IT RISKS AND INTERNAL CONTROL Flashcards
Five components of internal control - CRIM C
Control environment
Risk assessment
Information and Communication
Monitoring
Control Activities
Reliable system?
should be capable of operating
without material error, fault, or failure
during a specified period
in a specified environment
AICPA Trust Services
developed a framework for a reliable system
using 5 principles
5 Principles of a reliable system - PASCO
Processing integrity
Availability
Security
Confidentiality
Online Privacy
Security?
protect the system
against unauthorized access
both physical and logical
Security Risks
physical and logical access risks
Physical access security risks
Failure results in damage to the system
from:
weather
acts of war
disgruntled employees
Logical access security risks
Failure results in
malicious or accidental alteration, damage
to files and/or system
computer-based fraud
unauthorized access to confidential data
Availability control
system available for operation
use as committed or agreed
in conformity with entity’s policies
Availability failure results in
interruption of business operations
loss of data
Processing integrity?
complete system processing
accurate, timely, authorized
Failure of processing integrity control results in
invalid, inaccurate, incomplete
data input and output
data processing
master file
Online privacy?
all personal information collected, used, disclosed, and retained as agreed
Failure of online privacy control results in
compromise of customers’ personal information
Confidentiality?
keep information confidential and protected as agreed
Failure of confidentiality control results in
disclosure of confidential transactions data
business plans
banking and legal docs
confidential operations
5 components of internal control
- Control environment - principles?
commitment to integrity and ethical values
board independence and oversight
appropriate structures, reporting lines, authorities and responsibilities
commitment to attract, develop, and retain competent personnel
hold individuals accountable for internal control responsibilities
2 distinct functions of the information systems department
systems development
data processing
Steps in SD life cycle
Software concept - identify the need
Requirements analysis - need of users
Architectural design - resources (hardware, software, people) needed
Coding and Debugging - acquiring and testing
System testing - testing and evaluation
Organization Structure of the Information System
Segregate the functions of:
systems development manager - information systems department
data processing manager - user department
Information systems department
Cannot initiate or authorize transactions
Minimum segregation of duties:
Operations
Programming
Library
Organization structure in detail
Information Systems Manager
Systems development manager
Data processing manager
Systems development manager
systems analysis
systems programming
applications programming
database administration
Data processing manager
data preparation
operations
data library
data control
Systems Analyst Duties
analyze the present user environment and requirements
recommend specific changes
recommend purchasing of a new system
design a new information system
constant contact with users and programming staff
to ensure user’s actual and ongoing needs are met
create a systems flowchart - defines the systems requirements
Systems Programmer/Systems Engineer duties
implement, modify, debug
software to make the hardware work
create designs used by programmers
Applications Programmer
writing, testing, debugging
the applications program
from the specifications
provided by the systems analyst
Use program flowchart - defines the program logic
Database administrator
maintain database
restrict access to authorized personnel
Data preparation
data prepared by user departments
input by key to storage devices
Operations - The Operator
daily computer operations
of hardware and software
supervises operations
on the operator’s console
accepts input
distributes output
maintains a run manual to document running of the program
SHOULD NOT HAVE DETAILED PROGRAM INFORMATION!!!
