Internal Controls Over Information Systems

Internal Controls Over

Information Systems

Information Technology


Information Systems

• Objective – Understand how Internal Controls over Information systems support Internal Controls over Financial Reporting (ICFR)

Agenda

• Internal Controls

• Segregation of Duties

• System Development Lifecycle (SDLC)

• Change Management

• Security

Application/Platform

Logical Security

Physical Security

Agenda

• Security (continued)

Environmental Controls

Monitoring

Backup

Disaster Recovery

• Third Parties/Cloud Computing

• Prioritization

• Summary


Information Systems

Internal Controls

• Internal controls are established as mechanism to achieve desired business objectives

• Counter risks & threats, both external & internal, to business environment

• Ensure business requirements of quality, cost & delivery are met

• Resources are effectively & efficiently used

http://images.google.com/imgres?imgurl=http://www.thefinancialboutique.com/Portals/38551/images/Internal%2520Controls.jpg&imgrefurl=http://www.thefinancialboutique.com/blog/&usg=__Awi96k4djh7SRkOylkRG0hZh4l4=&h=192&w=208&sz=8&hl=en&start=60&zoom=1&itbs=1&tbnid=OZh3TQMskS7d1M:&tbnh=97&tbnw=105&prev=/search%3Fq%3Dinternal%2Bcontrols%26start%3D40%26hl%3Den%26sa%3DN%26biw%3D1259%26bih%3D826%26gbv%3D2%26ndsp%3D20%26tbm%3Disch&ei=IADgTa7tHoGosAOp972qBw

Internal Controls

• Confidentiality, integrity, availability (CIA) &

reliability of information are met, as well as comply

with statutory & regulatory requirements

• Our focus will be on the last one, (CIA), as it relates

to information systems & financial reporting

Confidentiality

Integrity

Availability


Internal Controls

• Internal controls over financial reporting (ICFR)

Focus is on financial data

• Internal controls over information systems

Information System controls typically apply to whole organization – Best Practices

Financial Audit - Focus is on financial applications


Information System Controls • Segregation of duties

• System development lifecycle (SDLC)

• Security

Logical

Physical

Environmental

Monitoring

Back up

Disaster recovery

• Third parties/cloud computing

Segregation of Duties

• Checks & balances

• Organizational structure

Who can submit invoices for payment?

Who can authorize?

Who reconciles bank statement?

• Very important especially for

Small organizations

Downsized organizations

http://images.google.com/imgres?imgurl=http://blogs.exact.com/products/wp-content/uploads/2009/11/rights1.gif&imgrefurl=http://blogs.exact.com/products/2009/11/how-to-give-users-rights-to-view-accounts-but-not-edit-them/&usg=__vHuEbI_1ra3Yomjh8xX1NNboYoY=&h=356&w=350&sz=24&hl=en&start=158&zoom=1&itbs=1&tbnid=Pxgx-vRlHIPnBM:&tbnh=121&tbnw=119&prev=/images%3Fq%3Dsegregation%2Bof%2Bduties%26start%3D140%26hl%3Den%26sa%3DN%26gbv%3D2%26ndsp%3D20%26tbm%3Disch&ei=FgHgTYfKEYW6sAOA7ICsBw

Segregation of Duties

• Information systems

What access do information systems personnel have?

Are their logs tracking activity?

Is someone reviewing logs?

• Controlled with logical security

Typically by role

http://images.google.com/imgres?imgurl=http://blogs.exact.com/products/wp-content/uploads/2009/11/rights1.gif&imgrefurl=http://blogs.exact.com/products/2009/11/how-to-give-users-rights-to-view-accounts-but-not-edit-them/&usg=__vHuEbI_1ra3Yomjh8xX1NNboYoY=&h=356&w=350&sz=24&hl=en&start=158&zoom=1&itbs=1&tbnid=Pxgx-vRlHIPnBM:&tbnh=121&tbnw=119&prev=/images%3Fq%3Dsegregation%2Bof%2Bduties%26start%3D140%26hl%3Den%26sa%3DN%26gbv%3D2%26ndsp%3D20%26tbm%3Disch&ei=FgHgTYfKEYW6sAOA7ICsBw

