Computer controls Flashcards
Nature:
Necessary:
- Highly complex transactions
- Large volume of transactions
- No audit trail
- System generated transactions
- Wish to place reliance on manual-dependent and programmed controls
- Computer controls relate to identified significant risk
Possible:
- Do general IT controls exist to ensure VAC
- Can we place reliance on automated and manual-dependent controls
- Can we test logic of computer
- Do we have sufficient staff and resources
Desirable:
- Cost-benefit
- Opportunity for value added
- Staff training opportunities
- Client expectation/request
- Specific weaknesses in the general IT environment were noted in the previous audit and the client has undertaken to amend them
- Need to audit CG statement on effectiveness of internal controls
- Can rely on prior years’ work if:
o System/personnel have not changed
o Tested within previous three years
o Not over a significant risk
o Controls were found to be effective
- Timing:
o Roll forward: tight deadlines
o Concurrent testing
o Availability of data, especially if outsourced
- Extent:
o Risk equation
o If the system changes during the year, may need to test up to that point
o CAATs may allow testing of a whole population
V - Valid, Authorised
A - Accurate
C - Complete (all)
IPCs = Automated + Manual
Purpose of I.T
What should be in Place
General + IPCs
Whole computer
Access controls
Physical access controls
- Separate building or wing of a building for IT
- Identification of users and computer resources
– Users: examples
o user identification (user IDs)
o magnetic card or tag
o biometric data, for example thumbprint, facial recognition
– Terminals: some examples
o terminal identification (system recognises terminal ID number or name)
Security policy
Management computer controls
- Least privilege
- Fail safe
- Defence in depth
- Logging
Management to set policies over password confidentiality
Management to grant access to modules/functions on a least-privilege basis
Management to review the following and follow up on any unusual items:
* Audit trails
* Exception reports (see below)
* Activity reports (all objectives)
* Access violation reports
Exception reports may include reports of:
o Duplicate entries
o Negative amounts
o Zero amounts
o Missing sequence numbers
o Access outside normal hours
o Transactions outside established ranges
o Minimum < rates < maximum
o Minimum < quantity < maximum
Management to train all staff on the use of computers
Management to provide staff with help manuals
Access controls
The following physical access controls should be implemented over the premises in which computer facilities are housed:
- Security checks should be performed on all visitors before they are allowed to enter
- All visitors are logged and given an identification tag
- All doors to buildings and rooms should be locked, with only authorised personnel having keys
- CCTV should monitor all activity
All systems should be protected by the following logical access controls:
- Users are required to enter a user ID and password before being granted access
- All sensitive data is encrypted
- Use of firewalls and anti-virus programmes (these should also be updated regularly)
Access controls
Logical access controls
- Access to be restricted in terms of access tables at both system and application level on a least-privilege basis
- All terminals and sensitive applications to require ID and password to be entered
o Passwords must be unique
o Passwords to consist of a mixture of numbers and letters
o Password files to be encrypted
o Passwords required to be changed every 90 days
o Passwords should never be shown on screen
- Application or interface should automatically log out if left idle for longer than 10 minutes
- Terminal should be automatically blocked if the incorrect password is entered more than three times; access violations to be logged automatically
- Firewalls should be in place to prevent unauthorised access through the internet
- All sensitive data should be encrypted
- Anti-virus software to be installed on all terminals
- Assurance logos to be shown on websites
Minimising human input
Minimum keying
Accuracy
Human input should be minimised using the following:
- Scanners
- Drop down menus
- Touch screens
Edit-validation checks
- Missing sequence number checks (completeness)
- Limit and range checks (accuracy)
- Alpha-numeric checks (accuracy)
- Duplicate checks (validity)
- Sequence checks (completeness)
- Verification checks against masterfile data (validity/accuracy)
Masterfile update controls
Management should authorise all amendments prior to implementation
All amendments should be automatically logged
o Management to review the log on a regular basis and follow up on unauthorised changes
Logical access controls should be in place to ensure that only authorised persons can amend the masterfile (see detail under ‘access controls’)
Edit-validation checks should be programmed into the masterfile to prevent errors (see detail under ‘edit-validation’)