SU4 General controls Flashcards

1
Q

What are the categories of a computerised environment and define each.

A

Computerised environments are categorised as either IT general controls or automated application controls.
IT general controls are those which establish an overall framework of control for computer activities.
Automated application controls are controls that are relevant to a specific task within a cycle of the accounting system.

2
Q

Benefits of IT controls (5)?

A

1) Accurate complex calculations
2) Reduced risk of control override.
3) Proper controls are in place to ensure the validity, completeness and accuracy of the data.
4) Enhanced timeliness, availability and accuracy of information.
5) Improved security over systems and data, and segregation of duties.

3
Q

Name the categories of the roadmap of general controls.

A

IT general controls (1) - CAP Bus.
1) Control environment
2) Access controls
3) Programme maintenance
4) Business continuity controls
5) System development and implementation controls
IT general controls (2).
6) System software operating controls
7) End user computing
8) Documentation

4
Q

Components of the control environment?

A

C- Communication and enforcement of integrity and ethical values
C- Commitment to competence
H- Human resources policies and practices
O- Organisational structure, assignment of authority and responsibility
M- Management philosophy and operating style
P- Participation by those charged with governance

5
Q

What are the human resource policies?
(WRITLAU)

A

R- Proper recruiting policies
T- Training and career development
I- Rotation of IT staff (relieves boredom, avoids reliance on one person)
L- Compulsory leave (unauthorised activity is uncovered)
A- Cancellation of access rights on dismissal
W- Written formalisation of human resource policies for guidance
U- Policy regarding private use of computer facilities

6
Q

Components of access control? (POLS)

A

P- Physical access controls
O- Other access controls
L- Logical access controls
S- Security policy

7
Q

What are the principles of the security policy and explain each.

A

Least privilege- employees should be given access to only those aspects of the system which are necessary for the proper performance of their duties
Fail safe- if a control fails, whatever is being protected by that control should remain safe
Defence in depth- protection is not left up to one control, but rather to a combination of controls
Logging- the computer's ability to log activity which takes place on it should be extensively incorporated.

8
Q

What are the two categories of physical access control?

A

Data centre
Work stations

9
Q

Physical access controls at the data centre.

A

Visitors from outside the company to the IT building should:
- Be required to have an official appointment to visit IT staff
- On arrival be cleared – phone the IT dept
- Be provided with an ID tag + escort
- Locked door – no access – must buzz
- Wait in reception/be met at the door
- Be escorted out once finished with their business
Company personnel other than IT personnel:
- There must be no need for other personnel to enter the data centre
Physical entry to the data centre
(if you do need to enter):
- Only authorised persons gain entry to the data centre
- Access points should be limited to one
- Access should be gained through a locked door, which stays locked except while people are actually entering & exiting, e.g. not propped open by a wastepaper basket for people to come and go
- Locked door deactivated only by swipe card, entry of PIN etc.
- TV surveillance at entry/exit points
- There should be no need for other personnel to enter the data centre room

10
Q

What are the physical access controls at remote workstations?

A
  • Can be locked and secured to the desk
  • Placed where they are visible and not near a window
  • Offices should be locked at night/weekends

11
Q

Principles of logical access controls?

A

Identification of users and computer resources:
- User ID
- Biometric data
- Magnetic card
- Terminal ID
Authentication to verify that the user of an ID is its owner:
- Unique password
- Information an unauthorised user would not know
- One-time PIN sent by SMS to the user, or a dongle
Authorisation granted to the programmes and data the user requires to do his job:
- user granted read only
- user can read and write; add, create and delete
- terminal linked to specific applications
Logging is recording access and access violations to follow up later.

12
Q

Principles of other access controls?

A

1) Data communication- implementation of specialised software which handles:
- access control to the network
- network management
- data and file transmission
- error detection and control
- data security
- encryption of transmitted data
- protection of physical cables
2) Firewalls- a combination of hardware and software that operates as an access control gateway which restricts the traffic that can flow in and out.
3) Libraries- mobile storage devices must be physically access controlled:
- password protected
- externally labelled.

13
Q

Describe password controls.

A

The user should:
- not use obvious or easily guessed passwords
- use a minimum length (6 characters)
- not write down the password
- change the password regularly
- keep the password confidential (disciplinary steps if disclosed to others)
The system should:
- enable users to choose their own passwords
- require a mixture of alphabetical and numeric characters
- require a minimum number of characters
- not allow an old password to be reused within 12 months
- force users to change passwords regularly, every 30 days.
When logging on to the system, the system should:
- not show the password on the screen
- allow only 3 attempts
- not allow users to log on at more than one terminal at a time
- disconnect the terminal after a period of inactivity
- log attempts at unauthorised access

14
Q

Change management controls?

