Class 4: Information Technology General Controls (ITGCs)
Why do we care about ITGCs?
ITGCs are pervasive. ITGCs support the operating effectiveness of application controls. If we rely on controls that utilize system-generated information, it is usually necessary to test the ITGCs that support that information.
Why are Program Development and Program Changes so Important?
Transaction processing
Automated controls and accounting procedures
Management reports
Data integrity
The database is restricted to only authorized individuals with update/write access.
ITGC
The income, holdings, and activity files transmitted from ABC Bank to System C are monitored for success/failure by the Support Team on a daily basis.
ITGC
What is the Umbrella Effect and how does it pertain to ITGCs?
ITGC controls are like an umbrella that protects the application controls. The holes in the umbrella on the left symbolize failures in ITGCs. The umbrella on the right symbolizes strong ITGC controls that effectively protect the underlying application controls and financial data.
Mainframe security logs are reviewed daily.
access to programs and data
Databases are monitored to ensure no unauthorized changes occur
Access to Programs and Data
Passwords are required to access the application.
Access to Programs and Data
Requests for new access must be approved by IT and the user's supervisor.
Access to Programs and Data
What are the four ITGC domains?
Access to Programs and Data
Program Changes
Computer Operations
Program Development
Where would you typically associate more risk: Computer Operations or Access to Programs & Data? Why?
Access to Programs & Data. While there are higher and lower risk controls in each area, in general, Access to Programs & Data will contain high risk controls. Access to Programs & Data controls often relate to the restricted access of financial data or appropriate segregation of duties. While backing up system data, monitoring job scheduling, and the help desk function are important activities, they are typically farther from the financial data.
Validations exist to ensure data loads from System A to System B have the correct account code and date range, and prevent the recording of duplicate entries.
Application Control
Backups
Applications, data and system software are copied to tape or other storage media
Can be full or incremental on any schedule (daily, weekly, etc.)
May be rotated off-site on a set schedule
Data mirroring is not a substitute for true data backups
Manual reconciliations are performed by the Inventory team to validate control totals between the Warehouse Management System and the data actually received by the ERP application. Additionally, any errors noted by the Inventory team are placed in a suspense file, which is reviewed by the Accounting group.
Business Process Manual Control
All code changes are tested and approved in the QA environment before they are migrated to production.
ITGC
Changes to scheduled jobs must be approved by a manager in the Accounting department.
Computer Operations
First we evaluate design: are the right controls defined?
Consider frameworks
Consider context
Consider layers of technology
Application Control Categories
Data integrity controls (Headers/Trailers, Unique Keys, Checksums/Totals/Record Count)
Data transfer security controls (Encryption, Restricted Access)
Data management controls (Audit Trail with Date/Time Stamp, Unique File Names, Archiving)
System interface controls (Completeness/Accuracy: checks to identify missing, inaccurate, or redundant data, inbound and outbound)
Validation/reconciliation processes (Tie-Outs, Analytics or spot checks, Exception/Failure Reports)
Layers of the Control Environment (in to out)
Database
Application
Operating System
Network
Network
Definition: A means of transmission of data between two points
Key Points:
The network layer is rarely looked at during a financial audit
PwC will perform other procedures around the network, such as attack/penetration and wireless audits, within advisory
Database
Definition: Mechanism for storing all the application data
DB2 - Commonly used on mainframe
Oracle - Commonly used for UNIX
Sybase & SQL Server - Commonly used on Intel-based environments
Key Points:
Risk is that large amounts of data can be changed through DB tools
Access to change data directly through the database should be limited, as it bypasses many of the financial audit controls
Application
Definition: Software programs that perform business tasks such as accounting, word processing, inventory, payments, etc.
The application is the front-end interface to the user
SAP, PeopleSoft, and TurboTax are examples
Key Points:
Applications developed by the client pose a higher risk
Many of the larger clients use ERPs to house their accounting software
Though two clients may be running the same ERP or accounting software, there are different risks to consider
Operating System
Definition: The physical machine and the operating system
Mainframe - significant processing power to handle high transaction volumes
Mid-Range Servers - used for significant volumes but less than mainframe (most popular is AS400)
Intel-Based Servers - cluster of multiple servers (such as Windows or UNIX)
Key Points:
Risks are different by platform
Program development or program changes?
