Understanding IT General Controls

Presenter: Ben Miron

September 9, 2008
 Session Objectives
Session Objectives

• Understand the IT Environment
• Define and Identify IT General Controls
• Develop an understanding for the IT audit process
• Conduct an IT General Controls Walkthrough
• Example Tests of IT Controls 
• Conclude and Document our Results

2
 IT Environment
IT Environment
• Understand the IT Environment
• Purpose:
– Identify all significant applications and infrastructure
Identify all significant applications and infrastructure
– Relationship between process and applications
– Relationship between applications and infrastructure
p pp
– Indicate where we might want to rely on electronic 
audit evidence
– Identify areas on which to focus our review

3
 IT Environment
IT Environment

IT
Environment

Application Controls

IT General Controls

4
IT General Control Approach 
(COSO / Cobit Approach)

Objectives

Control Environment

Unitss
omponentts

Functions
Risk Assessment
Control Activities
Information and
Communication
Co

Monitoring

5
 Categories of Controls
Categories of Controls

Manual Controls
Manual
ontrol
Type Of Co

IT-Dependent Manual Controls

neral
Contrrols
A t
Automated
t d

IT Gen
Application Controls

Prevent Detect Support The Continued

Functioning Of Automated
Aspects Of Prevent And
Misstatement In The Financial Statements Detect Controls

Objective Of Control
6
Effect of ITGC on Application 
Controls
• Effective IT general controls:
– Help make sure that application controls function 
effectively over time
effectively over time
• Ineffective IT general controls:
–AApplication controls might still operate effectively 
li ti t l i ht till t ff ti l
– Affects both financial statement and internal control 
audit strategy such as the nature timing and extent
audit strategy, such as the nature, timing, and extent 
of tests of application controls

7
 IT General Control Objectives
IT General Control Objectives

• Change
Change Management:
Management:
– Only appropriately authorized, tested and approved 
changes are made
changes are made
• Logical Access:
– Only authorized persons have access to the system 
y p y
and they can only perform specifically authorized 
functions
• Other IT General Controls (including IT operations):
– Process to determining that IT resources and 
applications continue to function as intended over 
li ti ti t f ti i t d d
time 8
 Logical Access Controls
Logical Access Controls

• General
General system security settings are appropriate.
system security settings are appropriate
• Password settings are appropriate.
• Access to privileged IT functions is limited to appropriate 
p g pp p
individuals.
• Access to system resources and utilities is limited to 
appropriate individuals
appropriate individuals.
• User access is authorized and appropriately established.
• Physical access to computer hardware is limited to 
appropriate individuals.
i i di id l
• Logical access process is monitored.
• Segregation of incompatible duties exists within logical access 
Segregation of incompatible duties exists within logical access
environment.
9
 Other IT General Controls
Other IT General Controls
• Financial data has been backed‐up and is recoverable.
• Deviations from scheduled processing are identified and 
resolved in a timely manner.
• IT Operations problems or incidents are identified, 
resolved, reviewed, and analyzed in a timely manner.

10
Manage Change and Logical Access
Manage Change and Logical Access
 Manage Change
Manage Change 

• What is the manage change scope?
– New system implementations (SDLC)
– U
Upgrade of existing system
d f i ti t
– Addition of new functionality to an existing system
– New or changed interfaces connecting different
New or changed interfaces connecting different 
applications
– Minor enhancement
– Patch to an existing system
– Emergency changes
– Configuration changes
12
 Manage Change Controls
Manage Change Controls
• Changes are authorized.
• Changes are tested.
• Changes are approved.
• Changes are monitored.
• Segregation of incompatible duties exists within the 
manage change environment.
Meditech Change Process 1
Example:
Multiple Applications Lawson
with different change Change Process 2
processes P
PeopleSoft
l S ft

13
 Logical Access Process 
C
Components t

• User ID Logical Security • System Configurations

Maintenance
• Groups and Profiles
• System
y Settings
g • Super
p Users
Maintenance Procedures Configurations • Password Settings
• Monitoring • Segregation of
Duties
• And more • Logical
L i lA Access
Policies Path
• And more
• Securityy Policyy
• Confidentiality Policy
• Data Definition Policy
• Policy Awareness Programs
• And more 14
Conducting IT General Control 
Cond cting IT General Control
Walkthroughs
 Walkthroughs: The Purpose
Walkthroughs: The Purpose

