Transcript IT General Controls - University System of Georgia

Kristina Turner CPA, CISA, MMIS
University System of Georgia
RACAR – Macon State College
April 13, 2011
•
•
•
•
Audit Request List
Frozen Tables
BOR Auditing Tool Kit
Information Technology Controls
• Definitions
• Differences
• General Controls
• Categories
• Examples
2
3
• Updated List Added to the DOAA Website
each fiscal year
• http://www.audits.ga.gov/EAD/CollegeResources.html
• Navigation from Home Page:
• Information/Resources
• State Government Resources
• College/University Resources
• 2009_Updated_Auditors_Request_List.xls
4
5
Historically the following tables have been
frozen at the end of each fiscal year:
•TBBDETC
•TBBCTRL
•TBBEACT
•TBBTBDS
•TBRACCD
• TBRACCT
• TBRAPPL
• TBRDEPO
•TBRMISD
• TBBETBD
6
• The ZURGFTT table alone will meet the
needs of the auditor IF the institution
maintains detail for the entire fiscal year.
• SPRIDEN does not need to be frozen at
the end of the fiscal year. However, the
auditors will request the following fields:
• PIDM, LAST_NAME, FIRST_NAME, MI
7
• BANNER is the system of record for receivables
• The selected tables include the transaction level
detail for all items recorded on the Financial
Statements
• The auditor will use this data to select samples,
review transactions, perform analytical
procedures, and various other audit tasks.
8
• Requests for Frozen Tables are initiated by the
Atlanta office.
• Typically the requests are made to those
institutions receiving an audit.
• The tables are submitted to DOAA through our
Secure File Transfer System.
• DOAA removes the tables from the File Transfer
System upon receipt.
9
• Tables are imported into DOAA Data
Warehouse; All data is stored securely and
is encrypted
• Queries are run against the data by EAD
IT Personnel
• Output files are used by auditors for
testing
10
• Questions related to the output files
can be sent to Atlanta –
[email protected] or
[email protected]
11
12
• Useful Scripts for EAD
•
•
•
•
•
•
•
•
•
Listing of Detail Codes
Listing of Term Codes
Fee Assessment Rules
Listing of Cashiers and Supervisors
Listing of Supervisors and Restricted Users
Listing of All Users with Access to AR Objects, Including Class & Roles
List of Users with Access to TAISMGR Objects at the Database Level
List of Users with Permission to Access Specific Objects in the Database
TGRRCON
13
14
• Controls in place to ensure data’s:
•confidentiality
•integrity
•availability
15
Midlands Technical College warned employees last month that a flash
drive containing some of their personal information was taken from a
human resources office at the college.
The flash drive, since returned — without the personal data it previously
held — could compromise the personal information of some of the
college’s 500 employees. But Midlands Tech spokesman Todd Gavin
said no problems have been reported by employees so far….
The security breach at Midlands Tech is the second acknowledged by
an area college or university in the last week. The University of South
Carolina warned employees earlier this month that a breach of
computers at its Sumter campus exposed the personal information of
31,000 faculty, staff, retirees and students system-wide.
http://www.thestate.com/2011/03/09/1728561/midlands-tech-warns-employees.html
16
Missouri State University officials are notifying 6,030 College of Education
students that their social security numbers may have been compromised as a result
of an internal security breach.
In October and November 2010, in preparation for an accreditation, the College
of Education prepared lists of students by semester. The lists, which included social
security numbers, were for nine semesters between 2005 and 2009 (fall, spring,
summer). A list was created for each semester, so there were nine lists.
The lists were prepared in electronic format in October and November 2010 to
be available on secure servers to the College of Education personnel working on
the accreditation, as well as the accreditation team.
Unfortunately, these lists of names were posted in October/November 2010 on
an unsecured server. As a result, all nine lists ended up on Google. In all, 6,030
names with social security numbers were compromised and posted on the
web.
http://news.missouristate.edu/2011/03/03/coe-security-breach
17
Those still lining up for free cheese fries and mozzarella sticks after dinner are
in for a bitter surprise. Last week Dining Services discovered the glitch in their
system that for the past few months had granted students snack bar points
even if they had already swiped for dinner, a mishap that students were quick
to take advantage of as word swiftly spread across campus. The problem was
fixed on Sunday, and 45 students were turned away from snack bar that
evening when trying to swipe after dinner.
In August and again in December, Dining Services updated its food
accounting system, a program that controls at what time students can swipe
for meal points, and believes that the error occurred during this process. A
mishap during the upgrade altered the equivalency time, essentially allowing
students to use their dinner points from the following day’s meals. As the next
day’s meals were always accessible on any given day, students were granted
dinner equivalency at snack bar regardless of their meal consumption that day.
Abayasinghe did not yet calculate the total loss in revenue from the
additional snack bar points, but acknowledged that it may be significant.
http://record.williams.edu/wp/?p=12034
18
“Payroll has failed to take out medical and dental
deductions from 6 paychecks so far upon starting
employment. they claimed it was computer error, and
states the money is retroactive. Why should the
employee be liable for a company/ computer error? I
feel the company should eat the fees and make sure the
deductions are taken out going forward. Am I wrong?
