Date post: 09-Jul-2018
Understanding IT General Controls
Presenter: Ben Miron
September 9, 2008

Session Objectives

• Understand the IT Environment

• Define and Identify IT General Controls

• Develop an understanding for the IT audit process

• Conduct an IT General Controls Walkthrough

• Example Tests of IT Controls 

• Conclude and Document our Results


IT Environment

• Understand the IT Environment

• Purpose:
– Identify all significant applications and infrastructure
– Relationship between process and applications
– Relationship between applications and infrastructure
– Indicate where we might want to rely on electronic audit evidence
– Identify areas on which to focus our review

IT Environment

Diagram: the IT Environment contains the Application Controls, which rest on the IT General Controls.

IT General Control Approach (COSO / COBIT Approach)

Diagram: the COSO cube. The five components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) are shown against the Objectives on one axis and the Units / Functions on the other.

Categories of Controls

Diagram: type of control plotted against objective of control.

Type of Control:
– Manual Controls
– IT-Dependent Manual Controls
– Automated Application Controls
– IT General Controls

Objective of Control:
– Manual, IT-Dependent Manual and Automated Application Controls: Prevent / Detect misstatement in the financial statements
– IT General Controls: Support the continued functioning of automated aspects of prevent and detect controls

Effect of ITGC on Application Controls

• Effective IT general controls:
– Help make sure that application controls function effectively over time

• Ineffective IT general controls:
– Application controls might still operate effectively, but the ITGCs no longer provide evidence that they kept operating throughout the period
– Affects both financial statement and internal control audit strategy, such as the nature, timing, and extent of tests of application controls

IT General Control Objectives

• Change Management:
– Only appropriately authorized, tested and approved changes are made

• Logical Access:
– Only authorized persons have access to the system and they can only perform specifically authorized functions

• Other IT General Controls (including IT operations):
– Process for determining that IT resources and applications continue to function as intended over time

Logical Access Controls

• General system security settings are appropriate.
• Password settings are appropriate.
• Access to privileged IT functions is limited to appropriate individuals.
• Access to system resources and utilities is limited to appropriate individuals.
• User access is authorized and appropriately established.
• Physical access to computer hardware is limited to appropriate individuals.
• Logical access process is monitored.
• Segregation of incompatible duties exists within logical access environment.
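The list above is what the auditor tests; the following is an added example (not part of the presentation) of how those objectives turn into concrete checks over a system's password configuration and a user listing joined with HR status. The field names, the baseline thresholds, the role names and the sample records are all assumptions constructed for this illustration, not data from any system named on the slides.

```python
"""Logical access review helpers (added example, not part of the presentation).

Applies the logical access control objectives above to a constructed password
policy export and user listing. Field names, thresholds and role names are
assumptions made for this illustration.
"""
from datetime import date

# Assumed baseline an auditor compares the system's password settings against.
# max_age_days is a ceiling; the other values are floors.
PASSWORD_BASELINE = {"min_length": 8, "max_age_days": 90,
                     "lockout_threshold": 5, "history": 6}

# Role pairs one account should not hold together (segregation of duties).
INCOMPATIBLE_ROLES = [("developer", "prod_migrate"), ("ap_entry", "ap_approve")]

DORMANT_DAYS = 90            # enabled accounts unused this long get flagged
AS_OF = date(2008, 9, 9)     # review date for the constructed sample


def check_password_settings(settings):
    """Return one finding per configured value that is weaker than the baseline."""
    findings = []
    for key, required in PASSWORD_BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            weak = True
        elif key == "max_age_days":
            weak = actual > required
        else:
            weak = actual < required
        if weak:
            findings.append({"control": "password_settings", "setting": key,
                             "actual": actual, "required": required})
    return findings


def check_accounts(accounts, as_of=AS_OF):
    """Apply the user access, privileged access, monitoring and SoD objectives."""
    findings = []
    for acct in accounts:
        uid, roles = acct["user"], set(acct["roles"])
        enabled, last = acct["enabled"], acct["last_login"]
        if enabled and acct["hr_status"] == "terminated":
            findings.append({"control": "user_access", "user": uid,
                             "issue": "enabled account for terminated employee"})
        if enabled and (last is None or (as_of - last).days > DORMANT_DAYS):
            findings.append({"control": "monitoring", "user": uid,
                             "issue": "dormant account not removed"})
        if acct["shared"] and "admin" in roles:
            findings.append({"control": "privileged_access", "user": uid,
                             "issue": "shared account holds privileged role"})
        for a, b in INCOMPATIBLE_ROLES:
            if a in roles and b in roles:
                findings.append({"control": "segregation_of_duties", "user": uid,
                                 "issue": f"holds incompatible roles {a} and {b}"})
    return findings


def review_logical_access(settings, accounts):
    """Combined review; an empty list means no exceptions against the objectives."""
    return check_password_settings(settings) + check_accounts(accounts)


# Constructed sample data (not from any real system).
SAMPLE_POLICY = {"min_length": 6, "max_age_days": 365,
                 "lockout_threshold": 5, "history": 6}

SAMPLE_ACCOUNTS = [
    {"user": "jsmith", "roles": ["ap_entry"], "enabled": True, "shared": False,
     "hr_status": "active", "last_login": date(2008, 9, 1)},
    {"user": "mjones", "roles": ["developer", "prod_migrate"], "enabled": True,
     "shared": False, "hr_status": "active", "last_login": date(2008, 9, 5)},
    {"user": "rlee", "roles": ["ap_entry"], "enabled": True, "shared": False,
     "hr_status": "terminated", "last_login": date(2008, 3, 2)},
    {"user": "ADMIN", "roles": ["admin"], "enabled": True, "shared": True,
     "hr_status": "n/a", "last_login": date(2008, 9, 8)},
]

if __name__ == "__main__":
    for finding in review_logical_access(SAMPLE_POLICY, SAMPLE_ACCOUNTS):
        print(finding)
```

Each finding names the objective it maps back to, so the output can be dropped straight into the test documentation described later in the deck. Note that the review only works if the user listing is reconciled against an independent HR feed; a listing alone cannot show that a leaver's account should have been disabled.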

Other IT General Controls

• Financial data has been backed‐up and is recoverable.

• Deviations from scheduled processing are identified and resolved in a timely manner.

• IT Operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner.


Manage Change and Logical Access

Manage Change

• What is the manage change scope?
– New system implementations (SDLC)
– Upgrade of existing system
– Addition of new functionality to an existing system
– New or changed interfaces connecting different applications
– Minor enhancement
– Patch to an existing system
– Emergency changes
– Configuration changes

Manage Change Controls

• Changes are authorized.

• Changes are tested.

• Changes are approved.

• Changes are monitored.

• Segregation of incompatible duties exists within the manage change environment.

Example: multiple applications with different change processes (diagram):
– Meditech: Change Process 1
– Lawson, PeopleSoft: Change Process 2

Logical Access Process Components

Diagram: four groups of components.

Logical Security Configurations:
• System Configurations
• System Settings
• Password Settings
• Segregation of Duties
• And more

Logical Security Maintenance:
• User ID Maintenance
• Groups and Profiles
• Super Users
• Monitoring
• And more

Procedures:
• Logical Access Path
• And more

Policies:
• Security Policy
• Confidentiality Policy
• Data Definition Policy
• Policy Awareness Programs
• And more

Conducting IT General Control Walkthroughs

Walkthroughs: The Purpose

• Why do we perform walkthroughs?

• To confirm:
– Our understanding of the processing procedures
– Our understanding of the relevant controls
– That relevant controls have been placed in operation and are operating effectively
– Our documentation

Walkthroughs: The Methods

• Methods of gathering evidence during walkthroughs:
– Inquiring of a client to corroborate our understanding
– Selecting an item over which the controls are designed to operate and inspecting evidence of the operation of the controls on that item
– Examining the client’s documentation of the control’s design
– Examining reports used to monitor the controls
– Observing whether the process owner or others act upon the results of the controls

Walkthroughs: The Results

• Following our walkthrough, we make a preliminary evaluation of the effectiveness of controls

• The preliminary evaluation is made for each IT general control


Tests of Controls

Tests of Controls

• Determine whether the controls:
– Operated as we understood they would operate
– Were applied throughout the period of intended reliance
– Were applied on a timely basis
– Encompassed applicable transactions
– Were based on reliable information
– Resulted in the timely correction of any errors identified

Tests of Controls – Nature

• What are the different ways we can test controls?
– Inquiry
– Observation
– Inspection
– Re‐performance

• Inquiry alone does not provide sufficient evidence that the control operated throughout the period of intended reliance.

Tests of Controls – Exceptions

• What is an exception?

• An internal control exception occurs when we find that the control we are testing did not operate as intended. We investigate all internal control exceptions to determine:
– Our understanding is correct
– Their causes and implications
– The potential effects on other audit procedures
– The appropriate reporting to management and the audit committee

Tests of Controls – Example

Program Changes:
• Program change requests from the business line filter through the Business System Administrator, who determines if the change is valid, emails the request to IT and sends a completed Issue Tracker form to the email account.
• The Issue Tracker form lists the requestor’s name and details the problem encountered. The request is then input into an Access Database and assigned a ticket number for tracking purposes. [CM.1]
• Changes to application source code must be done by the vendor. Accordingly, requested changes are input to a Web‐based application tracker.
• Manager meetings are held bi‐weekly to review, update, and prioritize issues. Any planned system downtime is communicated to users via email notifications.
• Changes are initially applied in the test environment where they are validated by both IT and the requestor. Test documentation is produced and stored with the Change Request Form. [CM.2]
• Approvals for change migrations to production are emailed to the assigned Developer by the requestor after successful testing is performed by the requestor and another assigned analyst. [CM.3]
• Weekly team meetings are held in which it is determined which changes will be moved into production for that week. Standard, non‐code migration changes are moved into production daily. The application owner initials all Change Request Forms before migration. [CM.4] The ticket owner (analyst) is ultimately responsible for making the change and moving it into production by compiling / rebuilding the change in the production environment.

Tests of Controls Example – Cont.

Test Objective and Scope: To verify that changes are authorized, tested and approved by the business prior to implementation to production.
Test Population Source of Data: Extracted data from 
Sample Selection Process: Random / Haphazard
Control Effective Date: January 1, 2008
Conclusion: Effective

Control ID – Control Description (Frequency; Type)
CM.1 – Prior to development, all changes must be authorized by IT and business management. (Event Driven; Preventative)
CM.2 – Changes are applied in the test environment where they are validated by both IT and the requestor. (Event Driven; Preventative)
CM.3 – Approvals for change migrations to production are emailed to the assigned Developer by the requestor after successful testing is performed by the requestor and another assigned analyst. (Event Driven; Preventative)
CM.4 – The application owner initials all Change Request Forms before migration. (Event Driven; Preventative)

Tests of Controls Example – Test Matrix

Columns: Item ID, Item Description, Evidence Ref, and one result column for each of CM.1, CM.2, CM.3 and CM.4.
1 – Code change 1 – CM‐T‐01
2 – Code change 2 – CM‐T‐02
3 – Code change 3 – CM‐T‐03 – X

Evaluating Control Deficiencies

Tests of Controls: Evaluate

• When we have an exception, we must:
– Consider the results of the tests in relation to our preliminary evaluation of the controls to determine whether it is still appropriate. In some instances, the assessment is no longer appropriate.
– Reconsider our combined risk assessment and our audit approach.

Tests of Controls: Documentation

Should include:

• A detailed description of the specific controls tested
• The procedures used to test the controls
• The number of times each control will be tested
• The method used to select the items tested
• A list of the items tested
• A list of any exceptions, their causes, and implications
• Any changes to our strategy resulting from our tests

We carry this forward in years that we rotate our tests (NA under Integrated Audit).

Components of a Finding

• Observation

• Standard/Leading Practice

• Cause

• Business Risk/Effect

• Recommendation


Summary

• Identify ITGCs in the IT environment

• Document and walkthrough controls

• Perform Tests of Controls

• Describe how we evaluate the results of our tests to arrive at a conclusion

• Document test procedures and deficiencies


Questions?

THANK YOU!!!

Appendix - Common IT Definitions

Elements in the IT Infrastructure

Network Elements
– LAN/WAN
– Router
– Switch
– Firewall
– Modem
– Remote Access Server
– Intrusion Detection Devices (IDS)

Common IT Terms

• Operating System – An operating system (OS) is the program that controls the hardware and acts as the intermediary between the application(s) and the hardware. Common OS are Windows (2000, XP, NT), UNIX, Novell and OS400.

• Hardware – Hardware is the physical aspect of computers, telecommunications, and other information technology devices.

• Application – An application is any program designed to perform a specific function directly for the user or, in some cases, for another application program.

Common IT Terms (cont.)

• Local Area Network – A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area.

• Wide Area Network – A wide area network (WAN) is a geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure from a LAN.

Common IT Terms (cont.)

• Virtual Private Network – A virtual private network (VPN) is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure encrypted access to their organization's network.

• Server – A server is a computer program that provides services to other computer programs on the same or other computers (e.g., file server, print server, application server).

Common IT Terms (cont.)

• Remote Access – Remote access is the ability to get access to a computer or a network from a remote location.

• Direct Dial‐up – Dial‐up pertains to a telephone connection. A dial‐up connection is established and maintained for a limited time duration.

• Gateway Server – A gateway is a network point that acts as an entrance to another network.

Common IT Terms (cont.)

• Application Server – An application server is a server program in a computer in a distributed network that provides the business logic for an application program.

• Infrastructure – In information technology and on the Internet, infrastructure is the physical hardware used to interconnect computers and users.

• Firewall – A firewall is a physical device or set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.

Common IT Terms (cont.)

• ERP – ERP (Enterprise resource planning) is an industry term for the broad set of activities supported by multi‐module application software that helps a manufacturer or other business manage the important parts of its business (e.g., SAP, PeopleSoft).

• Database – A database is a collection of data that is organized so that its contents can easily be accessed, managed, and updated.

Common IT Terms (cont.)

• Backup – The act of storing data from one system to another system or to a form of electronic media (e.g., tape, CD). Backups are generally performed on a regular basis and can be full, incremental, or differential.

• Recovery – The act of applying stored data to a system in order to allow it to resume normal operations.

• UPS – Uninterruptible Power Supply. A battery device that allows the systems on a network to continue operating for a limited time after a power failure. This permits an orderly shutdown of the servers and limits the risk of data loss.

Common IT Terms (cont.)

• Business Continuity Plan – A business level plan that describes how and where the business will prioritize its recovery from an unforeseen event and how it will restore and continue its operations.

• Disaster Recovery Plan – An IT level plan that describes how and where the IT department will prioritize the system and network recovery from an unforeseen event and how the department will restore and continue its operations (a Disaster Recovery Plan is part of an overall Business Continuity Plan and the two must be in sync).

Logical Access Path (LAP)

• How individuals get beyond logical security to the desired data

• Designed for the structured assessment of risks and related security measures in complex computer systems

Diagram: User → Data

Logical Access Path Overview

Diagram: the layers a user passes through to reach the data, from the outside in.

• Data Communication Software – Transports data between the components of a network (e.g., end users’ terminals) and system software in the transaction software layer.
• Transaction Software – Divides the available processing time among the active users and programs. Transactions (e.g., a menu option) can be composed of multiple programs.
• Application Software – Controls within applications aimed at the security of logical data.
• Data Access Methods – Access methods and database management controls that manage which parts of the data the application can access and in what way.
• Operating System – A shell that surrounds all system software layers. Each piece of software on each of the layers has an interface with the operating system.

Logical Access Path (Three‐Tier)

Diagram: the same layers distributed over three tiers.

• User Interface – User; Data Communication Software (input data from user, output data to user).
• Application Server – Application Software; Transaction Software; Central DB Buffer (output data to user; reading database and updating buffer).
• Database Server – Data Access Methods; Operating System; Main DB (stores all data and application programs).

Where To Find IT Terms & Acronyms

• There are multiple web‐sites on the Internet that can be used to explain IT terms & acronyms. Some good ones are:
– www.whatis.techtarget.com
– www.howstuffworks.com
– www.google.com

• Your TSRS co‐workers are also a great source for understanding terminology