System Development Life Cycle

(SDLC)

System Development Life Cycle

(SDLC)

• Assess needs

• Design specifications/Vendor Selection

• Develop/test software

• Implement systems – training, documentation

• Support operations (maintenance)

• Evaluate performance (monitor)

Change Management

• Change management

Subset of SDLC

Quarterly, annual upgrades

Should be formal process

Integrated testing

Training

Sign off

Documentation

Includes configuration & upgrades for firewalls, routers

& VPN

http://images.google.com/imgres?imgurl=http://www.ideasandtraining.com/images/ChangeMachine.gif&imgrefurl=http://www.ideasandtraining.com/Change-Management-Training.html&usg=__q4HUrpmg3jtZnzXPO-pEtfm9_5c=&h=413&w=493&sz=38&hl=en&start=64&zoom=1&itbs=1&tbnid=IQ0LBg1yoKaG3M:&tbnh=109&tbnw=130&prev=/images%3Fq%3Dchange%2Bmanagement%26start%3D60%26hl%3Den%26sa%3DN%26gbv%3D2%26ndsp%3D20%26tbm%3Disch&ei=xAXgTYz3B4T6swOS16i_Bw

Security

Application/Platform Security

• Risk & vulnerability will vary based on:

Applications and platforms being used

Location of systems: Onsite vs. hosted

Access to source code

Logical Security • Computer access

Access to only what they need to do their job

System/network level

Application level

• Password management

Are they complex?

Do they have to be changed?

Is there policy about not sharing, writing them down, etc.

• Wireless – Secured, Segmented

Logical Security

Access management

• New hires

• Job changes

• Terminations

Timely

• Access audits

Employees

Third parties

Physical Security

• Building

Proximity cards

Access based on role

Terminations

Lost cards

Access audits

Cameras

Who monitors?

Data retention

http://images.google.com/imgres?imgurl=http://www.dpair.com/wp-content/uploads/buildingSecurity-300x199.jpg&imgrefurl=http://www.dpair.com/building-management/building-security/&usg=__e0nU1i8h3Y07u4QWnfcM3e1Ada0=&h=199&w=300&sz=13&hl=en&start=97&sig2=7Rez0xCt1WKwFhzvaCJBAA&zoom=1&itbs=1&tbnid=HvnmCKzDUZMEoM:&tbnh=77&tbnw=116&prev=/search%3Fq%3Dbuilding%2Bsecurity%26start%3D80%26hl%3Den%26sa%3DN%26gbv%3D2%26ndsp%3D20%26biw%3D1259%26bih%3D596%26tbm%3Disch&ei=uXrdTaKOIqyP0QG07bTVDw

http://images.google.com/imgres?imgurl=http://www.howtovanish.com/images/surveillance-cameras.jpg&imgrefurl=http://www.howtovanish.com/2010/01/avoid-nosy-surveillance-cameras/&usg=__P4ZwqgGObsH_8e9tPKPyNOgreZs=&h=300&w=400&sz=22&hl=en&start=8&sig2=_pSnMcu3m2eT9IOVeTdLWg&zoom=1&itbs=1&tbnid=jYDxZO3VGkKKcM:&tbnh=93&tbnw=124&prev=/search%3Fq%3Dsecurity%2Bcameras%26hl%3Den%26biw%3D1250%26bih%3D818%26gbv%3D2%26tbm%3Disch&ei=WOzoTYHNKJC4sQPhu9D5DQ

Physical Security • Data center

Similar to building controls

What about vendors?

• Work areas

Can computers be stolen?

Can data be stolen?

Can malicious software be uploaded?

