Class 4: Information Technology General Controls (ITGCs)

¡Supera tus tareas y exámenes ahora con Quizwiz!

Why do we care about ITGCs

ITGCs are pervasive. ITGCs support the operating effectiveness of application controls. If we rely on controls that utilize system generated information, it is usually necessary to test the ITGCs that support that information

Why are Program Development and Program Changes so Important?

Transaction processing Automated controls and accounting procedures Management reports Data integrity

The database is restricted to only authorized individuals with update/write access.

ITGC

The income, holdings, and activity files transmitted from ABC Bank to System C are monitored for success/failure by the Support Team on a daily basis.

ITGC

What is the Umbrella Effect and how does it pertain to ITGCs?

ITGC controls are like an umbrella that protects the application controls. The holes in the umbrella on the left symbolizes failures in ITGCs. The umbrella on the right symbolizes strong ITGC controls that effectively protect the underlying application controls and financial data.

Mainframe security logs are reviewed daily.

access to programs and data

Databases are monitored to ensure no unauthorized changes occur

Access to Programs and Data

Passwords are required to access the application.

Access to Programs and Data

Requests for new access must be approved by IT and the user's supervisor.

Access to Programs and Data

What are the four ITGC domains?

Access to Programs and Data Program Changes Computer Operations Program Development

Where would you typically associate more risk: Computer Operations or Access to Programs & Data? Why?

Access to Programs & Data While there are higher and lower risk controls in each area, in general, Access to Programs & Data will contain high risk controls. Access to Programs & Data controls often relate to the restricted access of financial data or appropriate segregation of duties. While backing up system data, monitoring job scheduling, and the help desk function are important activities, they are typically farther from the financial data.

Validations exist to ensure data loads from System A to System B have the correct account code and date range, and prevent the recording of duplicate entries.

Application Control

Backups

Applications, data and system software are copied to tape or other storage media Can be full or incremental on any schedule (daily, weekly, etc.) May be rotated off-site on a set schedule Data mirroring is not a substitute for true data backups

Manual reconciliations occur by the Inventory team to validate control totals between the Warehouse Management System the data actually received by the ERP application. Additionally, any errors noted by the Inventory team are placed in a suspense file, which is reviewed by the Accounting group.

Business Process Manual Control

All code changes are tested and approved in the QA environment before they are migrated to production.

ITGC

Changes to scheduled jobs must be approved by a manager in the Accounting department.

Computer Operations

First we evaluate design - are the right controls defined?

Consider frameworks Consider context Consider layers of technology

Application Control Categories

Data integrity controls (Headers/Trailers, Unique Keys - Checksums/Totals/Record Count) Data transfer security controls (Encryption, Restricted Access Data management controls (Audit Trail - Date/Time Stamp, Unique File Names, Archiving) System interface controls (Completeness/Accuracy - Checks to identify missing, inaccurate, or redundant data (inbound and outbound) Validation/reconciliation processes (Tie-Outs, Analytics or spot checks, Exception/Failure Reports)

Layers of the Control Environment (in to out)

Database Application Operating System Network

Network

Definition: A means of transmission of data between two points Key Points The network layer is rarely looked at during a financial audit PwC will perform other procedures around the network such as attack/penetration and wireless audits within advisory

Database

Definition: Mechanism for storing all the application data DB2 - Commonly used on mainframe Oracle - Commonly used for UNIX Sysbase & SQL - Commonly used on Intel-based environments Key Points Risk is that large amounts of data can be changed through DB tools Access to change data directly through the database should be limited as it bypasses many of the financial audit controls

Application

Definition: Software programs that perform business tasks such as accounting, word processing, inventory, payments, etc. Application is the front end interface to the user SAP, PeopleSoft, and TurboTax are examples Key Points Applications developed by the client pose a higher risk Many of the larger clients use ERPs to house their accounting software Though two clients may be running the same ERP or accounting software, there are different risks to consider

Operating System

Definition: The physical machine and the operating system Mainframe - significant processing power to handle high transaction volumes Mid-Range Servers - used for significant volumes but less than mainframe (most popular is AS400) Intel Based Servers - Cluster of multiple servers (such as Windows or UNIX) Key Points Risks are different by platforms

Program development or program changes?

