an organisation, either Theory X or Theory Y will be best suited to achieve those goals. On the other hand, when the theory is taken too literally, X and Y seem to represent unrealistic extremes. Theory X emphasizes strict procedures to achieve business goals in a controlled manner. In contrast, Theory Y encourages managing people through empowerment. Most organisations require a leadership style that falls somewhere in between these extremes.

The table below summarizes McGregor’s Theory X-Y.

Theory X:

- The average human being has an inherent dislike of work and will avoid it if he can.
- Because of their dislike for work, most people must be controlled and threatened before they will work hard enough.
- The average human prefers to be directed, dislikes responsibility, is unambitious, and desires security above everything else.

Theory Y:

- The expenditure of physical and mental effort in work is as natural as play or rest.
- Control and punishment are not the only ways to make people work; man will direct himself if he is committed to the aims of the organization.
- If a job is satisfying, then the result will be commitment to the organization.
- The average man learns, under proper conditions, not only to accept but to seek responsibility.
- Imagination, creativity, and ingenuity can be used to solve work problems by a large number of employees.

TABLE 2: MCGREGOR’S THEORY X-Y

FIEDLER

A synthetic model for leadership styles was proposed by Fred Fiedler (Fiedler, 1967). In the Fiedler Contingency Model, it was argued that successful leadership depends on matching a leader’s style to a situation’s demands. According to Fiedler, a manager has to understand his or her leadership style, diagnose the particular situation, and then match style and situation. Fiedler also distinguishes between task-oriented leaders (who just want to get the job done) and relationship-oriented leaders (who place greater value on people than on tasks).

Most leadership and organisational models discuss two ends of a spectrum. Leaders believe in Theory X or Y, they are either more task-oriented or people-oriented, and organisations are loosely organised in the form of an Adhocracy, or much more strictly organised in the form of Machine Bureaucracies. We can relate to these extremes, as we are able to name numerous examples of companies that appear to fit well with either end of the spectrum – whether it be the Theory X Machine Bureaucracy in the form of a car manufacturer, or the Theory Y Adhocracy in the form of an ad agency. Similarly, most of us will be able to pinpoint where the organisation that we are part of is located.

Simply put, some organisational aspects (such as leadership style or organisational structure) seem to intuitively match well with one another. Figure 2 graphically displays these aspects.

FIGURE 2: ORGANISATIONAL THEORIES IN A TASK-PEOPLE MINDED SPECTRUM

1.2 OTHER INDICATORS

Given the organisational spectrum discussed above, we are able to add even more indicators to this spectrum that affect management control.

INNOVATION AND CREATIVITY

Some organisations stimulate their employees to be creative, flexible and innovative. Organisations that do so appear to fit well with the right-hand side of the spectrum. These types of organisations often thrive when their employees are given a ‘carte blanche’ to be successful. Using a restrictive ‘tough boss’ leadership style and strict management control would be counter-productive in such an environment. Similarly, a ‘Theory X manager’ will most likely clash with employees soon after his or her arrival.

SIZE AND MATURITY

Small and young organisations will find themselves on the right side of the spectrum as well. Employees at these organisations will most likely be empowered to do whatever it takes to grow and survive in the earliest stages of organisational maturity. Managers at start-ups will most likely encourage entrepreneurship and employee empowerment. Large diversified organisations are harder to control and manage from the outset, simply due to their size and complexity. Therefore, smaller organisations have an edge when it comes to management control – their structure is often simple, and lines of communication are short and informal.

Philip Wickham argues that entrepreneurship can also be seen as a management style in which there is a strong focus on change and opportunity (Wickham, 1998). This supports the notion that we expect to see organisations that experience less change, and may be in a less dynamic market, on the left side of the spectrum.

COMPETITION

Strong competition can also be a significant indicator for a specific organisational structure or leadership style. In the highly competitive Technology, Media, and Telecommunications (TMT) industry, even the former incumbents and ex-monopolists are facing tough battles for survival. This shift in market conditions forces them to increase flexibility, foster entrepreneurship, and strive for innovation. In other words, these companies are required to move to the right of the spectrum to gain competitive advantage over young and agile organisations.

FIGURE 2 (contents): a spectrum running from Task minded to People minded; the labels plotted on it are Theory Y (McGregor), Adhocracy (Mintzberg), Concern for People (Blake and Mouton), Entrepreneurial Structure (Mintzberg), Professional Bureaucracy (Mintzberg), Theory X (McGregor), Concern for Production (Blake and Mouton), Divisionalised Bureaucracy (Mintzberg) and Machine Bureaucracy (Mintzberg).

When put together, all of these aspects can be plotted schematically, as shown in figure 3.

FIGURE 3: SCALE MODEL - THEORY AND ORGANISATIONAL FACTORS COMBINED

As discussed above, organisations can be managed in many different ways, with equally different leadership styles. But how do these different organisational structures and management styles influence the ways in which management can control its organisation and manage its risks? The next section looks at how risk management should be tailored to each individual organisation.

