IT General Controls and Why We Need Them
Dennis McLaughlin, CISA (Cyber AIT)

Agenda
- Background
- ICOFR need for IT General Controls
- IT General Control Areas
- Financial Process Example
- Project Governance
- Manage Security
- Manage Change
- Manage Data
- Manage Operations
- Manage Incidents
- Wrap-up

Background
- 25 Years Experience in IT: Field Service, Software Engineer, SAP Configuration, Project Manager, IT Auditor, College Instructor, Cyber Security Engineer, IT Audit Manager
- Boise State University, BBA Computer Information Systems
- Certified Information Systems Auditor since 2004; ISACA Boise Board of Directors
- IT Audit / Cyber Security Experience:
  - Micron Technology (IT Audit, SOX year one design and testing)
  - Albertsons (Cyber Security Engineer, Internal Audit Liaison)
  - SUPERVALU (IT Audit / IT SOX Manager, External Audit Liaison, Cyber Security Liaison)
  - Lamb Weston (IT Audit Manager) - Current
  - Owner, CyberAIT (Architect, Investigate, Train) consulting
ICOFR need for IT General Controls
- Frameworks are used to meet responsibilities under SOX to maintain a system of Internal Control over Financial Reporting (ICOFR).
- The COSO Framework is used by most enterprises.
- COBIT (in conjunction with COSO) can be used to provide the assessment and improvement of IT internal control practices of an enterprise.
- IT General Controls are controls that are a part of IT processes, provide a stable operating environment and enhance the effective operation of application controls.
- ITGCs are the foundation of the Financial and Operational Controls used for SOX assessments.
- Control layers (figure): Entity Level Controls, Financial Controls, Operational Controls, IT General Controls
- Source: ISACA, Relating the COSO Internal Control Integrated Framework and COBIT, USA, 2014, www.isaca.org/knowledge-center/research/researchdeliverables/pages/relating-the-cosointernal-Control-Integrated-Framework-and-COBIT.aspx

IT General Control Areas
- Project Governance: Policies, Projects for Creation / Acquisition of Systems, SDLC Process
- Manage Security: Policies, Passwords, Developer Access to Production, Access Reviews, SOD
- Manage Data: Policies, Backup Configuration, Backup Execution, Offsite Storage, Restoration, Backup Tool Access Reviews
- Manage Change: Policies, Change Approval, Change Testing, Change Deployment, Change Validation, Change Management Tool Access Reviews
- Manage Operations: Policies, Schedule Exceptions, Schedule Changes, Physical Security of Data Centers
- Manage Incidents: Policies, Incident Tracking, Emergency Changes

Financial Process Example
- Let's take a common financial transaction: the Electronic Journal Entry.
- According to the PCAOB, the financial control testing would need to cover the nature, timing, and extent of the testing of journal entries and other adjustments.
- During our review of the IT General Controls foundation, we will explore how the Electronic Journal Entry is supported by the different IT General Control areas.
Project Governance
- Policies: PMO, SDLC
- Projects for Creation / Acquisition of Systems:
  - Official Project Identification
  - Tasks (Suggest, Research, Approve, Plan, Execute, Deploy)
  - Capital Approval Board (CAB)
  - Approval Gates (Approve, Plan, Execute (Design, Build, Test), Deploy)
- Software Development Life Cycle Process:
  - Established SDLC process
  - Required Artifacts for: Design Process, Requirements Gathering, Architecture Specifications, Security Review
- Journal Entry Support:
  - If a GL Application upgrade is needed, the project would need PMO approval.
  - Project Artifacts would need to be created to support the project.
  - Approval Gates for each stage of the project should direct the project progress.

Manage Security
- Policies: IT Security Policy, Acceptable Use Policy, Mobile Device Management Policy
- Passwords: Password Configuration and Review (based on the password requirements in the IT Security Policy)
- Developer Access to Production: Monitoring of developer update access to production systems
- Journal Entry Support:
  - Single Sign On (SSO) passwords for GL Accountants' network access
  - Passwords on the servers/systems that house the GL Application
  - Passwords on the GL Application itself (if not controlled by SSO)
  - GL Application Developers should not have update access to the GL Application Servers or Databases

Manage Security (cont.)
- Access Provisioning:
  - Network / Active Directory Request and Approval
  - Server / System Access Request and Approval
  - Application Access Request and Approval
- Access Reviews:
  - Functional / System Account Reviews
  - Elevated Access Reviews
  - Application Access Reviews
  - SOX Dependent Tool Access Reviews
- Journal Entry Support:
  - Access requests to GL Application servers/systems and the GL Application itself
  - Access reviews of the GL Application servers/systems and the GL Application itself
  - Access reviews of the applications used for provisioning and access reviews, if applicable (e.g., SailPoint)

Manage Security (cont.)
- Segregation of Duties in SOX Applications: Segregation of Duties Matrix
- Access Terminations (dependent on feed from HR):
  - Network / Active Directory Access
  - Server / System Access
  - Application Access
- Journal Entry Support:
  - GL Application SOD matrix for the GL Process
  - Removal of GL Finance team members' Active Directory access
  - Removal of access for GL Application Servers / Systems and the GL Application itself
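One way to run the Manage Security checks above (the SOD matrix for the GL process, developer update access to production, and HR-driven terminations) as a scripted access review. This is an added example, not code from the deck or from any named tool; the role names, conflict rules, users and HR feed are constructed sample data.

```python
# Constructed sample data for an access review of a GL application.
# SOD_MATRIX lists pairs of entitlements that one person must not hold together.
SOD_MATRIX = {
    frozenset({"JE_CREATE", "JE_APPROVE"}): "creates and approves the same journal entry",
    frozenset({"JE_POST", "GL_RECONCILE"}): "posts entries and reconciles the ledger",
    frozenset({"GL_DEVELOPER", "GL_PROD_UPDATE"}): "developer with update access to production",
}

# Entitlements currently assigned per account (as pulled from the application).
USER_ROLES = {
    "alice": {"JE_CREATE"},
    "bob": {"JE_APPROVE", "GL_RECONCILE"},
    "carol": {"JE_CREATE", "JE_APPROVE"},          # SOD conflict
    "dave": {"GL_DEVELOPER", "GL_PROD_UPDATE"},    # developer into production
    "erin": {"JE_POST", "GL_RECONCILE"},           # SOD conflict, also terminated
}

# Constructed HR feed: accounts whose owners have separated from the company.
HR_TERMINATIONS = {"erin"}


def find_sod_conflicts(user_roles, sod_matrix):
    """Return sorted (user, rule) pairs for every account holding a conflicting pair."""
    conflicts = []
    for user, roles in user_roles.items():
        for pair, rule in sod_matrix.items():
            if pair <= roles:          # both entitlements of the pair are present
                conflicts.append((user, rule))
    return sorted(conflicts)


def find_stale_accounts(user_roles, terminated):
    """Return accounts that still hold any entitlement after HR reported a termination."""
    return sorted(u for u, roles in user_roles.items() if u in terminated and roles)


def access_review_findings(user_roles, sod_matrix, terminated):
    """Combine both checks into the list of findings an access review would report."""
    findings = [f"{u}: SOD conflict - {rule}" for u, rule in find_sod_conflicts(user_roles, sod_matrix)]
    findings += [f"{u}: access still active after HR termination" for u in find_stale_accounts(user_roles, terminated)]
    return findings


if __name__ == "__main__":
    for line in access_review_findings(USER_ROLES, SOD_MATRIX, HR_TERMINATIONS):
        print(line)
```

Each finding is something the review owner must either remediate or document as a compensating control.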
Manage Data
- Policies: Backup Schedules, Retention Schedule, Data Destruction
- Backup Configuration: Tool configuration by server / system type
- Backup Execution: Management and Monitoring of Backup Execution
- Journal Entry Support:
  - Configuration of the backup tools for the GL Application Server and Database
  - Management of the backups of the GL Application Server and Database

Manage Data (cont.)
- Offsite Storage:
  - Identification of Offsite Storage for backups
  - Physical Access Reviews of the Offsite Storage Areas
- Restoration: Backup Restoration Validation
- Backup Tool Access Reviews
- Journal Entry Support:
  - GL Application server and database backup offsite storage
  - Planned restoration testing of the Server and Database Backups used for the GL Application

Manage Change
- Policies: Change Ticket Requirements
- Change Approval: A change request is created and approved according to policy
- Change Testing: A valid test program is created, executed and approved
- Change Deployment: Approval is obtained before the changes are deployed to production
- Change Validation: Post-deployment validation takes place before releasing to end users
- Change Management Tool Access Reviews

Manage Change (cont.)
- Journal Entry Support:
  - A change is needed to update how Journal Entries are entered in the GL Application.
  - A valid change ticket is entered in the ticketing system and is approved before any further action is taken.
  - A testing plan is created and executed during the testing of the change. This testing needs to include User Acceptance Testing and approval of the test results by both the IT team and the Business Owners of the GL Application.
  - Before the deployment to production of the GL Application changes, the final deployment approval needs to be obtained to ensure that all of the expected change requirements are made.
  - After the deployment to production, a member of IT and the GL Management team needs to validate the change before releasing the changes to the entire user population.
Manage Operations
- Policies: Management and Monitoring of scheduled batch jobs
- Schedule Exceptions:
  - Batch Job Failure Notification, to include the creation of an Issue Ticket
  - Batch Job Restart
- Schedule Changes: Changes to Scheduled Batch Jobs
- Physical Security of Data Centers:
  - Regular review of physical access
  - Review of Vendor Access requests

Manage Operations (cont.)
- Journal Entry Support:
  - Batch jobs that post journal entries or create daily reconciliation reports are monitored and restarted when they fail.
  - Schedule changes are used when a business change needs to delay or reschedule jobs related to Journal Entries based on project requirements.
  - The data center that houses the GL financial information is adequately protected.

Manage Incidents
- Policies: Incident Creation and Management, Escalation Process
- Incident Tracking:
  - Incidents are logged and tracked
  - Incidents are approved for escalation
- Emergency Changes:
  - Related to a logged and approved Incident
  - Change documented and approved within a time frame of the emergency fix
  - Post-deployment testing is documented as appropriate

Manage Incidents (cont.)
- Journal Entry Support:
  - An incident is reported that Journal Entries are not being routed for approval correctly.
  - Based on the severity and number of people affected, an incident may be declared.
  - If the fix requires a change to production, an Emergency Change ticket needs to be created to track the change to the GL Application.
Wrap-up
- IT General Controls can create a foundation for Finance and Operational Controls:
  - Project Governance
  - Manage Security
  - Manage Data
  - Manage Change
  - Manage Operations
  - Manage Incidents
- Every company / situation is going to be different and will be dependent on the Risk Assessment of Business and IT Processes and in-scope Applications.
- Reference Book: IT Control Objectives for Sarbanes-Oxley Using COBIT 5, 3rd Edition

Questions?
Dennis McLaughlin, CISA
www.linkedin.com/in/dennisamclaughlin