AIS IT Controls/General Controls
ITGC vs App Control
ITGC - The environment ----Could be power coming into room, people joining in room. Anything that could affect app control App Control - The process Processes the data in function
6 Components of ITGC
-Administrative -Logical Security (Access Controls) -Change Control -Network Operations -Physical/Environmental Security -Recovery
IT Governance Management Focus
-Aligning IT Strategy with business strategy -Cascading strategy & goals to enterprise -Providing organizational structure to facilitate implementation of strategy/goals -Insisting that IT control framework to adopted/implemented -Measuring its performance
IT Governance is:
-Aligning IT strategy with business strategy -Insisting that IT control framework be adopted & implemented. ---Need good control ---Gives examples, purpose ---COBIT -Measuring ITs performance
Network
-Allows others to access the database in several locations. -Allows you to share info with customers, vendors, etc. -Ability for your vendors, customers, and employees to access your database
Administrative
-Based on idea of governance/lining vision, structure & ideas of the company with IT. -Taking what company wants and lining it up with what IT people are doing. -Risk Assessment is lined up with IT -Steering Commitee
Physical & Environment (GCC Controls)
-COLO's: Keeping info at a different location, & company will do it for you. Hire someone else to store your data. Want company to have several locations, that mirrors data, in case one goes down. -Security: Mantraps, Biometrics, key cards, cameras -Physical Security: Temperature, humidity, fire, etc.
COLO
-Colocation -Data center facility where businesses can rent space for servers. Don't need to be in own building -Offside, reduces power used, more efficient. Physically secured base, cool down equip. so doesn't overheat/breakdown -Security: Need key card to get in, escort at all times, security guards.
IT Governance Committee
-Committee to help governance of IT -Proper "Tone at the Top"' -Formal process to select, design, & implement IT systems (SDLC) -Who should be on the IT governance committee? -CTO, -CFO, -COO -Someone on ACCTG/FINAN team -IT, Leadership its subjective -Possibly CSO, lawyers, etc.
Logical Controls (GCC Controls)
-Determing who uses what; who can use what, rule-based authentication. -3 Elements of Authentication: ---What you know ---What you have ---What you are
Segregation of Duties (In administration)
-Development -Production -System Administration ----Oversees right people, in right place.
Development (Authorization Seg. of Duties)
-Development are the coders -Building the system, where the coders create codes and system. -Could have someone configure your software. This would replace development process.
Segration of Duties in Change Control
-Different between who authorizes this, tests, approves, etc. -Between who develops, review, tests, etc.
Output Controls
-Email: Confirmation emails to make sure that customer knows whats going on & make sure everything went through -Reports: If there are errors, Going to mess up alof of reports. Financials will be wrong, and count wrong, etc.
Application Audit vs ITGC Audit
ITGC Audit- Deals with the platform & environmental controls (availability and confidentiality) App Audit- Gives assurance to the integrity of the Data & Business process on processing, transmitting & storing data
Small Company (Seg. of Duties)
Authorization Custody Recording
BCP
Business Continuity Plan -Risk Assesment -Test -Refine
Key risks (returns)
Occurance-returns not valid
Hardware
The machine itself
Key Controls Authorization of Transaction
Of order/contract Of credit
Application Control
The software itself
Determination of User Requirements(Systems Analysis Phase of SDLC)
-Get a complete understanding of the system. --Observe --Review Documentation -Inquire --Interviews --Questionnaires
Steering Committee
-Governing Body to help facilitate the IT resources. Could have CEO, etc. -Ability to make decisions, controls over IT, govern them, etc. -Want to make sure IT people are doing what they need to. -Coordinate between business & IT
Company should have what in IT government?
-IT Governance Committee -A formal process to: ---Select ----Detect ---Implement IT systems (SDLC or system development life cycle)
Uninterruptable Power Supply
-If a company's power goes down, there are generators that can be able to run for a long amount of time. -It will keep computer running for the time when primary power is lost.
Example of ITGC & App Control
-Information goes into app as data -App control processes data & creates output -Data--->Application Controls--->Output (Reports)
Network Operations (GCC Control)
-Need to have backups want to make sure information is reviewed & saved. -"Rotate the tapes" Keep offsite so not in same location. -Malware, viruses - Want to make sure you have good software to project from viruses -Backups & Malware/Virus issues
Review of Rights
-Once a quarter, someone sits down and goes over entire organization and asks what others do. What capabilities they have? What access they have? Etc. -Need to check & see if right people have proper rights. Need to make sure people don't have too many rights. See if someone was fired but still has access.