1.3 RISK MANAGEMENT, CONTROL AND THE ROLE OF THE CONTROL ENVIRONMENT

One of the aspects of management that has received much attention during the last decade has been risk management and control. Besides the basic need for risk management by a company’s stakeholders, regulatory pressures have led to a surge in attention for compliance-driven risk management efforts. Regardless of the type of organisation, it needs to manage risks from the shop floor to the C-suite level. But there is no ‘one-size-fits-all’ method for managing risks. Methodologies for the banking industry differ tremendously from those in other sectors, for example, due to specific compliance requirements such as BASEL II[iii] and other sector-specific requirements.

The reality, however, is that some compliance requirements such as Sarbanes-Oxley[iv] do not distinguish small and nimble media companies from large multinational car manufacturers. For every company that meets certain criteria (in the case of Sarbanes-Oxley, the criterion is having an SEC registration[v]), the regulations apply, and therefore the company must meet certain risk management and control demands.


Similarly, in the financial statement auditing approach of ‘Big Four’ accounting firms, there is hardly any room for tailored approaches. Every company must meet certain pre-set general risk management and control criteria, regardless of its size or organisational structure. In practice, auditors will encounter firms that pass these general criteria with flying colours, and these tend to be the companies that are mature and that have strict and well-documented management control frameworks.

But auditors also encounter companies that fail to meet most of these pre-set criteria. This does not mean that these companies are out of control, by any means. It does mean, however, that these companies have other methods to ensure that their organisational objectives are met. These methods often include short communication and reporting lines, frequent but unstructured interaction between management and employees, and more principle-based control frameworks.

These companies require a different approach to risk management, compliance, and governance auditing. The auditor should ideally take into account the various organisational structures and leadership styles and amend his or her auditing approach accordingly. Unfortunately, only a few tools and theories exist that enable auditors to tailor their audit approach to these ‘misfit’ companies.

COSO – INTERNAL CONTROL OVER FINANCIAL REPORTING GUIDANCE FOR SMALLER PUBLIC COMPANIES

One of the leads financial auditors use in Sarbanes-Oxley audits is the organisation’s Control Environment. The Control Environment, also known as the Internal Environment, is the basis of COSO’s[vi] Enterprise Risk Management framework. COSO defines the Internal Environment as:

"The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure." (COSO ERM, 2004)

COSO has also developed an internal control framework specifically designed for smaller organisations[vii]. In this framework, COSO acknowledges that smaller entities may be less formally organised along well-established guidelines, and may have less formal procedures and processes. This means that implementing the regular COSO ERM framework may lead to false negatives and significant costs, and may therefore be counter-productive. As COSO states:

The focus is on businesses that have many of the following characteristics:

- Fewer lines of business and fewer products within lines
- Concentration of marketing focus, by channel or geography
- Leadership by management with significant ownership interest or rights
- Fewer levels of management, with wider spans of control
- Less complex transaction processing systems and protocols
- Fewer personnel, many having a wider range of duties
- Limited ability to maintain deep resources in line as well as support staff positions such as legal, human resources, accounting and internal auditing.

COSO recognises that smaller companies face specific difficulties from a control point of view. Specifically, it lists the following challenges for smaller organisations:

- Obtaining sufficient resources to achieve adequate segregation of duties
- Management’s ability to dominate activities, with significant opportunities for management override of control
- Recruiting individuals with requisite financial reporting and other expertise to serve effectively on the board of directors and audit committee
- Recruiting and retaining personnel with sufficient experience and skill in accounting and financial reporting
- Taking management attention from running the business in order to provide sufficient focus on accounting and financial reporting
- Maintaining appropriate control over computer information systems with limited technical resources.

To overcome these challenges, COSO does not suggest going ahead with a full-scale COSO ERM implementation. Instead, COSO recognises the specific characteristics of smaller organisations. One of the key differences between COSO ERM and COSO for Smaller Public Companies is the emphasis placed on the organisation’s Internal Environment. As COSO puts it:

"A smaller company can have unique advantages in establishing a strong control environment. Employees in many smaller businesses interact more closely with top management and are directly influenced by management actions. Through day-to-day practices and actions, management can effectively reinforce the company’s fundamental values and directives. The close working relationship also enables senior management to recognize quickly where employees’ actions need modification." (COSO for Smaller Public Companies, 2006)

It is obvious that COSO for Smaller Public Companies relates to our indicators. On the one hand, the characteristics of these companies, according to COSO, correspond to Mintzberg’s organisational structures “Entrepreneurial Structure” and “Adhocracy”. Similarly, a high concern for people and the characteristics of Theory Y can be relevant contributing factors in overcoming the challenges that COSO defines.