• Why do we perform walkthroughs?
• To confirm:
– Our understanding of the processing procedures
– Our understanding of the relevant controls
– That relevant controls have been placed in operation 
and are operating effectively
– Our documentation 
Our documentation

16
 Walkthroughs: The Methods
Walkthroughs: The Methods
• Methods of gathering evidence during walkthroughs:
e ods o ga e g e de ce du g a oug s
– Inquiring of a client to corroborate our understanding
– Selecting an item over which the controls are 
g
designed to operate and inspecting evidence of the 
operation of the controls on that item
– Examining the client’s documentation of the control’s 
design
– Examining reports used to monitor the controls
reports used to monitor the controls
– Observing whether the process owner or others act 
upon the results of the controls
upon the results of the controls

17
 Walkthroughs: The Results
Walkthroughs: The Results

• Following our walkthrough, we make a preliminary 
evaluation of the effectiveness of controls
• The preliminary evaluation is made for each IT 
general control

18
Tests of Controls
 Tests of Controls
Tests of Controls

• Determine whether the controls:
– Operated as we understood they would operate
– Were applied throughout the period of 
intended reliance
– Were applied on a timely basis
Were applied on a timely basis
– Encompassed applicable transactions
– Were based on reliable information
Were based on reliable information
– Resulted in the timely correction of any errors 
identified

20
 Tests of Controls Nature
Tests of Controls –

• What are the different ways we can 
test controls?
– IInquiry
i
– Observation
– Inspection
– Re‐performance
• Inquiry
Inquiry alone does not provide sufficient evidence 
alone does not provide sufficient evidence
that the control operated throughout the period of 
intended reliance.
intended reliance.
21
 Tests of Controls Exceptions
Tests of Controls –

• What is an exception? 
p
• An internal control exception occurs when we find 
that the control we are testing did not operate as 
g p
intended. We investigate all internal control 
exceptions to determine:
– Our understanding is correct
– Their causes and implications
– The potential effects on other audit procedures
– The appropriate reporting to management and the 
audit committee
dit itt
22
 Tests of Controls Example
Tests of Controls ‐
Program Changes:
• Program change requests from the business line filter through the Business System 
CM 1 Administrator, who determines if the change is valid. Emails the request to IT and a 
CM.1 Ad i i h d i if h h i lid E il h IT d
completed Issue Tracker form to the email account. 
• The Issue Tracker form lists the requestor’s name and details the problem encountered. The 
request is then input into an Access Database and assigned a ticket number for tracking 
purposes. 
p p
• Changes to application source code must be done by the vendor.  Accordingly, requested 
changes are input to a Web‐ based application tracker. 
• Manager meetings are held bi‐weekly to review, update, and prioritize issues. Any planned 
system downtime is communicated to users via email notifications. 
• Ch
Changes are initially applied in the test environment where they are validated by both IT 
i iti ll li d i th t t i t h th lid t d b b th IT
CM.2 and the requestor. Test documentation is produced and stored with the Change Request 
Form. 
• Approvals for change migrations to production are emailed to the assigned Developer by 
CM.3 the requestor after successful testing is performed by the requestor and another assign 
analyst. 
• Weekly team meetings are held in which it is determined which changes will be moved into 
CM.4 production for that week. Standard, non‐code migration changes are moved into 
production daily. The application owner Initials all Change Request Forms before migration. 
The ticket owner (analyst) is ultimately responsible for making the change and moving it
The ticket owner (analyst) is ultimately responsible for making the change and moving it 
into production by compiling / rebuilding the change in the production environment. 

