1. CS6-4: A Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT Framework v2 for SOX-404)
Ed Hill, Managing Director, Protiviti
Gene Kim, CTO, Tripwire
June 2006
6. Vision: Create Equivalence to the Nine Firm Document on IT Control Exceptions
- GAIT takes the approach used in the nine firm document.
- GAIT represents the upfront scoping exercise that identifies the IT controls work relevant to the overall internal control objectives.
Reference: Chart 3, "Evaluating Information Technology General Control (ITGC) Deficiencies", in "A Framework for Evaluating Control Exceptions and Deficiencies" (December 20, 2004).
14. Scoping flow (the chart is arranged in three swim lanes: Business Process, Business and IT, IT)
- Identify key financial statement captions
- Identify the general ledger accounts related to the key financial statement accounts (significant accounts)
- Identify key transaction processes that affect the general ledger accounts
- Identify and understand related business processes
- Identify and understand applications and modules that support financially relevant business processes
- Analyze the risks within the integrated business process (identify risks)
- Identify manual and automated controls and key functionality within the process that mitigate the risks (identify key controls)
- Identify IT infrastructure elements which support the application (the rest of the stack)
- Identify and understand infrastructure that supports the business processes
- Evaluate the risks related to (and within) the IT processes which manage the infrastructure and applications
- Validate IT entity and management level controls
15. Entity level controls (Business and IT / IT lanes)
- Evaluate overall entity level controls
- Identify IT entity level elements and the demonstrated maturity of the process
- Evaluate the risks related to (and within) the IT processes which manage the infrastructure and applications
26. Identify Relevant IT Infrastructure Elements And IT Processes
(Blank matrix: each cell is filled in during the assessment to record whether the IT process at that layer is relevant.)

Layer                   Change Management   Operations   Security/Logical Access
Application             ???                 ???          ???
Database                ???                 ???          ???
Operating system        ???                 ???          ???
Network/infrastructure  ???                 ???          ???
28. Identify Relevant IT Infrastructure Elements And IT Processes
(Example filled-in matrix: "Yes" marks an IT process at that layer as relevant to the example application and therefore in scope.)

Layer                   Change Management   Operations   Security/Logical Access
Application             Yes                 Yes          Yes
Database                Yes                 No           Yes
Operating system        No                  No           Yes
Network/infrastructure  Yes                 Yes          No
29. Evaluate the risks related to the IT processes
Application layer: Change Management process

Critical functionality, automated controls, key reports:
- Approval of non-standard prices is restricted to authorized managers
- Approval of non-standard prices is routed to authorized managers
- The approved prices report generated by the application
- Data is correctly received from (input) the ABC application
- Data is correctly uploaded to the XYZ application

Risks (what could go wrong):
- Unauthorized changes
- Inadequate or inappropriate code promotions
- Failed changes, unintended consequences from change
- ... and so forth

IT processes and process owners:
- Change control team: Bob, Director, Change Management
- RAP support team: Frank Rap, Manager
- Production Migration team: Betty Migration, Manager
- DBA team
30. Evaluate the risks related to the IT processes
Application layer: Operations process

Critical functionality, automated controls, key reports:
- Approval of non-standard prices is restricted to authorized managers
- Approval of non-standard prices is routed to authorized managers
- The approved prices report generated by the application
- Data is correctly received from (input) the ABC application
- Data is correctly uploaded to the XYZ application

Risks (what could go wrong):
- Interfaces could fail
- Incomplete or inaccurate interface process, due to abnormal end
- Inability to appropriately recover lost data, due to data backup and recovery failures
- ... and so forth

IT processes and process owners:
- RAP support team: Frank Rap, Manager
- Data center operations team: Bob, Manager
31. Evaluate the risks related to the IT processes
Application layer: Security/logical access process

Critical functionality, automated controls, key reports:
- Approval of non-standard prices is restricted to authorized managers
- Approval of non-standard prices is routed to authorized managers
- The approved prices report generated by the application
- Data is correctly received from (input) the ABC application
- Data is correctly uploaded to the XYZ application

Risks (what could go wrong):
- Add/change/delete of data and code not in accordance with management's intentions
- Inappropriate changes to data are made by system users (because access privileges are inappropriate, for regular and privileged accounts)
- Inappropriate changes are made to application code
- Inappropriate or unauthorized transaction/data generation, approvals or deletions
- ... and so forth

IT processes and process owners:
- User provisioning team: Bob, Manager
- RAP application and data owners
- Support team
- DBA team
- Director of Security
Speaker notes:
- Add the concept of identifying entity-level and general control risks.
- Where do you figure out significant locations?
- Evaluate overall entity level controls
- Evaluate IT entity level elements
- Evaluate the risks related to the IT processes which manage the infrastructure