A D V I S O R Y S E R V I C E S IT Auditor’s Perspective: An Overview and Discussion of IT Controls

A D V I S O R Y S E R V I C E S

IT Auditor’s Perspective: An Overview and Discussion of IT Controls

© 2008 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. FOR INTERNAL USE ONLY. All rights reserved. 2

Learning Objectives

• Describe concepts related to internal controls from the perspective of the IT auditor

• Identify and distinguish Information Technology (IT) automated application and general controls

• Understand the relationship between types of controls and system layers

• Questions, Comments and General Discussion

Control Overview


Definition

• Control

• Dictionary Definition: To exercise authoritative or dominating influence over; direct (Source: Dictionary.com; web address: http://dictionary.reference.com/browse/control)

• Auditor’s Definition: An activity that is performed to prevent or detect an error or exception from entering or continuing in a process

• Internal Control

• A process, effected by an organization's people and IT systems, designed to help the organization accomplish specific goals or objectives (Source: Wikipedia; web address: http://en.wikipedia.org/wiki/Internal_control)


Common Generic Control Objectives and Examples• Financial

• Financial statements are presented in accordance with Generally Accepted Accounting Principles (Financial Reporting Reliability)

• Example:

• The division of responsibilities such that a clerk responsible for processing cash receipts does not have access to make, change, or delete corresponding accounting entries within the financial system

• Operational

• Operational goals related to efficiency and effectiveness are achieved

• Example:

• Standard operating procedures, Quality Assurance (QA) checks

• Regulatory

• The organization complies with applicable laws and regulations

• Example:

• Logical security controls placed into operation to protect the confidentiality of data covered by Payment Card Industry Data Security Standard (PCI – DSS) or Health Insurance Portability and Accountability Act (HIPAA)


Internal Control Concepts

• Key Concepts for Internal Control

• Internal control is a process.

• Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.

• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management, board, and other stakeholders.


Internal Control – A Renewed Focus

• Sarbanes-Oxley Act of 2002

• Intended to expand corporate governance, increase public confidence in financial reporting information and strengthen our capital markets systems

• Effects of Sarbanes-Oxley

• Created the Public Company Accounting Oversight Board (PCAOB)

• Reinforces Auditor Independence

• Strengthen Internal Control Structure with organizations

• Upgrade Financial Disclosures

• Created Accountability at the Executive Level

• Protect Investors


Internal Control – A Renewed Focus (continued)

• Payment Card Industry – Data Security Standard (PCI-DSS)

• Created to protect the financial data of consumers from loss

• Partially a response to the rise in identity theft awareness

• Partially a response to the rise in data exposure/breaches in the marketplace

• Designed to protect key financial data

• At rest

• Generally a requirement for access controls

• In transit

• Generally a requirement for encryption


Internal Control – A Renewed Focus (continued)

Examples

Fidelity National Information Services (FIS)

Type of Breach: Hack

Cost: $13 millionAfter breaking in to FIS's network and gaining access to the company's database, a group of criminals obtained 22 legitimate ATM cards. Copies of the cards were made and shipped to Greece, Russia, Spain, Sweden, the Ukraine and the United Kingdom

Bank of America

Type of Breach: Insider Theft

Cost: $10 millionA Bank of America employee leaked customer information to members of an identity theft ring. Customer names, Social Security numbers, driver's license numbers, bank account numbers, PINs, account balances, dates of birth, addresses, and phone numbers were obtained.

Source: privacyrights.org

Application Controls: What Are They and Why They Matter


Overview of Application Controls

• What is a control (again)?

• An activity that is performed to prevent or detect an error or exception from entering or continuing on in a process

• What is application software?

• A subclass of computer software that employs the capabilities of a computer directly and thoroughly to a task that the user wishes to perform

• Examples: Word processors, spreadsheets, media players, Enterprise Resource Planning (ERP) systems (e.g., SAP, Oracle, etc.)

• Contrasted with system software, which is any computer software which manages and controls computer hardware so that application software can perform a task (e.g. Unix, Windows)

(Source: Wikipedia; web address: http://en.wikipedia.org/wiki/Application_software, http://en.wikipedia.org/wiki/System_software)

http://en.wikipedia.org/wiki/Application_software

http://en.wikipedia.org/wiki/System_software


Application Controls and IT General Controls

And Transactions

Business ProcessesBusiness Processes

Process AProcess A Process BProcess B Process CProcess C

Significant Accounts in Financial StatementsSignificant Accounts / Disclosures in Financial Statements

Balance SheetBalance Sheet

IncomeStatement

Income Statement SCFPCash Flow NotesNotes OtherOther

Financial Applications (application controls)Financial Applications (application controls)

Financial Application AFinancial Application A Application BApplication B

IT Services (general controls)IT Services (general controls)

