Understanding IT General Controls
Presenter: Ben Miron
September 9, 2008
Session Objectives
• Understand the IT Environment
• Define and Identify IT General Controls
• Develop an understanding for the IT audit process
• Conduct an IT General Controls Walkthrough
• Example Tests of IT Controls
• Conclude and Document our Results
IT Environment
• Understand the IT Environment
• Purpose:
– Identify all significant applications and infrastructure
– Relationship between process and applications
– Relationship between applications and infrastructure
– Indicate where we might want to rely on electronic audit evidence
– Identify areas on which to focus our review
IT Environment
[Diagram: the IT Environment contains the Application Controls, which in turn rest on the IT General Controls.]
IT General Control Approach (COSO / COBIT Approach)
[Diagram: the COSO cube. Components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring. Remaining axes: Objectives; Units / Functions.]
Categories of Controls
[Diagram: type of control against objective of control]
Type of control:
– Manual Controls
– IT-Dependent Manual Controls
– Automated Application Controls
– IT General Controls
Objective of control:
– Manual, IT-dependent manual and automated application controls: prevent or detect misstatement in the financial statements
– IT general controls: support the continued functioning of automated aspects of prevent and detect controls
Effect of ITGC on Application Controls
• Effective IT general controls:
– Help make sure that application controls function effectively over time
• Ineffective IT general controls:
– Application controls might still operate effectively
– Affects both financial statement and internal control audit strategy, such as the nature, timing, and extent of tests of application controls
IT General Control Objectives
• Change Management:
– Only appropriately authorized, tested and approved changes are made
• Logical Access:
– Only authorized persons have access to the system and they can only perform specifically authorized functions
• Other IT General Controls (including IT operations):
– Process for determining that IT resources and applications continue to function as intended over time
Logical Access Controls
• General system security settings are appropriate.
• Password settings are appropriate.
• Access to privileged IT functions is limited to appropriate individuals.
• Access to system resources and utilities is limited to appropriate individuals.
• User access is authorized and appropriately established.
• Physical access to computer hardware is limited to appropriate individuals.
• Logical access process is monitored.
• Segregation of incompatible duties exists within the logical access environment.
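The following is an added example, not part of the original presentation: a user access review that tests four of the logical access objectives above (authorized access, limited privileged access, monitoring of unused IDs, segregation of duties) over a constructed user listing. The user IDs, role names, HR roster, approved-administrator list and the 90-day dormancy threshold are all assumptions made for the example.

```python
"""User access review against the logical access control objectives listed
above: user access is authorized, privileged access is limited to approved
individuals, the access process is monitored (dormant IDs), and incompatible
duties are segregated.

The user listing, HR roster, approved-administrator list, role names and the
90-day dormancy threshold are constructed for this example; they are not the
auditee's data."""
from datetime import date

AS_OF = date(2008, 9, 9)    # review date (constructed)
DORMANT_DAYS = 90           # assumed threshold for an unused ID

# Constructed application user listing as exported from the system.
USERS = [
    {"uid": "jsmith",      "roles": {"AP_INVOICE_ENTRY"},                       "last_login": date(2008, 9, 8)},
    {"uid": "bjones",      "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}, "last_login": date(2008, 9, 1)},
    {"uid": "rlee",        "roles": {"SYSADMIN"},                               "last_login": date(2008, 9, 5)},
    {"uid": "tmoore",      "roles": {"GL_POSTING"},                             "last_login": date(2008, 4, 2)},
    {"uid": "consultant1", "roles": {"SYSADMIN"},                               "last_login": date(2008, 8, 30)},
    {"uid": "batch",       "roles": {"GL_POSTING"},                             "last_login": date(2008, 9, 8)},
]

# Constructed HR roster: uid -> termination date (None = still employed).
# IDs absent from the roster have no identifiable owner.
HR = {"jsmith": None, "bjones": None, "rlee": None, "tmoore": date(2008, 5, 15)}

# Constructed list of administrators approved by management.
APPROVED_ADMINS = {"rlee"}

# Assumed incompatible role pairs for this application.
SOD_CONFLICTS = [("AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"), ("GL_POSTING", "SYSADMIN")]


def unauthorised_ids(users, hr, as_of):
    """Objective: user access is authorized. Flag IDs with no HR owner or a terminated owner."""
    out = []
    for u in users:
        if u["uid"] not in hr:
            out.append((u["uid"], "no HR record"))
        elif hr[u["uid"]] is not None and hr[u["uid"]] <= as_of:
            out.append((u["uid"], f"terminated {hr[u['uid']]}, ID still active"))
    return out


def dormant_ids(users, as_of, days=DORMANT_DAYS):
    """Objective: logical access process is monitored. IDs unused for more than `days`."""
    return [u["uid"] for u in users if (as_of - u["last_login"]).days > days]


def unapproved_privileged(users, approved, priv_role="SYSADMIN"):
    """Objective: access to privileged IT functions is limited to appropriate individuals."""
    return [u["uid"] for u in users if priv_role in u["roles"] and u["uid"] not in approved]


def sod_violations(users, conflicts):
    """Objective: segregation of incompatible duties within the logical access environment."""
    return [(u["uid"], a, b) for u in users for a, b in conflicts if {a, b} <= u["roles"]]


def review(users=USERS, hr=HR, approved=APPROVED_ADMINS, conflicts=SOD_CONFLICTS, as_of=AS_OF):
    """Run every check; each non-empty list is an exception to investigate."""
    return {"unauthorised": unauthorised_ids(users, hr, as_of),
            "dormant": dormant_ids(users, as_of),
            "privileged": unapproved_privileged(users, approved),
            "sod": sod_violations(users, conflicts)}


if __name__ == "__main__":
    for objective, items in review().items():
        print(f"{objective}: {items or 'no exceptions'}")
```

Each list returned by review() maps to one control objective, so a non-empty list is a candidate exception for that objective rather than a finding in itself: the terminated owner and the unowned IDs need the access authorization evidence inspected, the dormant ID needs the monitoring evidence, and the unapproved administrator and the role conflict need management's explanation before the control is concluded on.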
Other IT General Controls
• Financial data has been backed‐up and is recoverable.
• Deviations from scheduled processing are identified and resolved in a timely manner.
• IT Operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner.
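As an added example (not part of the original presentation), the three IT operations objectives above can be tested against a scheduler log and an incident register. The log format, job names, the daily schedule, the incident records and the two-day resolution window are all constructed assumptions for this example, not the auditee's records.

```python
"""Review of IT operations evidence for the 'other' IT general control
objectives: financial data is backed up, deviations from scheduled processing
are identified, and incidents are logged and resolved in a timely manner.

The scheduler log, the incident register, the job schedule and the
resolution window below are all constructed for this example; they are not
the auditee's records, and the log format is an assumption."""
from datetime import date, timedelta

# Constructed job-scheduler export: date, time, job, status, optional incident ticket.
SCHEDULER_LOG = """\
2008-09-01 02:10 FIN_BACKUP_FULL SUCCESS
2008-09-01 23:05 GL_NIGHTLY_POST SUCCESS
2008-09-02 02:12 FIN_BACKUP_FULL FAILED INC-4410
2008-09-02 23:04 GL_NIGHTLY_POST SUCCESS
2008-09-03 02:09 FIN_BACKUP_FULL SUCCESS
2008-09-03 23:40 GL_NIGHTLY_POST FAILED
2008-09-04 02:11 FIN_BACKUP_FULL SUCCESS
2008-09-05 02:10 FIN_BACKUP_FULL SUCCESS
2008-09-05 23:02 GL_NIGHTLY_POST SUCCESS
"""

# Constructed incident register: ticket -> opened / resolved dates (resolved None = still open).
INCIDENTS = {"INC-4410": {"opened": date(2008, 9, 2), "resolved": date(2008, 9, 6)}}

DAILY_JOBS = ("FIN_BACKUP_FULL", "GL_NIGHTLY_POST")   # assumed schedule: every day
PERIOD = (date(2008, 9, 1), date(2008, 9, 5))           # review window (constructed)
MAX_RESOLUTION_DAYS = 2                                 # assumed resolution window


def parse_log(text):
    """Turn the scheduler export into a list of run records."""
    runs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        day, _time, job, status = parts[:4]
        runs.append({"date": date.fromisoformat(day), "job": job, "status": status,
                     "ticket": parts[4] if len(parts) > 4 else None})
    return runs


def days_in(period):
    start, end = period
    for n in range((end - start).days + 1):
        yield start + timedelta(days=n)


def missed_runs(runs, jobs=DAILY_JOBS, period=PERIOD):
    """Deviation from scheduled processing: a daily job with no run record at all."""
    seen = {(r["date"], r["job"]) for r in runs}
    return [(d, j) for d in days_in(period) for j in jobs if (d, j) not in seen]


def backup_gaps(runs, job="FIN_BACKUP_FULL", period=PERIOD):
    """Backup objective: days with no successful backup of the financial data."""
    good = {r["date"] for r in runs if r["job"] == job and r["status"] == "SUCCESS"}
    return [d for d in days_in(period) if d not in good]


def failures_without_ticket(runs):
    """Incident objective: failures that were never logged as an incident."""
    return [(r["date"], r["job"]) for r in runs if r["status"] == "FAILED" and not r["ticket"]]


def late_resolutions(runs, incidents=INCIDENTS, max_days=MAX_RESOLUTION_DAYS):
    """Incident objective: ticketed failures closed later than the allowed window, or still open."""
    late = []
    for r in runs:
        inc = incidents.get(r["ticket"]) if r["ticket"] else None
        if inc is None:
            continue
        if inc["resolved"] is None:
            late.append((r["ticket"], None))
        elif (inc["resolved"] - inc["opened"]).days > max_days:
            late.append((r["ticket"], (inc["resolved"] - inc["opened"]).days))
    return late


def review(text=SCHEDULER_LOG):
    """Run every check over the log; each non-empty list is an exception to follow up."""
    runs = parse_log(text)
    return {"missed_runs": missed_runs(runs), "backup_gaps": backup_gaps(runs),
            "failures_without_ticket": failures_without_ticket(runs),
            "late_resolutions": late_resolutions(runs)}


if __name__ == "__main__":
    for objective, findings in review().items():
        print(f"{objective}: {findings or 'no exceptions'}")
```

Note that a job that ran and failed is not a missed run: the two checks are separate because the control over deviations is about detection (was the failure noticed and ticketed) while the backup check is about the outcome (is there a good copy for that day). A day with a failed backup and no re-run is a gap even when the incident was properly ticketed.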
Manage Change
• What is the manage change scope?
– New system implementations (SDLC)
– Upgrade of existing system
– Addition of new functionality to an existing system
– New or changed interfaces connecting different applications
– Minor enhancement
– Patch to an existing system
– Emergency changes
– Configuration changes
Manage Change Controls
• Changes are authorized.
• Changes are tested.
• Changes are approved.
• Changes are monitored.
• Segregation of incompatible duties exists within the manage change environment.
Example: multiple applications (Meditech, Lawson, PeopleSoft) with different change processes (Change Process 1, Change Process 2).
Logical Access Process Components
• Logical Security Configurations: System Settings, Password Settings, Groups and Profiles, Super Users, Segregation of Duties, and more
• Logical Security Maintenance: User ID Maintenance, Monitoring, and more
• Procedures: Logical Access Path, and more
• Policies: Security Policy, Confidentiality Policy, Data Definition Policy, Policy Awareness Programs, and more
Walkthroughs: The Purpose
• Why do we perform walkthroughs?
• To confirm:
– Our understanding of the processing procedures
– Our understanding of the relevant controls
– That relevant controls have been placed in operation and are operating effectively
– Our documentation
Walkthroughs: The Methods
• Methods of gathering evidence during walkthroughs:
– Inquiring of a client to corroborate our understanding
– Selecting an item over which the controls are designed to operate and inspecting evidence of the operation of the controls on that item
– Examining the client's documentation of the control's design
– Examining reports used to monitor the controls
– Observing whether the process owner or others act upon the results of the controls
Walkthroughs: The Results
• Following our walkthrough, we make a preliminary evaluation of the effectiveness of controls
• The preliminary evaluation is made for each IT general control
Tests of Controls
• Determine whether the controls:
– Operated as we understood they would operate
– Were applied throughout the period of intended reliance
– Were applied on a timely basis
– Encompassed applicable transactions
– Were based on reliable information
– Resulted in the timely correction of any errors identified
Tests of Controls – Nature
• What are the different ways we can test controls?
– Inquiry
– Observation
– Inspection
– Re‐performance
• Inquiry alone does not provide sufficient evidence that the control operated throughout the period of intended reliance.
Tests of Controls – Exceptions
• What is an exception?
• An internal control exception occurs when we find that the control we are testing did not operate as intended. We investigate all internal control exceptions to determine:
– That our understanding is correct
– Their causes and implications
– The potential effects on other audit procedures
– The appropriate reporting to management and the audit committee
Tests of Controls – Example
Program Changes:
• Program change requests from the business line filter through the Business System Administrator, who determines if the change is valid. Emails the request to IT and a completed Issue Tracker form to the email account. (CM.1)
• The Issue Tracker form lists the requestor's name and details the problem encountered. The request is then input into an Access Database and assigned a ticket number for tracking purposes.
• Changes to application source code must be done by the vendor. Accordingly, requested changes are input to a Web‐based application tracker.
• Manager meetings are held bi‐weekly to review, update, and prioritize issues. Any planned system downtime is communicated to users via email notifications.
• Changes are initially applied in the test environment where they are validated by both IT and the requestor. Test documentation is produced and stored with the Change Request Form. (CM.2)
• Approvals for change migrations to production are emailed to the assigned Developer by the requestor after successful testing is performed by the requestor and another assigned analyst. (CM.3)
• Weekly team meetings are held in which it is determined which changes will be moved into production for that week. Standard, non‐code migration changes are moved into production daily. The application owner initials all Change Request Forms before migration. (CM.4) The ticket owner (analyst) is ultimately responsible for making the change and moving it into production by compiling / rebuilding the change in the production environment.
Tests of Controls Example – Cont.
Test Objective and Scope: To verify that changes are authorized, tested and approved by the business prior to implementation to production.
Test Population Source of Data: Extracted data from
Sample Selection Process: Random / Haphazard
Control Effective Date: January 1, 2008
Conclusion: Effective

Control ID | Control Description | Frequency | Type
CM.1 | Prior to development, all changes must be authorized by IT and business management. | Event Driven | Preventative
CM.2 | Changes are applied in the test environment where they are validated by both IT and the requestor. | Event Driven | Preventative
CM.3 | Approvals for change migrations to production are emailed to the assigned Developer by the requestor after successful testing is performed by the requestor and another assigned analyst. | Event Driven | Preventative
CM.4 | The application owner initials all Change Request Forms before migration. | Event Driven | Preventative
Tests of Controls Example – Test Matrix
Item ID | Item Description | Evidence Ref | CM.1 | CM.2 | CM.3 | CM.4
1 | Code change 1 | CM‐T‐01
2 | Code change 2 | CM‐T‐02
3 | Code change 3 | CM‐T‐03 | X
Tests of Controls: Evaluate
• When we have an exception, we must:
– Consider the results of the tests in relation to our preliminary evaluation of the controls to determine whether it is still appropriate. In some instances, the assessment is no longer appropriate.
– Reconsider our combined risk assessment and our audit approach.
Tests of Controls: Documentation
Should include:
• A detailed description of the specific controls tested
• The procedures used to test the controls
• The number of times each control will be tested
• The method used to select the items tested
• A list of the items tested
• A list of any exceptions, their causes, and implications
• Any changes to our strategy resulting from our tests
We carry this forward in years that we rotate our tests (NA under Integrated Audit).
Components of a Finding
• Observation
• Standard/Leading Practice
• Cause
• Business Risk/Effect
• Recommendation
Summary
• Identify ITGCs in the IT environment
• Document and walkthrough controls
• Perform Tests of Controls
• Describe how we evaluate the results of our tests to arrive at a conclusion
• Document test procedures and deficiencies
Elements in the IT Infrastructure
Network Elements
– LAN/WAN
– Router
– Switch
– Firewall
– Modem
– Remote Access Server
– Intrusion Detection Devices (IDS)
Common IT Terms
• Operating System – An operating system (OS) is the program that controls the hardware and acts as the intermediary between the application(s) and the hardware. Common OS are Windows (2000, XP, NT), UNIX, Novell and OS400.
• Hardware – Hardware is the physical aspect of computers, telecommunications, and other information technology devices.
• Application – An application is any program designed to perform a specific function directly for the user or, in some cases, for another application program.
Common IT Terms (cont.)
• Local Area Network – A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area.
• Wide Area Network – A wide area network (WAN) is a geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure from a LAN.
Common IT Terms (cont.)
• Virtual Private Network – A virtual private network (VPN) is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure encrypted access to their organization's network.
• Server – A server is a computer program that provides services to other computer programs in the same or other computers (e.g. file server, print server, application server, etc.).
Common IT Terms (cont.)
• Remote Access – Remote access is the ability to get access to a computer or a network from a remote location.
• Direct Dial‐up – Dial‐up pertains to a telephone connection. A dial‐up connection is established and maintained for a limited time duration.
• Gateway Server – A gateway is a network point that acts as an entrance to another network.
Common IT Terms (cont.)
• Application Server – An application server is a server program in a computer in a distributed network that provides the business logic for an application program.
• Infrastructure – In information technology and on the Internet, infrastructure is the physical hardware used to interconnect computers and users.
• Firewall – A firewall is a physical device or set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
Common IT Terms (cont.)
• ERP – ERP (Enterprise resource planning) is an industry term for the broad set of activities supported by multi‐module application software that helps a manufacturer or other business manage the important parts of its business (e.g. SAP, PeopleSoft, etc.).
• Database – A database is a collection of data that is organized so that its contents can easily be accessed, managed, and updated.
Common IT Terms (cont.)
• Backup – The act of storing data from one system to another system or to a form of electronic media (i.e. tape, CD). Backups are generally performed on a regular basis and can be full, incremental, or differential.
• Recovery – The act of applying stored data to a system in order to allow it to resume normal operations.
• UPS – Uninterruptible Power Supply. A battery device that allows the systems on a network to continue operating for a limited time after a power failure. This permits an orderly shutdown of the servers and limits the risk of data loss.
Common IT Terms (cont.)
• Business Continuity Plan – A business level plan that describes how and where the business will prioritize its recovery from an unforeseen event and how it will restore and continue its operations.
• Disaster Recovery Plan – An IT level plan that describes how and where the IT department will prioritize the system and network recovery from an unforeseen event and how the department will restore and continue its operations (a Disaster Recovery Plan is part of an overall Business Continuity Plan and the two must be in sync).
Logical Access Path (LAP)
• How individuals get beyond logical security to the desired data
• Designed for the structured assessment of risks and related security measures in complex computer systems
[Diagram: the path from User to Data]
Logical Access Path Overview
[Diagram: the layers a user passes through on the way to the data, from User to Data]
• Data Communication Software – Transports data between the components of a network (e.g., end users' terminals) and system software in the transaction software layer
• Transaction Software – Divides the available processing time among the active users and programs. Transactions (e.g., a menu option) can be composed of multiple programs
• Application Software – Controls within applications aimed at the security of logical data
• Data Access Methods – Access methods and database management controls that manage which parts of the data the application can access and in what way
• Operating System – A shell that surrounds all system software layers. Each piece of software on each of the layers has an interface with the operating system
Logical Access Path (Three‐Tier)
[Diagram: User Interface (input data from user, output data to user) – Data Communication Software – Application Server (Transaction Software, Application Software, Central DB Buffer; reads the database and updates the buffer) – Database Server (Data Access Methods, Operating System, Main DB; stores all data and application programs)]
Where To Find IT Terms & Acronyms
• There are multiple web‐sites on the Internet that can be used to explain IT terms & acronyms. Some good ones are:
– www.whatis.techtarget.com
– www.howstuffworks.com
– www.google.com
• Your TSRS co‐workers are also a great source for understanding terminology