internal controls over information systems
Post on 28-Nov-2014
1.502 Views
Preview:
DESCRIPTION
TRANSCRIPT
Internal Controls Over
Information Systems
Information Technology
Internal Controls Over
Information Systems
• Objective – Understand how Internal Controls over Information systems support Internal Controls over Financial Reporting (ICFR)
Agenda
• Internal Controls
• Segregation of Duties
• System Development Lifecycle (SDLC)
• Change Management
• Security
Application/Platform
Logical Security
Physical Security
Agenda
• Security (continued)
Environmental Controls
Monitoring
Backup
Disaster Recovery
• Third Parties/Cloud Computing
• Prioritization
• Summary
Internal Controls Over
Information Systems
Internal Controls
• Internal controls are established as mechanism to achieve desired business objectives
• Counter risks & threats, both external & internal, to business environment
• Ensure business requirements of quality, cost & delivery are met
• Resources are effectively & efficiently used
Internal Controls
• Confidentiality, integrity, availability (CIA) &
reliability of information are met, as well as comply
with statutory & regulatory requirements
• Our focus will be on the last one, (CIA), as it relates
to information systems & financial reporting
Confidentiality
Integrity
Availability
Internal Controls
• Internal controls over financial reporting (ICFR)
Focus is on financial data
• Internal controls over information systems
Information System controls typically apply to whole organization – Best Practices
Financial Audit - Focus is on financial applications
Information System Controls • Segregation of duties
• System development lifecycle (SDLC)
• Security
Logical
Physical
Environmental
Monitoring
Back up
Disaster recovery
• Third parties/cloud computing
Segregation of Duties
• Checks & balances
• Organizational structure
Who can submit invoices for payment?
Who can authorize?
Who reconciles bank statement?
• Very important especially for
Small organizations
Downsized organizations
Segregation of Duties
• Information systems
What access do information systems personnel have?
Are their logs tracking activity?
Is someone reviewing logs?
• Controlled with logical security
Typically by role
System Development Life Cycle
(SDLC)
System Development Life Cycle
(SDLC)
• Assess needs
• Design specifications/Vendor Selection
• Develop/test software
• Implement systems – training, documentation
• Support operations (maintenance)
• Evaluate performance (monitor)
Change Management
• Change management
Subset of SDLC
Quarterly, annual upgrades
Should be formal process
Integrated testing
Training
Sign off
Documentation
Includes configuration & upgrades for firewalls, routers
& VPN
Security
Application/Platform Security
• Risk & vulnerability will vary based on:
Applications and platforms being used
Location of systems: Onsite vs. hosted
Access to source code
Logical Security • Computer access
Access to only what they need to do their job
System/network level
Application level
• Password management
Are they complex?
Do they have to be changed?
Is there policy about not sharing, writing them down, etc.
• Wireless – Secured, Segmented
Logical Security
Access management
• New hires
• Job changes
• Terminations
Timely
• Access audits
Employees
Third parties
Physical Security
• Building
Proximity cards
Access based on role
Terminations
Lost cards
Access audits
Cameras
Who monitors?
Data retention
Physical Security • Data center
Similar to building controls
What about vendors?
• Work areas
Can computers be stolen?
Can data be stolen?
Can malicious software be uploaded?
• Mobile devices
Environmental Controls
• Generator
• UPS
• Sensors
Heat
Moisture
• Are they tested?
• Is there routine maintenance?
Monitoring
• User access – failed login attempts
• Unauthorized access attempts through firewalls, routers & VPN
• System usage – thresholds
• Is someone monitoring, reporting & remediating?
• Is a problem & incident system in place?
Backup • What’s backed up?
• How often?
• How long are they saved?
• Where are they stored?
• How do they get there?
• Who has access to them?
• Are they tested periodically?
• Redundancy – to supplement backups
Disaster Recovery
• Disaster recovery plan
What’s the plan?
Criticality matrix
Do key people know about plan?
Can key people get to plan?
Does it include an alternate location?
Periodic testing
Third Parties
• When you outsource services, you increase risk
• They need to have same or better controls as your organization
• New vendors
Did anyone look at risk?
Did anyone decide if it was acceptable?
Third Parties
• Current Vendors
Vendor Inventory – Assess risk
• How do you know controls are in place?
Selection process
SSAE16 (previously SAS70)
Inspections
Performance reports
Third Party
• Cloud computing
Do you know who they are?
Additional risks to consider
• Third-party access
VPN
Encrypted or password protected files
Others Control Areas
• Strategic Plan
• IT Strategy – strategic plan that includes risk management
• Organizational infrastructure
Adequate number of trained personnel to support systems. Can they do their jobs without causing errors that impact financial data?
Current policies & procedures to prevent errors or disclosures
Prioritization
• How can we do all these things with our shrinking budgets?
• Pick highest areas of risk & address first
Probability & impact analysis
• Implement solutions based on size & complexity of your organization
Summary
Confidentiality – INTEGRITY – Availability
Information System Controls C I A
Segregation of Duties Y Y Y
SDLC & Change Management Y Y Y
Logical Security Y Y Y
Physical Security Y Y Y
Environmental Controls Y
Monitoring Y Y Y
Back Up Y Y Y
Disaster Recovery Y Y Y
Third Parties Y Y Y
Internal Controls Over Financial Reporting Y
Summary
Internal Controls over Information Systems
Ongoing process
Continually changing
Monitoring is key
Review periodically
Contact Information
Jeffrey Paulette
BKD IT Risk Services
417.865.8701
jpaulette@bkd.com
www.bkd.com/services/it-risk-services/
top related