baa ais it controls

Upload: harry-k-matola

Post on 06-Jul-2018

TRANSCRIPT

  • 8/16/2019 Baa Ais It Controls

    BAA - Audit & Information Systems

    Winston Phethi

  • Introduction

    - What are IT Controls?
    - General Controls
    - Application Controls
    - Why are IT Controls Important?
    - Who is responsible for IT Controls?
    - Where are IT Controls Applied?

  • "IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations are dependent for their business and financial transaction processing — and overlooking or minimizing their importance creates a significant risk."

    - CICA Information Technology Advisory Committee (2004)

  • Controls over computer-based systems are broken down into two major categories: general and application controls.

    General controls apply to all system components, processes, and data for a given organization or systems environment.

    Application controls (a.k.a. business process controls) pertain to the scope of individual business processes or application systems.

  • Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls.

  • By definition, General Computer Controls are control activities performed within the IT organization or the technology that they support that can be applied to every system that the organization relies upon; they are designed to encompass an organization's IT infrastructure rather than specific applications. General controls help ensure confidentiality, integrity, and availability; contribute to safeguarding of data; and promote regulatory compliance.

  • IT systems support many of the business processes, e.g. in an accounting department those listed below:

    - Purchasing
    - Accounts Payable
    - Inventory
    - Payroll

  • ... and without effective General Controls, reliance on these IT systems may not be possible.

  • If general controls are ineffective, there may be potential for material misstatement in each computer-based accounting application.

  • General controls include:

    - Organization Controls: Policies and Procedures; Segregation of Duties
    - Access Controls: Physical Security; Logical Access
    - Change Management Controls
    - Business Continuity Controls: Disaster Recovery; Fault Tolerant Systems; Backup

  • A clear, concise, and well-written set of information technology policies, procedures, and control documentation is a strategic link between the university's vision and its day-to-day operations. These documents are critical to the university because they provide guidelines for faculty/staff/students and enable the smooth functioning of the computer operations function without constant management intervention.

  • The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence.

    Controls are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

    Inadequate segregation of duties increases the risk of errors being made and remaining undetected; it also may lead to fraud and the adoption of inappropriate working practices.

    Sarbanes-Oxley provided a compelling case for the implementation and maintenance of appropriate segregation of duties at the organizational, manual process, and system level.
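The separation described on this slide can be tested mechanically against an access report. The following is an added example, not part of the deck: the duty names, the conflicting-pair policy, the roles and the user assignments are all constructed assumptions.

```python
# Added example (not from the deck): a segregation-of-duties check over a
# constructed user/role matrix. Duty names and conflict pairs are assumptions
# mirroring the slide's initiate/authorize/input/process/check functions.

# Duty pairs that one person must never hold together (assumed policy).
CONFLICTING_DUTIES = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "check"}),
    frozenset({"authorize", "process"}),
}

# Constructed role definitions: role -> duties it grants.
ROLES = {
    "ap_clerk": {"initiate", "input"},
    "ap_supervisor": {"authorize", "check"},
    "batch_operator": {"process"},
    "ap_manager": {"initiate", "authorize"},   # conflicting on its own
}

# Constructed user-to-role assignments, as pulled from an ERP access report.
ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_supervisor"],
    "carol": ["ap_clerk", "ap_supervisor"],   # accumulated both sides
    "dave": ["ap_manager"],
}


def effective_duties(user_roles):
    """Union of the duties granted by all of a user's roles."""
    duties = set()
    for role in user_roles:
        duties |= ROLES.get(role, set())
    return duties


def sod_violations(assignments):
    """Return {user: sorted conflicting duty pairs} for every user whose
    combined roles grant both halves of a conflicting pair."""
    findings = {}
    for user, user_roles in assignments.items():
        held = effective_duties(user_roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES
                      if pair <= held)
        if hits:
            findings[user] = hits
    return findings
```

Note that carol is flagged although neither of her roles conflicts by itself; the check must run over the union of a user's roles, not role by role.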

  • What is Physical Security? Measures used to protect an organization's facilities, resources, or proprietary data stored on physical media.

    Examples:

    - Facility monitoring (surveillance systems, cameras, guards, exterior lighting)
    - Access controls to facilities/data center/computers (access cards)
    - Alarm systems (fire, burglar, water, humidity, power fluctuations)
    - Shred sensitive documents
    - Proper storage/disposal of hard drives and other electronic storage media
    - Secure storage of back-up copies of data and master copies of critical software

  • What is Logical Access? Limiting access to systems and information to authorized individuals.

    Examples:

    - Passwords
    - System authentication
    - Logs of logon attempts
    - Application-level firewalls
    - Antivirus and anti-spyware software should be installed and up to date
    - Intrusion detection systems which would identify suspicious network activity
    - Encryption for sensitive data
    - File shares should be adequately restricted to appropriate users
    - Patches/system updates should be applied timely

  • Password guidance:

    - Don't use passwords that are based on personal information that can be easily accessed or guessed.
    - Don't use words that can be found in any dictionary of any language.
    - Develop a mnemonic for remembering complex passwords.
    - Use both lowercase and capital letters.
    - Use a combination of letters, numbers, and special characters.
    - The longer the password, the tougher it is to crack. Use at least 10 characters.
    - Use different passwords on different systems.
    - Keep your passwords in a secure place, out of plain sight.
    - Don't share passwords on the phone, in texts or by email.

  • Change Management Control Objectives include:

    - To manage the IT change process such that the introduction of errors and incidents related to change is minimized.
    - To ensure that standard methods and procedures are used so that changes can be addressed expediently and with the lowest impact on service quality.

  • Change Management Controls could include:

    - Monitoring and logging of all changes
    - Steps to detect unauthorized changes
    - Confirmation of testing
    - Authorization for moving changes to production
    - Tracking movement of hardware and other infrastructure components
    - Periodic review of logs
    - Back out plans
    - User training
    - Specific defined and followed procedures for emergency changes
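Three of the controls listed (monitoring and logging of changes, steps to detect unauthorized changes, periodic review of logs) come together when the production change log is reconciled against approved tickets. The following is an added example, not from the deck: the ticket and log record layouts, the ticket ids, systems and timestamps are constructed assumptions.

```python
# Added example (not from the deck): reconciling a constructed production
# change log against approved change tickets, one way to implement the slide's
# "steps to detect unauthorized changes" and "periodic review of logs".
from datetime import datetime
FMT = "%Y-%m-%d %H:%M"

# Constructed approved tickets: target system, approved window, testing status.
APPROVED = [
    {"id": "CHG-101", "system": "payroll-app", "tested": True,
     "start": "2019-08-10 22:00", "end": "2019-08-11 02:00"},
    {"id": "CHG-102", "system": "ap-db", "tested": False,
     "start": "2019-08-12 22:00", "end": "2019-08-13 02:00"},
]

# Constructed change log from production: system, time, ticket referenced.
CHANGE_LOG = [
    {"system": "payroll-app", "at": "2019-08-10 23:15", "ticket": "CHG-101"},
    {"system": "payroll-app", "at": "2019-08-12 09:40", "ticket": "CHG-101"},
    {"system": "ap-db", "at": "2019-08-12 23:00", "ticket": "CHG-102"},
    {"system": "inventory-app", "at": "2019-08-14 14:05", "ticket": None},
]

def review_change(entry, approved_by_id):
    """Exception reasons for one log entry; an empty list means the change is
    backed by an approved, tested ticket for that system inside its window."""
    ticket = approved_by_id.get(entry["ticket"])
    if ticket is None:
        return ["no approved ticket"]
    reasons = []
    if ticket["system"] != entry["system"]:
        reasons.append("ticket approved for a different system")
    at = datetime.strptime(entry["at"], FMT)
    start = datetime.strptime(ticket["start"], FMT)
    end = datetime.strptime(ticket["end"], FMT)
    if not start <= at <= end:
        reasons.append("outside approved window")
    if not ticket["tested"]:
        reasons.append("testing not confirmed")
    return reasons

def exception_report(change_log=CHANGE_LOG, approved=APPROVED):
    """Periodic log review: {(system, time): reasons} for unsupported changes."""
    by_id = {t["id"]: t for t in approved}
    report = {}
    for entry in change_log:
        reasons = review_change(entry, by_id)
        if reasons:
            report[(entry["system"], entry["at"])] = reasons
    return report
```

The second payroll-app entry shows why the window matters: it cites a genuine ticket but was applied a day after the approval expired, so a check on ticket presence alone would have missed it.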


  • Business Continuity Controls. Definition: a comprehensive approach to ensuring normal operations despite interruptions.

    Components:

    - Disaster Recovery
    - Fault Tolerant Systems
    - Backup and Recovery

  • Disaster Recovery: documentation of the procedures to ensure that the organization continues to operate by providing the ability to successfully recover computer services in the event of a disaster.

    - Must ensure that plans are comprehensive, up-to-date, and approved by key organizational, management, and executive personnel.
    - Must test the plans regularly and document the results.


  • Fault Tolerant Systems: the ability of a system to respond gracefully to an unexpected hardware or software failure.

    There are many levels of fault tolerance, the lowest being the ability to continue operation in the event of a power failure. Many fault-tolerant computer systems mirror all operations; that is, every operation is performed on two or more duplicate systems, so if one fails the other can take over.

  • Backup and Recovery: requirements should be defined for backup of critical data (type and frequency).

    Procedures should be in place to periodically validate the recovery process.

  • Application controls include:

    - Input controls
    - Processing controls
    - Output controls

  • Input control objectives:

    - All transactions are initially and completely recorded
    - All transactions are completely and accurately entered into the system
    - All transactions are entered only once

  • Controls in this area may include:

    - Pre-numbered documents
    - Control total reconciliation
    - Data validation
    - Activity logging
    - Document scanning
    - Access authorization
    - Document cancellation

  • Processing control objectives:

    - Approved transactions are accepted by the system and processed
    - All rejected transactions are reported, corrected, and re-input
    - All accepted transactions are processed only once
    - All transactions are accurately processed
    - All transactions are completely processed

  • Controls over processing may include:

    - Control totals
    - Programmed balancing
    - Segregation of duties
    - Restricted access
    - File labels
    - Exception reports
    - Error logs
    - Reasonableness tests
    - Concurrent update control
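Several of the input controls (pre-numbered documents, control total reconciliation, data validation) and processing controls (control totals, reasonableness tests, exception reports) can be seen working together on one batch. The following is an added example, not from the deck: the batch header, the transaction records, the document-number range and the reasonableness ceiling are constructed assumptions.

```python
# Added example (not from the deck): batch input and processing controls over
# a constructed set of pre-numbered transactions. The batch header, the
# per-transaction ceiling and the record layout are assumptions.

# Constructed batch header: control totals and the document-number range
# issued for this batch, as prepared by the originating department.
BATCH_HEADER = {"count": 4, "amount_total": 1250.00,
                "first_doc": 1001, "last_doc": 1004}

REASONABLE_MAX = 500000.00   # assumed ceiling for the reasonableness test

# Constructed input: document 1003 was never keyed and 1002 was keyed twice.
TRANSACTIONS = [
    {"doc": 1001, "amount": 300.00},
    {"doc": 1002, "amount": 450.00},
    {"doc": 1002, "amount": 450.00},   # duplicate entry
    {"doc": 1004, "amount": 50.00},
]


def validate_batch(transactions, header, reasonable_max=REASONABLE_MAX):
    """Return (accepted, exceptions). Only accepted records go on to
    processing; every rejection is reported so it can be corrected and
    re-input, which is the slide's processing objective."""
    accepted, exceptions, seen = [], [], set()
    for tx in transactions:
        if tx["doc"] in seen:
            exceptions.append((tx["doc"], "duplicate document number"))
        elif not header["first_doc"] <= tx["doc"] <= header["last_doc"]:
            exceptions.append((tx["doc"], "document number outside batch range"))
        elif not 0 < tx["amount"] <= reasonable_max:
            exceptions.append((tx["doc"], "amount fails reasonableness test"))
        else:
            seen.add(tx["doc"])
            accepted.append(tx)

    # Sequence check on the pre-numbered range: any number not accepted is
    # reported as missing from the batch.
    for doc in range(header["first_doc"], header["last_doc"] + 1):
        if doc not in seen:
            exceptions.append((doc, "document number missing from batch"))

    # Control-total reconciliation against the header (count and amount).
    total = round(sum(tx["amount"] for tx in accepted), 2)
    if len(accepted) != header["count"]:
        exceptions.append((None, f"record count {len(accepted)} != {header['count']}"))
    if total != header["amount_total"]:
        exceptions.append((None, f"amount total {total:.2f} != {header['amount_total']:.2f}"))
    return accepted, exceptions
```

The duplicate and the gap are independent findings: the duplicate is caught as it is keyed, while the gap only surfaces when the accepted set is compared with the issued number range, which is why both the sequence check and the control totals are needed.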

  • Output control objectives:

    - Assurance that the results of input and processing are output
    - Output is available only to authorized personnel

    The most important output control is review of the data for reasonableness.

  • Output controls could include:

    - Complete audit trail
    - Output distribution logs
    - Output reports

  • References:

    - Global Technology Audit Guide – Information Technology Controls. D. Richards, A. Oliphant, C. LeGrand
    - Five Questions to Ask About Information Technology Controls and Security – Berry Dunn: http://consulting.berrydunn.com/content/five-questions-ask-about-information-technology-controls-and-security
    - Information Technology Audit – General Principles: http://www.intosaiitaudit.org/india_generalprinciples.pdf
    - Auditor's Guide to Information Systems Auditing – Richard Cascarino
    - Information Technology General Control Considerations and Implications – Clifton Gunderson
    - IT For Non-IT Auditors – Matt Hicks, UCOP
