Internal Controls Over Information Systems


Understanding how Internal Controls over Information systems support Internal Controls over Financial Reporting.

Published in: Technology, Business

  1. Internal Controls Over Information Systems
  2. Information Technology
  3. Internal Controls Over Information Systems
     • Objective – Understand how Internal Controls over Information Systems support Internal Controls over Financial Reporting (ICFR)
  4. Agenda
     • Internal Controls
     • Segregation of Duties
     • System Development Lifecycle (SDLC)
     • Change Management
     • Security
       - Application/Platform
       - Logical Security
       - Physical Security
  5. Agenda
     • Security (continued)
       - Environmental Controls
       - Monitoring
       - Backup
       - Disaster Recovery
     • Third Parties/Cloud Computing
     • Prioritization
     • Summary
  6. Internal Controls Over Information Systems
  7. Internal Controls
     • Internal controls are established as a mechanism to achieve desired business objectives
     • Counter risks & threats, both external & internal, to the business environment
     • Ensure business requirements of quality, cost & delivery are met
     • Resources are used effectively & efficiently
  8. Internal Controls
     • Confidentiality, integrity, availability (CIA) & reliability of information are met, and statutory & regulatory requirements are complied with
     • Our focus will be on the last one (CIA), as it relates to information systems & financial reporting
       - Confidentiality
       - Integrity
       - Availability
  9. Internal Controls
     • Internal controls over financial reporting (ICFR)
       - Focus is on financial data
     • Internal controls over information systems
       - Information system controls typically apply to the whole organization – best practices
       - Financial audit – focus is on financial applications
  10. Information System Controls
     • Segregation of duties
     • System development lifecycle (SDLC)
     • Security
       - Logical
       - Physical
       - Environmental
       - Monitoring
       - Backup
       - Disaster recovery
     • Third parties/cloud computing
  11. Segregation of Duties
     • Checks & balances
     • Organizational structure
       - Who can submit invoices for payment?
       - Who can authorize?
       - Who reconciles the bank statement?
     • Very important, especially for
       - Small organizations
       - Downsized organizations
  12. Segregation of Duties
     • Information systems
       - What access do information systems personnel have?
       - Are there logs tracking activity?
       - Is someone reviewing the logs?
     • Controlled with logical security
       - Typically by role
  13. System Development Life Cycle (SDLC)
  14. System Development Life Cycle (SDLC)
     • Assess needs
     • Design specifications/vendor selection
     • Develop/test software
     • Implement systems – training, documentation
     • Support operations (maintenance)
     • Evaluate performance (monitor)
  15. Change Management
     • Change management
       - Subset of SDLC
       - Quarterly, annual upgrades
       - Should be a formal process
       - Integrated testing
       - Training
       - Sign-off
       - Documentation
       - Includes configuration & upgrades for firewalls, routers & VPN
  16. Security
  17. Application/Platform Security
     • Risk & vulnerability will vary based on:
       - Applications and platforms being used
       - Location of systems: onsite vs. hosted
       - Access to source code
  18. Logical Security
     • Computer access
       - Access to only what they need to do their job
         · System/network level
         · Application level
     • Password management
       - Are they complex?
       - Do they have to be changed?
       - Is there a policy about not sharing them, writing them down, etc.?
     • Wireless – secured, segmented
  19. Logical Security – Access management
     • New hires
     • Job changes
     • Terminations
       - Timely
     • Access audits
       - Employees
       - Third parties
  20. Physical Security
     • Building
       - Proximity cards
         · Access based on role
         · Terminations
         · Lost cards
         · Access audits
       - Cameras
         · Who monitors?
         · Data retention
  21. Physical Security
     • Data center
       - Similar to building controls
       - What about vendors?
     • Work areas
       - Can computers be stolen?
       - Can data be stolen?
       - Can malicious software be uploaded?
     • Mobile devices
  22. Environmental Controls
     • Generator
     • UPS
     • Sensors
       - Heat
       - Moisture
     • Are they tested?
     • Is there routine maintenance?
  23. Monitoring
     • User access – failed login attempts
     • Unauthorized access attempts through firewalls, routers & VPN
     • System usage – thresholds
     • Is someone monitoring, reporting & remediating?
     • Is a problem & incident system in place?
  24. Backup
     • What’s backed up?
     • How often?
     • How long are backups kept?
     • Where are they stored?
     • How do they get there?
     • Who has access to them?
     • Are they tested periodically?
     • Redundancy – to supplement backups
  25. Disaster Recovery
     • Disaster recovery plan
       - What’s the plan? Criticality matrix
       - Do key people know about the plan?
       - Can key people get to the plan?
       - Does it include an alternate location?
       - Periodic testing
  26. Third Parties
     • When you outsource services, you increase risk
     • They need to have controls the same as or better than your organization’s
     • New vendors
       - Did anyone look at the risk?
       - Did anyone decide if it was acceptable?
  27. Third Parties
     • Current vendors
       - Vendor inventory – assess risk
     • How do you know controls are in place?
       - Selection process
       - SSAE16 (previously SAS70)
       - Inspections
       - Performance reports
  28. Third Parties
     • Cloud computing
       - Do you know who they are?
       - Additional risks to consider
     • Third-party access
       - VPN
       - Encrypted or password-protected files
  29. Other Control Areas
     • Strategic plan
     • IT strategy – strategic plan that includes risk management
     • Organizational infrastructure
       - Adequate number of trained personnel to support systems. Can they do their jobs without causing errors that impact financial data?
       - Current policies & procedures to prevent errors or disclosures
  30. Prioritization
     • How can we do all these things with our shrinking budgets?
     • Pick the highest areas of risk & address them first
       - Probability & impact analysis
     • Implement solutions based on the size & complexity of your organization
  31. Summary – Confidentiality, Integrity, Availability
     Information System Controls                 C   I   A
     Segregation of Duties                       Y   Y   Y
     SDLC & Change Management                    Y   Y   Y
     Logical Security                            Y   Y   Y
     Physical Security                           Y   Y   Y
     Environmental Controls                              Y
     Monitoring                                  Y   Y   Y
     Back Up                                     Y   Y   Y
     Disaster Recovery                           Y   Y   Y
     Third Parties                               Y   Y   Y
     Internal Controls Over Financial Reporting      Y
  32. Summary – Internal Controls over Information Systems
     • Ongoing process
     • Continually changing
     • Monitoring is key
     • Review periodically
  33. Contact Information
     Jeffrey Paulette, BKD IT Risk Services, 417.865.8701
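An added example, not part of the deck, that turns the segregation-of-duties questions of slides 11 and 12 (who can submit, authorize and reconcile; access controlled by role) and the access-audit checks of slide 19 (terminations handled in a timely way) into a runnable review over constructed data. All role names, permission names, users and HR statuses are assumed for illustration.

```python
# Toy access audit: segregation-of-duties conflicts and stale accounts.
# Every role, permission, user and HR status here is constructed sample data.

# Permission pairs one person should never hold together (slide 11).
SOD_CONFLICTS = [
    ("invoice.submit", "invoice.approve"),   # submit vs. authorize payment
    ("payment.release", "bank.reconcile"),   # release cash vs. reconcile bank statement
]

# Role-based access (slide 12: controlled with logical security, typically by role).
ROLE_PERMISSIONS = {
    "ap_clerk":   {"invoice.submit"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "controller": {"bank.reconcile"},
    "sysadmin":   {"invoice.submit", "invoice.approve", "payment.release"},
}

# Constructed user-to-role assignments and HR roster.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_manager"],
    "carol": ["ap_clerk", "ap_manager"],   # small org: one person wears two hats
    "dave":  ["sysadmin"],                 # IS personnel with application access
    "erin":  ["controller"],
}
HR_ROSTER = {
    "alice": "active", "bob": "active", "carol": "active", "dave": "terminated",
}  # erin has no HR record at all: a third party or a ghost account

def effective_permissions(user_roles, role_perms):
    """Union of permissions over every role a user holds."""
    return {u: set().union(*(role_perms.get(r, set()) for r in roles))
            for u, roles in user_roles.items()}

def sod_violations(user_roles, role_perms, conflicts=SOD_CONFLICTS):
    """Map each offending user to the conflicting permission pairs they hold together."""
    held = effective_permissions(user_roles, role_perms)
    return {u: [(a, b) for a, b in conflicts if a in p and b in p]
            for u, p in held.items()
            if any(a in p and b in p for a, b in conflicts)}

def stale_accounts(user_roles, hr_roster):
    """Accounts still holding roles whose HR status is not 'active' (slide 19)."""
    return sorted(u for u in user_roles if hr_roster.get(u) != "active")

if __name__ == "__main__":
    print("SoD violations:", sod_violations(USER_ROLES, ROLE_PERMISSIONS))
    print("Stale accounts:", stale_accounts(USER_ROLES, HR_ROSTER))
```

In practice the role and roster inputs would be exported from the application and HR system, and each flagged user either loses a role or gets a documented compensating control (for example, independent review of the transactions they can both submit and approve).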