IT General Controls and Why We Need Them - Dennis McLaughlin, CISA (Cyber AIT)


Agenda
- Background
- ICOFR need for IT General Controls
- IT General Control Areas
- Financial Process Example
- Project Governance
- Manage Security
- Manage Change
- Manage Data
- Manage Operations
- Manage Incidents
- Wrap-up

Background
- 25 years experience in IT: Field Service, Software Engineer, SAP Configuration, Project Manager, IT Auditor, College Instructor, Cyber Security Engineer, IT Audit Manager
- Boise State University, BBA Computer Information Systems
- Certified Information Systems Auditor since 2004; ISACA Boise Board of Directors
- IT Audit / Cyber Security experience:
  - Micron Technology (IT Audit, SOX year one design and testing)
  - Albertsons (Cyber Security Engineer, Internal Audit Liaison)
  - SUPERVALU (IT Audit / IT SOX Manager, External Audit Liaison, Cyber Security Liaison)
  - Lamb Weston (IT Audit Manager) - current
  - Owner, CyberAIT (Architect, Investigate, Train) consulting

ICOFR need for IT General Controls
- Frameworks are used to meet responsibilities under SOX to maintain a system of Internal Control over Financial Reporting (ICOFR).
- The COSO Framework is used by most enterprises.
- COBIT (in conjunction with COSO) can be used to provide the assessment and improvement of IT internal control practices of an enterprise.
- IT General Controls are controls that are a part of IT processes, provide a stable operating environment and enhance the effective operation of application controls.
- ITGCs are the foundation of the Financial and Operational Controls used for SOX assessments.
- Control layers shown on the slide diagram: Entity Level Controls; Financial Controls; Operational Controls; IT General Controls.
Source: ISACA, Relating the COSO Internal Control Integrated Framework and COBIT, USA, 2014, www.isaca.org/knowledge-center/research/researchdeliverables/pages/relating-the-cosointernal-Control-Integrated-Framework-and-COBIT.aspx

IT General Control Areas
- Project Governance: Policies, Projects for Creation / Acquisition of Systems, SDLC Process
- Manage Security: Policies, Passwords, Developer Access to Production, Access Reviews, SOD
- Manage Data: Policies, Backup Configuration, Backup Execution, Offsite Storage, Restoration, Backup Tool Access Reviews
- Manage Change: Policies, Change Approval, Change Testing, Change Deployment, Change Validation, Change Management Tool Access Reviews
- Manage Operations: Policies, Schedule Exceptions, Schedule Changes, Physical Security of Data Centers
- Manage Incidents: Policies, Incident Tracking, Emergency Changes

Financial Process Example
- Let's take a common financial transaction: the Electronic Journal Entry.
- According to the PCAOB, the financial control testing would need to cover the nature, timing, and extent of the testing of journal entries and other adjustments.
- During our review of the IT General Controls foundation, we will explore how the Electronic Journal Entry is supported by the different IT General Control areas.

Project Governance
- Policies: PMO, SDLC
- Projects for Creation / Acquisition of Systems
  - Official Project Identification Tasks (Suggest, Research, Approve, Plan, Execute, Deploy)
  - Capital Approval Board (CAB)
  - Approval Gates (Approve, Plan, Execute (Design, Build, Test), Deploy)
- Software Development Life Cycle Process
  - Established SDLC process
  - Required Artifacts for: Design Process, Requirements Gathering, Architecture Specifications, Security Review
- Journal Entry Support
  - If a GL Application upgrade is needed, the project would need PMO approval.
  - Project Artifacts would need to be created to support the project.
  - Approval Gates for each stage of the project should direct the project progress.

Manage Security
- Policies: IT Security Policy, Acceptable Use Policy, Mobile Device Management Policy
- Passwords: Password Configuration and Review (based on the password requirements in the IT Security Policy)
- Developer Access to Production: Monitoring of developer update access to production systems
- Journal Entry Support
  - Single Sign On (SSO) passwords for GL Accountants' network access
  - Passwords on the servers/systems that house the GL Application
  - Passwords on the GL Application itself (if not controlled by SSO)
  - GL Application Developers should not have update access to the GL Application Servers or Databases

Manage Security (cont.)
- Access Provisioning
  - Network / Active Directory Request and Approval
  - Server / System Access Request and Approval
  - Application Access Request and Approval
- Access Reviews
  - Functional / System Account Reviews
  - Elevated Access Reviews
  - Application Access Reviews
  - SOX Dependent Tool Access Reviews
- Journal Entry Support
  - Access requests to GL Application servers/systems and the GL Application itself
  - Access reviews of the GL Application servers/systems and the GL Application itself
  - Access reviews of the applications used for provisioning and access reviews, if applicable (e.g., SailPoint)

Manage Security (cont.)
- Segregation of Duties in SOX Applications: Segregation of Duties Matrix
- Access Terminations (dependent on feed from HR)
  - Network / Active Directory Access
  - Server / System Access
  - Application Access
- Journal Entry Support
  - GL Application SOD matrix for the GL Process
  - Removal of GL Finance team members' Active Directory access
  - Removal of access for GL Application Servers / Systems and the GL Application itself
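Two audit tests an IT auditor would run for this slide, as an added example that is not part of the presentation: evaluating an SOD matrix against GL role assignments, and reconciling the HR termination feed against Active Directory and GL access. The role names, the matrix and all user data are constructed.

```python
# Added example (not from the presentation): SOD conflict check and HR-feed
# termination reconciliation over constructed extracts for a GL application.

# Constructed SOD matrix: pairs of GL roles one person must never hold together
SOD_MATRIX = {
    frozenset({"JE_CREATE", "JE_APPROVE"}),
    frozenset({"JE_CREATE", "JE_POST"}),
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}),
}

# Constructed GL access extract: user -> roles held in the GL application
GL_ACCESS = {
    "asmith": {"JE_CREATE", "JE_APPROVE"},   # creates and approves: conflict
    "bjones": {"JE_CREATE"},
    "cdoe": {"JE_APPROVE", "JE_POST"},       # not a forbidden pair in this matrix
}

# Constructed HR feed and Active Directory extract (status per user)
HR_FEED = {"asmith": "ACTIVE", "bjones": "TERMINATED", "cdoe": "ACTIVE"}
AD_ACCOUNTS = {"asmith": "ENABLED", "bjones": "ENABLED", "cdoe": "ENABLED"}


def sod_conflicts(access, matrix):
    """Return {user: [sorted conflicting role pairs]} for users holding both roles of a forbidden pair."""
    findings = {}
    for user, roles in access.items():
        hits = [tuple(sorted(pair)) for pair in matrix if pair <= roles]
        if hits:
            findings[user] = sorted(hits)
    return findings


def terminated_with_access(hr_feed, ad_accounts, gl_access):
    """Return {user: [systems]} for HR-terminated users who still have AD or GL access."""
    findings = {}
    for user, status in hr_feed.items():
        if status != "TERMINATED":
            continue
        residual = []
        if ad_accounts.get(user) == "ENABLED":
            residual.append("AD")
        if gl_access.get(user):
            residual.append("GL")
        if residual:
            findings[user] = residual
    return findings
```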

Manage Data
- Policies: Backup Schedules, Retention Schedule, Data Destruction
- Backup Configuration: Tool configuration by server / system type
- Backup Execution: Management and Monitoring of Backup Execution
- Journal Entry Support
  - Configuration of the backup tools for the GL Application Server and Database
  - Management of the backups of the GL Application Server and Database

Manage Data (cont.)
- Offsite Storage
  - Identification of Offsite Storage for backups
  - Physical Access Reviews of the Offsite Storage Areas
- Restoration: Backup Restoration Validation
- Backup Tool Access Reviews
- Journal Entry Support
  - GL Application server and database backup offsite storage
  - Planned restoration testing of the Server and Database Backups used for the GL Application

Manage Change
- Policies: Change Ticket Requirements
- Change Approval: A change request is created and approved according to policy
- Change Testing: A valid test program is created, executed and approved
- Change Deployment: Approval is obtained before the changes are deployed to production
- Change Validation: Post-deployment validation takes place before releasing to end users
- Change Management Tool Access Reviews

Manage Change (cont.)
- Journal Entry Support
  - A change is needed to update how Journal Entries are entered in the GL Application.
  - A valid change ticket is entered in the ticketing system and is approved before any further action is taken.
  - A testing plan is created and executed during the testing of the change. This testing needs to include User Acceptance Testing and approval of the test results by both the IT team and the Business Owners of the GL Application.
  - Before the deployment to production of the GL Application changes, the final deployment approval needs to be obtained to ensure that all of the expected change requirements are met.
  - After the deployment to production, a member of IT and the GL Management team need to validate the change before releasing the changes to the entire user population.
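The gate sequence on the two Manage Change slides, as an added example that is not part of the presentation: a small change-ticket state machine that refuses to skip a gate and refuses test or validation sign-off that lacks either the IT or the business party. State names, sign-off labels and the ticket ids are assumptions.

```python
# Added example (not from the presentation): change-ticket gates for a GL change.
# Each gate can only be passed from the gate immediately before it.

class GateError(Exception):
    """Raised when a change skips a gate or lacks a required sign-off."""


class ChangeTicket:
    def __init__(self, ticket_id):
        self.ticket_id = ticket_id
        self.state = "CREATED"
        self.evidence = []  # (gate, detail) pairs an auditor can sample later

    def _advance(self, expected, new_state, detail):
        if self.state != expected:
            raise GateError(f"{self.ticket_id}: cannot reach {new_state} from {self.state}")
        self.state = new_state
        self.evidence.append((new_state, detail))

    def approve(self, approver):              # change approval per policy
        self._advance("CREATED", "APPROVED", {"approver": approver})

    def record_testing(self, signoffs):       # UAT approved by IT and business owner
        missing = {"IT", "BUSINESS"} - set(signoffs)
        if missing:
            raise GateError(f"{self.ticket_id}: test sign-off missing from {sorted(missing)}")
        self._advance("APPROVED", "TESTED", {"signoffs": sorted(signoffs)})

    def approve_deployment(self, approver):   # final approval before production
        self._advance("TESTED", "DEPLOY_APPROVED", {"approver": approver})

    def deploy(self, deployer):
        self._advance("DEPLOY_APPROVED", "DEPLOYED", {"deployer": deployer})

    def validate(self, validators):           # post-deployment check by IT and GL management
        missing = {"IT", "GL_MGMT"} - set(validators)
        if missing:
            raise GateError(f"{self.ticket_id}: validation missing from {sorted(missing)}")
        self._advance("DEPLOYED", "VALIDATED", {"validators": sorted(validators)})

    def release(self):                        # release to the full user population
        self._advance("VALIDATED", "RELEASED", {})


def run_compliant_change():
    """Walk one constructed GL change through every gate in order; returns the final state."""
    t = ChangeTicket("CHG-0001")  # constructed ticket id
    t.approve("change.manager")
    t.record_testing(["IT", "BUSINESS"])
    t.approve_deployment("cab")
    t.deploy("release.eng")
    t.validate(["IT", "GL_MGMT"])
    t.release()
    return t.state
```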

Manage Operations
- Policies: Management and Monitoring of scheduled batch jobs
- Schedule Exceptions
  - Batch Job Failure Notification, to include the creation of an Issue Ticket
  - Batch Job Restart
- Schedule Changes: Changes to Scheduled Batch Jobs
- Physical Security of Data Centers
  - Regular review of physical access
  - Review of Vendor Access requests

Manage Operations (cont.)
- Journal Entry Support
  - Batch jobs that post journal entries or create daily reconciliation reports are monitored and restarted when they fail.
  - Schedule changes: a business change that needs to delay or reschedule jobs related to Journal Entries based on project requirements.
  - The data center that houses the GL financial information is adequately protected.

Manage Incidents
- Policies: Incident Creation and Management, Escalation Process
- Incident Tracking
  - Incidents are logged and tracked
  - Incidents are approved for escalation
- Emergency Changes
  - Related to a logged and approved Incident
  - Change documented and approved within a time frame of the emergency fix
  - Post-deployment testing is documented as appropriate

Manage Incidents (cont.)
- Journal Entry Support
  - An incident is reported that Journal Entries are not being routed for approval correctly. Based on the severity and number of people affected, an incident may be declared.
  - If the fix requires a change to production, an Emergency Change ticket needs to be created to track the change to the GL Application.
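An audit test over emergency change records for the two Manage Incidents slides, as an added example that is not part of the presentation: each emergency change must reference a logged and approved incident, be approved within the policy window after the fix, and have post-deployment testing documented. The record layout, the 24-hour window and the sample records are constructed assumptions.

```python
# Added example (not from the presentation): exception report for emergency changes
# against a GL application. Field names, window and records are constructed.
from datetime import datetime, timedelta

DOC_WINDOW = timedelta(hours=24)  # assumed policy: approve within 24h of the emergency fix

# Constructed incident log: incident id -> escalation approval flag
INCIDENTS = {
    "INC-1001": {"approved_for_escalation": True},
    "INC-1002": {"approved_for_escalation": False},
}

# Constructed emergency change records (ISO timestamps)
EMERGENCY_CHANGES = [
    {"id": "ECR-1", "incident": "INC-1001", "fixed_at": "2024-03-01T02:00",
     "approved_at": "2024-03-01T10:00", "post_test": True},   # fully compliant
    {"id": "ECR-2", "incident": "INC-1002", "fixed_at": "2024-03-01T03:00",
     "approved_at": "2024-03-01T05:00", "post_test": True},   # incident never approved
    {"id": "ECR-3", "incident": None, "fixed_at": "2024-03-01T04:00",
     "approved_at": "2024-03-01T06:00", "post_test": True},   # no incident at all
    {"id": "ECR-4", "incident": "INC-1001", "fixed_at": "2024-03-02T02:00",
     "approved_at": "2024-03-04T09:00", "post_test": False},  # late approval, no test
]


def audit_emergency_changes(changes, incidents, window=DOC_WINDOW):
    """Return {change_id: [exception descriptions]} for changes failing any requirement."""
    exceptions = {}
    for ch in changes:
        issues = []
        inc = incidents.get(ch.get("incident")) if ch.get("incident") else None
        if inc is None:
            issues.append("no logged incident")
        elif not inc["approved_for_escalation"]:
            issues.append("incident not approved")
        fixed = datetime.fromisoformat(ch["fixed_at"])
        if ch.get("approved_at") is None:
            issues.append("change not approved")
        elif datetime.fromisoformat(ch["approved_at"]) - fixed > window:
            issues.append("approval outside documentation window")
        if not ch["post_test"]:
            issues.append("post-deployment testing not documented")
        if issues:
            exceptions[ch["id"]] = issues
    return exceptions
```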

Wrap up
- IT General Controls can create a foundation for Finance and Operational Controls:
  - Project Governance
  - Manage Security
  - Manage Data
  - Manage Change
  - Manage Operations
  - Manage Incidents
- Every company / situation is going to be different and will be dependent on the Risk Assessment of Business and IT Processes and in-scope Applications.
- Reference Book: IT Control Objectives for Sarbanes-Oxley Using COBIT 5, 3rd Edition

Questions?
Dennis McLaughlin, CISA
www.linkedin.com/in/dennisamclaughlin