Information Technology Control Day IV Afternoon Sessions

Page 1: Information Technology Control Day IV Afternoon Sessions

Information Technology Control

Day IV

Afternoon Sessions

Page 2: Information Technology Control Day IV Afternoon Sessions

Session Overview

• Internal control in information technology is a must.

• The use of computers and data processing has increased greatly nowadays, as computers are being used in every field.

• Inaccurate information generated by computers has a widespread impact on society.

Page 3

Continued…

• Inaccurate information might cause misallocation of resources within the economy, perpetrate frauds, and lead to general distrust of the system as a whole.

• The need to maintain the integrity of data processed by computers now pervades our lives.

Page 4

Continued…

• It is to be ensured that computer systems perform the tasks entrusted to them efficiently and effectively.

• We need to be confident of the output information on which we base all our decisions.

Page 5

CIA rule

• Experts in the field of IT have defined three characteristics of data that data processing facilities should guarantee: CIA

• C - Confidentiality

• I - Integrity

• A - Availability

Page 6

CIA rule continued

• Confidentiality - means data should not be leaked to unauthorized persons

• Integrity - means that the data is honest and correct and that it is not corrupted

• Availability - indicates that data is always available whenever we need it.

• IT controls, when established and enforced effectively, would ensure the “CIA” of data and give us the required confidence.

Page 7

Factors necessitating control over IT

• Need to control the evolutionary use of computers

• High cost of errors

• Computer abuse

• Possibility of loss of data processing capabilities

• Possibility of incorrect decisions

• Value of hardware, software and personnel

• Need to maintain individual privacy.

Page 8

Broad grouping of information technology controls

• (1) General controls (2) Application controls

• (1) General controls: These are the structure, policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation. They create the environment in which application systems and controls operate.

Page 9

Categories of General Controls

• Entity-wide security program planning and management

• Access controls

• Controls on the development, maintenance and change of the application software

• System software controls

• Segregation of duties, and

• Service continuity.

Page 10

2. Application controls

• Application controls are the structure, policies and procedures that apply to separate, individual application systems and are directly related to individual computerized applications. These controls are generally designed to prevent, detect and correct errors and irregularities as information flows through information systems.

Page 11

Continued…

• General and application controls are interrelated, and both are needed to help ensure complete and accurate information processing. Because information technology changes rapidly, the associated controls must evolve constantly to remain effective.

Page 12

General controls

• Organization and Management controls

• Segregation of duties

• Physical and Logical Access Controls

• System Development Controls

• Programme Amendment controls

• Business Continuity Planning or Backup and Recovery controls.

Page 13

Audit checks on general controls

• Verify if there is a formal IT strategy and detailed tactical plans, and see if these are in line with stated business objectives

• Identify major IT units

• Examine if there is a sufficiently empowered IT Steering Committee actively involved in the management of IT, and the reporting structure for the IT department.

Page 14

Continued…

• Verify if policies, standards, procedures and methodologies have been approved for controlling IT

• Examine if management takes into consideration the total costs (direct and indirect) of IT systems.

• Examine the organization chart to determine the adequacy of segregation of duties.

Page 15

Continued…

• Review job descriptions to determine that segregation is maintained.

• Review backup assignments to ensure that segregation is maintained.

• Verify if there is a formal IT security policy and security program for the organization.

• Verify if users are aware of all security procedures and associated disciplinary actions, and if ‘security drills’ are conducted regularly.
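The segregation-of-duties checks on the organization chart, job descriptions and backup assignments (previous slide and this one) can be run as a mechanical test over role data. This is an added illustration, not code from the course; the conflict pairs, duty names and sample staff are constructed assumptions, and the point it shows is that backup cover can create a conflict that the primary assignments alone hide.

```python
# Segregation-of-duties check over primary role assignments and backup cover.
# Added illustration; the conflict pairs below are assumed, not from the slides.
from itertools import combinations

# Duties one person should not hold together (constructed matrix; a real
# organization derives its own from its job descriptions).
CONFLICTS = {
    frozenset({"program_development", "production_operations"}),
    frozenset({"transaction_initiation", "transaction_authorization"}),
    frozenset({"system_administration", "security_administration"}),
    frozenset({"data_entry", "output_reconciliation"}),
}


def effective_duties(assignments, backups):
    """Merge each person's primary duties with the duties they cover as backup."""
    eff = {person: set(duties) for person, duties in assignments.items()}
    for primary, backup in backups.items():
        eff.setdefault(backup, set()).update(assignments.get(primary, ()))
    return eff


def find_violations(assignments, backups):
    """Return {person: [(duty_a, duty_b), ...]} for anyone whose effective
    duties (primary plus backup cover) contain a prohibited combination."""
    violations = {}
    for person, duties in effective_duties(assignments, backups).items():
        hits = [pair for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in CONFLICTS]
        if hits:
            violations[person] = hits
    return violations


# Constructed sample: Bob is clean on paper but inherits Alice's duties as
# her backup; Carol's conflict is visible from the organization chart alone.
SAMPLE_ASSIGNMENTS = {
    "alice": {"program_development"},
    "bob": {"production_operations"},
    "carol": {"transaction_initiation", "transaction_authorization"},
    "dave": {"data_entry"},
}
SAMPLE_BACKUPS = {"alice": "bob", "dave": "carol"}  # primary -> backup

if __name__ == "__main__":
    for person, hits in find_violations(SAMPLE_ASSIGNMENTS, SAMPLE_BACKUPS).items():
        print(person, "holds conflicting duties:", hits)
```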

Page 16

Continued…

• Check if there are appropriate physical access restrictions for the computer room.

• Check if appropriate logical access safeguards for programs and data have been built in, and if these are being maintained and updated.

• Check if a formal methodology (e.g. SSADM, PRINCE) has been adopted for the design and development of IT systems

Page 17

Continued…

• Check if a formal project management framework has been put in place and whether a project management methodology (PRINCE) has been adopted to minimize the risk of delays, failure etc.

• Check the level of involvement of users in the design and implementation of systems

Page 18

Continued…

• Verify if an adequate audit trail has been built into the system.

• Verify the adequacy of specific controls at each stage of the System Development Life Cycle.

• Verify if there are formal procedures for management authorization of amendments, thorough testing before live implementation, management review of the resulting changes and adequate documentation of the amendments.

Page 19

Continued…

• Verify if amendment schedules have been specified to allow time for adequate installation and testing of the new hardware and software.

• Verify if, before implementing the amendments, the various manuals have been suitably modified.

Page 20

Continued…

• Ascertain if the time schedule for effecting the amendments was adhered to

• Evaluate if the testing of change procedures interferes with normal operations.

Page 21

Continued…

• Check if procedures for backup are adhered to in practice and that backed-up data is stored off-site in a secure place.

• Verify if the backup procedures are adequate to ensure that programs and data can be reconstituted easily. Examine if data recovery arrangements are documented and tested regularly.

Page 22

Continued…

• Check if there is a formal recovery plan; review the standby arrangements for processing as well as for recovery of the main system.

• Identify the inputs to the application

• Check if there are procedures for authorization of input data; conduct a test check of authorizations.

Page 23

Continued…

• Verify the adequacy of checks (manual and computerized) for validation of data.

• Verify the adequacy of procedures for ensuring uniqueness and completeness of data, e.g. control totals, cancellation of documents.

• Verify procedures for handling incorrect data and its re-input (after correction) to the system.

Page 24

Continued…

• Check the control for validation of completeness and accuracy of data at each stage of processing.

• Check procedures for error handling at each stage of processing.

• Check if there are procedures for periodically verifying integrity checks and for periodic reconciliation with independently held records.

Page 25

Continued…

• Check the controls for ensuring the accuracy and adequacy of outputs, e.g. overall reconciliation of output back to input

• Check if there are controls to ensure that outputs are adequately safeguarded before distribution, and that these reach the proper destination.
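The application controls audited on the last three slides (input validation, control totals for completeness, uniqueness checks, a suspense route for incorrect data awaiting re-input, and reconciliation of output back to input) can be seen together in one small batch processor. This is an added example, not code from the course; the record layout, field rules and sample batch are constructed assumptions.

```python
# Batch application controls: validation, control totals, a suspense file for
# correction and re-input, output reconciliation. Added illustration, not slide code.
from decimal import Decimal, InvalidOperation

def _amount(rec):
    try:
        return Decimal(str(rec.get("amount", "")))
    except InvalidOperation:
        return None

def validate(rec):
    """Field-level validation (constructed rules); returns the list of errors found."""
    errors = []
    if not rec.get("doc_no"):
        errors.append("missing document number")
    if _amount(rec) is None:
        errors.append("amount not numeric")
    if not str(rec.get("account", "")).isdigit():
        errors.append("invalid account")
    return errors

def process_batch(header, records):
    """Completeness (count and hash total vs. header), uniqueness (doc_no), suspense routing."""
    hash_total = sum((a for a in map(_amount, records) if a is not None), Decimal(0))
    control_ok = (len(records) == header["record_count"]
                  and hash_total == Decimal(str(header["hash_total"])))
    accepted, suspense, seen = [], [], set()
    for rec in records:
        errors = validate(rec)
        if rec.get("doc_no") in seen:
            errors.append("duplicate document number")
        seen.add(rec.get("doc_no"))
        if errors:  # held for correction and re-input, never silently dropped
            rec = {**rec, "errors": errors}
        (suspense if errors else accepted).append(rec)
    return {"control_ok": control_ok, "accepted": accepted, "suspense": suspense}

def reconcile_output(result, posted_total):
    """Output control: the total actually posted must equal the accepted input total."""
    accepted_total = sum((_amount(r) for r in result["accepted"]), Decimal(0))
    return accepted_total == Decimal(str(posted_total))

# Constructed batch: one duplicate document number and one invalid account.
SAMPLE_HEADER = {"record_count": 4, "hash_total": "1250.00"}
SAMPLE_RECORDS = [
    {"doc_no": "D1", "amount": "500.00", "account": "1001"},
    {"doc_no": "D2", "amount": "250.00", "account": "1002"},
    {"doc_no": "D2", "amount": "300.00", "account": "1003"},
    {"doc_no": "D4", "amount": "200.00", "account": "ABC"},
]
```

Note that the header totals agree with the four records as received, so the batch passes the completeness control even though two records are then diverted to suspense; the output reconciliation is therefore done against the accepted total (750.00), with the suspense items accounted for separately.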

Page 26

Continued…

• Check the controls on the issue of financial stationery, e.g. stock checks, reconciliation between issues, output printed and distributed, cancellations.

• Two other areas where an auditor needs to obtain assurance regarding the adequacy of internal controls are where ‘end user computing’ and the use of external IT service suppliers are involved.

Page 27

Continued…

• Check if access to microcomputers is adequately restricted and controlled, e.g. through locking of computers.

• Check if sensitive information is protected adequately through encryption, use of passwords etc.

• Check if there are procedures for backing up data, and if these are adhered to in practice.

Page 28

Continued…

• Check if floppy disks (and tape cartridges) are stored securely

• Check controls for prevention of entry of viruses; verify if microcomputers are scanned periodically for viruses

• Check the adequacy of support services for maintenance and repairs.

Page 29

Continued…

• Examine the contract between the IT supplier and the organization and see if the interests of the auditee organization have been safeguarded.

• Examine the Service Level Agreement (SLA) and see whether the levels of service agreed to by the IT provider are appropriate, and whether these are adhered to in practice.

• Examine the controls instituted for ensuring data security, especially confidentiality.