Internal Controls Over Information Systems
Understanding how Internal Controls over Information systems support Internal Controls over Financial Reporting.

Internal Controls Over Information Systems Presentation Transcript

  • 1. Internal Controls Over Information Systems
  • 2. Information Technology
  • 3. Internal Controls Over Information Systems
      • Objective – Understand how Internal Controls over Information Systems support Internal Controls over Financial Reporting (ICFR)
  • 4. Agenda
      • Internal Controls
      • Segregation of Duties
      • System Development Lifecycle (SDLC)
      • Change Management
      • Security
          • Application/Platform
          • Logical Security
          • Physical Security
  • 5. Agenda
      • Security (continued)
          • Environmental Controls
          • Monitoring
          • Backup
          • Disaster Recovery
      • Third Parties/Cloud Computing
      • Prioritization
      • Summary
  • 6. Internal Controls Over Information Systems
  • 7. Internal Controls
      • Internal controls are established as a mechanism to achieve desired business objectives
      • Counter risks & threats, both external & internal, to the business environment
      • Ensure business requirements of quality, cost & delivery are met
      • Resources are effectively & efficiently used
  • 8. Internal Controls
      • Confidentiality, integrity, availability (CIA) & reliability of information are met, as well as compliance with statutory & regulatory requirements
      • Our focus will be on the last one (CIA), as it relates to information systems & financial reporting
          • Confidentiality
          • Integrity
          • Availability
  • 9. Internal Controls
      • Internal controls over financial reporting (ICFR)
          • Focus is on financial data
      • Internal controls over information systems
          • Information system controls typically apply to the whole organization – best practices
          • Financial audit – focus is on financial applications
  • 10. Information System Controls
      • Segregation of duties
      • System development lifecycle (SDLC)
      • Security
          • Logical
          • Physical
          • Environmental
          • Monitoring
          • Backup
          • Disaster recovery
      • Third parties/cloud computing
  • 11. Segregation of Duties
      • Checks & balances
      • Organizational structure
          • Who can submit invoices for payment?
          • Who can authorize?
          • Who reconciles the bank statement?
      • Very important, especially for
          • Small organizations
          • Downsized organizations
  • 12. Segregation of Duties
      • Information systems
          • What access do information systems personnel have?
          • Are there logs tracking activity?
          • Is someone reviewing logs?
      • Controlled with logical security
          • Typically by role
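The role-based segregation-of-duties review that slides 11 and 12 describe, written out as an added example (not material from the presentation): it flags users holding both roles of a conflicting pair (submit invoice, authorize payment, reconcile the bank statement) and information-systems personnel who also hold business transaction roles. All role names and user assignments are constructed for illustration.

```python
# Constructed example: roles a small accounts-payable / treasury setup might
# grant (hypothetical names), and the pairs that must not sit with one person.
# The pairs mirror the slide's questions: who submits invoices, who authorizes
# payment, who reconciles the bank statement.
CONFLICTING_PAIRS = {
    frozenset({"ap_submit_invoice", "ap_authorize_payment"}),
    frozenset({"ap_authorize_payment", "bank_reconcile"}),
    frozenset({"ap_submit_invoice", "bank_reconcile"}),
}
IT_ROLES = {"it_admin", "dba"}  # information-systems personnel roles
BUSINESS_ROLES = set().union(*CONFLICTING_PAIRS)

# Constructed user-to-role assignment, as it might be exported from an
# application's security module or the directory for an access audit.
ASSIGNMENTS = {
    "alice": {"ap_submit_invoice"},
    "bob": {"ap_authorize_payment", "bank_reconcile"},
    "carol": {"ap_submit_invoice", "ap_authorize_payment"},
    "dave": {"bank_reconcile", "reporting_readonly"},
    "sysadmin": {"it_admin", "ap_submit_invoice", "ap_authorize_payment"},
}


def sod_violations(assignments, conflicting_pairs=CONFLICTING_PAIRS):
    # Users holding both roles of at least one conflicting pair.
    findings = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicting_pairs if pair <= roles)
        if hits:
            findings[user] = hits
    return findings


def it_with_business_access(assignments, it_roles=IT_ROLES, business_roles=BUSINESS_ROLES):
    # Information-systems personnel who also hold transaction roles (slide 12).
    return {
        user: sorted(roles & business_roles)
        for user, roles in assignments.items()
        if roles & it_roles and roles & business_roles
    }


def sod_report(assignments):
    # Combined review output: one entry per user with any finding.
    report = {}
    for user, pairs in sod_violations(assignments).items():
        report.setdefault(user, {})["conflicting_pairs"] = pairs
    for user, roles in it_with_business_access(assignments).items():
        report.setdefault(user, {})["it_with_business_roles"] = roles
    return report
```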
  • 13. System Development Life Cycle (SDLC)
  • 14. System Development Life Cycle (SDLC)
      • Assess needs
      • Design specifications/vendor selection
      • Develop/test software
      • Implement systems – training, documentation
      • Support operations (maintenance)
      • Evaluate performance (monitor)
  • 15. Change Management
      • Change management
          • Subset of SDLC
          • Quarterly, annual upgrades
          • Should be a formal process
          • Integrated testing
          • Training
          • Sign-off
          • Documentation
          • Includes configuration & upgrades for firewalls, routers & VPN
  • 16. Security
  • 17. Application/Platform Security
      • Risk & vulnerability will vary based on:
          • Applications and platforms being used
          • Location of systems: onsite vs. hosted
          • Access to source code
  • 18. Logical Security
      • Computer access
          • Access to only what they need to do their job
              • System/network level
              • Application level
      • Password management
          • Are they complex?
          • Do they have to be changed?
          • Is there a policy about not sharing, writing them down, etc.?
      • Wireless – secured, segmented
  • 19. Logical Security – Access management
      • New hires
      • Job changes
      • Terminations
          • Timely
      • Access audits
          • Employees
          • Third parties
  • 20. Physical Security
      • Building
          • Proximity cards
              • Access based on role
              • Terminations
              • Lost cards
              • Access audits
          • Cameras
          • Who monitors?
          • Data retention
  • 21. Physical Security
      • Data center
          • Similar to building controls
          • What about vendors?
      • Work areas
          • Can computers be stolen?
          • Can data be stolen?
          • Can malicious software be uploaded?
      • Mobile devices
  • 22. Environmental Controls
      • Generator
      • UPS
      • Sensors
          • Heat
          • Moisture
      • Are they tested?
      • Is there routine maintenance?
  • 23. Monitoring
      • User access – failed login attempts
      • Unauthorized access attempts through firewalls, routers & VPN
      • System usage – thresholds
      • Is someone monitoring, reporting & remediating?
      • Is a problem & incident system in place?
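Detection logic for two of the Monitoring items on slide 23 (failed login attempts against a threshold, and repeated denied access attempts through a firewall), added here as an example rather than taken from the slides. The key=value log format and every log line are constructed; the threshold values and the ten-minute window are assumptions a reviewer would tune to the organization.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format (not from
# any real product): an "auth" source and a firewall ("fw") source.
LOG_LINES = """\
2024-03-04T08:00:01 auth result=FAIL user=jsmith src=10.0.0.5
2024-03-04T08:00:09 auth result=FAIL user=jsmith src=10.0.0.5
2024-03-04T08:00:15 auth result=FAIL user=jsmith src=10.0.0.5
2024-03-04T08:00:22 auth result=FAIL user=jsmith src=10.0.0.5
2024-03-04T08:00:30 auth result=FAIL user=jsmith src=10.0.0.5
2024-03-04T08:05:00 auth result=FAIL user=mlee src=10.0.0.9
2024-03-04T09:30:00 auth result=FAIL user=mlee src=10.0.0.9
2024-03-04T08:02:00 fw action=DENY src=203.0.113.7 dst=10.0.0.2 dport=3389
2024-03-04T08:02:01 fw action=DENY src=203.0.113.7 dst=10.0.0.2 dport=22
2024-03-04T08:02:02 fw action=DENY src=203.0.113.7 dst=10.0.0.2 dport=445
""".splitlines()

def parse(line):
    # "<timestamp> <source> k=v k=v ..." -> dict with a parsed timestamp
    ts, source, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def failed_logins_over_threshold(lines, threshold=5, window=timedelta(minutes=10)):
    # Users with at least `threshold` FAIL events inside any `window`-long span
    # (sliding window, so a slow trickle of failures over a day does not fire).
    fails = defaultdict(list)
    for rec in map(parse, lines):
        if rec["source"] == "auth" and rec["result"] == "FAIL":
            fails[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged

def firewall_denies_by_source(lines, threshold=3):
    # Source addresses with at least `threshold` DENY events at the perimeter.
    counts = defaultdict(int)
    for rec in map(parse, lines):
        if rec["source"] == "fw" and rec["action"] == "DENY":
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

The two users differ only in timing: jsmith's five failures fall within thirty seconds and are flagged, while mlee's two failures an hour and a half apart never share a window.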
  • 24. Backup
      • What’s backed up?
      • How often?
      • How long are they saved?
      • Where are they stored?
      • How do they get there?
      • Who has access to them?
      • Are they tested periodically?
      • Redundancy – to supplement backups
  • 25. Disaster Recovery
      • Disaster recovery plan
          • What’s the plan? Criticality matrix
          • Do key people know about the plan?
          • Can key people get to the plan?
          • Does it include an alternate location?
          • Periodic testing
  • 26. Third Parties
      • When you outsource services, you increase risk
      • They need to have the same or better controls as your organization
      • New vendors
          • Did anyone look at risk?
          • Did anyone decide if it was acceptable?
  • 27. Third Parties
      • Current vendors
          • Vendor inventory – assess risk
      • How do you know controls are in place?
          • Selection process
          • SSAE 16 (previously SAS 70)
          • Inspections
          • Performance reports
  • 28. Third Parties
      • Cloud computing
          • Do you know who they are?
          • Additional risks to consider
      • Third-party access
          • VPN
          • Encrypted or password-protected files
  • 29. Other Control Areas
      • Strategic plan
      • IT strategy – strategic plan that includes risk management
      • Organizational infrastructure
          • Adequate number of trained personnel to support systems. Can they do their jobs without causing errors that impact financial data?
          • Current policies & procedures to prevent errors or disclosures
  • 30. Prioritization
      • How can we do all these things with our shrinking budgets?
      • Pick the highest areas of risk & address them first
          • Probability & impact analysis
      • Implement solutions based on the size & complexity of your organization
  • 31. Summary – Confidentiality, Integrity, Availability
      Information System Controls                  C   I   A
      Segregation of Duties                        Y   Y   Y
      SDLC & Change Management                     Y   Y   Y
      Logical Security                             Y   Y   Y
      Physical Security                            Y   Y   Y
      Environmental Controls                               Y
      Monitoring                                   Y   Y   Y
      Backup                                       Y   Y   Y
      Disaster Recovery                            Y   Y   Y
      Third Parties                                Y   Y   Y
      Internal Controls Over Financial Reporting       Y
  • 32. Summary – Internal Controls over Information Systems
      • Ongoing process
      • Continually changing
      • Monitoring is key
      • Review periodically
  • 33. Contact Information
      • Jeffrey Paulette, BKD IT Risk Services, 417.865.8701