Maher Duessel Not for Profit Training July Agenda

Transcription

1 Maher Duessel Not for Profit Training July 2018 Agenda Review of ITGCs Review of IT Checklist Other Security Issues Questions 2 1

2 Review of General Computer Controls 3 ITGC What is that? Information Technology General Controls: Logical access controls System development lifecycle controls Program change management Data Center Physical and Logical security System and data backup and recovery controls Computer Operation Controls.and sometimes IT entity level controls 4 2

3 Why does it matter? SAS No (the risk based standards) specifically requires ITGC to be addressed ITGC weaknesses have the potential to increase the risk of material misstatement No opinion is provided on ITGC Cannot rely on IT systems or data without effective IT controls 5 Logical Access Controls Only authorized persons have access to the system(s) and they can only perform specifically authorized functions Segregation of incompatible duties exists within logical access (access to assets vs. access to accounting records) For most organizations, lack of logical access controls can result in control weaknesses that require reporting 6 3

4 System Development Lifecycle Controls Describes the process to plan, create, test, and deploy an information system Details include preliminary analysis, systems analysis and requirements, systems design, development, integration and testing, acceptance and installation, maintenance, evaluation, and disposal Generally applies to software developed in house and not necessarily relevant to purchased software, but could apply to spreadsheets 7 Program Change Management Changes to software and spreadsheets are authorized including upgrades, patches, and configuration changes Changes are tested Changes are approved Changes are monitored Segregation of incompatible duties exists (person making the change shouldn t approve the change) Lack of proper controls in this area could result in errors and reportable control weaknesses 8 4

5 Data Center Physical Security Typically in reference to server/computer room and data storage facility: Access only to appropriate IT staff Appropriate/ redundant power and cooling Appropriate fire prevention mechanism 9 System and data backup and recovery controls Backing up data requires copying and archiving computer data so that it is accessible in case of data deletion or corruption ransom Consider that data backup cannot always restore all of a system s data and settings. Servers may need additional forms of disaster recovery If you depend on being online all the time for ticket sales, registration, etc., lack of adequate backup systems could result in reportable control weaknesses 10 5

6 Computer Operation Controls System startup procedures Emergency procedures System shutdown procedures System and job status reporting instructions Instructions re: console messages Copies of system flowcharts Maintenance of operating logs Logs may be necessary audit documentation that should be retained 11 Review of IT Checklist 12 6

7 IT Service Provider IT Service Provider 1. Does the entity have an in-house IT person, or are IT services contracted? Who, or what company? 1a. If IT services are contracted, is there an agreement in place for the services to be provided, and what would happen to any data maintained or services supported by the contracted service provider if the relationship were to end? Do contracts include Cloud Services? Get a SOC2 Report Suggested procedure: If the client has a contract with significant IT services (i.e., outsources IT functions for security and back up), obtain a copy of the contract and review to verify that services outlined in this checklist are provided by the contractor. Pull the contract into the perm file. 13 IT Service Provider (1. and 1a.) What is important about these questions/what are we looking for? 1. Not specific ITGC, but provides an understanding of who is responsible for elements of the ITGC 2. We want to make certain that the vendor you are using has the correct understanding about the items contracted. For example, you think a vendor is updating your virus protection, but they think they were only hired to do initial installation 3. We want to ensure the contract allows you ongoing access to your data. Cloud Services? Get a SOC2 Report 14 7

8 Accounting Software ACCOUNTING SOFTWARE 2. Major accounting (and/or billing, membership, donor related) software used: Note that QuickBooks and Peachtree are typically not part of a complex IT environment, but most other software types are complex and Question #11 (#12 for Gov. Binder) at A Scoping should be answered " Yes." 3. Was this software purchased from a vendor, or created "in-house"? If it is "in-house," who created the software, and who has current access to the software code? System Development and Change Controls 4. Who determines the level of software access that a particular user will receive? 15 Accounting Software (2. 3. and 4.) What is important about these questions/what are we looking for? 1. We are looking for a complete list of any software that is part of recording entries or completing financial statements 2. We want to understand any custom/aspects of the software (including spreadsheets) you are using 3. We want to make certain the right person determines who has access to each item 16 8