23
 Tests of Controls Example 
‐ Cont.
Test Objective and Scope To verify that changes are authorized, tested and approved by 
the business prior to implementation to production
the business prior to implementation to production.
Test Population Source of Data Extracted data from 
Sample Selection Process Random / Haphazard
Control Effective Date January 1, 2008
Conclusion Effective

Control ID Control Description Frequency Type

CM 1
CM.1 Prior to development,
development all changes must be Event Driven Preventative
authorized by IT and business management.
CM.2 Changes are applied in the test environment where Event Driven Preventative
they are validated by both IT and the requestor.
CM 1
CM.1 Approvals
A l ffor change
h migrations
i ti tto production
d ti are E
Event
t Driven
Di P
Preventative
t ti
emailed to the assigned Developer by the requestor
after successful testing is performed by the
requestor and another assign analyst.
CM.4 The application owner Initials all Change Request Event Driven Preventative
Forms before migration.

24
 Tests of Controls Example –
Test Matrix

Item ID Item Description Evidence Ref Control ID

CM 1
CM.1 CM 2
CM.2 CM 3
CM.3 CM 4
CM.4
1 Code change 1 CM‐T‐01
3 3 3 3

2 Code change 2 CM‐T‐02
3 3 3 3

3 Code change 3
Code change 3 CM T 03
CM‐T‐03
3 3 X 3

25
Evaluating Control Deficiencies
Evaluating Control Deficiencies
 Tests of Controls: Evaluate
Tests of Controls: Evaluate

• When we have an exception, we must:
– Consider the results of the tests in relation to our 
preliminary evaluation of the controls to determine
preliminary evaluation of the controls to determine 
whether it is still appropriate. In some instances, the 
assessment is no longer appropriate.
g pp p
– Reconsider our combined risk assessment and our 
audit approach.

27
 Tests of Controls: 
Documentation
Should include:
h ld l d
• A detailed description of the specific controls tested
• The procedures used to test the controls
The procedures used to test the controls
• The number of times each control will be tested
• The method used to select the items tested
e et od used to se ect t e te s tested
• A list of the items tested
• A list of any exceptions, their causes, and implications
• Any changes to our strategy resulting from our tests
We carry this forward in years that we rotate 
our tests (NA under Integrated Audit).
t t (NA d I t t d A dit)
28
 Components of a Finding
Components of a Finding

• Observation
• Standard/Leading Practice
• Cause
• Business Risk/Effect
• Recommendation

29
 Summary

• Identify ITGCs in the IT environment
• Document and walkthrough controls
• Perform Tests of Controls
• Describe how we evaluate the results of our tests to 
arrive at a conclusion
• Document test procedures and deficiencies

30
Questions?
THANK YOU!!!
Appendix - Common IT Definitions
 Elements in the IT 
Infrastructure
Network Elements
k l
– LAN/WAN
– Router
Router 
– Switch
– Firewall
– Modem
– Remote Access Server
– Intrusion Detection 
Intrusion Detection
Devices (IDS)

34
 Common IT Terms
Common IT Terms

• Operating System
i – An operating system (OS) is the program 
( ) h
that, controls the hardware and acts as the intermediary 
between the application(s) and the hardware. Common OS 
pp ()
are Windows(2000, XP, NT), UNIX, Novell and OS400  
• Hardware – Hardware is the physical aspect of computers, 
t l
telecommunications, and other information technology 
i ti d th i f ti t h l
devices.
• Application
pp – An application is any program designed to 
pp yp g g
perform a specific function directly for the user or, in some 
cases, for another application program.

35
 Common IT Terms (cont )
Common IT Terms (cont.)

• LLocal Area Network
lA N t k – A local area network (LAN) is a group of 
Al l t k (LAN) i f
computers and associated devices that share a common 
communications line or wireless link and typically share the 
resources of a single processor or server within a small 
f i l ithi ll
geographic area.
• Wide Area Network – A wide area network (WAN) is a 
geographically dispersed telecommunications network. The 
term distinguishes a broader telecommunication structure 
from a LAN.

36
 Common IT Terms (cont )
Common IT Terms (cont.)

• Virtual Private Network
i l i k – A virtual private network (VPN) is a 
l k( )
way to use a public telecommunication infrastructure, such as 
the Internet, to provide remote offices or individual users 
p
with secure encrypted access to their organization's network. 
• Server – A server is a computer program that contains 
programs that provides services to other computer programs 
th t id i t th t
in the same or other computers. (e.g. file server, print server, 
application server, etc.)

