RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

DASHBOARD: RISK & CONTROLS ASSESSMENT TOOLKIT

PHASE I: RISK ASSESSMENT

PHASE II: CONTROLS GAP ANALYSIS

PHASE III:
MONITORING
In Development

WORK STEP:

OUTPUT /
DELIVERABLE(S):

7. Develop
control test
scripts; design
1. Identify the in-scope
2.processes
Document each process
3. Identify objectives and 4.
risks,
Identify
and assess
the controls
the risks
5.&Determine
perform awhich
controls
of6.
the
gap
Develop
controls
analysis
written
are "significant"
procedurescontrols
for the significant contro
and carry out
routine
monitoring.

Listing of inscope
processes and
sub-processes

Office of Ethics, Risk, and Compliance Services

UC Berkeley

Process
narratives and
maps

Risk
Assessment
Matrix (RAM)

RiskControl
Matrix (RCM)

Listing of
significant
controls

Control
templates

7. Monitoring
plan, Test of
Control (TOC)
scripts,
completed TOCs

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Dashboard

RISK & CONTROLS ASSESSMENT TOOLKIT

Using the Toolkit

Toolkit Overview:

This toolkit provides the overall process, work steps, work templates, and examples
to help you (a) identify the risks inherent in a process or project, (b) assess those
risks and rank them by severity, (c) identify the controls that mitigate the risks, and
(d) determine if the controls are adequately mitigating the risks.
Depending on your project and where you are with it, this tool can help you to carry
out all or just some of these activities.

The main page for the toolkit is the dashboard, which provides an overview of the
process, and contains hyperlinks to worksheets for each of the seven work steps
that make up the process.

Toolkit Functionality:

By clicking on a dashboard work step, the user is taken to a worksheet for that
step. All the worksheets are organized in the same way, containing the same
resources for carrying out that step.
The resources for each work step include statements describing the purpose of the
work step and its outcomes, a listing of the specific tasks that must be carried out
to complete the work step, tips, templates that can be downloaded and filled out,
and examples of completed templates.

You may need to zoom in or out in your version of Excel to optimize the view of
each worksheet.
You may need to scroll p or down to see all the content available for that page.
Navigation Tips:

Advanced Excel users: Although the formula bar, headings, and gridlines are not
shown, and each sheet is "locked," there is no password to unlock each sheet; so if
you feel you need to adjust a setting to improve your interaction with the toolkit,
you are able to do so.

To report any functionality issues with the toolkit, please contact:

Hans GudeDirector, Enterprise Risk Services
Office of Ethics, Risk, and Compliance Services
510.643.3812
hgude@berkeley.edu
Vr. 12.21.12
Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Dashboard

Work Step:

Purpose:

Output / Deliverable(s):

Principal Tasks:

Tips!

Template(s):

Guidance & Example(s):

Definition(s):
Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley

PHASE I: RISK ASSESSMENT

1. Identify the In-Scope Processes

To categorize and group the activities the organization carries out, and to
clarify and articulate which processes will be assessed.
A listing of in-scope processes and sub-processes.
1a. Identify the major process(es) to be assessed.
1b. Identify the sub-processes to be assessed.
1c. Document the processes identified.

>Your list of processes should reflect how your organization actually

carries out its work, vs. generic processes.
>Processes are scalable, meaning a set of processes and sub-processes
can be developed for almost any level within the organization, from
enterprisewide to a small department.
>Do some research, as appropriate, to see if your organization has
already defined its major processes.
>Insofar as possible, define organizationally lower-level processes within
the organization's already-defined enterprisewide processes.
>Organization charts can be a good source of the principal processes a
unit carries out.