• Mobile devices

http://images.google.com/imgres?imgurl=http://www.popgadget.net/images/USB%2520pen.jpg&imgrefurl=http://www.popgadget.net/2006/12/usb_stylus_pen.php&usg=__iyV4_Qa5qt17VoSlqcCI09O53Eo=&h=292&w=300&sz=11&hl=en&start=65&sig2=w6oswxmn1Ba5tNLNNPPrqQ&zoom=1&itbs=1&tbnid=u69ttoVyk5vB8M:&tbnh=113&tbnw=116&prev=/search%3Fq%3Dusb%26start%3D60%26hl%3Den%26sa%3DN%26gbv%3D2%26ndsp%3D20%26biw%3D1259%26bih%3D596%26tbm%3Disch&ei=03ndTcHjM6rh0QHAr7z3Dw

http://images.google.com/imgres?imgurl=http://www.charleskingconsulting.com/images/DataCenter.jpg&imgrefurl=http://www.charleskingconsulting.com/&usg=__WsAXtxR2d-3-p6M-dtZLB6dZNn4=&h=1054&w=1208&sz=339&hl=en&start=123&sig2=5ZgaFeEc9wTfddvCFPyzMQ&zoom=1&itbs=1&tbnid=Q0N9_-EV7eUzTM:&tbnh=131&tbnw=150&prev=/search%3Fq%3Ddata%2Bcenter%26start%3D120%26hl%3Den%26sa%3DN%26gbv%3D2%26ndsp%3D20%26biw%3D1259%26bih%3D596%26tbm%3Disch&ei=wH7dTYv1I8rL0QHY043LCw

http://images.google.com/imgres?imgurl=http://askbobrankin.com/laptop-security-cable.jpg&imgrefurl=http://askbobrankin.com/laptop_security.html&usg=__c_3qvzm2BlE5jq7_mzsfQPESIKE=&h=240&w=300&sz=15&hl=en&start=10&sig2=-hmdbz6SrrEnEltFkIiHTg&zoom=1&itbs=1&tbnid=DmfE8LM4QMI4bM:&tbnh=93&tbnw=116&prev=/search%3Fq%3Dphysical%2Bsecurity%2Bfor%2Bcomputers%26hl%3Den%26biw%3D1259%26bih%3D596%26gbv%3D2%26tbm%3Disch&ei=knfdTcuUFuLd0QHC_4TmDw

Environmental Controls

• Generator

• UPS

• Sensors

Heat

Moisture

• Are they tested?

• Is there routine maintenance?

http://images.google.com/imgres?imgurl=http://www.unitiv.com/Portals/51762/images/fan_data_center.jpg&imgrefurl=http://www.unitiv.com/it-solutions-blog/bid/55985/Data-Center-Cooling-Challenges&usg=__WpcmRi-S44lRiSxz-z5Iqp7q2gU=&h=263&w=350&sz=25&hl=en&start=104&sig2=i9ie5uAlpzURtDyiDkO5Rw&zoom=1&itbs=1&tbnid=BgSo2dS9n2HkAM:&tbnh=90&tbnw=120&prev=/search%3Fq%3Ddata%2Bcenter%26start%3D100%26hl%3Den%26sa%3DN%26gbv%3D2%26ndsp%3D20%26biw%3D1259%26bih%3D596%26tbm%3Disch&ei=gX7dTdTcA-rf0QH9hczVDw

Monitoring

• User access – failed login attempts

• Unauthorized access attempts through firewalls, routers & VPN

• System usage – thresholds

• Is someone monitoring, reporting & remediating?

• Is a problem & incident system in place?

Backup • What’s backed up?

• How often?

• How long are they saved?

• Where are they stored?

• How do they get there?

• Who has access to them?

• Are they tested periodically?

• Redundancy – to supplement backups

http://images.google.com/imgres?imgurl=http://listsoplenty.com/blog/wp-content/uploads/2011/01/backup-data.jpg&imgrefurl=http://listsoplenty.com/blog/%3Fp%3D11801&usg=__1thDRZmpAAloDFjz54qqpZfSwss=&h=228&w=333&sz=32&hl=en&start=15&sig2=QffvvNRQOhKf_3xeoJpxyg&zoom=1&itbs=1&tbnid=d5Y2nD1zxs27tM:&tbnh=81&tbnw=119&prev=/search%3Fq%3Dbackup%2Bdata%26hl%3Den%26biw%3D1250%26bih%3D818%26gbv%3D2%26tbm%3Disch&ei=D-joTc71IobAsAP-z9HjDQ

Disaster Recovery

• Disaster recovery plan

What’s the plan?

Criticality matrix

Do key people know about plan?

Can key people get to plan?

Does it include an alternate location?

