Internal Controls Over

Information Systems

Information Technology

Internal Controls Over

Information Systems

• Objective – Understand how Internal Controls over Information systems support Internal Controls over Financial Reporting (ICFR)

Agenda

• Internal Controls

• Segregation of Duties

• System Development Lifecycle (SDLC)

• Change Management

• Security

Application/Platform

Logical Security

Physical Security

Agenda

• Security (continued)

Environmental Controls

Monitoring

Backup

Disaster Recovery

• Third Parties/Cloud Computing

• Prioritization

• Summary

Internal Controls Over

Information Systems

Internal Controls

• Internal controls are established as mechanism to achieve desired business objectives

• Counter risks & threats, both external & internal, to business environment

• Ensure business requirements of quality, cost & delivery are met

• Resources are effectively & efficiently used

Internal Controls

• Confidentiality, integrity, availability (CIA) &

reliability of information are met, as well as comply

with statutory & regulatory requirements

• Our focus will be on the last one, (CIA), as it relates

to information systems & financial reporting

Confidentiality

Integrity

Availability

Internal Controls

• Internal controls over financial reporting (ICFR)

Focus is on financial data

• Internal controls over information systems

Information System controls typically apply to whole organization – Best Practices

Financial Audit - Focus is on financial applications

Information System Controls • Segregation of duties

• System development lifecycle (SDLC)

• Security

Logical

Physical

Environmental

Monitoring

Back up

Disaster recovery

• Third parties/cloud computing

Segregation of Duties

• Checks & balances

• Organizational structure

Who can submit invoices for payment?

Who can authorize?

Who reconciles bank statement?

• Very important especially for

Small organizations

Downsized organizations

Segregation of Duties

• Information systems

What access do information systems personnel have?

Are their logs tracking activity?

Is someone reviewing logs?

• Controlled with logical security

Typically by role

System Development Life Cycle

(SDLC)

System Development Life Cycle

(SDLC)

• Assess needs

• Design specifications/Vendor Selection

• Develop/test software

• Implement systems – training, documentation

• Support operations (maintenance)

• Evaluate performance (monitor)

Change Management

• Change management

Subset of SDLC

Quarterly, annual upgrades

Should be formal process

Integrated testing

Training

Sign off

Documentation

Includes configuration & upgrades for firewalls, routers

& VPN

Security

Application/Platform Security

• Risk & vulnerability will vary based on:

Applications and platforms being used

Location of systems: Onsite vs. hosted

Access to source code

Logical Security • Computer access

Access to only what they need to do their job

System/network level

Application level

• Password management

Are they complex?

Do they have to be changed?

Is there policy about not sharing, writing them down, etc.

• Wireless – Secured, Segmented

Logical Security

Access management

• New hires

• Job changes

• Terminations

Timely

• Access audits

Employees

Third parties

Physical Security

• Building

Proximity cards

Access based on role

Terminations

Lost cards

Access audits

Cameras

Who monitors?

Data retention

Physical Security • Data center

Similar to building controls

What about vendors?

• Work areas

Can computers be stolen?

Can data be stolen?

Can malicious software be uploaded?

• Mobile devices

Environmental Controls

• Generator

• UPS

• Sensors

Heat

Moisture

• Are they tested?

• Is there routine maintenance?

Monitoring

• User access – failed login attempts

• Unauthorized access attempts through firewalls, routers & VPN

• System usage – thresholds

• Is someone monitoring, reporting & remediating?

• Is a problem & incident system in place?

Backup • What’s backed up?

• How often?

• How long are they saved?

• Where are they stored?

• How do they get there?

• Who has access to them?

• Are they tested periodically?

• Redundancy – to supplement backups

Disaster Recovery

• Disaster recovery plan

What’s the plan?

Criticality matrix

Do key people know about plan?

Can key people get to plan?

Does it include an alternate location?

Periodic testing

Third Parties

• When you outsource services, you increase risk

• They need to have same or better controls as your organization

• New vendors

Did anyone look at risk?

Did anyone decide if it was acceptable?

Third Parties

• Current Vendors

Vendor Inventory – Assess risk

• How do you know controls are in place?

Selection process

SSAE16 (previously SAS70)

Inspections

Performance reports

Third Party

• Cloud computing

Do you know who they are?

Additional risks to consider

• Third-party access

VPN

Encrypted or password protected files

Others Control Areas

• Strategic Plan

• IT Strategy – strategic plan that includes risk management

• Organizational infrastructure

Adequate number of trained personnel to support systems. Can they do their jobs without causing errors that impact financial data?

Current policies & procedures to prevent errors or disclosures

Prioritization

• How can we do all these things with our shrinking budgets?

• Pick highest areas of risk & address first

Probability & impact analysis

• Implement solutions based on size & complexity of your organization

Summary

Confidentiality – INTEGRITY – Availability

Information System Controls C I A

Segregation of Duties Y Y Y

SDLC & Change Management Y Y Y

Logical Security Y Y Y

Physical Security Y Y Y

Environmental Controls Y

Monitoring Y Y Y

Back Up Y Y Y

Disaster Recovery Y Y Y

Third Parties Y Y Y

Internal Controls Over Financial Reporting Y

Summary

Internal Controls over Information Systems

Ongoing process

Continually changing

Monitoring is key

Review periodically

Contact Information

Jeffrey Paulette

BKD IT Risk Services

417.865.8701

jpaulette@bkd.com

www.bkd.com/services/it-risk-services/