Understanding how Internal Controls over Information systems support Internal Controls over Financial Reporting.
Internal Controls Over
Information Systems
Information Technology
• Objective – Understand how Internal Controls over Information systems support Internal Controls over Financial Reporting (ICFR)
Agenda
• Internal Controls
• Segregation of Duties
• System Development Lifecycle (SDLC)
• Change Management
• Security
Application/Platform
Logical Security
Physical Security
Agenda
• Security (continued)
Environmental Controls
Monitoring
Backup
Disaster Recovery
• Third Parties/Cloud Computing
• Prioritization
• Summary
Internal Controls
• Internal controls are established as mechanisms to achieve desired business objectives
• Counter risks & threats, both external & internal, to business environment
• Ensure business requirements of quality, cost & delivery are met
• Resources are effectively & efficiently used
Internal Controls
• Confidentiality, integrity, availability (CIA) & reliability of information are met, as well as compliance with statutory & regulatory requirements
• Our focus will be on the last one (CIA) as it relates to information systems & financial reporting
Confidentiality
Integrity
Availability
Internal Controls
• Internal controls over financial reporting (ICFR)
Focus is on financial data
• Internal controls over information systems
Information System controls typically apply to whole organization – Best Practices
Financial Audit - Focus is on financial applications
Information System Controls
• Segregation of duties
• System development lifecycle (SDLC)
• Security
Logical
Physical
Environmental
Monitoring
Back up
Disaster recovery
• Third parties/cloud computing
Segregation of Duties
• Checks & balances
• Organizational structure
Who can submit invoices for payment?
Who can authorize?
Who reconciles bank statement?
• Very important especially for
Small organizations
Downsized organizations
Segregation of Duties
• Information systems
What access do information systems personnel have?
Are there logs tracking activity?
Is someone reviewing logs?
• Controlled with logical security
Typically by role
System Development Life Cycle
(SDLC)
• Assess needs
• Design specifications/Vendor Selection
• Develop/test software
• Implement systems – training, documentation
• Support operations (maintenance)
• Evaluate performance (monitor)
Change Management
• Change management
Subset of SDLC
Quarterly, annual upgrades
Should be formal process
Integrated testing
Training
Sign off
Documentation
Includes configuration & upgrades for firewalls, routers
& VPN
Security
Application/Platform Security
• Risk & vulnerability will vary based on:
Applications and platforms being used
Location of systems: Onsite vs. hosted
Access to source code
Logical Security
• Computer access
Access to only what they need to do their job
System/network level
Application level
• Password management
Are they complex?
Do they have to be changed?
Is there a policy about not sharing them, writing them down, etc.?
• Wireless – Secured, Segmented
Logical Security
Access management
• New hires
• Job changes
• Terminations
Timely
• Access audits
Employees
Third parties
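The segregation-of-duties questions above (who can submit invoices, who can authorize, who reconciles the bank statement) and the access-management bullets (terminations, access audits) come down to two checks an auditor can run over a role export. The block below is an added example, not from the slides; the duty names, roles, users and the conflict policy are constructed assumptions.

```python
# Added example: detect segregation-of-duties conflicts and stale access in a
# constructed role-assignment export. All names and the policy are hypothetical.

# Duty pairs one person must not hold at the same time (hypothetical policy).
CONFLICTING_DUTIES = {
    frozenset({"submit_invoice", "authorize_payment"}),
    frozenset({"authorize_payment", "reconcile_bank"}),
    frozenset({"change_vendor_master", "authorize_payment"}),
}

# Role -> duties the role grants (constructed sample).
ROLE_DUTIES = {
    "ap_clerk": {"submit_invoice"},
    "ap_manager": {"authorize_payment"},
    "treasury": {"reconcile_bank"},
    "vendor_admin": {"change_vendor_master"},
    # IT staff with broad access: the "what access do IS personnel have?" case
    "sysadmin": {"submit_invoice", "authorize_payment", "reconcile_bank"},
}

# User -> roles held, plus HR status (constructed sample).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager", "treasury"},
    "carol": {"vendor_admin"},
    "dave": {"sysadmin"},
    "erin": {"ap_clerk"},
}
HR_STATUS = {"alice": "active", "bob": "active", "carol": "active",
             "dave": "active", "erin": "terminated"}


def user_duties(user):
    """Union of duties across every role the user holds."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in roles))


def sod_conflicts():
    """Map each user to the sorted list of conflicting duty pairs they hold."""
    findings = {}
    for user in USER_ROLES:
        duties = user_duties(user)
        hits = [tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= duties]
        if hits:
            findings[user] = sorted(hits)
    return findings


def stale_access():
    """Users still holding roles whose HR status is not active (termination lag)."""
    return sorted(u for u in USER_ROLES if HR_STATUS.get(u) != "active")
```

Review output from both functions alongside the HR termination list; a role such as the constructed `sysadmin` shows why IS personnel access needs the same review as finance roles.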
Physical Security
• Building
Proximity cards
Access based on role
Terminations
Lost cards
Access audits
Cameras
Who monitors?
Data retention
Physical Security
• Data center
Similar to building controls
What about vendors?
• Work areas
Can computers be stolen?
Can data be stolen?
Can malicious software be uploaded?
• Mobile devices
Environmental Controls
• Generator
• UPS
• Sensors
Heat
Moisture
• Are they tested?
• Is there routine maintenance?
Monitoring
• User access – failed login attempts
• Unauthorized access attempts through firewalls, routers & VPN
• System usage – thresholds
• Is someone monitoring, reporting & remediating?
• Is a problem & incident system in place?
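The monitoring bullets ask whether failed login attempts and usage thresholds are tracked and whether someone reviews them. The following added example (not part of the slides) shows the review logic itself: it parses constructed auth log lines, raises a finding when a user hits a failure threshold inside a time window, and raises a second one when a success follows that burst. The log format, user names, addresses and thresholds are all assumptions.

```python
# Added example: threshold review of failed logins over a constructed auth log.
# Format, names and thresholds are hypothetical.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like format.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth FAILED user=jsmith src=10.0.0.5
2024-03-01T08:00:04 auth FAILED user=jsmith src=10.0.0.5
2024-03-01T08:00:09 auth FAILED user=jsmith src=10.0.0.5
2024-03-01T08:00:15 auth FAILED user=jsmith src=10.0.0.5
2024-03-01T08:00:20 auth FAILED user=jsmith src=10.0.0.5
2024-03-01T08:00:31 auth SUCCESS user=jsmith src=10.0.0.5
2024-03-01T09:15:00 auth FAILED user=mlee src=10.0.0.7
2024-03-01T09:40:00 auth SUCCESS user=mlee src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) auth (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse(log):
    """Return (timestamp, outcome, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def review(log, threshold=5, window=timedelta(minutes=10)):
    """Findings: ("burst", user, src) when a user reaches `threshold` failures
    within `window`; ("success_after_burst", user, src) when a login then
    succeeds while that burst is still inside the window (a review item)."""
    findings = []
    failures = defaultdict(list)  # user -> failure timestamps inside the window
    for ts, outcome, user, src in parse(log):
        if outcome == "FAILED":
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) == threshold:  # fire once, when the threshold is hit
                findings.append(("burst", user, src))
        elif (len(failures[user]) >= threshold
              and ts - failures[user][0] <= window):
            findings.append(("success_after_burst", user, src))
    return findings
```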
Backup
• What’s backed up?
• How often?
• How long are they saved?
• Where are they stored?
• How do they get there?
• Who has access to them?
• Are they tested periodically?
• Redundancy – to supplement backups
Disaster Recovery
• Disaster recovery plan
What’s the plan?
Criticality matrix
Do key people know about plan?
Can key people get to plan?
Does it include an alternate location?
Periodic testing
Third Parties
• When you outsource services, you increase risk
• They need to have same or better controls as your organization
• New vendors
Did anyone look at risk?
Did anyone decide if it was acceptable?
Third Parties
• Current Vendors
Vendor Inventory – Assess risk
• How do you know controls are in place?
Selection process
SSAE16 (previously SAS70)
Inspections
Performance reports
Third Party
• Cloud computing
Do you know who they are?
Additional risks to consider
• Third-party access
VPN
Encrypted or password protected files
Other Control Areas
• Strategic Plan
• IT Strategy – strategic plan that includes risk management
• Organizational infrastructure
Adequate number of trained personnel to support systems. Can they do their jobs without causing errors that impact financial data?
Current policies & procedures to prevent errors or disclosures
Prioritization
• How can we do all these things with our shrinking budgets?
• Pick highest areas of risk & address first
Probability & impact analysis
• Implement solutions based on size & complexity of your organization
Summary
Confidentiality – INTEGRITY – Availability
Information System Controls                  C   I   A
Segregation of Duties                        Y   Y   Y
SDLC & Change Management                     Y   Y   Y
Logical Security                             Y   Y   Y
Physical Security                            Y   Y   Y
Environmental Controls                               Y
Monitoring                                   Y   Y   Y
Back Up                                      Y   Y   Y
Disaster Recovery                            Y   Y   Y
Third Parties                                Y   Y   Y
Internal Controls Over Financial Reporting       Y
Summary
Internal Controls over Information Systems
Ongoing process
Continually changing
Monitoring is key
Review periodically
Contact Information
Jeffrey Paulette
BKD IT Risk Services
417.865.8701
www.bkd.com/services/it-risk-services/