Effectively Assessing IT General Controls



Similar documents
Certified Information Systems Auditor (CISA)

The Information Systems Audit

IT Audit in the Cloud

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

Practical Guidance for Auditing IT General Controls. September 2, 2009

Cloud Computing An Auditor s Perspective

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Strategic IT audit. Develop an IT Strategic IT Assurance Plan

ITIL AND COBIT EXPLAINED

Information Technology General Controls (ITGCs) 101

Domain 1 The Process of Auditing Information Systems

Overview of how to test a. Business Continuity Plan

IT Governance Dr. Michael Shaw Term Project

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

ICTEC. IT Services Issues HELSINKI UNIVERSITY OF TECHNOLOGY 2007 Kari Hiekkanen

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Understanding changes to the Trust Services Principles for SOC 2 reporting

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

THE BLUENOSE SECURITY FRAMEWORK

IT Governance and Control: An Analysis of CobIT 4.1. Prepared by: Mark Longo

Microsoft s Compliance Framework for Online Services

IT Risks and New Technology

WHITE PAPER. Sarbanes - Oxley Section 404: How BMC Software Solutions Address General IT Control Requirements

Information Technology Auditing for Non-IT Specialist

How To Improve Your Business

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

Auditing Cloud Computing and Outsourced Operations

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

Surviving an IT Audit. Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit Services O Connor & Drew P.C. mhammond@ocd.com

A Comparison of IT Governance & Control Frameworks in Cloud Computing. Jack D. Becker ITDS Department, UNT & Elana Bailey

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Orchestrating the New Paradigm Cloud Assurance

Cloud Computing Risk Assessment

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Auditing in the New Millennium:

Information Technology General Controls And Best Practices

Western Intergovernmental Audit Forum

Enhancing IT Governance, Risk and Compliance Management (IT GRC)

Dallas IIA Chapter / ISACA N. Texas Chapter. January 7, 2010

Information Technology Internal Audit Report

External Penetration Assessment and Database Access Review

Cybersecurity The role of Internal Audit

Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC

HOW SECURE IS YOUR PAYMENT CARD DATA?

SECURITY AND EXTERNAL SERVICE PROVIDERS

2014 NABRICO Conference

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Key Considerations of Regulatory Compliance in the Public Cloud

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Hans Bos Microsoft Nederland.

IT Service Management tools - Acquisition and implementation

White Paper. Regulatory Compliance and Database Management

How To Pass The Comptia Cloud Essentials Exam

Managing Cloud Computing Risk

ISO Controls and Objectives

Domain 5 Information Security Governance and Risk Management

Refresher on cloud computing

OC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes.

Internal Control Deliverables. For. System Development Projects

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Altius IT Policy Collection Compliance and Standards Matrix

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

SRA International Managed Information Systems Internal Audit Report

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Connecting the dots: IT to Business

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

SECURITY CONSIDERATIONS FOR LAW FIRMS

Third Party Risk Management 12 April 2012

2009 Solvay Brussels School and IT Governance institute

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

Auditing Applications. ISACA Seminar: February 10, 2012

Ayla Networks, Inc. SOC 3 SysTrust 2015

The Role of Internal Audit In Business Continuity Planning

IT Governance and IT Operations Bizdirect, Mainroad, WeDo, Saphety Lisbon, Portugal October

Electronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014

Application controls testing in an integrated audit

Supplier Security Assessment Questionnaire

Service Organizations and the Internal Audit function conference Institute of Internal Auditors in Israel

Services Providers. Ivan Soto

DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

CISM Certified Information Security Manager

3 rd -party Security Risk Assessment

Transcription:

Effectively Assessing IT General Controls Tommie Singleton UAB AGENDA Introduction Five Categories of ITGC Control Environment/ELC Change Management Logical Access Controls Backup/Recovery Third-Party Providers What the Results Mean 2 INTRODUCTION PCAOB/AS5-ICFR AICPA/Risk-Based Standards IIA/GAIT, GTAG ISACA/COBIT, ITAF ISACA ITAF 3630/ITGC Introduction to ITGC Information Resource Planning IT Service Delivery IT Human Resources Physical/Environment Control Outsourcing/3 rd Party IT InfoSec Management Information Systems Operations BCP/DRP Database Mgmt & Control Identification & Authentication Systems Software Support Hardware Support Network Management & Controls SDLC Enterprise Portals O/S Management & Controls 3 4 1