Others have pointed out the possibility of other means of control, besides the straightforward transactional control methods. Robert Simons (Simons, 1994) argued that management could leverage specific characteristics of their organisations, and control the organisation without hampering the empowerment and entrepreneurial spirit of organisations at the right-hand side of our spectrum.

SIMONS’ LEVERS OF CONTROL

More specifically, Simons shows how managers use innovative control systems to drive continuous strategic renewal. His model describes controls (‘the levers’) that enable business leaders to retain control of their organisations and capitalize on the autonomy and drive present at lower levels while simultaneously responding to emerging opportunities. The model takes on the challenge of finding a way to allow empowerment to flourish while encouraging accountability. It establishes a critical bridge between the disciplines of strategy and accounting and control, essentially combining top-down direction and bottom-up creativity. Simons’ model is shown in figure 4.


FIGURE 4: SIMONS’ LEVERS OF CONTROL

The first of Simons’ Levers of Control systems is an organisation’s Belief System. In an empowered environment people need to understand and be committed to the mission, objectives and strategy of the organization. Belief systems explain how the organization creates value, the level of performance the organization strives for and how individuals are expected to manage both internal and external relationships.

“The fastest cars need the best brakes[viii]”, and much like a fast car, every organisation needs its Boundary Systems. The term Boundary Systems would imply that there are strict rules to comply with. However, the boundaries only define what is not allowed. Telling people what to do in procedures and rule books hampers the initiative and creativity unleashed by empowered and entrepreneurial employees. Within these boundaries everything is possible, which in turn promotes creativity and innovation, and empowers employees to do what is right.

To effectively and efficiently control their organisation, management needs Interactive Control Systems. Interactive Control Systems are communication structures that managers use to involve themselves regularly and personally in the decisions of subordinates. Through them, senior managers focus organisational attention and learning on key strategic issues. Interactive control systems track the uncertainties that keep senior managers awake at night (Rijsewijk, 2007).

Finally, Simons points to the use of Diagnostic Control Systems. Diagnostic Control Systems act as a dashboard for management, instantly showing signs of abnormal behaviour of the organisation. Diagnostic Control Systems can take the form of KPIs, which are tracked on a day-to-day basis. The monitoring of Diagnostic Control Systems can help an organisation to keep critical performance variables within limits.

The levers of control allow, or even oblige, an organisation to implement traditional internal controls, but the model also encourages management to deploy other means of controlling their organisation, such as monitoring or diagnostic controls.

FIGURE 4 (contents): Business Strategy at the centre, surrounded by the four levers: Belief System (Core Values), Boundary System (Risks to be Avoided), Interactive Control System (Strategic Uncertainties) and Diagnostic Control System (Critical Performance Variables).


COCO

An alternative to COSO is the CoCo control model from the Canadian Institute of Chartered Accountants, issued in 1995. It acknowledges, as does COSO, that the control environment is the foundation of internal control, but CoCo takes this one step further. The intent of CoCo is to address what is felt to be an imbalance in COSO (which adopts a mechanistic approach to governance and control); its contribution is to emphasise the people and cultural aspects of control.

CoCo states that effective internal control is not enforced only by segregation of duties and by policies and procedures; the model focuses on intangibles such as leadership, shared values and mutual trust, in other words on entity-level controls. It acknowledges a fact that is obvious to management: an organisation consists not only of processes and systems, but also of people, and people are most often the key to success or the reason for failure. CoCo therefore focuses on the commitment, capability and learning of people in the organisation. Figure 5 shows the CoCo Risk Management model.

FIGURE 5: COCO: CRITERIA OF CONTROL RISK MANAGEMENT MODEL

CONCLUDING REMARKS

For some organisations it can be challenging to implement a full-scale COSO ERM framework. These organisations need to find other frameworks in order to be in control. We have seen that these frameworks emphasise the control environment, which is strongly influenced by the structure of the organisation and the leadership style of management. From our point of view the Levers of Control model by Simons is a very strong framework to build upon: it is a balanced approach of empowerment and control that does not overlook traditional controls.

[Figure 5: the CoCo model's four process groups, Focus Processes (knowing what needs to be done), Capability Processes (having the resources to do it), Commitment Processes (wanting to do it) and Learning Processes (making adjustments for change), arranged around Action. The figure lists the activities evaluate and set objectives; evaluate risks and reliability decisions; establish shared values; provide responsibility and authority; establish reward systems to create cohesion; equip with necessary skills, information, physical equipment, people and finances; monitor results; monitor environment; apply systems thinking; and perform self-assessment.]

Page 20: Soft Controls in IT Auditing


Even though financial and operational auditors are used to dealing with the control environment (or internal environment) in their audits, the role of the control environment is practically non-existent in IT auditing. In chapter two we discuss COBIT, a framework for IT organisations. We noticed that COBIT does briefly touch upon the concept of soft controls, but given the abundance of technical details to feast on, IT auditors usually focus on the easier-to-audit hard controls. Management, however, usually follows the path of least resistance and will implement the type of controls that are both effective and efficient for their organisation.