5 components of Effective IT Governance
-Organization & Governance Structure (Putting things in place to make sure its fully operating) -Executive leadership and support (Having CEOs and CFOs behind the structure & make sure things on board with everything. They must buy into operation as well) -Strategic & Operational Planning (On Sublevel, tech management. They need to understand the goals/rules & the vision. Need to find a way to get employees on board with everything.) -Service Delivery & measurement -IT Organization & Risk Management (Stepping Back to say "What could go wrong?" and "where and how is it going to happen?"
Application
-Our accounting system -----Quickbooks -Controls that are put into place
Production (Authorization seg. of duties)
-Production is live. Where it is used. -Where system is implemented and is used. -Needs to be separated from development -Full of the users.
Controls can be baked into an IT system
-Programming environment ---Development -Applications Themselves ---App control -Surrounding Elements ---ITGC -Automated Authorization
IT Governance
-Proper management, control, & use of IT systems -Structure of relationships and processes to Direct & Control enterprise, in order to achieve goals. Done by adding value, while balancing Risk vs Return over IT controls & processes.
System Analysis Report(Systems Analysis Phase of SDLC)
-Report to inform the IT governance committee of the results of the systems: ---Survey ---User needs determination ---BPR
System Admin (seg. of duties)
-Someone who ensures that only the right people have right access. -Need to make sure there are good people in control of segregation of duties; over these two.
Database
-Stores the information from our applications. -Is working together with the application -This is the core of the layers
Special Rights(supervisor)
-Super users, admins, DBA, etc. -Superuser-Controller could set himself up as a super user and could change whatever he likes. ----example: could set up a fake user, make changes and delete after. -Could create & control whatever, would have control over entire system.
System Survey(System Analysis Phase of SDLC)
-Survey done on Current System(Tells us what we need to change.) -Requires collecting data about current system. ---Inputs, Outputs, Processes, Controls, Data Storage, Transaction Volumes, Errors, Inefficiencies
SDLC
-Systems Development Life Cycle -Systematic process to manage the acquisition, design, implementation & use of IT systems. -System Design(Either creating/programming new one, purchasing something already set up -System implementation(Putting system in play) -Operation/Maintenance (Fixing bugs, improvement, finding weakness and reporting issues) -System Planning(Starting planning, whether you want something new or stay where you are) -System analysis
New IT Projects
-Usually starts with controller or executive saying they need something new. Want to change IT process. -IT governance, operations, projects are held together by info security. -If something goes wrong with security its on management since they put it place.
Input Controls
-Want completeness & accuracy -Need to find ----Which controls are working & not ----Controls that bring controls in order. -Field Check -Limit Check -Completeness Check -Reasonableness Check -Edit Check -Ensuring valid customer -Check sum digit -What going in field(numbers, letters, etc.) -Max/min -Can't leave blanks -Is this legit? -Stops with errror(Cannot do UT zip for CA) -Need to create account and password -Actual Card/Valid Payment
3 Elements of Autentication (Logical Controls)
-What you know: ---Username ---Passcode -What you have ---Token-based (Duo mobile) ---Changing passcodes (serial & token RSA) ---Key Fob ---USB Device -What you are ---Biometrics ---Palm Prints ---Retina Scan ---Finger Prints
SOC 1 Report
-Where an independent auditor will go in and test the security for a COLO and will report on it. -Different controls/lack of them.
Admin Rights
-Who can access what -Want to limit amount of admins we have. -Limit who can use what & when.
Processing Controls
-Would say process won't work because input doesn't fully work with errors. -Would stop input & make sure errors are fixed before process continues. -Won't process bad data.
Critical Importance of IT Governance
3 major purposes are served by the continual and proper use of the IT governance committee & SDLC. 1.Strategic Management alignment of the organization. 2.Internal control structure of the organization 3.Monitoring & Follow-up
Change Controls (GCC Controls)
Ability to monitor the control, authorize, test, and approve. Developers are authorized by the steering committee as 1st levels of approval Only can make changes once authorized by the steering committee
Key Controls Documentary Controls
Audit Trail Order Shipping Documents Invoice Sales Journal Cash receipts prelist Deposit Slip AR Subledger GL Bank rec
Key Controls Reconciliation/Analysis/Revie
Bank rec and review Reconcile orders to shipments and review Reconcile shipments to orders and review Analyze dferred revenue Analyze sales volume/trends/gross margin Review revenue reconciliation checklist
What would be a good IT control framework?
COBIT- Control objectives for IT Most effective control framework for IT governance
GCC
Controls we are concerned about, generally in nature. Used to protect the information
Order process
Customer order Pack slip Sales order Credit authorization Pick Ticket Bill of lading Invoice Customer Statements
Revenues and collections model
Cycle process assertion risk controls
Cycle and process
Cycle-putting things into context process-walk through, visual observation of how process is turning and how everything is in system, take a customer through whole process;credit check, authorizing, process, sshipping, posting,etc., done to make sure process is well.
