• No results found

Information Technology General Controls (ITGCs) 101

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Information Technology General Controls (ITGCs) 101"

Copied!
16
0
0

Loading.... (view fulltext now)

Download now ( 16 Page )

Full text

(1)

Presented by – Sugako Amasaki (Principal Auditor)

University of California, San Francisco

December 3, 2015

Information Technology

General Controls (ITGCs) 101

(2)

Introduction

Why are IT General Controls Important?

Types of Controls

IT General Controls Review - Audit Process

IT General Controls Review - Overview and Examples

Access to Programs and Data

Program Changes and Development

Computer Operations

Q&A

(3)

IT systems support many of the University’s business processes, such as these below:

Finance

Purchasing

Research

Patient care

Inventory

Payroll

Why are IT General Controls Important?

We cannot rely on IT systems or data therein

(4)

Why are IT General Controls Important?

Financial Objectives, such as:

- Completeness

- Accuracy

- Validity

- Authorization

Operational & IT Objectives, such as:

- Confidentiality

- Integrity

- Availability

- Effectiveness and Efficiently

Ineffective ITGCs = No achievement of

business objectives

(5)

How are controls implemented?

Automated Controls

Manual Controls

Partially Automated Controls

What are controls for?

Preventive Controls

Detective Controls

Corrective Controls

(6)

IT General Controls Review - Audit Process

1. Understand and identify the IT Environment and systems to be reviewed

2. Perform interviews, walkthroughs, and documentation reviews to gain an

understanding on processes

3. Assess appropriateness of existing control environment (control design)

(7)

IT General Controls Review - Overview

Access to Program and Data

Risk: Unauthorized access to program and data may result in improper

changes to data or destruction of data.

Objectives: Access to program and data is properly restricted to

authorized individuals only.

IT General Controls

Program Changes

Development

Program

Operations

Computer

Access to

Program and

Data

(8)

Access to programs and data components to be considered:

Policies and procedures

User access provisioning and de-provisioning

Periodic access reviews

Password requirements

Privileged user accounts

Physical access

Appropriateness of access/segregation of duties

Encryption

System authentication

Audit logs

Network security

IT General Controls Review - Overview

Access to Programs and Data

(9)

Area Existing Control Design How to Test/Validate User access

provisioning A formal process for granting or modifying system access (based on appropriate level of approval) is in place. Review an evidence of approval User access

de-provisioning A formal process for disabling access for users that are transferred or separated is in place. Compare existing user accounts with a list of users that are transferred or separated

Periodic access

reviews Periodic access reviews of users, administrators, and third-party vendors are performed. Review an evidence of periodic reviews Password

requirements Unique (to individual) and strong passwords are used. Assess password rules enforced Privileged user

accounts Accounts having privileged system access rights (e.g. servers, databases, applications, and infrastructure) are limited to authorized personnel.

Review accounts with privileged access rights

Physical access Only authorized personnel are allowed to access secured areas

and computer facilities. Walkthrough of areas (e.g. data center, backup storage etc.)

IT General Controls Review - Example

Access to Programs and Data

(10)

IT General Controls Review - Overview

Program Changes and Development

Risk: Inappropriate changes to systems or

programs may result in inaccurate data.

Objectives: All changes to existing systems

are properly authorized, tested, approved,

implemented and documented.

IT General Controls

Program Changes

Development

Program

Operations

Computer

Access to

Program and

Data

Risk: Inappropriate system or program

development or implementation may result

in inaccurate data.

Objectives: New systems/applications being

developed or implemented are properly

authorized, tested, approved, implemented

and documented.

(11)

Program changes and development components to be considered:

Change management procedures and system development methodology

Authorization, development, implementation, testing, approval, and

documentation

Migration to the production environment (Separation of Duties (SOD))

Configuration changes

Emergency changes

Data migration and version controls

Post change/implementation testing and reviews

IT General Controls Review - Overview

Program Changes and Development

(12)

Area Existing Control Design How to Test/Validate Change

management controls

A formal process for proper change management is in

place. Review/assess change management procedures and validate that procedures are followed

Change

documentation All changed made to systems (e.g. servers, databases, applications, batch jobs and infrastructure) are documented and tracked.

Review change logs

Testing Appropriate level of testing is performed. Review an evidence of test plans and results

Approval Appropriate approval prior to migration to production is

required. Review an evidence of approval Migration Access to migrate changes into production is appropriately

restricted. Verify that a separation of duties (SOD) between developers and operators (= making changes) exists

IT General Controls Review - Example

Program Changes and Development

(13)

IT General Controls Review - Overview

Computer Operations

Risk: Systems or programs may not be available for users or may not be

processing accurately.

Objectives: Systems and programs are available and processing

accurately.

IT General Controls

Program Changes

Development

Program

Operations

Computer

Access to

Program and

Data

(14)

Computer operations components to be considered:

Batch job processing

Monitoring of jobs (success/failure)

Backup and recovery procedures

Incident handling and problem management

Changes to the batch job schedules

Environmental controls

Disaster Recovery Plan (DRP) and Business Continuity Plan (DRP)

Patch management

IT General Controls Review - Overview

Computer Operations

(15)

Area Existing Control Design How to Test/Validate Batch job

processing Batch jobs are appropriately scheduled, processed, monitored, and tracked. Review/assess procedures for batch job processing and monitoring and validate that procedures are followed Monitoring of

jobs Failed jobs are followed-up and documented (including successful resolutions and explanations) Validate that failed jobs are followed-up and documented Backup and

recovery Backups for critical data and programs are available in the event of an emergency. Review/assess procedures for backup and recovery and validate that procedures are followed

Problem/issue

management A formal process for problem/issue handling is in place in order to ensure timely identification, escalation , resolution and documentation of problem.

Review/assess procedures for problem/issue management and validate that procedures are followed

IT General Controls Review - Example

Computer Operations

(16)

References

Download now ( PDF - 16 Page - 722.66 KB )

Related documents

Content Server / Spark. Version: 6.3. Configuration Guide: Third-Party Software

Configuration Guide V6.3: Third-Party Software 272 objectClass: groupofuniquenames 273 uniqueMember: uid=mirroruser,ou=people,dc=FatWire,dc=com 274

by William A. Scott, Stikeman Elliott LLP

The regulatory framework also provides that a number of the general rules relating to trading securities apply equally to derivatives; gives authority to the OSC to regulate

4 Billing Habits Every Attorney Should Develop Now

“Any attorney that tries to reconstruct time days after the work is done is going to be inaccurate in how the time is being remembered,” said George Apostolides, head of

Open Innovation for Ideating and Designing New Product Service Systems

This paper has the scope to show an innovative combination of methodology and IT tools able to offer a Product Service Lifecycle Management (PSLM) approach for collecting

SUMMARY OF AUDIT FINDINGS

The scope of this IT general controls audit was to review general security issues, access controls, program change and patch management, systems software, physical

Information Technology General Controls And Best Practices

Evaluate if reasonable controls are in place over system security, both logical and physical, to determine if software applications and the general network environment are

Is there a rationale and role for long-acting anticholinergic bronchodilators in asthma?

Recently, Phase I –III clinical investigation with long-acting anticholinergic bronchodilators in asthma has begun: two Phase II trials of umeclidinium bromide (umeclidinium)

Indic Cosmology

A tropical year (also known as a solar year) is the length of time the Sun, as seen from the Earth, takes to return to the same position along the ecliptic (its path among the stars