This article applies to all our customers.




MBSi’s services assume that user organizations will implement certain controls. To meet the control objectives outlined in this report, user organizations may need to apply specific controls. MBSi’s management provides control recommendations and offers implementation support where possible. Additionally, MBSi offers best practice guidance on control elements beyond its direct responsibility.

 

This section outlines additional controls that user organizations should implement to complement MBSi's controls. Recommended client considerations include:

 

- User organizations should establish robust and consistent internal controls for general IT system access and appropriate system usage across all components related to MBSi.

- User organizations must promptly remove user accounts for individuals who have been terminated and were involved in any significant functions or activities related to MBSi’s services.

- Transactions related to MBSi’s services should be properly authorized, secure, timely, and complete.

- Data sent to MBSi should be protected with appropriate measures to ensure confidentiality, privacy, integrity, availability, and non-repudiation.

- User organizations should enforce additional approval procedures for critical transactions related to MBSi’s services.

- User organizations must promptly report any significant changes to their control environment that could negatively impact MBSi’s services.

- User organizations are responsible for informing MBSi of any changes in personnel directly involved with MBSi’s services, whether in financial, technical, or administrative roles.

- User organizations must comply with the terms and conditions outlined in their contracts with MBSi.

- User organizations should develop and, if necessary, implement a business continuity and disaster recovery plan (BCDRP) to ensure the continuation of services provided by MBSi.

 

The controls listed above and those specified for control objectives do not encompass all possible controls that user organizations may need. Other controls might be necessary, so each client's internal control system should be evaluated in conjunction with the internal control structure described in this report.