Document
<None--See examples>
Document
Sample process categories and sub-categories
Sample business process listing--financial reporting
focus
Word or Concept
Business process

Link
<None>
Link
Link
Link
Definition
Wikipedia link

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Work Step 1

SAMPLE PROCESS CATEGORIES AND SUB-CATEGORIES

Examples of Process Categories
Examples of Process Sub-Categories
Buy to Pay
Financial Reporting

Financial Close
Payroll Processing

Hire to Retire
Human Resources

Rewards and Recognition

Employee Development

End-User Device Support

Information Technology

Device Procurement and Provisioning

Physical and Logical Security

Proposal Development and Submittal

Research Administration

Award Setup
Award Closeout

Office of Ethics, Risk, and Compliance Services

UC Berkeley

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Dashboard

Work Step:

Purpose:

Output / Deliverable(s):

PHASE I: RISK ASSESSMENT

2. Document Each Process

To understand the principal steps / activities involved in a process, and to
document them in order to have a baseline for identifying the processes'
control activities.

Process narratives and maps

2a. Obtain all available information about how each process is carried
out; follow up with interviews as necessary. If the process is transactional,
then one technique is to take a single transaction and "walk it through"
(perform a walk-through of) each step, documenting the step as you go.

Principal Tasks:

2b. Write up the process in narrative (paragraph) form. Provide the draft
to knowledgeable people for review and comment. Finalize narrative.
2c. Develop the process map(s)--a.k.a., work-flow diagrams. Provide the
draft to knowledgeable people for review and comment. Finalize process
map(s).

Tips!

Template(s):

Guidance & Example(s):

Definitions:
Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley

>The two documents (narrative and process maps) support each other's
development. So it may be more efficient to develop one, then use it as a
basis to develop the other.
>Before beginning interviews, search websites for descriptions of what
the entity does.
>Ask for existing documents that describe the entity's activities.
>Obtain the entity's organization chart, which is often a good indication of
how the entity defines the various activities it carries out.
>Determine if there have been internal audit reports related to the entity;
these can be a good source of background information.
>With regard to existing process descriptions, be aware that what is
documented may not be what is actually done. Validate this during
interviews.

Document
Process narrative (MS Word)
<<Process map: See examples>>

Process
Process
Process
Process

Document
narrative, student fin. aid
narrative, treasury
map, CSS IT
map, AREC

Word or Concept
<None>

Link
Link
<None>
Link
Link
Link
Link
Link

Definition

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Dashboard

PHASE II: CONTROLS GAP ANALYSIS

Work Step:

Purpose:

Output / Deliverable(s):

3. Identify Objectives and Risks, and Assess

the Risks
To understand why the process is carried out (its objectives), the risks to
achieving the objectives, and the controls currently in place that mitigate
the risks.
Risk Assessment Matrix (RAM)

3a. Identify the entity's objectives. As appropriate, organize them into

strategic, operations, financial, and compliance objectives. These
categories overlap, so that a particular objective might fall into more than
one category.
3a(1). <Optional> For each objective, list several activities the
entity carries out that help it to achieve the objectives.

3b. Identify the risks to achieving the objectives.

Principal Tasks:
3b(1). <Optional> For each risk, identify its consequences.
Consequences can be the same for two or more risks.

3c. Assess the likelihood and impact of each risk, or group of risks (you
may choose to assess risks as a group (by objective), or separate out each
risk; this choice depends on whether the risks vary broadly in their
severity).
3d. Multiply the likelihood and impact scores to achieve the risk severity
score.

Identifying objectives:
>Department or initiative websites often contain objectives in the form of
mission, vision, and values statements.
>Also look for strategic and operations plans as a source of objectives.
>Service-level agreements (SLAs) are good sources of operational
objectives.

Identifying risks:Click here for different techniques used to identify risks.

Tips!

How to write a risk statement:

>Risks are events that MIGHT occur; as a result, risk statements should
contain one of the following words: could, might, may.
>Remember, risks are the events that could hinder your ability to achieve
your objectives.
>Risk statements should be complete sentences that enable readers to
understand exactly what the risk is.
>Avoid single words or phrases that simply allude to a risk or that require
special knowledge or group membership to understand.
How to identify and assess the risks:
1. Assemble a group of cross-functional or multi-level individuals to draw
on the group's collective knowledge.
2. As an alternate first step, work with one or two people with deep
understanding of the entity to take a first cut, then share the results with
the larger group to validate results.

