TRANSCRIPT
THE STANDARD IN STAFFING, RECRUITING AND PROFESSIONAL DEVELOPMENT
IT AUDITING FOR NON-IT AUDITORS
Danny M. Goldberg, Founder
Danny M. Goldberg
• Founder, GOLDSRD (www.goldsrd.com)
• Former Director of Corporate Audit/SOX at Dr Pepper Snapple Group
• Former CAE - Tyler Technologies
• Published Author (Book/Articles)
• Texas A&M University – 97/98
• Chairman of the Leadership Council of the American Lung Association - North Texas – Calendar Year 2012
• Served on the Audit Committee of the Dallas Independent School District (CY 2008)
• Current Dallas and Fort Worth IIA Programs Co-Chair
• Fort Worth IIA Board Member
• IIA North America Learning Committee Member (2014-15)
Certifications: • CPA – Since 2000 • CIA – Since 2008 • CISA – Since 2008 • CGEIT - Since 2009 • CRISC - Since 2011 • CRMA – Since 2011 • CCSA – Since 2007 • CGMA – Since 2012
Danny M. Goldberg • Highly-Rated, Internationally Recognized Speaker
– 3rd Rated Speaker, 2015 IIA All-Star Conference
– One of the Top Rated Sessions, 2015 GAM Conference
– 8th Rated Speaker, 2015 MISTI AuditWorld
– 10th Rated Speaker, 2015 ISACA CACS
– One of the Top Rated Speakers, 2014 IIA All-Star Conference
– 7th Rated Speaker, 2014 ISACA ISRM Conference
– One of the Top Rated Speakers, 2014 IIA Mid-Atlantic Conference
– 3rd Rated Speaker, 2014 ISACA CACS
– One of the Top Rated Speakers, 2014 IIA Gaming Conference
People-Centric Skills
• Added to IIA and ISACA Bookstores, Summer 2015
• Published August 2014 (Wiley Publications)
• Over 2,000 copies sold - Amazon Rating
• Coauthored with Manny Rosenfeld – Chief Audit Executive with four global F500 Cos. and a global Financial Services organization.
• First book specific to internal audit communications and personal interactions
• This is not a reference book! – Story book format – Character development – Fictional Internal Audit Department – Fictional Professional Coach/Trainer – Situational
GoldSRD Snapshot
Staff Augmentation:
• Market leader in locating cost-effective, recognized resources in accounting, finance, audit and IT
• All requests filled within 72 hours
Professional Development:
• Nationally-Recognized Leader in Audit and People-Centric© Skills Training
• Institute of Internal Auditors (“IIA”) Recognized CPE Provider (only 6 firms in North America!)
• Over 170 Full-Day Courses on Audit, IT Audit, Accounting, Finance, Personal Development and People-Centric© Skills
• Registered with NASBA to offer CPE’s for all courses in course catalog (Live and Web-Based)
• Interactive and Educational Courses for all levels
Executive Recruiting:
• Unique approach to filling positions, including personality assessment for candidate and organization
• Expansive network of qualified candidates actively looking
Bi-Monthly Webinar Series
• Each two-hour webinar will be on the first Monday of EVERY OTHER month (beginning in February), starting promptly at Noon CST (minimum of ten attendees to hold the class or it will be rescheduled/refunded). Each webinar can be purchased for $50.00 or an annual subscription can be purchased at a 20% discount at $240.00
• Group discounts can drive individual pricing down to $20/hour and, based on group size, down to $13.50/hour! All webinars are NASBA-Certified!
Date Topic
August 7th Project Management for IA
October 9th Conflict Management/Negotiation Skills
December 4th Business Etiquette for the Modern Auditor
Straw Poll
• What is an internal auditor’s responsibility in regards to knowledge of IT risks and controls?
IIA Standards and IT Auditing
• 1210.A3 – Proficiency – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.
– However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
GOLD NUGGET #1
• GTAG – Global Technology Audit Guide
• Prepared by The IIA, GTAG is written in straightforward business language to address timely issues related to information technology (IT) management, risk, control, and security
• HERE’S THE KICKER – IIA members access GTAG’s FREE!
GTAG I – Categories of IT Knowledge
• Defines three categories of IT knowledge for auditors:
– Category I: Knowledge of IT needed by all professional auditors, from new recruits up through the CAE
– Category II: Knowledge of IT needed by audit supervisors
– Category III: Knowledge of IT needed by IT Audit Specialists
Category I Knowledge
• Understanding concepts such as applications, operating systems and systems software, and networks
• IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls
• Understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components
• Understanding IT risks without necessarily possessing significant technical knowledge
Straw Poll
• How many of you can confidently raise your hand (not half-way but a full hand raise) and agree that you have Category I knowledge?
SIMILARITIES/DIFFERENCES BETWEEN INTERNAL AUDIT AND IT AUDIT
Type of Audit | Objectives
Financial/Operational | Completeness • Accuracy • Validity • Authorization • Rights & Obligations • Presentation & Disclosure • Efficiency • Effectiveness
IT | Security • Availability • Confidentiality • Integrity • Scalability • Reliability • Effectiveness • Efficiency
IT CONTROLS & CONTROLS FRAMEWORKS
INTRODUCTION/OVERVIEW
Control Frameworks
• Internal Controls – COSO Internal Control – Integrated Framework (Most Popular)
• General Computer Controls – COBIT (Most Popular)
– Control Objectives for Information and Related Technology
– Generally applicable and accepted standard for good IT security and control practices that provides a reference framework for management, users, and audit practitioners
– Developed by the IT Governance Institute (ITGI)
– ITGI Control Objectives For Sarbanes Oxley
– ITIL (IT Infrastructure Library)
WHAT IS COBIT®?
Control OBjectives for Information & related Technology
COBIT®
• Designed to be used by auditors and business process owners
– Uses a set of 34 high-level control objectives that cover 210 control objectives grouped into four domains: Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate
• Provides guidance for executive management to govern IT within the enterprise
– More effective tools for IT to support business goals
– More transparent and predictable full life-cycle IT costs
– More timely and reliable information from IT
– Higher quality IT services and more successful projects
– More effective management of IT-related risks
• Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
[Figure: IT Governance focus areas – Resource Management, Performance Measurement, Risk Management]
Information criteria: ✓ Effectiveness ✓ Efficiency ✓ Availability ✓ Integrity ✓ Confidentiality ✓ Reliability ✓ Compliance
COBIT®: Plan & Organize # Control Statement
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Define the Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
COBIT®: Acquire & Implement
# Control Statement
AI1 Identify Automated Solutions
AI2 Acquire & Maintain Application Software
AI3 Acquire & Maintain Technology Infrastructure
AI4 Develop & Maintain Procedures
AI5 Install & Accredit Systems
AI6 Manage Changes
COBIT®: Deliver & Support # Control Statement
DS1 Define & Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance & Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify & Allocate Costs
DS7 Educate & Train Users
DS8 Assist & Advise Customers
DS9 Manage the Configuration
DS10 Manage Problems & Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
COBIT®: Monitor & Evaluate # Control Statement
M1 Monitor the Processes
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
IT Risk Framework Benefits
• Aligned with business risk – focus on what is important to the business
• Valuable input to the IT and business strategy, as well as the IT Audit plan
• Linked to maturity assessment to provide roadmap for process improvement
• Addresses risk factors affecting each aspect of the IT environment: – IT Governance, IT Processes, IT Applications and Infrastructure
• Compatible with other IT frameworks including COBIT, PMI, ITIL, ISO, etc.
• End-to-End (comprehensive) view of all IT processes, such as development, support, help desk, security, etc.
• Addresses all critical “layers” of the IT environment, i.e. applications and infrastructure such as network, OS, DB
Control Types
• Dual Controls (Partially Automated and Manual) – People enabled controls – People rely on information from IT systems for the control to function
• Manual – People enable control – Fully independent of IT systems
• Automated – Programmed controls – Strong in nature – Lack human error – Repetitive, same functioning – Test of 1 vs. Many
IT Controls Overview • Classification – General Controls – Application Controls
• Classification – Preventative – Detective – Corrective
• Classification – Governance controls – Management controls – Technical controls
Types of IT Controls
• Preventive controls prevent errors, omissions, or security incidents from occurring – EXP: data-entry edits, access controls, antivirus software, firewalls, intrusion prevention systems
• Detective controls detect errors or incidents that elude preventative controls – EXP: monitoring accounts or transactions to identify unauthorized or fraudulent activity
• Corrective controls correct errors, omissions, or incidents once they have been detected – EXP: correction of data-entry errors, recovery from incidents, disruptions or disasters
Background
• Results from IIA external Quality Assessment Reviews (QARs) - developing an appropriate IT audit plan is one of the weakest links in internal audit activities
• Many times, instead of risk-based auditing, internal auditors review what they know or outsource to other companies, letting them decide what to audit
Introduction & Overview
• What is a Risk Assessment?
– Process of identifying, estimating and evaluating the nature and severity of risks associated with an organization, specific business unit or product
– Methodology to produce a risk model to optimize the assignment of company resources through a comprehensive understanding of the organization’s business environment and associated risks
• What is an IT Risk Assessment?
– Risk assessment with a focus on development, use, management and monitoring of information technology
– Methodology to produce a risk model to optimize the assignment of IT audit resources through a comprehensive understanding of the organization’s IT environment and the risks associated with each auditable unit
– Integral component of an overall risk assessment for a company
Introduction & Overview
• Why perform an IT Risk Assessment?
– Identify areas of highest relative IT risk for an organization
– Bring IT risk awareness to management
– Assist management to develop an approach to manage and respond to their IT Risks
– Develop a risk-based internal audit plan to assess controls that address identified IT risks
IT Risks
• Physical Environment/Disaster Recovery (back-ups)
• IT Maintenance and Support = Staffing
• Outsourcing • Security • Access (who/what/why) • Change Management • IT Governance • Downtime/Accessibility • Legacy (Old) Systems • Project Management
• Succession Planning/Training/Expertise
• Budgeting (appropriate) – Asset Management
• Legal & Regulatory • System Interfaces • System Implementations • Technology Changes • Cloud Computing • Data Privacy • PCI Compliance • Utilization/Oversight of 3rd Parties
GROUP EXERCISE
IN GROUPS, BASED ON YOUR KNOWLEDGE, DISCUSS THE TOP FIVE IT-RELATED RISKS TO YOUR ORGANIZATION
Top IT Risks • Regulatory Changes/Scrutiny • Rapid Speed of Disruptive Innovations & New Technologies • Privacy/Identity Management • Succession Challenges & Ability to Attract & Retain Top Talent • Cyber Security & Incident Response Risk • IT Resiliency & Continuity Risk • Technology Vendor and Third-Party Risk • IT Governance • IT Systems Development Projects
SOURCES: Protiviti: Executive Perspectives on Top Risks for 2017; Deloitte.com – IT Risks in Financial Services; IIA CBOK – Navigating Technology’s Top 10 Risks
Introduction & Overview
IT Risk Assessment addresses key IT management processes and supporting technologies
• Areas for consideration include:
– IT Governance and Control; Performance Measurement
– Program Management; Technology Management; Vendor Management
– Applications Support and Development
– Systems Operations, Maintenance and Support
– Information Systems Security
– Business Continuity and Disaster Recovery Planning (Dallas County Records Building)
IT Audit Plan Development Process
Source: IIA – GTAG 11
UNDERSTAND THE BUSINESS
The first step in defining the annual IT audit plan is to understand the business. As part of this step, auditors need to identify the strategies, company objectives, and business models that will enable them to understand the organization’s unique business risks, and how business and IT service functions support the organization.
Key Activities – Gather information: • Business objectives and strategies • Organizational structure and changes • Key business processes and locations • Company’s disclosed risks (10-K) • Available company risk information • Key industry risks and issues
Key Deliverables – Client Profile: • Business Objectives/Strategies • Organizational structure • Business Process and Locations; Preliminary risk information: • 10-K disclosed risks • Other company risk information • Key industry issues
DEFINE IT UNIVERSE
Next, auditors need to define the IT universe. This can be done through a top-down approach that identifies key business objectives and processes, significant applications that support the business processes, the infrastructure needed for the business applications, the organization’s support model for IT, and the role of common supporting technologies such as network devices.
Key Activities: • Degree of System and Geographic Centralization • Technologies deployed • Degree of customization • Degree of formalized policies and standards • Degree of regulation and compliance • Degree and method of outsourcing • Degree of operational (changes, configuration) standardization • Level of reliance on technology
Key Deliverables: • IT Inventory tied to business processes/applications
GOLD NUGGET #2
• Starting Point – IT Universe/Inventory
• Auditable without?
• If IT has been through an audit, they should have this (might not be updated)
• Might only include systems/applications that IT manages (this is key)
PERFORM RISK ASSESSMENT
After auditors have a clear picture of the organization’s IT environment, the third step is to perform the risk assessment – a methodology for determining the likelihood of an event that could hinder the organization from attaining its business goals and objectives in an effective, efficient, and controlled manner.
Key Activities: • Conduct interviews or workshops to gather risk ratings by designated key client participants • Based on the executive risk assessment inputs, develop the Risk Assessment / Risk Map
Key Deliverables – Risk Scorecard / Risk Map: • Risks prioritized based on Impact and Likelihood/Vulnerability risk ratings • A summary of risk assessment interview notes as an attachment would be a useful tool to the internal audit plan development process and to the overall risk management process
Define Impact and Vulnerability Criteria
Vulnerability: • Complexity • Control Effectiveness • Prior Risk Experience • Rate of Change • Preparedness
Impact: • Strategic • Financial • Reputation • Legal and Regulatory • Operational • Stakeholders • Competitor
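The scoring step those two criteria lists feed into, as an added worked example (it is not from the slides or from GoldSRD): each auditable area gets a 0-to-5 rating per criterion from the risk interviews, the ratings are averaged into an Impact score and a Vulnerability score, and the areas are placed on the 0-to-5 risk map and ranked by Impact × Vulnerability for the audit plan. Area names reuse labels from the example risk map later in the deck; the ratings, the equal weighting, the 0-5 scale and the 2.5 quadrant midpoint are assumptions.

```python
"""Impact/Vulnerability scoring for an IT risk assessment (added example).

Ratings below are constructed; the equal weights, the 0-5 scale and the
2.5 midpoint are assumptions to be replaced by the organization's own model.
"""

# Criteria exactly as listed on the slide.
VULNERABILITY_CRITERIA = ["Complexity", "Control Effectiveness", "Prior Risk Experience",
                          "Rate of Change", "Preparedness"]
IMPACT_CRITERIA = ["Strategic", "Financial", "Reputation", "Legal and Regulatory",
                   "Operational", "Stakeholders", "Competitor"]

# Constructed interview ratings, 0 (none) to 5 (severe), one per criterion in the
# order above. "Control Effectiveness" and "Preparedness" are recorded so that a
# HIGHER number means WEAKER controls / POORER preparedness, i.e. more vulnerable,
# so every criterion pulls the score in the same direction.
RATINGS = {
    "Change Management":            {"vulnerability": [4, 5, 4, 5, 3], "impact": [4, 5, 3, 4, 5, 3, 2]},
    "Business Continuity Plan":     {"vulnerability": [3, 4, 2, 2, 4], "impact": [5, 5, 4, 3, 5, 4, 3]},
    "IT Purchasing Process":        {"vulnerability": [2, 2, 1, 2, 2], "impact": [2, 3, 1, 2, 2, 2, 1]},
    "Data Center Climate Controls": {"vulnerability": [1, 2, 1, 1, 2], "impact": [2, 2, 1, 1, 4, 1, 1]},
}

MIDPOINT = 2.5  # assumption: splits the 0-5 map into four quadrants


def weighted_score(values, weights=None):
    """Weighted average of criterion ratings (equal weights unless given); stays on the 0-5 scale."""
    if weights is None:
        weights = [1.0] * len(values)
    if len(values) != len(weights):
        raise ValueError("one weight per rating required")
    for v in values:
        if not 0 <= v <= 5:
            raise ValueError(f"rating {v} outside 0-5 scale")
    return sum(v * w for v, w in zip(values, weights)) / sum(weights)


def quadrant(impact, vulnerability, midpoint=MIDPOINT):
    """Name the risk-map quadrant an area falls into."""
    high_impact = impact >= midpoint
    high_vuln = vulnerability >= midpoint
    return {(True, True): "high impact / high vulnerability",
            (True, False): "high impact / low vulnerability",
            (False, True): "low impact / high vulnerability",
            (False, False): "low impact / low vulnerability"}[(high_impact, high_vuln)]


def risk_scorecard(ratings):
    """Return rows (area, impact, vulnerability, composite, quadrant) ranked by composite score."""
    rows = []
    for area, r in ratings.items():
        if len(r["vulnerability"]) != len(VULNERABILITY_CRITERIA) or len(r["impact"]) != len(IMPACT_CRITERIA):
            raise ValueError(f"{area}: one rating per criterion required")
        imp = weighted_score(r["impact"])
        vul = weighted_score(r["vulnerability"])
        rows.append((area, round(imp, 2), round(vul, 2), round(imp * vul, 2), quadrant(imp, vul)))
    # Composite = Impact x Vulnerability; highest first drives audit-plan priority.
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for area, imp, vul, comp, quad in risk_scorecard(RATINGS):
        print(f"{area:30} impact={imp:4.2f} vuln={vul:4.2f} composite={comp:5.2f}  {quad}")
```

The composite is only a ranking device; the quadrant is what the map shows management, and the interview notes the slide recommends attaching are what explain why an area landed where it did.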
FORMALIZE AUDIT PLAN
The objective of the audit plan is to determine where to focus the auditor’s assurance and consulting work to provide management with objective information to manage the organization’s risk and control environment.
Key Activities: • Determine the resource needs (skill sets, tools, competencies) given the risk information for the planned audits • Allocate resources and schedule the audits
Key Deliverables – Detailed risk-based internal audit plan showing: • Linkage of IA projects to the risk assessment process and risk information • Alignment of resource competencies to risk focus of the project audit timeline
Key Deliverables
• IT Risk Assessment deliverables can include: – Risk Scorecards – Risk Maps – System Inventory/Mapping (see next slide) – IT Audit Universe – Internal Audit Plan: list of audit projects to be executed, timeframe, and budgeted hours
System Inventory/Mapping
Key Application / Module | Business Critical Process | Application Vendor | Key Interfaces | Operating System | Database | Business IT Support: App Owner | Application Support | Database Support | Operating System Support | Server Name | Database Name
A Oracle | Financial system | Oracle | Avantis, ADP, Toptech | IBM AIX | Oracle | Owner | App Mgr | DB Mgr | OS Mgr | epa650trafxs2 | File based database
B Avantis | Project/Maintenance Mgmt | Vendor - Ivensys | Excel | MS Win 2003 | MS SQL | Owner | App Mgr | DB Mgr | OS Mgr | epa650avantis2 | WRProduction
C ADP | Payroll | Outsourced - ADP (SAS70) | None | N/A | N/A | Owner | App Mgr | DB Mgr | OS Mgr | N/A | N/A
D Toptech | Marketing terminal, all daily liftings | Outsourced - Toptech | FAS | Proprietary QNX | Proprietary | Owner | App Mgr | DB Mgr | OS Mgr | epa650tmsprimary | N/A
E FAS (Fixed Asset) | Fixed Assets | Sage Software (formerly Best Software) | Excel | MS Win 2000 | Sybase | Owner | App Mgr | DB Mgr | OS Mgr | epa650app1 | DB files in \\epa650app1\apps\bestserv\*
F Excel Spreadsheets | Financial / Accounting Processes | Microsoft | Oracle | N/A | N/A | Owner | App Mgr | DB Mgr | OS Mgr | epa650ntshare1 | N/A
Example Risk Map
[Figure: plot of Impact against Vulnerability, each rated 0 to 5 (ticks at 0, 2.5, 5). Risk areas plotted:]
• Security Policy Awareness and Enforcement
• Data Privacy (vulnerability and access)
• Business Continuity Plan
• OSS Stability
• Data Center Climate Controls
• Segregation of Duties
• Instance Management
• Communication of IT Strategy & Direction
• IT Purchasing Process
• Role Definitions
• SDLC Adoption and Compliance
Example IT Audit Plan – IT Processes
IT Risk Universe Area | Impact | Vulnerability | Risk Category | Rotation
IT Governance:
IT Governance | H | H | Mitigate | Consult
Regulatory Compliance & SOX Support | H | M | Assurance | Annual
IT Strategy & Planning:
IT Strategy & Planning | M | M | Assurance | Every Two Years
Architecture:
Architecture Design and Management | L | H | Cumulative Impact | Annual
Project Management:
Project Mgmt (PMLC) | H | M | Assurance | Annual
Systems Development Lifecycle (SDLC) | H | M | Assurance | Annual
Data Management & Operations:
Data Retention / Backup | L | M | Review Resources | As Needed
Applications & Databases:
Change Management | H | H | Mitigate | Consult
Data Quality & Integrity | M | H | Mitigate | Consult
Infrastructure Patch Management | M | H | Mitigate | Consult
Interface Validation & Integrity | M | H | Mitigate | Consult
Support:
Problem Management | H | L | Assurance | Annual
Service Level Management | L | M | Cumulative Impact | Every Two Years
GROUP EXERCISE
IN GROUPS, THINK OF A SIMPLE METAPHOR TO DEFINE IN LAYMAN’S TERMS WHAT GENERAL CONTROLS ARE
THE HOUSE ANALOGY
INSIDE OF THE HOUSE: APPLICATION CONTROLS
FOUNDATION OF THE HOUSE: GENERAL CONTROLS
House Metaphor
• Foundation – Without a strong foundation, all of the “insides” are irrelevant – they will be destroyed if the foundation does not work well
• Furniture, Electronics, Hardwood Floors – Beautiful furnishings and eccentric artwork will become severely damaged if the foundation cracks or a sinkhole swallows the insides!
IT General Controls (ITGC’s) Major Categories
1. Access to Programs and Data
2. Program Changes
3. Program Development
4. Computer Operations
ITGC #1: Access to Programs & Data
• RISK: Unauthorized access to programs and data may result in improper changes to data or destruction of data
• OBJECTIVES: Access to programs and data is properly restricted to authorized individuals only
COMPONENT CONSIDERATIONS: • Policies & procedures • User access provisioning & de-provisioning • Periodic access reviews • Password requirements • Privileged user accounts • Physical access • Appropriateness of access/segregation of duties • Encryption • System authentication • Audit logs • Network security
INFORMATION SECURITY
Designing, implementing, and maintaining information security, including both physical and logical security over all access paths to programs and data. Assessing and prioritizing relevant security risks. Defining data owners, classifying data as to necessary security, and selecting and implementing security tools and techniques.
Control Objectives – Critical Areas: • Tools and techniques restrict access to programs, data, and other information resources • Restricts access to programs and information • Physical access restrictions are implemented and administered to restrict access to information • All information resources subject to appropriate physical and logical security
Control Objectives – Value Add Areas: • Virus Protection • Software is used in accordance with licensing agreements and management’s authorization • Information is protected against environmental hazards and related damage
Covers: • Security policies • Security standards • Data ownership • Information security architecture • Security administration • Logical access • Security logging & monitoring • Physical access • Environmental
Information Security – Coverage Areas
• Defining Data Owners – Identifying owners is key; is it the business or IT?
• Data Classification – Confidential, Private, Highly Sensitive Customer Corporate and Customer Data, Sensitive Internal Data, Public
• User Provisioning/De-provisioning – Covered in next section
ACCESS CONTROLS: APPROPRIATE ACCESS AND ACCESS REVIEWS
Access Controls – Leading Practices
• No matter what method is chosen to scope the review of application controls, the module’s or application’s logical access controls need to be reviewed periodically.
• In most cases, the user and administrative access rights (e.g., read, write, and delete) are built using the inherent security platform and tools within the application.
• The strategies employed to determine which logical access rights will be assigned to users vary from a need-to-know basis to a need-to-withhold basis.
• Access rights should be granted based on the user’s job function and responsibilities.
Access Controls – Leading Practices
How logical access rights are created varies from package to package. In some cases, the logical access rights are granted based on a transaction code or a screen name or number, while others, such as SAP R/3, use more complex object-based security protocols. When a review of an application’s logical access controls is performed, it is important to ensure that the general application security controls are reviewed as well, including:
• Length of the user name or user identification
• Password’s length
• Password character combinations
• Password aging (e.g., users must change their password every 90 days)
• Password rotation (e.g., users cannot use any of their last eight passwords)
• User account lockout after six unsuccessful login attempts
• Session timeout (e.g., the application automatically logs out a user if the user has not interacted with the application within 15 minutes)
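A way to test that list against an actual policy export rather than by inspection, as an added example (not from the slides): the script parses a `Label: value` account-policy export and reports every parameter that is missing, switched off, or weaker than the baseline. The export lines are constructed and their labels only loosely follow the layout of `net accounts` on Windows, so PARAM_MAP is an assumption to adapt per system; the minimum length of 8 is also an assumption, while the other thresholds are the ones given above (90-day aging, last eight passwords, six failed attempts, 15-minute timeout).

```python
"""Baseline check of an application's general security parameters (added example).

The export format parsed here is constructed for the example: one
'Label: value' line per parameter. The labels in PARAM_MAP and the
minimum length of 8 are assumptions; the other thresholds come from
the slide (90-day aging, last eight passwords, lockout after six
failed attempts, 15-minute session timeout).
"""
import re

# Baseline: ("min", n) means the value must be at least n; ("max", n) at most n.
BASELINE = {
    "min_password_length":     ("min", 8),    # assumption: slide names the control, not the number
    "max_password_age_days":   ("max", 90),
    "password_history":        ("min", 8),
    "lockout_threshold":       ("max", 6),
    "session_timeout_minutes": ("max", 15),
}

# Export label -> baseline key (labels are an assumption; adapt per system).
PARAM_MAP = {
    "Minimum password length":               "min_password_length",
    "Maximum password age (days)":           "max_password_age_days",
    "Length of password history maintained": "password_history",
    "Lockout threshold":                     "lockout_threshold",
    "Session timeout (minutes)":             "session_timeout_minutes",
}

DISABLED_WORDS = {"never", "none", "unlimited", "disabled"}

# Constructed export from a system under review (note: no session timeout line at all).
SAMPLE_EXPORT = """\
Minimum password length: 6
Maximum password age (days): Unlimited
Length of password history maintained: 24
Lockout threshold: 10
Lockout duration (minutes): 30
"""


def parse_policy(text):
    """Return {baseline_key: int or None}; None means the control is switched off."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = PARAM_MAP.get(label.strip())
        if not sep or key is None:
            continue  # unknown or malformed line: ignored, not treated as a finding
        value = value.strip()
        if value.lower() in DISABLED_WORDS:
            policy[key] = None
            continue
        match = re.search(r"\d+", value)
        number = int(match.group()) if match else None
        # A lockout threshold of 0 is the conventional "never lock out" setting.
        if key == "lockout_threshold" and number == 0:
            number = None
        policy[key] = number
    return policy


def evaluate(policy, baseline=BASELINE):
    """List (key, actual, expected, finding) for each parameter missing, disabled or weaker than baseline."""
    findings = []
    for key, (direction, limit) in baseline.items():
        if key not in policy:
            findings.append((key, None, limit, "not set / not in export"))
        elif policy[key] is None:
            findings.append((key, None, limit, "disabled"))
        elif direction == "min" and policy[key] < limit:
            findings.append((key, policy[key], limit, "below minimum"))
        elif direction == "max" and policy[key] > limit:
            findings.append((key, policy[key], limit, "above maximum"))
    return findings


if __name__ == "__main__":
    for key, actual, expected, finding in evaluate(parse_policy(SAMPLE_EXPORT)):
        print(f"{key:25} actual={actual!s:10} baseline={expected:<4} {finding}")
```

A parameter absent from the export is reported as a finding rather than silently passed, because "not configured" is the most common way one of these controls is missing in practice.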
User Access Administration
• Common control concerns:
– Informal, decentralized or fragmented process
– User roles not formally defined
– Inadequate user access request methods: • Forms too general • Requests and approvals not documented • Audit trail not maintained
– User termination notification processes not effective
– User removal processes not comprehensive
– Periodic reviews not performed
– No intuitive access report available for management review
DE-PROVISIONING: WHO SHOULD BE ULTIMATELY ACCOUNTABLE?
HIRING MANAGER
HUMAN RESOURCES
INFORMATION TECHNOLOGY
User Provisioning
• Who is responsible for user provisioning?
• When should user access be cut-off once they notify/are notified they are leaving a company?
• How quickly should access be cut-off once this notification occurs?
• Does Active Directory alleviate all concerns?
WHAT IS ACTIVE DIRECTORY/SINGLE SIGN-ON? IF ACTIVE DIRECTORY IS SHUT-OFF, CAN USER ACCESS THE NETWORK?
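For applications that keep their own logins the answer to the last question is usually "no, but the application still lets them in", and the way to prove it is a reconciliation. Added example, not from the slides: an HR termination list is matched against an Active Directory export and the user table of an application that is not behind single sign-on, flagging AD accounts still enabled or disabled late against a cut-off SLA, application accounts that survived the AD disable, and accounts with no employee owner that no termination will ever trigger. All three feeds, their field layouts and the 24-hour SLA are constructed assumptions.

```python
"""Termination reconciliation across HR, Active Directory and a non-SSO application (added example).

All three feeds are constructed. Field layouts and the 24-hour cut-off
are assumptions; in practice the AD side is an export of the account's
enabled flag and disable timestamp, and the application side is its
own user table, because disabling the AD account does nothing to an
application with native logins.
"""
from datetime import datetime, timedelta

CUTOFF_SLA = timedelta(hours=24)  # assumption: access removed within a day of termination

# Constructed HR feed: employee id -> termination date (effective start of day)
HR_TERMINATIONS = {
    "E100": datetime(2017, 3, 1),
    "E101": datetime(2017, 3, 3),
    "E102": datetime(2017, 3, 5),
}

# Constructed AD export: account -> (employee id, enabled?, disabled timestamp or None)
AD_ACCOUNTS = {
    "jdoe":   ("E100", False, datetime(2017, 3, 1, 17, 0)),  # disabled the same day: fine
    "asmith": ("E101", True,  None),                          # never disabled
    "bjones": ("E102", False, datetime(2017, 3, 9, 9, 0)),   # disabled, but days late
    "svc_bk": (None,   True,  None),                          # no owner: HR trigger cannot reach it
}

# Constructed user table of an application with its own logins (not behind AD/SSO):
# account -> (employee id, enabled?)
APP_ACCOUNTS = {
    "doej":    ("E100", True),   # AD disabled, application login still works
    "smitha":  ("E101", True),
    "jonesb":  ("E102", False),
    "vendor1": (None,   True),   # shared/vendor login with no owner
}


def reconcile(terminations, ad_accounts, app_accounts, sla=CUTOFF_SLA):
    """Return sorted (employee_id, account, finding) rows for leavers whose access survived termination."""
    findings = []
    for emp, term_date in terminations.items():
        for name, (owner, enabled, disabled_at) in ad_accounts.items():
            if owner != emp:
                continue
            if enabled:
                findings.append((emp, name, "AD account still enabled after termination"))
            elif disabled_at is None:
                findings.append((emp, name, "AD account disabled but no disable timestamp to test the SLA"))
            elif disabled_at - term_date > sla:
                late = disabled_at - term_date
                findings.append((emp, name, f"AD account disabled {late.days} days after termination"))
        for name, (owner, enabled) in app_accounts.items():
            if owner == emp and enabled:
                findings.append((emp, name, "application-native account still enabled (not covered by AD/SSO)"))
    return sorted(findings)


def orphaned_accounts(ad_accounts, app_accounts):
    """Accounts with no employee owner: nobody's termination will ever trigger their removal."""
    all_accounts = list(ad_accounts.items()) + list(app_accounts.items())
    return sorted(name for name, record in all_accounts if record[0] is None)


if __name__ == "__main__":
    for row in reconcile(HR_TERMINATIONS, AD_ACCOUNTS, APP_ACCOUNTS):
        print(*row, sep=" | ")
    print("orphans:", orphaned_accounts(AD_ACCOUNTS, APP_ACCOUNTS))
```

The employee-id join is the whole control: if the application's user table has no owner field, the reconciliation cannot be run, which is itself the finding to raise.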
ITGC’s #2 & 3: Program Changes/Development
PROGRAM CHANGES
• RISK: Inappropriate changes to systems or programs may result in inaccurate data
• OBJECTIVES: All changes to existing systems are properly authorized, tested, approved, implemented and documented
PROGRAM DEVELOPMENT
• RISK: Inappropriate system or program development or implementation may result in inaccurate data.
• OBJECTIVES: New systems/applications being developed or implemented are properly authorized, tested, approved, implemented and documented.
COMPONENT CONSIDERATIONS: • Change management procedures and system development methodology • Authorization, development, implementation, testing, approval, and documentation • Migration to the production environment (Separation of Duties (SOD)) • Configuration changes • Emergency changes • Data migration and version controls • Post change/implementation testing and reviews
APPLICATION SYS IMPLEMENTATION & MAINTENANCE
Selecting or developing, implementing, and maintaining application systems
Control Objectives – Critical Areas: • New application systems are implemented appropriately and function as expected • When new application systems are implemented, existing data is appropriately converted • All necessary modifications to existing application systems are implemented timely • Modifications to existing systems are properly implemented and function as expected
Control Objectives – Value Add Areas: • New application systems are acquired or developed consistent with management’s intentions • Application systems are maintainable and supportable
Covers: • Project planning & management • Project prioritization • Project budgeting • Systems development methodologies • Design Specifications • Programming standards • Programmer access • Modifications to purchased software • Testing • Change control • Program documentation • User documentation
App Sys Implementation & Maintenance – Coverage Areas
• Superuser/Admin Access
• Off the Shelf Software – What are modifications? Why are they important?
• SDLC/Change Control
Change Control
• Types of changes: – Program code changes, software updates, system patches, new software implementations
• Change controls should include: – Monitoring and logging of all changes – Steps to detect unauthorized changes – Confirmation of testing – Authorization for moving changes to production – Tracking movement of hardware and other infrastructure components – Periodic review of logs – Back out plans – User training
• Specific procedures should be defined and followed for emergency changes
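What the "detect unauthorized changes" and "authorization for moving changes to production" bullets look like as an audit test, as an added example (not from the slides): a production deployment log is reconciled to the change-ticket system, and each deployment is checked for a ticket, an approval dated before deployment, an approver who is not the implementer, evidence of testing and, for emergency changes, a retrospective approval inside a window. Both logs, their field layouts and the five-day emergency window are constructed assumptions.

```python
"""Reconcile a production deployment log to the change-ticket system (added example).

Both logs are constructed. The tests mirror the change-control bullets:
every change to production maps to a ticket (unauthorized-change
detection), approval precedes deployment, the approver is not the
implementer (separation of duties), testing is evidenced, and emergency
changes receive retrospective approval within an assumed 5-day window.
"""
from datetime import datetime, timedelta

EMERGENCY_APPROVAL_WINDOW = timedelta(days=5)  # assumption

# Constructed change tickets
TICKETS = {
    "CHG-1001": {"approver": "it_director", "approved_at": datetime(2017, 6, 1, 10), "tested": True,  "emergency": False},
    "CHG-1002": {"approver": "dev1",        "approved_at": datetime(2017, 6, 2, 9),  "tested": True,  "emergency": False},
    "CHG-1003": {"approver": "it_director", "approved_at": datetime(2017, 6, 3, 15), "tested": False, "emergency": False},
    "CHG-1004": {"approver": None,          "approved_at": None,                     "tested": True,  "emergency": True},
    "CHG-1005": {"approver": "it_director", "approved_at": datetime(2017, 6, 7, 8),  "tested": True,  "emergency": True},
}

# Constructed production deployment log: (deployed_at, ticket id or None, implementer)
DEPLOYMENTS = [
    (datetime(2017, 6, 1, 18), "CHG-1001", "dev1"),  # clean
    (datetime(2017, 6, 2, 18), "CHG-1002", "dev1"),  # approver is the implementer
    (datetime(2017, 6, 3, 12), "CHG-1003", "dev2"),  # deployed before approval; no testing
    (datetime(2017, 6, 4, 2),  "CHG-1004", "dev2"),  # emergency change never approved
    (datetime(2017, 6, 4, 3),  "CHG-1005", "dev2"),  # emergency change approved 3 days later: inside window
    (datetime(2017, 6, 5, 12), None,       "dev3"),  # nothing in the ticket system
]


def review_changes(tickets, deployments, window=EMERGENCY_APPROVAL_WINDOW):
    """Return (deployed_at, ticket_id, finding) for every deployment that fails a change-control test."""
    findings = []
    for deployed_at, ticket_id, implementer in deployments:
        ticket = tickets.get(ticket_id) if ticket_id else None
        if ticket is None:
            findings.append((deployed_at, ticket_id, "deployment with no change ticket"))
            continue
        if ticket["approver"] is None:
            findings.append((deployed_at, ticket_id, "no approval on record"))
        elif ticket["approver"] == implementer:
            findings.append((deployed_at, ticket_id, "approver is also implementer (SoD)"))
        approved_at = ticket["approved_at"]
        if approved_at is not None and approved_at > deployed_at:
            if not ticket["emergency"]:
                findings.append((deployed_at, ticket_id, "deployed before approval"))
            elif approved_at - deployed_at > window:
                findings.append((deployed_at, ticket_id, "emergency change approved outside window"))
        if not ticket["tested"]:
            findings.append((deployed_at, ticket_id, "no evidence of testing"))
    return findings


if __name__ == "__main__":
    for deployed_at, ticket_id, finding in review_changes(TICKETS, DEPLOYMENTS):
        print(f"{deployed_at:%Y-%m-%d %H:%M} {ticket_id or '-':9} {finding}")
```

The deployment log has to come from the production system itself (a deployment tool's history, file timestamps, or the database change log), not from the ticket system; a test driven only by tickets can never find the change nobody raised a ticket for.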
DATABASE IMPLEMENTATION & SUPPORT
Managing the data architecture and maintenance in terms of defining and maintaining the structure of master file data, transaction data, and organization data. Maintaining the database management system (or its equivalent).
Control Objectives – Critical Areas: • The data structure is appropriately implemented and functions consistent with management’s intentions • All necessary modifications to the data structure are implemented timely and with proper approval (SDLC) • Modifications to the data structure are appropriately implemented and the modified data structure functions consistent with management’s intentions
Topics Covered: • Data architecture • Database implementation • Database administration & monitoring • Database maintenance & modifications
GOLD NUGGET #3
• Master Files
– Customer
– Employee
– Vendor
• Why is protection of the master file important?
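The reason master files matter is that a single unapproved change to a vendor's bank account or remit-to address redirects every subsequent payment, with no unusual transaction to catch. The following is an added example (not from this deck) of the review a practitioner would run over the ERP's change log for the vendor master: every change to a sensitive field must be made by someone in the master-data role and approved by a second person who is not the changer. The log format, field names, user IDs and vendor numbers are constructed for the example.

```python
"""Review vendor master changes for sensitive-field updates that lack proper approval.

Added example, not from the training deck. It assumes the ERP writes one
audit-log line per field change in the key=value layout shown; the log lines,
user IDs, vendors and maintainer list are all constructed.
"""
import re

# Fields whose change can redirect cash or disguise a fictitious vendor
SENSITIVE_FIELDS = {"BANK_ACCOUNT", "BANK_ROUTING", "REMIT_ADDRESS", "TAX_ID"}

# Users whose job role includes vendor master maintenance (constructed)
MASTER_DATA_MAINTAINERS = {"apclerk1", "apclerk2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=UPDATE vendor=(?P<vendor>\S+) "
    r"field=(?P<field>\S+) old=(?P<old>\S*) new=(?P<new>\S*)"
    r"(?: approver=(?P<approver>\S+))?$"
)

# Constructed audit log: one line per field change, approver present only if recorded
SAMPLE_LOG = """\
2024-03-01T09:02:11 user=apclerk1 action=UPDATE vendor=V1002 field=PHONE old=555-0100 new=555-0199
2024-03-01T09:05:40 user=apclerk1 action=UPDATE vendor=V1002 field=BANK_ACCOUNT old=****1234 new=****9876 approver=apsuper
2024-03-02T14:20:05 user=apclerk2 action=UPDATE vendor=V1007 field=BANK_ACCOUNT old=****4321 new=****6543
2024-03-03T08:11:30 user=apclerk2 action=UPDATE vendor=V1007 field=REMIT_ADDRESS old=12_Main_St new=PO_Box_77 approver=apclerk2
2024-03-03T17:45:00 user=dba_tmp action=UPDATE vendor=V1015 field=BANK_ACCOUNT old=****1111 new=****2222 approver=apsuper
"""


def parse_log(text: str):
    """Return (events, unparseable_lines). Unparseable lines are reported rather
    than dropped, because a gap in the audit trail is itself an exception."""
    events, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            bad.append(line)
    return events, bad


def review_changes(events, maintainers=MASTER_DATA_MAINTAINERS) -> list:
    """Return (vendor, field, user, reason) for each sensitive change that fails a rule."""
    findings = []
    for e in events:
        if e["field"] not in SENSITIVE_FIELDS:
            continue
        if e["user"] not in maintainers:
            # e.g. direct database access by someone outside the business role
            findings.append((e["vendor"], e["field"], e["user"],
                             "changed by a user outside the master-data role"))
        if not e["approver"]:
            findings.append((e["vendor"], e["field"], e["user"],
                             "no second-person approval recorded"))
        elif e["approver"] == e["user"]:
            findings.append((e["vendor"], e["field"], e["user"], "self-approved change"))
    return findings


if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    for finding in review_changes(events):
        print(finding)
    for line in bad:
        print("UNPARSEABLE:", line)
```

On the constructed log the phone-number change passes (not a sensitive field), the first bank-account change passes (maintainer plus independent approver), and three findings come out: a bank-account change with no approver, a remit-to change the clerk approved for themselves, and a bank-account change made by a database account that is not in the master-data role. The same review should be paired with a check that the approvers listed actually hold the approval role, which is the SoD question later in this deck.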
NETWORK SUPPORT
Designing, installing and operating networks and communication software and protocols. This includes defining the structure and interrelationships between components of the network, configuring the physical locations of files and equipment, and planning the operating capacity and capabilities to meet current network needs.

Control Objectives
Critical Areas
• New network and communication software is appropriately implemented, functions properly, and is implemented in a timely manner
• Modifications to existing network and communications software are properly implemented and function as expected
Value Add Areas
• New network and communication software is acquired consistent with management's intentions
• Network and communication software is maintainable and supportable

Topics Covered
Network & communication software:
• Acquisition & approval
• Implementation & testing
• Support
• Maintenance
• Performance monitoring
• Documentation
SYSTEM SOFTWARE SUPPORT
Selecting, implementing, and maintaining necessary systems software, including the parameters that configure and control such software. Implementing and monitoring system software changes, including vendor upgrades.

Control Objectives
Critical Areas
• New system software is appropriately implemented and functions properly
• All necessary modifications to system software are implemented timely
• Modifications to system software are properly implemented and function as intended
Value Add Areas
• New system software is acquired consistent with management's intentions
• System software is maintainable and supportable

Topics Covered
• Operating system acquisition
• Installation, configuration and updates/patches
ITGC's #4: Computer Operations
• RISK: Systems or programs may not be available for users or may not be processing accurately
• OBJECTIVES: Systems and programs are available and processing accurately
COMPONENT CONSIDERATIONS:
• Batch job processing
• Monitoring of jobs (success/failure)
• Backup and recovery procedures
• Incident handling and problem management
• Changes to the batch job schedules
• Environmental controls
• Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP)
• Patch management
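"Monitoring of jobs (success/failure)" is easy to claim and hard to evidence. The following is an added example (not from this deck and not tied to any scheduler product) of the reconciliation an auditor or operations team would run for one processing day: the approved schedule is compared against the job log, and anything missing, failed, still running, started late, or run outside the schedule is listed. The schedule, job names, tolerance and log lines are constructed for the example.

```python
"""Reconcile the approved batch schedule against the job log for one processing day.

Added example, not from the training deck. The schedule, job names, log format
and tolerance are constructed; a real scheduler's log would be parsed the same way.
"""
import re
from datetime import datetime, timedelta

# Constructed nightly schedule: job -> expected start time (HH:MM)
SCHEDULE = {
    "GL_POST": "02:00",
    "AR_AGING": "03:00",
    "PAYROLL_CALC": "04:00",
    "BACKUP_FULL": "05:00",
}
START_TOLERANCE = timedelta(minutes=15)   # how late a start may be before it is flagged

# Constructed job log for 2024-03-04
SAMPLE_LOG = """\
2024-03-04 02:00:12 GL_POST START
2024-03-04 02:07:45 GL_POST END RC=0
2024-03-04 03:00:03 AR_AGING START
2024-03-04 03:02:10 AR_AGING END RC=8
2024-03-04 05:31:00 BACKUP_FULL START
2024-03-04 05:59:30 BACKUP_FULL END RC=0
2024-03-04 06:10:00 ADHOC_FIX START
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (START|END)(?: RC=(\d+))?$")


def parse_job_log(text: str) -> dict:
    """Group log lines per job: {job: {"start": datetime|None, "end": datetime|None, "rc": int|None}}."""
    runs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        job, event, rc = m.group(2), m.group(3), m.group(4)
        run = runs.setdefault(job, {"start": None, "end": None, "rc": None})
        if event == "START":
            run["start"] = ts
        else:
            run["end"] = ts
            run["rc"] = int(rc) if rc is not None else None
    return runs


def reconcile(schedule: dict, runs: dict, day: str) -> dict:
    """Compare what should have run on `day` (YYYY-MM-DD) with what the log says ran."""
    findings = {"missing": [], "failed": [], "incomplete": [], "late": [], "unscheduled": []}
    for job, hhmm in schedule.items():
        expected = datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")
        run = runs.get(job)
        if run is None or run["start"] is None:
            findings["missing"].append(job)           # scheduled but never started
            continue
        if run["start"] - expected > START_TOLERANCE:
            findings["late"].append(job)              # started well after its slot
    for job, run in runs.items():
        if job not in schedule:
            findings["unscheduled"].append(job)       # ran without being on the schedule
        if run["start"] is not None and run["end"] is None:
            findings["incomplete"].append(job)        # started, no END: hung or killed
        elif run["end"] is not None and run["rc"] != 0:
            findings["failed"].append(job)            # non-zero return code
    return findings


if __name__ == "__main__":
    for category, jobs in reconcile(SCHEDULE, parse_job_log(SAMPLE_LOG), "2024-03-04").items():
        print(f"{category}: {jobs}")
```

On the constructed day the reconciliation reports PAYROLL_CALC as missing, AR_AGING as failed (RC=8), BACKUP_FULL as late, and ADHOC_FIX as both unscheduled and incomplete. An unscheduled job with no change ticket behind it is the "changes to the batch job schedules" item above showing up in the log.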
INFORMATION SYSTEMS OPERATIONS
Supervising and maintaining computer systems operations. Providing scheduled, monitored, and secure computer operations. Satisfying end-user requirements for computer processing support and problem resolution.

Control Objectives
Critical Areas
• Production jobs that process batch and on-line transactions and prepare related reports are executed timely and completely
• Only valid production programs are executed
Value Add Areas
• Data is retained in accordance with laws, regulations, and company policy
• Computer processing environment service levels meet or exceed management's expectations
• Users receive appropriate systems training in the use of application systems
• Users receive appropriate support to ensure that application systems function as intended

Topics Covered
• Job scheduling
• Processing control
• Output control
• Problem logging, tracking & reporting
• Problem escalation & resolution
• Capacity planning
• Performance monitoring
• Facilities management
• Help desk procedures
• Backup & Recovery
• Business Continuity/Disaster Recovery
Backup and Recovery Controls
• Requirements should be defined for backup of critical data (type and frequency)
• Periodic inventory of backup files should be performed
• Procedures should be in place to periodically validate the recovery process
• Procedures should exist to destroy old backup media
• Physical controls should be in place at onsite and offsite storage locations
Backups – Control
Backups are performed on a periodic basis according to an automated schedule. These could be tape backups or replication to disk. Data is stored offsite, either on tape or by replication to another facility.
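A backup that has never been restored is an assumption, not a control; "periodically validate the recovery process" means actually restoring and proving the restored data matches what was backed up. The following is an added example (not from this deck) of a restore test in miniature: a directory is backed up to a tar archive standing in for the tape or replica, a manifest of SHA-256 hashes is taken at backup time, the archive is restored to a separate location, and the restored tree is compared file by file against the manifest. It runs entirely in a temporary directory with constructed files.

```python
"""Prove a backup can be restored: back up a directory, restore it elsewhere, and
compare every restored file's SHA-256 with the manifest taken at backup time.

Added example, not from the training deck. Standard library only; the gzip tar
archive stands in for the tape or disk replica, and all files are constructed.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root: str) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def create_backup(src_dir: str, tar_path: str) -> dict:
    """Write a gzip tar of src_dir and return the manifest recorded at backup time.
    The manifest is the inventory the deck says should be kept and periodically checked."""
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return manifest_of(src_dir)


def restore_backup(tar_path: str, dest_dir: str) -> None:
    with tarfile.open(tar_path, "r:gz") as tar:
        try:
            tar.extractall(dest_dir, filter="data")   # Python 3.12+: rejects path traversal in members
        except TypeError:
            tar.extractall(dest_dir)                  # older interpreters lack the filter argument


def verify_restore(dest_dir: str, expected: dict) -> dict:
    """Compare the restored tree with the backup-time manifest."""
    actual = manifest_of(dest_dir)
    missing = sorted(p for p in expected if p not in actual)
    extra = sorted(p for p in actual if p not in expected)
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not (missing or extra or mismatched),
            "missing": missing, "extra": extra, "mismatched": mismatched}


def run_restore_test(tamper: bool = False) -> dict:
    """End to end: build constructed data, back up, restore, verify.
    With tamper=True one restored file is altered to show the check fires."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "prod")
        os.makedirs(os.path.join(src, "ledger"))
        with open(os.path.join(src, "ledger", "gl_2024q1.csv"), "w") as f:
            f.write("acct,amount\n1000,250.00\n2000,-250.00\n")      # constructed data
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nversion=3\n")
        tar_path = os.path.join(work, "nightly.tar.gz")
        expected = create_backup(src, tar_path)
        dest = os.path.join(work, "restore")
        restore_backup(tar_path, dest)
        if tamper:
            with open(os.path.join(dest, "config.ini"), "a") as f:
                f.write("debug=1\n")
        return verify_restore(dest, expected)


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(tamper=True))
```

The evidence an auditor wants is the verification report for a recent restore, not the backup job's completion status. Note that the manifest has to be kept somewhere other than the backup media it describes, or corruption of the media takes the evidence with it.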
Business Continuity/Disaster Recovery
• Disaster recovery plan should be documented, updated and tested
• Management should identify, analyze, and prioritize mission-critical functions based on:
– Criticality
– Scope and consequences of disruption
– Survivability (time-sensitivity)
– Coordination requirements with other units or external partners
– Facilities, infrastructure, and IT support requirements
Top Mistakes Companies Make in DR
• Inadequate planning: Have you identified all critical systems, and do you have detailed plans to recover them to the current day?
• Failure to bring the business into the planning and testing of your recovery efforts
• Failure to gain support from senior-level managers. The largest problems here are:
– Not demonstrating the level of effort required for full recovery
– Not conducting a business impact analysis and addressing all gaps in your recovery model
– Not building adequate recovery plans that outline your recovery time objective, critical systems and applications, vital documents needed by the business, and business functions, by building plans for operational activities to be continued after a disaster
– Not having proper funding that will allow for a minimum of semiannual testing
ENGAGEMENT-LEVEL IT RISK ASSESSMENT
Initial Business Process Owner Interview
• You are interviewing the business process owner in a process that you audit every two years. You can ask a limited number of Yes/No questions of the process owner to get a preliminary determination of risk – make a list of those questions.
Questions
• Significant change to people/process/systems?
• Do you periodically review access to your systems?
• Have you experienced significant downtime?
• Are there any known issues for the system?
• Any other audits that have occurred, and their results?
• Change in integration/flow of data?
• Has system demand changed?
• Do you have policies/procedures, and are they updated?
• Do you receive/review/understand SOC reports?
• Do you have any systems/databases not managed by IT?
• Penetration testing?
• DR/BCP tested?
• Is the system of record off the shelf or internally developed?
• If off the shelf, has the system been customized?
• If off the shelf, is the system current with respect to updates and upgrades?
• When you run a report from the system, are you confident in the accuracy of the report?
• Has the audit log been turned off for any key systems?
• Any changes in the external environment? What have you done about them?
• Changes in third parties/vendors?
• Are there ways (in your opinion) to utilize the system to make the process more efficient/effective?
• Is a risk assessment of the system of record performed?
• Have there been any data breaches over the period under review?
• Any pending litigation?
WHO OWNS GENERAL CONTROLS?
BOTH: Business Management and Information Technology
ARE SOD’S AN IT OR BUSINESS CONTROL?
What is Segregation of Duties (SOD)?
• Control activity where different portions of a transaction or set of transactions are divided among several people to reduce the risk of unintentional errors and intentional fraud (i.e. misappropriation of assets, identity theft, etc.)
• Proper segregation of duties reduces the risk of fraud if users are assigned access consistent with their job responsibilities
• Segregation of duties is "preventive" in nature
General Categories of Duties
• Four general categories of duties are examined for segregation of duties:
o Authorization (approval of a transaction)
o Custody (physical or logical ownership/access to an asset or transaction)
o Record keeping (accounting for)
o Reconciliation and monitoring (detective review of a transaction)
Understand Segregation of Duties
• In an ideal environment, different employees would perform each of the four major functions. No one person should control two or more of these responsibilities.
• The more negotiable the asset, the greater the need for proper segregation of duties, especially when dealing with cash, negotiable checks and inventories.
• The need for segregation of duties applies to both systematic and manual process environments.
GROUP EXERCISE
WHAT IS THE DIFFERENCE BETWEEN ROLE-BASED AND INDIVIDUAL SECURITY MODELS?
Security Models: Role-Based
• Roles are created for various job functions
• Permissions to perform certain operations are assigned to specific roles
• Employees are assigned roles and acquire computer permissions to perform particular system functions through those roles
• Since users are not assigned permissions directly, management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account
Three primary rules are defined:
1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role
2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized
3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized
Security Models: Individualized
• Roles are NOT created for various job functions
• Permissions to perform certain operations are NOT assigned to specific roles but are assigned to the users that need them, ad hoc
• Users are assigned permissions directly, so management of individual user rights is time-consuming
Mitigating and Compensating Controls
• If duties cannot be fully segregated, mitigating or compensating controls must be established.
• Mitigating or compensating controls are additional procedures designed to reduce the risk of errors or irregularities (fraud):
o For instance, if the record keeper also performs a reconciliation process, a detailed review of the reconciliation could be performed and documented by a supervisor to provide additional control over the assignment of incompatible functions.
THE MOST EFFICIENT WAY TO TEST SOD?
Testing SoD
• Make sure the provisioning/de-provisioning process is sound
• System Software (Add-ons)
• Access review
– Establishment of access from the onset
– User reports have to be readable
– Users have to "own" this responsibility
• Screen-prints/Attempts to use access
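The role-based model and the SoD test above fit together: once permissions flow only through roles, the most efficient SoD test is to compute each user's effective permissions from their role assignments and check them against a list of incompatible pairs, rather than reading screen-prints user by user. The following is an added example (not from this deck) that does both: it enforces the three RBAC rules from the Role-Based slide, and it runs a segregation-of-duties check over effective permissions for the Testing SoD slide. The roles, permission names, conflict pairs and user list are constructed; the conflict pairs follow the authorization/custody/record-keeping/reconciliation split described earlier.

```python
"""Role-based access with the three RBAC rules, plus a segregation-of-duties check
over each user's effective permissions.

Added example, not from the training deck. Roles, permission names, the conflict
matrix and the user list are constructed.
"""
from itertools import combinations

# Role -> permissions (constructed)
ROLES = {
    "AP_CLERK":      {"vendor.create", "invoice.enter"},
    "AP_SUPERVISOR": {"invoice.approve", "payment.release"},
    "GL_ACCOUNTANT": {"journal.enter"},
    "GL_REVIEWER":   {"journal.approve", "recon.review"},
    "IT_SECURITY":   {"user.provision"},
}

# User -> roles the user is authorized to activate (constructed)
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "AP_SUPERVISOR"},     # kept a role from a previous job
    "carol": {"GL_ACCOUNTANT"},
    "dave":  {"GL_REVIEWER"},
    "erin":  {"GL_ACCOUNTANT", "GL_REVIEWER"},
}

# Incompatible permission pairs: custody/record keeping vs authorization/review (constructed)
SOD_CONFLICTS = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
    ("journal.enter", "journal.approve"),
    ("journal.enter", "recon.review"),
]


def can_exercise(user: str, active_role, permission: str,
                 roles=ROLES, user_roles=USER_ROLES) -> bool:
    """The three RBAC rules: the subject must have an active role (1); that role must
    be one assigned to the subject (2); and the permission must be granted to the
    active role, not merely to some other role the user also holds (3)."""
    if active_role is None:                                   # rule 1
        return False
    if active_role not in user_roles.get(user, set()):        # rule 2
        return False
    return permission in roles.get(active_role, set())        # rule 3


def effective_permissions(user: str, roles=ROLES, user_roles=USER_ROLES) -> set:
    """Union of permissions over every role the user may activate. This is what an
    access review must look at, because a user can switch roles between steps."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= roles.get(role, set())
    return perms


def sod_violations(roles=ROLES, user_roles=USER_ROLES, conflicts=SOD_CONFLICTS) -> dict:
    """user -> list of conflicting permission pairs that the user effectively holds."""
    result = {}
    for user in user_roles:
        perms = effective_permissions(user, roles, user_roles)
        hits = [(a, b) for a, b in conflicts if a in perms and b in perms]
        if hits:
            result[user] = hits
    return result


def conflicting_role_pairs(roles=ROLES, conflicts=SOD_CONFLICTS) -> list:
    """Role pairs that must never be granted together. Enforcing this at provisioning
    time is the preventive form of the detective review in sod_violations()."""
    pairs = []
    for r1, r2 in combinations(sorted(roles), 2):
        p1, p2 = roles[r1], roles[r2]
        if any((a in p1 and b in p2) or (a in p2 and b in p1) for a, b in conflicts):
            pairs.append((r1, r2))
    return pairs


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    print("Mutually exclusive roles:", conflicting_role_pairs())
```

With the constructed data, bob (AP clerk plus AP supervisor) and erin (GL accountant plus GL reviewer) are flagged; alice is not, and the RBAC rules stop her from releasing a payment even though that permission exists in the system. The `conflicting_role_pairs` output is the list the provisioning process should refuse to grant together, which is what "establishment of access from the onset" means in practice; where a small team cannot avoid the conflict, the pair goes on the list for a compensating review.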
Segregation of Duties in IT Functions Some special aspects of segregation of duties apply to IT functions. Segregation should exist between:
IT SoD
• Systems Development and Operations
– Risk that the applications will not be properly documented if one group is doing everything for all of the applications in that segment
• Operations and data control
– The most basic segregation is a general one: segregation of the duties of the IT function from user departments. Generally speaking, that means the user department does not perform its own IT duties. While a department will sometimes provide its own IT support (e.g., help desk), it should not do its own security, programming and other critical IT duties. To mix critical IT duties with user departments is to increase the risk associated with errors, fraud and sabotage
• Database administration and system development
– Those responsible for duties such as data entry, support, managing the IT infrastructure and other computer operations should be segregated from those developing, writing and maintaining the programs
Common SoD Conflicts within IT
[Matrix of IT roles and their incompatible combinations; the chart itself did not survive extraction]
SOURCE: CISA Review Manual
PRE AND POST IMPLEMENTATION AUDITS
Key Stats
• 75% of all ERP projects fail, despite the industry's focus on delivering better customer service and advanced IT systems
• An overwhelming majority of organizations (93%) customized their software to some degree, even with increased options
• 52% of companies faced some sort of material operational disruption at the time of go-live – a number that is surprisingly consistent over the last several years
• 60% of organizations failed to realize the business benefits they expected from their ERP implementations
• Top Reasons for Project Implementation Failure
Source: PWC 4th Global Portfolio and Programme Management Survey
Pre/Post Implementation Audits – Key Concepts
• Project Risk Management – A function of IT risk management. PRM policies, procedures and processes help ensure projects are delivered on schedule, within budget, and meet business objectives
• Systems Development Life Cycle – Set of PRM policies and procedures that guide development of a project from concept to implementation
• Project Management – Set of policies and procedures that guide IT project management
• IT Change Management – Set of policies and procedures that guide management of changes in the IT development environment
• Quality Management – Set of PRM policies and procedures that define the independent oversight inherent in Project Risk Management
• Pre-implementation Review – IT project review conducted before the project is implemented into the production environment
• Post-implementation Review – IT project review conducted six weeks to six months after the project has been implemented into the production environment
Project Risk Management
Policies and procedures that define and support systems development:
• Project Management Controls
• Systems Development Life Cycle Controls
• Change Management Controls
• Quality Management (Software testing)
• Management and oversight of all of the above
Pre-Implementation Review
• Pre-implementation review validates that all Project Risk Management components are designed and implemented into the project under development:
– Project plan (time/schedule, resources, quality) in place
– Requirements are documented, approved and finalized
– Program design is in place
– Test plans and procedures are in place
– An implementation plan has been created
• All project components adhere to change management procedures; quality management and oversight are in place through documentation reviews and status updates
Post-Implementation Review
• Validates that all components of Project Risk Management are present in the completed project documentation:
– The project plan is updated and finalized
– Requirements were documented, approved and finalized
– Program design was documented
– Test plans, procedures and results were documented
– Issues lists were maintained
– An implementation plan was finalized
• All project components adhered to change management procedures; quality management and oversight were evident through meetings, status reports, issues follow-up and project sign-off
System Implementation Audit Considerations
• Know What is Going On
– Scope Audit
– Impact of New System Functionality
– Security, Sensitive Access & SoD
• User Acceptance Testing
– Who designs tests?
– Do end users understand the technology enough to perform testing?
System Implementation Audit Considerations
• Data Conversion/Migration (Retention)
• Reports
– Confirmation of Completeness/Accuracy
– Canned versus Customized
– Identify key reports
• Key Control Impact
• Project Management documentation
– Business requirements/Design Documentation
• Issues Log/Defect Tracking
• Status Reporting
GOLD NUGGET #4
• Google "project management and implementation of ACA and time magazine"
• Lots of great articles and reading on the poster child for bad project management
Application Controls – Layman's Terms
• Do not think of Application Controls as something "IT"
• Application controls, at their core, have nothing to do with IT
• Business rules set up in a system
• Most likely would exist in some form regardless of whether a system is used
Defining Application Controls
• Application controls are those controls that pertain to the scope of individual business processes or application systems, including data edits, separation of business functions, balancing of processing totals, transaction logging, and error reporting.
• The objective of application controls is to ensure that:
– Input data is accurate, complete, authorized, and correct.
– Data is processed as intended in an acceptable time period.
– Data stored is accurate and complete.
– Outputs are accurate and complete.
– A record is maintained to track the process of data from input to storage and to the eventual output
Benefits of Application Controls
• Reliability – Reduces likelihood of errors due to manual intervention
• Benchmarking – Reliance on IT general controls can lead to concluding the application controls are effective year to year without re-testing
• Time and cost savings – Typically application controls take less time to test and only require testing once as long as the IT general controls are effective
SOURCE: IIA GTAG 8 Auditing Application Controls
Types of Application Controls
• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the data is entered directly by staff, remotely by a business partner, or through a Web-enabled application or interface. Data input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide an automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data and should compare output results with the intended result by checking the output against the input.
• Integrity Controls – These controls monitor data being processed and in storage to ensure it remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to identify the transactions and events they record by tracking transactions from their source to their output and by tracing backward. These controls also monitor the effectiveness of other controls and identify errors as close as possible to their sources.
SOURCE: IIA GTAG 8 Auditing Application Controls
Common Application Controls
Application controls are commonly grouped into five categories (type, description, examples):

Edit Checks (Input)
Description: Limit risk of inappropriate input, processing or output of data due to field format
Examples: • Required fields • Specific data format on input

Validations (Input)
Description: Limit risk of inappropriate input, processing or output of data by confirming that the data passes a defined test
Examples: • Three-way match • Tolerance limits

Calculations (Processing)
Description: Ensure that a computation is occurring accurately
Examples: • Accounts receivable aging • Pricing calculations

Interface Balancing (Processing)
Description: Limit risk of inappropriate input, processing or output of data being exchanged from one application to another
Examples: • Transfer of data between systems • Error reporting during batch run

Authorizations
Description: Limit the risk of inappropriate input, processing or output of key financial data due to unauthorized access to key financial functions or data. Includes segregation of incompatible duties and authorization checks, limits and hierarchies
Examples: • Approval to post journal entries • Two approvals for check printing
Application Control Activities – Common Examples
• Determining whether sales orders are processed within the parameters of customer credit limits
• Making sure goods and services are only procured with an approved purchase order
• Monitoring for segregation of duties based on defined job responsibilities
• Identifying that received goods are accrued upon receipt
• Ensuring fixed-asset depreciation is recorded accurately in the appropriate accounting period
• Determining whether there is a three-way match among the purchase order, receiver, and vendor invoice
Input Controls
• Designed to provide reasonable assurance that data received for computer processing is appropriately authorized and converted into a machine-sensible form, and that data is not lost, suppressed, added, duplicated, or improperly changed.
• Include data checks and validation procedures such as check digits, record counts, hash totals, and batch financial totals.
• Computerized edit routines, which are designed to detect data errors, include valid character tests, missing data tests, sequence tests, and limit or reasonableness tests.
Input Controls – Examples
• Input data validation checks
– Limit test: test of reasonableness
– Validity test: comparison against master files
– Self-checking number: check for accuracy
• Batch integrity of online or database systems
• Input controls for batch processing
– Item count – check for completeness
– Control total – check for accuracy
– Hash total – can be a sum of all order numbers
• Error reporting and handling
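The two slides above list the input controls by name; the following added example (not from this deck) shows them operating together on one constructed batch of sales orders. The batch header carries the item count, control total (sum of amounts) and hash total (sum of order numbers) as computed by the sending system, and the receiving side recomputes all three before it accepts the batch; each record then goes through a missing-data test, a self-checking-number test, a validity test against the customer master, and a limit test. The check-digit scheme assumed for the order numbers is Luhn mod 10; the header, records, customer master and limit are constructed.

```python
"""Batch input controls: item count, control total and hash total at batch level;
missing-data, self-checking-number, validity and limit tests at record level.

Added example, not from the training deck. The batch header, records, customer
master and limit are constructed; Luhn (mod 10) is assumed as the check-digit scheme.
Money is held in integer cents to avoid floating-point rounding in the totals.
"""

# Customer master (validity test) and reasonableness limit, both constructed
CUSTOMER_MASTER = {"C001", "C002", "C003"}
ORDER_LIMIT_CENTS = 100_000_00            # 100,000.00

# Constructed batch: the header totals were computed by the sending system
BATCH_HEADER = {"item_count": 5, "control_total": 250_279_50, "hash_total": 8353695208332776}
BATCH_RECORDS = [
    {"order_no": "79927398713",      "customer": "C001", "amount_cents": 120_50},
    {"order_no": "79927398710",      "customer": "C002", "amount_cents": 99_00},       # bad check digit
    {"order_no": "4111111111111111", "customer": "C999", "amount_cents": 50_00},       # unknown customer
    {"order_no": "4242424242424242", "customer": "C001", "amount_cents": 250_000_00},  # over limit
    {"order_no": "",                 "customer": "C002", "amount_cents": 10_00},       # missing data
]


def luhn_valid(number: str) -> bool:
    """Self-checking number test (Luhn mod 10): every second digit from the right is doubled."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def batch_totals(records) -> dict:
    """Recompute the three batch controls from the detail records."""
    return {
        "item_count": len(records),                                          # completeness
        "control_total": sum(r["amount_cents"] for r in records),            # accuracy
        "hash_total": sum(int(r["order_no"]) for r in records if r["order_no"].isdigit()),  # substitution
    }


def batch_errors(header: dict, records) -> list:
    """One message per control that does not agree between header and detail."""
    actual = batch_totals(records)
    return [f"{k}: header {header[k]} vs detail {actual[k]}" for k in header if header[k] != actual[k]]


def record_errors(rec: dict, master=CUSTOMER_MASTER, limit=ORDER_LIMIT_CENTS) -> list:
    errs = []
    if not rec["order_no"]:
        errs.append("missing order_no")                        # missing-data test
    elif not luhn_valid(rec["order_no"]):
        errs.append("order_no fails check digit")              # self-checking number
    if rec["customer"] not in master:
        errs.append("customer not on master file")             # validity test
    if not 0 < rec["amount_cents"] <= limit:
        errs.append("amount outside reasonable limit")         # limit / reasonableness test
    return errs


def process_batch(header: dict, records) -> dict:
    """Reject the whole batch on a control break; otherwise split the records into
    accepted and rejected (with reasons), which is the error report for re-entry."""
    breaks = batch_errors(header, records)
    if breaks:
        return {"batch_accepted": False, "batch_errors": breaks, "accepted": [], "rejected": []}
    accepted, rejected = [], []
    for rec in records:
        errs = record_errors(rec)
        (rejected if errs else accepted).append((rec["order_no"], errs))
    return {"batch_accepted": True, "batch_errors": [], "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(process_batch(BATCH_HEADER, BATCH_RECORDS))
    print(process_batch(BATCH_HEADER, BATCH_RECORDS[:-1]))    # one record lost in transit
```

With the constructed batch the header agrees, one record is accepted and four are rejected with their reasons. Dropping the last record before processing breaks both the item count and the control total, so the whole batch is refused rather than silently posting four of five orders; that is the "batch integrity" point on the slide, and it is why the hash total exists: swapping one order number for another of equal amount passes count and control total but not the hash total.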
Processing Controls
• Designed to provide reasonable assurance that data processing has been performed as intended without any omission or double-counting
• Many processing controls are the same as the input controls, particularly for online or real-time processing systems, but are used during the processing phases
• Examples:
– Run-to-run totals
– Control-total reports
– File and operator controls, such as external and internal labels, system logs of computer operations, and limit or reasonableness tests
Output Controls
• Designed to provide reasonable assurance that processing results are accurate and distributed to authorized personnel only
• Control totals produced as output during processing should be compared and reconciled to input and run-to-run control totals produced during processing
• Computer-generated change reports for master files should be compared to original source documents to assure information is correct
GROUP EXERCISE
DISCUSS AND DETERMINE WHAT IS THE MOST EFFICIENT & EFFECTIVE APPROACH TO TESTING AN APPLICATION CONTROL (EX. DEPRECIATION EXPENSE CALCULATION OF FIXED ASSETS)
Auditing Application Systems Approach
• Meet with business process owners to:
– Understand the business function that the application supports
– Identify responsible personnel (owner, superusers, application administrators, security administrators)
– Map out the process (if appropriate)
– Identify application inputs, outputs, interfaces
– Identify application controls and manual controls
– Identify existing documentation
– Highlight any issues or concerns
• Identify key risks and test key controls
– All key controls should be driven by risk
• Same approach as auditing in general
Testing Application Controls
• Are application controls working?
• Substantive testing
• Information technology general controls review
• Ways to test:
– Inspection of system configurations
– Inspection or re-performance of reconciliations with supporting details
– Re-performance of the control activity using system data
– Inspection of user access listings
– Re-performance of the control activity in a test environment
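"Re-performance of the control activity using system data" is the approach that usually wins the group exercise above for a calculation control: pull the asset register the system itself used, recompute the period's depreciation independently, and compare to the system's report. The following added example (not from this deck) does that for the depreciation case. It assumes straight-line depreciation with a full-month convention (a full month's charge in the month the asset is placed in service, nothing before, nothing once the useful life is used up); the assets, the system report and the tolerance are constructed.

```python
"""Re-perform a system's straight-line depreciation from its own asset data and
compare it to what the system reported for the period.

Added example, not from the training deck. Assumptions: straight-line method,
full-month convention, no charge after the useful life is exhausted. Assets,
the system report and the tolerance are constructed. Money is in integer cents.
"""
from datetime import date

TOLERANCE_CENTS = 1   # allowable rounding difference per asset

# Constructed asset register extract (what the system used as input)
ASSETS = [
    {"id": "A1", "cost": 12_000_00, "salvage": 0,      "life_months": 60, "in_service": date(2023, 1, 15)},
    {"id": "A2", "cost": 5_000_00,  "salvage": 500_00, "life_months": 36, "in_service": date(2024, 3, 10)},
    {"id": "A3", "cost": 30_000_00, "salvage": 0,      "life_months": 60, "in_service": date(2018, 1, 1)},
    {"id": "A4", "cost": 9_000_00,  "salvage": 0,      "life_months": 36, "in_service": date(2024, 4, 1)},
]

# Constructed system-generated depreciation report for March 2024
SYSTEM_REPORT_2024_03 = {"A1": 200_00, "A2": 125_00, "A3": 500_00, "A4": 250_00}


def months_in_service(period_year: int, period_month: int, in_service: date) -> int:
    """Months from the in-service month through the period month, inclusive
    (zero or negative means the asset was not yet in service)."""
    return (period_year - in_service.year) * 12 + (period_month - in_service.month) + 1


def expected_depreciation(asset: dict, period_year: int, period_month: int) -> int:
    """Straight-line monthly charge, zero before service start and after full depreciation."""
    n = months_in_service(period_year, period_month, asset["in_service"])
    if n < 1 or n > asset["life_months"]:
        return 0
    depreciable = asset["cost"] - asset["salvage"]
    monthly = depreciable // asset["life_months"]
    if n == asset["life_months"]:
        # put the integer-division remainder in the final month so accumulated depreciation ties exactly
        monthly += depreciable - monthly * asset["life_months"]
    return monthly


def reperform(assets, report: dict, period_year: int, period_month: int,
              tol: int = TOLERANCE_CENTS) -> dict:
    """Return {asset_id: (expected, reported)} for every variance beyond tolerance,
    including assets that appear in only one of the two sources."""
    expected = {a["id"]: expected_depreciation(a, period_year, period_month) for a in assets}
    variances = {}
    for asset_id in sorted(set(expected) | set(report)):
        e, r = expected.get(asset_id), report.get(asset_id)
        if e is None or r is None or abs(e - r) > tol:
            variances[asset_id] = (e, r)
    return variances


if __name__ == "__main__":
    for asset_id, (exp, rep) in reperform(ASSETS, SYSTEM_REPORT_2024_03, 2024, 3).items():
        print(f"{asset_id}: expected {exp} reported {rep}")
```

On the constructed data A1 and A2 agree, while A3 is still being depreciated by the system after its 60-month life ended and A4 is charged a month before it was placed in service. Both are the kind of exception that configuration inspection alone would not surface, because the method and life are set correctly; it is the date handling that is wrong. Whatever convention the entity actually uses (mid-month, half-year) goes into `expected_depreciation` in place of the assumption made here, and the register extract should be reconciled in total to the fixed-asset subledger before relying on it.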
Benchmarking
• If it has not changed, do we need to retest annually?
• Defined through SOX testing (PCAOB)
• Factors to consider:
1. Effectiveness of the controls over the IT control environment, i.e. the controls over application changes, application purchases and overall computer operations
2. In case of changes in software/applications during the audit period, how well the auditor understands the changes to the applications, and the resulting comfort factor
3. The nature and timing of other related tests for application and business-related controls
4. Last but not least, if there are errors relating to the application controls that were benchmarked, what are the resulting consequences of those errors
Benchmarking Questions to Ask
• Have there been changes in the risk level associated with the business process and the application control from when it was originally benchmarked (i.e., does the business process present substantially greater risk to financial, operational, or regulatory compliance than when the application control was originally benchmarked)?
• Are ITGCs operating effectively, including logical access, change management, systems development, acquisition, and computer operation controls?
• Can the auditor gain a complete understanding of the effects of changes, if any, on the applications, databases, or supporting technology that contain the application controls?
• Were changes implemented to the business process relying on the application control that could impact the design of the control or its effectiveness?
Nature, Timing, & Extent of Testing
• Nature of testing will depend on whether the control is embedded or configurable
• Configurable application control:
– Inspect configuration for each significant transaction type (can be performed via walkthrough also)
– Consider override capability
• Other menu and record level functionality
– Generally can be viewed within a configuration screen or via a system-generated report
• Embedded application control:
– Walkthrough of each significant transaction type
– Consider override capability
– Positive and negative aspects of control
• Identify any dependencies on other controls
Electronic Audit Evidence (EAE)
• Data generated by or processed through an application, spreadsheet and/or end user computing solution, be it in electronic or printed form, used to support audit procedures
– Data used for analytical and data analysis procedures
– Data supporting the performance of internal controls, including key performance indicators
– Data that represents substantive audit evidence to support assertions for significant accounts
• Aging list of accounts receivable
• Spreadsheet specifying hedging transactions
• List of gains and losses from sales of marketable securities
EAE Reliance
• Establishing a basis for relying on electronic data includes:
– Determining the source of the electronic data (which application produces the data)
– Determining, through identification and evaluation of internal controls or through substantive procedures, whether the electronic data is complete and accurate
Testing Report Logic
• Evaluate to what extent the logic of the report or query guarantees that the report is complete and accurate
• Test procedures are determined based on risk assessment:
– What is the origin of the software?
– Is the report used frequently by the client?
– Can the client influence the content of the report?
– Can the client edit the output of the report?
– Are we sure the data in the underlying database is complete and accurate?
• Test procedures are based on controls testing or substantive testing
Data Integrity/Validation
• How do we verify the completeness of a report?
– Run the report ourselves
– Walkthrough
– Observation
• What type of questions should we ask?
• What is the true source of information?
• How does change management factor in?
Walkthrough Questions
• It is not the first question, it is usually the next question
– Interfaces
– Reports
– When discussing controls, make sure to ask if the control:
• Is in the system?
• If it is manual, could it be done in the system?
– Include an SME with the Process Owner in interviews?
WHO OWNS APPLICATION CONTROLS?
BOTH: Business Management and Information Technology
WHAT ARE SHADOW SYSTEMS & WHY DO PEOPLE USE THEM?
Spreadsheet Testing Guidance
• The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act (July 2004)
– Industry standard
– Thorough but onerous
– Time-consuming testing
– All-encompassing but overwhelming
• IT Control Objectives for Sarbanes-Oxley, 2nd Edition (September 2006)
– Refined approach
– Utilize professional judgment
– Perform a risk analysis of the spreadsheet inventory
• Spreadsheet Management: Not What You Figured (March 2008) – Deloitte
• Auditing User Developed Applications (previously GTAG 14)
Spreadsheet Considerations
• Every organization uses spreadsheets
• Do you have a policy…or two?
  – How to test spreadsheets?
  – How should users identify and handle spreadsheets?
• How do we identify key spreadsheets?
IT Control Objectives for Sarbanes-Oxley, 2nd Edition
Impact Assessment – when assessing the impact of spreadsheets, organizations should consider the dollar value processed by the spreadsheet as well as how the spreadsheet is used. The chart below outlines the two variables of the impact assessment: dollar value and purpose.
Likelihood Assessment – when assessing the likelihood of error arising from a spreadsheet, organizations should consider the spreadsheet’s complexity, the number of users and the frequency of changes made to the spreadsheet.
IT Control Objectives for Sarbanes-Oxley, 2nd Edition
COMPOSITE RISK ASSESSMENT
Rows: ASSESSMENT OF IMPACT (1-6), highest impact at the top. Columns: ASSESSMENT OF LIKELIHOOD (1-6), lowest likelihood at the left. Each cell gives the composite rating and its score range.

                        ASSESSMENT OF LIKELIHOOD (1-6)
ASSESSMENT OF           low                -->                high
IMPACT (1-6)
  high                  LOW (5-6)     MODERATE (15-24)   HIGH (25-36)
   |                    LOW (3-4)     MODERATE (7-14)    MODERATE (15-24)
  low                   LOW (1-2)     LOW (3-4)          LOW (5-6)
Composite Risk Assessment – Compilation of impact and likelihood assessments
IT Control Objectives for Sarbanes-Oxley, 2nd Edition
Once the risk rating is complete, the current literature gives the following action plan as a guideline:
• LOW RISK RATING (1-6) – No action plan to test is necessary due to the inherent risk
• MODERATE RISK RATING (7-24) – Implement and assess spreadsheet controls described in A-C
• HIGH RISK RATING (25-36) – Implement and assess spreadsheet controls described in A-G
IT Control Objectives for Sarbanes-Oxley, 2nd Edition
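The rating and action-plan steps above, worked through as an added example that is not from the slides or from the ISACA guidance: it assumes impact and likelihood have already been scored 1-6 and that the composite score is their product (the reading that yields the 1-36 range on the slide), then ranks a constructed spreadsheet inventory so test effort follows risk.

```python
# Added example, not from the slides or the ISACA guidance. Assumes impact
# and likelihood are already rated 1-6 and that the composite score is
# their product (the only reading that yields the 1-36 range on the slide).
from dataclasses import dataclass

# Action plan bands from the slide: (upper bound, rating, controls A-G to assess).
BANDS = [
    (6, "LOW", ""),           # no test plan required
    (24, "MODERATE", "ABC"),  # access, change, documentation
    (36, "HIGH", "ABCDEFG"),  # plus testing, input, security, logic inspection
]


@dataclass(frozen=True)
class Spreadsheet:
    name: str
    impact: int      # 1-6: dollar value processed and purpose
    likelihood: int  # 1-6: complexity, number of users, change frequency


def rate(sheet: Spreadsheet) -> tuple[int, str, list[str]]:
    """Return (composite score, rating, control letters to implement and assess)."""
    for value in (sheet.impact, sheet.likelihood):
        if not 1 <= value <= 6:
            raise ValueError(f"{sheet.name}: ratings must be 1-6, got {value}")
    score = sheet.impact * sheet.likelihood
    for upper, rating, letters in BANDS:
        if score <= upper:
            return score, rating, list(letters)
    raise AssertionError("unreachable: score is at most 36")


def triage(inventory: list[Spreadsheet]) -> list[tuple[str, int, str, list[str]]]:
    """Rank an inventory highest risk first so test effort follows risk."""
    rows = [(s.name, *rate(s)) for s in inventory]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory (not real data).
SAMPLE = [
    Spreadsheet("revenue_accrual.xlsx", impact=6, likelihood=5),
    Spreadsheet("intercompany_alloc.xlsx", impact=4, likelihood=3),
    Spreadsheet("team_holiday_tracker.xlsx", impact=1, likelihood=2),
]

if __name__ == "__main__":
    for name, score, rating, letters in triage(SAMPLE):
        print(f"{name:28} {score:2} {rating:8} {' '.join(letters) or '-'}")
```

The band boundaries are inclusive upper bounds, so a score of exactly 6 stays LOW and exactly 24 stays MODERATE, matching the ranges quoted on the slide.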
Guidelines for Testing Spreadsheets
A. ACCESS CONTROL
B. CHANGE CONTROL
C. DOCUMENTATION – Ensure the appropriate level of spreadsheet documentation is maintained and kept up to date, so that the business objective and specific functions of the spreadsheet are understood.
D. TESTING – Formally test the spreadsheet by having someone who is independent of the business process review it. Have that individual confirm that the spreadsheet processing and related output are functioning as intended.
E. INPUT CONTROL – Reconcile data inputs to source documents to confirm that data are input completely and accurately.
F. SECURITY AND DATA INTEGRITY – Lock sensitive cells that are important for data processing.
G. LOGIC INSPECTION – Have someone other than the user or developer of critical spreadsheets inspect the spreadsheet's logic. This review should be formally documented.
GOLD NUGGET - ITFNITA
• Understanding the basics of IT auditing makes a general auditor much more capable of handling and understanding a multitude of risks
• You cannot wholly audit an area without considering IT risks
• Understand how general controls and application controls work together and play off each other
• Application controls are not IT – they are business rules established in the system