The next chapter discusses soft controls and hard controls, and suggests the use of an organisational model to evaluate to what extent both types of controls should be used by management, and where IT auditors should look for assurance in their audits. Similarly, IT auditors or consultants advising management with regard to the implementation of IT control measures can use the model to determine which type of controls will function best at the organisation.

Page 21: Soft Controls in IT Auditing


2. HARD CONTROLS AND SOFT CONTROLS IN IT AUDITING

This chapter discusses the de facto standard IT control framework COBIT and some alternative thoughts on IT management and control. We argue that a combination of hard controls (e.g. COBIT) and soft controls (the control environment, for example) should be used in IT auditing. An application of this balanced approach is discussed in chapter 3.

2.1 COBIT AT A GLANCE

The COBIT framework is owned and maintained by ITGI, the IT Governance Institute. ITGI aims to advance the development of IT governance for organisations. Its defining work is the COBIT framework, which has been in development since 1996. The current version (4.1) was released in 2007. COBIT is now the de facto standard in IT governance guidance, and is used in countless enterprises globally.

One of the key drivers for its success is its basic premise: the link between organisation goals and IT goals. IT governance serves only one purpose, and that is to help attain the company's business goals. From there, COBIT breaks the IT goals down into manageable key activities, performance metrics and control objectives. This approach allows organisations to align business goals with IT governance goals. Figure 6 shows the basic COBIT principle.

FIGURE 6: BASIC COBIT PRINCIPLE

COBIT focuses heavily on controls to manage IT processes. These controls include the ubiquitous change management and security management controls, and are grouped in IT processes that follow the recognisable responsibility domains, as shown in the table below.

[Figure 6 (COBIT cycle): Business Requirements drive the investments in IT Resources, which are used by IT Processes to deliver Enterprise Information, which in turn responds to the Business Requirements.]

Page 22: Soft Controls in IT Auditing


Domain / Description

Plan and Organise (PO): Provides direction to solution delivery (AI) and service delivery (DS)

Acquire and Implement (AI): Provides the solutions and passes them on to be turned into services

Deliver and Support (DS): Receives the solutions and makes them usable for end users

Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed

TABLE 3: COBIT DOMAINS

Unlike COSO, COBIT does not discuss the internal environment of an entity. COBIT controls are transactional in nature, and the framework does not accommodate meta-process controls such as Simons' interactive or monitoring controls. The closest COBIT gets to capturing the relevance of the organisation in which the controls should be embedded is in section PO4 (Plan and Organise), in which the control objective is to define the IT processes, organisation and relationships. However, true to its goal, the COBIT framework focuses on the governance of the IT organisation; in other words, PO4 discusses who is responsible for which tasks.

We can plot COBIT on our scale model, along with COSO, CoCo and Simons, discussed in chapter one. The figure below shows the combination of all of the above models, leadership styles and organisational structures. The figure also shows when organisations can benefit most from soft controls (shown on the right-hand side of the scale).

FIGURE 7: COMPLETE SCALE MODEL

Page 23: Soft Controls in IT Auditing


As discussed, the COBIT framework does not link culture, organisation or other 'soft building blocks' of an entity to IT control. In financial and operational auditing, however, the starting point of most audits is just that: the culture, the organisation and the control environment. Why, then, does the leading IT governance framework pay so little attention to these sometimes intangible, but profoundly important aspects?

In the next paragraphs we will expand on how these 'soft building blocks' play an important part in any organisation, and on how IT auditors and managers can use these soft controls to better understand organisational IT control.

2.2 SOFT CONTROLS EXPLAINED

Management can use a variety of controls to manage their organisations and to meet business goals. Most controls in the post-SOx era are transactional and procedural in nature. These controls can be tested in a straightforward manner, and often allow for automation; consider for example the username and password combination that a financial reporting application requires at login.

Soft controls, however, aim to direct human behaviour in organisations. Soft controls are mostly intangible, and relate to communication and human interaction. The prime example of a soft control is the 'tone at the top', the core of the internal environment. The tone at the top refers to the message top management sends; not just through official communications, but also in the form of 'leading by example'. Does management strongly believe in ethical business practices? Or does management want to meet its goals by any means necessary?

Soft controls follow from an organisation's culture, its management style and its structure. Empowered employees in a small-scale media company are trusted by management to make the right decisions, in the best interest of the company. Instead of limiting an employee's freedom, management encourages them to do what is right for the company. Management may use a combination of interactive controls (such as frequent verbal updates) and monitoring controls (focusing on key performance indicators such as ROI) to manage and control the organisation.

