Application Controls - Intro
Ted Wallerstedt, CISA, CIA
Principal Information Systems Auditor
University of Minnesota
Application Controls - Agenda
• Introduction 9:00
• Input Controls 9:05
• Interface Controls 9:35
• Break 10:05
• Access Controls 10:10
• Audit Trails 10:50
Introduction
• Why audit applications?
Application Risks - STRIDE
• Spoofing Identity
• Tampering with data
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privileges
Application Security – Input & Interface Controls
Quinn Gaalswyk, CISA
Senior Information Systems Auditor
University of Minnesota
Application Input Controls
• Controls embedded in the application
• Used to control functional/business transactions
• Prevent or detect data integrity issues
#1 REVIEW AND EVALUATE DATA INPUT CONTROLS
Application Input Control Types - Edits
• Prevent input from being entered that may cause data-integrity problems
10 Common Input Edits
1. Numeric - alphanumeric restrictions
2. Dates and hour fields set to convert input into the correct format
10 Common Input Edits
3. Transaction "reasonableness" checks on inputs
10 Common Input Edits
4. Limited input fields prevent invalid entries
– E.g. Drop Down Lists
5. Duplicate entries not allowed for data that is to be unique
6. "Logic" checks
– E.g. Parts Not Greater than Sum
10 Common Input Edits
7. "Calculation" checks on inputs
10 Common Input Edits
8. Programmed cutoff dates
– E.g. preventing wrong period inputs
9. Execution of a transaction not allowed until valid data entered into all required fields
10. Database operators disallowed
– E.g. * or =
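The ten edits above are easiest to evaluate when you can see them applied to one record. The following is an added example (not code from the presentation or from any UMN system) that runs all ten edits against a constructed eChecks-style AP payment record. The field names, the allowed payment methods, the reasonableness ceiling, the accepted date formats and the open accounting period are all assumptions chosen for the example; the disallowed characters are the two the slide names.

```python
from datetime import date, datetime
from decimal import Decimal, InvalidOperation

# Constructed rules for a hypothetical eChecks AP payment record (assumptions).
ALLOWED_METHODS = {"ECHECK", "ACH", "WIRE"}          # edit 4: the drop-down list values
REASONABLE_MAX = Decimal("100000.00")                # edit 3: assumed ceiling for one payment
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%Y%m%d")    # edit 2: inputs converted to one format
REQUIRED = ("check_number", "vendor_id", "amount", "method", "invoice_date")  # edit 9
DB_OPERATORS = ("*", "=")                            # edit 10: the characters the slide names


def parse_date(text):
    """Edit 2: accept any listed input format and convert it to a date object."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def validate_payment(rec, existing_check_numbers, period_start, period_end):
    """Apply the ten input edits; returns a list of failures, empty when the record passes."""
    errors = []
    # 9. All required fields must be present before any other edit is evaluated.
    missing = [f for f in REQUIRED if not str(rec.get(f, "")).strip()]
    if missing:
        errors.append(f"required fields missing: {', '.join(missing)}")
        return errors
    # 1. Numeric / alphanumeric restrictions.
    try:
        amount = Decimal(str(rec["amount"]))
    except InvalidOperation:
        errors.append("amount is not numeric")
        amount = None
    if not str(rec["vendor_id"]).isalnum():
        errors.append("vendor_id must be alphanumeric")
    # 2. Date conversion.
    inv_date = parse_date(str(rec["invoice_date"]))
    if inv_date is None:
        errors.append("invoice_date not in an accepted format")
    # 3. Reasonableness.
    if amount is not None and not (Decimal("0") < amount <= REASONABLE_MAX):
        errors.append(f"amount {amount} outside reasonable range")
    # 4. Limited input field.
    if rec["method"] not in ALLOWED_METHODS:
        errors.append(f"method {rec['method']!r} not in allowed list")
    # 5. Duplicates not allowed for a value that must be unique.
    if rec["check_number"] in existing_check_numbers:
        errors.append("duplicate check_number")
    # 6. Logic check: the parts may not exceed the total.
    if amount is not None:
        lines = sum(Decimal(str(x)) for x in rec.get("line_items", []))
        if lines > amount:
            errors.append("line items exceed total amount")
    # 7. Calculation check: subtotal + tax must equal the amount when both are supplied.
    if amount is not None and "subtotal" in rec and "tax" in rec:
        if Decimal(str(rec["subtotal"])) + Decimal(str(rec["tax"])) != amount:
            errors.append("subtotal + tax does not equal amount")
    # 8. Programmed cutoff: the invoice date must fall in the open period.
    if inv_date is not None and not (period_start <= inv_date <= period_end):
        errors.append("invoice_date outside open period")
    # 10. Database operators rejected in free-text fields.
    for field in ("memo", "vendor_name"):
        if any(op in str(rec.get(field, "")) for op in DB_OPERATORS):
            errors.append(f"{field} contains disallowed character")
    return errors


# Constructed sample data: March 2024 is the open period, check 1000 is already posted.
OPEN_PERIOD = (date(2024, 3, 1), date(2024, 3, 31))
ALREADY_POSTED = {"1000"}
SAMPLE_GOOD = {"check_number": "1001", "vendor_id": "V123", "amount": "150.00",
               "method": "ECHECK", "invoice_date": "03/15/2024",
               "line_items": ["100.00", "50.00"], "subtotal": "140.00", "tax": "10.00",
               "memo": "March services"}
SAMPLE_BAD = {"check_number": "1000", "vendor_id": "V-1", "amount": "abc",
              "method": "CASH", "invoice_date": "2024-04-02", "memo": "1=1 OR *"}


def run_samples():
    """Run both constructed records through the edits; used as the auditor's 'test data'."""
    return {name: validate_payment(rec, ALREADY_POSTED, *OPEN_PERIOD)
            for name, rec in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD))}


if __name__ == "__main__":
    for name, errs in run_samples().items():
        print(name, errs or "passes all edits")
```

Feeding a deliberately bad record through the edits is exactly the "test data" approach the auditing slide describes: a single well-chosen record exercises every edit at once, and the list of failures is the evidence that each one is operating.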
Application Input Control Types – Error/Exception Reports
• Detects input data that may cause data-integrity problems
• Push vs. Pull Reports
• Input is not or cannot be prevented by edits
#2 DETERMINE THE NEED FOR ERROR/EXCEPTION REPORTS RELATED TO DATA INTEGRITY, AND EVALUATE WHETHER THIS NEED HAS BEEN FULFILLED.
Error/Exception Report Considerations
• Who is reviewing the log?
– Confirm review documentation
• What activity/data is logged?
– Log Size
– Reviewing Time
Application Input Control Auditing
• Automated (application) controls: confirm operating effectively
– Test data
– Sample of one
• Reports: confirm creation and review
– Test generation as automated (application) control
– Larger sample of report reviews
– Email or written confirmation
Group Activity – Identify Expected Edits and Report Controls
Scenario: Edits & Reports Testing – eChecks AR/AP Application
What edits or reports would you expect to see?
Scenario: Edits & Reports Testing – eChecks AR/AP Application
What are the top controls you want to test?
Interface Controls Defined
• Controls ensuring proper transfer of data between systems
• Controls around both source and downstream systems
#3 REVIEW AND EVALUATE THE CONTROLS IN PLACE OVER DATA FEEDS TO AND FROM INTERFACING SYSTEMS.
Common Interface Types
1. Automated interface
– Batch Processing (i.e. automated jobs)
– Manual kickoff
2. Manual - Typing Interface
Automated Interface - Batch Processing
• Multiple places batches/jobs can be run from:
– Separate shared job scheduler (e.g. Autosys)
– Operating system (cron jobs)
– Database (SQL Agent tool)
– Application directly
Automated Batch Components
• Batch/Job schedules
– List of what jobs will run when
– May include automated and manual
• Job dependencies
• Operator access (if applicable)
• Job managing software (if separate)
Auditing Automated Batches
• Access to batch schedules
• Batch schedule change procedures
• Batch dependencies noted
• Notifications if automated job abends
– Confirm operator call list/operator monitoring
– Confirm call is automated
Common Interface Controls
1. Transfer Failure Notification/Reporting
– Timely and to appropriate individuals
2. Control totals and accompanying reporting
– Record Counts
– Total Amounts
– Hash Totals
Common Interface Controls
3. Header/Footer Checks
– Interchange Control Envelope ISA - IEA
4. Reconciliation reports
– Review of control totals and/or discrepancies
Common Interface Controls
5. Transfers should be secured throughout process
– Corruption and viewing
– Source system security
– File creation and storage
– Network security
Common Interface Controls
6. Input controls into the system where valid – interface edit
– Example: duplicate transaction flag review or prevent for a credit card company
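Controls 2, 3 and 4 above (control totals, header/footer checks and the reconciliation report) work together, and the quickest way to see what each one catches is to recompute them on the receiving side of a feed. The following is an added example, not code from the presentation: it uses a simplified constructed header/detail/trailer layout rather than the X12 ISA/IEA envelope the slide mentions, carries a record count, a total amount and a hash total in the trailer, and shows which total detects a dropped record, an altered amount and a changed account number. The file layout and sample payments are assumptions made for the example.

```python
from decimal import Decimal

# Constructed flat-file layout (an assumption for this example):
#   HDR|<feed_id>|<as_of_date>
#   DTL|<txn_id>|<account_no>|<amount>
#   TRL|<feed_id>|<record_count>|<total_amount>|<hash_total>
# The hash total is the plain arithmetic sum of the account numbers. It has no
# business meaning, which is exactly why it catches a record whose account was
# changed even when the record count and dollar total still agree.


def build_feed(feed_id, as_of, records):
    """Sending side: write the detail records and compute the trailer control totals."""
    lines = [f"HDR|{feed_id}|{as_of}"]
    count, total, hash_total = 0, Decimal("0"), 0
    for txn_id, account, amount in records:
        lines.append(f"DTL|{txn_id}|{account}|{amount}")
        count += 1
        total += Decimal(amount)
        hash_total += int(account)
    lines.append(f"TRL|{feed_id}|{count}|{total}|{hash_total}")
    return "\n".join(lines) + "\n"


def verify_feed(text):
    """Receiving side: check the envelope, recompute the totals and produce a reconciliation report."""
    report = {"ok": False, "records": 0, "discrepancies": []}
    lines = [line for line in text.splitlines() if line.strip()]
    # 3. Header/footer checks: both must be present and belong to the same feed.
    if not lines or not lines[0].startswith("HDR|"):
        report["discrepancies"].append("missing header record")
        return report
    if not lines[-1].startswith("TRL|"):
        report["discrepancies"].append("missing trailer record (truncated transfer?)")
        return report
    feed_id = lines[0].split("|")[1]
    _, trl_feed, exp_count, exp_total, exp_hash = lines[-1].split("|")
    if trl_feed != feed_id:
        report["discrepancies"].append("header/trailer feed id mismatch")
    # 2. Control totals recomputed from the detail records actually received.
    count, total, hash_total = 0, Decimal("0"), 0
    for line in lines[1:-1]:
        tag, _txn_id, account, amount = line.split("|")
        if tag != "DTL":
            report["discrepancies"].append(f"unexpected record type {tag!r}")
            continue
        count += 1
        total += Decimal(amount)
        hash_total += int(account)
    report["records"] = count
    # 4. Reconciliation: every disagreement with the trailer is reported, not just the first.
    if count != int(exp_count):
        report["discrepancies"].append(f"record count {count} != trailer {exp_count}")
    if total != Decimal(exp_total):
        report["discrepancies"].append(f"total amount {total} != trailer {exp_total}")
    if hash_total != int(exp_hash):
        report["discrepancies"].append(f"hash total {hash_total} != trailer {exp_hash}")
    report["ok"] = not report["discrepancies"]
    return report


# Constructed sample feed of three AP payments.
SAMPLE_RECORDS = [("T1", "40011", "125.00"), ("T2", "40022", "80.50"), ("T3", "40033", "1000.00")]
SAMPLE_FEED = build_feed("AP-20240315", "2024-03-15", SAMPLE_RECORDS)


def tampered_samples():
    """Three ways a feed can go wrong in transit, each caught by a different control total."""
    dropped = SAMPLE_FEED.replace("DTL|T2|40022|80.50\n", "")          # a record lost
    altered = SAMPLE_FEED.replace("125.00", "1250.00", 1)              # an amount changed
    swapped = SAMPLE_FEED.replace("DTL|T3|40033|", "DTL|T3|40044|")    # an account changed
    return {"dropped": verify_feed(dropped), "altered": verify_feed(altered),
            "swapped": verify_feed(swapped)}


if __name__ == "__main__":
    print(verify_feed(SAMPLE_FEED))
    for name, rep in tampered_samples().items():
        print(name, rep["discrepancies"])
```

When reviewing a real reconciliation report, look for the case the example's "swapped" scenario illustrates: a feed whose record count and dollar total both agree can still have moved money to the wrong account, and only a hash total (or a field-level compare) will show it.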
Interface Synchronization
• Data synchronization if multiple sets stored
• Determine source of truth
• Review synchronization process and test data
#4 IN CASES WHERE THE SAME DATA ARE KEPT IN MULTIPLE DATABASES AND/OR SYSTEMS, PERIODIC 'SYNC' PROCESSES SHOULD BE EXECUTED TO DETECT ANY INCONSISTENCIES IN THE DATA.
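A periodic sync check of the kind #4 calls for is, at its core, a key-by-key and field-by-field comparison of a secondary copy against the designated source of truth. The following added example (not code from the presentation) does that for two constructed snapshots of a vendor master kept in an AP system and a purchasing system; treating the AP system as the source of truth, the vendor records and the field list are assumptions made for the example.

```python
# Constructed snapshots of one vendor master kept in two systems. The AP system
# is treated as the source of truth (an assumption for this example; establishing
# which copy is authoritative is the auditor's first question on the slide).
AP_SYSTEM = {
    "V1": {"name": "Acme Supply", "status": "active", "bank_account": "111222"},
    "V2": {"name": "Birch Tools", "status": "inactive", "bank_account": "333444"},
    "V3": {"name": "Cedar Freight", "status": "active", "bank_account": "555666"},
}
PURCHASING_SYSTEM = {
    "V1": {"name": "Acme Supply", "status": "active", "bank_account": "111222"},
    "V2": {"name": "Birch Tools", "status": "active", "bank_account": "333444"},  # never deactivated downstream
    "V4": {"name": "Delta Parts", "status": "active", "bank_account": "777888"},  # exists only in the copy
}
COMPARE_FIELDS = ("name", "status", "bank_account")


def sync_check(truth, copy, fields):
    """Compare a secondary copy against the source of truth and report every inconsistency."""
    report = {"missing_in_copy": [], "extra_in_copy": [], "mismatched": {}}
    for key, rec in truth.items():
        if key not in copy:
            report["missing_in_copy"].append(key)
            continue
        # Field-level differences, reported as (truth value, copy value) pairs.
        diffs = {f: (rec.get(f), copy[key].get(f))
                 for f in fields if rec.get(f) != copy[key].get(f)}
        if diffs:
            report["mismatched"][key] = diffs
    # Records the copy holds that the source of truth never issued.
    report["extra_in_copy"] = sorted(k for k in copy if k not in truth)
    report["consistent"] = not (report["missing_in_copy"] or report["extra_in_copy"]
                                or report["mismatched"])
    return report


def run_sync_check():
    """The constructed AP-versus-purchasing comparison."""
    return sync_check(AP_SYSTEM, PURCHASING_SYSTEM, COMPARE_FIELDS)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sync_check(), indent=2))
```

The three buckets in the report map to the three questions a reviewer asks of a sync process: what never arrived downstream, what exists downstream without an authoritative origin, and what arrived but has since drifted (here, a vendor deactivated in AP that purchasing still shows as active).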
Interface Example
Application Security – Audit Trails
Quinn Gaalswyk, CISA
Senior Information Systems Auditor
University of Minnesota
Application Audit Trails Value
• Show detail of end user activity
– Troubleshooting
– Identify breaches
– Prevent repudiation
#5 REVIEW AND EVALUATE THE AUDIT TRAILS PRESENT IN THE SYSTEM AND THE CONTROLS OVER THOSE AUDIT TRAILS.
Auditing Application Audit Trails
• Obtain sample evidence of the audit trail and review
• End users and developers cannot edit the audit trail
– Users MAY view
– Stored on DB or OS
• Pragmatic and useful
– Expensive
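The requirement that end users and developers cannot edit the audit trail is usually enforced by storage permissions, but an auditor can also ask whether the trail is tamper-evident, so that an edit or deletion made anyway would show up on review. The following is an added example, not code from the presentation or any UMN application: each entry's hash covers the previous entry's hash, so altering or removing any earlier entry breaks the chain from that point on. The sample activity, user names and field layout are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used for the first entry


def _digest(prev_hash, body):
    # Hash the previous entry's hash together with a canonical encoding of this
    # entry, so a change to any field of any earlier entry changes every later hash.
    payload = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(trail, user, action, target, when):
    """Append one end-user action; `when` is an ISO timestamp string (constructed here)."""
    prev = trail[-1]["hash"] if trail else GENESIS
    body = {"seq": len(trail) + 1, "user": user, "action": action, "target": target, "when": when}
    trail.append({**body, "hash": _digest(prev, body)})
    return trail


def verify_trail(trail):
    """Return (True, None) if every entry chains to its predecessor, else (False, position of the first break)."""
    prev = GENESIS
    for pos, entry in enumerate(trail, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        # A removed entry shows up as a sequence gap; an edited one as a hash mismatch.
        if body.get("seq") != pos or _digest(prev, body) != entry["hash"]:
            return False, pos
        prev = entry["hash"]
    return True, None


def build_sample_trail():
    """Constructed activity for a hypothetical AP application."""
    trail = []
    append_entry(trail, "jsmith", "CREATE_PAYMENT", "check 1001", "2024-03-15T09:02:11Z")
    append_entry(trail, "mlee", "APPROVE_PAYMENT", "check 1001", "2024-03-15T09:40:05Z")
    append_entry(trail, "jsmith", "RELEASE_PAYMENT", "check 1001", "2024-03-15T10:01:30Z")
    return trail


def tampering_scenarios():
    """What verification returns for a clean trail and after two kinds of after-the-fact change."""
    edited = build_sample_trail()
    edited[1]["user"] = "jsmith"   # approver field altered after the fact
    deleted = build_sample_trail()
    del deleted[1]                 # approval entry removed entirely
    return {"clean": verify_trail(build_sample_trail()),
            "edited": verify_trail(edited),
            "deleted": verify_trail(deleted)}


if __name__ == "__main__":
    for name, result in tampering_scenarios().items():
        print(name, result)
```

The chain only proves anything if its latest hash is recorded somewhere the application's users and developers cannot write (the slide's "stored on DB or OS" point applies to that anchor as much as to the trail itself); otherwise someone who can rewrite entries can simply recompute the hashes.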
Data Flow Traceability
• Data should be traceable through the entire system
• Confirm via audit trail and related controls
#6 THE SYSTEM SHOULD PROVIDE A MEANS TO TRACE A TRANSACTION OR PIECE OF DATA FROM THE BEGINNING TO THE END OF THE PROCESS ENABLED BY THE SYSTEM.
Application Audit Trail Example
Application Controls – Access Controls
Ted Wallerstedt, CISA, CIA
Principal Information Systems Auditor
University of Minnesota
Authentication – Who are you?
#7. DOES AN AUTHENTICATION METHOD EXIST?
• What are some ways that users can be authenticated?
Authentication – Who are you?
• Passwords
• Multifactor
• Single Sign on
– Log on to OS
– Log on to CAH
– Log on to TFA server
Passwords
#12. ARE THERE STRONG PASSWORD CONTROLS IN PLACE?
• What password controls do you expect to find?
Password Controls
• Length
• Complexity
• Change Interval
• History
UMN Password Standard
• Password must be used for all devices
• 8 or more characters long
• Changed at least annually
• Must be complex
– A minimum of three types of characters
• Account lockout required
• Do not share passwords
Activity - Passwords
You have received evidence of the password settings for the application. Based on the evidence:
• Does the Bookstore application meet UMN password standards?
• What questions do you have of the admin?
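The password activity asks whether an application's settings meet the UMN standard. The following added example (not code from the presentation or any UMN system) encodes the four testable points of the standard as stated on the slide (8 or more characters, annual change, three character types, account lockout) and applies them in two directions: to an individual candidate password, and to the configured settings an admin hands over as evidence. The settings key names and the Bookstore evidence values are constructed for the example; the activity's real evidence is not reproduced on the page.

```python
import string

# The UMN standard as stated on the slide. The key names are this example's own,
# not any product's configuration parameters.
UMN_STANDARD = {"min_length": 8, "max_age_days": 365, "min_character_types": 3}


def character_types(password):
    """Count how many of the four character classes (upper, lower, digit, punctuation) appear."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(1 for test in tests if any(test(c) for c in password))


def password_gaps(password, previous_passwords=()):
    """Return the requirements a candidate password fails; an empty list means it passes."""
    gaps = []
    if len(password) < UMN_STANDARD["min_length"]:
        gaps.append("shorter than 8 characters")
    if character_types(password) < UMN_STANDARD["min_character_types"]:
        gaps.append("fewer than three character types")
    if password in previous_passwords:          # the History control from the Password Controls slide
        gaps.append("reuses a password in the history")
    return gaps


def evaluate_settings(evidence):
    """Compare an application's configured password settings against the standard; returns findings."""
    findings = []
    if evidence.get("min_length", 0) < UMN_STANDARD["min_length"]:
        findings.append(f"minimum length {evidence.get('min_length', 0)} is below 8")
    max_age = evidence.get("max_age_days")      # None or 0 means passwords never expire
    if not max_age or max_age > UMN_STANDARD["max_age_days"]:
        findings.append("passwords are not forced to change at least annually")
    if evidence.get("min_character_types", 0) < UMN_STANDARD["min_character_types"]:
        findings.append("complexity does not require three character types")
    if not evidence.get("lockout_threshold"):   # 0 or missing means lockout is disabled
        findings.append("account lockout is not enabled")
    return findings


# Constructed evidence for the hypothetical Bookstore application.
BOOKSTORE_EVIDENCE = {"min_length": 6, "max_age_days": 0, "min_character_types": 2,
                      "lockout_threshold": 0}


def bookstore_findings():
    return evaluate_settings(BOOKSTORE_EVIDENCE)


if __name__ == "__main__":
    for finding in bookstore_findings():
        print("finding:", finding)
    print("example password gaps:", password_gaps("password"))
```

A settings printout only shows what is configured, not whether it is enforced, so the second half of the activity ("what questions do you have of the admin?") still matters: ask whether the settings apply to every account type, including administrative and service accounts, and whether a local override could exempt any of them.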
Application Administration
• Add/Delete users/groups
• Change users/groups
• Audit trail
• Reporting
#9. IS THE ADMIN FUNCTION ADEQUATE?
User Provisioning
• Add/Delete users/groups
• Change users/groups
• Audit trail
• Reporting
#13. IS BUSINESS NEED VERIFIED BEFORE ACCESS IS GRANTED?
User De-Provisioning
• User quits or is fired
• User changes jobs
• User goes on leave
#11. ARE RIGHTS REMOVED WHEN NO LONGER NEEDED?
Authorization – What are you allowed to do?
• Access Data (Read/Write)
• Access Transactions (Execute)
• Read (Display/Print/Copy)
• Write (Create/Modify/Delete)
#8. IS AUTHENTICATION AND AUTHORIZATION REQUIRED FOR ACCESS?
Transaction Approval
EXAMPLES -
• Transactions limited by dollar amount
• Access requests
• Move to production
• Record of review
#10. IS THERE TRANSACTION APPROVAL IN THE APPLICATION?
Session Timeout
• Password protected screen savers
• Required by UMN for HIPAA data
• 30 minutes or less
#14. ARE USERS LOGGED OUT WHEN INACTIVE?
Data Encryption
• HTTPS/SSL
• PKI
• Whole Disk
• Record/field level
#15. IS DATA PROTECTED IN TRANSIT AND AT REST?
Developer Access
• Segregation of Duties
• Unauthorized changes
• Disruption of service
• Unauthorized transactions
#16. CAN DEVELOPERS CHANGE PRODUCTION SYSTEMS?
Activity – User Rights
You have requested a list of users and roles for the application. Based on the evidence:
• What issues do you have with the access list?
• What questions do you have of the admin?