ISACA PROFESSIONAL RESOURCES



Similar documents
Internal Controls. A short presentation from Your Internal Audit Department

Toronto Maintenance Management System Application Review. the exercise to harmonize business practices is completed;

INFORMATION TECHNOLOGY CONTROLS

Certified Information Systems Auditor (CISA)

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

Central Agency for Information Technology

CISA TIMETABLE (4 DAYS)

Internal Control Questionnaire and Assessment

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

Information Shield Solution Matrix for CIP Security Standards

Internal Controls, Fraud Detection and ERP

Fraud Checklist. From the enquiries made and procedures performed in completing Part B of this checklist we consider the risk of irregularities to be

General Computer Controls

Table of Contents: Chapter 2 Internal Control

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC)

Access Control Intro, DAC and MAC. System Security

Internal Control Guide & Resources

PART 10 COMPUTER SYSTEMS

Master Document Audit Program

State of Oregon. State of Oregon 1

Maryland Insurance Administration

Audit of NSERC Award Management Information System

Corporate Property Automated Information System CPAIS. Privacy Impact Assessment

AUDIT OF SBA S COMPLIANCE WITH JOINT FINANCIAL MANAGEMENT IMPROVEMENT PROGRAM PROPERTY MANAGEMENT SYSTEM REQUIREMENTS AUDIT REPORT NUMBER 3-34

CONTROLLING COMPUTER-BASED INFORMATION SYSTEMS, PART I

Communicating Internal Control Related Matters Identified in an Audit

Security Management Practices. Keith A. Watson, CISSP CERIAS

Standard CIP Cyber Security Systems Security Management

Auditing Application User Account Security and Identity Management with Data Analytics

Submitted by: Christopher Mead, Director, Department of Information Technology

Remote Access Agreement

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire

Data Management Policies. Sage ERP Online

Presented by: Mike Morris and Jim Rumph

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Newcastle University Information Security Procedures Version 3

April promoting efficient & effective local government

4 Testing General and Automated Controls

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

How To Audit A Financial Statement

City of Berkeley. Prepared by:

Bank Account Reconciliation, Bank Account Access and Automated Clearing House (ACH) Transactions Review

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

VA Office of Inspector General

Sarbanes-Oxley Control Transformation Through Automation

IT Application Controls Questionnaire

SUPPLIER SECURITY STANDARD

Supporting FISMA and NIST SP with Secure Managed File Transfer

AUDIT REPORT WEB PORTAL SECURITY REVIEW FEBRUARY R. D. MacLEAN CITY AUDITOR

ACCOUNTING AND FINANCIAL REPORTING REGULATION MANUAL

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

This interpretation of the revised Annex

CHIS, Inc. Privacy General Guidelines

Department of Education. Network Security Controls. Information Technology Audit

Follow-up Audit Vital Registry and Health Statistics Program

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

WIRE TRANSFER GUIDE. 1 Fedline Advantage/Fedline Web from Federal Reserve Bank 2 Autosolution from Bankers Bank 3 Telephone 4 Other (Internet)

Risk Management Advisory Services, LLC Capital markets audit and control

San Francisco Chapter. Information Systems Operations

Module 2 IS Assurance Services

Intel Enhanced Data Security Assessment Form

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

ISO Information Security Management Systems Professional

How To Protect Decd Information From Harm

Checklist for Observation of Physical Inventory Counts

Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

Transcription:

ISACA PROFESSIONAL RESOURCES SEGREGATION OF DUTIES WITHIN INFORMATION SYSTEMS This is an excerpt from the CISA Review Manual 2005 Chapter 2 - Management, Planning and Organization of IS CISA Review Manual 2005 - Pages 88-91 The entire publication and other exam study material can be purchased through the ISACA bookstore at www.isaca.org/cisabooks. CISA REVIEW MANUAL SEGREGATION OF DUTIES DISCLAIMER ISACA has produced this publication as an educational resource to assist individuals preparing to take the CISA Certification Exam. It was produced independently from the CISA Certification Board, which has no input into or responsibility for its content. ISACA makes no claim that the Segregation of Duties Control Matrix is an industry standard. The material is solely intended as a general guideline to assist in identifying potential conflicts. Functions, designations, nature of business processes, technology deployed and risks may vary from one organization to another. In determining the proper controls, the IS auditing professional should apply his or her own professional judgment to the specific circumstances presented within an enterprise or information technology environment. CISA Review Manual 2005 1

Chapter 2 SEGREGATION OF DUTIES WITHIN IS Actual job titles and organizational structures may vary greatly from one organization to another, depending on the size and nature of the business. However, it is important for an IS auditor to obtain information to assess the relationship among various job functions, responsibilities and authorities in assessing adequate segregation of duties. The segregation of duties avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner and in the normal course of business processes. Segregation of duties is an important means by which fraudulent and or malicious acts can be discouraged and prevented. When duties are segregated, access to the computer, the production data library, the production programs, the programming documentation and the operating system and associated utilities can be limited. Potential damage from the actions of any one person is therefore reduced. The IS and end-user departments should be organized to achieve an adequate segregation of duties. See exhibit 2.2, segregation of duties control matrix, for a guideline of the job responsibilities that should not be combined. The segregation of duties control matrix (exhibit 2.2) is not an industry standard, but a guideline indicating which positions should be separated and which require compensating controls when combined. The matrix is illustrative of potential segregation of duties issues and should not be viewed or used as an absolute, rather it should be used to help identify potential conflicts so proper questions may be asked to identify compensating controls. In actual practice, functions and designations may vary in different enterprises. Further, depending on the nature of the business processes and technology deployed, the risks may vary. However, it is important for an IS auditor to understand the functions of each of the designations specified in the manual. The IS auditors need to understand the risk of combining functions indicated in the segregation of duties control matrix. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated. The organization structure and roles should be taken into account in determining the appropriate controls for the relevant environment. For example, an organization may not have all the positions described in the matrix or one person may be responsible for many of the roles described. The size of the IS/IT department may also be an important factor that should be considered, i.e., certain combinations of roles in an IS/IT department of a certain size should never be used. However, if for some reason combined roles are required, then mitigating controls should be described. The purpose of segregation of duties is to reduce or eliminate business risks through the identification of compensating controls. The magnitude and probability of risk can be assessed from low to high, depending on the organization. 2 CISA Review Manual 2005