Document
Template(s):

Office of Ethics, Risk, and Compliance Services

UC Berkeley

Link

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services
Template(s):

Guidance & Example(s):

Risk assessment matrix (MS Word)

Risk assessment scale--5 levels by category (Excel)
Risk assessment scale--4 levels simplified (jpg)

Link
Link
Link

Document

Link

Sample objective statements

Link

Sample risk and consequences statements

Link

Risk consequences:
>For each risk, if you asked the question, "So what?", the answer gets you
to the consequences of that risk.
>You will find that consequences can often be repeated for (be common
to) a number of your risk statements.
>There will often be more than one consequence per risk.
>Having a concrete list of consequences helps to clarify the potential
impact (severity) of the risk once you move on to the risk assessment
task.

Objective:
An entitys objectives are defined under four categories:
Strategichigh-level goals, aligned with and supporting its mission.
Definitions:

Operationseffective and efficient use of its resources.

Financial reportingreliability of financial reporting.
Compliancecompliance with applicable laws and regulations.

Risk:
The possibility that an event will occur that will adversely affect the
achievement of objectives.
Risk severity:
>The combination of a risk's likelihood of occurring and its impact if it
does occur.
>Usually severity is the product (multiplication) of the risk's numerical
likelihood and impact scores.
>When using a 15 scale, the severity range of a risk is 1 (lowest risk,
1x1) to 25 (highest risk, 5x5).
Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Work Step 3

SAMPLE OBJECTIVES
All categories of compensation that should be reported are reported
All compensation reported is accurate
All employees who should be included in the AREC report are
included, and only those who should be included are included
All expenses charged to the UCB ghost card are valid and authorized
All travel vouchers are input and processed accurately and timely
Campus security and privacy requirements are met
Centers must meet the operational needs of users and be
accountable to users
Conform with the allowability of costs provisions of A-21, or limitations
in the program agreement, program regulations, or program statute
Costs are given consistent accounting treatment within and between
accounting periods
Costs are reasonable and necessary for the performance and
administration of federal awards
Employee compensation and benefits are accurate
Information in the SLIS accurately reflects the UC Berkeley covered
population
Information in the SLIS is up to date
Information submitted to UCOP is properly authorized
IT investments are aligned with the campuss IT standards
Personnel records are accurate and complete
Quality of service to the user must be equal to, if not better than,
services available now
Shared Service Centers must be large enough to achieve economies
of scale
Significant financial savings for the campus must result
Staff are hired possessing the skills appropriate to the position
Technology support services are delivered timely and effectively
Travel vouchers are properly approved

Office of Ethics, Risk, and Compliance Services

UC Berkeley

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Work Step 3

SAMPLE RISK AND CONSEQUENCES STATEMENTS

Sample Objective

Sample Risk Statements

Sample Consequences

Prevent environmental
contamination.

Public health impacts (acute and chronic).

Pollutants (chemical, radiological, biological) could be
Agency fines.
released to the atmosphere.
Bad public relations.

Prevent food-borne illness.

One or more persons could become ill through

consumption of contaminated food.

Injury/death.
Bad public relations.
Damage to reputation.
Lawsuits.
Loss of revenue.

Prevent laboratory injuries.

All or part of the body could be exposed to

chemical(s).

Staff, faculty, student injury/death.

Loss of research funding
State fines.
Bad public relations.
Damage to campus facility.
Temporary loss of campus space.

Maintain industry / UCB standards

for system and network security.

Protected information may be inappropriately

accessed and released.

Change in accreditation status

Subject to review by external agencies
3rd party actions
State and federal fines for privacy violations

Ensure that gifts are processed

accurately and timely and confirm
Funds may be improperly used due to fund terms
that fund terms have been
being inaccurate or incomplete.
accurately recorded in the Berkeley
Financial System.

Address disability needs of staff

who request accommodations.

Requested accommodation may be inappropriately

addressed.

Need to refund money.

Loss of trust.
Loss of future donations.

