If an associate is allowed to perform a control that they are not competent enough to perform, is this a design flaw, implementation flaw, or operating flaw?
DESIGN FLAW.
If the control doesn’t require competent personnel by design, that’s a design flaw
Design flaw: Control doesn’t require or ensure competent personnel.
Operating flaw: Control requires competent personnel, but they don’t perform it properly.
In a Type 2 audit, control operating effectiveness is tested over a specific time period - does management’s description of the control system and control design/implementation also have to be tested of the same time period or are they tested as of a point in time like a Type 1 audit?
YES
In a Type 2 audit, ALL are tested OVER A SPECIFIED TIME PERIOD, none at a point in time.
-
Final Review - Weak Areas42
-
COSO ERM12
-
COSO ERM for Cloud Computing19
-
COSO ERM (+Cloud Computing)13
-
NIST PF Rapid Fire20
-
NIST SPF 800-398
-
COBIT Domains40
-
COBIT Design Factors Rapid Fire25
-
COBIT Framework25
-
Threats and Attacks Rapid Fire78
-
Information Systems Rapid Fire37
-
Network Security Definitions62
-
Trust Services Rapid Fire27
-
Network Infrastructure Definitions29
-
Cloud Services Definitions19
-
Data & Analytics18
-
SOC Controls2
-
SOC Reporting10
-
Safeguards8
-
Change Management31
-
Open Systems Interconnection (OSI)30
-
Frameworks9
-
Business Resiliency9
-
General Controls Definitions14
-
Framework Identification45
-
Disaster Recovery Plan11
-
COSO4
-
COSO IF Rapid Fire20
-
PCI DSS7
-
GDPR Drills12
-
CIS Rapid Fire54
-
Center for Internet Security (CIS) Rapid Fire55
-
CIS Simplified8
-
COBIT Very Simple5
-
COBIT Framework/System Principles20
-
COBIT Design Factors23
-
NIST CSF Rapid Fire20
-
NIST Very Simple5
-
Resiliency, Continuity, and Recovery9
-
Business Impact Analysis (BIA)15
-
Incident Response Plan (IRP)16
-
BIA & IRP Metrics22
-
NIST CSF + PF Table35