Exhibit 2.2 Segregation of Duties Control Matrix Control Group Analyst Application Help Desk and Support Mgr. End User Data Entry Computer Operatoar DB Network Security Tape Librarian Quality Assurance Control Group Analyst Application Help Desk and Support Mgr. End User Data Entry Computer Operator DB Network System Security Tape Librarian X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Quality Assurance X X X Combination of these functions may create a potential control weakness. SEGREGATION OF DUTIES CONTROLS Several control mechanisms can be used to enforce segregation of duties. The controls are described in the following sections. TRANSACTION AUTHORIZATION Transaction authorization is the responsibility of the user department. Authorization is delegated to the degree that it relates to the particular level of responsibility of the authorized individual in the department. Periodic checks must be performed by management and audit to detect the unauthorized entry of transactions. CISA Review Manual 2005 3

Chapter 2 CUSTODY OF ASSETS Custody of corporate assets must be determined and assigned appropriately. The data owner usually is assigned to a particular user department, and their duties should be specific and in writing. The owner of the data has responsibility for determining authorization levels required to provide adequate security, while the administration group is often responsible for implementing and enforcing the security system. ACCESS TO DATA Controls over access to data are provided by a combination of physical, system and application security in the user area and the information processing facility. The physical environment must be secured to prevent unauthorized personnel from accessing the various tangible devices connected to the central processing unit and, thereby, permitting access to data. System and application securities are additional layers of security that may prevent unauthorized individuals from gaining access to corporate data. Access to data from external connections is a growing concern since the advent of the Internet. Therefore, IS management has added responsibilities to protect information assets from unauthorized access. Access control decisions are based on organizational policy and on two generally accepted standards of practice separation of duties and least privilege. Controls for effective use must not disrupt the usual work flow more than necessary or place too much burden on administrators, auditors or authorized users. Further access must not be unconditional, and access controls must adequately protect all of the organization s resources. To ensure these, it may be necessary to first categorize the resources. Policies establish levels of sensitivity, such as top secret, secret, confidential and unclassified, for data and other resources. These levels should be used for guidance on the proper procedures for handling information resources. They may be used as a basis for access control decisions as well. Individuals are granted access to only those resources at or below a specific level of sensitivity. Labels are used to indicate the sensitivity level of electronically stored documents. Policy-based controls may be characterized as either mandatory or discretionary. Refer to the Mandatory and Discretionary Access Controls section, under the topic of Importance of Information Assets, in chapter 4 for further detail. 4 CISA Review Manual 2005

AUTHORIZATION FORMS Managers of user departments must provide IS with formal authorization forms (either hard copy or electronic) that define the access rights of their employees. In other words, managers must define who should have access to what. Authorization forms must be evidenced properly with management-level approval. Generally, all users should be authorized with specific system access via formal request of management. In large companies or in those with remote sites, signature authorization logs should be maintained and formal requests should be compared to the signature log. Access privileges should be reviewed periodically to ensure that they are current and appropriate to the user s job functions. USER AUTHORIZATION TABLES The IS department should use the data from the authorization forms to build and maintain user authorization tables. These will define who is authorized to update, modify, delete and/or view data. These privileges are provided at the system, transaction or field level. In effect, these are user access control lists. These authorization tables must be secured against unauthorized access by additional password protection or data encryption. A control log should record all user activity, and appropriate management should review this log. All exception items should be investigated. COMPENSATING CONTROLS FOR LACK OF SEGREGATION OF DUTIES In a small business where the IS department may only consist of four to five people, compensating control measures must exist to mitigate the risk resulting from a lack of segregation of duties. Compensating controls would include: Audit trails Audit trails are an essential component of all well-designed systems. They help the IS and user departments as well as the IS auditor by providing a map to retrace the flow of a transaction. They enable the user and IS auditor to recreate the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated. Reconciliation Reconciliation is ultimately the responsibility of the user. In some organizations, limited reconciliation of applications may be performed by the data control group with the use of control totals and balancing sheets. This type of independent verification increases the level of confidence that the application ran successfully and that the data are in proper balance. Exception reporting Exception reporting should be handled at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been handled properly. Management should also ensure that exceptions are resolved in a timely manner. Transaction logs A transaction log may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log or journal provides a record of all transactions processed, and it is maintained by the computer system. Supervisory reviews Supervisory reviews may be performed through observation and inquiry or remotely. Independent reviews Independent reviews are carried out to compensate for mistakes or intentional failures in following prescribed procedures. These are particularly important when duties in a small organization cannot be appropriately segregated. Such reviews will help detect errors or irregularities. CISA Review Manual 2005 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information