The Need for IT Controls

By Qahim Moosavi, Margolis Consulting Services

In an increasingly complex computing world, information technology (IT) directors now have to contend with the pressures of IT compliance as directed by regulatory acts such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA). Compliance requirements, along with possible business losses due to network breaches, hacking, malicious software and other vulnerabilities, have transformed the responsibilities of the administrator from merely managing the network to being an integral part of the entire business process.

Executives have come to recognize the significant contribution IT makes to the management of strategic business objectives and have entrusted IT directors with implementing IT controls to achieve these goals. Controls may be defined as a process designed and implemented to reasonably assure the achievement of objectives in:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
  • Safeguarding of assets

Controls can be categorized as preventive, detective, and corrective. All three must be properly designed, implemented, tested and periodically reviewed to assure their efficacy.

Preventive controls are designed to deter or prevent actions or processes that would be deemed undesirable. Examples include policies, procedures, separation of duties, limited access to sensitive data, and proper documentation. These controls play an essential part in governing the business process, thus guiding the company through its short- and long-term objectives.

Detective controls also play a vital role. Human factors, along with security issues, may eventually compromise one or more of the preventive controls. When that occurs, detective controls can alert the staff and mitigate any harmful issues. An example of this is an Intrusion Detection System (IDS). An IDS monitors a network for anomalies and sends notification when it observes a breach, at which point the IT staff can address the breach and take control of the situation. The alert or alarm triggered by the detective control can also be used to review and refine the preventive control it was monitoring.
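The following is an added illustration of a detective control in the sense just described; it is not code from the article or from Margolis Consulting Services. It scans a handful of constructed, syslog-style authentication lines, counts failed logins per source address within a sliding time window, and produces an alert record once a threshold is crossed. The log format, the threshold of five failures, and the five-minute window are assumptions chosen for the example; a real deployment would take these from the organization's own logging and alerting policy.

```python
"""Added example (not from the article): a minimal detective control.

It scans constructed authentication log lines, counts failed logins per
source address inside a sliding time window, and raises an alert once a
threshold is crossed. The log format, threshold and window are assumptions
chosen for the illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like, not captured from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 sshd: Accepted password for alice from 198.51.100.4
2024-03-01T09:00:06 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:08 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:20:00 sshd: Failed password for bob from 198.51.100.4
"""

# Assumed line layout: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Detective control: alert when one source accumulates `threshold`
    failed logins within `window`. Returns a list of alert dicts; each
    source is reported once per burst so staff are not flooded with alarms."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue              # unparseable lines are skipped, not counted
        ts, result, user, src = rec
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src": src, "first": q[0].isoformat(),
                           "last": ts.isoformat(), "count": len(q)})
            q.clear()             # reset so the same burst is not re-alerted
    return alerts


if __name__ == "__main__":
    # Sample run over the constructed log: the staff would receive one alert
    # for 203.0.113.7 and none for the single failure from 198.51.100.4.
    for a in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT: {a['count']} failed logins from {a['src']} "
              f"between {a['first']} and {a['last']}")
```

The alert record carries the source, the window boundaries and the count, which is exactly the information an administrator needs both to respond and, as the article notes, to go back and tighten the preventive control (for example, the access policy) that the burst of failures was probing.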

Corrective controls are responsible for restoring systems to their normal or expected state. A good example is data backup, especially off-site backup. Studies indicate that if a company suffers a catastrophic data loss, its chances of survival are greatly reduced: 43 percent would never reopen their doors and 51 percent would close their doors within two years. With off-site backup in place, even if an undesirable event occurs, the company can restore its data and continue with business.

As IT goals directly correlate with achieving business objectives, it is important to put IT controls in place to ensure that repeatable and verifiable processes meet auditing standards. By defining and monitoring these objectives through IT governance, companies can meet compliance requirements as well as improve overall efficiency and reliability.

For further information pertaining to IT Controls or Off-Site backup please contact Qahim Moosavi at (610) 784-0155 or at qmoosavi@marg.com.