Presenter: Ben Miron September 9, 2008


Understanding IT General Controls
Presenter: Ben Miron
September 9, 2008

Session Objectives
- Understand the IT environment
- Define and identify IT general controls
- Develop an understanding of the IT audit process
- Conduct an IT general controls walkthrough
- Example tests of IT controls
- Conclude and document our results

IT Environment: Understand the IT Environment
Purpose:
- Identify all significant applications and infrastructure
- Relationship between processes and applications
- Relationship between applications and infrastructure
- Indicate where we might want to rely on electronic audit evidence
- Identify areas on which to focus our review

IT Environment (diagram): the IT environment comprises application controls and IT general controls.

IT General Control Approach (COSO / COBIT approach)
Diagram of the COSO cube: objectives on one axis, functions/units on another, and the five components on the third:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

Categories of Controls
Matrix of type of control (manual / automated) against objective of control:
- Objective: prevent or detect misstatement in the financial statements
  - Manual: manual controls
  - Manual relying on IT: IT-dependent manual controls
  - Automated: application controls
- Objective: support the continued functioning of the automated aspects of prevent and detect controls
  - Automated: IT general controls

Effect of ITGC on Application Controls
Effective IT general controls:
- Help make sure that application controls function effectively over time
Ineffective IT general controls:
- Application controls might still operate effectively
- Affects both the financial statement and internal control audit strategy, such as the nature, timing, and extent of tests of application controls

IT General Control Objectives
- Change Management: only appropriately authorized, tested and approved changes are made.
- Logical Access: only authorized persons have access to the system, and they can only perform specifically authorized functions.
- Other IT General Controls (including IT operations): process for determining that IT resources and applications continue to function as intended over time.

Logical Access Controls
- General system security settings are appropriate.
- Password settings are appropriate.
- Access to privileged IT functions is limited to appropriate individuals.
- Access to system resources and utilities is limited to appropriate individuals.
- User access is authorized and appropriately established.
- Physical access to computer hardware is limited to appropriate individuals.
- The logical access process is monitored.
- Segregation of incompatible duties exists within the logical access environment.

Other IT General Controls
- Financial data has been backed up and is recoverable.
- Deviations from scheduled processing are identified and resolved in a timely manner.
- IT operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner.

Manage Change and Logical Access

Manage Change: What is the manage change scope?
- New system implementations (SDLC)
- Upgrade of an existing system
- Addition of new functionality to an existing system
- New or changed interfaces connecting different applications
- Minor enhancements
- Patches to an existing system
- Emergency changes
- Configuration changes

Manage Change Controls
- Changes are authorized.
- Changes are tested.
- Changes are approved.
- Changes are monitored.
- Segregation of incompatible duties exists within the manage change environment.
Example: multiple applications (Meditech, Lawson, PeopleSoft) with different change processes (change process 1, change process 2).

Logical Access Process Components
Logical security is made up of procedures, policies and configurations:
- Procedures: user ID maintenance, system settings maintenance, monitoring, and more
- Policies: security policy, confidentiality policy, data definition policy, policy awareness programs, and more
- Configurations: system configurations, groups and profiles, super users, password settings, segregation of duties, logical access path, and more

Conducting IT General Control Walkthroughs

Walkthroughs: The Purpose
Why do we perform walkthroughs? To confirm:
- Our understanding of the processing procedures
- Our understanding of the relevant controls
- That relevant controls have been placed in operation and are operating effectively
- Our documentation

Walkthroughs: The Methods
Methods of gathering evidence during walkthroughs:
- Inquiring of the client to corroborate our understanding
- Selecting an item over which the controls are designed to operate and inspecting evidence of the operation of the controls on that item
- Examining the client's documentation of the control's design
- Examining reports used to monitor the controls
- Observing whether the process owner or others act upon the results of the controls

Walkthroughs: The Results
- Following our walkthrough, we make a preliminary evaluation of the effectiveness of controls.
- The preliminary evaluation is made for each IT general control.

