Question

Compare and contrast a descriptive control framework versus a prescriptive control framework. Why are these types...

Compare and contrast a descriptive control framework versus a prescriptive control framework. Why are these types of frameworks important in IT auditing? Provide an example not included in your textbook.

Answer #1

In general, a framework is a conceptual set of rules and ideas that provide structure to a complex and tough situation. Although a framework may be rigid in its skeleton, the data is to provide flexibility. For example, follows a framework to help guide the actual text and provide consistency. The framework includes distinct components, such as an introduction, learning objectives, headings, and a summary. Yet the authors have flexibility as long as they are within the confines of this framework.

IT environments are different from one to the next. Despite many similarities, each environment is different. Each company, for example, has different objectives. They have different ways of achieving goals. They have different risk profiles. IT departments exist to help support and drive the business. As long as no two organisations are exactly alike, neither will two IT departments be exactly alike.

An auditor must deal with multiple types of organisations. As a result, each audit is different. The size of the audit varies. The resources needed for the audit vary. The steps carried out for each audit also vary. A framework, however, provides a consistent system of controls to which IT departments can adhere. This system of controls also provides an auditor a consistent approach for conducting audits.

Controls tend to be either descriptive or prescriptive. A descriptive control framework provides for governance at a higher level. These control frameworks are important in helping to align IT with business or enterprise goals. The challenge is that they don't provide a prescribed method for turning these objectives into action. A prescriptive control framework approach helps standardize IT operations and tasks, while still allowing for flexibility. Organisations often apply both approaches together within IT, and audits tend to make use of both.

A more governing and descriptive type of framework may dictate a control objective that each IT organization should ensure systems security. Such an approach typically provides additional controls, such as ensuring network security or ensuring identity management. A major component of ensuring network security involves using firewalls. How each organisation actually applies this varies. What if there is not a local area network to wide area network connection? In this case, there may not be a firewall at any border; there may only be firewalls between internal network segments. One company might use a software firewall. Another might use hardware. There are also different types of firewalls. An administrator might use an application layer firewall in one situation and a network layer firewall in another. For the auditor, the control objective stays the same, yet the audit procedure may vary because of the difference.