Operator restrictions
CANNOT HAVE DETAILED PROGRAM INFORMATION
Data librarian
Custody of removable media
Maintain program and system documentation
Data Controller
control group
acts as a liaison
between users and processing center
records input data in a control log
follows the progress
distributes output
ensures compliance with control totals
Electronic commerce web related positions
Web administrator/manager
Web master
Web designer - visual content
Web coordinator - daily operations
Internet developer
Intranet/Extranet developer
Web master
website development
expertise, leadership
design, analysis, security
maintenance, content development
Internet developer
writing programs for commercial use
Intranet/Extranet developer
writing programs for company use
Web administrator/ manager
overseeing
development, planning and implementation
of the website
2 Risk Assessment
5 components of internal control
assess the risk of improper financial reporting
5 components of internal control
3 Information and communication
involves the decision of which system to use
small computers - use off the shelf software
complex mainframe system - internally developed software
Controls needed for small computer systems
use off the shelf software
controls are already well-known prior to testing
analysis of exception reports
generated during processing is needed
Controls needed for mainframe systems
software is internally developed (significant portion)
controls are unknown to the auditor
prior to testing
analysis of exception reports is important
more thorough testing needed
in the generation of exception reports
4 Monitoring
5 Components of Internal Control
adequate computer skills required for proper monitoring
review system access log
to monitor inappropriate access
constant evaluation of data and transactions
highlight inconsistent items
capture samples of items for audit review
5 Control Activities
5 Components of Internal Control
General control activities
Computer application control activities
Programmed application control activities
Manual follow up of computer exception reports
User control activities
Control activities flowchart
Computer general control activities
Programmed control activities:
1. Computer exception reports - manual follow up of exception reports
2. Output reporting computer processed transactions - user control activities to test the completeness and accuracy of computer processed transactions
4 types of general controls
Developing new programs and systems
Changing existing programs and systems
Controlling access to programs and data
Controlling computer operations
#1 type of General Control Developing new programs and systems process
SEGREGATION OF CONTROLS
User dept participates in the systems design
Users and IT personnel both test the new system
Management, users, IT personnel approve new system before placed into operation
Control all master and transaction file conversions to prevent changes and to verify the accuracy of results
Document all programs and systems
Computer hardware controls during development of new programs
parity check
echo check
diagnostic routines
boundary protection
periodic maintenance
Parity check
a special bit is added to each character
to detect if hardware loses a bit during internal movement of character
Echo check
used in telecommunications transmission
During the sending and receiving process
the receiver repeats back to the sender what it received, and the sender resends any character that was received incorrectly
Diagnostic routines
hardware or software
supplied by the manufacturer
to check the internal operations and devices
within the computer system
Boundary protection
ensure that simultaneous jobs being processed do not destroy or change the memory of another job
Periodic maintenance
system should be examined periodically by a qualified service technician
Documentation of developed systems and programs
Detailed system specification documents showing
performance levels
reliability
security
privacy
constraints and limitations
functional capabilities
data structure and elements
#2 type of General Control
Changing existing programs and systems
Use change request log when making suggestions for changes
Modified program should be tested
All changes documented
Use code comparison program
Code comparison program
compare source and object codes
of a controlled copy of a program
with the program currently being used to process data
- to identify unauthorized changes
3 General control activities
Controlling access to programs and data while developing the programs and systems
Program documentation access - limit only to those who need it in the performance of their duties
Files and programs access - only to individuals authorized to process data
Computer hardware access - only to authorized individuals like computer operators and supervisors
Physical access to computer facility use visitor entry logs
Hardware and software controls -
use unique passwords
call back method
encryption
4 General control activities
Controlling computer operations
Operators should have access only to operations manual that contains instructions for
processing programs
solving routine operational program issues
BUT NOT DETAILED PROGRAM DOCUMENTATION!
Control group monitors the operator’s activities, and jobs should be scheduled
Other controls:
backup and recovery
contingency processing
internal and external labels
Contingency processing
detailed contingency processing plans
detail responsibilities of individuals
alternate processing sites should be utilized
use backup facility with a vendor
Internal labels
identifies the file through the use of machine-readable identification in the first record of a file
External labels
gummed paper labels attached to storage media in order to identify the file
FIVE COMPONENTS OF INTERNAL CONTROL - CRIM C
Control environment
Risk assessment
Information and Communication
Monitoring
Control Activities
General control activities
Developing new programs and systems
Changing existing programs and systems
Controlling access to programs and data
Controlling computer operations
Computer application control activities
Programmed application control activities
Input Controls
Overall controls
Input validation (edit) controls
Processing controls
Manual follow up of computer exception reports
User control activities
Disaster Recovery and Business Continuity
Overall controls
inputs properly authorized and approved
verify all significant data fields
used to record information
control the conversion of data into machine readable form and verified for accuracy
Input validation controls
preprinted form
check digit
control, batch, and proof total
hash total
record count
limit (reasonableness) test
menu driven input
field check
validity check
missing data check
field size check
logic check
redundant data check
closed loop verification