Tests of Controls

Tests of Controls
Determine whether the controls:
- Operated as we understood they would operate
- Were applied throughout the period of intended reliance
- Were applied on a timely basis
- Encompassed applicable transactions
- Were based on reliable information
- Resulted in the timely correction of any errors identified

Tests of Controls: Nature
What are the different ways we can test controls?
- Inquiry
- Observation
- Inspection
- Re-performance
Inquiry alone does not provide sufficient evidence that the control operated throughout the period of intended reliance.

Tests of Controls: Exceptions
What is an exception? An internal control exception occurs when we find that the control we are testing did not operate as intended. We investigate all internal control exceptions to determine:
- That our understanding is correct
- Their causes and implications
- The potential effects on other audit procedures
- The appropriate reporting to management and the audit committee

Tests of Controls Example: Program Changes
- Program change requests from the business line filter through the Business System Administrator, who determines if the change is valid.
- The request is emailed to IT, and a completed Issue Tracker form is emailed to the email account. The Issue Tracker form lists the requestor's name and details the problem encountered.
- The request is then input into an Access database and assigned a ticket number for tracking purposes.
- Changes to application source code must be done by the vendor. Accordingly, requested changes are input to a web-based application tracker.
- Manager meetings are held bi-weekly to review, update, and prioritize issues.
- Any planned system downtime is communicated to users via email notifications.
- Changes are initially applied in the test environment, where they are validated by both IT and the requestor (CM.2).
- Test documentation is produced and stored with the Change Request Form.
- Approvals for change migrations to production are emailed to the assigned developer by the requestor after successful testing is performed by the requestor and another assigned analyst (CM.3).
- Weekly team meetings are held in which it is determined which changes will be moved into production for that week. Standard, non-code migration changes are moved into production daily.
- The application owner initials all Change Request Forms before migration (CM.4).
- The ticket owner (analyst) is ultimately responsible for making the change and moving it into production by compiling / rebuilding the change in the production environment.
Control IDs referenced on this slide: CM.1, CM.2, CM.3, CM.4.

Tests of Controls Example (cont.): Test Objective and Scope
- Test objective and scope: to verify that changes are authorized, tested and approved by the business prior to implementation to production.
- Test population / source of data: extracted data from [source not shown on the slide]
- Sample selection process: random / haphazard
- Control effective date: January 1, 2008
- Conclusion: effective
Controls tested (all event driven, preventative):
- CM.1: Prior to development, all changes must be authorized by IT and business management.
- CM.2: Changes are applied in the test environment where they are validated by both IT and the requestor.
- CM.3: Approvals for change migrations to production are emailed to the assigned developer by the requestor after successful testing is performed by the requestor and another assigned analyst.
- CM.4: The application owner initials all Change Request Forms before migration.

Tests of Controls Example: Test Matrix
Columns: Item ID, Item Description, Evidence Ref, and one column per control (CM.1, CM.2, CM.3, CM.4).
- 1: Code change 1, evidence ref CM T 01
- 2: Code change 2, evidence ref CM T 02
- 3: Code change 3, evidence ref CM T 03, marked X on the slide

Evaluating Control Deficiencies

Tests of Controls: Evaluate
When we have an exception, we must:
- Consider the results of the tests in relation to our preliminary evaluation of the controls to determine whether it is still appropriate. In some instances, the assessment is no longer appropriate.
- Reconsider our combined risk assessment and our audit approach.

Tests of Controls: Documentation
Should include:
- A detailed description of the specific controls tested
- The procedures used to test the controls
- The number of times each control will be tested
- The method used to select the items tested
- A list of the items tested
- A list of any exceptions, their causes, and implications
- Any changes to our strategy resulting from our tests
We carry this forward in years that we rotate our tests (NA under integrated audit).

Components of a Finding
- Observation
- Standard / leading practice
- Cause
- Business risk / effect
- Recommendation

Summary
- Identify ITGCs in the IT environment
- Document and walk through controls
- Perform tests of controls
- Describe how we evaluate the results of our tests to arrive at a conclusion
- Document test procedures and deficiencies

Questions?

THANK YOU!!!

