I was looking at your documentation about “Controls & Audits” => Internal Controls - Google Docs and found this definition under the “Basic Concepts”:
**Internal Controls are used to document all activities your organization employs to deal with “Problems” (e.g., Risk, Compliance, etc)**
This is different from what we have been doing so far, hence I wanted to ask a few related questions. I might have been wrong or just misunderstood something, hence please be patient and help me figure this out.
Open for any thoughts on this. Please comment.
So far we have used eramba this way:
Policies: documents rules and regulations on how our company is supposed to work. i.e. we have a policy like: Backup Policy - states what, where, when and how is to be backed up
Controls: are supposed to be checks we run in regular intervals to check if policies are being followed and are effective. i.e. we have controls like: Backup & Restore Testing Control - states that Backups and Restores need to be monitored - during the audit, our IT administrator presents evidence of 1 random successful backup and restore within the last 6 months to show that the Backup Policy is being applied and effective.