www.isaca.org
2606:4700::6810:d7f8
Submitted URL: https://click.em.isaca.org/?qs=b350bbf407fbe67a4d0324d827e376f71fa33f4e8d56f78a96b16eb8a63d56c516025440613f3b13b2060427eb3e...
Effective URL: https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2022/volume-31/do-your-policy-documents-represent-...
Submission: On August 03 via api from US — Scanned from DE
@ISACA
DO YOUR POLICY DOCUMENTS REPRESENT CURRENT PRACTICES?
Author: Veronica N. Rose, CISA, CDPSE, ISACA Board Director, Author, and Senior Advisor under Advisory Consulting at KPMG
Date Published: 3 August 2022

Process owners are subject matter experts who understand the processes, procedures and controls in place, whether documented or not. Auditors, however, usually go by the maxim "If it's not documented, it does not exist." A process owner may be performing their role efficiently while no supporting documentation of the process is available. But what about findings where controls are well documented but not functional? Does this mean that documentation of controls is becoming ceremonial? Is documentation done only for the sake of passing an audit or meeting a compliance requirement?

When auditing documentation, a quick indication of potential trouble spots is to look at the last reviews, change management, approvals and authorization process in the organization. Questions pile up when you realize that business processes contradict the defined procedures and policies and are not in any way related to the controls in place. This raises many questions about how organizations manage this discrepancy. Do organizations have dedicated teams that formulate policies, develop standards and procedures, and review policies periodically? Should this be a departmental assignment? Or should every process owner find their own way of doing it? Who is ultimately accountable for the policies in the organization? Does your board approve policies? Do policy procedures reflect the current state, and are there controls that need to be relaxed? How often are the policies reviewed? How often are your business processes re-engineered? And how do you provide assurance for organizations that are high performers but have no documentation?
As a process owner, or whatever line of defense you are in, here are some key considerations to think through:

* Development, implementation, continuous monitoring of effectiveness, and review of policy documents differentiate one organization from the rest. Therefore, make sure you have a thorough understanding of the types of controls and be specific about what each control mitigates.
* In most organizations the documentation does not reflect actual operations. It is therefore vital to check that the policies and procedures match the legal requirements.
* Check the relevance of the controls against the risks they are supposed to mitigate, and document the actual findings.
* Consistently review documentation according to the scheduled timelines and communicate any changes made to a policy to everyone in the organization.
* When auditing documentation, a quick indication that things are not perfect is to look at the last reviews, change management and authorization process. A document that was not updated as per the set timelines (e.g., in the last two years) does not look particularly promising for mitigating emerging risks.
* Check whether there are compensating controls where what is implemented contradicts what is documented. Even compensating controls, however, need to be documented.
* Determine how much of what is documented differs from what is actually taking place. Yes, reviewing documentation is hectic, but a dysfunctional control policy is very harmful to the health of your control objectives. Process owners should avoid simply changing the last review dates or having the board approve a document for the sake of compliance; instead, ensure it has been thoroughly reviewed.
* Have a dedicated team that is accountable for formulating policies, developing standards and procedures, and reviewing policies periodically.
* Ensure that policies are approved by the pertinent authorities.
* New risks require new controls: ensure that the documented controls reflect the current state, and if some controls need to be relaxed, update the documentation accordingly.
* Depending on how often your business processes are re-engineered, ensure the right parties are involved in the process.
* Ensure your documentation is aligned with industry best practices, standards and frameworks, and reference it to the applicable industry standards or frameworks.
* Involve a consultancy agency to assist in developing your documentation if you lack internal expertise.
* Train stakeholders and share updates on any changes made to the documentation (don't assume everyone is aware!). Too often, authors simply email the document to colleagues with a message like "I've written this. What do you think?" If they don't hear anything back, they assume it's all OK. But a review process like this rarely provides confidence that the document will communicate effectively.
* Pay attention to documentation versioning, including the last revision history highlighting the areas reviewed and the approval dates.

With a thoughtful and strategic approach, documentation of controls can be more than perfunctory and can instead add real value for auditors' stakeholders.