General IT Control (GITC) for BP Professionals County/IIA OC Presentation

General IT Control (GITC) for BP Professionals, October 27, 2017

Transcript of General IT Control (GITC) for BP Professionals County/IIA OC Presentation

Page 1: General IT Control (GITC) for BP Professionals County/IIA OC Presentation...Analysis to determine which processes will be in scope. Determine significant controls and locations/ business

General IT Control (GITC) for BP Professionals
October 27, 2017

Page 2:

Agenda

- The Jump from BP to IT – My Story
- Testing Approaches – Brief Touchpoint
- General IT Controls
  - Access to Programs & Data (APD)
  - Program Change (PGC)
  - Computer Operations (COP)
  - Program Development (PGD)

Page 3:

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

With you today

Omar Rahman, Senior Associate, IT Audit and Assurance
T: 614-772-2353
E: [email protected]

IA Note: PIO: Needs updating – Pre-Kids Photo

IA Note: IA reviewed Mr. Rahman’s background and determined the following:
1) Happy husband and father of 2 adorable girls (1 year and 4 years old).
2) UCLA Alum
3) Worked in External Audit, Internal Audit (KPMG Federal), and IT Audit Assurance (Current Position)
4) Licensed CPA and CISA

Page 4:

What’s in it for me?

- Understand General IT Processes and Controls
- Understand some of the requirements for each control.

Page 5:

Testing Approaches

IT Audit

Page 6:

SOX Process

1. Risk Assessment/Scoping
Analysis to determine which processes will be in scope. Determine significant controls and locations/business units to be included. Define project approach, milestones, timeline, and resources.

2. Documentation/Document Updates/Control Validation
Interviews with control owners to update documentation to reflect any changes from the prior year. Document the design of significant controls, in addition to documenting related policies and procedures.

3. Gap Analysis and Follow Up
Analyze the controls matrix to verify that all risks are adequately addressed. Compare documented controls to the risks identified and to other control reference sources.

4. Walkthroughs/Inquiries/Test of Design
Evaluate the design of IT controls. Speak with control owners and test a sample of one to verify that the control is operating effectively.

5. Test of Effectiveness
Controls testing to evaluate the effectiveness of controls. Internal Audit selects samples based on the frequency and level of risk of a control.

6. Remediation
Identify, accumulate, and evaluate design and operating control exceptions; communicate findings and correct exceptions. Additional testing of controls with identified exceptions.

7. Reporting
Reporting to management of any findings.

IA Note: All steps in the SOX process are relevant to testing GITC controls.

Page 7:

Nature of Controls

PREVENTIVE – Designed to prevent errors or exceptions from being introduced or errors from occurring.
DETECTIVE – Designed to detect errors or exceptions. A detective control is not complete unless it includes corrective action.
CORRECTIVE – Designed to correct errors or exceptions.
MANUAL – Performed by one or more personnel.
AUTOMATED – Performed by an application or computer.
COMBINED – Performed by personnel in combination with an application or computer system.

IA Note: Same nature of controls as BP.

Page 8:

Type of Controls

General IT Controls (GITC): IT controls that support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. GITCs typically apply to applications, operating systems, databases and infrastructure.

IT Application Controls (ITAC): Performed within significant application(s) to help ensure that transactions are processed appropriately.

End User Computing (EUC): Spreadsheets, text files and databases used within the financial reporting process and in general operations.

Page 9:

Test Procedures

- Inspection
- Observation
- Inquiry
- Recalculation
- Re-performance

Page 10:

General IT Controls (GITC)

Page 11:

General IT Controls

The policies and procedures that relate to one or more IT applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.

There are four main pillars (areas) by which GITCs are defined:

1. Access to Programs and Data (APD) – Physical & logical access management and controls (passwords, administrative users, user access reviews, data center access, and access provisioning and de-provisioning)

2. Program Changes (PGC) – Change management for application, configuration and infrastructure changes & emergency changes

3. Program Development (PGD) – Specialized project implementations, including project management, data conversion/migration & security set-up as it relates to financial reporting

4. Computer Operations (COP) – Controls supporting the daily functions of a system, including backups, off-site rotations, incidents & problems, batch-job processing, etc.

IA Note: These are processes like any other process; the only difference is that there is no direct reporting impact.

The proper operation of information systems supports IT Application Controls (ITACs) and automated controls with a manual component.

Page 12:

General IT Controls – If GITCs Fail

[Diagram: Business events and transactions flow into the financial applications (Application A, Application B, Application C), which carry the application controls (App Control 1, App Control 2, App Control 4, and a NEW App Control 5), and on into the business processes and their controls (Control 1, Control 2, Control 3, Control 4; Business Process Control 1). What-could-go-wrongs (WCGWs) shown: WCGW 1 Invoice Capture Incomplete; WCGW 2 Interest Calculation Inaccurate; WCGW 4 Report Incomplete; WCGW 5 Interface not C&A (NEW).]

IA Note: Your control environment is much weaker; what-could-go-wrongs may go unaddressed!

Page 13:

The Technology Layers – The Complexity Cake

Layer                  | Technology examples by layer
Processes              | Inventory / AP / Payroll / Fixed Assets Modules
Application            | Salesforce / ADP / Netsuite / SAP / Oracle EBS
Database (DB)          | SQL Server / Oracle DB / DB2 / PostgreSQL
Operating Systems (OS) | Windows / Linux Red Hat / Unix
Networks               | Local Area Networks (LAN) / Wide Area Network (WAN)
Physical               | Server room / Data Center

Application & Manual Controls operate at the Processes layer; IT General Controls cover the technology layers beneath it (Application, Database, OS, Networks, Physical).

IA Note: This looks similar to the OSI (Open Systems Interconnection) Model but is not as detailed (OSI goes into specific protocols), and an OSI layer can span multiple layers in our model. This is where IT processes appear complex; the key is to keep track of the relationship between the application, databases, OS and servers.

Page 14:

Access to Program and Data (APD)

Page 15:

Access Provisioning (New Users)

Objective: To determine whether adequate controls over the access to programs and data have been established by management to ensure that the access provisioned to users is authorized and necessary to fulfill their job responsibilities.

At a minimum, the auditors would request:

1. Request for access – note that the actual user must not request their own access. The request must be documented in the form of an email or ticket with a timestamp.

2. Manager/supervisor approval – the approval must be documented in the form of an email or ticket with a timestamp.

Note: Access to the application must be created on or after the manager approval date.

IA Note: Control impacts every layer.

Page 16:

Access De-Provisioning (Removal of Access)

Objective: To determine whether adequate controls over the access to programs and data have been established by management to ensure that access has been de-provisioned or removed for terminated/separated employees.

At a minimum, the auditors would request:

1. Request from HR or the user’s manager – email or ticket requesting removal of a terminated user.

2. Evidence that access has been removed – email or ticket from IT or the application admin confirming that access has been removed. A timestamp must be provided to ensure that a terminated user’s access has been removed in a timely manner.

Note: When removing access from Active Directory, it is helpful to record (in an email or ticket) the date when the access was removed/disabled.

IA Note: Control impacts every layer.
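The evidence checks on the two access slides (provisioning: no self-request, timestamped manager approval, account created on or after approval; de-provisioning: HR/manager request, timestamped removal confirmation, removal timely) can be scripted against exported ticket data. The following is an added Python example, not material from the presentation. The record layouts, the sample tickets and the one-business-day removal threshold are constructed assumptions; the slides only say "timely" and do not quantify it.

```python
"""Auditor-style checks over access provisioning / de-provisioning evidence.
All records below are constructed sample data, not real tickets."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ProvisioningRecord:
    user: str                        # account being granted
    requested_by: str                # must not be the user themself
    requested_at: datetime           # timestamp on the request email/ticket
    approved_by: Optional[str]       # manager/supervisor; None = no approval on file
    approved_at: Optional[datetime]  # timestamp on the approval
    account_created_at: datetime     # creation date from the application's user record


@dataclass
class DeprovisioningRecord:
    user: str
    requested_by: str                # HR or the user's manager
    requested_at: datetime
    removed_at: Optional[datetime]   # IT/app admin confirmation; None = no evidence


# Assumed threshold: the slides say "timely" but give no number.
REMOVAL_SLA = timedelta(days=1)


def check_provisioning(r: ProvisioningRecord) -> list[str]:
    """Return the exceptions an auditor would write up for one new-user record."""
    findings = []
    if r.requested_by == r.user:
        findings.append("user requested their own access")
    if r.approved_by is None or r.approved_at is None:
        findings.append("no manager approval with timestamp on file")
    else:
        if r.approved_by == r.user:
            findings.append("user approved their own access")
        if r.account_created_at < r.approved_at:
            findings.append("account created before manager approval")
    return findings


def check_deprovisioning(r: DeprovisioningRecord, sla: timedelta = REMOVAL_SLA) -> list[str]:
    """Return the exceptions for one terminated-user record."""
    findings = []
    if r.removed_at is None:
        findings.append("no evidence that access was removed")
    elif r.removed_at - r.requested_at > sla:
        days = (r.removed_at - r.requested_at).days
        findings.append(f"access removed {days} days after request")
    return findings


# Constructed sample population (one clean and two exception records of each kind).
SAMPLE_PROVISIONING = [
    ProvisioningRecord("jdoe", "mgr_smith", datetime(2017, 10, 2, 9, 0),
                       "mgr_smith", datetime(2017, 10, 2, 14, 0), datetime(2017, 10, 3, 8, 30)),
    ProvisioningRecord("asmith", "asmith", datetime(2017, 10, 4, 9, 0),
                       "mgr_lee", datetime(2017, 10, 5, 9, 0), datetime(2017, 10, 4, 10, 0)),
    ProvisioningRecord("bwong", "mgr_lee", datetime(2017, 10, 6, 9, 0),
                       None, None, datetime(2017, 10, 6, 11, 0)),
]
SAMPLE_DEPROVISIONING = [
    DeprovisioningRecord("cjones", "hr_dept", datetime(2017, 10, 9, 17, 0), datetime(2017, 10, 10, 8, 0)),
    DeprovisioningRecord("dkim", "mgr_smith", datetime(2017, 10, 9, 17, 0), datetime(2017, 10, 16, 9, 0)),
    DeprovisioningRecord("eroy", "hr_dept", datetime(2017, 10, 11, 9, 0), None),
]


def run_sample() -> dict[str, list[str]]:
    """Exceptions per sample record, keyed 'provision:<user>' / 'deprovision:<user>'."""
    results = {}
    for r in SAMPLE_PROVISIONING:
        results["provision:" + r.user] = check_provisioning(r)
    for r in SAMPLE_DEPROVISIONING:
        results["deprovision:" + r.user] = check_deprovisioning(r)
    return results


if __name__ == "__main__":
    for key, findings in run_sample().items():
        print(key, "OK" if not findings else "; ".join(findings))
```

Each finding maps to one line of evidence the slides ask for, so a record that passes with no findings is one for which the auditor has everything requested. Replace the sample lists with the exported ticket population to run it over a real sample.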

Page 17:

Administrators

Objective: To determine whether super user access, including delivered and system user IDs, is restricted to authorized individuals to mitigate the risk of unauthorized/inappropriate access to the relevant programs or data.

At a minimum, the auditors would request:

1. System-generated listing of roles that have administrative access.

2. System-generated listing of users who have administrative access.

Note:
1. For generic or service accounts with admin access, always make sure to document who has access to the password and the justification for why they have access.
2. At a minimum, roles that have access to create, modify or remove user access in the system are considered admin roles, and their members admin users.

IA Note: Control impacts Application, Database, and OS Layers.
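Deriving the two listings on this slide from system exports, and applying the note about generic/service accounts, as an added Python example that is not part of the presentation. The permission names, the role and user exports, and the service-account register are constructed assumptions; the rule implemented is the slide's own ("roles that can create, modify or remove user access are admin").

```python
"""Derive admin-role and admin-user listings from system-generated exports and
flag generic/service accounts with admin access whose password custodian and
justification are not documented. All data here is constructed sample data."""
from __future__ import annotations

# Assumed permission names. Any role carrying one of these can create, modify
# or remove user access, which the slide treats as administrative.
USER_ADMIN_PERMISSIONS = {"user.create", "user.modify", "user.delete", "role.assign"}

# Constructed role listing: role -> set of permissions
ROLE_LISTING = {
    "SYS_ADMIN":     {"user.create", "user.modify", "user.delete", "role.assign", "gl.post"},
    "SEC_ADMIN":     {"user.modify", "role.assign"},
    "AP_CLERK":      {"ap.enter", "ap.view"},
    "GL_ACCOUNTANT": {"gl.post", "gl.view"},
}

# Constructed user listing: (user id, role, is_generic_or_service_account)
USER_LISTING = [
    ("jdoe",      "SYS_ADMIN",     False),
    ("mlee",      "SEC_ADMIN",     False),
    ("rroy",      "AP_CLERK",      False),
    ("kpatel",    "GL_ACCOUNTANT", False),
    ("svc_batch", "SYS_ADMIN",     True),
    ("admin",     "SYS_ADMIN",     True),   # delivered (vendor default) account
]

# Constructed register of shared/service accounts: who holds the password and why.
# "admin" is deliberately absent, so it has no custodian or justification on file.
SERVICE_ACCOUNT_REGISTER = {
    "svc_batch": {"password_custodians": ["jdoe"], "justification": "runs nightly batch jobs"},
}


def admin_roles(roles: dict[str, set[str]]) -> set[str]:
    """Roles that can create, modify or remove user access."""
    return {role for role, perms in roles.items() if perms & USER_ADMIN_PERMISSIONS}


def admin_users(users: list[tuple[str, str, bool]], roles: dict[str, set[str]]) -> set[str]:
    """Users holding any admin role: the population an access reviewer validates."""
    admins = admin_roles(roles)
    return {uid for uid, role, _ in users if role in admins}


def undocumented_service_admins(users, roles, register: dict[str, dict]) -> list[str]:
    """Generic/service accounts with admin access that lack a documented
    password custodian or justification (the note on the slide)."""
    admins = admin_roles(roles)
    findings = []
    for uid, role, is_service in users:
        if not is_service or role not in admins:
            continue
        entry = register.get(uid)
        if not entry or not entry.get("password_custodians") or not entry.get("justification"):
            findings.append(uid)
    return findings


if __name__ == "__main__":
    print("admin roles:", sorted(admin_roles(ROLE_LISTING)))
    print("admin users:", sorted(admin_users(USER_LISTING, ROLE_LISTING)))
    print("undocumented service admins:",
          undocumented_service_admins(USER_LISTING, ROLE_LISTING, SERVICE_ACCOUNT_REGISTER))
```

The role listing is evaluated first and the user listing second, mirroring the order in which the auditor requests them; a change to the permission set changes both listings consistently.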

Page 18:

Other Controls to Think About

• Password configuration
  • Is it currently in line with the corporate IT policy?
  • How does the user authenticate to the application? Single sign-on? Local authentication?

• User Access Reviews
  • Who validates the appropriateness of business users?
  • Who validates the appropriateness of admin users?
  • Typically the last line of defense for APD controls.

• Data Center Access
  • What is the process for authorizing access to the data center?
  • Who should have access to the data center?
  • What is the process for granting data center access to vendors or third-party providers?

Page 19:

Program Change (PGC)

Page 20:

Considering Program Change Risks – Debrief

Overall Risk: Changes to systems, infrastructure and databases do not follow a specified workflow that ensures the authorization, documenting, testing and approval of changes prior to their implementation in production.

- Policy/Procedure
  - The company does not have a policy & procedure document defined, there is no Standard Operating Procedure (SOP) document, or the SOP/policy is not followed
- Authorization
  - Changes are not authorized; change requests are not screened before developers start working on them
- Documenting
  - Documentation related to changes is not stored/retained for review (no audit evidence)
- Testing
  - Changes are not tested prior to migration
  - Environments for testing are inadequate
- Approval
  - Changes migrated to production have not been screened by management and could impact production transactions and data
  - Inappropriate personnel have access to migrate changes.

IA Note: Control impacts Application, Database, OS, and Network Layers

Page 21:

Program Changes: what it looks like in the system
System change log from the system (screenshot): selected change

Page 22:

Program Changes: what it looks like in the system
System change log from the system (screenshot): corresponding ticket

Page 23:

Program Changes: what it looks like in the system
System change log from the system (screenshot): authorization

Page 24:

Program Changes: what it looks like in the system
System change log from the system (screenshot): testing

Page 25:

Program Changes: what it looks like in the system
System change log from the system (screenshot): approval prior to migration
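The walk from a system change log entry to its ticket, and then to the authorization, testing and pre-migration approval attributes shown on the preceding screenshots, can be done over the whole log rather than one selected change. The following Python reconciliation is an added example, not material from the presentation. The log and ticket layouts, the sample changes, the release-manager role as the only authorized migrator, and the rule that a developer should not approve their own change are constructed assumptions; the slides describe the risks but do not name these fields.

```python
"""Reconcile a system-generated change log against change tickets for the
authorization / testing / approval-prior-to-migration attributes, and flag
changes migrated by unauthorized personnel. All data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ChangeLogEntry:                 # one row of the system change log
    change_id: str
    migrated_at: datetime             # when the change reached production
    migrated_by: str                  # account that performed the migration


@dataclass
class ChangeTicket:                   # the corresponding ticket in the change tool
    change_id: str
    developer: str
    authorized_at: Optional[datetime]  # request screened/authorized before work began
    tested_at: Optional[datetime]      # test evidence attached
    approved_at: Optional[datetime]    # management approval prior to migration
    approved_by: Optional[str]


# Assumed: only the release-manager account may migrate to production.
AUTHORIZED_MIGRATORS = {"release_mgr"}


def evaluate(entry: ChangeLogEntry, ticket: Optional[ChangeTicket]) -> list[str]:
    """Exceptions for one change log entry against its ticket (None = no ticket)."""
    if ticket is None:
        return ["no corresponding ticket (undocumented change)"]
    findings = []
    if ticket.authorized_at is None:
        findings.append("not authorized")
    if ticket.tested_at is None:
        findings.append("no test evidence")
    elif ticket.tested_at > entry.migrated_at:
        findings.append("tested after migration")
    if ticket.approved_at is None or ticket.approved_by is None:
        findings.append("no approval prior to migration")
    else:
        if ticket.approved_at > entry.migrated_at:
            findings.append("approved after migration")
        if ticket.approved_by == ticket.developer:        # assumed segregation rule
            findings.append("developer approved own change")
    if entry.migrated_by not in AUTHORIZED_MIGRATORS:
        findings.append(f"migrated by unauthorized user {entry.migrated_by}")
    return findings


def reconcile(log: list[ChangeLogEntry], tickets: list[ChangeTicket]) -> dict[str, list[str]]:
    """Exceptions keyed by change id, in both directions (log -> ticket, ticket -> log)."""
    by_id = {t.change_id: t for t in tickets}
    results = {e.change_id: evaluate(e, by_id.get(e.change_id)) for e in log}
    # A ticket with no log entry is either not yet migrated or migrated outside the log.
    for cid in by_id.keys() - {e.change_id for e in log}:
        results[cid] = ["ticket has no matching change log entry"]
    return results


# Constructed sample: one clean change, one with several exceptions,
# one log entry without a ticket, one ticket without a log entry.
CHANGE_LOG = [
    ChangeLogEntry("CHG-1001", datetime(2017, 10, 5, 20, 0), "release_mgr"),
    ChangeLogEntry("CHG-1002", datetime(2017, 10, 6, 20, 0), "dev_alice"),
    ChangeLogEntry("CHG-1003", datetime(2017, 10, 7, 20, 0), "release_mgr"),
]
TICKETS = [
    ChangeTicket("CHG-1001", "dev_alice", datetime(2017, 10, 2, 9, 0),
                 datetime(2017, 10, 4, 15, 0), datetime(2017, 10, 5, 10, 0), "it_manager"),
    ChangeTicket("CHG-1002", "dev_alice", datetime(2017, 10, 3, 9, 0),
                 None, datetime(2017, 10, 6, 9, 0), "dev_alice"),
    ChangeTicket("CHG-1004", "dev_bob", datetime(2017, 10, 3, 9, 0), None, None, None),
]


def run_sample() -> dict[str, list[str]]:
    return reconcile(CHANGE_LOG, TICKETS)


if __name__ == "__main__":
    for cid, findings in sorted(run_sample().items()):
        print(cid, "OK" if not findings else "; ".join(findings))
```

Running it both ways matters: the log-to-ticket direction finds changes that bypassed the workflow, while the ticket-to-log direction finds tickets whose migration is not in the system evidence at all.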

Page 26:

Computer Operations (COP)

Page 27:

Backups

Objective: To determine whether adequate controls over computer operations have been established by management to ensure that data is properly backed up and free from errors.

What IT auditors would need:

1. Backup configurations – backup schedule and email notification configuration
2. Evidence of monitoring – auditors would need evidence from management that daily backups are monitored and acted upon if they have failed.

Note: If a backup has failed to run, make sure to create a ticket. Document whether the job completed the following day or whether manual intervention was needed.

IA Note: Control impacts Application, Database, and OS Layers
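The monitoring evidence on this slide (every failed daily backup has a ticket, and either the job completed the following day or manual intervention is documented) can be checked mechanically from the email notifications and the ticket register. The following Python example is added here and is not part of the presentation. The notification line format, the sample jobs and the ticket notes are constructed assumptions.

```python
"""Parse backup notification lines and check that each failure was ticketed and
either completed the next day or documented as manually handled.
Notification lines and ticket notes are constructed; the line format is assumed."""
from __future__ import annotations
from datetime import date, timedelta
import re

# Constructed notification export, one line per job run: "<date> <job> <status>"
NOTIFICATIONS = """\
2017-10-02 FIN-DB-01-FULL SUCCESS
2017-10-03 FIN-DB-01-FULL FAILED
2017-10-04 FIN-DB-01-FULL SUCCESS
2017-10-03 HR-APP-01-FULL FAILED
2017-10-04 HR-APP-01-FULL FAILED
2017-10-05 HR-APP-01-FULL SUCCESS
2017-10-06 GL-APP-02-FULL FAILED
2017-10-07 GL-APP-02-FULL FAILED
2017-10-08 GL-APP-02-FULL SUCCESS
"""

# Constructed ticket register: (job, failure date) -> follow-up note.
# The GL-APP-02 failures have no ticket at all.
TICKETS = {
    ("FIN-DB-01-FULL", date(2017, 10, 3)): "INC-501: tape drive reset; job completed on next run",
    ("HR-APP-01-FULL", date(2017, 10, 3)): "INC-502: manual backup taken 2017-10-04 by DBA",
    ("HR-APP-01-FULL", date(2017, 10, 4)): "INC-502: manual backup taken 2017-10-04 by DBA",
}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (SUCCESS|FAILED)$")


def parse(text: str) -> list[tuple[date, str, str]]:
    """Turn notification lines into (run date, job, status); reject anything malformed
    rather than silently dropping evidence."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable notification line: {line!r}")
        runs.append((date.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return runs


def review_failures(runs, tickets) -> dict[tuple[str, date], list[str]]:
    """Exceptions per failed run, keyed by (job, failure date)."""
    status = {(job, d): s for d, job, s in runs}
    findings = {}
    for d, job, s in runs:
        if s != "FAILED":
            continue
        f = []
        note = tickets.get((job, d))
        if note is None:
            f.append("no ticket for failed backup")
        completed_next_day = status.get((job, d + timedelta(days=1))) == "SUCCESS"
        manual = note is not None and "manual" in note.lower()
        if not completed_next_day and not manual:
            f.append("no completion next day and no documented manual intervention")
        findings[(job, d)] = f
    return findings


def sample_review() -> dict[str, list[str]]:
    """Same result as review_failures over the constructed data, with string keys."""
    return {f"{job} {d.isoformat()}": f
            for (job, d), f in review_failures(parse(NOTIFICATIONS), TICKETS).items()}


if __name__ == "__main__":
    for key, f in sample_review().items():
        print(key, "OK" if not f else "; ".join(f))
```

The second finding is only raised when neither form of evidence the note asks for exists, so a failure covered by a next-day success still needs its ticket, and a ticket alone is not enough unless it records the manual intervention.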

Page 28:

Restoration Testing

Objective: To determine whether adequate controls over computer operations have been established by management to ensure that the data being backed up is tested and is free from errors.

What IT auditors would need:

1. Evidence of restoration testing – documentation stating how the server subject to testing was selected, as well as the result of the testing.

Note: A Disaster Recovery (DR) document is also a good alternative for evidencing restoration testing.

IA Note: Control impacts Application, Database, and OS Layers

Page 29:

Program Development (PGD)

Page 30:

Quick Overview of Program Development Tasks

Overall Risk: New development/implementations of applications, databases, OS, and infrastructure do not follow a specified workflow that ensures the authorization, documenting, testing and approval of changes prior to their implementation in production.

You would obtain evidence for the following tasks:

- Implementation Plan
  • Management authorized large-scale development
  • SDLC policy is present
- Testing
  • Formal testing occurred with approvals provided by management
- Training
  • Training was conducted for all relevant personnel
- Cutover Activities
  • Cutover activities are documented with clear confirmation that activities were successful
- Post Implementation
  • Review of post-migration App/OS/DB was performed and any issues were tracked and resolved.
- Security User Access Review
  • Roles and user profiles have been reviewed and approved
- Data Conversion
  • Data post-migration reconciles to pre-migration data

IA Note: Control impacts Application, Database, OS, and Network Layers
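The Data Conversion task on this slide ("data post-migration reconciles to pre-migration data") is the one task here that reduces to a computation: compare the legacy extract with the target system on record count, control total and record-level values, and list anything dropped, added or changed. The following Python example is added here and is not part of the presentation; the account-balance layout and both extracts are constructed.

```python
"""Reconcile a post-migration extract to the pre-migration extract: record
counts, control totals, dropped/added keys and value differences.
Both extracts are constructed sample data."""
from __future__ import annotations
from decimal import Decimal

# Constructed extracts: customer id -> open receivable balance
PRE_MIGRATION = {
    "C001": Decimal("1200.00"),
    "C002": Decimal("350.50"),
    "C003": Decimal("0.00"),
    "C004": Decimal("99.99"),
}
POST_MIGRATION = {
    "C001": Decimal("1200.00"),
    "C002": Decimal("305.50"),   # transposed digits during conversion
    "C004": Decimal("99.99"),    # C003 (zero balance) was dropped
    "C999": Decimal("10.00"),    # record that did not exist pre-migration
}


def reconcile(pre: dict[str, Decimal], post: dict[str, Decimal]) -> dict:
    """Reconciliation summary; 'reconciles' is True only with no differences of any kind.
    Decimal is used so control totals do not pick up binary floating-point noise."""
    missing = sorted(set(pre) - set(post))          # dropped in conversion
    unexpected = sorted(set(post) - set(pre))       # introduced by conversion
    value_differences = {k: (pre[k], post[k])
                         for k in pre.keys() & post.keys() if pre[k] != post[k]}
    return {
        "pre_count": len(pre),
        "post_count": len(post),
        "pre_total": sum(pre.values(), Decimal("0")),
        "post_total": sum(post.values(), Decimal("0")),
        "missing": missing,
        "unexpected": unexpected,
        "value_differences": value_differences,
        "reconciles": not (missing or unexpected or value_differences),
    }


if __name__ == "__main__":
    summary = reconcile(PRE_MIGRATION, POST_MIGRATION)
    for k, v in summary.items():
        print(f"{k}: {v}")
```

Counts and totals alone can agree by coincidence (an added record offsetting a dropped one, or two compensating value errors), which is why the record-level comparison is what decides the reconciles flag.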

Page 31:

Questions?

Page 32:

Thank you