
IT General Controls

Charles Broom, IS Assurance Manager, cbroom@bdo.com

ALASBO 12/11/2013 Page 1


Agenda

• What are IT General Controls?
• Why should an accountant/business professional care?
• Common issues found
• Encryption
• Questions

What are IT General Controls?

Areas of ITGC testing:

• Program Change Management
• Logical Access
• Layers
• Computer Operations

Program Change Management

• Who authorizes the changes?
• Who tests the changes (or are they tested at all)?
• Who approves the change?
• How do you know that all the changes went through the process?
• How do you know a change did not undo a previous change?

Logical Access – Layers

(Diagram: the Operating System, Application and Database layers)

Logical Access – Layers

(Diagram: the Network layer)

Logical Access – Layers

Controls exist at each layer

• Network
  - Firewall
  - Remote Access
  - Antivirus
  - Wireless
• OS
  - Password settings (why is this such a big deal?)
  - Administrative access

Logical Access – Layers

Controls exist at each layer (cont.)

• Application
  - Password settings
  - Segregation of duties
• Database
  - Access to change outside the application
  - Monitoring

Passwords – a short deviation into math (aka how long would it take to guess your password)

Length of password   Just letters      Letters & numbers   Letters, numbers & symbols
3                    0.006 seconds     0.01 seconds        0.03 seconds
4                    0.292 seconds     0.91 seconds        3.26 seconds
6                    13.2 minutes      1.20 hours          8.17 hours
8                    24.7 days         7.93 months         8.41 years
9                    3.53 years        44.9 years          799 years
10                   183 years         3,100 years         75,900 years
11                   9,530 years       214,000 years       7,215,000 years
12                   496,000 years     14,772,000 years    685,388,000 years

Between 6,000 and 200,000 years

Computer Operations

• What happens automatically?
  - Batch processing
  - Transfers between systems
• How is that controlled?
• Who can touch the servers? (Ignorance is not a control)

Why should an accountant/business professional care?

• Risk Assessment Standards (AU 314)
• Sarbanes-Oxley Act of 2002

AU 314

The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.


SOX § 404 (b)

INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Why should you care?

So, just because the standards require that you care?

NO

Why should you care?

Impact of different areas:

• Program Change Management
• Logical Access
• Layers
• Computer Operations

Common issues

• Administrative Access
  - Who is good?
  - Who is bad?
• Databases
  - Monitoring
• Program Change
  - Policies
  - Access
  - Monitoring

Encryption

• Hardware vs. Software based
• Symmetrical vs. Asymmetrical
• Good enough?

Questions