COSO recognises the importance of soft controls, and it uses the internal environment as the base for all other controls. In this sense, soft controls have a pervasive effect on all other control measures. In Sarbanes-Oxley audits, a flawed control environment is considered a significant deficiency or even a material weakness in an organisation's internal control framework. The reasoning is simple. In the widely known Barings scandal, for example, management knew about significant control deficiencies in its Singapore branch, but decided to do nothing (James Roth, 1998). At Enron, management knew about rogue traders in its New York office, but decided to do nothing since the traders were making money (by breaking the rules). In these examples, management wanted to make the numbers, even if it meant unethical, irresponsible or illegal behaviour. The best control framework in the world will not yield the desired results if the control environment is flawed. This principle can be translated to IT auditing and control. The next paragraph discusses the use of soft controls in IT auditing and control.

Page 24: Soft Controls in IT Auditing


2.3 SOFT CONTROLS IN IT AUDITING: THE IT CONTROL ENVIRONMENT

As discussed in the previous paragraphs, we argue that organisations should combine soft controls and conventional IT controls in order to improve management control over IT. This combined or balanced approach should be tailored to each organisation. For this purpose we use the scale (refer to figure 7), with which the expected effectiveness and applicability of soft controls can be established. The scale aids management and IT auditors in their assessment of expected applicability (in other words, which organisations will benefit most from this approach). The next step is implementing soft controls at IT departments. To do so, management and IT auditors should focus on the IT Control Environment.

We define the IT Control Environment (ITCE) as the internal environment of an IT organisation, influencing security and privacy awareness in its people. The ITCE provides discipline, structure, ethical values and competence for all aspects of the IT organisation. The ITCE determines management's philosophy, operating style and the way in which management assigns authority and responsibility.

Similar to how the COSO internal environment is the basis for all process controls, the ITCE is the basis for all IT controls at the organisation. As with the COSO internal environment, because of its pervasive effect, regular controls are either weaker or stronger as a result of the IT Control Environment. The ITCE's effect and applicability depend on where the organisation is located on the spectrum, given the scale model discussed in chapter one. Furthermore, the ITCE is directly related to the organisation's overall control environment, and much of the organisation's overall control environment will be applicable to the ITCE. However, the ITCE is specifically suited to IT departments, an area that as yet has had little to do with soft controls in general, and with the organisation's control environment in particular. We illustrate the use of the ITCE in a case study in chapter 3.

Page 25: Soft Controls in IT Auditing


3. CASE STUDY: APPLYING THE BALANCED APPROACH

In some companies, applying the COBIT framework, whether by management or by IT auditors, will yield tremendous results. In other companies, simply using the COBIT framework without taking human factors into account will lead to unexpected disappointment. The balanced approach discussed in chapter 2 is put to the test in a case study, which is outlined in this chapter.

3.1 XS4ALL INTERNET B.V.

The authors of this thesis were asked to assess the IT control framework as part of a Sarbanes-Oxley readiness project. The project was initiated in February 2007 and finished during Q1 2008. The organisation at which the project was executed is one of the premier internet service providers (ISPs) in the Dutch marketplace: XS4ALL. Even though its installed base is relatively small compared to its competitors, its brand value and image are excellent. The engagement was straightforward: determine to what extent the organisation met the corporate IT control framework, which was simply a number of COBIT controls.

Early on in the Sarbanes-Oxley readiness assessments, it was clear that the organisation would not meet some of the key COBIT control objectives. The organisation had quickly developed from grass-roots origins into a 300 FTE innovator. In doing so, little attention was paid to formal job descriptions, reporting lines, documented control measures and so on, and this was especially true at its IT department, the engine room of the company. Instead, all effort was focused on delivering high-quality service to its customers. Even though the organisation succeeded in doing so, it faced some significant challenges as a result of the Sarbanes-Oxley compliance demands.

This raised the question, 'are we then out of control?' The answer was clearly no. In its 15 years of existence, only a handful of security incidents had occurred. The IT department as a whole, and the security and privacy officers in particular, were (and still are) admired and respected throughout the company, and even among the IT security community outside the company. The company's reputation is unparalleled, as it is still viewed as one of the leaders in information technology security.

So how, then, did XS4ALL ensure that it maintained its leading position in information security and IT management, if the standard COBIT controls were few and far between?

The answer lies in the organisation itself. There, in its DNA, lies the cause of this 'anomaly': its people and its culture made sure that operations remained stable and robust, that security issues were dealt with swiftly, and that customer satisfaction has remained the highest among its peers for several years in a row [ix]. The developers and administrators are driven by a shared belief that they must do the right thing, always. This belief is not forced onto them; rather, it is an intrinsic, bottom-up motivation for operational excellence.

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

Bruce Schneier, cryptographer and computer security expert

Page 26: Soft Controls in IT Auditing


One of the major findings during the SOx-readiness effort was the lack of segregation of duties within the IT department. This finding did not faze management or the IT department; they still knew they were in control. Ultimately, the track record and the small number of security and operational issues experienced during its existence did not fit well with the standard COBIT controls. A different approach was needed.