37
 Common IT Terms (cont )
Common IT Terms (cont.)

• Remote Access ‐ Remote access is the ability to get 
access to a computer or a network from a remote 
location.
location
• Direct Dial‐up ‐ Dial‐up pertains to a telephone 
connection. A dial‐up connection is established and 
maintained for a limited time duration.
• Gateway Server ‐ A gateway is a network point that acts 
as an entrance to another network. 
h k

38
 Common IT Terms (cont )
Common IT Terms (cont.)

• Application Server
li i ‐ An application server is a server program 
l
in a computer in a distributed network that provides the 
business logic for an application program. 
g pp p g
• Infrastructure – In information technology and on the 
Internet, infrastructure is the physical hardware used to 
i t
interconnect computers and users.
t t d
• Firewall – A firewall is a physical device or set of related 
p g
programs, located at a network gateway server, that protects 
, g y , p
the resources of a private network from users from other 
networks. 

39
 Common IT Terms (cont )
Common IT Terms (cont.)

• ERP – ERP (Enterprise resource planning) is an industry 
( )
term for the broad set of activities supported by multi‐
module application software that helps a manufacturer
module application software that helps a manufacturer 
or other business manage the important parts of its 
business. (e.g. SAP, PeopleSoft, etc.)
• Database – A database is a collection of data that is 
organized so that its contents can easily be accessed, 
managed and updated
managed, and updated.

40
 Common IT Terms (cont )
Common IT Terms (cont.)

• Backup
k – The act of storing data from one system to another 
h f d f h
system or to a form of electronic media (i.e. tape, CD). 
Backups are generally performed on a regular basis and can 
p g yp g
be full, incremental, or differential.
• Recovery – The act of applying stored data to a system in 
order to allow it to resume normal operations.
d t ll it t l ti
• UPS – Uninterruptible Power Supply.  A battery device that 
allows the systems on a network to continue operating for a 
y p g
limited time after a power failure.  This permits an orderly 
shutdown of the servers and limits the risk of data loss.

41
 Common IT Terms (cont )
Common IT Terms (cont.)

• Business Continuity Plan
i i i l – A business level plan that 
b l l l h
describes how and where the business will prioritize its 
recovery from an unforeseen event and how it will restore 
y
and continue its operations.
• Disaster Recovery Plan – An IT level plan that describes how 
and where the IT department will prioritize the system and 
d h th IT d t t ill i iti th t d
network recovery from an unforeseen event and how the 
department will restore and continue its operations (a 
Disaster Recovery Plan is part of an overall Business 
Continuity Plan and the two must be in sync).

42
 Logical Access Path (LAP)
Logical Access Path (LAP)

• How individuals get beyond 
logical security to the desired  User

data
• Designed for the structured 
assessment of risks and related
assessment of risks and related 
security measures in complex  Data

computer systems
p y

43
 Logical Access Path Overview
Logical Access Path Overview

User

• Transports data between • Divides the available

the components of a processing time among
network (e.g.,
(e g end users
users’ the active users and
terminals) and system Data Communication Software programs.
software in the Transactions (e.g., a
transaction software menu option) can be
layer composed of multiple
Transaction Software programs
• Controls within
applications aimed at the
security of logical data Application Software
• Access methods and
database management
• A shell that surrounds all
Data Access Methods controls that manage
system software layers.
which parts of the data
Each piece of software
the application can
on each of the layers has
access and in what
an interface with the
Operating way
operating system Data
System
44
 Logical Access Path 
(Three‐Tier)
User

User Interface
Data Communication Software
Output
O t t Data
D t Output
O t t Data
D t
Input Data
to User to User
From User Transaction Software

Central Central
DB Buffer DB Buffer Application Software

Data Access Methods

Application Server

Operating Data
Reading Database System
and
Updating Main Stores all Data and
Buffer DB Application Programs

Database Server

45
 Where To Find IT Terms & 
Acronyms
• There are multiple web‐sites on the Internet that can 
be used to explain IT terms & acronyms. Some good‐
ones are:
ones are:
– www.whatis.techtarget.com
– www.howstuffworks.com
www howstuffworks com
– www.google.com
• Your
Your TSRS co‐workers are also a great source for 
TSRS co workers are also a great source for
understanding terminology

46