General Computer Controls

Governmental Unit: University of Mississippi
Financial Statement Date: June 30, 2007
Prepared by: Robin Miller and Kathy Gates
Date: 6/29/2007

Description of computer systems and LANs in use (hardware and software). (It may be appropriate to complete a separate form for LANs.) [ ]

Instructions: CRI will need to gain an understanding of the different processes that are dependent on the general computer system and the related controls that ensure the integrity of the computer output. Computer general control activities relate to information technology personnel and operations as a group rather than directly to specific financial statement assertions. Therefore, the letter P or S appears in the column next to each control activity to indicate whether it is to be a primary control (P) or a secondary control (S).

This form is designed for either an in-house system or computer service organization. However, completion of this form is unnecessary for service centers if there is a suitable service auditor's report on the service organization's internal controls.

Please complete this form for EACH of the systems used by the University and provide policies and procedures, organizational charts, narratives, and any other information that will be helpful in our understanding.

1. Organization controls tested through inquiry and observation
   a. The information technology (IT) department is independent of the departments it serves.
   b. IT personnel are prohibited from initiating or authorizing transactions.
   c. IT personnel are prohibited from initiating changes to master files.
      i. In circumstances when master file changes are made by IT personnel, appropriate procedures are followed to control the changes.
   d. Departments that initiate master file changes are given a report showing the changes that were made.
   e. Appropriate procedures are followed when IT personnel make corrections to errors in data files or applications.
   f. There is separation of duties between programmers, system administrators, and users.

   Responses entered on the form for the items above (in extracted order):
      Procedures require requesting entity to identify and authorize
      May be necessary under extreme circumstances to resolve a critical issue
      S N/A SAP is a real-time transactional ERP.
      Areas of responsibility/usage clearly defined
   g. The duties of IT personnel are rotated periodically.
      Response: Typically on a biannual basis and as new systems/applications are deployed
   h. IT personnel are required to take annual vacations of at least one continuous week.
      Response: N. This is encouraged but not required
      i. During the vacationing personnel's absence, their duties are performed by other personnel.
   i. If there is an internal audit function, the internal auditors report to the audit committee on whether the computerized accounting applications are designed and operated to produce information that can be used to prepare financial statements that accurately represent the client's financial condition and results of operations.

   Responses entered on the form for the items above (in extracted order):
      Secondary and tertiary duties are assigned based on staffing
      S N/A

2. Access controls tested through inquiry, observation, or document inspection. (If the entity has more than one computer system or a LAN, this section of the form should be completed for each system or LAN. To do so, a copy can be made and completed for each system or LAN.)
   a. One employee is assigned the responsibility for IT security.
      Response: While IT has a named Security Coordinator there are various security responsibilities assigned throughout IT
   b. There are adequate physical controls to ensure that access to computer facilities is restricted to authorized personnel.
   c. Programmers are restricted from access to applications in live operation, job control language, and live data files.
   d. Procedures are in place to prevent testing of new or revised applications on live data files.
   e. Software users are prohibited from having access to source code, the compiler, and programming documentation.
   f. Access to application processing parameter databases or table files is restricted to authorized personnel, and changes to those files are adequately reviewed.
   g. Software utilities that can alter data or applications are adequately controlled and their usage is logged for subsequent management review.

   Responses entered on the form for the items above (in extracted order):
      A proximity card system is used to control access.
      As applicable
      Test systems are in place for all major functions
      System audit features capture all changes

   h. Access control software is used for terminals and workstations so that
      i. Access is limited to specified persons.
         Response: As applicable via ACLs, firewall settings, client software/accounts
      ii. Individuals have access only to those applications or files that are necessary to perform their duties.
         Response: Based on internal authorization roles
   i. If passwords are used to control terminal or workstation access:
      i. Procedures are established to determine that those passwords are confidential and unique.
         Response: Requirements set, crackers used
      ii. Passwords are changed at regular intervals.
         Response: Every 90 days
      iii. Passwords are promptly canceled for terminated employees.
   j. Regarding IT personnel who are terminated:
      i. They are released from sensitive duties immediately.
      ii. Their access to the IT system is suspended immediately.
      iii. Their actions are appropriately supervised until their departure from the premises.
   k. There are procedures to prevent remote access to the network through dial-up, Internet, or Virtual Private Network (for example, dial-back, polling lists, user ID, or passwords).
   l. If confidential or sensitive information is transmitted through public carrier networks (for example, by leased line), protection methods are used to prevent or detect unauthorized access, either through carrier security methods or independent methods (for example, encryption methods).
   m. For internal network traffic, procedures that are commensurate with data traffic sensitivity are in place to provide security over transmissions across the network.
   n. Intrusion detection systems are in place on the internal network to monitor the network.
   o. All data has been classified and appropriate risk ranking has been established that will support and provide evidence for the use of implemented network security controls.
   p. For centralized data centers, there are appropriate controls over access to system administrator instruction manuals.

   Responses entered on the form for the items above (in extracted order):
      Daily updates supplied
      VPN/dial up requires managed account
      VPN and/or SSL is employed
      Client encryption
      S N Commercial IDS is not installed. Several local procedures are in place to monitor and react to any issues
      Data pools are identified and risk factors noted
      Physically secured
   q. For decentralized, distributed client server systems, there are appropriate education, training, and support materials available for the system administrator and security administrator over the servers.

3. Application development controls tested through inquiry, observation, or document inspection. (If the entity has more than one computing platform, such as mainframe and LAN, this section of the form should be completed for each platform. To do so, a copy of this section can be made and completed for each platform.)

