Understanding IT General Controls Presenter: Ben Miron September 9, 2008
Session Objectives
- Understand the IT environment
- Define and identify IT general controls
- Develop an understanding of the IT audit process
- Conduct an IT general controls walkthrough
- Example tests of IT controls
- Conclude and document our results
IT Environment: Understand the IT Environment
Purpose:
- Identify all significant applications and infrastructure
- Relationship between processes and applications
- Relationship between applications and infrastructure
- Indicate where we might want to rely on electronic audit evidence
- Identify areas on which to focus our review
IT Environment (diagram): the IT environment comprises Application Controls and IT General Controls.
IT General Control Approach (COSO / COBIT Approach)
The control framework (diagram) is viewed along three dimensions: Objectives, Components, and Functions/Units. The components are:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Categories of Controls
Controls are classified by Type of Control (Manual or Automated) and by Objective of Control:
- Objective: Prevent and Detect Misstatement in the Financial Statements
  - Manual Controls (manual)
  - IT-Dependent Manual Controls (manual, relying on automated processing)
  - Application Controls (automated)
- Objective: Support the Continued Functioning of Automated Aspects of Prevent and Detect Controls
  - IT General Controls
Effect of ITGC on Application Controls
Effective IT general controls:
- Help make sure that application controls function effectively over time
Ineffective IT general controls:
- Application controls might still operate effectively
- Affects both the financial statement and internal control audit strategy, such as the nature, timing, and extent of tests of application controls
IT General Control Objectives
- Change Management: Only appropriately authorized, tested and approved changes are made
- Logical Access: Only authorized persons have access to the system, and they can only perform specifically authorized functions
- Other IT General Controls (including IT operations): Process for determining that IT resources and applications continue to function as intended over time
Logical Access Controls
- General system security settings are appropriate.
- Password settings are appropriate.
- Access to privileged IT functions is limited to appropriate individuals.
- Access to system resources and utilities is limited to appropriate individuals.
- User access is authorized and appropriately established.
- Physical access to computer hardware is limited to appropriate individuals.
- The logical access process is monitored.
- Segregation of incompatible duties exists within the logical access environment.
Other IT General Controls
- Financial data has been backed up and is recoverable.
- Deviations from scheduled processing are identified and resolved in a timely manner.
- IT operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner.
Manage Change and Logical Access
Manage Change
What is the manage change scope?
- New system implementations (SDLC)
- Upgrade of an existing system
- Addition of new functionality to an existing system
- New or changed interfaces connecting different applications
- Minor enhancements
- Patches to an existing system
- Emergency changes
- Configuration changes
Manage Change Controls
- Changes are authorized.
- Changes are tested.
- Changes are approved.
- Changes are monitored.
- Segregation of incompatible duties exists within the manage change environment.
Example (diagram): multiple applications with different change processes, e.g. Meditech (Change Process 1), Lawson (Change Process 2), PeopleSoft.
Logical Access Process
Components:
- User ID maintenance
- System settings maintenance
- Monitoring
- And more
Logical security procedures and policies:
- Security policy
- Confidentiality policy
- Data definition policy
- Policy awareness programs
- And more
Configurations:
- System configurations
- Groups and profiles
- Super users
- Password settings
- Segregation of duties
- Logical access path
- And more
Conducting IT General Control Walkthroughs
Walkthroughs: The Purpose
Why do we perform walkthroughs? To confirm:
- Our understanding of the processing procedures
- Our understanding of the relevant controls
- That relevant controls have been placed in operation and are operating effectively
- Our documentation
Walkthroughs: The Methods
Methods of gathering evidence during walkthroughs:
- Inquiring of the client to corroborate our understanding
- Selecting an item over which the controls are designed to operate and inspecting evidence of the operation of the controls on that item
- Examining the client's documentation of the control's design
- Examining reports used to monitor the controls
- Observing whether the process owner or others act upon the results of the controls
Walkthroughs: The Results
- Following our walkthrough, we make a preliminary evaluation of the effectiveness of controls
- The preliminary evaluation is made for each IT general control
Tests of Controls
Tests of Controls
Determine whether the controls:
- Operated as we understood they would operate
- Were applied throughout the period of intended reliance
- Were applied on a timely basis
- Encompassed applicable transactions
- Were based on reliable information
- Resulted in the timely correction of any errors identified
Tests of Controls: Nature
What are the different ways we can test controls?