9 Accounting Software 5. Are user rights within the software documented, such as who has rights to what areas of the accounting system (ex: A/R, A/P, GL, printing checks)? 6. Please list all employees/positions with access to the accounting software ( including billing, membership, and donor software), and whether or not that access is restricted at any level: Name and/or position Restriction level (full access, limited to AR/AP/HR/Payroll functions, etc.) Logical Access Controls Suggested procedure: Verify access controls via review of access levels onscreen with the Software Administrator or via review of access levels via printout. Verify there are no potential segregation of duties issues. Access to certain modules should be limited to their performed duties - cross-reference to the Internal Controls Narrative in the B-series. Also, be sure to document user access to other financial applications that are material to the financial statements (i.e., billing software that is separate from the financial accounting software). Investigate any Administrative, Guest, or similar user accounts for propriety. 17 Accounting Software (5. and 6.) What is important about these questions/what are we looking for? 1. We are going to match the responses here to what is in the software 2. We are going to test for appropriate logical access controls/ segregation of duties 18 9

10 Appropriate Access Controls No shared passwords or logins Consider an agreement if third party vendor has access ( HIPPA?) Guest passwords should be temporary and only when on site with appropriate limits IT shouldn t be able to approve accounting transactions Accounting shouldn t have admin level IT access What if we have to combine admin and accounting = keep a log so someone can review it and use different passwords for accounting vs. admin function (Admin can stop logging events, change passwords, give people access) Same issues as in a paper system 19 Accounting Software 7. Is any financial reporting information (for example, Excel spreadsheets that detail fixed assets, loans information, etc.) maintained outside the accounting/ accounting related software, on the network? If so, is access to these folders/spreadsheets restricted at any level? Logical Access Controls Suggested procedure (Note: only for spreadsheets maintained out of the accounting system that have a material impact on the financial statements and where there is a risk of spreadsheet alteration by an unauthorized user): Observe where the spreadsheet is saved and verify user access. If access is not restricted, are there compensating controls in place that would detect significant alterations to the spreadsheet? 8. How is file and folder access determined on the network servers, and who defines who has access to what? Has a recent evaluation been performed of the access levels provided to various employees? Logical Access Controls 20 10

11 Accounting Software 9. Are logins and passwords used to access both computer terminals and the accounting software? If so, is the password sufficiently complex and required to be changed at intervals based on assessed level of risk? Logical Access Controls Suggested procedures: Observe a person without access to the accounting system attempt to log in and observe a person with access to the accounting system attempt to log in with the incorrect password. If the client asserts that the accounting system automatically changes passwords periodically, observe the Administrator pull up the specific property in the system to verify that automatic passwords are taking place. 10. Who maintains the master information for all user names and passwords, both with the network, and with the accounting software program? Logical Access Controls 21 Accounting Software (9. and 10.) NIST provides current guidance on best practice for passwords Recommend phrases of 16 characters Change when there is a breach or event No repeat passwords Lock out after certain number of attempts Policy should be developed based on risk No longer mandatory change of passwords at specific intervals 22 11

12 Accounting Software 11. What approvals are required for new, changed, or terminated passwords? 12. Is there a written acceptable usage policy that users must sign (network, , Internet usage, etc.), and can this be provided for our review? Are all employees required to sign at employment, or yearly, etc.? Entity Level Controls 13. What is the procedure for disabling and removing user accounts from the network as it relates to termination of employment? 23 Disaster Contingency DISASTER CONTINGENCY 14. Does a formal disaster contingency plan exist? Consider inquiring about whether Cybersecurity insurance has been purchased as part of the plan. System and data backup and recovery controls 15. Is the disaster contingency plan tested on a regular basis? If yes, please explain how frequently. Can it be provided for review? More than just doing backups 24 12

13 Disaster Contingency (14. and 15.) Components of a disaster contingency plan: Communication plan and role assignments Plan for equipment (protect/replace) Data continuity system what do you need to be able to operate and related logistics Backup check Inventory of workstations, software, scanners, etc., needed on a daily basis (might include photos) Vendor communication and service restoration plan 25 Backups BACKUPS 16. How often are server backups performed (daily, weekly, etc.), and who performs the backup? Is this backup file saved onsite, offsite, or online? When was the last time the backup was tested to ensure it was functioning as intended? System and data backup and recovery controls 17. If you use an online backup software/service, what is the software/service? Have you ever tested the service to ensure all necessary items that are expected to be backed up actually are being backed up? If so when/how often? 18. What would happen to old backup versions if you stop using the backup software/service - can they be downloaded/still accessed, etc. Could they be transferred to another service provider? 26 13