A
  1. Program change standards (ISO 9000) must be adhered to
  2. Requests for changes should be documented on pre-numbered, pre-printed change control forms
  3. Approval of program change requests [users (application changes)/CIO (application & system changes) &
     IT steering committee (more major changes)]
  4. Effected by programmers
     - Program changes should be effected by programmers
     - Major changes should be seen as a mini-project (see system development)
     - Changes should be made to the development program and not the production program (not live data)
  5. Changes should be tested by the programmer & an independent snr programmer (debug techniques)
     as well as tested by users (user acceptance tests) & signed off
  6. Changes should be discussed & approved by users and internal audit (sign off control form)
  7. All documentation affected by the change should be updated (doc change)
     and the amended program should be copied to the live environment by an independent technical administrator

15
Q

Define continuity of operations

A

These are controls aimed at protecting the computer from natural disasters as well as attack or abuse by unauthorised people.

16
Q

Principles of the continuity of operations?
(BACK RODES)

A

BACK- Backup strategies
R- Risk assessment
O- Other controls
D- Disaster recovery
E- Environmental controls
S- Social media controls

17
Q

Describe the continuity of operations principles. (BACK RODES)

A

1) Backup strategies
Follow the 3-2-1 backup approach:
- At least THREE copies of your data
- Backed-up data on TWO different storage types
- At least ONE copy of the data offsite
Backups of all significant accounting data should be carried out regularly
3 generations of backup
Most recent backup stored off site
All backups maintained in fireproof safes (away from computer facilities)
Critical data copied in real time to a “mirror site”/cloud

2) Risk assessment
1. Identify risk by:
- Risk assessment committee
- with an appropriate level of experience & knowledge
- meets regularly, but is also available for unexpected IT risk
- Recognise all types of threat relating to IT
(fraud, virus, non-compliance with IT laws, physical damage)
- Risk assessment protocols are followed
2. Assess IT risk as an integral part of the company
Assessments are documented & reported to the Board
3. Address - Responses to risk are recorded, implemented and monitored

3) Other controls
Adequate insurance cover to provide funds to replace equipment
Anti-virus software & use of firewalls
Avoidance of undue reliance on key personnel by maintaining documentation & staff training
Regular maintenance and servicing of equipment to prevent failure

4) Disaster recovery
Disaster recovery plan:
- Written document which lists procedures that should be carried out in the event of a disaster
- Plan should be widely available
- Plan should address priorities – order in which files or programs should be reconstructed
- Plan should be tested
- Detail alternative processing arrangements which have been agreed upon in the event of a disaster

5) Environmental controls
Controls to protect facilities against natural & environmental hazards

Physical location of the data centre
- data centre away from obvious hazards, e.g. river banks, factories
Protection against fire and flood
- Fire extinguishers
Protection against power surges
- Back-up generators
Protection against heat and humidity
- Air conditioning

6) Social media controls
Detective controls
- regular name searches
- regular company logo searches
Preventative controls
- social media policy document
- social media response team
- social media response sessions
- trend analysis
- simulations to test responses
- define a social media crisis
- social media training

18
Q

What are the 2 system development options?

A

In-house development and purchased

19
Q

What are the system development and implementation controls? (SAM US TACT PD)

A

1) Standards - ISO 9000
2) Project approval
3) Project management
4) User requirements
5) Systems specifications and programming
6) Testing
7) Final approval
8) Conversion
9) Training
10) Post-implementation review
11) Documentation

20
Q

Conversion - controls over the preparation and entry of data?

A
  1. Comparisons between old and new files & resolve discrepancies
  2. Use of control totals to reconcile between the old & new data files
  3. Follow up of items appearing on exception reports
  4. Obtain user approval for data converted in respect of each user department
  5. Obtain direct confirmation from customers or suppliers of balances reflected on the new system

21
Q

Advantages (5) and disadvantages (2) of packaged software.

A

Advantages:
- Lower cost
- Project completed quicker
- Can be demonstrated up front
- Technical support
- Ongoing upgrades
Disadvantages:
- May not meet requirements
- Changes can't be made

22
Q

Risks of in-house developed systems (5)?

A
  • Cost
  • Design may not suit user requirements
  • Programs may contain errors and bugs
  • Poor functional and technical requirements
  • May not incorporate enough controls

23
Q

What is the importance of documentation?

A
  • improving overall operating efficiency
  • providing audit evidence in respect of computer-related controls
  • improving communication at all levels
  • avoiding undue reliance on key personnel
  • training of users when systems are initially implemented

24
Q

Documentation standards requirements?

A
  • general system descriptions
  • detailed descriptions of program logic
  • operator and user instructions including error recovery procedures
  • back-up and disaster recovery procedures
  • security procedures/policy
  • user training
  • implementation and conversion of new systems