- Inquiry
- Observation
- Inspection
- Re-performance
Inquiry alone does not provide sufficient evidence that the control operated throughout the period of intended reliance.
Tests of Controls: Exceptions
What is an exception? An internal control exception occurs when we find that the control we are testing did not operate as intended.
We investigate all internal control exceptions to determine:
- That our understanding is correct
- Their causes and implications
- The potential effects on other audit procedures
- The appropriate reporting to management and the audit committee
Tests of Controls Example: Program Changes
- Program change requests from the business line filter through the Business System Administrator, who determines if the change is valid.
- The requestor emails the request to IT and a completed Issue Tracker form to the email account. The Issue Tracker form lists the requestor's name and details the problem encountered.
- The request is then input into an Access database and assigned a ticket number for tracking purposes.
- Changes to application source code must be done by the vendor. Accordingly, requested changes are input to a web-based application tracker.
- Manager meetings are held bi-weekly to review, update, and prioritize issues.
- Any planned system downtime is communicated to users via email notifications.
- Changes are initially applied in the test environment, where they are validated by both IT and the requestor. Test documentation is produced and stored with the Change Request Form.
- Approvals for change migrations to production are emailed to the assigned developer by the requestor after successful testing is performed by the requestor and another assigned analyst.
- Weekly team meetings are held in which it is determined which changes will be moved into production for that week. Standard, non-code migration changes are moved into production daily.
- The application owner initials all Change Request Forms before migration.
- The ticket owner (analyst) is ultimately responsible for making the change and moving it into production by compiling / rebuilding the change in the production environment.
Controls referenced: CM.1, CM.2, CM.3, CM.4
Tests of Controls Example (cont.)
- Test Objective and Scope: To verify that changes are authorized, tested and approved by the business prior to implementation to production.
- Test Population Source of Data: Extracted data from
- Sample Selection Process: Random / Haphazard
- Control Effective Date: January 1, 2008
- Conclusion: Effective

Control ID | Control Description | Frequency | Type
CM.1 | Prior to development, all changes must be authorized by IT and business management. | Event Driven | Preventative
CM.2 | Changes are applied in the test environment where they are validated by both IT and the requestor. | Event Driven | Preventative
CM.1 | Approvals for change migrations to production are emailed to the assigned developer by the requestor after successful testing is performed by the requestor and another assigned analyst. | Event Driven | Preventative
CM.4 | The application owner initials all Change Request Forms before migration. | Event Driven | Preventative
Tests of Controls Example: Test Matrix
Item ID | Item Description | Evidence Ref | Control IDs tested: CM.1, CM.2, CM.3, CM.4
1 | Code change 1 | CM T 01 |
2 | Code change 2 | CM T 02 |
3 | Code change 3 | CM T 03 | X
Evaluating Control Deficiencies
Tests of Controls: Evaluate
When we have an exception, we must:
- Consider the results of the tests in relation to our preliminary evaluation of the controls to determine whether it is still appropriate. In some instances, the assessment is no longer appropriate.
- Reconsider our combined risk assessment and our audit approach.
Tests of Controls: Documentation
Should include:
- A detailed description of the specific controls tested
- The procedures used to test the controls
- The number of times each control will be tested
- The method used to select the items tested
- A list of the items tested
- A list of any exceptions, their causes, and implications
- Any changes to our strategy resulting from our tests
We carry this forward in years that we rotate our tests (NA under an integrated audit).
Components of a Finding
- Observation
- Standard / Leading Practice
- Cause
- Business Risk / Effect
- Recommendation
Summary
- Identify ITGCs in the IT environment
- Document and walk through controls
- Perform tests of controls
- Describe how we evaluate the results of our tests to arrive at a conclusion
- Document test procedures and deficiencies
Questions?
THANK YOU!!!
