The Detroit Chapter of the IIA Presents · Performance/ business auditors regularly depend on...


  • The Detroit Chapter of the IIA Presents

  • Application Controls and Data Reliability

    Jeff Sisolak, CISM, CISA

    © Copyright 2017 Securely Yours LLC

  • If You Have Questions…

    If you have questions during the webcast:

    – If necessary, exit Full Screen View by pressing the Esc key

    – Submit questions through the Ask a question button

  • Earning CPE Credit

    In order to receive CPE credit for this webcast, participants must:

    – Attend the webcast on individual computers (one person per computer)

    – Answer polling questions asked throughout the webcast

    When answering polling questions, select your answer and then click the “Vote” button (next to the “Ask a Question” button) to submit / save your answer.

    CPE certificates will be sent to the e-mail address on your BrightTALK account within two weeks of this webinar.

  • Please tell us your member status

    A) Member – Detroit Chapter

    B) Member – Central Region District 2 (Fort Wayne, Toledo, Michiana, W. Mich., Lansing)

    C) Member – Other District

    D) Non-member

  • Jeff Sisolak, CISA, CISM [email protected]

  • Why are we here?

    • The role of Information Technology in business processes has evolved from non-existent to supportive to essential over the past 25 years.

    • Today it is difficult to find a core business process that doesn’t rely on IT.

    • Performance/ business auditors regularly depend on output from computer systems and must assess data reliability.


  • The good news: This should look very familiar.

    • Application controls are essentially manual business process controls that have been automated.

    • Evaluating the reliability of a computer generated report is not unlike evaluating the reliability of paper based evidence.

    • Performance auditors are generally not expected to understand the intricacies of Unix or program in Perl or audit an enterprise firewall.

    When it comes to auditing applications, understanding the business process is often more important than understanding the tech.


  • Benefits of Application Controls vs. Manual Controls

    • Reliability – Reduces the likelihood of errors due to human intervention

    • Benchmarking – Effective IT general controls can lead to concluding the application controls are effective year to year without re-testing (assuming no changes). Benchmarking therefore depends on change management controls that would reliably detect any change to the application control.

    • Additional time and cost savings – Typically application controls take less time to test and only require testing once as long as the IT general controls are effective

    This webinar is about de-mystifying IT audit and providing the language and techniques for effective IT auditing.

  • Controls Landscape

    The landscape splits into manual and automated controls, with four groups:

    – Manual Controls

    – Application Controls (automated, application specific): user input validation, application calculations, application access

    – IT General Controls (automated, not application specific): data backup and recovery, batch processing, database access

    – IT-Dependent Manual Controls: manual processes that utilize technology (email, shared folders, spreadsheets, etc.)

  • The Technology “Stack”

    Layer            | Examples                                 | Typical Users
    Application      | ServiceNow, SAP, Photoshop, Candy Crush  | End User, Super User
    Database         | Oracle, SQL Server, MySQL, Access        | Database Administrator or DBA
    Operating System | Windows, Unix, Linux, DOS, Android, iOS  | System Admin or SysAdmin

    Controls must be effective at all layers to be secure, and access controls are required at all three layers: a DBA with direct database access, or a SysAdmin with access to the database files, can change data without ever passing through the application’s input controls.

  • Knowledge Check #1


  • How to think about Application Controls


  • Application Access Controls

  • Key Components for Access Control

    • Identification: A method to uniquely identify an individual. Examples could be a driver’s license number, SSN, or a User ID

    • Authentication: A method to verify the individual is in fact who he or she is claiming to be

    • Authorization: Assigning rights or privileges to the individual

    Identification, Authentication, and Authorization have to occur in that order.

  • Testing Access Control

    • Ensure the application has a unique identifier and an effective method of authentication

    • Verify the application has appropriate password controls

    • Ensure that users are automatically logged off after a period of inactivity

    • Ensure the process for authorizing access is based on need-to-know. Especially consider super-users or privileged users

    • Verify authorization is working as intended including any segregation of duties requirements

    • Review the process for provisioning and deprovisioning

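    The access tests above are normally run against the application’s user/role export. The script below is an added example written for this page, not material from the webinar: it takes a constructed user-role export, a constructed HR active-employee list and a hypothetical segregation-of-duties rule matrix (all assumptions made for the example) and produces the three exception lists an auditor would follow up on: segregation-of-duties conflicts, privileged accounts for need-to-know review, and accounts whose owner is no longer active in HR (a deprovisioning failure).

```python
"""Audit analytics for testing application access control.

Added example, not code from the webinar. Flags segregation-of-duties
conflicts, privileged (super-user) accounts that need a need-to-know
review, and accounts whose owner is inactive or unknown in HR, which
points at a deprovisioning gap. All inputs are constructed so the script
runs offline; on an engagement they come from the application's
user/role export and the HR active-employee list.
"""
from collections import defaultdict
from itertools import combinations

# Constructed application user-role export (one row per role assignment).
USER_ROLES = [
    ("alice", "requester"),
    ("alice", "supervisor"),      # can submit and approve: SoD conflict
    ("bob", "requester"),
    ("carol", "supervisor"),
    ("dave", "sysadmin"),         # privileged
    ("erin", "requester"),        # terminated per HR, still has access
    ("svc_batch", "sysadmin"),    # no HR record: probably a service account
]

# Constructed HR list: user ID -> still an active employee?
HR_STATUS = {"alice": True, "bob": True, "carol": True, "dave": True, "erin": False}

# Hypothetical SoD rule matrix: role pairs one person must not hold together.
SOD_RULES = [("requester", "supervisor"), ("sysadmin", "supervisor")]

PRIVILEGED_ROLES = {"sysadmin", "supervisor"}


def roles_by_user(user_roles):
    """Collapse the export into user -> set of roles."""
    out = defaultdict(set)
    for user, role in user_roles:
        out[user].add(role)
    return out


def sod_conflicts(user_roles, rules=SOD_RULES):
    """Sorted (user, role_a, role_b) triples that violate an SoD rule."""
    forbidden = {tuple(sorted(pair)) for pair in rules}
    hits = []
    for user, roles in roles_by_user(user_roles).items():
        for a, b in combinations(sorted(roles), 2):
            if (a, b) in forbidden:
                hits.append((user, a, b))
    return sorted(hits)


def deprovisioning_exceptions(user_roles, hr_status=HR_STATUS):
    """(inactive_users, unknown_users) that still hold application access.

    Unknown users are reported separately: they may be service accounts,
    which need a named owner and a review rather than removal.
    """
    inactive, unknown = [], []
    for user in sorted(roles_by_user(user_roles)):
        if user not in hr_status:
            unknown.append(user)
        elif not hr_status[user]:
            inactive.append(user)
    return inactive, unknown


def privileged_accounts(user_roles, privileged=PRIVILEGED_ROLES):
    """user -> privileged roles held: the population for need-to-know review."""
    return {user: sorted(roles & privileged)
            for user, roles in roles_by_user(user_roles).items()
            if roles & privileged}


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(USER_ROLES))
    print("Inactive / unknown in HR:", deprovisioning_exceptions(USER_ROLES))
    print("Privileged accounts:", privileged_accounts(USER_ROLES))
```

    The rule matrix is the part to get from the business, not from IT: which role pairs conflict is a business-process question, exactly as the slides say.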

  • Knowledge Check #2

    True or False: the three steps for access control (in order) are Identification, Authentication, and Authorization.


  • Input Controls


  • Types of Input Controls

    • Data editing is the activity aimed at detecting and correcting errors in data

      – Basic validation edits: blank fields, letters in a numeric field, etc.

      – Range edits: verify a data item value falls inside an acceptable range
        • Hours expended in a day cannot be more than 24
        • Payments may not exceed $1000
        • A person’s height cannot be negative or zero
        • Even free-form text fields need input controls

      – Logical edits: ensure that two or more data items do not have contradictory values

  • Example – simple user input validation

    Callouts on a sample data entry form:

    – SSN field: valid SSN (all digits and 9 digits)? (BP1.5)

    – Date field: valid date? Valid range? (BP1.5)

    – County field: is this a valid county in the county table?

    – User ID field: is this a valid User ID in the users table?

  • Check for input approvals where appropriate

    DATA INPUT FORM (fields: Project Description, Requested Amount, Requesting Agency, Project Owner User ID) → Submit

    DATA INPUT APPROVAL (same fields) → Approve / Reject

    Validate this screen can only be accessed by users with the role ‘supervisor’, and that a supervisor cannot approve a request they submitted themselves (segregation of duties).

  • Ensure appropriate error messages

    DATA INPUT FORM (fields: Project Description, Requested Amount, Requesting Agency, Project Owner User ID) → Submit, with Requesting Agency entered as abc123

    Good error message: ERROR: abc123 is not a valid agency

    Risky error message: ERROR on line 2312: agency_name ‘abc123’ cannot be found in the table ‘agency’;

    The risky message leaks internals (a source line number, a table name and a column name) that help an attacker map the application and craft injection attempts. That detail belongs in the server-side log, not on the user’s screen.

  • How to audit input controls

    • Understand the process flows and information flows

    • Understand any source documents that are used for input. Are they retained and therefore available for testing?

    • Understand the business rules around information, including what is valid / invalid

    • Verify that invalid data is rejected or edited upon entry
      – Testing the system by running a transaction through or recreating the calculations performed by a system
      – Reviewing data for validity, accuracy, and completeness
      – Code review

  • Knowledge Check #3

    Why should an auditor be concerned about an error message with unnecessary techno-jargon?

    A. Segregation of duties

    B. System Usability

    C. Reveals information to hackers

    D. It is not a concern for audit


  • Processing Controls


  • Processing Controls

    • An IT application can contain thousands of calculations. Choose processing controls for testing carefully based on risk:
      – Regulatory and other mandated calculations
      – Calculations with major financial impact
      – Calculations subject to change
      – Calculations which are complicated and, thus, prone to error

    • Examples of calculations:
      – Calculating food stamp benefit payments
      – Calculating principal, interest, penalties on a loan
      – Operational checks for duplicate records

    • Techniques for testing calculations are:
      – Re-performance
      – Identifying exceptions in existing data
      – Code review (uncommon)
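    Re-performance and exception identification look like this in practice. The script below is an added example written for this page, not material from the webinar: it recomputes each statement line’s interest and late penalty from documented business rules and flags rows where the system’s figure differs, then runs the duplicate-record check over a payment extract. The rules (simple daily interest on the opening balance over an inclusive day count, a flat $25 late penalty, a 365-day year) and the extract rows are assumptions constructed for the example; on an engagement the rules come from the business requirements and the rows from the application’s own data.

```python
"""Re-performance of a loan interest calculation and a duplicate-record
check over a system extract.

Added example, not the webinar's code. The business rules (simple daily
interest on the opening balance, inclusive day count, 365-day year, flat
$25 late penalty) and the extract rows are assumptions constructed for
the example.
"""
from collections import Counter
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
LATE_PENALTY = Decimal("25.00")     # assumed rule: flat penalty when paid after the due date
DAYS_IN_YEAR = 365                   # assumed day-count convention


def expected_interest(balance, annual_rate, start, end):
    """Simple interest on the opening balance for an inclusive period, to the cent."""
    days = (end - start).days + 1
    raw = balance * annual_rate * days / DAYS_IN_YEAR
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)


def expected_penalty(paid_on, due_on):
    return LATE_PENALTY if paid_on > due_on else Decimal("0.00")


def interest_for_row(row):
    """Re-perform the interest calculation for one extract row."""
    return expected_interest(Decimal(row["balance"]), Decimal(row["rate"]),
                             date.fromisoformat(row["start"]), date.fromisoformat(row["end"]))


def penalty_for_row(row):
    return expected_penalty(date.fromisoformat(row["paid"]), date.fromisoformat(row["due"]))


def reperform(extract):
    """(loan_id, field, system_value, expected_value) for every mismatch."""
    exceptions = []
    for row in extract:
        for field, system, expected in (("interest", Decimal(row["sys_interest"]), interest_for_row(row)),
                                        ("penalty", Decimal(row["sys_penalty"]), penalty_for_row(row))):
            if system != expected:
                exceptions.append((row["loan_id"], field, system, expected))
    return exceptions


def duplicate_payments(payments):
    """((loan_id, date, amount), count) for keys that occur more than once."""
    counts = Counter((p["loan_id"], p["date"], Decimal(p["amount"])) for p in payments)
    return sorted((key, n) for key, n in counts.items() if n > 1)


# Constructed statement extract: one row per loan billing period.
EXTRACT = [
    {"loan_id": "L1", "start": "2017-01-01", "end": "2017-01-31", "balance": "10000.00", "rate": "0.06",
     "sys_interest": "50.96", "paid": "2017-02-01", "due": "2017-02-05", "sys_penalty": "0.00"},
    {"loan_id": "L2", "start": "2017-02-01", "end": "2017-02-28", "balance": "2500.00", "rate": "0.045",
     "sys_interest": "8.36", "paid": "2017-03-03", "due": "2017-03-05", "sys_penalty": "0.00"},   # digits transposed
    {"loan_id": "L3", "start": "2017-03-01", "end": "2017-03-31", "balance": "800.00", "rate": "0.12",
     "sys_interest": "8.15", "paid": "2017-04-10", "due": "2017-04-05", "sys_penalty": "0.00"},   # late, no penalty charged
]

# Constructed payment extract with one duplicated posting.
PAYMENTS = [
    {"loan_id": "L1", "date": "2017-02-01", "amount": "500.00"},
    {"loan_id": "L1", "date": "2017-02-01", "amount": "500.00"},
    {"loan_id": "L2", "date": "2017-03-03", "amount": "120.00"},
]

if __name__ == "__main__":
    for exc in reperform(EXTRACT):
        print("EXCEPTION", *exc)
    print("DUPLICATES", duplicate_payments(PAYMENTS))
```

    Decimal rather than float is deliberate: a float re-performance will itself disagree with the system by a cent now and then and bury real exceptions in noise.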

  • Data Output Controls

    FISCAM BP-3. Transaction data output is complete, accurate, valid, and confidential


  • Testing Output Controls

    • Outputs are appropriately defined and approved by management
      – Are ad hoc reports used for ongoing operations?

    • Output access and distribution are aligned with the reporting strategy and operating effectively.
      – Access to view?
      – Access to print or export?
      – Watermarking?

    • System generated outputs/reports are reviewed to reasonably assure the integrity of production data and transaction processing.
      – Re-performance
      – Identifying exceptions in existing data
      – Code review (uncommon)

    Catch errors early. Validation during input or processing is preferred where feasible.

  • Data Reliability

    Ensuring sufficient reliability in computer generated reports


  • No “Leap of Faith”

    • Computer systems are integral to many of today’s business processes

    • An auditor cannot just assume the veracity of a computer generated report

    • Common errors:
      – Report has the wrong date(s) or other wrong parameters
      – Information is wrong or not what you understand it to be
      – Software bug

  • Techniques for Assessing Data Reliability

    1. Assessing the design of the report.

    2. Comparing reports to expected or known values or distributions.

    3. Comparing reports to external data.

    4. Assessing quality assurance controls performed by the business unit.

    Whenever a computer generated report is used, an auditor should assess data reliability

  • Know your population, and be skeptical

    [Figure: four histograms of a sample population, x axis 5 to 80 in steps of 5, y axis 0 to 30. Compare the shape of the report’s population with what you expect before relying on it.]
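    The four techniques listed above, and the “know your population” point, can be run as a short script against a report extract. What follows is an added example for this page, not the webinar’s code: it checks a hypothetical “benefit payments by county” report against its own stated period (design and parameters), against a control total from an independent source (expected values), against an external county list (external data), and profiles the age column so the population can be compared with expectations. The report layout, the plausible-age bounds and every row are assumptions constructed for the example.

```python
"""Data reliability checks on a computer-generated report.

Added example, not the webinar's code. Runs the deck's techniques over a
hypothetical "benefit payments by county" report: parameter check
(rows inside the report's own period), control-total comparison with an
independent source, external-data comparison for county values, and an
age profile for the "know your population" sanity check. Layout, bounds
and rows are assumptions constructed for the example.
"""
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed report as exported from the benefits system.
REPORT = {
    "title": "Benefit payments by county",
    "period": ("2017-01-01", "2017-01-31"),
    "rows": [
        {"id": "R001", "county": "Wayne", "age": 34, "paid": "2017-01-05", "amount": "250.00"},
        {"id": "R002", "county": "Oakland", "age": 67, "paid": "2017-01-12", "amount": "410.00"},
        {"id": "R003", "county": "Macomb", "age": 5, "paid": "2017-02-02", "amount": "150.00"},   # outside the period
        {"id": "R004", "county": "Wayne", "age": 142, "paid": "2017-01-20", "amount": "250.00"},  # implausible age
        {"id": "R005", "county": "Wane", "age": 51, "paid": "2017-01-25", "amount": "300.00"},    # not a known county
    ],
}
EXTERNAL_COUNTIES = {"Wayne", "Oakland", "Macomb"}   # e.g. the state's published county list
CONTROL = {"count": 6, "total": "1460.00"}           # e.g. the GL posting for the month (one $100 payment is missing from the report)
PLAUSIBLE_AGE = (0, 120)                             # assumed bounds


def parameter_exceptions(report):
    """Row IDs whose payment date lies outside the period the report claims to cover."""
    start, end = (date.fromisoformat(d) for d in report["period"])
    return [r["id"] for r in report["rows"] if not start <= date.fromisoformat(r["paid"]) <= end]


def control_total_check(report, control):
    """Compare row count and amount total with an independent control total."""
    total = sum(Decimal(r["amount"]) for r in report["rows"])
    return {
        "count_ok": len(report["rows"]) == control["count"],
        "total_ok": total == Decimal(control["total"]),
        "report_total": str(total),
        "control_total": control["total"],
    }


def external_mismatches(report, external):
    """Row IDs whose county value does not appear in the external list."""
    return [r["id"] for r in report["rows"] if r["county"] not in external]


def implausible_ages(report, bounds=PLAUSIBLE_AGE):
    lo, hi = bounds
    return [r["id"] for r in report["rows"] if not lo <= r["age"] <= hi]


def age_histogram(report, width=10):
    """Counts per age bucket: the text form of the deck's histograms."""
    buckets = Counter((r["age"] // width) * width for r in report["rows"])
    return dict(sorted(buckets.items()))


def assess(report, control=CONTROL, external=EXTERNAL_COUNTIES):
    """Collect every finding in one dict for the auditor to review."""
    return {
        "outside_period": parameter_exceptions(report),
        "control_totals": control_total_check(report, control),
        "unknown_county": external_mismatches(report, external),
        "implausible_age": implausible_ages(report),
        "age_histogram": age_histogram(report),
    }


if __name__ == "__main__":
    for name, finding in assess(REPORT).items():
        print(f"{name}: {finding}")
```

    A histogram bucket that is empty where the business expects people, or a single value that dominates, is the kind of thing the slide’s charts are meant to make you notice; the script only hands you the numbers, the skepticism is still yours.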

  • Knowledge Check #4

    True or False: An auditor should assess data reliability whenever a computer generated report is used.

  • Good Resources on Application Controls

    – GTAG 8: Auditing Application Controls (IIA)
    – GTAG 14: Auditing User-developed Applications (IIA)
    – COBIT (ISACA)
    – FISCAM: Federal Information System Controls Audit Manual (GAO)

  • The End!

    Contact: Jeff Sisolak, [email protected]