Different thresholds at different organizations. While development most often describes projects to build new functionality, significant changes should be treated with the same rigor as new system development activities.

Backups for the in-scope applications are performed daily, and monitored for success/failure by the Operations group. Any failures are investigated and resolved.

ITGC

Logical security settings for the ERP application are reviewed by the designated data owner on a quarterly basis.

ITGC

On a monthly basis, a log showing all database administrator activity, which is not modifiable by any human, is generated and reviewed by the IT manager.

ITGC

Application Controls

Input data is complete, accurate, and valid Internal processing produces the expected results Data processing accomplishes the desired tasks Output data/reports are complete, accurate, and valid

Four Main Control Testing Techniques (in order from least level of comfort to highest level of comfort)

Inquiry Observation Inspection Reperformance

Problem Management & Resolution

Problem identification Escalation procedures Monitoring

Network Security

Internal and Perimeter Network Security Lower Risk in an audit because it is further from the data. Areas of focus include: Wireless, Internet, E-mail, EDI, EFT, Extranets with business partners, and dial-in. In other words, any connection to the outside world!

What is the difference between the Program Development and Program Changes domain?

It is important to understand how management distinguishes between these domains. Typically, Program Changes will be routine in nature. Program Development will be projects or implementations that require significant manpower or funding.

Physical Security

Lower Risk, Furthest from Data Facility security (all significant locations) through keycard access system Data center security through keycard access system Security on wiring closets, server rooms, other physical network locations Protection of sensitive system documentation

Entity Level Controls Over IT

Operate across the entire IT organization. Reflect the "tone at the top" of the IT management structure. Link IT to corporate entity level controls. Affect the nature, timing, and extent of ITGC testing (e.g. multiple change management processes or no IT ELCs exist)

What is application security?

Policies and procedures to ensure that only authorized individuals have the ability to use applications Security over the use of applications, which may or may not have direct data access Controls around granting, removing, and monitoring application access.

Computer Operations - Examples

Preventative: Batch jobs are configured properly. Detective: Job failures reviewed by management to resolution.

Database Security - Examples

Preventative: Database access to is only granted to DBAs in IT. Detective: The Information Security Department reviews all table updates or deletes weekly. All activity to financially significant tables is reconciled to proper approval from the business.

Physical Security - Examples

Preventative: Doors are secured by magnetic badge systems. Detective: Alerts are sent to security when a breach is detected; these alerts are then followed up.

Network and OS Security - Examples

Preventative: Terminated users are automatically deactivated in AD. Passwords Configurations Detective: Weekly Terminations Review by IT

Application Security - Examples

Preventative: Users are granted roles appropriate to their job function. Detective: Periodic Access Reviews

The IT Director reviews all changes made to production code on a weekly basis.

Program Change

Controls restricting developers from accessing the production code would be included in which domain?

Program Changes

New system developments are designed using the Business Requirements Document.

Program Development

User training is held for all financially significant system implementations.

Program Development

User acceptance testing is required before code is moved to production.

Program change/ program development

External

Security measures are also implemented at the perimeter level to mitigate risks associated with communication needs. Mechanisms: Firewalls, Intrusion Detection Systems

What is Data Security?

Security over databases, data files and/or datasets Controls around direct access to data using special system utilities NOT security over access to data from within an application

Operating System Security

Sensitive accounts (i.e. "sa" account) May have the ability to override controls at the data and application layers (the "sa" account at the unix OS layer could potentially allow access to database or application layer) Includes native security (Windows, UNIX, AS400) or third party tools (Mainframe-RACF or TopSecret)

Application Security

Significant audit impact Potential directly update data, however often there are application layer controls that mitigate risk. Segregation of Duties considerations Access controls are usually well defined in theory, but often difficult to execute at the roles/privilege level.

