Slide 1: IT general controls: The Eurosystem approach
Visit to the Central Bank of Armenia
Yerevan, 25-27 Sept 2013

Slide 2: IT general controls
Increased focus on IT general controls (diagram labels: Sarbanes-Oxley Act (SOX); Internal controls; IT controls)
IT general controls are needed to support the reliability of application controls.
For example, ensuring database security is often considered a requirement for reliable financial reporting.

Slide 3: Integrated audit in the ESCB
• A business process audit is scheduled
• The business process is supported by an application system
• The effectiveness of application controls depends on the effectiveness of IT general controls (ITGC)
• What IT general controls should be included in the audit scope?

Slide 4: Possible approaches
Application controls: a set of controls embedded within automated solutions (applications)
IT general controls: controls that apply to the overall functioning of the organisation’s IT systems and to a broad set of applications

Slide 5: Possible approaches
Diagram of the four approaches over the two control layers (IT general controls, application controls):
[a] Application approach
[b] Limited vertical approach
[c] Deep vertical approach
[d] Horizontal approach (ITGC review)

Slide 6: Application approach
Audit scope explicitly limited to application controls.
PROs:
• More time to focus on the specific application
• More efficient
CONs:
• Partial assurance
• Need to be complemented with horizontal approach

Slide 7: Limited vertical approach
Auditors identify which IT general controls should be reviewed.
PROs:
• Possibility of expanding or reducing the scope depending on the actual situation
CONs:
• Lack of transparency on the audit scope
• No assurance that the most relevant ITGC are reviewed

Slide 8: Deep vertical approach
Audit scope includes a selection of IT general controls.
PROs:
• Higher value to the business management
• Comparable results between audit reports
• Reusability of results
CONs:
• Difficulty in identifying relevant ITGCs during the preparation
• Need for specific skills
• Audit effort

Slide 9: Horizontal approach
IT general controls covered by ad-hoc audit engagements.
PROs:
• Full analysis of a specific problem
• Reusability of results
CONs:
• Difficulty in representing the business impact of findings

Slide 10: Deep vertical approach
• The task force identifies the most relevant IT general controls
  – For example:
    • Change management
    • Security
    • Computer operations
• The auditors evaluate those controls
• Full coverage of ITGCs is obtained over time, through multiple business audits and dedicated IT horizontal audits

Slide 11: The IT general control catalogue
IT general controls are selected from a “catalogue” (the IT General Control Catalogue):
1. IT Governance
   1.1 – IT Organisation, Roles and Responsibilities (PO4) and IT Human Resources (PO7)
   1.2 – Operating policies, procedures and supporting documentation (DS13, AI1/2)
   1.3 – IT Risk Management (PO9)
2. Security
   2.1 – Network Security (DS5.10)
   2.2 – Logical Access Management (DS5.3/4)
   2.3 – Data integrity and confidentiality (DS5.8/10/11; DS11)
   2.4 – Malicious Code Monitoring (DS5.9)
   2.5 – Logging and Security Monitoring (DS5.5; DS13.3)
   2.6 – Physical Security (DS12)
3. Change Management
   3.1 – Change and Release Management (AI6/7)
   3.2 – Infrastructure and Configuration Management (and Protection) (DS9 and DS5)
4. Operations (Service Delivery/Support/Man.)
   4.1 – Availability, Capacity, Performance and IT Service Continuity Management (DS3/4)
   4.2 – Incident/Problem Management (DS8/10, 5.6)
   4.3 – Service Level Management (DS1)
5. End User Computing
   5.1 – End User Computing (ITCO SOX)
6. Third party management
   6.1 – Third party management (DS2)

Slide 12: The IT general control catalogue (example entry)
ITGC 6 – Third party management
6.1 – Third party management (DS2)

High level control objective: Third party services used to operate/support systems meet business requirements, are defined appropriately in contracts and the risks associated with third party service providers are monitored and managed. Third parties comply with all security requirements and policies for the protection of data as specified in underlying contracts.
CIA Rating: MMM
Inherent risk: Inadequate control over third party services and/or inappropriate access to sensitive/critical data may lead to i) system unavailability; ii) inadequate protection of information assets, which could result in security breaches and/or financial or reputational loss. RiskIT: 16, 31, 32, 33, 34

Control practice 6.1.1 – Third party service delivery (DS2.4)
Illustrative ITGC control practices: Third party services meet business requirements and are secure, accurate and available; support processing integrity; and are defined clearly in contracts. Risks associated with third party contracts are monitored and managed in accordance with established performance criteria. RiskIT: 16, 32, 33, 34
Most common issues (control weaknesses):
• Ineffective control is exercised over the delivery of services by the third party.
• Deliverables fail to meet requirements.
• Delays and cost overruns arise.
Illustrative ITGC tests of control practices (for the relevant system(s) and underlying IT components & infrastructure [in scope], check that):
• A relevant service contract(s) is in place which includes adequate definitions of the services to be performed and the obligations which the third party should abide by.
• Business requirements, policies and procedures exist from which appropriate controls can be derived.
• Controls to support security and data integrity are defined and communicated to all parties.
• Third parties have no undue access to sensitive data.
• Contracts have been reviewed and are duly approved and signed prior to the commencement of work.
• The third party reports on the attainment of agreed-upon performance criteria (in line with defined SLAs and the supplier contract).
COBIT 4.1 references and ESCB IT policies:
• ITCO SOX: 21 – Manage Third-party Services
• COBIT: DS2.4 Supplier Performance Monitoring
• ESCB: ITC/09/237 Annex 4 (10.2.3)

Slide 13: Selection of ITGCs
• Drivers for selecting the ITGCs to assess:
  – Business audit objective and scope (and relevant risks)
  – Criticality assessment
  – IT environment
  – Resource constraints (time, skills)
  – Global coverage of ITGCs