3.2 USING AN ALTERNATIVE APPROACH

The different approach was found after numerous discussions with IT administrators, management and the corporate audit department. It was obvious that the standard approach would not yield the desired results, as it led to false negatives: it reported the organisation as not in control when, in practice, it was.

The break came after taking another look at COSO's control environment. This was the starting point for the overall SOx risk assessment, but it did not extend to the IT department. In order to explain the apparent control over IT despite the lack of formally documented controls, the auditors turned to a specific IT Control Environment. The ITCE has five areas of control objectives: Integrity and Ethical Values, Commitment to Competence, Human Resources, Authority and Responsibility, and Management Philosophy and Operating Style. These control objectives were subsequently detailed into organisation-specific control activities, as discussed in paragraph 3.4.

These control activities were presented to the IT department and to the management team. For most control activities, administrators, developers and management alike recognised the controls, and confirmed that they were indeed part of the control environment at the organisation. Management and IT staff also suggested additional or revised control activities. The final list of control activities was then assessed to determine whether all controls were in place. For some this was not the case, and remediation followed.

The new approach mimicked the approach operational and financial auditors use in their audits, in that it looked at the organisational aspects besides the regular hard controls. This is something that is still not commonplace in IT auditing, and there were no studies of, nor any experience with, this approach.

It is important to note that the ITCE served as a base for all other IT controls. The ITCE controls are in place alongside numerous other IT controls, such as a range of security, change and IT operations management controls. However, the ITCE allowed the organisation to implement an IT control framework that actually suited the organisation, and that was recognised and supported by the administrators and developers themselves. The finished product, the XS4ALL IT control framework, actually added value, without weighing the organisation down with the burden of a standard COBIT-only framework. Hard controls were kept lean and efficient, thus allowing the organisation to maintain its flexibility.

Looking at our scale model (figure 7), it is obvious that XS4ALL is located at the right-hand side of the model.

Page 27: Soft Controls in IT Auditing


FIGURE 8: SCALE MODEL APPLIED TO XS4ALL

The company is relatively young, loosely organised, in a competitive and innovative market, and its people are empowered to do the right thing. Given this information, in hindsight it makes sense to focus on the right side of the scale and to rely more on soft controls than on hard controls (i.e. COBIT).

3.3 ORGANISATIONAL PERSPECTIVES: THE BUSINESS CONTROLLER

The balanced approach was discussed with many stakeholders throughout the company, including the Control department. To evaluate the balanced approach, we spoke at length with René Maatkamp, head of the Control department. One of René's responsibilities is to ensure that all financial reporting and forecasting is timely and accurate. Since most applications that provide this information are managed by the internal IT department, gaining assurance on effective IT management is vital. In one of the interviews held, René noted the following:

"We need insight into business processes as well as IT processes, to understand what drives our business, and to know how information is gathered and processed. To make sure that the data in the systems is correct we need some form of control over the management of IT processes. Given our history and culture, combining hard controls and soft controls makes sense. We have to balance flexibility and structure, and use whatever works best. For some aspects of management control, hard controls work best. For others, relying on the culture and control environment works better."

Weighing flexibility and structure means that the best of both worlds is used. To understand which soft controls are likely to operate effectively, René points towards the strategy of the organisation.

"You have to find the soft controls that are embedded within the organisation, using those aspects that are understood and second nature to the firm. For us, this is straightforward: both Security and Privacy are key strategic values for our company. Therefore, everything we do is checked against these values. This is especially true for our IT department, which is really the basis for the rest of the company. If anyone goes against these values, they will be corrected by their peers."

The IT control environment should therefore match the company's strategic values. As noted by Simons (Simons, 1994), the levers of control all stem from the company's business strategy: a company's belief systems and core values should be in line with its business strategy, as should its risks to be avoided and its key performance variables.

Page 28: Soft Controls in IT Auditing

3.4 ASSESSMENT OF SOFT CONTROLS

To actually assess the soft controls in place at the IT department, the auditors used a custom-built questionnaire. The use of (self-assessment) questionnaires has been argued to provide the best results in control environment auditing (James Roth, 2004). The proposed ITCE is defined using a specifically designed questionnaire, mimicking the COSO internal environment questionnaires. The ITCE questionnaire is grouped into five focus areas: Integrity and Ethical Values; Commitment to Competence; Human Resources; Authority and Responsibility; and Management Philosophy and Operating Style.

FIGURE 9: ITCE QUESTIONNAIRE FOCUS AREAS

The areas are subsequently detailed into multiple control objectives to assess to what extent the organisation can rely on its ITCE, alongside its regular internal controls. Auditors can use the questionnaire to assess to what extent they can include soft controls in their audit approach. The control objectives for each area draw heavily upon existing COSO internal environment questionnaires, but have been tailored to suit IT departments. The questionnaire is shown in the table below.

