• TO ENSURE
– THE EFFICIENT & EFFECTIVE DEVELOPMENT / MAINTENANCE OF IT SYSTEMS
– PROPER IMPLEMENTATION OF IT SYSTEMS
– PROTECTION OF DATA AND PROGRAMS
COMPONENTS OF GENERAL IT CONTROLS
• ORGANISATION AND MANAGEMENT CONTROLS
• SEGREGATION OF DUTIES
• PHYSICAL & LOGICAL ACCESS CONTROLS
• SYSTEMS DEVELOPMENT CONTROLS
• PROGRAM AMENDMENT CONTROLS
• BUSINESS CONTINUITY PLANNING CONTROLS
ORGANISATION & MANAGEMENT CONTROLS
• TO ENSURE
– ECONOMIC USE OF IT SYSTEMS
– REFLECTION OF IT IN BUSINESS PLANS
– DELIVERY OF THE SYSTEM IN A CONTROL-CONSCIOUS STRUCTURE
– SYSTEM'S RESPONSE TO CHANGES
IT STRATEGY
• APPROPRIATE FORMULATION
• DOCUMENTED FOR THE NEXT 3 YEARS
– COVER IT SYSTEMS TO BE DEVELOPED / ENHANCED
• IN LINE WITH BUSINESS STRATEGY
• CURRENT / APPROPRIATE
• DULY APPROVED BY BOARD
IT PLANNING AND MANAGEMENT
• GUIDED BY USER MANAGEMENT
• INVOLVE USERS & MANAGEMENT
– THROUGH BOARD AGENDA / MINUTES, BUDGETS / FORECASTS
• THROUGH IT STEERING COMMITTEE
• USER INVOLVEMENT IN IT PLANNING
• GENERATION OF REPORTS AGAINST STRATEGY
IT SECURITY POLICY
• FORMALISED POLICY
• APPROVED BY BOARD
• OBJECTIVES WELL ESTABLISHED
• SCOPE AND EXTENT LAID DOWN
• ENABLE RESPONSIBILITY-FIXATION FOR UPDATING / MONITORING.
• DISTRIBUTION TO STAFF.
• ENSURE CONFIDENTIALITY / SECURITY OF INFORMATION
END-USER COMPUTING
• POLICY AND PROCEDURES FOR
– END-USER COMPUTING
– SOFTWARE COPYRIGHTS
– USING STANDARD SOFTWARE
– ANTI-VIRUS PROCEDURES
• DISTRIBUTION TO THE STAFF.
INTERNAL AUDIT
• INVOLVEMENT IN
– IT DEVELOPMENT
– IT OPERATIONS.
• INVOLVEMENT VERIFIED FROM
– THE TERMS OF REFERENCE
– EXPERTISE IN IT
CONTROL CONSCIOUSNESS
• DEPENDS ON
– MANAGEMENT ATTITUDE
– ORGANISATION STRUCTURE.
• ASSESSED THROUGH
– IT RISK ASSESSMENT
– TREATMENT OF RISKS
• DOCUMENT RETENTION
– MANAGEMENT POLICY
– PROCEDURES TO FORECAST NEEDS
• PERSONNEL
– RECRUITMENT / HIRING POLICY
– TRAINING TO THE USERS
– EXPERIENCE OF STAFF
– ASSESSMENT OF PERFORMANCE
– DEPENDENCE ON KEY PERSONNEL
OUTSOURCING
• POLICY & DOCUMENTATION
• COVERED BY CONTRACTS
• SECURITY & CONFIDENTIALITY – DATA & PROGRAMS
• PERIODICAL REVIEW OF COSTS
• DEPENDENCE & REPORTING TO BOARD
• CONTROLS ON OUTSOURCED DATA
INVESTMENT
• PROPERLY LAID DOWN PROCEDURES FOR VALUATION OF ASSETS - HARDWARE AND SOFTWARE.
• CLEAR POLICY ON WHETHER TO CAPITALISE / CHARGE OFF SUCH COSTS.
• PERIODICAL REVIEW BY THE MANAGEMENT, OF THE EXPECTED CHANGES / EXPENDITURE.
• MANAGEMENT REVIEW OF THE IMPACT OF NEW TECHNOLOGY.
INSURANCE
• INSURANCE OF IT ASSETS.
• INSURANCE POLICY FOR LOSS OF PROFITS / INCREASED COST OF WORKING.
• PRIOR ASSESSMENT OF COST OF RECOVERY
SEGREGATION OF DUTIES
OBJECTIVES
TO HAVE REASONABLE SEGREGATION OF DUTIES
• WITHIN IT DEPARTMENT
• BETWEEN IT AND USER DEPARTMENTS
• TO PREVENT / DETECT ERRORS OR IRREGULARITIES.
ORGANISATION STRUCTURE
• APPROPRIATE ORGANISATION STRUCTURE.
• FORMAL RECOGNITION.
• APPROPRIATE REPORTING.
• SIZE / STYLE OF OPERATIONS SHOULD MATCH NEEDS.
SEGREGATION OF DUTIES - IT
• FOR IT STAFF.
• FOR PROGRAMMERS.
• FOR OPERATORS.
• FOR NETWORK ADMINISTRATORS.
• FOR SECURITY.
SEGREGATION OF IT & USERS
• THROUGH LIMITATION OF RESPONSIBILITIES.
• THROUGH POWERFUL IDs.
• FIXATION OF RESPONSIBILITY TO INITIATE OR AUTHORISE TRANSACTIONS.
• REGULATE AMENDMENTS TO MASTER FILES / OTHER DATA.
• ENABLE CORRECTION OF INPUT ERRORS.
LOGICAL ACCESS CONTROLS
OBJECTIVES
• PREVENTION OF UNAUTHORISED ACCESS TO SENSITIVE DATA OR PROGRAMS.
• PROTECTION OF DATA / SYSTEM CONFIDENTIALITY, INTEGRITY AND RELIABILITY OF DATA /
IDENTIFICATION OF SENSITIVE DATA / APPLICATIONS
• PROCEDURES LAID DOWN TO IDENTIFY SENSITIVE DATA / APPLICATIONS.
• THROUGH SECURITY POLICY.
• THROUGH RISK ASSESSMENT PROCESS.
DESIGN OF USER ACCESS RESTRICTIONS
• THROUGH UNIQUE USER IDS / PASSWORDS.
• THROUGH MENU FACILITIES.
• MANAGEMENT APPROVAL FOR THE MENU OPTIONS.
EFFECTIVENESS OF USER ACCESS RESTRICTIONS
• THROUGH REGULAR CHANGE OF PASSWORDS.
• THROUGH PROTECTION OF PASSWORDS.
• THROUGH REPORTS ON SECURITY BREACHES.
IT ACCESS
• PREVENTION OF SYSTEMS DEVELOPMENT STAFF FROM DATA/PROGRAM ACCESS IN PRODUCTION ENVIRONMENT.
• PROPER PROCEDURES TO EFFECT EMERGENCY CHANGES
CONTROL OVER POWERFUL IDs/ UTILITIES
• ADEQUATE CONTROL OF THE ALLOCATION/AUTHORISATION AND USE OF POWERFUL USER IDS/ PASSWORDS.
• REGULAR REPORT ON BREACHES.
PHYSICAL ACCESS CONTROLS
OBJECTIVES
• MINIMISATION OF POTENTIAL RISK OF ACCIDENT OR MALICIOUS DAMAGE TO IT ASSETS
• PREVENTION OF THEFT OF IT ASSETS.
PHYSICAL SECURITY
• ADEQUATE PHYSICAL SECURITY TO COVER THE IT ASSETS.
• PROPER DOCUMENTATION.
SYSTEMS DEVELOPMENT, MAINTENANCE AND CHANGE CONTROLS
OBJECTIVES
• USERS' SATISFACTION THROUGH AVAILABILITY & PERFORMANCE OF SYSTEMS.
• SYSTEM RELIABILITY, CONTROLLABILITY, COST EFFECTIVENESS.
• DATA INTEGRITY CONTROLS
IN-HOUSE DEVELOPMENT
• PROPER METHODOLOGY FOR IN-HOUSE DEVELOPMENT, WITH INBUILT CONTROLS.
• PROPER PROGRAMMING STANDARDS LAID DOWN.
PACKAGE SUPPORT
• ADEQUATE VENDOR SUPPORT
• MAINTENANCE THROUGH CONTRACTS / AGREEMENTS.
• TESTING OF CHANGES AND UPGRADES BEFORE INSTALLATION.
• SOURCE CODE PROVIDED.
THIRD PARTY DEVELOPMENT / MAINTENANCE
• ASSURANCE ON QUALITY AND COSTS/BENEFITS OBTAINED.
• GOOD REPUTATION OF VENDOR WITH KNOWLEDGE OF COST MANAGEMENT.
• EXISTENCE OF STANDARDS TO CHECK WITH ACTUALS.
PROJECT REVIEW BY MANAGEMENT
• REVIEW BY MANAGEMENT ON THE COST & PROGRESS OF NEW DEVELOPMENTS.
• PROPER REPORTING LINES.
• THROUGH BUDGETS.
• EFFECTIVE COST ACCOUNTING AND CONTROLS.
USER INVOLVEMENT IN DEVELOPMENT
• USER INVOLVEMENT.
• USERS’ SIGN OFF OF SPECS.
• USER TESTING FOR ACCEPTANCE.
• PROPER TRAINING OF USERS.
• PROVISION OF USER MANUALS.
BUSINESS CONTINUITY PLANNING CONTROLS
OBJECTIVES
• MINIMISATION OF CHANCES OF MAJOR FAILURES
• TO ENSURE EARLY RESUMPTION OF BUSINESS, IN CASE OF NON-RELIABILITY OF THE SYSTEMS OR FACILITIES.
RISK ASSESSMENT - BUSINESS DISRUPTION
• PRIOR IDENTIFICATION OF THE CRITICAL SYSTEMS.
• DETERMINATION OF THE PERIOD FOR CONTINUANCE OF BUSINESS OPERATIONS WITHOUT THE CRITICAL IT SYSTEMS.
BUSINESS CONTINUITY
• PLANS FOR BUSINESS CONTINUITY LAID DOWN.
• REGULAR REVIEW/ UPDATING OF PLANS.
• USER PROCEDURES.
• BOARD APPROVAL FOR THE PLANS.
BACK-UP FREQUENCY
• PERIODIC DATA BACK-UP.
• MORE FREQUENT BACK-UP.
• FREQUENCY DEPENDS ON CRITICALITY OF PROCEDURES / CHANGES.
BACK-UP COMPOSITION
• DATA FILES, PROGRAMS AND SYSTEM SOFTWARE.
• DOCUMENTATION SUCH AS USER MANUALS, SYSTEMS MANUAL ETC., SHOULD ALSO BE BACKED UP.
BACK-UP SECURITY / LOCATION
• SECURED BACK-UP IN AN OFF-SITE LOCATION.
• MAINTENANCE OF PROMPT AND PROPER RECORD OF MEDIA MOVEMENT.
• PROPER AUTHORISATION OF MEDIA MOVEMENTS.
TESTING
• REGULAR TESTING OF BACK-UP AND RECOVERY.
• DETERMINATION OF RECOVERY TIME
• TESTING AFTER CHANGES TO SYSTEMS / PROGRAMS.
• LOG OF TESTS CONDUCTED.
APPLICATION CONTROLS
APPLICATIONS
• PROGRAMS TO HANDLE ORGANISATIONAL FUNCTIONS LIKE
– PRODUCTION
– FINANCE / COST ACCOUNTS
– MATERIALS MANAGEMENT
– PAYROLL
– LIBRARY MANAGEMENT
– SHARE TRADING
– CUSTOMER SERVICE IN BANKS
CONTROL OBJECTIVES FOR INPUT
• TO ENSURE
– EXISTENCE OF PROPER AUTHORITY
– UNIQUENESS
– ACCURACY
– COMPLETENESS
OBJECTIVES FOR DATA PROCESSING
• TO ENSURE
– COMPLETENESS
– ACCURACY
– UNIQUENESS
– VALIDITY
– ACCEPTABILITY
OBJECTIVES FOR OUTPUT
• TO ENSURE
– COMPLETENESS
– ACCURACY
– CONTROL OVER THE PLANNED DISTRIBUTION OF OUTPUT
OBJECTIVES
• TO ENSURE
– ACCEPTANCE OF EVERY INPUT INTO THE SYSTEM, ONLY ONCE
– ACCURATE RECORDING OF INPUT
• AGREEMENT OF TRANSACTION TOTALS, IN BATCH INPUTS WITH A MANUAL TOTAL
• MANUAL TOTALS ARE PRE-RECORDED IN BATCH HEADER DOCUMENTS
• TOTALS BE ENTERED WELL AHEAD OF COMMENCEMENT OF PROCESSING
• USER- DEVISED MECHANISM TO CONTROL PROCESSING ALL BATCHES.
• LOGGING & REVIEW OF THE CONTROL MECHANISM ON BATCH PROCESSING.
• DEVISING INBUILT VALIDITY CHECKS TO CHECK THE ACCURACY OF INPUT.
• EXAMPLE
– A CHECK ON THE CUSTOMER CODE AND ITS FORMAT, AND A CHECK THAT THE CODE IS VALID.
• REJECTION, BY THE SYSTEM, OF INPUTS THAT FAIL VALIDITY TESTS
• GENERATION OF EXCEPTION REPORTS
• KEEPING ALL INVALID TRANSACTIONS, IN SUSPENSE ACCOUNTS, FOR ACTION BY USERS.
• IN CASE OF CRITICAL AND SMALL VOLUME INPUT, RESORTING TO ‘ONE-TO-ONE INPUT CHECKING’ COULD BE EFFECTIVE
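The batch-total, validity-check, duplicate-rejection, suspense and exception-report controls listed above, as an added Python example (not from the original slides); the batch header, customer codes, code-format rule and amounts are all constructed for illustration:

```python
# Added example (not from the original slides): batch input controls over a
# constructed batch of customer receipts. The header carries the manually
# pre-recorded totals; each line is validity-checked (customer code format and
# existence on the master file), a repeated reference is rejected so every input
# is accepted only once, failures go to suspense, and an exception report is built.
import re
from decimal import Decimal

# Constructed sample master data and batch (hypothetical codes and format rule).
VALID_CUSTOMERS = {"C10042", "C10043", "C10077"}
CODE_FORMAT = re.compile(r"^C\d{5}$")

BATCH_HEADER = {"batch_id": "B0001", "count": 4, "amount": Decimal("550.00")}
BATCH_LINES = [
    {"ref": "R1", "customer": "C10042", "amount": Decimal("100.00")},
    {"ref": "R2", "customer": "C1004X", "amount": Decimal("200.00")},  # bad format
    {"ref": "R3", "customer": "C10099", "amount": Decimal("150.00")},  # not on master
    {"ref": "R1", "customer": "C10042", "amount": Decimal("100.00")},  # duplicate ref
]

def validate_line(line, seen_refs):
    """Return None if the line passes every check, else the reason it fails."""
    if line["ref"] in seen_refs:
        return "duplicate input (already accepted once)"
    if not CODE_FORMAT.match(line["customer"]):
        return "customer code format invalid"
    if line["customer"] not in VALID_CUSTOMERS:
        return "customer code not on master file"
    if line["amount"] <= 0:
        return "amount must be positive"
    return None

def process_batch(header, lines):
    accepted, suspense, seen = [], [], set()
    for line in lines:
        reason = validate_line(line, seen)
        if reason:
            suspense.append({**line, "reason": reason})  # held for user action
        else:
            accepted.append(line)
            seen.add(line["ref"])
    # Batch agreement: the header totals cover everything submitted, so they are
    # compared with all lines entered (accepted + suspense), not accepted alone.
    control = {
        "count_agrees": len(accepted) + len(suspense) == header["count"],
        "amount_agrees": sum(l["amount"] for l in lines) == header["amount"],
    }
    report = [f"{s['ref']} {s['customer']} {s['amount']}: {s['reason']}" for s in suspense]
    return accepted, suspense, control, report
```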
OBJECTIVES
• TO ENSURE COMPLETE & PROPER PROCESSING OF DATA.
• TO CHECK AGAINST DUPLICATE PROCESSING.
• TO ENSURE APPLICATION OF ALL APPROPRIATE PROCESSES ON THE CORRECT DATA.
RUN-TO-RUN TOTALS
• PRIOR IDENTIFICATION OF RUN-TOTALS
• AGREEMENT OF RUN-TOTALS WITH THE TOTALS OF THE SYSTEM, AFTER DATA PROCESSING.
• WHEN TWO TOTALS CAN BE RELATED, CONTROLLING FROM THAT POINT FORWARD, BY MEANS OF THE SECOND TOTAL.
• EXAMPLE
– USING PIVOT TOTAL IN TIME RECORDING / PAYROLL SYSTEM
– REGULATING GROSS PAY WITH REGARD TO HOURS WORKED
– ITS ADOPTION FOR FURTHER PROCESSING.
INDEPENDENT CONTROL ACCOUNT
• TO PREDICT PROCESSING RESULTS
• TO HIGHLIGHT AN UNEXPECTED RESULT
• HERE, CONTROL ACCOUNT POSTED FROM AN INDEPENDENT SOURCE IS USED
• HELPS IN FLAGGING ERRORS CAUSED BY EXTRANEOUS FACTORS, LIKE
– USE OF AN INCORRECT LEDGER / FILE DURING DATA PROCESSING
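The run-to-run (pivot) total and the independent control account from the last two slides, as an added Python example (not from the original slides); the employees, hours, rate files and control account figure are constructed, and the stale rate file stands in for an incorrect file used during processing:

```python
# Added example (not from the original slides): run-to-run (pivot) totals and an
# independent control account in a constructed time-recording / payroll flow.
# The time-recording run establishes a pivot total (hours). The payroll run must
# (1) process exactly those hours, and (2) produce a gross-pay total that agrees
# with a control account posted from an independent source. A stale rates file
# passes check (1) but is caught by check (2).
from decimal import Decimal

# Constructed sample data: hours per employee and two versions of the rate file.
TIME_RECORDS = [("E1", Decimal("40")), ("E2", Decimal("35")), ("E3", Decimal("20"))]
RATES_CURRENT = {"E1": Decimal("20.00"), "E2": Decimal("18.00"), "E3": Decimal("25.00")}
RATES_STALE = {"E1": Decimal("19.00"), "E2": Decimal("18.00"), "E3": Decimal("25.00")}
# Independent control account: expected gross pay posted by HR from approved
# contracts, not derived from the payroll program's own output (40*20 + 35*18 + 20*25).
CONTROL_ACCOUNT_GROSS = Decimal("1930.00")

def time_recording_run(records):
    """First run: validate hours and establish the pivot total carried forward."""
    hours = {emp: h for emp, h in records if h >= 0}
    return hours, sum(hours.values())

def payroll_run(hours, rates, pivot_hours):
    """Second run: regulate gross pay by the hours pivot, then compute pay."""
    processed_hours = sum(hours.values())
    if processed_hours != pivot_hours:
        raise ValueError(f"run-to-run total mismatch: {processed_hours} != {pivot_hours}")
    gross = {emp: h * rates[emp] for emp, h in hours.items()}
    return gross, sum(gross.values())

def reconcile(total_gross, control_account):
    """Independent control account check; a non-zero difference flags an
    extraneous error such as an incorrect ledger / file used in processing."""
    return total_gross - control_account

def run_payroll(rates):
    """Run both stages and return (gross-pay total, difference to control account)."""
    hours, pivot = time_recording_run(TIME_RECORDS)
    _, total = payroll_run(hours, rates, pivot)
    return total, reconcile(total, CONTROL_ACCOUNT_GROSS)
```

With the current rates the difference is zero; with the stale file the hours pivot still agrees, and only the control account reveals the wrong rates.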
OBJECTIVES
• TO ENSURE
– INPUT-OUTPUT CONSISTENCY
– COST-EFFECTIVE DISTRIBUTION OF OUTPUT
COMPLETENESS OF PRINCIPAL REPORTS
• PRIOR ESTABLISHMENT OF TOTALS OF THE DESIRED OUTPUT
• PRINTING OF TOTALS ON PRINTING OF THE OUTPUT
• COMPARISON OF THESE TOTALS WITH INDEPENDENT CONTROL ACCOUNT TOTALS.
• COMPARISON OF THESE TOTALS WITH PRE-COMPUTED TOTALS AS PER UPDATE REPORTS.
COMPLETENESS OF SELECTIVE REPORTS
• NOT POSSIBLE TO AGREE WITH PRINCIPAL REPORTS, DUE TO THEIR NATURE.
• THE TOTALS CAN BE PRINTED ON THESE REPORTS TO CONFIRM ADDRESSING ALL DATA RECORDS WHILE MAKING THE SELECTION.
• CAN BE INSTALLED
• DIFFICULT TO IMPLEMENT MANY CONTROL PROCEDURES REQUIRED FOR MANAGEMENT AUDITORS
– (UNLIKE IN BATCH PROCESSING)
POSSIBLE CONTROL MEASURES
• ONLY IN-BUILT PREVENTIVE CONTROLS LIKE PASSWORD PROTECTION
• CONVERSATIONAL EDITING
• LOG FILES TO MINIMISE THE RISKS TO SYSTEMS
• ONE-TO-ONE CHECKING
• EXCEPTION REPORTING
• REPORT ON SUSPENSE ACCOUNT
• POSTING & RECONCILIATION OF DATA TO AN INDEPENDENT REAL CONTROL ACCOUNT.
• CONTROL PROBLEMS AS IN REAL TIME SYSTEMS.
• MORE RELIANCE ON THE GENERAL IT CONTROLS.
• COMPLETENESS OF REPORTS HINGES ON ACCURACY OF THE DATA MORE THAN PROGRAMS.
POSSIBLE CONTROL MEASURES
• ALL REPORTS TREATED AS EXCEPTION REPORTS
• COMPLETENESS OF REPORTS SHOULD BE PROVED .
• INTEGRITY CHECKING BY ADMINISTRATORS TO CHECK & CONTROL ERRORS.
• IDENTIFY MAIN INPUTS.
• TEST-CHECK THE PROCEDURES FOR INPUT AUTHORISATION
• VERIFY THE ADEQUACY OF CHECKS FOR DATA VALIDATION
• VERIFY THE ADEQUACY OF PROCEDURES TO ENSURE COMPLETENESS OF DATA
• VERIFY THE PROCEDURES TO HANDLE INCORRECT DATA.
• CHECK THE CONTROLS, AT EACH STAGE OF PROCESSING, FOR
– DATA VALIDATION
– DATA COMPLETENESS
– DATA ACCURACY
• CHECK ERROR- HANDLING PROCEDURES AT EACH STAGE OF PROCESSING.
• CHECK THE CONTROLS FOR ACCURACY AND ADEQUACY OF INPUTS (BY RECONCILING OUTPUT WITH INPUTS)
• CHECK THE CONTROLS TO PROTECT OUTPUT BEFORE DISTRIBUTION
• CHECK THE CONTROLS OVER THE ISSUE OF FINANCIAL STATIONERY.
• CHECK THE EFFECTIVENESS OF
– ACCESS RESTRICTION
– SECURITY OVER SENSITIVE INFORMATION
– PASSWORD MANAGEMENT