IT General Controls Presentation at IIA Vadodara Audit Club
1. Information Technology General Controls
August 24, 2018
Kaushal R. Trivedi
Director, Management Audit
Vadodara Audit Club
2. Are You a Victim of… FEAR?
Laptop Theft
Virus Attack
Data Theft
Data Corruption/ Loss!!
3. Threats Continue to Grow…
• Axis Bank and State Bank of India confirmed the loss of several million credit/ debit
card users' data in the August 2016 data theft
• Verizon Enterprise Solutions, which also deals with enterprise security,
was hit by a cyber-attack that led to the theft of details about 1.5 million
customers
• 55M Philippines Commission on Elections (COMELEC) records were taken from the COMELEC
website by hackers from Anonymous; the entire database was stolen and posted
online.
• 49.6 M Turkish citizenship records were stolen and posted online
• Australia Immigration Department: an employee inadvertently sent the
passport numbers, visa details and personal identifiers of all world
leaders attending the G20 Brisbane Summit to the organizers of the Asian Cup
football tournament: Barack Obama, Vladimir Putin, Angela Merkel, Xi
Jinping, Narendra Modi, David Cameron and many others…
4. Technological Global Risks & Trends 2018
Adverse consequences of technological advances
• Intended or unintended adverse consequences of technological advances such
as artificial intelligence, geo-engineering and synthetic biology causing human,
environmental and economic damage
Critical information infrastructure breakdown
• Cyber dependency that increases vulnerability to outage of critical information
infrastructure (e.g. internet, satellites, etc.) and networks, causing widespread
disruption
Large-scale Cyberattacks
• Large-scale cyberattacks or malware causing large economic damages,
geopolitical tensions or widespread loss of trust in the internet
Massive incident of data fraud/ theft
• Wrongful exploitation of private or official data that takes place on an
unprecedented scale
Source: World Economic Forum – Global Risk Report 2018
5. Technological Global Risks & Trends
(Chart of technological risks by level of concern; only the sources survive here.)
Source: World Economic Forum – Global Risk Report 2016
Source: Executive Opinion Survey 2015, World Economic Forum.
Note: The darker the colour, the higher the concern.
7. What is ITGC?
INFORMATION
• Information Technology General Controls (ITGCs) can be defined as internal controls
that assure the secure, stable, and reliable performance of computer hardware, software
and IT personnel connected to financial systems.
• ITGCs affect the ability to rely on application controls and IT dependent manual controls.
• Without effective ITGCs, reliance cannot be placed on any application controls or IT
dependent manual controls unless additional procedures are performed (e.g.,
benchmarking). Even these additional procedures limit the ability to rely upon more than
one application control at a time.
• ITGCs are an integral part of many different operational and regulatory (federal and state)
audits, including:
o IT operational reviews
o HIPAA assessments
o SSAE16 assessments/ SOC-2
o PCI-DSS reviews/audits
o SOX assessments
8. Auditing Standards (SA 315) - INDIA
EDP/ IT Controls
• General Controls
o Admin Controls: discipline in routine operations and admin functions
o Sys. Dev. Controls: usage of updated technology with adequate people support (SOD)
• Application Controls
o Procedural Controls (ensure timely processing)
o Manual Controls
o Automated Controls
*SA 315 - Identifying and Assessing the Risk of Material Misstatement
through Understanding the Entity and its Environment
9. IT Risk Assessment & Scoping
Layers, from the financial statements down to the technology:
► Significant accounts
► Business processes
► Business controls
► Applications
► IT Process Controls (Change Mgt, Operations, Security) at each of:
➢Application
➢Database
➢Operating System
➢Network
STEP 1: validate understanding
STEP 2: perform risk assessment at each layer
STEP 3: Conclude: is it REASONABLY POSSIBLE that a failure in this IT process area
could impact application controls and result in a material misstatement?
Risk is not eliminated; it is reduced to a REASONABLE level.
10. Test of Design vs. Test of Effectiveness
Test of Design
Determines whether the controls, if operating properly, can effectively prevent or
detect errors or fraud that could result in material misstatements in the financial
statements.
• Procedures the auditor performs to test and evaluate design effectiveness
include inquiry, observation, and inspection of relevant documentation. The
procedures the auditor performs to test and evaluate design effectiveness
might also provide evidence that can be used to test the effectiveness of
the control. Was the control designed appropriately?
Test of Effectiveness
Involves evaluating whether internal control is operating as designed.
• Procedures the auditor performs to test and evaluate operating
effectiveness include inquiry, observation, and inspection of relevant
documentation. Was the control consistently performed? Was the control
performed by a person who had the necessary authority and qualifications
to perform the control effectively?
11. Testing Methodology
Testing Method: Definition
Inquiry: The auditor inquires (in writing or verbally) of the responsible
individual as to what procedures are in place to address the
control being tested. This is typically the first step in each test.
Inspection: The auditor inspects the evidence provided to ensure that it is
accurate.
Corroborative Inquiry: The auditor inquires with one individual and corroborates the
inquiry separately with another individual.
System Query: The auditor tests that automated controls within an IT application
are operating as expected. Examples of these kinds of controls
may be:
o That a predefined exception will be identified appropriately by the system
(this exception may be associated with completeness and/or accuracy of input,
processing and output of the application)
o That logical access configuration within the application is set in a way that
establishes segregation of duties and otherwise provides for the authorization of
transactions.
12. ITGC Focus – Background Info.
IT Organization (Employees & Third Party):
• IT Steering Committee/ Business Management
• IT Management
• IT Operations
• Security Management
• Application Development
IT Organization (SOD Examples):
First Job / Second Job / Combined?
Data Entry / Quality Assurance / Yes
System Administrator / Database Administrator / No
Security Administrator / Application Programmer / No
Systems Programmer / Security Administrator / No
Help Desk / Network Administrator / No
13. ITGC Focus – Background Info.
o Technology Overview – Software (by Key Application)
• Application (Name & Version)
• Owner/Support (Business & IT Contact Points)
• Description (Modules or Business Function)
• # Users
• Database (Name & Version)
• OS (Name & Version)
• Hardware (Type & Quantity)
• Location (Hardware)
o Review of Network Infra (Wired/ Wireless/ WAN)
o Remote access capabilities (Business purpose/ Authentication)
o Firewalls utilized – Firewall (Hardware/ Software/ Combi?), Analyzer.
o Products or Services offered via the Internet?
14. Network – Which is Better?
(Comparison of network layouts shown as pictures.)
Solution: the application or usage will decide the placing or number of
equipment.
18. ITGC – Security Management
Security Administration – Application, Database, Platform, Network
1. Users are granted access (business need)
2. Approval process exists (authorize in a timely manner)
3. Access privileges are reviewed and confirmed (periodically)
4. Controls are in place to support appropriate and timely responses (job
changes)
Security Configuration – Application, Database, Platform, Network
1. Security standards exist for each system or application.
2. Application Configuration (view, add, change, or delete data)
3. Password parameter settings for App/DB/OS/Network
4. Procedures for effectiveness of authentication and access mechanisms.
5. DBMS is appropriately configured (stored procedures)
Security Monitoring – Application, Database, Platform, Network
1. Management logs and monitors security activity, and security violations are
promptly analyzed, reported and/or escalated.
19. ITGC – Security Management
Access related Questions?
• Is the security policy applicable to employees, third parties, or both?
• Characteristics of an ideal password?
• Monitoring of powerful user IDs (DB Admin/ Backup Admin/
Network Admin)
• User access reviews (one time/ periodic - why?)
• Physical security (guard/ card access/ biometric/ ATM PIN)
• Security monitoring (e.g. left employees, invalid logins, audit
trails)
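As an added example (not part of the presentation), the following Python script applies two of the access review checks listed above and in the SOD table on slide 12: it flags enabled accounts of employees who have left, accounts with no owner in the HR roster, and the role combinations marked "No" in the SOD table. The HR roster, the account export and the field layout are constructed sample data, not any real system's format.

```python
# Added example: a user access review applying two ITGC checks from the deck:
# (1) accounts of left employees still enabled, (2) SOD conflicts using the
# incompatible role pairs from the SOD table. All input below is constructed.
from datetime import date

# Role pairs marked "No" (must not be combined) in the SOD table.
SOD_CONFLICTS = {
    frozenset({"System Administrator", "Database Administrator"}),
    frozenset({"Security Administrator", "Application Programmer"}),
    frozenset({"Systems Programmer", "Security Administrator"}),
    frozenset({"Help Desk", "Network Administrator"}),
}

# Constructed HR roster: employee id -> (name, leaving date or None if active)
HR_ROSTER = {
    "E100": ("A. Shah", None),
    "E101": ("B. Patel", date(2018, 6, 30)),   # left the organisation
    "E102": ("C. Desai", None),
    "E103": ("D. Mehta", date(2018, 8, 1)),    # left, account already disabled
}

# Constructed account export: (user id, employee id or None, enabled, roles)
ACCOUNTS = [
    ("ashah", "E100", True, {"Data Entry", "Quality Assurance"}),   # "Yes" pair
    ("bpatel", "E101", True, {"Help Desk"}),
    ("cdesai", "E102", True, {"System Administrator", "Database Administrator"}),
    ("dmehta", "E103", False, {"Network Administrator"}),
    ("svc_backup", None, True, {"Backup Admin"}),
]


def review_access(accounts, roster):
    """Return (user, issue) findings an auditor would raise for follow-up."""
    findings = []
    for user, emp_id, enabled, roles in accounts:
        if emp_id is None:
            findings.append((user, "no owner in HR roster (orphan/service account)"))
        elif roster[emp_id][1] is not None and enabled:
            left = roster[emp_id][1].isoformat()
            findings.append((user, "enabled account of employee who left on " + left))
        for pair in SOD_CONFLICTS:
            if pair <= roles:   # account holds both roles of an incompatible pair
                findings.append((user, "SOD conflict: " + " + ".join(sorted(pair))))
    return findings


if __name__ == "__main__":
    for user, issue in review_access(ACCOUNTS, HR_ROSTER):
        print(user, "-", issue)
```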
20. ITGC – Change Management
Application Development Lifecycle
1. Organization SDLC considers security, availability, and processing integrity
requirements
2. SDLC ensures Application controls that support complete, accurate,
authorized, and valid transaction processing.
Quality Assurance & Testing – Application, Database, Platform, Network
1. Testing strategy for changes
2. Testing is performed at the unit, system/integration, and user acceptance level
3. Load and stress testing is performed against test standards.
4. Integration test (for Interfaces with other systems/technology)
5. Conversion of data is tested - origin and its destination to confirm that it is
complete, accurate, and valid (FA Invoice and FAR)
Change Management Process – Application, Database, Platform, Network
1. Procedures for Installation and Maintenance
2. System maintenance, and supplier maintenance - Change Management
procedures.
21. ITGC – Change Management
Change Management Process – Application, Database, Platform, Network
3. Procedures for emergency changes exist and are followed.
4. Emergency changes are approved, tested, documented, and monitored.
5. Procedures exist to ensure applications/databases/OS-system software can
be returned to a previously known/stable state.
6. Systems are updated with updates/patches in a timely manner.
22. ITGC – Change Management
Change Management related Questions?
• Firewall software has an update; should that be subject to the Change
Management Process?
• Invoicing for FG has stopped and IT support personnel on the night shift
suggest a system restart to correct the problem?
• Management is launching a new product tomorrow; however, the new
module has not been tested in the test environment?
23. ITGC – Data Management
Data Backup, Storage, and Recovery
1. A strategy is defined for data backup type and frequency (including definition
of data retention periods).
2. A media management strategy defines media rotation and destruction.
3. Procedures exist to periodically test the effectiveness of the restoration
process and quality of backup media.
4. Procedures are defined and implemented to prevent access to sensitive
information stored on off-line physical media.
24. ITGC – Change Management
Data Management related Questions?
• Backups are taken on tape drives but never tested? However, the IT admin
ensures the tape library does not report any error after backup
completion?
• Backups are taken and placed at the same location in a Dataline fireproof
safe which can withstand temperatures up to 1000 degrees C for
an hour and is earthquake-proof?
• Backups are stored at the Managing Director's house in Mumbai and the
Disaster Recovery server is at Surat?
25. ITGC – Computer & Data Centre Operations
Incident and Problem Management
1. Management has defined and implemented an incident management system so that
events that are not part of the standard operation are recorded, analyzed, escalated,
resolved, and reported in a timely manner.
2. Management has defined and implemented problem management procedures
to help ensure that the root cause of operational events that are not part of the
standard operation is resolved in a timely manner.
Production Monitoring
1. Management has established and documented standard procedures for IT
operations, including managing, monitoring, and responding to security,
availability, and processing integrity events.
2. Management has established appropriate metrics to effectively manage,
monitor, and report on day-to-day operations.
3. System event data are sufficiently retained to provide chronological
information and logs to enable the reconstruction, review, and examination of
the time sequences of processing.
26. ITGC – Computer & Data Centre Operations
Data Centre related Questions?
• Air conditioning of the server room is kept at 18 degrees Centigrade?
• The server is showing an amber light alert; however, it is functioning
correctly.
• What if the above problem is accompanied by frequent restarts?
• The server room UPS system is out of warranty?
• Dell, the server equipment manufacturer, has denied providing an AMC as
the server is on the end-of-life support list?
• The server room does not have rodent protection
27. ITGC – Computer & Data Centre Operations
Picture 1?
28. ITGC – Computer & Data Centre Operations
Picture 2?
29. ITGC – Computer & Data Centre Operations
Winner!