   The following control activities apply to all key applications, both those developed in-house and those purchased from third-party vendors.

   a. There are established procedures for development of new applications, as well as modifications of existing applications.
      i. Approval is required and obtained for development of new applications or programs, or for modifications of existing ones.
   b. Application development procedures give adequate consideration to development of adequate control features for the new or modified applications.
   c. Application development procedures require active involvement by the users (and internal audit, if applicable).
   d. Formal testing procedures have been established to check the functioning of new applications and modifications of existing applications (including testing of modifications made by vendors to purchased software).
   e. During the testing phase, the user group (or the personnel who will run the system for the user group) tests the application as a complete product, and performs testing under conditions similar to those in which the application or system is expected to be run.
   f. There are formal standards and procedures for documentation of new applications as well as modifications of existing applications.

   Responses entered on the form for the items above (in extracted order):
      If managed by IT
      See IT Work Request linked from http://www.olemiss.edu/depts/it/projects.html.
      Project life cycles include phases for testing/implementing authorizations.
      Absolutely.
      The SAP Support Desk coordinates testing and roll-out. Functional users are invited to the IT or SAP training lab where they test application functionality. A typical project will include two or three of these sessions.
   g. Procedures are in place to prevent unauthorized changes to applications, preferably as part of the entity's system development life cycle methodology.
   h. There are controls over the movement of new or modified code from development to testing and to the live operating environment.

4. System software controls tested through inquiry, observation, or document inspection. (System software includes the operating system, database management systems, telecommunications software, security software, utility software, file management systems, library management packages, compilers, sorts, job control software, and time-sharing software.)
   a. If entity personnel have the technical expertise and tools to develop or modify system software:
      i. Those personnel are prevented from having a detailed understanding of related applications and user controls over key files and transactions.
      ii. Those personnel are appropriately supervised.
      iii. The entity has controls over system software like those for application development in place (Items 3.a.-h.).
      iv. Changes to the system software are reviewed and approved before moving them into the live operations environment.
      v. Changes to the system software are tested before moving them into the live operations environment.
      vi. Key system software parameters are periodically reviewed to ensure adequate use and governance of system resources and processing.
      vii. Maintenance and emergency software patches are installed and kept up to date per vendor specifications.

   Responses entered on the form for the items above (in extracted order):
      The SAP landscape includes a sophisticated transport system that moves changes in a controlled manner across three systems: development, testing and production.
      Units are focused on defined segments
      Continuous monitoring of system resource usage/allocation through online tools
      Quarterly cycle for maintenance patches

5. Operational controls tested through inquiry and document inspection. (If the entity has more than one computing platform, such as mainframe and LAN, this section of the form should be completed for each platform. To do so, a copy of this section can be made and completed for each platform.)
   a. Schedules are prepared and followed for processing of computer applications.
   b. Changes to work schedules are appropriately authorized and communicated to affected parties.
   c. Automated or manual logs are used to record system administrator activities and
      i. There are controls to ensure the completeness and accuracy of the logs.
         Response: Via online calendar tracking
      ii. The logs are reviewed by appropriate supervisory personnel, and unusual entries are appropriately investigated.
         Response: As applicable
   d. System administrators are required to report system failures, restart and recovery, or other unusual incidents, and those reports are reviewed by an appropriate official.
      Response: Maintained via call tracking system
   e. System administrator instruction manuals (in the form of a printed manual or instructions that can be accessed on line) are available to each system administrator.
   f. System administrator instruction manuals contain the following:
      i. Setup of batch jobs and loading of operating systems or software (including applicable control statements or parameters used in processing).
      ii. Hardware components and data files to be used.
      iii. Input and output media to be used.
      iv. Termination of applications.
      v. Instructions on actions to be taken (such as rerun or restart procedures) if a process fails to operate properly.
   g. There are appropriate procedures to monitor system administrator compliance with prescribed operating procedures.
   h. There are appropriate procedures for back-up and storage of applications and data files.
   i. There is a documented background screening of IT personnel.
      Response: HR Function
   j. Periodic security briefings are provided for IT personnel.
   k. There are appropriate procedures to prevent test versions of applications from being run on live operating data and to control such tests when it is necessary to run them.
   l. In circumstances when system administrators must initiate input of data, procedures exist to allow the system administrators to determine whether the input is properly authorized.
   m. There are appropriate controls such as the following for situations when outside third parties (such as vendors from whom application or system software is licensed) are permitted to sign on to the client's system, for example, to perform problem determination and resolution procedures:
      i. The vendor must specifically request the client's authorization and a user ID and password (ideally a one-time-use password) to sign on to the client's system.
      ii. The vendor must ask the client to turn on an activation switch that permits access to the system.
      iii. The client's procedures call for the client to call back vendors who initiate a request for access to the client's system to verify the identity and authority of the caller.

6. Disaster recovery/contingency planning tested through inquiry and observation
   a. Off-premises storage is maintained for:
      i. Master files and transaction files sufficient to recreate the current master files.

      Responses entered on the form (in extracted order):
         Transport system employed for control
         This can be done electronically

      ii. Applications and related documentation.
         Response: As applicable. Most applications and documentation are available from the vendor online.
      iii. Copies of the contingency plans.
   b. Contingency plans have been developed for alternative processing in the event of loss or interruption of the IT function.
   c. If contingency plans have been developed, the plans have been tested for adequacy in the event of a disaster.
      Response: S N
   d. Copies of the backup files for the following are periodically tested to make certain that they are usable:
      i. Software copies.
         Response: S N Only for restore purposes
      ii. Master files.
         Response: S N Only for restore purposes
      iii. Transaction or transaction history files.
         Response: S N Only for restore purposes