Plan & Organize

Plan & Organize

Acquire & implement

Acquire & implement

Deliver & Support

Deliver & Support MonitorMonitor

IT Services (general controls)IT General Controls (Activities)

Plan & OrganizeProgram

DevelopmentAcquire & implementProgram Change

Deliver & Support

ComputerOperations MonitorAccess

Classes of TransactionsClasses of Transactions

Business EventsAnd TransactionsBusiness Events and Transactions

Business EventsBusiness Events and Transactions


Information Technology Controls– IT Application Controls

• IT Application Controls

• Apply to the processing of individual applications

• Help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed

• Examples

• Logical Access/Segregation of Duties

• System Configurations (e.g., three-way match)

• Key reports (exception/edit reports)

• Includes automated and manual controls with an IT component

• Dependent on the effectiveness of IT General Controls

• May be configurable parameters or hard-coded within the system


Application Control Categories

Control Categories Manual Aspect IT Aspect

Authorization Signature Review On line approval

Exception/Edit Manual Reconciliation, Review and Resolution

Program Development / Change control access / Integrity of Exception-Edit Report

Interface/ Conversion Manual Reconciliation and Analysis Automated Reconciliation

Management Review Review and Analysis Completeness and Accuracy of Reports

Reconciliation Manual Reconciliation Automated Reconciliation / Completeness and Accuracy of Reports

Segregation of Duties Job FunctionsSystem Access /

Profiles / User Groups

System Access Approvals / Termination Review Configurable System and Security Controls

System Configuration / Account Mapping

Policy Approval / Ability to override controls over processes

System settings in accordance with policy / Security change control


Types of Controls

• Preventive or Detective or Corrective

• Designed to prevent errors or exceptions from being introduced or errors from occurring

• Designed to detect errors or exceptions. A detective control is not complete unless it includes corrective action

• Designed to correct errors or exceptions

• Manual or Automated or Combined

• Performed by one or more personnel

• Performed by an application or computer

• Performed by personnel in combination with an application or computer system


When Should Application Controls Be Considered…

….during development?

….during testing?

….after implementation?


Blueprint Realization Final Preparation Go-Live Post Go-Live

Project Lifecycle

Co

st o

f C

on

tro

ls (

$)

When Should Application Controls Be Considered… (continued)

• Consideration throughout the project (beginning as early as possible) can help to identify, evaluate, and integrate controls rather than identifying and remediating control weakness afterwards thus helping to reduce the cost of control integration.

IT General Controls: What They Are and Why They Matter


IT General vs. Application Controls

• The effectiveness of application controls is dependent on general controls

Physical

Networks

Platforms

Data/DBMS

Applications

Processes

Physical

Networks

Platforms

Data/DBMS

Applications

Processes


Security Model Overview

Relationship of IT General and Application Controls and Financial Reporting


IT General Controls

IT General Control (ITGC) Categories

• Access to Programs and Data

• Program Change

• Program Development

• Computer Operations


Access to Programs and Data

Control Components

• Consider the following access to programs and data components:

• Information security policy / user awareness

• Configuration of access rules

• Access administration

• Identification and authentication

• Monitoring

• ‘Super users’

• Physical access


Program Changes Workflow

Change is requested

Analyzed, Recordedand Approved

Change ticket is closed

Prioritized and Scheduled

DevelopedTested, validated

and Approved

MigratedOwnership, Tracking and Monitoring


Program Development

Control Components

• Systems Development Life Cycle (SDLC)

• Consider the following program development components:

• Methodology for development / acquisition

• Design, development, testing, approval, and implementation

• Data migration


ITGC — Computer Operations

Control Components

• Consider the following computer operations components:

• Job processing

• Backup and recovery procedures

• Incident and problem management procedures


Summary of Key Points

• Internal control:

• Is a process, affected by an organization's people and IT, designed to help the organization accomplish specific goals or objectives

• IT application controls:

• Help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed

• IT general controls:

• Policies and procedures that relate to many applications and support the effective functioning of application controls and manual controls with an IT component

• These concepts are relevant!

• Almost every position in any career field deals with controls in some capacity

• When you think about the security of your own personal information, you’re actually thinking about control

Questions, Comments and General Discussion

© 2008 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. FOR INTERNAL USE ONLY. All rights reserved.

• © 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 33179WDC

• The information contained herein is of a general nature and is not intended to address

• the circumstances of any particular individual or entity. Although we endeavour to provide• accurate and timely information, there can be no guarantee that such information is accurate• as of the date it is received or that it will continue to be accurate in the future. No one should• act on such information without appropriate professional advice after a thorough examination• of the particular situation.

Documents

A D V I S O R Y S E R V I C E S IT Auditor’s Perspective: An Overview and Discussion of IT Controls