Litigation
Complaints
Possible corrective action

Ensure program services, data

capture activities and reporting
Medical treatment and benefits may not be
activities comply with UC policy and appropriately provided to employees.
federal / state disability laws.

Recovery of damages (back pay,

reinstatement of position, etc)
Loss of self-insurance status
Fines (specific to unlimited, e.g. under ADA)
3rd party actions

Provide entertainment expense

Employees could submit expense reimbursement
reimbursement policy guidance and
requests for unallowable expenses.
interpretation.

Customers could violate a policy, resulting in

payment to them of ineligible expenses.

Office of Ethics, Risk, and Compliance Services

UC Berkeley

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Work Step 3

TECHNIQUES FOR IDENTIFYING RISKS

Source: ERM for Dummies, Vance and Makomaski, Wiley Publishing, 2007

Approach

Objectives-Oriented
Approach
<<RECOMMENDED>>

Summary

Starts from the perspective of the

organizations objectives.

How Done

Downside

>Could overlook risks not uncovered

through an objective, like external
What risks or events could cause
events not normally thought of as
the organization to not meet its goals
tied to objectives.
and objectives?
>Have you got the right objectives?
>Have you got ANY objectives?

Risk-Oriented Approach

Focus on the risks themselves. You

want people to speculate about what What are the most important risks What risks didnt the group think of,
events or uncertainties might cause you believe your organization faces? perhaps because not all the right
the organization unacceptable levels
people were in the room?
of disruption.

Metric-Oriented Approach

Focus on risks that have a bearing on Numbers driven. Appropriate for

organizations key metrics (KPIs /
organizations focused on financial
SLAs)
performance metrics.

Could miss big natural or operational

risks.

Opportunity-Oriented
Approach

Departs from the negatives

approach to risk identification. Start
thinking about what life like in a riskIf we could eliminate any risks we
free universe.
wanted to, what opportunities could
we take that would make us even
This approach is a good way to
more successful?
identify areas where risk
management can help remove
barriers to value creation.

Be cautious not to lose sight of

organizational priorities and
objectives.

Office of Ethics, Risk, and Compliance Services

UC Berkeley

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Dashboard

PHASE II: CONTROLS GAP ANALYSIS

Work Step:

Purpose:

Output / Deliverable(s):

4. Identify the Controls & Perform a Controls

Gap Analysis
To identify the current set of controls, and to determine if the current set
of controls is adequate to mitigate the identified risks (whether there are
any "gaps" in control coverage). Also, to determine if any of the existing
controls might be unnecessary.
RiskControl Matrix (RCM)

4a. Identify and describe the entity's controls (see "Tips" and
"Definitions" below for guidance on to how to spot controls).
>If a process narrative was developed, read through the narrative and
highlight (bold) any control statements.
>Similarly, if process maps were developed, identify points along the work
flow where controls occur.
>Synch up controls on narratives and process maps.
>Process narratives and maps reflect each other, so it may be most
efficient to identify controls on one, then transfer those to the other. It
may be appropriate that there is not a complete match of controls to both
documents, given potentially different levels of information
communicated.
>Give each control a unique number (the numbering method is not
important at this stage).

Principal Tasks:

4b. Develop the riskcontrol matrix (RCM) and Do a Gap Analysis.

>Down the left-hand column place the controls you have identified (as
best as you can, place them in chronological order).
>Complete all attributes for each control, including where it is performed,
whether it is automated or manual, and whether it is preventive or
detective.
>Across the top of the RCM, place the risks you have identified. For each
risk, indicate its risk severity from the earlier risk assessment.

4b(1). For each intersection of a risk and a control, determine if the

control contributes to mitigatigating the risk, even just a little. If it does,
put an X in the cell; if not, leave the cell blank.

b(2). Once the RCM is completed, for each risk at the top of the RCM, look
down its column and review the controls coverage for that risk. Based on
the number and type of controls, make a determination as to whether the
risk is adequately mitigated. (Key presumption: the controls are designed
and operating effectively.)

b(3). For each control, look across the row at how many risks it helps to
mitigate, and assess whether it may be unnecessary (a control that does
not mitigate any of the risks may be unnecessary).
b(4). Make a final determination as to whether there are any control gaps
or control redundancies. If there are gaps, determine the response: add a
new control, accept the risk, etc.