Different thresholds at different organizations. While development most often describes projects to build new functionality, significant changes should be treated with the same rigor as new system development activities.
Backups for the in-scope applications are performed daily, and monitored for success/failure by the Operations group. Any failures are investigated and resolved.
ITGC
Logical security settings for the ERP application are reviewed by the designated data owner on a quarterly basis.
ITGC
On a monthly basis, a log showing all database administrator activity, which is not modifiable by any human, is generated and reviewed by the IT manager.
ITGC
Application Controls
Input data is complete, accurate, and valid
Internal processing produces the expected results
Data processing accomplishes the desired tasks
Output data/reports are complete, accurate, and valid
Four Main Control Testing Techniques (in order from least level of comfort to highest level of comfort)
Inquiry
Observation
Inspection
Reperformance
Problem Management & Resolution
Problem identification
Escalation procedures
Monitoring
Network Security
Internal and Perimeter Network Security. Lower risk in an audit because it is further from the data. Areas of focus include: wireless, Internet, e-mail, EDI, EFT, extranets with business partners, and dial-in. In other words, any connection to the outside world!
What is the difference between the Program Development and Program Changes domain?
It is important to understand how management distinguishes between these domains. Typically, Program Changes will be routine in nature. Program Development will be projects or implementations that require significant manpower or funding.
Physical Security
Lower Risk, Furthest from Data
Facility security (all significant locations) through keycard access system
Data center security through keycard access system
Security on wiring closets, server rooms, other physical network locations
Protection of sensitive system documentation
Entity Level Controls Over IT
Operate across the entire IT organization.
Reflect the "tone at the top" of the IT management structure.
Link IT to corporate entity level controls.
Affect the nature, timing, and extent of ITGC testing (e.g. multiple change management processes or no IT ELCs exist).
What is application security?
Policies and procedures to ensure that only authorized individuals have the ability to use applications
Security over the use of applications, which may or may not have direct data access
Controls around granting, removing, and monitoring application access
Computer Operations - Examples
Preventative: Batch jobs are configured properly. Detective: Job failures reviewed by management to resolution.
Database Security - Examples
Preventative: Database access is only granted to DBAs in IT. Detective: The Information Security Department reviews all table updates or deletes weekly. All activity to financially significant tables is reconciled to proper approval from the business.
Physical Security - Examples
Preventative: Doors are secured by magnetic badge systems. Detective: Alerts are sent to security when a breach is detected; these alerts are then followed up.
Network and OS Security - Examples
Preventative: Terminated users are automatically deactivated in AD; password configurations. Detective: Weekly terminations review by IT.
Application Security - Examples
Preventative: Users are granted roles appropriate to their job function. Detective: Periodic Access Reviews
The IT Director reviews all changes made to production code on a weekly basis.
Program Change
Controls restricting developers from accessing the production code would be included in which domain?
Program Changes
New system developments are designed using the Business Requirements Document.
Program Development
User training is held for all financially significant system implementations.
Program Development
User acceptance testing is required before code is moved to production.
Program Change / Program Development
External
Security measures are also implemented at the perimeter level to mitigate risks associated with communication needs. Mechanisms: Firewalls, Intrusion Detection Systems
What is Data Security?
Security over databases, data files and/or datasets
Controls around direct access to data using special system utilities
NOT security over access to data from within an application
Operating System Security
Sensitive accounts (e.g. the "sa" account)
May have the ability to override controls at the data and application layers (the "sa" account at the UNIX OS layer could potentially allow access to the database or application layer)
Includes native security (Windows, UNIX, AS400) or third-party tools (Mainframe RACF or TopSecret)
Application Security
Significant audit impact
Potential to directly update data; however, often there are application layer controls that mitigate risk
Segregation of Duties considerations
Access controls are usually well defined in theory, but often difficult to execute at the roles/privilege level
Data Security
Significant audit impact
Potential direct impact to the Restricted Access information processing objective
DBA access typically well-defined (but direct data access tools and related controls are often less so...)
