
G O V E R N M E N T

2. Agenda
- Information Technology Assessment Overview
- Information Technology General Controls
- Benefits of an Effectively Controlled Information Technology Environment
- Top 12 Questions Internal Control Officers and Internal Auditors should ask IT
- Questions and Discussion

© 2008 KPMG LLP, the U.S.



Presentation Transcript


    2. Agenda

    3. Information Technology Assessment Overview

    4. Information Technology Assessment Overview
    - Serves as a baseline for any audit that relies on systems, applications, or data
    - Relevant to the achievement of financial reporting, operations, or compliance objectives
    - Use of IT affects the fundamental manner in which transactions are initiated, authorized, processed, and recorded
    - Some IT control activities are the responsibility of IT personnel, while others are the responsibility of all employees and/or third parties that access the organization's systems.

    5. Information Technology Assessment Overview
    IT may affect any of the five components of the NYS Standards for Internal Control:
    - Control Environment: attitude, management's governance, ethical values, morale
    - Communication: exchange of useful information; timely, informative, affects all aspects of an organization's operations
    - Assessing and Managing Risk: identify, assess impact and likelihood, manage (accept, reduce, avoid)
    - Control Activities: automated and manual tools that help identify, prevent, or reduce risks (documentation, approval, authorization, SOD, reporting); encryption, backup and recovery, passwords, virus protection, etc.
    - Monitoring: review of activities and transactions to assess quality and effectiveness

    6. IT Assessment Overview, Continued
    IT controls are categorized as either General or Application:
    - General controls apply pervasively to information systems (mainframe, servers, network, end-user environments)
    - Application controls apply to the processing of data within the application software.
    General controls support the functioning of application controls.


    8. Information Technology General Controls (ITGC)


    11. ITGC – Access to Programs and Data
    Determine that adequate controls have been established to reduce the risk of unauthorized/inappropriate access to the organization's applications or data.
    - Information security function, policies, etc.
    - Physical access to the data center(s) housing the in-scope applications
    - Logical access to the applications and supporting operating systems, databases, etc.
    - Procedures for adding/removing/modifying user access rights
    - Powerful user access – application, operating system, and database
    - Password parameters
    - Segregation of duties

    12. ITGC – Program Change
    Determine that adequate controls have been established to obtain reasonable assurance that changes to existing systems/applications are authorized, tested, approved, properly implemented and documented.
    - Change Management Process – formal and documented
    - Change requests and approvals
    - Testing
    - Migrating changes to production
    - Emergency changes

    13. ITGC – Program Development
    Determine that adequate controls have been established to obtain reasonable assurance that new systems/applications being developed or acquired are authorized, tested, approved, properly implemented and documented.
    - Process for acquiring / developing new IT systems (i.e., System Development Life Cycle)
    - Authorization and approvals
    - Project Management
    - Documentation – scope, requirements, budget, status reporting
    - Testing
    - Data Migration

    14. ITGC – Computer Operations
    Determine that adequate controls have been established to obtain reasonable assurance that system/application processing is appropriately authorized and scheduled, and that deviations from scheduled processing are identified and resolved.
    - Job scheduling and processing procedures
    - Monitoring procedures
    - Problem Management procedures
    - Backup and Recovery procedures: backup schedule, offsite storage, periodic testing of backup media


    17. Top 12 Questions Internal Control Officers and Internal Auditors should ask IT

    18. #12: Are procedures in place to ensure the accuracy, completeness, and timely processing of system jobs, including backups?
    - Defined job schedule and documented processing procedures, including backups
    - Defined and implemented problem management procedures to record, analyze, and resolve incidents

    19. #11: Is physical access to the IT resources restricted to appropriate personnel?
    - Servers, mainframes, etc. are located in a physically secure area where access is limited
    - Obtaining access to this area requires documented approval from an appropriate level of management

    20. #10: Have authentication mechanisms been established that provide individual accountability?
    - Individual user IDs
    - Passwords with appropriate rules and syntax
    - Initial passwords and password resets

    21. #9: Is access to powerful system and application level IDs appropriately restricted, and is effective monitoring in place to govern the use of these IDs?
    - Access is restricted to a small group of personnel based on job function
    - Unique user IDs are utilized to maintain accountability
    - Where possible, access is logged and recorded for appropriate review
    - Access requirements to data outside of applications have been defined

    22. #8: Have procedures been established for granting, modifying, and removing user access?
    - Formal, documented approval is required
    - Requests are made by authorized individuals and are retained in a central location
    - Access for terminated employees is removed in a timely manner

    23. #7: Are periodic reviews of user access and user access rights performed and documented?
    - Inappropriate system access is removed
    - Access changes due to the review process are appropriately documented and retained
    - Access groups / roles are also periodically reviewed for appropriateness and segregation of duties

    24. #6: Has a formal process been adopted to govern the acquisition or development of IT infrastructure and information systems?
    - System Development Life Cycle (SDLC)
    - Authorizations and approvals
    - Project Management
    - Testing
    - Data Conversion

    25. #5: Has a formal change management process been established that outlines the requirements for making changes to systems and applications?
    - Documented process that is communicated to IT and user personnel
    - Periodic review and approval by management

    26. #4: Are change requests (including those for emergency changes) formally documented, authorized, tested and approved prior to implementation into the production environment?
    - Change requests and supporting documentation are retained in a central repository
    - Appropriate testing is performed depending on the type of change
    - Documented authorizations / approvals are retained

    27. #3: Is the ability to migrate changes into the production environment restricted to appropriate personnel?
    - Segregation of duties between developers and those responsible for migration
    - Changes to production libraries / directories are logged and proactively reviewed
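As an added example (not part of the presentation), the evidence behind questions #8, #7 and #3 can be gathered by an automated user-access review: it reconciles an account extract against an HR termination feed and tests a developer/production-migrator segregation-of-duties rule. The field names, role names, sample records and the 3-day removal threshold are all assumptions constructed for the example.

```python
"""Added example for questions #8, #7 and #3: an automated user-access review
over constructed data. Field names, role names and the 3-day removal
threshold are assumptions, not taken from the presentation."""
from datetime import date, timedelta

AS_OF = date(2008, 3, 14)        # review date (constructed)
REMOVAL_SLA = timedelta(days=3)  # assumed "timely" removal threshold
# Assumed segregation-of-duties rule: developers may not migrate to production
CONFLICTING_ROLES = [{"developer", "prod_migrator"}]

# Constructed HR feed: user id -> termination date (None = still employed)
HR_RECORDS = {"alice": None, "bob": date(2008, 3, 3), "carol": date(2008, 3, 10),
              "dave": None, "erin": date(2008, 3, 13)}

# Constructed account extract: user id -> (enabled?, set of roles)
ACCOUNTS = {
    "alice": (True, {"developer"}),
    "bob": (True, {"developer"}),                    # terminated 11 days ago, still enabled
    "carol": (False, {"prod_migrator"}),             # terminated, correctly disabled
    "dave": (True, {"developer", "prod_migrator"}),  # holds both sides of the SoD rule
    "erin": (True, {"developer"}),                   # terminated 1 day ago, inside the SLA
    "svc_batch": (True, {"prod_migrator"}),          # no HR record: orphan or service account
}


def terminated_but_enabled(hr, accounts, as_of):
    """Question #8: terminated people whose account is still enabled past the
    SLA, plus enabled accounts with no HR owner (they cannot be reviewed)."""
    findings = []
    for uid, (enabled, _roles) in accounts.items():
        if not enabled:
            continue
        if uid not in hr:
            findings.append((uid, "no HR record"))
        elif hr[uid] is not None and as_of - hr[uid] > REMOVAL_SLA:
            findings.append((uid, f"enabled {(as_of - hr[uid]).days}d after termination"))
    return findings


def sod_conflicts(accounts):
    """Questions #7/#3: enabled accounts holding every role of a conflicting set."""
    return sorted(uid for uid, (enabled, roles) in accounts.items()
                  if enabled and any(rule <= roles for rule in CONFLICTING_ROLES))


if __name__ == "__main__":
    for uid, why in terminated_but_enabled(HR_RECORDS, ACCOUNTS, AS_OF):
        print(f"#8 finding: {uid}: {why}")
    for uid in sod_conflicts(ACCOUNTS):
        print(f"SoD finding: {uid} is both developer and prod_migrator")
```

Each finding is the item an auditor would trace back to a retained approval or a documented review, which is the evidence the three questions ask for.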

    28. #2: Has the organization adopted a formalized security policy that provides guidance and includes within its scope relevant aspects of the IT environment?
    - Policy is communicated throughout the organization to both full-time and temporary/part-time personnel
    - The policy is reviewed and approved by management on a periodic basis and updated as appropriate

    29. #1: Has an information security function been established that is appropriately aligned within the organization?
    - Function is appropriately positioned and is independent of development and operations
    - Security personnel within the organization have the appropriate technical skill set to understand security concepts and implementation

    30. Questions and Discussion

