IT General Controls 1
ITG General Controls / IT Risk Assessment –
Taking it to the Next Level
June 7, 2016
John A. Gatto, CISA, CRISC, President
JAG Associates, Port Charlotte, FL
1. Audit Structure
2. IT General Overview
3. IT General Controls
4. IT Risk Assessment & Audit Planning
Agenda
For an internal audit function to be effective, all Principles should be
present and operating effectively. How IA activity demonstrates this may
be quite different from organization to organization, but failure to achieve
any of the Principles would imply that an internal audit activity was not as
effective as it could be in achieving internal audit’s mission.
Demonstrates integrity
Demonstrates competence and due professional care
Is objective and free from undue influence (independent)
Aligns with the strategies, objectives, and risks of the organization
Is appropriately positioned and adequately resourced
Demonstrates quality and continuous improvement
Communicates effectively
Provides risk-based assurance
Is insightful, proactive, and future-focused
Promotes organizational improvement
Core Principles of IA 2016
Audit departments are still structured into Finance and IT
Teams rely on their counterparts without understanding their scope
Automation of common activities / tests isn’t always leveraged
Teams don’t know what their counterparts are doing
Teams don’t communicate well
Teams blindly trust in some “controls”
Teams don’t know what IT General Controls are protecting
Background
Current State
Financial Audit
Focuses on end-user and manual
processes
IT Audit
Focuses on application controls
and general IT controls
What’s Needed
Directing non-IT Auditors to ask
questions that will improve scope
Increasing the knowledge of IT
controls
Bridging the knowledge gaps to
cover more risk
Improvements
Financial and operational controls now supported by
IT systems and system generated reports.
We need to:
• Recognize what our systems can and cannot do
• Realize that some system controls can be overridden or circumvented
• Understand the separation of business/operational activities and IT
Finance and IT rely on reports to validate the effectiveness of controls
Reports are generated based on query criteria or SQL; inaccuracies in filter criteria may exist
Reports are pulled from various databases; the incorrect source of record may be used:
Where is data being reported from?
Are the queries used appropriate?
At what intervals is data being propagated?
Review reconciliations between front-end and back-end systems
Review account reconciliations to identify discrepant processes
Reliance
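The filter-criteria and source-of-record questions above can be turned into a reconciliation the auditor runs rather than reads about. The following is an added example, not code from the deck or from JAG Associates. It assumes constructed order-entry (front-end) and general-ledger (back-end) extracts and a hypothetical June 2016 revenue report whose date filter uses the wrong upper bound; the tables, column names and amounts are all invented for the illustration.

```python
import sqlite3

# Constructed sample data, not from the original deck: an order-entry front end
# and a general-ledger back end that should agree for the June 2016 period.
FRONT_END_ORDERS = [
    # (order_id, posted_date, amount_cents, status)
    (1001, "2016-06-01", 12500, "POSTED"),
    (1002, "2016-06-15", 8000, "POSTED"),
    (1003, "2016-06-30", 4300, "POSTED"),  # posted on the last day of the period
    (1004, "2016-06-30", 1500, "VOID"),    # voided, so correctly excluded from revenue
    (1005, "2016-07-01", 9900, "POSTED"),  # belongs to the next period
]
BACK_END_GL = [
    # (journal_id, period, account, amount_cents)
    (1, "2016-06", "4000-REVENUE", 12500),
    (2, "2016-06", "4000-REVENUE", 8000),
    (3, "2016-06", "4000-REVENUE", 4300),
    (4, "2016-07", "4000-REVENUE", 9900),
]

# Filter criteria are fixed constants kept with the report definition, never
# user input, so composing them into the query text is acceptable here.
# The report as written: the exclusive upper bound silently drops June 30.
FLAWED_WHERE = ("status = 'POSTED' AND posted_date >= '2016-06-01' "
                "AND posted_date < '2016-06-30'")
# Corrected: a half-open interval ending on the first day of the next period.
CORRECTED_WHERE = ("status = 'POSTED' AND posted_date >= '2016-06-01' "
                   "AND posted_date < '2016-07-01'")
# The system of record the report is supposed to agree with.
GL_WHERE = "period = '2016-06' AND account = '4000-REVENUE'"


def build_db():
    """Load the constructed extracts into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id INTEGER, posted_date TEXT, "
                 "amount_cents INTEGER, status TEXT)")
    conn.execute("CREATE TABLE gl (journal_id INTEGER, period TEXT, "
                 "account TEXT, amount_cents INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", FRONT_END_ORDERS)
    conn.executemany("INSERT INTO gl VALUES (?, ?, ?, ?)", BACK_END_GL)
    return conn


def total(conn, table, where):
    """Sum amount_cents in `table` for rows matching the fixed `where` criteria."""
    sql = f"SELECT COALESCE(SUM(amount_cents), 0) FROM {table} WHERE {where}"
    return conn.execute(sql).fetchone()[0]


def reconcile(conn, report_where):
    """Return (report_total, gl_total, difference) in cents. A non-zero
    difference means the report cannot be relied on as audit evidence until
    the difference is explained and the query criteria are corrected."""
    report_total = total(conn, "orders", report_where)
    gl_total = total(conn, "gl", GL_WHERE)
    return report_total, gl_total, report_total - gl_total


def excluded_orders(conn, report_where):
    """Posted front-end orders inside the period that the report's own filter
    left out: the concrete items behind an unexplained difference."""
    in_period = {r[0] for r in conn.execute(
        f"SELECT order_id FROM orders WHERE {CORRECTED_WHERE}")}
    in_report = {r[0] for r in conn.execute(
        f"SELECT order_id FROM orders WHERE {report_where}")}
    return sorted(in_period - in_report)


if __name__ == "__main__":
    conn = build_db()
    print("flawed report:   ", reconcile(conn, FLAWED_WHERE))       # (20500, 24800, -4300)
    print("orders dropped:  ", excluded_orders(conn, FLAWED_WHERE)) # [1003]
    print("corrected report:", reconcile(conn, CORRECTED_WHERE))    # (24800, 24800, 0)
```

The point for the reviewer is the order of the questions: obtain the actual query text behind the report, not just its output; identify the source of record it should agree with; then reconcile the two and trace any difference to specific records. A report that ties out by coincidence for eleven months will still mis-state the month in which a boundary transaction lands.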
1. Audit Structure
2. IT General Overview
3. IT General Controls
4. IT Risk Assessment & Audit Planning
Agenda
Major IT Challenges
Control Frameworks
IT Auditor Competencies
IT General Overview
Regulatory Compliance
Keeping up with the ever evolving legislative and regulatory requirements is time consuming and expensive as IT must design and maintain systems to comply with these legislative and regulatory requirements.
*ISACA: Top Business/Technology Issues Survey Results 2011
Major IT Challenges
IT Management & IT Governance
Considerations for security, shared services, IT resource maximization and governance concerns have contributed to a growing focus on enterprise-based IT management and IT governance.
Major IT Challenges
Information Security Management
After many spectacular data breaches and losses, and enormous spending in state-of-the-art security technologies, organizations are finally realizing that information security is all about being able to manage it adequately.
Major IT Challenges
DR and BCP
Business continuity management (BCM) proactively improves the enterprise’s resilience against operational disruptions and provides the capability to adequately react to these.
Major IT Challenges
Challenges of Managing IT Risks
IT’s pervasiveness and ubiquity also bring about (sometimes inconspicuously) significant risks that, if realized, might jeopardize the viability and success of the enterprise.
Major IT Challenges
Vulnerability Management
The process of vulnerability management allows enterprises to enhance the security of their systems as well as meet their regulatory requirements by assessing and mitigating vulnerabilities in their IT systems.
Major IT Challenges
Continuous Process Improvement
Modern enterprises now recognize that “business processes are the business” and that enterprise success is dependent on establishing the capabilities and infrastructures to continually improve business processes and rapidly implement change.
Major IT Challenges
Advanced Persistent Threats (APTs)
Increasingly sophisticated APTs target specific vulnerabilities in organizational networks (using
techniques such as spear phishing) to install malware and
exfiltrate organizational data.
Seventy percent of CISOs believe it is likely their
organizations will be hit by an advanced attack in the near
future
Shortfalls in information security talent and inadequate detection
and response processes exacerbate vulnerability to
APTs.
Information Governance
Growth in digital universe as businesses created and used > 4.4
trillion gigabytes of data.
Information includes data on customer
behaviors and social media posts.
Lack of governance prevents effective management and protection of this
information.
Decentralization of data ownership,
increasing reliance on data for decisions
requires information governance.
2015 CEB IT Audit Hot Spots
Business-Led IT
Businesses are reliant on increasingly powerful and often niche technology to increase
productivity.
Business leaders are increasingly procuring their own IT solutions, but do not always
follow central security standards.
Risk is heightened by IT’s limited visibility to these
technologies and the 3rd party relationships often have little
regard for the appropriate controls.
Insecure Employee Behaviors
With information security breaches rising at an
exponential rate, employee error and misconduct have
been identified as the biggest root cause of control failures.
Last year, 48% of data breaches were caused by
human error.
The increased “datafication” of the work environment, plus
ineffective training and awareness programs,
undermine the value of the employee security perimeter.
2015 CEB IT Audit Hot Spots
Legacy Systems
Businesses’ reliance on technology requires continuous
innovation and up-to-date, increasingly advanced systems.
However, 93% of organizations use older legacy systems,
which are not designed to cope with today’s complex digital
environment.
These systems are often incompatible with up-to-date
security programs and can be costly to maintain while hampering productivity.
2015 CEB IT Audit Hot Spots
Major IT Challenges
Control Frameworks
IT Auditor Competencies
IT General Overview
COSO
Sarbanes-Oxley
NAIC / MAR
COBIT
Control Frameworks
Committee of Sponsoring Organizations of the Treadway Commission
• "Business Control Model"
• Originally formed to study causal factors of fraudulent financial reporting
COSO
Protect investors from executive fraud
Public Company Accounting Oversight Board (PCAOB)
External Auditor independence rules
Audit Committee independence requirements and oversight
Sarbanes-Oxley (SOX)
Similar to SOX but less stringent than SOX
Issued by the National Association of Insurance Commissioners (NAIC)
For non-publicly traded insurance companies
Requires controls to be in place and tested, ensuring financial reporting accuracy and integrity
Requires assertion by Management
NAIC MAR
1. Meeting Stakeholder Needs
2. Covering the Enterprise End to End
3. Applying a Single Integrated Framework
4. Establishing a Holistic Approach
5. Separating Governance from Management
COBIT 5 Principles (Control Objectives for Information and Related Technologies)
Align, Plan and Organize
Build, Acquire and Implement
Deliver, Service and Support
Monitor, Evaluate and Assess
COBIT 5 Domains
COBIT 5 - Snapshot
Align, Plan and Organize
Ensure enterprise management and key stakeholders:
• Are informed by IT on the current technology environment, possible future trends and value opportunities for the business
• Discuss future business directions and enterprise goals
Ensure IT management contributes to:
• Business strategy planning
• Identifying capabilities available to support enterprise goals
Align business imperatives and priorities with IT capabilities:
• To establish enterprise priorities
• Include them in the IT strategic plan
Control Activities
Major IT Challenges
Control Frameworks
IT Auditor Competencies
IT General Overview
Common sense
Knowledge of area to be audited
Knowledge of Policies & Procedures
Flowcharting techniques
Core Audit Skills
Project Management
Competencies
Management concepts
Auditing concepts
Negotiating skills
Communication skills
Audit tools (CAATs)
Sense of humor
Competencies
• Understanding of IT risks
• Corporate strategic / operational plan
• Information Technology operational plan
• IT Organizational charts
• Corporate Policies and Procedures
• IT Infrastructure
  • Hardware
  • Applications
  • Networks
IT Competencies
IT Risks
Information Security Breaches
Data Leakage and Privacy Violations
Outsourcing Exposures
Human Resource Shortcomings
Business Enablement Challenges
Funding and IT Governance Deficiencies
Regulatory Concerns
Cybersecurity
Lost productivity from IT downtime
Inability to defend lawsuits due to poor record keeping
1. Audit Structure
2. IT General Overview
3. IT General Controls
4. IT Risk Assessment & Audit Planning
Agenda
Definition of Internal Control
Fundamental Concepts
Components of Internal Control
Control Classifications
IT Controls
According to COSO:
A process, effected by an organization's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in these categories:
Operations
Efficiency and Effectiveness of Operations
Reporting
Reliability of Financial Reporting
Compliance
Compliance with Applicable Laws and Regulations
Safeguarding of assets
Definition of Internal Control
IT control is a process that provides assurance for information and information services, and helps to mitigate risks associated with use of technology.
Two components:
• Automation of business controls
• Control of IT
Understanding IT Controls
IT controls are needed to:
• monitor and control cost
• remain competitive
• protect information assets
• comply with laws and regulation
Implementing effective IT controls will:
• improve efficiency
• increase reliability
• provide flexibility
• increase availability of assurance evidence
Importance of IT Controls
Internal Control is a PROCESS:
• A means to an end
• Dynamic, not static
• Affected by people, not just policies and procedures
• Impacts all levels of the Company
Fundamental Concepts
Internal control provides reasonable assurance, not absolute assurance
• Absolute assurance cannot be achieved
• Attempting to achieve it is cost-prohibitive for most entities
Fundamental Concepts
Control Environment
Risk Assessment
Information and Communication
Control Activities
Monitoring
Components of Internal Control
Employees at all levels use risk management. It applies to all departments and environments across the entire organization.
Defined
• Risk management is the process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk costs with benefits.
• The total process of identifying, controlling, and minimizing information system related risks to a level commensurate with the value of the assets protected.
Principles
• Integrating risk management into planning, preparation, and execution.
• Making risk decisions at the appropriate level in the organization.
• Accepting no unnecessary risk.
Risk Management
In our dynamic world, risks are constantly changing…
Determination of Risk Appetite involves:
• Risk Capacity: the maximum risk an organization may bear and remain solvent
• Existing Risk Profile: the existing level and distribution of risks across risk categories (e.g. financial, market, operational, reputation, etc.)
• Desired Level of Risk: what is the desired risk/return level
• Risk Tolerance: acceptable levels of variation an organization is willing to accept around specific objectives
Risk Appetite
Control Environment
Tone of the organization; foundation of all other components of internal control
Includes: integrity, ethics, role and involvement of Board of Directors
Risk Assessment
Identify and analyze relevant risks to the achievement of objectives; basis for how the risks are managed
Includes: annual risk assessment, mid-year update, ongoing risk monitoring
Information and Communication
Systems supporting the exchange of information, in a form and time frame enabling people to carry out their responsibilities
Includes: regular reporting, Policies & Procedures, Intranet sites
Control Activities
Ensure management directives are carried out
Includes: approvals, authorizations, reconciliation, security, segregation of duties
Monitoring
Feedback on strengths and weaknesses in the system of internal control
Includes: performance measured to detect problems early; management ensures that internal controls are effective and efficient
Components of Internal Controls
Controls Life Cycle
Design
Implementation
Operational Effectiveness
Monitoring
1. Audit Structure
2. IT General Overview
3. IT General Controls
4. IT Risk Assessment & Audit Planning
Agenda
• Organization & Management
• Strategic Planning
• Risk Management
• Policy Management
• SDLC
• Change & Release Management
• Application Control Review
• Infrastructure / Physical Security
• Operations Management
• Incident Management
• End User Computing
• DR & Business Continuity
IT General Controls
Define elements of an IT control environment aligned with the enterprise’s management philosophy and operating style
Develop and maintain a set of policies to support IT strategy - relevance confirmed and approved regularly
Deploy and enforce IT policies to all staff so they become an integral part of enterprise operations
Disseminate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise
Policy Management
Plan → Design → Implement → Operate → Monitor → Update → (back to Plan)
Policy Life Cycle
Establishes the foundation for a policy framework by covering the stakeholders and goals dimensions defined previously
Identifying gaps between the governance principles and current, valid policies helps
to redesign and improve the policy framework in use
Define a logical structure of documentation that will support and clarify
policy principles
The goal is to improve clarity of policy principles and support their
implementation
Policy Life Cycle - Plan
Setup
Identification of policies needed
Risk-based approach is used that addresses policy principles
Set deadlines and priorities for their creation
Set deadlines for review and approval
Policy Structure Definition
Draft: Identify individuals responsible for researching and writing policies
Review: Identify individuals responsible for providing independent review of
policies
Procedures to obtain final policy approval from authorized individuals; determine policy communication and training strategy
Define writing quality standards, including document format, font,
language style, glossary and document structure
Policy Life Cycle - Design
• Getting the policies active
• Enforcing them
• Defining the activities to assist the organization in transitioning from a noncompliant to a compliant state
Implement
• An effective policy should be part of the organization’s DNA
• Building an accountable culture and using policies in daily operations ensures that the organization’s goals are met
• Organizations should “walk the talk” of policy principles
Operate
Policy Life Cycle – Implement / Operate
• Confirms that policy requirements are properly implemented
• The organization is operating effectively
Evaluate / monitor
• Reviewed for updating or removal
• Adjusts the phases defined previously to maintain or improve the maturity of the policy framework
• Policies to be reviewed on a regular basis, typically every 12 months
Update / dispose
Policy Life Cycle – Evaluate / Update
Defining the role of IT
IT management (including goals and objectives)
Adequacy of policies and procedures
Compliance with policies and procedures
Policies defining levels of security and privacy required:
• Rights of access to specific types of information (HIPAA regulations)
• Ownership of information
• Processes and procedures for employment in sensitive areas
Things to Look For…
Policy Management
Evergreen Process – timing and approvals
Cross referencing
Standards and procedures aligned with policy
Policy Review Board
Things to Look For….
Columns: Process | Short Description | Control Objective | ABC Control Activity (Long Description) | Risk

Process: Communicate Management Aims and Direction
Short Description: IT Policy and Control Environment
Control Objective: Define the elements of a control environment for IT, aligned with the enterprise's management philosophy and operating style.
ABC Control Activity: The Policy Management team has developed a framework that defines the requirements for creating, maintaining and reviewing ITG policies. In addition, the framework defines the policy exception process including when it is used and how it is executed. The Policy Owner (VP or above) approves the framework as changes occur.
Risk: Lack of a policy for internal controls could result in the organization not being able to identify irregularities in a timely manner.

Process: Communicate Management Aims and Direction
Short Description: IT Policies Management
Control Objective: Develop and maintain a set of policies to support IT strategy. Their relevance should be confirmed and approved regularly.
ABC Control Activity: A process exists to manage policies and standards. The Policy Management organization facilitates the review of all policies on a rotating basis, at least once every 2 years or as needed, with the applicable process owners to ensure the policy's appropriateness. The Policy Owner reviews and approves his or her respective policy once the review is complete. A review of all Standards occurs at least once every 2 years or as needed by the Standards Owner (Director or above). Evidence of the review is documented and retained.
Risk: Lack of a process for maintaining policies could result in the business not being prepared for changes in the business environment.

Process: Communicate Management Aims and Direction
Short Description: Policy, Standard and Procedures Rollout
Control Objective: Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.
ABC Control Activity: Function / Process Owners develop an implementation approach in response to policy/standards modifications or creation of new policies/standards. The Policy Management organization facilitates the review and approval of all modified or new policies/standards with the applicable stakeholders to ensure appropriateness. The Policy Owner (VP or above) reviews and approves his or her respective policy once the review is complete. The Standards Owner (Director or above) reviews and approves his or her respective standard once the review is complete.
Risk: If appropriate resources are not in place, excessive time lags could occur between the development, documentation, and communication of policies, standards, and procedures.

Process: Communicate Management Aims and Direction
Short Description: IT Policies Management
Control Objective: Develop and maintain a set of policies to support IT strategy. Their relevance should be confirmed and approved regularly.
ABC Control Activity: The Policy Management organization receives policy exception requests. Each request is reviewed to assess the risks associated with the exception. The stakeholders review the exception request and the Policy Owner approves or rejects each policy exception request prior to the exception event occurring.
Risk: Lack of a process for maintaining policies could result in the business not being prepared for changes in the business environment.

Policy Control Matrix
Columns: Description | Test

Description: The Policy Management team has developed a framework that defines the requirements for creating, maintaining and reviewing ITG policies. In addition, the framework defines the policy exception process including when it is used and how it is executed. The Policy Owner (VP or above) approves the framework as changes occur.
Test:
1. Obtain the current policy manual and TOC
2. Obtain the exception process log, select 25 exceptions and:
   a. Ensure the submission was timely
   b. Ensure the justification was reasonable
   c. Validate that approvals were appropriate and timely

Description: A process exists to manage policies and standards. The Policy Management organization facilitates the review of all policies on a rotating basis, at least once every 2 years or as needed, with the applicable process owners to ensure the policy's appropriateness. The Policy Owner reviews and approves his or her respective policy once the review is complete. A review of all Standards occurs at least once every 2 years or as needed by the Standards Owner (Director or above). Evidence of the review is documented and retained.
Test:
1. Obtain the evergreen procedures and perform the following:
   a. Select 25 policies and determine when they were issued and last revised
   b. Ensure the Policy Manual contains the latest version of the policy
   c. Ensure appropriate signatures were obtained and maintained

Policy Test Matrix
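The two tests above are a natural fit for the audit tools (CAATs) listed under competencies: pull the policy register and the exception log as extracts, select the sample reproducibly, and let a script do the date and approver-level checks so the auditor's time goes to the judgement items (is the justification reasonable, is the latest version in the manual). The following is an added example, not code from the deck or from JAG Associates. It assumes two constructed CSV extracts, an assumed title hierarchy (the matrix only states that the Policy Owner is VP or above), a 730-day review window for "at least once every 2 years", and the presentation date as the as-of date.

```python
import csv
import io
import random
from datetime import date, timedelta

# Constructed sample extracts, not from the original deck. In practice the first
# would come from the policy manual's TOC and evergreen records, the second from
# the policy exception log.
POLICY_REGISTER_CSV = """policy_id,title,issued,last_reviewed,approver_title
POL-01,Acceptable Use,2012-03-01,2015-11-15,VP
POL-02,Access Control,2011-06-10,2014-02-28,VP
POL-03,Change Management,2013-09-05,2016-01-20,Director
POL-04,Data Classification,2014-01-12,2016-05-30,SVP
"""
EXCEPTION_LOG_CSV = """exception_id,policy_id,event_date,submitted,approved,approver_title,justification
EX-100,POL-02,2016-02-01,2016-01-20,2016-01-25,VP,Vendor system cannot enforce 90-day rotation
EX-101,POL-02,2016-03-15,2016-03-20,2016-03-22,VP,Legacy batch account
EX-102,POL-03,2016-04-10,2016-04-01,2016-04-12,Director,Emergency fix during outage
EX-103,POL-01,2016-05-05,2016-05-01,2016-05-02,VP,
"""

# Assumed title hierarchy; the control matrix only says Policy Owner is VP or above.
TITLE_RANK = {"Manager": 1, "Director": 2, "VP": 3, "SVP": 4}
POLICY_OWNER_MIN = TITLE_RANK["VP"]
REVIEW_INTERVAL = timedelta(days=2 * 365)  # "at least once every 2 years"


def read_rows(csv_text):
    """Parse a CSV extract into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def select_sample(rows, size=25, seed=2016):
    """Choose the test sample; a fixed seed lets a reviewer re-perform the selection."""
    return random.Random(seed).sample(rows, min(size, len(rows)))


def policy_findings(rows, as_of):
    """Evergreen test: last review within the interval, approval at Policy Owner level."""
    as_of = date.fromisoformat(as_of)
    findings = {}
    for row in rows:
        issues = []
        if as_of - date.fromisoformat(row["last_reviewed"]) > REVIEW_INTERVAL:
            issues.append("review overdue")
        if TITLE_RANK.get(row["approver_title"], 0) < POLICY_OWNER_MIN:
            issues.append("approver below Policy Owner level")
        if issues:
            findings[row["policy_id"]] = issues
    return findings


def exception_findings(rows):
    """Exception-log tests: timely submission, justification recorded, and
    approval by the Policy Owner before the exception event occurred."""
    findings = {}
    for row in rows:
        event = date.fromisoformat(row["event_date"])
        submitted = date.fromisoformat(row["submitted"])
        approved = date.fromisoformat(row["approved"])
        issues = []
        if submitted > event:
            issues.append("submitted after exception event")
        if approved > event:
            issues.append("approved after exception event")
        if TITLE_RANK.get(row["approver_title"], 0) < POLICY_OWNER_MIN:
            issues.append("approver below Policy Owner level")
        if not row["justification"].strip():
            issues.append("no justification recorded")
        if issues:
            findings[row["exception_id"]] = issues
    return findings


if __name__ == "__main__":
    policies = select_sample(read_rows(POLICY_REGISTER_CSV))
    print(policy_findings(policies, "2016-06-07"))
    exceptions = select_sample(read_rows(EXCEPTION_LOG_CSV))
    print(exception_findings(exceptions))
```

The script only clears the mechanical attributes of the test. A blank justification is a finding, but a present one still has to be read by the auditor to decide whether it was reasonable, and "approved before the event" only holds if the approval date in the log is itself reliable, which is why the test also asks for the evidence of review to be retained.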
IT Organization & Management
Why is the organization of the IT group so important?
Ensures alignment with the business
Defines lines of reporting and responsibility
Allows the implementation of control systems
Business Alignment - WHY
A winning business strategy requires the assessment of market forces, competitive challenges, organizational strengths and weaknesses, and customer needs.
IT capabilities are an important component of an organization’s capabilities and business expectations for IT are rising.
Business processes are enabled by computer systems, and there are no fall-back paper processes.
Process changes are virtually impossible without the corresponding technology changes.
High levels of availability, reliability and security are needed for key business systems.