Internal
The design of the internal network should be based on an assessment of communication needs and risks in the environment. Mechanisms: domains and trust relationships, VLANs, and monitoring tools.
Why do we test entity level controls over IT?
They are pervasive and can affect the nature, timing and extent of our ITGC testing.
How should the IT General Controls we test be determined?
Through engagement team discussion and the use of a risk-based, top-down approach. We should only test those controls that support key financial applications and business processes, particularly those that are integral to the continued operating effectiveness of relevant application controls, automated accounting procedures, or information supporting a manual control.
Program Changes objective
To ensure that changes to programs and related infrastructure components are requested, prioritized, performed, tested, and implemented in accordance with management's objectives.
Access to Programs and Data Domain Objective
To ensure that only authorized access is granted to programs and data upon authentication of a user's identity.
Computer Operations Domain Objective
To ensure that production systems are processed completely and accurately in accordance with management's objectives, and that processing problems are identified and resolved completely and accurately to maintain the integrity of financial data.
Program Development objective
To ensure that systems are developed, configured, and implemented to achieve management's objectives.
What is the primary reason that we test ITGCs?
To ensure the continued operating effectiveness of application controls and automated accounting procedures.
Batch Scheduling and Processing
Transactions are gathered and processed at a set time. Often referred to as the "batch cycle" or "critical path." Often runs overnight, but may run several times during a day. Typically managed by a batch scheduling software tool. Manual intervention at various points may be required.
How Do We Choose Which ITGCs to Test?
We only test ITGCs that support financially significant, in-scope systems. System scoping is determined based on the risk and materiality of business processes and related financial statement line items.
What type of questions would you ask of the Change Control Officer for the Program Changes domain?
You might ask some of these questions: How is access to modify production code controlled/restricted from developers? How are changes to system code approved and user acceptance tested?
What type of questions would you ask of the Security Administrator for the Access to Programs & Data domain as part of the audit?
You might ask some of these questions: How is direct access to the underlying databases managed and controlled? How does management ensure that there are no Segregation of Duties conflicts? How is access to each layer of the system (application, OS, database, network, etc.) granted and removed?
What type of questions would you ask of the Project Management Office for the Program Development domain?
You might ask this question: How does management ensure that data converted from the old system to the new system is complete, accurate, and valid?
What type of questions would you ask with regards to the Computer Operations domain?
You might ask some of these questions: How does management monitor scheduled jobs for failures? How does management ensure that real-time processing and interfaces maintain the integrity of financial data? How would management recover from a catastrophic system failure?
Terminated personnel's user IDs are disabled within one week of leaving the company.
access to programs and data
Access to Programs and Data controls
application security administration
operating system security administration
network/connection security administration
application logical security
operating system logical security
network logical security
application powerful accounts
operating system powerful accounts
network powerful accounts
database administration
direct data access via app/network/OS/utility
Computer Operations controls
batch processing
interface processing
monitoring of computer processing
backups
computer centre operations
Batch jobs are monitored for failure daily.
computer operations
Daily backups are performed for all systems.
computer operations
Inquiry
consists of seeking information from knowledgeable persons inside or outside the entity. Inquiry alone does not usually provide sufficient evidence to assess the effectiveness of a control.
in the umbrella effect, the umbrella represents
general controls
Program development controls
initiation, analysis and design
construction
testing
data conversion
implementation
documentation and training
segregation of duties
Reperformance
is the independent execution of procedures or controls that were originally performed as part of the entity's internal control.
Developers do not have access to the production systems.
program change
Field mapping is performed for all data conversion.
program development
Program Change controls
specification and authorization
construction
testing
implementation
documentation and training
segregation of duties
report integrity
Inspection
typically inspection of documentation as evidence of the performance of a control.
Observation
usually consists of looking at a procedure or physical asset.