14 Backups ( and 18.) We want to make certain that backups of crucial data are occurring We want to make certain that backup files are accessible and usable when needed 27 Backups 19. Is there a backup solely for the accounting/ accounting related systems (other than the server backup)? Is this an onsite/offsite/online backup? 20. How are files on individual computers backed up (such as Excel spreadsheets)? 28 14

15 Security SECURITY 21. Describe the physical security of the data center (i.e., server/server room), including how access is gained (physical key, fob, door code, etc.), and who determines access. Is there a procedure in place in the event a key is lost, or if a code is used: Data Center Physical security 22. Are Anti-malware systems (Norton, McAfee, etc.) in place? How is the software updated and how often? Who handles any issues that arise? Data Center Logical Access controls and Computer Operation Controls- virus protection 23. Are controls over perimeter and network security in place? Such controls may include firewalls, routers, terminal service devices, wireless security, intrusion detection, and vulnerability assessments and encrypting data, where appropriate. Data Center Logical Access 29 Perimeter Security What resources need to be protected Servers, workstations websites Credit cards, PII, HIPPA, financial data Who are you protecting them against Outside attacker servers/website Inside attacker What are your business needs Cost Website needed for daily transactions? 30 15

16 Perimeter 31 Security Basics Firewall a physical device or set of related programs located at a network gateway server that protects the resources of the network from outside users (Strainer). Needs to be configured and password Router a networking device that forwards data packets between computer networks (Traffic Cop). Needs to be properly configured with appropriate password protection Terminal Service Devices hardware device or server that provides terminals (PCs, printers) with a common connection point to a network 32 16

17 Current News During May 2018, the FBI made an urgent request for anyone using internet routers to turn them off and back on again. The FBI was attempting to thwart a sophisticated malware system linked to Russia. 33 Other Security Issues Intrusion detection Intrusion Prevention Vulnerability assessments identifying quantifying, and prioritizing system vulnerabilities Penetration testing Try to exploit any weaknesses (hack in) These items are important, especially if reliant on website and/or internet sales 34 17

18 Other Security Issues Wireless (WiFi) security Are you using encryption and authentication procedures? Do you have Guest WiFi and, if so, which systems can be accessed? Cell Phone what if a cell phone is lost? ipads What if ipad is lost? Privacy issues? Remote Access VPN or Virtual Network Secure encrypted access to an organization s network via internet 35 Other Security Issues Encryption do you have PII or HIPPA issues? Policy do you have an employee policy regarding data? Training do you train your staff about risks of clicking on s, downloading items? Phishing attempts do you practice phishing inhouse to determine compliance with policies? 36 18

19 Evaluation Evaluation Note that a "NO" answer above does not necessarily mean a comment needs carried to A-09 as a potential ML comment, or to A-08-6 as a risk. It is important that the answers to all of the above questions be evaluated in the aggregate, along with activity controls at other B narratives. A client could have four "NO" answers above, but all of these could be mitigated by controls noted at the other B narratives. If this is the case, it is recommended that the reasoning be documented at this wp. A different client could have a single NO" answer above, but due to a lack of other controls, that single "NO" answer would be significant in evaluating internal controls. IT controls are deemed adequate based upon the size and nature of the client. IT controls have deficiencies as noted above, and carried to A-09. However, these items are considered advisory in nature, and are not deemed to be major deficiencies of the system. IT controls have deficiencies as noted above, and carried to A-09. These items are considered to be deficiencies within the system, and have been carried to the A wp as a risk, and will be responded to at that wp. 37 Questions? Contact Me! Lisa Ritter, CPA, CFE, CITP 3003 North Front Street Suite 101 Harrisburg, PA Lritter@md cpas.com Pittsburgh Harrisburg Butler State College Erie Lancaster cpas.com 38 19