“Information Technology Controls”
by Jose F. Sabater Jr.


Topic Guide
• Controls, Objectives and Risks
• Controls Classification
• IT General and Application Controls Examples
• Overall IS Audit Steps
• Testing General & Application Controls
• COSO and COBIT
• IT Governance, Structure and Roles
Control & Control Objective
What is an objective?
The purpose that one’s efforts or actions are intended to attain or accomplish in order to address risks.
What is a control?
A step taken by management or employees to accomplish an objective. The organization and its management are responsible for implementing and maintaining effective controls.
Information Systems (IS) Control Objectives:
“Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.”
Control & Control Objective
IS Control Objectives cover areas such as:
• Safeguarding of assets
• Assuring integrity of general operating system
environments
• Assuring the integrity of sensitive and critical application
system environments through:
– Authorization of the input
– Accuracy and completeness of processing of transactions
– Accuracy, completeness and security of the output
• Ensuring the efficiency and effectiveness of operations
• Complying with requirements, policies and procedures, and
applicable laws
• Developing business continuity and disaster recovery plans
Risk Definition and Examples
• Risk is the threat that an event, action, or non-action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.
• “Risk is the hazard or possibility of loss.”
• Examples of IT risks
– technical failure of computer servers
– human error in input of data
– communication infrastructure failure
– physical threat and theft
– electronic & malicious threats (e.g. hacking)
IS Risk Management
• IS/IT Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives.
• A summary of this concept is shown in the following equation:
Total risk = Threats x Vulnerability x Asset value
IS Risk Management
• Once risks have been identified, existing controls can be evaluated or new controls designed to reduce the vulnerabilities to an acceptable level of risk. These controls are referred to as “countermeasures”.
• A successful program requires the integration of risk management within all levels of the organization. Operations staff and board members should assist the risk management committee in identifying risks and developing suitable loss control and intervention strategies.
Risk and Control
Overall Controls Classification
General and Application Controls
IT General Controls
• IT general controls are broad controls over general IT activities,
such as security and access, computer operations, and systems
development and system changes. General controls are
embedded in IT processes and services.
IT General Controls Categories :
• Security and Access Controls
Security and access controls are controls over operating
systems, critical applications, supporting databases, and
networks that help ensure that access to applications and data
is restricted to authorized personnel.
IT General Controls
• Computer Operations Controls
Relate to day-to-day operations and help ensure that computer
operational activities are performed as intended, processing
errors are identified and corrected in a timely manner, and
continuity of financial reporting data is maintained through
effective data backup and recovery procedures.
• Systems Development and System Changes Controls
Are controls over systems selection, design, implementation,
and configuration changes that help ensure that new systems
are appropriately developed, configured, approved, and
migrated into production, and controls over changes (whether
to applications, supporting databases, or operating systems)
that help to ensure that those changes are properly authorized
and approved, tested, and implemented.
IT General Controls support Business Processes …
• IT provides services (development and operational IT
processes), usually in a shared service to many
business processes in the whole enterprise. The IT
infrastructure is provided as a common service
(networks, databases, operating systems and storage).
• The reliable operation of these general controls is
necessary for reliance to be placed on application
controls. For example, poor change management could
accidentally or deliberately jeopardize the reliability of
automated application controls such as integrity
checks.
Application Controls
• Application controls are automated or IT-
dependent controls intended to help ensure that
transactions are properly initiated, authorized,
recorded, processed, and reported.
• In simple terms, automated control procedures
or manual controls that are dependent on IT.
• Application controls are embedded in business
process applications.
Application Controls at Business Process Level …
• Application controls are applied at the business process level or to specific business activities.
• Most business processes are automated and
integrated with IT application systems, resulting in
many of the controls being automated as well.
• Some controls within the business process remain as
manual procedures such as manual authorization of
transactions, separation of duties and reconciliations.
• Therefore controls at the business process level are a
combination of manual and automated application
controls.
Common Application Controls Areas
• Input and access controls
– Data checks and validations
– Automated authorization, approval, and SOD
• File and data transmission controls
• Processing controls
– Automated file identification and validation
– Automated functionality and calculations
– Audit trails and overrides
– Interface balancing
• Output controls
– Report distribution
– Balancing and reconciling
– Output error handling
Application Controls - examples
• For example, in a three-way match process, received
vendor invoices are entered into the system, which
matches them automatically to the purchase order and
goods receipt based on the document reference
numbers, price, and quantity. The system's
simultaneous matching of the information within the
three documents upon their entry to authorize a
payment to the vendor is an automated application
control.
• Management's review and reconciliation of an
exception report generated by the system is an
example of an IT-dependent manual control.
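The three-way match described above, as an added worked example that is not part of the original deck: an automated matching routine that authorizes payment only when the invoice agrees with the purchase order and goods receipt on reference number, item, quantity and price, plus the system-generated exception report that feeds management's review. The record layout, field names and sample documents are assumptions constructed for illustration.

```python
# Constructed document records; field names are illustrative assumptions.
# Orders and receipts are keyed by the purchase-order reference used for matching.
ORDERS = {"PO-1001": {"item": "toner", "qty": 10, "price": 45.00},
          "PO-1002": {"item": "paper", "qty": 50, "price": 4.20}}
RECEIPTS = {"PO-1001": {"item": "toner", "qty": 10},
            "PO-1002": {"item": "paper", "qty": 48}}          # short delivery
INVOICES = [{"inv": "INV-7", "po": "PO-1001", "item": "toner", "qty": 10, "price": 45.00},
            {"inv": "INV-8", "po": "PO-1002", "item": "paper", "qty": 50, "price": 4.20},
            {"inv": "INV-9", "po": "PO-1003", "item": "cables", "qty": 5, "price": 9.99}]

def three_way_match(invoice, orders, receipts):
    """Automated application control: payment is authorized only when the
    invoice agrees with the PO and the goods receipt on reference number, item,
    quantity and price. Returns (authorized, list of exception reasons)."""
    reasons = []
    po = orders.get(invoice["po"])
    gr = receipts.get(invoice["po"])
    if po is None:
        reasons.append(f"no purchase order {invoice['po']}")
    if gr is None:
        reasons.append(f"no goods receipt for {invoice['po']}")
    if po and gr:
        if not (invoice["item"] == po["item"] == gr["item"]):
            reasons.append("item mismatch across PO, receipt and invoice")
        if not (invoice["qty"] == po["qty"] == gr["qty"]):
            reasons.append(f"quantity mismatch: PO {po['qty']}, received "
                           f"{gr['qty']}, invoiced {invoice['qty']}")
        if invoice["price"] != po["price"]:
            reasons.append(f"price mismatch: PO {po['price']}, invoiced {invoice['price']}")
    return (not reasons, reasons)

def exception_report(invoices, orders, receipts):
    """The system-generated exception report that management reviews and
    reconciles: the IT-dependent manual control behind the automated one."""
    report = {}
    for inv in invoices:
        authorized, reasons = three_way_match(inv, orders, receipts)
        if not authorized:
            report[inv["inv"]] = reasons
    return report

if __name__ == "__main__":
    for inv_no, why in exception_report(INVOICES, ORDERS, RECEIPTS).items():
        print(inv_no, "held for manual review:", "; ".join(why))
```

Only invoices that clear every comparison are authorized automatically; everything else lands on the exception report, which is the record the auditor inspects when testing the manual review control.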
Application Controls - examples
Segregation of IS Duties Matrix (the same IS roles on both axes; an X marks a combination of duties that should not be held by one person): Control Group, System Analyst, Application Programmer, Help Desk & Support Mgr, End User, Data Entry, Computer Operator, DB Administrator, Network Administrator, System Administrator, Security Administrator, Tape Librarian, System Programmer, Quality Assurance.
Performing an IS Audit
• General audit steps
– Understanding of the audit area/subject
– Risk assessment and general audit plan
– Detailed audit planning
– Preliminary review of audit area/subject
– Evaluating audit area/subject
– Compliance testing
– Substantive testing
– Reporting (communicating results)
– Follow-up
Risk-based Auditing
Testing IT General Controls
• Tests of security and access controls could
include evaluating the general system security
settings and password parameters; evaluating the
process for adding, deleting, and changing
security access; and evaluating the access
capabilities of various types of users.
• Tests of controls over computer operations could
include evaluating the backup and recovery
processes, reviewing the process of identifying
and handling operational problems, and, if
applicable, assessing control over job scheduling.
Testing IT General Controls
• Examples of possible tests of controls over
systems development and system changes
include examining the processes for selecting,
acquiring, and installing new software;
evaluating the process for implementing
software upgrades or patches; determining
whether upgrades and patches are authorized
and implemented on a timely basis; and
assessing the process for testing new
applications and updates.
Testing Application Controls
• Regardless of the complexity of the IT environment,
the audit plan for testing application controls could
include a combination of inquiry, observation,
document inspection, and re-performance of the
controls.
• Efficiencies can be achieved through altering the
nature, timing, and extent of testing procedures
performed related to automated and IT-dependent
application controls if IT general controls are designed
and operating effectively.
• In some situations, benchmarking of certain automated
controls might be an appropriate audit strategy.
Testing Application Controls
Procedures for testing & evaluating include:
– Flow-charting techniques for documenting automated
applications and business process
– “Test of one” to see all aspects of the control operate
(“walkthrough”)
– Executing samples of transactions and comparing to
expected results
– Evaluating the logic of the program through the inspection
of system configuration or vendor documentation
– Use of generalized audit software to survey the contents
of data files
COSO Framework
Monitoring: the process to determine whether internal control is adequately designed, executed, effective and adaptive
– Management Analysis
– Disclosure Committee
– Internal Audits
Information and Communication: the process which ensures that relevant information is identified and communicated in a timely manner
– Messages from Senior Management
– Policies and Procedures
– Training
– Code of Ethics
Control Activities: the policies and procedures that help ensure that actions identified to manage risk are executed and timely
– Delegation of Authority
– Approvals
– Common Processes/Systems
– Segregation of Duties
– Account Reconciliations
– Information Tech. Controls
Risk Assessment: the evaluation of internal and external factors that impact an organization’s performance
– Business Risk Management
– Process Risk Management
– Internal Audit Risk Assessment
Control Environment: the control conscience of an organization, the "tone at the top"
– Code of Ethics
– Documented Policies and Procedures
– Cultural Assessment
Control Objectives for IT
CobiT® – Control Objectives for Information and Related Technology
– COBIT is the generally accepted internal control framework for IT
– A framework with 34 high-level control objectives in four domains:
• Planning and organization
• Acquisition and implementation
• Delivery and support
• Monitoring and evaluation
– Use of 40 major IT-related standards and regulations (such as COSO, ITIL, ISO/IEC 27000, SEI CMM, etc.)
IT Governance
IT governance is a structure of relationships built around stakeholder value drivers, with four focus areas:
• Strategic Alignment
• IT Value Delivery
• Risk Management
• Performance Measurement
IT Governance
IT Governance encompasses:
• Information systems
• Technology
• Communication
• IT Governance helps ensure the alignment of IT and enterprise objectives.
• Fundamentally, IT governance is concerned with two issues:
– IT delivers value to the business, driven by strategic alignment of IT with the business.
– IT risks are mitigated, driven by embedding accountability into the enterprise.
• IT Governance is the responsibility of the board of directors and executive management.
IT Governance Structure
• The Board
– Overall responsibility for IT governance
• Board steering & strategy committees
– IT governance principles and decision-making hierarchy
– IT strategy and architecture
– IT risk management
– IT services, performance and requirements
– IT investment criteria
– IT project governance
– Information security
– IT regulatory compliance
• Executive IT management
– CIO, CISO
IT Governance Roles
• IT governance structure starts at Board level to ensure adequate board control over the decisions, directions and performance of IT, so that it supports the organization’s strategies and objectives.
• Typically, the executive director, with the board of directors, sets the tone for the risk management program. Operations staff and board members should assist the risk management committee in identifying risks and developing suitable loss control and intervention strategies.
• IT governance is an inclusive term that encompasses information systems, technology and communication; business, legal and other issues; and all concerned stakeholders: directors, senior management, process owners, IT suppliers, users and auditors.
• IS department management, along with the IS steering committee and the strategy committee (which provides valuable strategic input related to stakeholders’ value), plays a key role in IT Strategic Plan development and implementation.
IT Governance Roles
IT Strategy committee:
• Is a mechanism for incorporating IT governance into enterprise governance
• As a committee of the board, it assists the board in overseeing the enterprise’s IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision making
• Organizations have had steering committees at an executive level to deal with IT issues that are relevant organization-wide. There should be a clear understanding of both the IT strategy and steering levels. The ITGI issued a document in which the two are clearly distinguished.
IT Governance Roles
Audit Role in IT Governance:
• Audit plays a significant role in a successful implementation of IT governance. Audit is best positioned to provide leading-practice recommendations to help improve the quality and effectiveness of the IT governance initiatives implemented.
• Audit helps ensure compliance with IT governance initiatives implemented within an organization. IT governance initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated IT governance initiatives.
Closing Quotes …
“IT Governance is no longer some stand-alone function, but
is an integral part of any organization’s overall corporate
governance. If your organization cannot survive as a
competitive player without IT, then your Board cannot
apply acceptable corporate governance without overt IT
Governance.”
“It is not simply a case of having a set of procedures and
processes, nor is it just about having controls in place.
Reliance on a poor control is often worse than having no
control at all.”
“If management is about running the business, governance
is about seeing that it is run properly.”
Questions ...