Do I have a fight? This is well over 600.00”
~Question from Employee on Business Forum
19
20
Generally, IT provides potential benefits of
effectiveness and efficiency for an entity's internal
control because it enables an entity to:
1. Consistently apply predefined business rules and perform
complex calculations in processing large volumes of
transactions or data.
2. Enhance the timeliness, availability, and accuracy of
information.
3. Facilitate the additional analysis of information.
21
Generally, IT provides potential benefits of
effectiveness and efficiency for an entity's internal
control because it enables an entity to:
4. Enhance the ability to monitor the performance of the
entity's activities and its policies and procedures.
5. Reduce the risk that controls will be circumvented.
6. Enhance the ability to achieve effective segregation of
duties by implementing security controls in applications,
databases, and operating systems.
22
§ 60 IT also poses specific risks to an entity's internal
control, including:
1. Reliance on systems or programs that are processing
data inaccurately, processing inaccurate data, or both.
2. Unauthorized access to data that may result in
destruction of data or improper changes to data,
including the recording of unauthorized or nonexistent
transactions or inaccurate recording of transactions.
3. Unauthorized changes to data in master files.
23
§ 60 IT also poses specific risks to an entity's internal
control, including:
4. Unauthorized changes to systems or programs.
5. Failure to make necessary changes to systems or
programs.
6. Inappropriate manual intervention.
7. Potential loss of data or inability to access data
as required.
24
• Integrated Approach –
• Technology Risk & Assurance Division and Education Audit Division
• TRA addresses IT General Controls significant to the
CAFR
• PeopleSoft FN
• PeopleSoft HCM or ADP
• P-Card Works (SAS 70 Review)
• BANNER Model maintained by ITS
• EAD addresses entity level controls and application
(business process) controls related to BANNER
25
• Two Categories
• General Controls
• “Represent the foundation of the IT control structure.
They ensure the reliability of data generated by IT
systems and support the assertion that systems operate
as intended and that output is reliable.” Wikipedia
• Application Controls
• “Fully-automated [controls] designed to ensure the
complete and accurate processing of data from input
through output.” Wikipedia
26
• General controls support the continued
effectiveness of applications.
• Application controls support the continued
effectiveness of business processes.
27
• Categories of General Controls
•Logical Access
•Change Management
•IT Operations
28
• Controls designed to manage access to
applications based on business need.
• “An entity must then establish sound policies and
procedures for granting authorized users access
while simultaneously protecting itself from
unauthorized access.”
• Mitigating IT Risks for Logical Access, ISACA Journal,
Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CMA, CPA
29
• General System Security Settings
• Password Settings
• Access to privileged IT functions is limited to appropriate
individuals
• Access to system resources and utilities is limited to appropriate
individuals
• User Access is authorized and appropriately established
• Physical access to computer hardware is limited to appropriate
individuals
• Segregation of duties exists within the logical access
environment.
30
•
•
•
•
•
•
•
•
Firewall
Anti-Virus Software
Malware & Spyware
Auto Updates
Time Out of Session
Re-authentication
Encryption
Security Questions
• Password Settings
• Minimum Length (6-8 char)
• Initial Log-on One Time
Password
• Password composition
(alphanumeric / special
characters)
• Frequency of forced
changes
• Locked Accounts
• Idle Session Time Out
31
• Security Administrators
• Full Access
• Access to System Utilities / Resources
• Database tools
• SQL Tools
•Crystal Reports
32
• Initiation of Access Request
• Standard access request forms
• Standard requests by business role
• Approval of Access Requests
• Supervisor
• Periodic Monitoring of Access & Access Logs
• Removal of Access
• Termination
• Transfers
33
•
•
•
•
•
Access to Data Center
Access to Hardware
Fire Suppression
Temperature Control
UPS (uninterruptible power supply)
34
• Performance of the following roles should be
separate:
• Requesting Access
• Approving Access
• Setting Up Access
• Monitoring Access & Violations
• Performing the rights of a privileged user
• Monitoring the privileged user
35
• Changes to the application are:
• Authorized
• Tested
• Approved
• Monitored
• Segregation of Duties within Change
Management Functions
36
• Types of Changes
• Updates
• Functionality Changes vs. Report Changes
• Bugs
• Procedures
• Required Approvals
• Required Testing
• Required Documentation
• Monitoring
• Ensure these procedures are operating effectively
37
• Performance of the following roles should be
separate:
• Request / approval of program development or
program change
• Development
• Test the change
• Move the programs in and out of production
• Monitor program development and changes
38
• Financial data is backed-up and recoverable
• Deviations from scheduled processing are
identified and resolved in a timely manner
• IT operations problems or incidents are
identified, resolved, reviewed, and analyzed in
a timely manner
39
• Procedures should include:
• Format
• Frequency and Retention Period
• Location (on-site or off)
• Testing
•Monitoring
40
• Disaster Recovery
• Returning to “normal” operations
• Vendors for Equipment
• Restoration Procedures
• Key Personnel and Alternate Processes
41
• Batch Processes
• Back-up Processes
• Procedures should include:
• Responsible official
• Monitoring Process
• Identification & Resolution Procedures
• Documentation Requirements
42
• Procedures for ensuring IT issues are resolved in
a timely manner include:
• Process for alerting key officials of a problem
• Method for analysis
• Resolution procedures
• Review of the resolution
43
Questions?
44