Design Phase
Decide whether to: Buy: Reuqest for Approval(Most Middle market companies buy software and then configure to their needs. Alot of companies will just buy GL Software) Create: Alot of larger, more specific companies need to create new ones to specifically meet their needs. Would be much more diffcult to just use the same as someone else here.
System Conversion or Deployment 4 types ( Systems implementation phase)
Deployment-The process of using the new system and getting rid of the old one. Best ones are pilot or parallel Parallel-Running side by side, phase out eventually Direct cut over - Forget the old buying into new Phase in-Take on module/segment at a time Pilot-Only a gorup of people try it out.
Key Controls Safeguarding assets
Deposits to bank daily use of safes use of lockbox -----customers go straight to bank, then they let you know how much money has been deposited and given to the bank Armed Vehicles Dual controls at mail room Locks on doors
DRP
Disaster Recovery Plan -Hotsite - Data & System are still up and running. People just made a place to go work. Already have COLO, like replication of old site. Data still can start once we arrive. 1-2 days -Warmsite - maybe no data center, have spare sservers offsite. If building gone, desktops destroyed. Idea is "how quickly can we get people working? Site running, server working?" 3 days-week -Cold site-Nothing, no machines, start from scratch. 1 month plus to get up & running
BPR
Doesn't always lead to this buy might. Business Process Reengineering Fundamental rethinking and radical redesign of business process to bring about dramatic improvements in performance. Done after the system survey.
System Design (SDLC)
Either Purchasing or Designing in house.
Certificate Authority
Entity that issues digital certificates They make a public key, that can only be encrypted by a private key. They make this info to be a ble to encrypt and protect them
Assertion
Existence Occurance-Verify that transaction really did occur Completeness-want to make sure all is correct and not that someone hides an entry or pockets cash valuation-gross vs net, make sure estimate of bad debt is done correctly, based on historical data Rights/obligations-rights like selling AR to someone, would no longer be your obligation Presentation/disclosure-Once on financial statements need to be accurate and good. Fairly presented free of error
Key order risks(assertions)
Existence-AR recorded that doesn't exist, customer not authorized Occurance-Revenue recorded that doesn't exist, revenue transaction not authorized, cutoff is not appropriate, improper revenue recognition Completeness-missing AR or Revenue from records Valuation Gross-Invoices prepared for wrong amounts, AR and sales recorded for wrong amount Valuation Net-AR not reduced to NRV, Bad estimate on allowance, Revenue not recorded for discounts, refunds, or allowance Rights-Receivables dont belong to entities, still recorded, even what belonging to others presentation and disclosure-hold for reporting cycle
Key collections risks
Existense-cash recorded fictionally completeness-cash is stolen, cash is applied to wrong customer account lapping-manipulating the system, like mini ponzi scheme, but within a company, done because olack of seg of duties
Evaluation & Selection (system design phase)
Feasibility -Technical -Economical -Operational -Schedule -In most cases, the cost-benefit analysis is the most important of the four tests.
Penetration Study
First start with vulnerability assessment From VA, then jump into hacking the system. They get permission to hack the system to prevent hacking
FOB
Freight on Board or Free on Board --Transfering title from company to customer FOB Shipping-Record whne put on truck and left company FOB Destination-When customer signs for it and it is officially delivered to customer.
Conclusion of GCC/ITGCs
GCC and ITGCS= 1st line of defense Lack of these controls not good Signifcant deficiencies expose other financial processes/applications to significant risks
Vulnerability Assessment
Go around and see where a company is vulnerable and where systems are weak Done to strenghten controls Leads to penetration study
Authorization
Granting credit, signing contract with customer Want diferent person to handle cash CFO, CEO, COO Authorizing sale Authorize someone to take cash to bank Control
Machine (Six components)
Hardware Operating System Application Database Network Internet
ITGC
IT General Control -What is going on around the software -Controls that are designed to make sure the software is protected -Things that could impact the way its working -Anything that could affect app control
System Planning Phase of SDLC
IT Governance committee must monitor the IT system through Geedback about network utilization, security breaches and reports on operation of system. -IT Governance committee should consider: assessment of IT systems and their match to strategic organizational objectives & Feasability of each of the requested modifications or upgrades. -Will test, retest, review & do feasability study
Feasibility Study & 4 aspects of feasibility
IT governanc should evaluate the feasibility of each computing proposal. Feasibility 4 aspects: Techinical(Does technology exist?) Operational(Will it suck up operations? Will it make it so deficient we won't be able to perform?) Economic(Don't have money, can't find this) Schedule(If we don't jump now, won't pass competition but vice versa. Can we do it fast enough?)