Data Security

Significant audit impact Potential direct impact to Restricted Access information processing objective DBA access typically well-defined (but direct data access tools and related controls are often less so...)

Internal

The design of the internal network should be based on an assessment of communication needs and risks in the environment. Mechanisms Domains and trust relationships, VLANs and Monitoring tools

Why do we test entity level controls over IT?

They are pervasive and can affect the nature, timing and extent of our ITGC testing.

How should the IT General Controls we test be determined?

Through engagement team discussion and the use of a risk-based, top-down approach. We should only test those controls that support key financial applications and business processes, particularly those that are integral to the continued operating effectiveness of relevant application controls, automated accounting procedures, or information supporting a manual control.

Program Changes objective

To ensure that changes to programs and related infrastructure components are requested, prioritized, performed, tested, and implemented in accordance with management's objectives.

Access to Programs and Data Domain Objective

To ensure that only authorized access is granted to programs and data upon authentication of a user's identity.

Computer Operations Domain Objective

To ensure that production systems are processed completely and accurately in accordance with management's objectives, and that processing problems are identified and resolved completely and accurately to maintain the integrity of financial data.

Program Development objective

To ensure that systems are developed, configured, and implemented to achieve management's objectives.

What is the primary reason that we test ITGCs?

To ensure the continued operating effectiveness of application controls and automated accounting procedures.

Batch Scheduling and Processing

Transactions are gathered and processed at a set time. Often referred to as the "batch cycle" or "critical path." Often runs overnight, but may run several times during a day. Typically managed by a batch scheduling software tool. Manual intervention at various points may be required.

How Do We Choose Which ITGCs to Test?

We only test ITGCs that support financially significant, in-scope systems. System scoping is determined based on the risk and materiality of business processes and related financial statement line items.

What type of questions would you ask of the Change Control Officer for the Program Changes domain?

You might ask some of these questions: How is access to modify production code controlled/restricted from developers? How are changes to system code approved and user acceptance tested?

What type of questions would you ask of the Security Administrator for the Access to Programs & Data domain as part of the audit?

You might ask some of these questions: How is direct access to the underlying databases managed and controlled? How does management ensure that there are no Segregation of Duties conflicts? How is access to each layer of the system (application, OS, database, network, etc) granted and removed?

What type of questions would you ask of the Project Management Office for the Program Development domain?

You might ask this question: How does management ensure that data converted from the old system to the new system is complete, accurate, and valid?

What type of questions would you ask with regards to the Computer Operations domain?

You might ask this question: How does management monitor scheduled jobs for failures? How does management ensure that real-time processing and interfaces maintain the integrity of financial data? How would management recover from a catastrophic system failure?

Terminated personnel's user IDs are disabled within one week of leaving the company.

access to programs and data

Access to Programs and Data controls

application security administration operating system security administration network/connection security administration application logical security operating system logical security network logical security application powerful accounts operating system powerful accounts network powerful accounts database administration direct data access via app/network/OS/util.

Computer Operations controls

batch processing interface processing monitoring of computer processing backups computer centre operations

Batch jobs are monitored for failure daily.

computer operations

Daily backups are performed for all systems.

computer operations

Inquiry

consists of seeking information of knowledgeable persons inside or outside the entity. Inquiry alone does not usually provide sufficient evidence to assess the effectiveness of a control.

in the umbrella effect, the umbrella represents

general controls

Program development controls

initiation, analysis and design construction testing data conversion implementation documentation and training segregation of duties

Reperformance

is the independent execution of procedures or controls that were originally performed as part of the entity's internal control.

Developers do not have access to the production systems.

program change

Field mapping is performed for all data conversion.

program development

Program Change controls

specification and authorization construction testing implementation documentation and training segregation of duties report integrity

Inspection

typically inspection of documentation as evidence of the performance of a control.

Observation

usually consists of looking at a procedure or physical asset.


Conjuntos de estudio relacionados

Chap. 22: peripheral vascular system

View Set

2.02 Mix and Match (Nature of Product Mix)

View Set

New Testament Survey: Chapter 11: John

View Set

Documentation for Health Records

View Set