Appendix - Common IT Definitions

Elements in the IT Infrastructure: Network Elements
- LAN/WAN
- Router
- Switch
- Firewall
- Modem
- Remote Access Server
- Intrusion Detection Devices (IDS)

Common IT Terms
- Operating System: An operating system (OS) is the program that controls the hardware and acts as the intermediary between the application(s) and the hardware. Common OSs are Windows (2000, XP, NT), UNIX, Novell and OS/400.
- Hardware: Hardware is the physical aspect of computers, telecommunications, and other information technology devices.
- Application: An application is any program designed to perform a specific function directly for the user or, in some cases, for another application program.

Common IT Terms (cont.)
- Local Area Network: A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area.
- Wide Area Network: A wide area network (WAN) is a geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure from a LAN.

Common IT Terms (cont.)
- Virtual Private Network: A virtual private network (VPN) is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure, encrypted access to their organization's network.
- Server: A server is a computer program that provides services to other computer programs on the same or other computers (e.g. file server, print server, application server).

Common IT Terms (cont.)
- Remote Access: Remote access is the ability to get access to a computer or a network from a remote location.
- Direct Dial-up: Dial-up pertains to a telephone connection. A dial-up connection is established and maintained for a limited time duration.
- Gateway Server: A gateway is a network point that acts as an entrance to another network.

Common IT Terms (cont.)
- Application Server: An application server is a server program in a computer in a distributed network that provides the business logic for an application program.
- Infrastructure: In information technology and on the Internet, infrastructure is the physical hardware used to interconnect computers and users.
- Firewall: A firewall is a physical device or set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.

Common IT Terms (cont.)
- ERP: ERP (enterprise resource planning) is an industry term for the broad set of activities supported by multi-module application software that helps a manufacturer or other business manage the important parts of its business (e.g. SAP, PeopleSoft).
- Database: A database is a collection of data that is organized so that its contents can easily be accessed, managed, and updated.

Common IT Terms (cont.)
- Backup: The act of storing data from one system to another system or to a form of electronic media (e.g. tape, CD). Backups are generally performed on a regular basis and can be full, incremental, or differential.
- Recovery: The act of applying stored data to a system in order to allow it to resume normal operations.
- UPS: Uninterruptible Power Supply. A battery device that allows the systems on a network to continue operating for a limited time after a power failure. This permits an orderly shutdown of the servers and limits the risk of data loss.

Common IT Terms (cont.)
- Business Continuity Plan: A business-level plan that describes how and where the business will prioritize its recovery from an unforeseen event and how it will restore and continue its operations.
- Disaster Recovery Plan: An IT-level plan that describes how and where the IT department will prioritize the system and network recovery from an unforeseen event and how the department will restore and continue its operations (a Disaster Recovery Plan is part of an overall Business Continuity Plan and the two must be in sync).

Logical Access Path (LAP)
- How individuals get beyond logical security to the desired data
- Designed for the structured assessment of risks and related security measures in complex computer systems
Diagram: the path from User to Data.

Logical Access Path Overview
The path from the user to the data passes through these layers:
- Data communication software: transports data between the components of a network (e.g., end users' terminals) and the system software in the transaction software layer.
- Operating system: a shell that surrounds all system software layers; each piece of software on each of the layers has an interface with the operating system.
- Transaction software: divides the available processing time among the active users and programs; transactions (e.g., a menu option) can be composed of multiple programs.
- Application software: controls within applications aimed at the security of logical data.
- Data access methods: access methods and database management controls that manage which parts of the data the application can access and in what way.
- Data

Logical Access Path (Three Tier)
The same path laid out across three tiers, with the user at the top and the data at the bottom:
- User interface tier: input data from the user and output data to the user, passing through the data communication software and the transaction software, with a central DB buffer.
- Application server tier: the application software and the data access methods, which read the database and update the central DB buffer.
- Database server tier: the main DB, which stores all data and application programs.
The operating system underlies all three tiers.

Where To Find IT Terms & Acronyms
There are multiple web sites on the Internet that can be used to explain IT terms and acronyms. Some good ones are:
- www.whatis.techtarget.com
- www.howstuffworks.com
- www.google.com
Your TSRS co-workers are also a great source for understanding terminology.