Focus Area / Control Objective

1. Integrity and Ethical Values

1.1 Policies exist regarding acceptable IT practices, conflicts of interest or expected standards of ethical behaviour

1.2 IT employees understand what behaviour is acceptable or unacceptable, and know what to do when they encounter improper behaviour

1.3 IT management takes appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct

1.4 IT management avoids intervening in or overriding established controls

1.5 Situations involving pressure to meet unrealistic targets do not exist or are properly controlled, particularly for short-term results

1.6 Processes are in place to monitor the IT department's integrity and ethical values

2. Commitment to Competence

2.1 IT employees have the competence and training necessary for their assigned duties

2.2 IT managers have adequate knowledge and experience to fulfil their responsibilities

Page 29: Soft Controls in IT Auditing

3. Management Philosophy and Operating Style

3.1 Turnover of IT department staff is low

3.2 Management provides personnel the opportunity to attend conferences and training programmes on relevant topics

3.3 IT managers move carefully, proceeding only after analysing the risks and potential benefits of ventures

3.4 Key systems and data are assessed, their owners identified and areas of competence developed

3.5 IT managers do not ignore signs of inappropriate practices

3.6 IT employees understand and accept their responsibility regarding IT security

4. Authority and Responsibility

4.1 IT employees are empowered, when appropriate, to correct problems or implement improvements

4.2 IT management has implemented a division of roles and responsibilities that reasonably prevents a single individual from subverting a critical process

4.3 Roles and responsibilities of the IT organisation are defined, documented and understood

5. Human Resources

5.1 IT management establishes and enforces standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behaviour

5.2 Screening procedures, including background checks, are employed for IT job applicants

5.3 The IT organisation has adopted and promoted the company's culture of integrity management, including ethics, business practices and human resources evaluations

5.4 Job performance is periodically evaluated and reviewed with each IT employee

TABLE 4: IT CONTROL ENVIRONMENT QUESTIONNAIRE

The ITCE draws attention to an area that has long been overlooked in traditional IT control. Whereas the control environment and ethical behaviour have received widespread attention in operational and financial auditing (Hubbard, 2002), they have yet to make an impression on IT auditing. Perhaps because of this lack of interest among IT auditors, management has not focused its attention on applying internal environment controls down to the boiler-room level of the organisation. Authors have pointed out the relevance of internal control evaluations and control self-assessments (CSAs) (Adil Buhariwalla, 2006), and there is no reason to assume that the control environment stops at the door of the IT department. Only a few have argued that culture can have a significant effect on IT change management (Melançon, 2006) or information security (Chang & Lin, 2007).

The areas and control objectives in the ITCE Questionnaire can help management control their IT departments just as they would all other departments in their organisations. IT auditors can use the ITCE in their audit approach as a starting point for their audits. To do so, the ITCE Questionnaire needs to be tailored to each organisation. The control objectives must be translated into control activities that can be independently verified.

Page 30: Soft Controls in IT Auditing


4. CONCLUSION

4.1 CONCLUSION

Companies can benefit from using a combination of hard controls and soft controls in their IT departments, just as they do for the rest of their organisations. While management chooses to lead the organisation in ways that work best with the particulars of that organisation, IT auditors and consultants are often tied to a 'best practice' framework.

The use of soft controls, evaluating the control environment, and assessing the organisation prior to commencing an IT audit are as yet not part of the IT auditor's standard approach. The case study at XS4ALL provides strong indications that IT auditors and control consultants should re-evaluate their approach. By factoring in the organisational aspects, we can provide audit and advisory services that actually add value.

4.2 FURTHER RESEARCH

As with any case study, this research has its limitations. As only one implementation was studied, it is as yet unclear to what extent the model and questionnaire can be used at other organisations. The single case study does, however, show promising results.

To adequately assess the validity of the balanced approach, the combination of soft and hard controls in IT environments should be tested at other companies, ideally at both ends of the spectrum, to test the validity of the scale model. This will yield valuable insight into the usability of the scale model and into the robustness of the IT Control Environment Questionnaire.

Page 31: Soft Controls in IT Auditing


APPENDIX

ACKNOWLEDGEMENTS

The authors of this thesis would like to express their gratitude to all those who helped in the development and implementation of the model. We are also very grateful to those who provided valuable feedback on the concept of soft controls in IT auditing and control. Special thanks go to XS4ALL, who have been bold enough to allow us to try a new form of IT assurance (and then allowed us to tell everyone else about it).

Antoine Lucassen

Ard Niesen

Bart van Staveren

Jan Bouwsma

Jan Pieter Cornet

Jasper Dietz

Kai Storbeck

Marcel Seunnenga

René Maatkamp

Roel van Rijsewijk

Scott McIntyre

Simon Hania

Zing-Kyn Cheung

Page 32: Soft Controls in IT Auditing


BIBLIOGRAPHY

Adil Buhariwalla, C. F. (2006). The softer side of controls: a people-focused approach to controls doesn't mean the organization is going easy on risks. Internal Auditor.

