
BAA-Audit & Information Systems

By Winston Phethi

Introduction

What are IT Controls?
General Controls
Application Controls
Why are IT Controls Important?
Who is responsible for IT Controls?
Where are IT Controls Applied?

"IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations are dependent for their business and financial transaction processing, and overlooking or minimizing their importance creates a significant risk."
- CICA Information Technology Advisory Committee (2004)

Controls over computer-based systems are broken down into two major categories: general controls and application controls.
General controls apply to all system components, processes, and data for a given organization or systems environment.
Application controls (a.k.a. business process controls) pertain to the scope of individual business processes or application systems.

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls.

By definition, General Computer Controls are control activities performed within the IT organization, or within the technology that it supports, that can be applied to every system the organization relies upon.
They are designed to encompass an organization's IT infrastructure rather than specific applications. General controls help ensure confidentiality, integrity, and availability; contribute to the safeguarding of data; and promote regulatory compliance.

IT systems support many of the business processes, e.g. in the accounting department, such as those below:

Purchasing
Accounts Payable
Inventory
Payroll

Without effective General Controls, reliance on these IT systems may not be possible.

If general controls are ineffective, there may be potential for material misstatement in each computer-based accounting application.

General Controls include:

Organization Controls
  Policies and Procedures
  Segregation of Duties
Access Controls
  Physical Security
  Logical Access
Change Management Controls
Business Continuity Controls
  Disaster Recovery
  Fault Tolerant Systems
  Backup

Policies and Procedures

A clear, concise, and well-written set of information technology policies, procedures, and control documentation is a strategic link between the university's vision and its day-to-day operations.
These documents are critical to the university because they provide guidelines for faculty, staff and students and enable the smooth functioning of the computer operations function without constant management intervention.

Segregation of Duties

The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence.
Controls are provided by granting access privileges only in accordance with job requirements for processing functions and for accessing sensitive information.
Inadequate segregation of duties increases the risk of errors being made and remaining undetected; it also may lead to fraud and the adoption of inappropriate working practices.
Sarbanes-Oxley provided a compelling case for the implementation and maintenance of appropriate segregation of duties at the organizational, manual process and system level.

What is Physical Security?

Measures used to protect an organization's facilities, resources, or proprietary data stored on physical media.

Examples:

Facility monitoring (surveillance systems, cameras, guards, exterior lighting)
Access controls to facilities/data center/computers (access cards)
Alarm systems (fire, burglar, water, humidity, power fluctuations)
Shredding of sensitive documents
Proper storage/disposal of hard drives and other electronic storage media
Secure storage of back-up copies of data and master copies of critical software

Examples:

What is Logical Access?

Limiting access to systems and information to authorized individuals.

Examples:

Passwords
System authentication
Logs of logon attempts
Application-level firewalls
Antivirus and anti-spyware software, installed and kept up to date
Intrusion detection systems that identify suspicious network activity
Encryption for sensitive data
File shares adequately restricted to appropriate users
Patches/system updates applied in a timely manner

Examples:

Password guidance:

Don't use passwords that are based on personal information that can be easily accessed or guessed.
Don't use words that can be found in any dictionary of any language.
Develop a mnemonic for remembering complex passwords.
Use both lowercase and capital letters.
Use a combination of letters, numbers, and special characters.
The longer the password, the tougher it is to crack. Use at least 10 characters.
Use different passwords on different systems.
Keep your passwords in a secure place, out of plain sight.
Don't share passwords on the phone, in texts or by email.

Change Management Control Objectives include:

To manage the IT change process such that the introduction of errors and incidents related to change is minimized.
To ensure that standard methods and procedures are used so that changes can be addressed expediently and with the lowest impact on service quality.

Change Management Controls could include:

Monitoring and logging of all changes
Steps to detect unauthorized changes
Confirmation of testing
Authorization for moving changes to production
Tracking movement of hardware and other infrastructure components
Periodic review of logs
Back-out plans
User training
Specific, defined and followed procedures for emergency changes

Business Continuity Controls

Definition
A comprehensive approach to ensuring normal operations despite interruptions.

Components
Disaster Recovery
Fault Tolerant Systems
Backup and Recovery

Disaster Recovery

Documentation of the procedures that ensure the organization continues to operate by providing the ability to successfully recover computer services in the event of a disaster.
Must ensure that plans are comprehensive, up-to-date, and approved by key organizational, management, and executive personnel.
Must test the plans regularly and document the results.

Fault Tolerant Systems

The ability of a system to respond gracefully to an unexpected hardware or software failure.
There are many levels of fault tolerance, the lowest being the ability to continue operation in the event of a power failure. Many fault-tolerant computer systems mirror all operations, that is, every operation is performed on two or more duplicate systems, so if one fails the other can take over.

Backup and Recovery

Requirements should be defined for backup of critical data (type and frequency).
Procedures should be in place to periodically validate the recovery process.

Application Controls include:
Input controls
Processing controls
Output controls

Input control objectives:

All transactions are initially and completely recorded
All transactions are completely and accurately entered into the system
All transactions are entered only once

Controls in this area may include:

Pre-numbered documents
Control total reconciliation
Data validation
Activity logging
Document scanning
Access authorization
Document cancellation
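As an added worked example, not from the original slides, the Python below applies three of the input controls above (pre-numbered documents, control total reconciliation and data validation) to one keyed batch and reports every exception, so the "entered only once" and "completely recorded" objectives can be checked before processing. The batch, its header totals and the field edits are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Txn:
    doc_no: int      # number printed on the pre-numbered source document
    vendor: str
    amount: float
    posted: str      # ISO date as keyed in

# Constructed batch as keyed into the system: document 1003 was never entered,
# 1005 was keyed twice, and 1006 was keyed with an empty vendor, a negative
# amount and an impossible date.
BATCH = [
    Txn(1001, "ACME", 120.00, "2024-03-01"),
    Txn(1002, "ACME", 80.50, "2024-03-01"),
    Txn(1004, "GLOBEX", 45.00, "2024-03-02"),
    Txn(1005, "INITECH", 300.00, "2024-03-02"),
    Txn(1005, "INITECH", 300.00, "2024-03-02"),
    Txn(1006, "", -10.00, "2024-13-40"),
]
# Constructed batch header prepared by the originating department from the paper
# documents: record count, amount total, and hash total of document numbers.
HEADER = {"count": 5, "amount_total": 545.50, "hash_total": 5018}

def validate_record(t):
    """Data validation: field-level edits applied to each keyed record."""
    errs = []
    if not t.vendor.strip(): errs.append("vendor missing")
    if t.amount <= 0: errs.append("amount not positive")
    try: date.fromisoformat(t.posted)
    except ValueError: errs.append("invalid date")
    return errs

def check_batch(batch, header):
    """Return the list of input-control exceptions for one batch (empty = clean)."""
    exc, nums, seen = [], [t.doc_no for t in batch], set()
    # Pre-numbered documents: a gap in the sequence means a document was not recorded.
    for n in range(min(nums), max(nums) + 1):
        if n not in nums: exc.append(f"doc {n}: missing from sequence")
    for t in batch:
        # Entered only once: the same document number must not appear twice.
        if t.doc_no in seen: exc.append(f"doc {t.doc_no}: entered more than once")
        seen.add(t.doc_no)
        exc += [f"doc {t.doc_no}: {e}" for e in validate_record(t)]
    # Control total reconciliation: keyed totals must agree with the header.
    totals = {"count": len(batch), "hash_total": sum(nums),
              "amount_total": round(sum(t.amount for t in batch), 2)}
    exc += [f"{k}: keyed {totals[k]} vs header {header[k]}" for k in header if totals[k] != header[k]]
    return exc
```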

Processing control objectives:

Approved transactions are accepted by the system and processed
All rejected transactions are reported, corrected, and re-input
All accepted transactions are processed only once
All transactions are accurately processed
All transactions are completely processed

Controls over processing may include:

Control totals
Programmed balancing
Segregation of duties
Restricted access
File labels
Exception reports
Error logs
Reasonableness tests
Concurrent update control

Output control objectives:

Assurance that the results of input and processing are output
Output is available only to authorized personnel
The most important output control is review of the data for reasonableness.

Output controls could include:

Complete audit trail
Output distribution logs
Output reports

