IT Controls - Northern Arizona University

IT Controls
Overview
Northern Arizona University
Compliance, Controls & Business Services
December 2011
IT Controls
• Introduction
• What are IT Controls?
  ◦ General Controls
  ◦ Application Controls
• Why are IT Controls Important?
• Who is responsible for IT Controls?
• Where are IT Controls Applied?
IT Controls - Introduction
“IT controls are fundamental to the reliability
and integrity of the information processed by
the automated systems on which most
organizations are dependent for their business
and financial transaction processing — and
overlooking or minimizing their importance
creates a significant risk.”
- CICA Information Technology Advisory Committee (2004)
What are IT Controls?
Controls over computer-based systems are broken
down into two major categories – general and
application controls.
• General controls apply to all systems
components, processes, and data for a given
organization or systems environment
• Application controls (a.k.a. business process
controls) pertain to the scope of individual
business processes or application systems
Internal Control Classifications
Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls.
What are General IT Controls?
• By definition, General Computer Controls are
control activities performed within the IT
organization or the technology that they support
that can be applied to every system that the
organization relies upon;
• They are designed to encompass an
organization’s IT infrastructure rather than
specific applications. General controls help
ensure confidentiality, integrity, and availability;
contribute to safeguarding of data; and promote
regulatory compliance.
Why are IT General Controls Important?
IT systems support many of the university’s business processes, such as these below…
• Purchasing
• Accounts Payable
• Inventory
• Payroll
Why are IT General Controls Important?
… AND without effective General Controls, reliance on these IT systems may not be possible.
Why are IT General Controls Important?
• If general controls are ineffective, there may be potential for material misstatement in each computer-based accounting application.
General Controls Include:
• Organization Controls
  ◦ Policies and Procedures
  ◦ Segregation of Duties
• Access Controls
  ◦ Physical Security
  ◦ Logical Access
• Change Management Controls
• Business Continuity Controls
  ◦ Disaster Recovery
  ◦ Fault Tolerant Systems
  ◦ Backup
Organization Controls – Policies & Procedures
• A clear, concise, and well-written set of information
technology policies, procedures, and control
documentation is a strategic link between the
university’s vision and its day-to-day operations.
• These documents are critical to the university
because they provide guidelines for
faculty/staff/students and enable the smooth
functioning of the computer operations function
without constant management intervention.
Organization Controls – Segregation of Duties
• The functions of initiating, authorizing, inputting, processing, and
checking data should be separated to ensure no individual can both
create an error, omission, or other irregularity and authorize it and/or
obscure the evidence.
• Controls are provided by granting access privileges only in accordance
with job requirements for processing functions and accessing sensitive
information.
• Inadequate segregation of duties increases the risk of errors being
made and remaining undetected; it also may lead to fraud and the
adoption of inappropriate working practices.
• Sarbanes-Oxley provided a compelling case for the implementation
and maintenance of appropriate segregation of duties at the
organizational, manual process and system level.
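The segregation-of-duties principle above can be checked mechanically against an access matrix: list the duties each role grants, list the duty pairs no single person may hold, and then both report existing violations and refuse new grants that would create one. The following is an added example, not NAU's code or tooling; the conflicting-duty pairs, roles and user assignments are constructed sample data for illustration.

```python
"""Segregation-of-duties check over an access matrix (constructed sample data)."""
from itertools import combinations

# Duties named on the slide: initiating, authorizing, inputting, processing, checking.
# Pairs that one person must not hold together (assumption for this example; the real
# matrix comes from the organisation's control documentation).
CONFLICTING_DUTIES = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "authorize"}),
    frozenset({"process", "check"}),
    frozenset({"authorize", "check"}),
}

# Job roles and the duties each role legitimately needs (constructed).
ROLE_DUTIES = {
    "ap_clerk": {"initiate", "input"},
    "ap_supervisor": {"authorize"},
    "batch_operator": {"process"},
    "reconciler": {"check"},
}

# Constructed user-to-role assignments; "jdoe" holds two roles whose duties conflict.
USER_ROLES = {
    "asmith": {"ap_clerk"},
    "jdoe": {"ap_clerk", "ap_supervisor"},
    "bwong": {"batch_operator"},
    "kpatel": {"reconciler"},
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties granted through every role the user holds."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties[role]
    return duties


def find_sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                        conflicts=CONFLICTING_DUTIES):
    """Detective control: list (user, duty_a, duty_b) for every conflicting pair a user holds."""
    violations = []
    for user in user_roles:
        duties = effective_duties(user, user_roles, role_duties)
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return sorted(violations)


def can_grant_role(user, new_role, user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   conflicts=CONFLICTING_DUTIES):
    """Preventive control: refuse a role grant that would create a conflicting combination.

    Returns (allowed, reason).
    """
    if new_role not in role_duties:
        return False, f"unknown role {new_role!r}"
    for existing in sorted(effective_duties(user, user_roles, role_duties)):
        for added in sorted(role_duties[new_role]):
            if frozenset({existing, added}) in conflicts:
                return False, f"{added!r} conflicts with existing duty {existing!r}"
    return True, "ok"


if __name__ == "__main__":
    for violation in find_sod_violations():
        print("SoD violation:", violation)
    print(can_grant_role("asmith", "ap_supervisor"))  # refused: authorize vs initiate/input
    print(can_grant_role("asmith", "batch_operator"))  # allowed under the sample matrix
```

Running the detective check periodically against the real role assignments, and the preventive check inside the access-request process, covers both halves of the slide: access is granted only in line with job requirements, and any drift is found before it can hide an irregularity.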
Access Controls – Physical Security
What is Physical Security? Measures used to protect an organization’s facilities, resources, or proprietary data stored on physical media.
Examples:
• Facility monitoring (surveillance systems, cameras, guards, exterior lighting)
• Access controls to facilities/data center/computers (access cards)
• Alarm systems (fire, burglar, water, humidity, power fluctuations)
• Shred sensitive documents
• Proper storage/disposal of hard drives and other electronic storage media
• Secure storage of back-up copies of data and master copies of critical software
Access Controls – Logical Access
What is Logical Access? Limiting access to systems and information to authorized individuals.
Examples:
• Passwords
• System authentication
• Logs of logon attempts
• Application-level firewalls
• Antivirus and anti-spyware software should be installed and up to date
• Intrusion detection systems which would identify suspicious network activity
• Encryption for sensitive data
• File shares should be adequately restricted to appropriate users
• Patches/system updates should be applied timely
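Two items in that list, logs of logon attempts and detection of suspicious activity, only become a control when someone (or something) actually reviews the logs. The following added example, which is not from the NAU slides, shows the kind of review a security team would script: it parses a constructed, syslog-like logon log, flags user/source pairs with five or more failed attempts inside five minutes, and singles out the ones where a successful logon followed the burst, since those are the ones to investigate first. The log format, thresholds and field names are assumptions of the example.

```python
"""Review of logon-attempt logs: flag bursts of failures and the successes that follow them."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the syslog-like format is an assumption of this example.
SAMPLE_LOG = """\
2011-12-05T08:01:10 auth: FAILED login user=asmith src=10.0.5.21
2011-12-05T08:01:14 auth: FAILED login user=asmith src=10.0.5.21
2011-12-05T08:01:19 auth: FAILED login user=asmith src=10.0.5.21
2011-12-05T08:01:23 auth: FAILED login user=asmith src=10.0.5.21
2011-12-05T08:01:27 auth: FAILED login user=asmith src=10.0.5.21
2011-12-05T08:01:31 auth: SUCCESS login user=asmith src=10.0.5.21
2011-12-05T08:15:02 auth: FAILED login user=bwong src=10.0.7.3
2011-12-05T08:45:40 auth: SUCCESS login user=bwong src=10.0.7.3
2011-12-05T09:02:00 auth: FAILED login user=kpatel src=192.0.2.44
2011-12-05T09:02:01 auth: FAILED login user=kpatel src=192.0.2.44
2011-12-05T09:02:02 auth: FAILED login user=kpatel src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (timestamp, result, user, src) tuples; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append((datetime.fromisoformat(match["ts"]), match["result"],
                           match["user"], match["src"]))
    return events


def find_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """{(user, src): most failures seen inside any `window`} for keys reaching `threshold`."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAILED":
            failures[(user, src)].append(ts)
    bursts = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[key] = max(bursts.get(key, 0), count)
    return bursts


def successes_after_burst(events, bursts, window=timedelta(minutes=5)):
    """Keys from `bursts` whose last failure is followed by a SUCCESS within `window`."""
    last_failure = {}
    for ts, result, user, src in events:
        if result == "FAILED" and (user, src) in bursts:
            last_failure[(user, src)] = max(ts, last_failure.get((user, src), ts))
    hits = set()
    for ts, result, user, src in events:
        key = (user, src)
        if (result == "SUCCESS" and key in last_failure
                and timedelta(0) <= ts - last_failure[key] <= window):
            hits.add(key)
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    bursts = find_failure_bursts(events)
    for key, count in bursts.items():
        print(f"{count} failed logons within 5 minutes for user={key[0]} src={key[1]}")
    for user, src in successes_after_burst(events, bursts):
        print(f"successful logon after failure burst: user={user} src={src} (review first)")
```

On the sample data only asmith's five failures reach the default threshold, and the success eleven seconds later is what turns a noisy line into a finding; lowering the threshold to three would also surface kpatel's three rapid failures, which a reviewer might want as a lower-priority queue.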
Protect & Use Strong Passwords
• Don't use passwords that are based on personal
information that can be easily accessed or
guessed.
• Don't use words that can be found in any
dictionary of any language.
• Develop a mnemonic for remembering complex
passwords.
• Use both lowercase and capital letters.
• Use a combination of letters, numbers, and
special characters.
• The longer the password, the tougher it is to
crack. Use at least 10 characters.
• Use different passwords on different systems.
• Keep your passwords in a secure place, out of plain sight.
• Don’t share passwords on the phone, in texts or
by email.
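The rules on this slide can be enforced at the point where a password is set rather than left to the user's memory. Below is an added example, not NAU's code, of a policy check that implements them: minimum length of 10, both letter cases, digits and special characters, no dictionary words, and nothing drawn from the user's own personal information. The word list is a small constructed stand-in for the multi-language dictionaries a real check would load, and the personal-information list is whatever the caller supplies (username, name, birth year).

```python
"""Password policy check implementing the rules listed above (added example)."""
import string

# Constructed mini word list; a real check uses full dictionaries in several languages.
DICTIONARY_WORDS = ("password", "welcome", "arizona", "flagstaff", "summer", "winter")


def password_issues(candidate, personal_info=(), dictionary=DICTIONARY_WORDS, min_length=10):
    """Return a list of rule violations (an empty list means the candidate passes)."""
    issues = []
    if len(candidate) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in candidate):
        issues.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        issues.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        issues.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        issues.append("no special character")
    lowered = candidate.lower()
    # Dictionary words anywhere in the password (case-insensitive substring match).
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            issues.append(f"contains dictionary word {word!r}")
    # Personal information supplied by the caller: username, name, birth year, etc.
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            issues.append(f"contains personal information {item!r}")
    return issues


def passes_policy(candidate, personal_info=()):
    """True when no rule is violated."""
    return not password_issues(candidate, personal_info)


if __name__ == "__main__":
    for pw in ["Flagstaff2011", "jdoe1985!!Aa", "Tr!p-Gr33n_Kayak42"]:
        print(pw, "->", password_issues(pw, personal_info=["jdoe", 1985]) or "ok")
```

The substring match on dictionary words is deliberate: "Flagstaff2011" satisfies the character-class rules but is still built from a word and a year, which is exactly the kind of password the slide's first two bullets warn against.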
Change Management Controls
Change Management Control Objectives include:
• To manage the IT change process such that
introduction of errors and incidents related to
change are minimized.
• To ensure that standard methods and procedures
are used so that changes can be addressed
expediently and with the lowest impact on
service quality.
Change Management Control Examples
Change Management Controls could include:
• Monitoring and logging of all changes
• Steps to detect unauthorized changes
• Confirmation of testing
• Authorization for moving changes to production
• Tracking movement of hardware and other infrastructure components
• Periodic review of logs
• Back out plans
• User training
• Specific defined and followed procedures for emergency changes
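Several of those controls are naturally enforced by the change-request workflow itself. The added example below, which is not NAU's change process or tooling, models a request that cannot be approved without a back-out plan and a confirmed test, cannot be approved by its own requester, cannot reach production without an approval, logs every step, treats emergency changes as a separately flagged path that still requires post-implementation testing, and finally compares the production change log against approved requests to detect unauthorized changes. Identifiers, names and the log format are constructed.

```python
"""Change-request workflow enforcing the controls listed above (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class ChangeControlError(Exception):
    """Raised when a step is attempted without its prerequisite control."""


@dataclass
class ChangeRequest:
    ident: str
    requester: str
    description: str
    backout_plan: str = ""            # required before approval
    emergency: bool = False           # emergency changes follow a defined, separate path
    tested: bool = False
    approver: Optional[str] = None
    deployed: bool = False
    log: List[Tuple[str, str]] = field(default_factory=list)  # (actor, action): every step is logged

    def record(self, actor, action):
        self.log.append((actor, action))


def confirm_testing(cr, tester, result):
    """Confirmation of testing: only a passing result marks the change as tested."""
    if result != "pass":
        cr.record(tester, f"testing failed: {result}")
        raise ChangeControlError(f"{cr.ident}: testing did not pass")
    cr.tested = True
    cr.record(tester, "testing confirmed")


def approve(cr, approver):
    """Authorization for moving to production, by someone other than the requester."""
    if approver == cr.requester:
        raise ChangeControlError(f"{cr.ident}: requester may not approve own change")
    if not cr.backout_plan:
        raise ChangeControlError(f"{cr.ident}: no back-out plan")
    if not cr.tested and not cr.emergency:
        raise ChangeControlError(f"{cr.ident}: testing not confirmed")
    cr.approver = approver
    cr.record(approver, "approved for production" + (" (emergency)" if cr.emergency else ""))


def deploy(cr, operator):
    """Move to production only after authorization; untested emergency changes are flagged."""
    if cr.approver is None:
        raise ChangeControlError(f"{cr.ident}: not authorized")
    if cr.deployed:
        raise ChangeControlError(f"{cr.ident}: already deployed")
    cr.deployed = True
    cr.record(operator, "deployed to production")
    if cr.emergency and not cr.tested:
        cr.record(operator, "post-implementation testing required")


def detect_unauthorized(production_change_ids, requests):
    """Periodic log review: production changes with no approved, deployed request behind them."""
    authorized = {cr.ident for cr in requests if cr.deployed and cr.approver is not None}
    return sorted(set(production_change_ids) - authorized)


if __name__ == "__main__":
    cr = ChangeRequest("CHG-1001", "asmith", "rotate web server certificate",
                       backout_plan="reinstall previous certificate from escrow")
    confirm_testing(cr, "kpatel", "pass")
    approve(cr, "bwong")
    deploy(cr, "ops-oncall")
    print(cr.log)
    # CHG-1002 appears in the production change log but has no request on file.
    print(detect_unauthorized(["CHG-1001", "CHG-1002"], [cr]))
```

The last function is the one most often missing in practice: the workflow only governs changes that go through it, so a periodic comparison of what actually changed in production against the approved requests is what detects the changes that bypassed it.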
Too bad they didn’t have change management controls in place…
Business Continuity Controls
• Definition
  ◦ A comprehensive approach to ensuring normal operations despite interruptions.
• Components
  ◦ Disaster Recovery
  ◦ Fault Tolerant Systems
  ◦ Backup and Recovery
Disaster Recovery
• A documentation of the procedures to ensure that the
organization continues to operate by providing the ability
to successfully recover computer services in the event of a
disaster.
• Must ensure that plans are comprehensive, up-to-date, and
approved by key organizational, management, and
executive personnel.
• Must test the plans regularly and document the results.
• NAU’s Business Continuity and Disaster Recovery Site
webpage:
http://home.nau.edu/comptr/businesscontinuity.asp
You know you are in trouble when…
Fault Tolerant System
• The ability of a system to respond gracefully to an unexpected hardware or software failure.
• There are many levels of fault tolerance, the lowest being the ability to continue operation in the event of a power failure. Many fault-tolerant computer systems mirror all operations -- that is, every operation is performed on two or more duplicate systems, so if one fails the other can take over.
Backup and Recovery
• Requirements should be defined for backup of critical data (type and frequency).
• ITS provides a 12GB Home Drive (Bonsai)
• Procedures should be in place to periodically
validate recovery process.
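A backup that has never been restored is an assumption, not a control, which is why the last bullet asks for periodic validation of the recovery process. The added example below (not NAU's backup procedure or tooling) shows the minimum such a validation needs: record a checksum manifest at backup time, restore the archive into a clean directory, and compare every file against the manifest so that a truncated or missing file is reported rather than discovered during a real disaster. The sample files and paths are constructed inside a temporary directory.

```python
"""Backup with a checksum manifest and a scripted restore test (added example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src_dir, archive_path):
    """Archive every file under src_dir; return {relative_path: sha256} as the manifest."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(str(path), arcname=rel)
    return manifest


def restore_backup(archive_path, restore_dir):
    """Extract the archive; use the 'data' extraction filter where the Python version offers it."""
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(restore_dir, **extra)


def verify_directory(directory, manifest):
    """Compare a restored directory against the manifest; return a sorted list of problems."""
    directory = Path(directory)
    problems = []
    for rel, expected in manifest.items():
        path = directory / rel
        if not path.is_file():
            problems.append(f"missing {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"checksum mismatch {rel}")
    return sorted(problems)


def recovery_test():
    """Back up constructed sample data, restore it, verify, then show that damage is detected."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "home")
        (src / "data").mkdir(parents=True)
        (src / "thesis.txt").write_text("chapter 1\n")
        (src / "data" / "results.csv").write_bytes(b"a,b\n1,2\n")
        archive = Path(work, "home.tar.gz")
        manifest = create_backup(src, archive)
        restored = Path(work, "restore")
        restored.mkdir()
        restore_backup(archive, restored)
        clean = verify_directory(restored, manifest)          # expected: no problems
        # Simulate a bad restore: one file altered, one file lost.
        (restored / "thesis.txt").write_text("chapter 1 (damaged)\n")
        (restored / "data" / "results.csv").unlink()
        damaged = verify_directory(restored, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = recovery_test()
    print("clean restore:", clean or "all files verified")
    print("damaged restore:", damaged)
```

Keeping the manifest separate from the archive matters: if the only record of what was backed up lives inside the backup, a silently corrupted archive cannot be distinguished from a good one.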
Application Controls
Include:
• Input controls
• Processing controls
• Output controls
Input Controls
Input Control objectives:
• All transactions are initially and completely
recorded
• All transactions are completely and accurately
entered into the system
• All transactions are entered only once
Input Controls - Examples
Controls in this area may include:
• Pre-numbered documents
• Control total reconciliation
• Data validation
• Activity logging
• Document scanning
• Access authorization
• Document cancellation
Processing Controls
Processing control objectives:
• Approved transactions are accepted by the
system and processed
• All rejected transactions are reported, corrected,
and re-input
• All accepted transactions are processed only once
• All transactions are accurately processed
• All transactions are completely processed
Processing Controls - Examples
Controls over processing may include:
• Control totals
• Programmed balancing
• Segregation of duties
• Restricted access
• File labels
• Exception reports
• Error logs
• Reasonableness tests
• Concurrent update control
Output Controls
Output control objectives:
• Assurance that the results of input and
processing are output
• Output is available only to authorized
personnel
• The most important output control is review
of the data for reasonableness.
Output Control - Examples
Output controls could include:
• Complete audit trail
• Output distribution logs
• Output reports
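The input, processing and output objectives above are easiest to see in one batch cycle, so the following added example (not NAU's code or any of its systems) runs a constructed accounts-payable batch through them: pre-numbered documents and an entered-only-once check on input, reconciliation of record count and amount against the batch header's control totals, a reasonableness test and exactly-once posting during processing with every action written to an audit trail, an exception report for everything rejected, and output released only to authorized roles with a distribution log. Two defects are planted in the sample records (a document keyed twice and a document number outside the batch) so the controls have something to catch; the threshold and role names are assumptions.

```python
"""Batch processing with input, processing and output controls (added example, constructed data)."""
from collections import namedtuple

Txn = namedtuple("Txn", "doc_no vendor amount")

# Batch header keyed from the source documents: control totals and the pre-numbered range.
BATCH_HEADER = {"expected_count": 4, "expected_total": 1250.00, "first_doc": 1001, "last_doc": 1004}
# Records as keyed by the operator; two defects are planted deliberately.
KEYED_RECORDS = [
    Txn(1001, "ACME", 500.00),
    Txn(1002, "ACME", 250.00),
    Txn(1002, "ACME", 250.00),    # same document keyed twice
    Txn(1004, "Globex", 250.00),
    Txn(1005, "Globex", 250.00),  # outside the batch's pre-numbered range
]
REASONABLE_MAX = 10_000.00            # reasonableness test threshold (assumption)
AUTHORIZED_READERS = {"ap_supervisor", "auditor"}


def input_controls(records, header):
    """Data validation, entered-only-once and pre-numbered-document checks.

    Returns (accepted, exceptions); exceptions are (doc_no, reason) for the exception report.
    """
    accepted, exceptions, seen = [], [], set()
    for r in records:
        if r.doc_no in seen:
            exceptions.append((r.doc_no, "duplicate entry"))
        elif not header["first_doc"] <= r.doc_no <= header["last_doc"]:
            exceptions.append((r.doc_no, "document number outside batch range"))
        elif r.amount <= 0 or not r.vendor:
            exceptions.append((r.doc_no, "failed data validation"))
        else:
            seen.add(r.doc_no)
            accepted.append(r)
    for doc_no in sorted(set(range(header["first_doc"], header["last_doc"] + 1)) - seen):
        exceptions.append((doc_no, "pre-numbered document missing"))
    return accepted, exceptions


def reconcile_control_totals(accepted, header):
    """Control total reconciliation: record count and amount total against the batch header."""
    count = len(accepted)
    total = round(sum(r.amount for r in accepted), 2)
    return {"count": count, "total": total,
            "count_ok": count == header["expected_count"],
            "total_ok": total == round(header["expected_total"], 2)}


def process_batch(accepted, ledger, processed, audit_trail):
    """Post each accepted transaction exactly once, with a reasonableness test and audit trail."""
    posted = []
    for r in accepted:
        if r.doc_no in processed:
            audit_trail.append(("skipped", r.doc_no, "already processed"))
        elif r.amount > REASONABLE_MAX:
            audit_trail.append(("exception", r.doc_no, "failed reasonableness test"))
        else:
            ledger[r.vendor] = round(ledger.get(r.vendor, 0.0) + r.amount, 2)
            processed.add(r.doc_no)
            audit_trail.append(("posted", r.doc_no, r.amount))
            posted.append(r.doc_no)
    return posted


def output_report(ledger, audit_trail, reader_role, distribution_log):
    """Output only to authorized roles; every delivery or refusal goes in the distribution log."""
    if reader_role not in AUTHORIZED_READERS:
        distribution_log.append((reader_role, "denied"))
        return None
    distribution_log.append((reader_role, "delivered"))
    return {"ledger": dict(ledger), "audit_entries": len(audit_trail)}


def run_batch(records=KEYED_RECORDS, header=BATCH_HEADER):
    """Run the whole cycle and return everything a reviewer would look at."""
    accepted, exceptions = input_controls(records, header)
    totals = reconcile_control_totals(accepted, header)
    ledger, processed, audit_trail, distribution_log = {}, set(), [], []
    posted = process_batch(accepted, ledger, processed, audit_trail)
    reposted = process_batch(accepted, ledger, processed, audit_trail)  # a re-run must post nothing
    report = output_report(ledger, audit_trail, "auditor", distribution_log)
    denied = output_report(ledger, audit_trail, "ap_clerk", distribution_log)
    return {"exceptions": exceptions, "totals": totals, "posted": posted,
            "reposted": reposted, "report": report, "denied": denied,
            "distribution_log": distribution_log}


if __name__ == "__main__":
    for key, value in run_batch().items():
        print(f"{key}: {value}")
```

On the sample batch the control totals fail to reconcile (3 records and 1000.00 against an expected 4 and 1250.00), and the exception report explains exactly why: document 1002 was keyed twice, 1005 does not belong to the batch, and 1003 was never entered. That is the point of control totals: they do not locate the error themselves, but they refuse to let the batch proceed until the exception report accounts for it.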
Why are IT Controls Important?
• IT controls are essential to protect assets,
customers and sensitive information;
demonstrate safe, efficient and ethical
behavior; and preserve brand, reputation and
trust.
• IT controls support business management and
governance as well as provide general and
technical controls over IT infrastructures.
Who is responsible for IT Controls?
Everybody!
• But control ownership must be specified otherwise no one
is responsible.
• Many institutions have allocated the responsibility of
information controls to the Information Technology
management, in effect making this IT’s responsibility.
• In fact, the security of information, whether written, verbal,
or physical, is a much broader responsibility. Regulations
also require controls that are outside the purview of IT. If
only IT is seen as responsible, other technical related
requirements can easily slip through the cracks.
Where are IT Controls Applied?
Everywhere!
• IT includes technology components,
processes, people, organization, and
architecture (infrastructure) – as well as the
information itself.