Appendix - Common IT Definitions
Elements in the IT Infrastructure
Network elements:
- LAN / WAN
- Router
- Switch
- Firewall
- Modem
- Remote Access Server
- Intrusion Detection Devices (IDS)
Common IT Terms
- Operating System: An operating system (OS) is the program that controls the hardware and acts as the intermediary between the application(s) and the hardware. Common OSs are Windows (2000, XP, NT), UNIX, Novell and OS/400.
- Hardware: Hardware is the physical aspect of computers, telecommunications, and other information technology devices.
- Application: An application is any program designed to perform a specific function directly for the user or, in some cases, for another application program.
Common IT Terms (cont.)
- Local Area Network: A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area.
- Wide Area Network: A wide area network (WAN) is a geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure from a LAN.
Common IT Terms (cont.)
- Virtual Private Network: A virtual private network (VPN) is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure encrypted access to their organization's network.
- Server: A server is a computer program that provides services to other computer programs on the same or other computers (e.g. file server, print server, application server, etc.).
Common IT Terms (cont.)
- Remote Access: Remote access is the ability to get access to a computer or a network from a remote location.
- Direct Dial-up: Dial-up pertains to a telephone connection. A dial-up connection is established and maintained for a limited time duration.
- Gateway Server: A gateway is a network point that acts as an entrance to another network.
Common IT Terms (cont.)
- Application Server: An application server is a server program in a computer in a distributed network that provides the business logic for an application program.
- Infrastructure: In information technology and on the Internet, infrastructure is the physical hardware used to interconnect computers and users.
- Firewall: A firewall is a physical device or set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
Common IT Terms (cont.)
- ERP: ERP (Enterprise Resource Planning) is an industry term for the broad set of activities supported by multi-module application software that helps a manufacturer or other business manage the important parts of its business (e.g. SAP, PeopleSoft, etc.).
- Database: A database is a collection of data that is organized so that its contents can easily be accessed, managed, and updated.
Common IT Terms (cont.)
- Backup: The act of storing data from one system to another system or to a form of electronic media (i.e. tape, CD). Backups are generally performed on a regular basis and can be full, incremental, or differential.
- Recovery: The act of applying stored data to a system in order to allow it to resume normal operations.
- UPS: Uninterruptible Power Supply. A battery device that allows the systems on a network to continue operating for a limited time after a power failure. This permits an orderly shutdown of the servers and limits the risk of data loss.
Common IT Terms (cont.)
- Business Continuity Plan: A business-level plan that describes how and where the business will prioritize its recovery from an unforeseen event and how it will restore and continue its operations.
- Disaster Recovery Plan: An IT-level plan that describes how and where the IT department will prioritize the system and network recovery from an unforeseen event and how the department will restore and continue its operations (a Disaster Recovery Plan is part of an overall Business Continuity Plan and the two must be in sync).
Logical Access Path (LAP)
- How individuals get beyond logical security to the desired data
- Designed for the structured assessment of risks and related security measures in complex computer systems
(Diagram: the path runs from User to Data.)
Logical Access Path Overview
The layers between the User and the Data, and what each does (diagram):
- Data Communication Software: Transports data between the components of a network (e.g., end users' terminals) and system software in the transaction software layer.
- Transaction Software: Divides the available processing time among the active users and programs. Transactions (e.g., a menu option) can be composed of multiple programs.
- Application Software: Controls within applications aimed at the security of logical data.
- Data Access Methods: Access methods and database management controls that manage which parts of the data the application can access and in what way.
- Operating System: A shell that surrounds all system software layers. Each piece of software on each of the layers has an interface with the operating system.
Logical Access Path (Three Tier)
Diagram of the same layers across a three-tier architecture:
- User Interface (User tier): Input data from user; output data to user. Connected through Data Communication Software.
- Application Server: Transaction Software and Application Software, each working against a Central DB Buffer.
- Database Server: Data Access Methods (reading the database and updating the buffer) and the Main DB, which stores all data and application programs.
- The Operating System underlies all tiers; the path ends at the Data.
Where To Find IT Terms & Acronyms
There are multiple web sites on the Internet that can be used to explain IT terms & acronyms. Some good ones are:
- www.whatis.techtarget.com
- www.howstuffworks.com
- www.google.com
Your TSRS co-workers are also a great source for understanding terminology.