Apps created from scratch
IT peeps want to build from ground up You buy package with ability to change it, open up/code, etec. -Give source code -People try to bolt in onto many subsystems. Not as dangerous as source code.
Strategic Management
IT systems must be strategically managed Strat. management is the process of: -Determing strategic Vision for the organization -Developing Long Term Objectives -Creating Strategies that will achieve the vision and objectives -Implementing those strategies
Large Company (Seg. of Duties)
Initiation-Starting, reaching out to customer outside of organization to talk about pricing Authorization-Actually signing contract Processing-Shipping goods, get to customer Recording-Making transaction. Writing down, recording revenue. Custody-Someone receiving check. Someone checking invoices, check if it was received Reconcile-Making sure someone foots and crossfoots Review/Analysis/Approve Want to make sure that most errors and fraud are detected at very beginning. If so, better off repairining errors/fraud
IDS vs IPS
Intrusion Detection System ---Detects when someone is intruding into the system/information Intrustion Protection System ---Learns patterns, overtime, in order to prevent intrusions.
Canned Software
Its already prepacked software Could go wrong since no changes are made to it. Many purchased software are implemented incorrectly.
Importance of IT in AIS
Most financial processing utilizes IT Many software apps are created from scratch(programmed) Many purchased software packages are implemented incorrectly. Changes to software or infrastructure poses risk.
Point of Sale transactions
No credit Cash check or credit on site Pricing tables ----predetermined sales price. cashier cant go back through and cant change cost of product. price stays same inventory ---perpetually done. recorded immediately as goes out drawer close-out ---evidence that everything has been reconciled at the end of th enight
Segregation of Duties
Not having the same people having their fingers in the same part of the transaction. Trying to prevent one person getting into multiple parts of transaction. Trying to rid errors and prevent/detect fraud. -Authorization -Custody -Recording
Custody
Process has ability to convert company's assets into cash. The ability to sign a check Signing check is not authorization ---Someone gave you ability to do this. ---Wirign check, signing check, getting checks and cash from customer is custody. Ability to do cash transactions. Custody is given to someone, from someone else in authority.
PKI
Public Key Infrastructure Uses asymmetric encryption There is a public key and a private key
Detailed Design (Systems Design Phase)
Purpose is to create the entire set of specifications necessary to build and implement the system Various parts of system that must be designed ---Outputs ---Inputs ---Processes ---Data Storage ---Internal Controls
Recovery and Continuity (GCC Controls)
Recovery-Bringing the information back Continuity-is like a COLO, if something is broken it goes to another subsidiary. DRP-disaster recovery plan BCP-Business continuity plan
Operation & Maintenance Phase (SDLC)
Regular Reports to management: IT Performance (SLA=service level agreement) ----IT load usage & excess capacity ----Downtime of IT Security ----Maintenance hours on IT systems IT Security IT user Satisfaction ---From both internal & external customers Help Desk info ----Change Management
Collections Process (Key Documents)
Remittance Advice helps processor of collection keep track of what to apply, portion thats ripped off invoice and sent to company with check Cash prelist takes out check, records check, sends to accounting, uses this or remittance Deposit validation Bank statement
Backouts
Reverses change & brings it back to original version.
Risk and Control
Risk ---Fraud-misappropriation/manipulation ---Error-Unintentional Controls ---Things in place to minimize risk
SSL
Secure Sockets Layer The mechanism that creates the network between two different companies. Under SSL, there is a public key infrastructure.
Control Activities
Seg. of Duties Authorization Documentary (Audit Trail) Safeguarding Recon/Review/Analysis IT Controls
Operating System
Tells the hardware, how to move its bits and bytes around Turns the machine code into language to make the machine function.
Governance
The combination of processes and structures Implemented by the board to inform, direct, manage, monitor The activities of the organization toward the achievement of its objectives.
Recording
Those that can get into accounting system, post transactions, etc. Anytime, it affects books and entries, it has to do with recording. --Posting --Journalizing, etc. Process
Version Control Software
Track changes made by coders Allows someone to track and see what happened, tests performed, etc. Segregates duties -Code reviews & testing are needed before this can fully be approved. The next version can only be changed if authorized, tested, approved, etc.
VPN
Virtual Private Network Someone can access/come in from a different location and can access the network
Data Flow Diagram
Way to step back and see where everything goes, how it all flows through the accounting process and the ordering process.
System design phase if: Purchasing Software
When evaluating each software proposal, the IT governance committee should consider: Price User needs Feasibility Vendor Support Vendor Reputation User Friendliness Only use RFP for Purchasing Software
Revenue Recognition
When is revenue recognize? Earned and collectable or collected ---Evidence of arrangement ---Fee is fixed or determinable ---delivery has taken place ---Payment is collectable