Strengthening Technology Controls to Prevent Fraud

Brad BelcherSystems Analyst & Hardware Technician

Jeff Brandenburg, CPA, CFEClifton Gunderson LLP

2

General Controls (ITGC)

• Ensure reliability of data generated by IT systems and support assertion that systems operate as intended and that output is reliable.

• Control environment – controls designed to shape the corporate culture or “tone at the top”

• Change management procedures – controls designed to ensure changes meet business requirements and are authorized

• Source code/document version control procedures – controls designed to protect the integrity of program code

3

General Controls (ITGC)

• Software development life cycle standards – controls designed to ensure IT projects are effectively managed

• Security policies, standards and processes – controls designed to secure access based on business need

• Incident management policies and procedures – controls designed to address operational processing errors

• Technical support policies and procedures – policies to help users perform more efficiently and report

4

Application Controls (ITAC)

Performed automatically by the system and designed to ensure the complete and accurate processing of data. May also ensure privacy and security of data transmitted between applications.

5

Application Controls (ITAC)

– Completeness checks – controls that ensure all records were processed from initiation to completion

– Validity checks – controls that ensure only valid data is input or processed

– Identification – controls that ensure all users are uniquely and irrefutably identified

– Authentication – controls that provide an authentication mechanism in the application system

6

Application Controls (ITAC)

– Authorization – controls that ensure only approved business users have access to the application system

– Problem management – controls that ensure all application problems are recorded and managed in a timely manner

– Change management – controls that ensure all changes on production environment are implemented with preserved data integrity.

– Input controls – controls that ensure data integrity fed from upstream sources into the application system

7

Specific Applications

Accounts Receivable– Limit those who can credit accounts

– New account set-ups

– Payment application

– Exception reports

8

Specific Applications

Inventory– Limit those who can process

adjustments

– Exception reports

– Set controls to identify problems when entered

9

Specific Applications

Accounts Payable– Limit access

– Restrict new vendor set-up

– Create exception reports

• Check gaps

• Vendor payment limits

• Vendor check activity

10

Specific Applications

Payroll– Limit access

– Employee hires

– Employee terminations – get them out!

– Pay ranges

– Activity reports

11

Specific Applications

General– Limit journal entry authorization and track who

makes them– Limit system access and create “roadmap” of who

can do what– Monitor who is accessing what– Internet/computer/cell phone policies

– Monitor and enforce– Consider risks associated with “Keys to the

Kingdom”

12

Contact

Brad BelcherAgVantage Software

Rochester, Minnesota877.282.6353

Jeff Brandenburg, CPA, CFEClifton Gunderson LLPMiddleton, Wisconsin

608.662.8667Jeff.Brandenburg@cliftoncpa.com