ADVISORY SERVICES
IT Auditor’s Perspective: An Overview and Discussion of IT Controls
© 2008 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. FOR INTERNAL USE ONLY. All rights reserved. 2
Learning Objectives
• Describe concepts related to internal controls from the perspective of the IT auditor
• Identify and distinguish Information Technology (IT) automated application and general controls
• Understand the relationship between types of controls and system layers
• Questions, Comments and General Discussion
Control Overview
Definition
• Control
• Dictionary Definition: To exercise authoritative or dominating influence over; direct (Source: Dictionary.com; web address: http://dictionary.reference.com/browse/control)
• Auditor’s Definition: An activity that is performed to prevent or detect an error or exception from entering or continuing in a process
• Internal Control
• A process, effected by an organization's people and IT systems, designed to help the organization accomplish specific goals or objectives (Source: Wikipedia; web address: http://en.wikipedia.org/wiki/Internal_control)
Common Generic Control Objectives and Examples
• Financial
• Financial statements are presented in accordance with Generally Accepted Accounting Principles (Financial Reporting Reliability)
• Example:
• The division of responsibilities such that a clerk responsible for processing cash receipts does not have access to make, change, or delete corresponding accounting entries within the financial system
• Operational
• Operational goals related to efficiency and effectiveness are achieved
• Example:
• Standard operating procedures, Quality Assurance (QA) checks
• Regulatory
• The organization complies with applicable laws and regulations
• Example:
• Logical security controls placed into operation to protect the confidentiality of data covered by Payment Card Industry Data Security Standard (PCI – DSS) or Health Insurance Portability and Accountability Act (HIPAA)
Internal Control Concepts
• Key Concepts for Internal Control
• Internal control is a process.
• Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management, board, and other stakeholders.
Internal Control – A Renewed Focus
• Sarbanes-Oxley Act of 2002
• Intended to expand corporate governance, increase public confidence in financial reporting information and strengthen our capital markets systems
• Effects of Sarbanes-Oxley
• Created the Public Company Accounting Oversight Board (PCAOB)
• Reinforced auditor independence
• Strengthened the internal control structure within organizations
• Upgraded financial disclosures
• Created accountability at the executive level
• Protects investors
Internal Control – A Renewed Focus (continued)
• Payment Card Industry – Data Security Standard (PCI-DSS)
• Created to protect the financial data of consumers from loss
• Partially a response to the rise in identity theft awareness
• Partially a response to the rise in data exposure/breaches in the marketplace
• Designed to protect key financial data
• At rest
• Generally a requirement for access controls
• In transit
• Generally a requirement for encryption
Internal Control – A Renewed Focus (continued)
Examples
Fidelity National Information Services (FIS)
Type of Breach: Hack
Cost: $13 million
After breaking into FIS's network and gaining access to the company's database, a group of criminals obtained 22 legitimate ATM cards. Copies of the cards were made and shipped to Greece, Russia, Spain, Sweden, the Ukraine and the United Kingdom.
Bank of America
Type of Breach: Insider Theft
Cost: $10 million
A Bank of America employee leaked customer information to members of an identity theft ring. Customer names, Social Security numbers, driver's license numbers, bank account numbers, PINs, account balances, dates of birth, addresses, and phone numbers were obtained.
Source: privacyrights.org
Application Controls: What Are They and Why They Matter
Overview of Application Controls
• What is a control (again)?
• An activity that is performed to prevent or detect an error or exception from entering or continuing on in a process
• What is application software?
• A subclass of computer software that employs the capabilities of a computer directly and thoroughly to a task that the user wishes to perform
• Examples: Word processors, spreadsheets, media players, Enterprise Resource Planning (ERP) systems (e.g., SAP, Oracle, etc.)
• Contrasted with system software, which is any computer software that manages and controls computer hardware so that application software can perform a task (e.g., Unix, Windows)
(Source: Wikipedia; web address: http://en.wikipedia.org/wiki/Application_software, http://en.wikipedia.org/wiki/System_software)
Application Controls and IT General Controls
[Diagram: layers of the financial reporting model, from business activity at the top down to the IT services that support it]
• Business Events and Transactions
• Classes of Transactions
• Business Processes: Process A, Process B, Process C
• Significant Accounts / Disclosures in Financial Statements: Balance Sheet, Income Statement, Cash Flow, Notes, Other
• Financial Applications (application controls): Financial Application A, Application B
• IT Services (general controls): Plan & Organize, Acquire & Implement, Deliver & Support, Monitor
• IT General Controls (activities): Program Development, Program Change, Computer Operations, Access
Information Technology Controls – IT Application Controls
• IT Application Controls
• Apply to the processing of individual applications
• Help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed
• Examples
• Logical Access/Segregation of Duties
• System Configurations (e.g., three-way match)
• Key reports (exception/edit reports)
• Includes automated and manual controls with an IT component
• Dependent on the effectiveness of IT General Controls
• May be configurable parameters or hard-coded within the system
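The three-way match and the exception/edit report listed above are the kind of automated application control an IT auditor tests: a preventive check that blocks an invoice from payment unless purchase order, goods receipt and invoice agree, and a detective report that routes the mismatches to someone for resolution. The following Python is an added example written for this page, not code from the deck or from KPMG; the record layouts, the 2% price tolerance and the sample invoices are assumptions constructed for illustration.

```python
"""Added example (not from the deck): an automated three-way match used as a
preventive application control, with mismatches routed to an exception/edit
report for manual review and resolution.

Assumptions (constructed for illustration): purchase orders, goods receipts
and vendor invoices are keyed by PO number; an invoice is released only when
the billed quantity is covered by both the order and the receipt, and the
unit price is within a configurable tolerance of the PO price."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_number: str
    quantity_billed: int
    unit_price: Decimal


# Configurable control parameter (the deck notes application controls may be
# configurable or hard-coded): allowed unit-price variance as a fraction (2%).
PRICE_TOLERANCE = Decimal("0.02")


def three_way_match(invoice, orders, receipts, tolerance=PRICE_TOLERANCE):
    """Return the list of exception reasons for one invoice (empty = match)."""
    reasons = []
    po = orders.get(invoice.po_number)
    if po is None:
        # Nothing to match against: the invoice cannot be released at all.
        return [f"no purchase order on file for {invoice.po_number}"]
    receipt = receipts.get(invoice.po_number)
    received = receipt.quantity_received if receipt else 0
    if receipt is None:
        reasons.append(f"no goods receipt recorded for {invoice.po_number}")
    if invoice.quantity_billed > received:
        reasons.append(f"billed {invoice.quantity_billed} but only {received} received")
    if invoice.quantity_billed > po.quantity:
        reasons.append(f"billed {invoice.quantity_billed} but only {po.quantity} ordered")
    if po.unit_price == 0:
        variance = Decimal(0) if invoice.unit_price == 0 else Decimal(1)
    else:
        variance = abs(invoice.unit_price - po.unit_price) / po.unit_price
    if variance > tolerance:
        reasons.append(f"unit price {invoice.unit_price} is {float(variance):.1%} off PO price {po.unit_price}")
    return reasons


def process_invoices(invoices, orders, receipts):
    """Split invoices into those released for payment and those held as exceptions."""
    released, exceptions = [], []
    for inv in invoices:
        reasons = three_way_match(inv, orders, receipts)
        if reasons:
            exceptions.append((inv.invoice_id, reasons))
        else:
            released.append(inv.invoice_id)
    return released, exceptions


def exception_report(exceptions):
    """Render the held invoices as the exception/edit report a reviewer works from."""
    lines = ["EXCEPTION REPORT - invoices held for manual review and resolution"]
    for invoice_id, reasons in exceptions:
        for reason in reasons:
            lines.append(f"{invoice_id}: {reason}")
    return "\n".join(lines)


# Constructed sample data (not real transactions).
ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", 100, Decimal("10.00")),
    "PO-1002": PurchaseOrder("PO-1002", 50, Decimal("200.00")),
    "PO-1003": PurchaseOrder("PO-1003", 10, Decimal("1500.00")),
    "PO-1004": PurchaseOrder("PO-1004", 20, Decimal("30.00")),
}
RECEIPTS = {
    "PO-1001": GoodsReceipt("PO-1001", 100),
    "PO-1002": GoodsReceipt("PO-1002", 40),
    "PO-1004": GoodsReceipt("PO-1004", 20),
}
INVOICES = [
    Invoice("INV-1", "PO-1001", 100, Decimal("10.10")),   # 1% over PO price: within tolerance
    Invoice("INV-2", "PO-1002", 50, Decimal("200.00")),   # billed more than received
    Invoice("INV-3", "PO-1003", 10, Decimal("1500.00")),  # no goods receipt at all
    Invoice("INV-4", "PO-9999", 1, Decimal("5.00")),      # no purchase order
    Invoice("INV-5", "PO-1004", 20, Decimal("31.00")),    # 3.3% over PO price: exceeds tolerance
]

if __name__ == "__main__":
    released, exceptions = process_invoices(INVOICES, ORDERS, RECEIPTS)
    print("Released for payment:", released)
    print(exception_report(exceptions))
```

Only INV-1 is released; the other four land on the report with the reason a reviewer needs to resolve them. The tolerance is the configurable parameter an auditor would inspect, since setting it too wide quietly disables the price check.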
Application Control Categories
[Table: for each control category, the manual aspect and the IT aspect]
• Authorization
• Manual aspect: Signature review
• IT aspect: Online approval
• Exception/Edit
• Manual aspect: Manual reconciliation, review and resolution
• IT aspect: Program development / change control access / integrity of exception-edit report
• Interface/Conversion
• Manual aspect: Manual reconciliation and analysis
• IT aspect: Automated reconciliation
• Management Review
• Manual aspect: Review and analysis
• IT aspect: Completeness and accuracy of reports
• Reconciliation
• Manual aspect: Manual reconciliation
• IT aspect: Automated reconciliation / completeness and accuracy of reports
• Segregation of Duties
• Manual aspect: Job functions
• IT aspect: System access / profiles / user groups
• System Access
• Manual aspect: Approvals / termination review
• IT aspect: Configurable system and security controls
• System Configuration / Account Mapping
• Manual aspect: Policy approval / ability to override controls over processes
• IT aspect: System settings in accordance with policy / security change control
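The segregation-of-duties row above (and the earlier cash-receipts clerk example under the Financial control objective) describes a conflict that is enforced in practice through system access profiles and user groups: a periodic review of who holds which profiles (detective), and a check at access-administration time before a conflicting profile is granted (preventive). The following Python is an added example for this page, not KPMG's or any ERP vendor's code; the profile names, the capability-to-profile mapping, the conflict matrix and the user extract are all constructed assumptions.

```python
"""Added example (not from the deck): detecting segregation-of-duties (SoD)
conflicts from system access profiles, and blocking a conflicting assignment
before it is granted.

Assumptions (constructed): each profile/user group grants a set of
capabilities, a conflict matrix names capability pairs one person must not
hold together, and the review runs over a small user-to-profile extract."""

# Capabilities granted by each profile. Hypothetical names, not any ERP's.
PROFILE_CAPABILITIES = {
    "AR_CASH_CLERK": {"post_cash_receipt"},
    "GL_ACCOUNTANT": {"create_journal_entry", "change_journal_entry", "delete_journal_entry"},
    "AP_CLERK": {"create_vendor_invoice"},
    "VENDOR_MASTER": {"maintain_vendor_master"},
    "AP_PAYMENT": {"release_payment"},
    "REPORT_VIEWER": {"view_reports"},
}

# Conflict matrix: (capabilities on side A, capabilities on side B, label).
# The first rule is the deck's own example: a cash receipts clerk must not be
# able to make, change or delete the corresponding accounting entries.
SOD_RULES = [
    ({"post_cash_receipt"},
     {"create_journal_entry", "change_journal_entry", "delete_journal_entry"},
     "cash receipts vs. accounting entries"),
    ({"maintain_vendor_master"},
     {"create_vendor_invoice", "release_payment"},
     "vendor master maintenance vs. invoicing/payment"),
    ({"create_vendor_invoice"},
     {"release_payment"},
     "invoice entry vs. payment release"),
]


def effective_capabilities(profiles):
    """Union of the capabilities granted by a user's profiles.
    Unknown profiles grant nothing here; a real review would flag them too."""
    caps = set()
    for profile in profiles:
        caps |= PROFILE_CAPABILITIES.get(profile, set())
    return caps


def conflicts_for(capabilities):
    """Return (label, held_a, held_b) for every SoD rule the capability set violates."""
    hits = []
    for side_a, side_b, label in SOD_RULES:
        held_a, held_b = capabilities & side_a, capabilities & side_b
        if held_a and held_b:
            hits.append((label, sorted(held_a), sorted(held_b)))
    return hits


def review_sod(user_profiles):
    """Detective control: periodic review of an access extract for SoD conflicts."""
    findings = []
    for user in sorted(user_profiles):
        for label, held_a, held_b in conflicts_for(effective_capabilities(user_profiles[user])):
            findings.append((user, label, held_a, held_b))
    return findings


def would_create_conflict(existing_profiles, new_profile):
    """Preventive control at access-administration time: True if granting
    new_profile on top of the user's current profiles would add a violation."""
    before = conflicts_for(effective_capabilities(existing_profiles))
    after = conflicts_for(effective_capabilities(list(existing_profiles) + [new_profile]))
    return len(after) > len(before)


# Constructed user-to-profile extract.
USER_PROFILES = {
    "jdoe": ["AR_CASH_CLERK", "REPORT_VIEWER"],
    "asmith": ["AR_CASH_CLERK", "GL_ACCOUNTANT"],            # the deck's conflict
    "bnguyen": ["VENDOR_MASTER", "AP_PAYMENT"],
    "ckim": ["AP_CLERK"],
    "admin01": ["AP_CLERK", "AP_PAYMENT", "VENDOR_MASTER"],  # several conflicts
}

if __name__ == "__main__":
    for user, label, held_a, held_b in review_sod(USER_PROFILES):
        print(f"{user}: {label} ({held_a} with {held_b})")
    request = would_create_conflict(USER_PROFILES["ckim"], "AP_PAYMENT")
    print("grant AP_PAYMENT to ckim?", "blocked" if request else "ok")
```

The review is only as good as the conflict matrix and the profile-to-capability mapping, which is why the table above pairs the IT aspect (profiles and user groups) with a manual aspect (job functions): someone has to confirm the matrix reflects the real job design.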
Types of Controls
• Preventive, Detective or Corrective
• Preventive: designed to prevent errors or exceptions from being introduced or errors from occurring
• Detective: designed to detect errors or exceptions. A detective control is not complete unless it includes corrective action
• Corrective: designed to correct errors or exceptions
• Manual, Automated or Combined
• Manual: performed by one or more personnel
• Automated: performed by an application or computer
• Combined: performed by personnel in combination with an application or computer system
When Should Application Controls Be Considered…
• …during development?
• …during testing?
• …after implementation?
[Chart: Cost of Controls ($) plotted against the Project Lifecycle phases Blueprint, Realization, Final Preparation, Go-Live and Post Go-Live]
When Should Application Controls Be Considered… (continued)
• Considering controls throughout the project, beginning as early as possible, helps to identify, evaluate, and integrate them rather than identifying and remediating control weaknesses afterwards, which reduces the cost of control integration.
IT General Controls: What They Are and Why They Matter
IT General vs. Application Controls
• The effectiveness of application controls is dependent on general controls
[Diagram: system layers, from the physical layer up to business processes, each layer relying on the controls in the layer beneath it]
• Physical
• Networks
• Platforms
• Data/DBMS
• Applications
• Processes
Security Model Overview
Relationship of IT General and Application Controls and Financial Reporting
IT General Controls
IT General Control (ITGC) Categories
• Access to Programs and Data
• Program Change
• Program Development
• Computer Operations
Access to Programs and Data
Control Components
• Consider the following access to programs and data components:
• Information security policy / user awareness
• Configuration of access rules
• Access administration
• Identification and authentication
• Monitoring
• ‘Super users’
• Physical access
Program Changes Workflow
• Change is requested
• Analyzed, recorded and approved
• Prioritized and scheduled
• Developed
• Tested, validated and approved
• Migrated
• Change ticket is closed
• Throughout the workflow: ownership, tracking and monitoring
Program Development
Control Components
• Systems Development Life Cycle (SDLC)
• Consider the following program development components:
• Methodology for development / acquisition
• Design, development, testing, approval, and implementation
• Data migration
ITGC — Computer Operations
Control Components
• Consider the following computer operations components:
• Job processing
• Backup and recovery procedures
• Incident and problem management procedures
Summary of Key Points
• Internal control:
• Is a process, effected by an organization's people and IT, designed to help the organization accomplish specific goals or objectives
• IT application controls:
• Help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed
• IT general controls:
• Policies and procedures that relate to many applications and support the effective functioning of application controls and manual controls with an IT component
• These concepts are relevant!
• Almost every position in any career field deals with controls in some capacity
• When you think about the security of your own personal information, you’re actually thinking about control
Questions, Comments and General Discussion
© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 33179WDC
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.