ITGC: Control Environment Ensure that the data processing that takes place in systems and IT occurs in a controlled environment, supporting data integrity and security. Loosely equivalent to COSO s control environment & COBIT s PO domain a.k.a. Entity-level controls ITGC: Control Environment Data processing accuracy, timeliness, integrity, and security depend on it Financial reporting systems depend on it umbrella of applications and automated controls Application controls affected by it 5 6 ITGC: Control Environment IT risks that have substantive inherent risks Controls that mitigate those IR Compared to generally accepted benchmarks (could be a set of best practices) Two factors of likelihood/probability and impact/magnitude ITGC: Control Environment IT Strategy IT Governance (e.g., ITGI) Computer Operations (e.g., ITIL) IT Investment & Capital Budgeting, including IT portfolio (e.g., ROI) Alignment of IT with business goals, objectives Managing IT Projects (e.g., PM principles) Managing IT Human Resources IT Risk Assessment IT Polices & Procedures 7 8 2

ITGC: Change Management Structure and processes for software and hardware acquisitions, development, and implementation that ensure that they are appropriately managed to provide assurance that automated business processes, application controls and automated controls adequately support business goals and objectives, especially financial reporting. Equivalent to COBIT s AI6 process ITGC: Change Management Data processing accuracy, timeliness, integrity, and security depend on it Financial reporting systems depend on it Can affect applications and automated controls Applies to commercial and proprietary IT Initiation, authorization, development or purchase, testing, deployment of IT: effectively managing changes to IT 9 10 ITGC: Change Management IT risks that have substantive inherent risks (e.g., programming) Controls that mitigate those IR Compared to generally accepted benchmarks (could be a set of best practices) Two factors of likelihood/probability and impact/magnitude ITGC: Change Management P&P (i.e., a formal process) Application Development (e.g., SDLC) Configuration Management (e.g., ITIL, ISACA s G37, COBIT s DS9) Software Management (e.g., updates) O/S Management Network Management Hardware/Infrastructure Management 11 12 3

ITGC: Logical Access Control Restricted access control to data and programs to prevent unauthorized access or changes, including prevention of unintentional errors and fraud. Becoming more and more critical, high IR Can also be used to implement logical SoD ITGC: Logical Access Control Protecting programs from unauthorized changes or malicious activities Protecting data from unauthorized changes or malicious activities To implement effective logical SoD Includes employees and external malicious intruders Back door and front door (i.e., lots of ways to exploit access) 13 14 ITGC: Logical Access Control Password policy (best practices) SoD (restricted access) Access controls at all levels (e.g., no defaults, no open access) ITGC: Logical Access Control P&P (i.e., a formal process) InfoSec DBA access controls O/S access controls Application access controls Network access controls Software library access controls 15 16 4

ITGC: Backup/Recovery To ensure the entity can recover computer operations from a failure or pandemic event in a timely manner with integrity and accuracy. Scope can vary significantly b/w internal audit and external audit ITGC: Backup/Recovery Able to restore data after a system failure and loss of data, timely and accurately Able to restore data after a natural disaster, timely and accurately Able to restore business operations after a pandemic system failure Able to restore business operations after a natural disaster 17 18 ITGC: Backup/Recovery Data backups (best practices: offsite, regular, etc.) BCP (best practices) DRP (best practices) ITGC: Backup/Recovery Backup (e.g., best practices) Testing of restoring backup of data Testing of restoring business operations after a pandemic event Testing of BCP and DRP Make sure it is IN SCOPE! 19 20 5

ITGC: 3 rd -Party Providers To ensure reliable vendors are being used to provide IT services which operate at a high level of assurance and operational effectiveness. Focus here is providers associated with IT, not providers in general ITGC: 3 rd -Party Providers Vendors who are competent and reliable to provide quality services Vendor systems that have adequate controls for relevant areas Does the vendor have independent verification of adequate controls? 21 22 ITGC: 3 rd -Party Providers Reliability of vendor (reputation, tenure, etc.: e.g., is the Geek Squad a reliable vendor for network support?) Competency of vendor (experience, credentials, reputation) Adequacy of controls in vendor s services (SSAE #16/SOC-1 report, or SOC-2/SOC-3 report, etc.) ITGC: 3 rd -Party Providers Network support Help desk Application development Communication lines ecommerce Data center Cloud computing SaaS IaaS 23 24 6

RESULTS Downstream controls may mitigate the deficiency Consider manual and IT-dependent controls where control objectives overlap RESULTS Linking residual risks (RMM) to specific financial systems, transaction cycles, material account balances, or other audit objectives (GAIT & RBA) That is, make sure it is in scope Group or aggregated related controls for best analysis (GAIT) That is, make sure to consider all weaknesses and deficiencies 25 26 CONCLUSION Deficiencies in ITGC can INDIRECTLY lead to RMM ITGC deficiencies can lead directly or indirectly to operational failures Application controls can only be appropriately tested and relied upon if ITGC as a whole is reliable ITGC MATTERS!! 4/7/2011 Free template from www.brainybetty.com 27 28 7

Effectively Assessing IT General Controls Tommie Singleton, Ph.D., CPA, CISA, CITP tsingleton@uab.edu Free template from www.brainybetty.com 29 30 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information