The primary input when designing IT controls should be internal and external risk reports. IT controls are specific activities performed by persons or systems to ensure that business objectives are met, and thatthe confidentiality, integrity, and availability of data and the overall management of the IT function are ensured1. Designing IT controls means creating and implementing the appropriate measures or actions to reduce the likelihood or impact of the IT risks that may affect the organization2. Internal and external risk reports are documents that provide information and analysis on the current and potential IT risks that the organization faces, as well as their sources, drivers, consequences, and responses3. Internal risk reports are generated by the organization itself, such as by the IT risk management function, the internal audit function, or the business units. External risk reports are obtained from external sources, such as regulators, industry associations, or third-party service providers. Internal and external risk reports are the primary input when designing IT controls, because they help to:
Identify and prioritize the IT risks that need to be addressed by the IT controls;
Evaluate the likelihood and impact of the IT risks, and compare them against the organization’s risk appetite and tolerance;
Determine the most suitable and effective IT control objectives and activities to mitigate the IT risks;
Align the IT control design and implementation with the organization’s objectives, strategies, and values;
Monitor and measure the performance and effectiveness of the IT controls in reducing the IT risks. The other options are not the primary input when designing IT controls, as they are either less relevant or less specific than internal and external risk reports. Benchmark of industry standards is a comparison of the organization’s IT control practices and performance with those of other organizations in the same industry or sector4. Benchmark of industry standards can help to improve the quality and consistency of the IT control design and implementation, as well as to identify the best practices and gaps. However, benchmark of industry standards is not the primary input when designing IT controls, as it does not address the specific IT risks that the organization faces, or the IT control objectives and activities that are appropriate and effective for the organization. Recommendations from IT risk experts are the suggestions or advice from the professionals or specialists who have the knowledge and experience in IT risk management and IT control design and implementation5. Recommendations from IT risk experts can help to enhance the IT control design and implementation, as well as to provide guidance and support to the organization. However, recommendations from IT risk experts are not the primary inputwhen designing IT controls, as they are based on the opinions and perceptions of the experts, and may not reflect the actual or objective level and nature of the IT risks, or the IT control objectives and activities that are suitable and efficient for the organization. Outcome of control self-assessments is the result or conclusion of the evaluation and testing of the design and operation of the existingIT controls by the organization itself, such as by the IT control owners, the IT risk management function, or the business units6. Outcome of control self-assessments can help to improve the IT control design and implementation, as well as to detect and correct any issues or deficiencies. However, outcome of control self-assessments is not the primary input when designing IT controls, as it does not cover the new or emerging IT risks that the organization may face, or the IT control objectives and activities that are relevant and necessary for the organization. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1, Page 189.
