Internal Controls in a computerized environment
Some concepts of control do not change:
• Objectives
• Framework (COSO)*
• Internal Environment
Implementation will change:
• More focus on system (embedded) controls
• Continuous rather than periodic controls
• Random v. systematic errors
*COBIT augments existing framework

Computerized Controls
• Benefits: decrease human error, restrict access, decrease duplication of input, audit trail
• Detriments: confidentiality, system integrity, completeness, input errors, audit trail

Categories of IC in a computerized environment
General Controls – pervasive, relate to the entire system
• Part of the Control Environment; must be managed well to enhance the effectiveness of application controls
• Examples: physical access restrictions, backup process, policies, disaster recovery, IT segregation of duties

General Controls – System reliability
Definition: “A system that operates without material error, fault or failure during a specified time in a specified environment.”
Components:
• Separation of incompatible functions
• Access
• Backup and recovery
• Management of the IS function

General Controls—based on COBIT
• Company level controls (monitoring, planning, assessment): definition of IT roles, assessment of significant IT activities outside the IT function…
• Change controls (approval, separation of duties, policies): testing & QA of changes, authorization of changes, separate developers from the production environment
• Operations (policies, roles): formal backup policies, operational policies and procedures well defined
• Security (review, access, data/system): periodic review of access, policies for admitting new users/user access, review of exception logs

Criteria for implementing principles of system reliability
• Policies: The entity has defined and documented its security policies relevant to the particular principle.
• Communications: The entity has communicated its defined policies to authorized users.
• Procedures: The entity uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring: The entity monitors the system and takes action to maintain compliance with its defined policies.
NOTE: Management involvement and support are necessary

Principles to achieve system reliability
a. Security: The system is protected against unauthorized access (both physical and logical).
b. Availability: The system is available for operation and use as committed or agreed.
c. Processing integrity: System processing is complete, accurate, timely, and authorized.
d. Confidentiality: Information designated as confidential is protected from unauthorized disclosure.
e. Privacy: Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.

Security
• Security is a management issue, not a technology issue
• Redundancy—defense in depth
• Control categories—apply to manual and computer:
  • Preventive
  • Detective
  • Monitoring
• Examples?

Availability
• Threats:
  • Hardware/software failure
  • Natural/man-made disasters
  • Human error
  • Worms/viruses
  • Sabotage

Availability
• Controls:
  • Disaster Recovery Plan (continuity)
  • Access controls – physical and automated
  • Preventive maintenance
  • Surge protectors/uninterruptible power supply
  • Training

Processing Integrity
• Accurate, timely, authorized transactions and completeness
• Types of controls:
  • Source data controls
  • Data entry controls
  • Processing controls
  • Output controls

Source Data Controls
• Form design
• Cancellation
• Secure storage
• Segregation of duties
• Authorization

Data Entry Controls
• Computer field checks
• Range checks
• Completeness checks
• Validity checks
Means to achieve:
• Error logs
• Batch totals
• Sequence checks

Processing Controls
• Data matching
• Batch total recalculation
• Write protection

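The data entry controls (field, range, completeness and validity checks, sequence checks, error logs) and the processing control of batch total recalculation, applied to a constructed batch of vendor invoices. This is an added example, not code from the slide deck; the batch layout, the vendor master file and the control totals are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed batch header, keyed from the source documents (control totals).
BATCH_HEADER = {"record_count": 4, "amount_total": Decimal("1850.00")}
# Constructed records: seq 3 is missing, V999 is not a vendor, "abc" is not numeric.
BATCH = [
    {"seq": 1, "account": "2000", "vendor": "V001", "amount": "500.00"},
    {"seq": 2, "account": "2000", "vendor": "V002", "amount": "750.00"},
    {"seq": 4, "account": "6100", "vendor": "V999", "amount": "100.00"},
    {"seq": 5, "account": "2000", "vendor": "V001", "amount": "abc"},
]
VALID_VENDORS = {"V001", "V002", "V003"}            # constructed vendor master file
AMOUNT_RANGE = (Decimal("0.01"), Decimal("10000.00"))
REQUIRED_FIELDS = ("seq", "account", "vendor", "amount")

def parse_amount(rec):
    """Field check: the amount must be numeric; returns None when it is not."""
    try:
        return Decimal(rec.get("amount", ""))
    except InvalidOperation:
        return None

def check_record(rec):
    """Completeness, field, range and validity checks on a single record."""
    errors = []
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:
        errors.append(f"completeness: missing {missing}")
    amount = parse_amount(rec)
    if amount is None:
        errors.append("field: amount is not numeric")
    elif not AMOUNT_RANGE[0] <= amount <= AMOUNT_RANGE[1]:
        errors.append(f"range: amount {amount} outside {AMOUNT_RANGE}")
    if rec.get("vendor") not in VALID_VENDORS:
        errors.append(f"validity: vendor {rec.get('vendor')} not in master")
    return errors

def check_batch(header, batch):
    """Sequence check and batch-total recalculation; returns the error log."""
    log = {rec["seq"]: errs for rec in batch if (errs := check_record(rec))}
    seqs = [rec["seq"] for rec in batch]
    if seqs != list(range(seqs[0], seqs[0] + len(seqs))):
        log.setdefault("batch", []).append(f"sequence: gap or reorder in {seqs}")
    if len(batch) != header["record_count"]:
        log.setdefault("batch", []).append("count: record count differs from header")
    recomputed = sum((a for a in map(parse_amount, batch) if a is not None), Decimal(0))
    if recomputed != header["amount_total"]:
        log.setdefault("batch", []).append(f"total: recomputed {recomputed} != header {header['amount_total']}")
    return log
```

The error log is the detective record the slide calls for: records 1 and 2 pass, records 4 and 5 are rejected individually, and the sequence gap and the total mismatch are caught at batch level even though the record count agrees.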
Output Controls
• Usually manual
• Reconciliations
  • Key reconciliation for a system is sub-ledger to control account in G/L
• Source documentation verification

Confidentiality
• Each organization has its own definition of what this means.
• Examples of items usually considered confidential:
  • Business plans
  • Pricing
  • Customer lists
  • Contracts

Confidentiality
• Controls:
  • Encryption: storage and transmission
  • Access controls: read/write, changes, deletion, copy, etc.
  • Authentication: unique ID, passwords, fingerprints

Confidentiality
• Threats:
  • E-mail
  • Instant messaging
  • Downloads
NOTE: Monitoring in this area is required as new threats are occurring almost daily

Privacy
• Focuses on protecting personal information about customers and employees
• Vs. confidentiality, which deals predominantly with organization data
• Same controls as those for confidentiality (encryption, access, authentication)
• Federal and some state regulations cover customer information privacy
• Identity theft issues

Access Control Matrix
• A table listing all authorized users and their corresponding abilities within a system. This should include type of access as well:
  • Read
  • Change
  • Delete/Add
• Powerful SOD tool
• Change management is key to remaining effective
• Type of control?
  • Preventive

Categories of IC in a computerized environment
Application Controls – specific, relate to individual portions of the system, or types of transactions
• Prevent, detect, correct errors in input, processing, output
• Examples: software passwords, security matrix, edit reports, smart fields, batch totals

Key application controls
• Batch totals – aid in computer environment, often embedded in the process
• Source data controls – pre-numbered, turnaround, computer-readable
• Online data entry – preformat, prompt, accuracy (completeness)

More application controls
• Input validation – edit program, sequence checks, validity check
• File maintenance – reconcile master with other data, data security
• Output controls – user review, reconcile batch totals, error logs

Computer systems - Segregation of Duties
Recommended IT department segregation of duties: Systems Analyst, Programmer, Computer Operator, Testing group, AIS Librarian (data, programs), Manager.
What type of control is this? Preventive
One way for a company to address this risk is to? Share it – can use an external consultant for pieces of application support, or utilize a web-based application

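The access control matrix slide (read/change/delete/add per user, a preventive control, SOD tool, kept effective through change management) and the IT segregation-of-duties slide above, worked as one added example that is not part of the original deck. The users, resources and the single SOD rule (a developer may not also put programs into production, as the COBIT change-controls slide requires) are constructed assumptions.

```python
# Constructed access control matrix: user -> resource -> set of abilities.
# Anything not listed is denied (a preventive, default-deny control).
MATRIX = {
    "alice_programmer": {"source_code": {"read", "change", "add"},
                         "test_data": {"read", "change"}},
    "bob_operator": {"production_programs": {"read"}, "data_files": {"read"}},
    "carol_librarian": {"production_programs": {"read", "add"},
                        "data_files": {"read", "add", "delete"}},
    "dave_tester": {"source_code": {"read"}, "test_data": {"read", "change", "add"}},
}
# Constructed SOD rules: nobody may both modify source code and put programs
# into production (developers kept separate from the production environment).
SOD_CONFLICTS = [
    (("source_code", "change"), ("production_programs", "add")),
    (("source_code", "change"), ("production_programs", "change")),
]
CHANGE_LOG = []  # every grant request is recorded with its approver

def is_permitted(user, resource, action):
    """Preventive check: only an explicit matrix entry allows the action."""
    return action in MATRIX.get(user, {}).get(resource, set())

def sod_violations(matrix=None):
    """Detect users whose combined abilities break a segregation rule."""
    matrix = MATRIX if matrix is None else matrix
    found = []
    for user, grants in matrix.items():
        for (res_a, act_a), (res_b, act_b) in SOD_CONFLICTS:
            if act_a in grants.get(res_a, set()) and act_b in grants.get(res_b, set()):
                found.append((user, (res_a, act_a), (res_b, act_b)))
    return found

def grant(user, resource, action, approver):
    """Change management: apply an approved grant only if it creates no SOD
    conflict; every decision is written to CHANGE_LOG."""
    trial = {u: {r: set(a) for r, a in g.items()} for u, g in MATRIX.items()}
    trial.setdefault(user, {}).setdefault(resource, set()).add(action)
    if any(v[0] == user for v in sod_violations(trial)):
        CHANGE_LOG.append((user, resource, action, approver, "REJECTED: SOD conflict"))
        return False
    MATRIX.setdefault(user, {}).setdefault(resource, set()).add(action)
    CHANGE_LOG.append((user, resource, action, approver, "GRANTED"))
    return True
```

Running `sod_violations()` periodically is the detective half of the matrix (the periodic access review on the COBIT security slide); `grant` is the change-management gate that keeps the matrix from drifting into a conflict in the first place.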
Computer systems - Access and safeguarding
Data protection controls:
• Physical and logical – lock rooms, require passwords
• Data transmission, Internet
• Preventive – labeling, librarians, data dictionaries
• Backup…
• Uninterruptible power sources
• Disaster recovery

Modifications - IT
During an IT modification, controls need to be in place to ensure the continuation of system:
• Reliability
• Security
• Confidentiality
• Integrity
• Availability

Control Activities
• Management should ensure that both IT general and application controls exist and support the objectives of the compliance effort. Some of the key areas related to IT include:
  • Designing and implementing controls designed to mitigate significant identified IT risks
  • Monitoring key IT controls for continued effectiveness
  • Documenting and testing IT controls related to §404

Things to keep in mind regarding IT
• General computer controls should be:
  • based on financial reporting requirements
  • signed off by key business process owners
  • not left to the sole responsibility of the IT function.
• IT application controls should also be defined by business-user requirements, and not the IT function.