Study unit 8.2 Flashcards
What is communication and enforcement of integrity and ethical values in the control environment of system development & implementation controls
Ethical culture in IT governance
Important, as IT personnel have access to confidential info opportunity to cause disruptions
Management should lead by example
Code of ethics: communicated, complied with by management, enforce remedial action
What is commitment to competence in the control environment of system development & implementation controls
Considerable demands with regards to skills and knowledge in the IT department
IT management committed to match attributes to an individual’s job description
Immense consequences of employee not being able to do their job
What is the organisational structure and assignment of authority and responsibility in the control environment of system development & implementation controls
Two major objectives: clear reporting lines & segregation of duties
Address segregation of IT & user department; segregation of duties within IT
CEO should appoint CIO - suitably qualified and experienced
*CIO should interact with board, steering and audit committees, executive management
Supervision, execution and review segregated as far as possible
Job descriptions, authority levels and assigned responsibilities documented
What is the IT management’s philosophy and operating style in the control environment of system development & implementation controls
Attitude towards controls
Actions set tone
What is the HR policies and practices in the control environment of system development & implementation controls
People = very important part of control system
*controls mean nothing if not adhered to
Honest, competence & trustworthiness
Good & proper policies & practices
*proper recruiting, background & qualification checks
*immediate exclusion from system upon resignation or dismissal
*compulsory leave
*training & development
*written HR policies
*rotation of duties
*strict policies with regards to private use of computer facilities
What is the physical access controls in the system development function
locked and secured to the desk
visible and not near window
locked at night and at weekend
What is the security policy in the system development function
Least privilege: employees who do not need any access to perform their functions, should not be given any access
Fail safe: wherever possible, if a control fails, whatever is being protected by that control should remain safe
Defence in depth: defence not dependent on one control, but a combination of controls
Logging: activities taking place should be recorded by the computer or system
*logging is not an effective control unless the logs are regularly and frequently reviewed and followed up
What is the logical access controls in the system development function
Authentication
*unique password
*one time pin
*entering a piece of information which an unauthorised individual would not know about the genuine user
*connecting a devise to the USB port of the terminal
Authorisation
*read access vs write access
*once the system has authenticated the user, access will only be given to those programmes and datafiles to which the user is authorised to have access, and as pointed out, this should be only to programmes and data the user requires to do his job
Root access/systemwide access/superuser
*given to limited IT personnel
Segregation of duties
*duties are split between personnel to help detect/prevent errors and irregularties
Identification/and access to toxic combinations
*user will not be granted access to load payments and authorise payments on EFT system
Logging
*recording access and violations for later investigations
Access tables
*All authorised PCs
*all authorised users
*all passwords
*all programs
*all modes of access read vs write
What controls should be over passwords in the system development function
Alphabet and numeric characters/symbols/upper and lower case Should be random - not easily guessed Only allow 3 attempts Log all failed attempts and should be reviewed Do not display on PCs Kept confidential Change regularly - monthly, quarterly Time out facility
What is other access control considerations in system development function
Data communication
*the implementation of specialized software which is responsible for - controlling access to the network, network management, data and file transmission, error detection and control and data security
*encryption of data which is being transmitted
*the protection of physical cabling
Firewalls
Libraries
*Physically access controlled
*the information on the storage device could also be password protected
*issue from the library should be authorised and recorded
*externally labelled
What is the program change controls control procedures
Program change standards must be adhered to
Requests for changes documented on prenumbered, preprinted forms and listed in register
Change requests should be evaluated and approved by
*used dept
*IT manager/CIO
*steering committee
Changes affected by programmers - not operators or users
Major change = mini project
Changes first made to development program and not production program
Changes tested by programmer and independent programmer
Changes tested by business users to perform acceptance tests and sign
Changes discussed with users and internal audit, sign change control form if approved
Documentation affected by change - updated, entire change documented
Amended program copied to live environment by independent technical administrator, all changes automatically logged by the computer
IT manager should review the log of changes and reconcile to change requests and register
What is the risk implications of program change controls
Changes in system = documented and versioned, to avoid risk of not being able to roll back a system in event of error, or go back to incorrect version
Risk of unauthorised changes if no/inadequate change management exists
No change management = no version control
Stakeholders initiate change by documenting requirements of change. Without change management, risk is that stakeholders may constantly change the requirements
What is the in-house development and implementation of systems of system development
Standards Project approval Project management User requirements Systems specifications & programming Testing Final approval Training Conversion *conversion project *data clean-up *conversion method *preparation & entry Post-implementation review Documentation
What is the risk implementations of system development
Cost
Design may not suit user requirements
Programs may contain errors & bugs
Financial reporting requirements not incorporated or understood by programmer
Poor functional and technical requirements
May not incorporate enough controls
Inappropriate vendor/package selection; inappropriate decision to build
New application/software not interface appropriately with existing software
Result in retiring of older applications & incorrect decommissioning of applications
users ability to use it
Inadequate skills and resources
Insufficient documentation
Failure to evaluate and record lessons learnt for future use
No SLA & OLA
Info transferred from old system may be erroneous, invalid or incomplete
What is end user computing risk implications
Data entry, logical & formula errors in spreadsheet, leading to incorrect output
Difficult to manage and enforce version control in end use developed applications
If application has not been sufficiently documented & not applied for what it was designed, unintentional errors may occur
Password protection
Doesn’t cater for backup and disaster recovery
Not always audited for completeness & accuracy
Backups not made