Office of Ethics, Risk, and Compliance Services

UC Berkeley

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Tips!

IDENTIFYING CONTROLS
>For guidance in thinking about what are the controls in your process,
remember that based on the COSO definition of internal control (see
below), a control is a "process," so it is not necessarily a single activity but
a series of activities, or process steps. (However, limit your control
statements to a few sentences; avoid highlighting an entire paragraph and
calling it the control; it may need to be separated into several controls.)
>Also, before identifying controls, review the links below to "COSO control
components" and "control categories." These will help you spot controls.
>Finally, because controls are those activities that help you to achieve
your objectives (or mitigate the risks to achieving your objectives), when
reviewing your written process narratives to spot and call out control
activities, think about whether the sub-section of your process narrative
helps to achieve one or more objectives; if yes, then it may be a control
activity.
WHEN TO SEPARATE OUT CONTROLS VS. CALL IT ALL ONE
CONTROL
>Bear in mind that when a control is tested as part of routine monitoring
to determine if it is working as designed, if one part of the control design
fails in the test, then the whole control fails. As a result, when identifying
control statements, you may not want to pack too much into a single
control, but rather break it out into two or more separate controls.

Tips!

DETERMINING ADEQUACY OF CONTROL COVERAGE

>The determination of how adequate the control coverage is against a
specific risk cannot typically be quantified, but must rather be determined
through discussion and judgement.
>The determination about control adequacy should take into
consideration the severity of the risk and whether the risk is mitigated by
an appropriate combination of preventive and detective controls and
manual and automated controls.

Document
Template(s):

Guidance & Example(s):

Definition(s):

Link

Controls inventory

Link

Document
Mapping controls to a process map (example 1)

Link
Link

Mapping controls to a process map (example 2)

Link

COSO control components

Link

Control categories

Link

Sample control statements

Link

RCM--objectives driven (ITGCCs)

Link

RCM--objectives driven (AREC)

Link

RCM--simplified risk driven (travel)

Link

Internal control (controls):

Official COSO definition: "A process, effected by an entity's board of
directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:
>"Effectiveness and efficiency of operations,
>"Reliability of financial reporting, and
>"Compliance with applicable laws and regulations."

Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley

Link

Riskcontrol matrix (Excel)

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Work Step 4

SAMPLE CONTROL STATEMENTS

Note: These examples are
for illustration purposes only,
intended to show the
composition of a control
statement, and are not
intended to reflect actual
control activities.
Comments: Control
"statements" are a summary
of the control, usually from one
sentence to a short paragraph
in length, and are intended for
use in conducting the contols
gap analysis. The control
template will contain all the
information about the control.
The control statement should
indicate who performs the
control.
Control frequency does not
need to be indicated in the
control statement; that will be
identified in the risk-control
matrix and control template.

The SMG coordinator notifies Payroll via email that a new AREC-reportable employee has
been hired.
Athletics reconciles the list of names provided by the SMG coordinator from the SLIS to
the tracking spreadsheet that Athletics has been updating throughout the calendar year.
Differences are followed up on, and updates are provided as appropriate to Payroll and
the SMG coordinator for corrections to SLIS.