Periodic testing

http://images.google.com/imgres?imgurl=http://www.reittechnologies.com/images/disaster_recovery.jpg&imgrefurl=http://www.reittechnologies.com/disaster_recovery_planning.html&usg=__4daPiKN07aVKEABoTSvhiYRDp8I=&h=202&w=286&sz=18&hl=en&start=24&sig2=vbfJ6ZOt1sYX9AJldF1i8Q&zoom=1&itbs=1&tbnid=iC9pmK0WADBNkM:&tbnh=81&tbnw=115&prev=/search%3Fq%3Ddisaster%2Brecovery%26start%3D20%26hl%3Den%26sa%3DN%26biw%3D1250%26bih%3D818%26gbv%3D2%26ndsp%3D20%26tbm%3Disch&ei=SOHoTaTSA4eisAOc3fX0DQ

Third Parties

• When you outsource services, you increase risk

• They need to have same or better controls as your organization

• New vendors

Did anyone look at risk?

Did anyone decide if it was acceptable?

http://images.google.com/imgres?imgurl=http://imgs.sfgate.com/blogs/images/sfgate/ybenjamin/2009/09/02/question-cloud.jpg&imgrefurl=http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail%3Fentry_id%3D47136&usg=__TdNZprQ6HcTRt4Juqq5HT9FpMEs=&h=450&w=285&sz=16&hl=en&start=10&sig2=rY09JKtclil71LT7gGVsgg&zoom=1&itbs=1&tbnid=Ig_-jR6lezW4EM:&tbnh=127&tbnw=80&prev=/search%3Fq%3Dcloud%2Bcomputing%26hl%3Den%26gbv%3D2%26biw%3D1259%26bih%3D596%26tbm%3Disch&ei=GIDdTdOZHIXv0gHh49z7Dw

Third Parties

• Current Vendors

Vendor Inventory – Assess risk

• How do you know controls are in place?

Selection process

SSAE16 (previously SAS70)

Inspections

Performance reports


Third Party

• Cloud computing

Do you know who they are?

Additional risks to consider

• Third-party access

VPN

Encrypted or password protected files


Others Control Areas

• Strategic Plan

• IT Strategy – strategic plan that includes risk management

• Organizational infrastructure

Adequate number of trained personnel to support systems. Can they do their jobs without causing errors that impact financial data?

Current policies & procedures to prevent errors or disclosures

Prioritization

• How can we do all these things with our shrinking budgets?

• Pick highest areas of risk & address first

Probability & impact analysis

• Implement solutions based on size & complexity of your organization

http://images.google.com/imgres?imgurl=http://ttoes.files.wordpress.com/2011/04/budget_cutting_hg_clr1.gif&imgrefurl=http://ttoes.wordpress.com/2011/04/12/how-to-cut-the-budget/&usg=__i2dvg_KvpFt1hhfw653k6K8P6Dk=&h=416&w=416&sz=290&hl=en&start=4&sig2=mjHgF4Nt9FOgcUA-mWrUNQ&zoom=1&itbs=1&tbnid=ts5hEu1csqOJIM:&tbnh=125&tbnw=125&prev=/search%3Fq%3Dbudget%26hl%3Den%26biw%3D1250%26bih%3D818%26gbv%3D2%26tbm%3Disch&ei=GOvoTcmyB4j4swPa0uHeDQ

Summary

Confidentiality – INTEGRITY – Availability

Information System Controls C I A

Segregation of Duties Y Y Y

SDLC & Change Management Y Y Y

Logical Security Y Y Y

Physical Security Y Y Y

Environmental Controls Y

Monitoring Y Y Y

Back Up Y Y Y

Disaster Recovery Y Y Y

Third Parties Y Y Y

Internal Controls Over Financial Reporting Y

Summary

Internal Controls over Information Systems

Ongoing process

Continually changing

Monitoring is key

Review periodically

Contact Information

Jeffrey Paulette

BKD IT Risk Services

417.865.8701

[email protected]

www.bkd.com/services/it-risk-services/

mailto:[email protected]

http://www.bkd.com/services/it-risk-services/





Internal Controls Over Information Systems

Technology

Transcript of Internal Controls Over Information Systems