Blake, R. R., & Mouton, J. S. (1964). The Managerial Grid: Key Orientations for Achieving Production Through People. Gulf.

Chang, S. E., & Lin, C.-S. (2007). Exploring organizational culture for information security management. Industrial Management & Data Systems.

Edward Blunt, C. (2006). Delegating Root Authority and Auditing Activities on UNIX/Linux Systems. Information Systems Control Journal.

Fiedler, F. E. (1967). A Theory of Leadership Effectiveness. McGraw-Hill.

Friedman, T. L. (2006). The World Is Flat: A Brief History of the Twenty-First Century (Release 2.0). Farrar, Straus and Giroux.

Hubbard, L. D. (2002). The importance of ethics. Internal Auditor.

Huber, G. P., & Glick, W. H. (1993). Organizational Change and Redesign. Oxford University Press.

James Roth, P. C. (1998). A hard look at soft controls: Flexible, Dangerous, Essential: An Interview with Jim Roth. Internal Auditor.

James Roth, P. C. (2004). Getting to the heart of the problem: meaningful evaluation of the control environment is the real key to preventing financial reporting fraud. Internal Auditor.

Laudon, K. C., & Laudon, J. P. (1998). Management Information Systems. New Jersey: Prentice Hall International Inc.

McGregor, D. (1960). The Human Side of Enterprise. McGraw-Hill.

Melançon, D. (2006). Beyond checklists: A Socratic approach to building a sustainable change auditing practice. Information Systems Control Journal.

Mintzberg, H. (1979). The Structuring of Organizations. Prentice Hall.

Rijsewijk, R. F. (2007). Creativity and Corporate Governance: Alternative Control Solutions for the TMT Industry.

Simons, R. L. (1994). Levers of Control: How Managers Use Innovative Control Systems to Drive Strategic Renewal. Harvard Business School Press.

Wickham, P. A. (1998). Strategic Entrepreneurship. Pearson Education Ltd.

Page 33: Soft Controls in IT Auditing


TABLES AND FIGURES

Table 1: FIVE ORGANISATIONAL STRUCTURES BY MINTZBERG (page 11)

Table 2: MCGREGOR'S THEORY X-Y (page 13)

Table 3: COBIT DOMAINS (page 22)

Table 4: IT CONTROL ENVIRONMENT QUESTIONNAIRE (page 29)

Figure 1: BLAKE AND MOUTON MANAGERIAL GRID (page 12)

Figure 2: ORGANISATIONAL THEORIES IN A TASK-PEOPLE MINDED SPECTRUM (page 14)

Figure 3: SCALE MODEL - THEORY AND ORGANISATIONAL FACTORS COMBINED (page 15)

Figure 4: SIMONS' LEVERS OF CONTROL (page 18)

Figure 5: COCO: CRITERIA OF CONTROL RISK MANAGEMENT MODEL (page 19)

Figure 6: BASIC COBIT PRINCIPLE (page 21)

Figure 7: COMPLETE SCALE MODEL (page 22)

Figure 8: SCALE MODEL APPLIED TO XS4ALL (page 27)

Figure 9: ITCE QUESTIONNAIRE FOCUS AREAS (page 28)

ENDNOTES

i Control Objectives for Information Technology, an IT governance framework developed and maintained by the Information Technology Governance Institute (ITGI).

ii The Contingency Viewpoint originated in the early 1960s and used a diagnostic approach to management issues. No longer should there be 'one best way'; instead, managers were encouraged to analyse and understand situational differences before choosing the best solution for any given problem. The solution should be suited to the firm, the process, and the individual in each situation (Huber & Glick, 1993).

iii The BASEL II accord is a recommendation on banking laws, to be used by banking regulators. Basel II uses a "three pillars" concept – (1) minimum capital requirements (addressing risk), (2) supervisory review and (3) market discipline – to promote greater stability in the financial system.

iv The Sarbanes-Oxley Act of 2002 established new or enhanced standards for all U.S. public company boards, management, and public accounting firms, in response to a number of major corporate and accounting scandals.

v Any company listed on the New York Stock Exchange must comply with the SEC regulations, including the Sarbanes-Oxley legislation.

vi The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has issued several internal control frameworks to help businesses and other entities assess and enhance their internal control systems. The frameworks have since been incorporated into policy, rule, and regulation, and are used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.

vii Internal Control over Financial Reporting – Guidance for Smaller Public Companies was released in 2006 to help smaller organisations improve their internal control systems, while taking into account their limited possibilities to implement large-scale (COSO ERM) internal control systems.

viii Quote adapted from Roel van Rijsewijk.

ix http://www.xs4all.nl/overxs4all/feiten/index.php

Cover art by Capgros, distributed through www.sxc.hu. The image portrays a scale to be used for small weights, such as the depicted 5 Lire coin.