Pub. 3 2013 Issue 2

ARIZONA BANKER  Spring 2013 23 on the effectiveness of the controls over their production. A classic example of inspection used to test controls is inspection of records for evidence of authorization. Authorization is a critical control requirement within an audit. Documentation evidence includes requesting, approv- ing, reviewing and modifying or changing an authorization component or the authorization in its entirety and the sup- porting documentation must evidence that the transaction is appropriate, accurate and complies with applicable laws, regulations, policies, and procedures. An entity’s policies and procedures are often considered essential evidence of control documentation and a link between the entity’s vision and day-to-day operations, allowing employees to understand their roles and responsibilities within predefined limits. Policies and procedures allow management to guide operations without constant management intervention and set expectations of employee behavior. For example, given these statements, the documentation evi- dence associated with authorizing an employee to have access to a computer likely includes: • Policies & procedures • Authorization request mechanism(s) • Reviews for request appropriateness • Request authorization by appropriate resources • Request establishment within approved limits • Periodic review that access is still valid • Appropriate action to amend, modify or eliminate access. In aggregate, you can see there is a significant amount of documentation in paper and/or electronic form for this one example of compliance documentation. Organizations can become overwhelmed with the upkeep and maintenance all of the documentation needed to evidence compliance. The risks of not having up-to-date, compliance ready documentation has grown into an enormous problem with fines, loss of business revenue, reputation or even civil and criminal penalties becoming more prevalent. Many organizations realize that their technical staff’s time and energy is not well spent on creating and updating docu- mentation - efforts they typically dislike. Additionally staff struggles to monitor and enforce compliance when it comes to routine tasks or control activities. When not a valued use of time often the end result is insufficient or inappropriate evidence, especially when audits are pending or underway and required evidence is lacking. Z For more informa Ɵ on, contact Suzanne Farr at Terra Verde Services at 877-707-7997, ext 7 or suzanne.farr@terraverde.net. Suzanne is the Chief Opera Ɵ ng O ffi cer of Terra Verde Services and has over 30 years of IT, opera Ɵ onal and audit experience.