After all certifications are received and the SLIS is up to date, the SMG coordinator prints
out from SLIS the campuss report, reviews it, and signs it. The chancellor reviews the
UC Berkeley data and certifies with his signature that the population contained in the
report is accurate and complete before it is sent to UCOP.
Reconciliations between the Student Aid Management System (SAMS), Campus Accounts
Receivable System (CARS), and the general ledger are performed monthly by the
Financial Aid Offices (FASOs) Fiscal Management Unit. These reconciliations are
prepared by the assistant director of fiscal management and reviewed by the associate
director.
All checks and EFTs greater than or equal to $100,000 require an additional manual
signature.
The invoicing and receivable system is reconciled to related accounts receivable
accounts. Reconciliations are prepared by an accounts receivable analyst and reviewed
by the director.
All vouchers (except credits) are approved online in BFS by the department approver
before payments are issued to the vendor.
The PI reviews and approves subrecipient invoices to ensure the items requested for
payment relate to an activity that is allowed per the grant agreement (and that the
requested payments are proper given the status of technical deliverables).
The RA reviews the detailed payroll expenses each month for general propriety and to
validate the accuracy of the charges, including the accuracy of employee names and pay
rates, and for possible other key entry errors.
Deficit fund balances (where actual expenses exceed budget) are swept monthly to
discretionary department funds.
IT management meets periodically to conduct strategic planning, address issues, and
monitor controls.
IT roles and responsibilities are defined, reviewed on a periodic basis, and communicated
to staff.
Management understands and provides oversight to ensure that separation of duties is in
place between critical functions.
IST maintains policies and procedures that address program development, changes,
security, and operations. These policies and procedures are guided by the governance
and oversight of the UC Office of the President.
Management understands and provides oversight to ensure that program maintenance
and program development activities are controlled.
IT management tracks, responds to, and ensures appropriate resolution to incidents that
reflect possible control issues, such as significant security breaches or data corruption
problems.

Office of Ethics, Risk, and Compliance Services

UC Berkeley

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Dashboard

PHASE II: CONTROLS GAP ANALYSIS

Work Step:

Purpose:

Output / Deliverable(s):

Principal Tasks:

Tips!

5. Determine Which of the Controls are

"Significant" Controls
To identify the significant controls that are relied upon to achieve the
control objectives, and that (because they are significant) are the ones
that will be documented and routinely tested to ensure they are operating
effectively.

A listing of the significant controls for each process.

5a. Identify the significant controls.
5b. Document the significant controls identified.
If you completed a risk-control matrix in work step 4, controls that
mitigate a lot of the risks (support a lot of the objectives) may be
significant.
Document

Template(s):

Controls Inventory

Link
Document

Guidance & Example(s):

Link

Link

List of significant controls (1)

Link

List of significant controls (2)

Link

Word or Concept
Definition
Significant control
A control that, if other controls fail, provides reasonable assurance that
objectives will still be achieved in the following categories:
Definition(s):

Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley

>Effectiveness and efficiency of operations,

>Reliability of financial reporting, and
>Compliance with applicable laws and regulations.

RISK AND CONTROLS ASSESSMENT TOOLKIT

Risk Services

Return to Dashboard

PHASE II: CONTROLS GAP ANALYSIS

Work Step:

Purpose:

Output / Deliverable(s):

6. Develop Detailed Procedures for the

Significant Controls

To document the design of each control so it is clear how the control is to

be performed--who does it, how often, and using what reports. The
control template acts as a procedure document, and also serves as a
guide for how to test the control during the monitoring phase.

Control Template

6a. Based on any existing control descriptions and (as needed) on

interviews with the people carrying out the control, fill out the control
template. Modify the template as appropriate to add pertinent
information.
Principal Tasks:
6b. Distribute the draft control template for review and comment.
6c. Finalize the control template, and obtain sign-off from the appropriate
manager(s).

Tips!

Template(s):

>When documenting the control, be clear and precise: err on the side of
giving more information rather than less.
>The description of each control step should begin with a verb: "Review,"
"Compare," "Send," "Monitor," etc.
>Exercise good version control.
>Update control templates whenever there is a change in the control
procedure; review them at least annually.
>Archive the control templates in such a way that they are accessible to
the control performers, and so that there is no confusion about which
version is current.

Document
Control template (MS Word)
Document

Guidance & Example(s):

Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley

Link
Link

Control template, asset reconciliation

Link

Control template, revenuegifts

Link

Control template, IT general computer controls

Link

Word or Concept
Definitions:

Link

<None>

Definition