MO2  Assess Internal Control Adequacy

Control over the IT process of assessing the adequacy of internal control, with the business goal of ensuring the achievement of the internal control objectives set for the IT processes, is enabled by the commitment to monitoring internal controls, assessing their effectiveness and reporting on them on a regular basis, and takes into consideration:

• Critical Success Factors that leverage
• specific IT Resources and is measured by
• Key Performance Indicators

Record of Assessment
Control Objective: Assess the adequacy of internal control.

CRITICAL SUCCESS FACTORS

• Management clearly defines what components of the processes need to be controlled
• Internal control, compliance and internal audit responsibilities are clearly understood
• Competence and authority of the internal control compliance function exist, addressing delegation as appropriate
• A properly defined IT control process framework is in place
• A clear process is used for timely reporting of internal control deficiencies
• Internal control monitoring data is accurate, complete and timely
• There is management commitment to act on internal control deficiencies
• There is alignment with risk assessment and security processes
• A process is in place to support knowledge sharing on internal control incidents and solutions
KEY GOAL INDICATORS

• Index of senior management satisfaction and comfort with reporting on internal control monitoring
• Decreased probability of internal control incidents
• Positive external qualification and certification reports
• Number of control improvement initiatives
• Absence of regulatory or legal non-compliance events
• Decreased number of security incidents and quality defects
KEY PERFORMANCE INDICATORS

• Number and coverage of control self-assessments
• Timeliness between internal control deficiency occurrence and reporting
• Number, frequency and coverage of internal compliance reports
• Number of timely actions on internal control issues
• Number of control improvements stemming from root cause analysis
Conclusions (maturity level, from lowest to highest):

• Non-existent
The organisation lacks procedures to monitor the effectiveness of internal controls. Management internal control reporting methods are absent. There is a general unawareness of IT operational security and internal control assurance. Management and employees have an overall lack of awareness of internal controls.

• Initial / Ad Hoc
The organisation lacks management commitment to regular operational security and internal control assurance. Individual expertise in assessing internal control adequacy is applied on an ad hoc basis. IT management has not formally assigned responsibility for monitoring the effectiveness of internal controls. IT internal control assessments are conducted as part of traditional financial audits, with methodologies and skill sets that do not reflect the needs of the information services function.

• Repeatable but Intuitive
The organisation uses informal control reports to initiate corrective action initiatives. Planning and management processes are defined, but assessment is dependent on the skill sets of key individuals. The organisation has an increased awareness of internal control monitoring. Management has begun to establish basic metrics. Information services management monitors the effectiveness of critical internal controls on a regular basis. Controls over security are monitored and results are reviewed regularly. Methodologies and tools specific to the IT environment are starting to be used, but not consistently. Skilled IT staff routinely participate in internal control assessments. Risk factors specific to the IT environment are being defined.

• Defined Process
Management supports and has institutionalised internal control monitoring. Policies and procedures have been developed for assessing and reporting on internal control monitoring activities. A metrics knowledge base for historical information on internal control monitoring is being established. An education and training program for internal control monitoring has been implemented. Peer reviews for internal control monitoring have been established. Self-assessments and internal control assurance reviews are established over operational security and internal control assurance, and involve information services function management working with business managers. Tools are being utilised but are not necessarily integrated into all processes. IT process risk assessment policies are being used within control frameworks developed specifically for the IT organisation. The information services function is developing its own, technically oriented, IT internal control capabilities.

• Managed and Measurable
Management has established benchmarking and quantitative goals for internal control review processes. The organisation has established tolerance levels for the internal control monitoring process. Integrated and increasingly automated tools are incorporated into internal control review processes, with an increased use of quantitative analysis and control. Process-specific risks and mitigation policies are defined for the entire information services function. A formal IT internal control function is established, with specialised and certified professionals utilising a formal control framework endorsed by senior management. Benchmarking against industry standards and development of best practices is being formalised.

• Optimised
Management has established an organisation-wide continuous improvement program that takes into account lessons learned and industry best practices for internal control monitoring. The organisation uses state-of-the-art tools that are integrated and updated where appropriate. Knowledge sharing is formalised, and formal training programs specific to the information services function are implemented. IT control frameworks address not only IT technical issues but are integrated with organisation-wide frameworks and methodologies to ensure consistency with organisation goals.