IT General Controls - John Gatto (Part 1)
IT General Controls 1
Agenda
1. Audit Structure
2. IT General Overview
3. IT General Controls
Core Principles of IA 2016
For an internal audit function to be effective, all Principles should be
present and operating effectively. How IA activity demonstrates this may
be quite different from organization to organization, but failure to achieve
any of the Principles would imply that an internal audit activity was not as
effective as it could be in achieving internal audit’s mission.
1. Demonstrates integrity.
2. Demonstrates competence and due professional care.
3. Is objective and free from undue influence (independent).
4. Aligns with the strategies, objectives, and risks of the organization.
5. Is appropriately positioned and adequately resourced.
6. Demonstrates quality and continuous improvement.
7. Communicates effectively.
8. Provides risk-based assurance.
9. Is insightful, proactive, and future-focused.
10. Promotes organizational improvement.
Background
• Audit departments are still structured into Finance and IT.
• Teams rely on their counterparts without understanding their scope.
• Automation of common activities / tests isn’t always leveraged.
• Teams don’t know what their counterparts are doing.
Current State
Financial Audit: focuses on end-user and manual processes.
IT Audit: focuses on application controls and general IT controls.
What’s Needed:
• Directing non-IT auditors to ask questions that will improve scope
• Increasing the knowledge of IT controls
• Bridging the knowledge gaps to cover more risk
Improvements
Reliance
Finance and IT rely on reports to validate the effectiveness of controls.
Reports are generated based on query criteria or SQL; inaccuracies in the filter criteria may exist.
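The Reliance slide above makes the point that a report is only as reliable as the query behind it. The following is an added example, not part of the deck, illustrating that point with a terminated-user access review built two ways over a constructed HR extract and application user list (the table and column names are assumptions of the example): the first filter matches only one spelling of the termination status and silently drops records, the second widens the criteria, and an independent reconciliation against the source population shows what each version of the report missed.

```python
import sqlite3

# Constructed sample data (not from the slides): an HR feed and an
# application's account list, as an auditor might receive them for review.
HR_ROWS = [
    # (employee_id, name, employment_status, termination_date)
    ("E001", "Alice", "Active", None),
    ("E002", "Bob", "Terminated", "2016-01-15"),
    ("E003", "Carol", "terminated", "2016-02-01"),  # inconsistent casing
    ("E004", "Dave", None, "2016-02-20"),           # status never updated
    ("E005", "Erin", "Active", None),
]
APP_ACCOUNTS = [
    # (employee_id, account_enabled)
    ("E001", 1),
    ("E002", 1),  # should have been disabled
    ("E003", 1),  # should have been disabled
    ("E004", 1),  # should have been disabled
    ("E005", 1),
]


def build_db():
    """Load the constructed extracts into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hr (employee_id TEXT, name TEXT, "
                 "employment_status TEXT, termination_date TEXT)")
    conn.execute("CREATE TABLE app_accounts (employee_id TEXT, "
                 "account_enabled INTEGER)")
    conn.executemany("INSERT INTO hr VALUES (?,?,?,?)", HR_ROWS)
    conn.executemany("INSERT INTO app_accounts VALUES (?,?)", APP_ACCOUNTS)
    return conn


# The report as first written: relies on one exact spelling of the status.
NAIVE_REPORT_SQL = """
SELECT h.employee_id
FROM hr h JOIN app_accounts a ON a.employee_id = h.employee_id
WHERE h.employment_status = 'Terminated' AND a.account_enabled = 1
"""

# The corrected report: case-insensitive status OR a recorded termination date.
ROBUST_REPORT_SQL = """
SELECT h.employee_id
FROM hr h JOIN app_accounts a ON a.employee_id = h.employee_id
WHERE (LOWER(h.employment_status) = 'terminated'
       OR h.termination_date IS NOT NULL)
  AND a.account_enabled = 1
"""


def run_report(conn, sql):
    """Return the sorted employee ids the report flags."""
    return sorted(row[0] for row in conn.execute(sql))


def reconcile(conn, report_ids):
    """Independent completeness check: re-derive the population of leavers
    from the termination date alone and compare it with the report output."""
    population = sorted(r[0] for r in conn.execute(
        "SELECT employee_id FROM hr WHERE termination_date IS NOT NULL"))
    missed = sorted(set(population) - set(report_ids))
    return {"population": population, "missed_by_report": missed}


if __name__ == "__main__":
    db = build_db()
    naive = run_report(db, NAIVE_REPORT_SQL)
    robust = run_report(db, ROBUST_REPORT_SQL)
    print("naive report:", naive, reconcile(db, naive))
    print("robust report:", robust, reconcile(db, robust))
```

The reconciliation is the audit step: before relying on a system-generated report as evidence, re-derive the population from the source data with criteria independent of the report's own filter and explain every difference.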
Agenda
1. Audit Structure
2. IT General Overview
3. IT General Controls
IT General Overview
Major IT Challenges
Control Frameworks
IT Auditor Competencies
Major IT Challenges
Regulatory Compliance
Keeping up with the ever-evolving legislative and regulatory requirements is time consuming and expensive, as IT must design and maintain systems to comply with these legislative and regulatory requirements.
DR and BCP
Business continuity management (BCM) proactively improves the enterprise’s resilience against operational disruptions and provides the capability to adequately react to these.
Vulnerability Management
The process of vulnerability management allows enterprises to enhance the security of their systems as well as meet their regulatory requirements by assessing and mitigating vulnerabilities in their IT systems.
2015 CEB IT Audit Hot Spots
Information Governance
• Information includes data on customer behaviors and social media posts.
• Growth in the digital universe as businesses created and used > 4.4 trillion gigabytes of data.
• Decentralization of data ownership and increasing reliance on data for decisions requires information governance.
• Lack of governance prevents effective management and protection of this information.
Business-Led IT
2015 CEB IT Audit Hot Spots
Legacy Systems
Control Frameworks
• COSO
• Sarbanes-Oxley
• NAIC / MAR
• CobiT
COSO
Sarbanes-Oxley (SOX)
• Protect investors from executive fraud
• Public Company Accounting Oversight Board (PCAOB)
• External auditor independence rules
• Audit Committee independence requirements and oversight
NAIC MAR
COBIT 5 Principles
Control Objectives for Information and Related Technologies
1. Meeting Stakeholder Needs
2. Covering the Enterprise End to End
3. Applying a Single Integrated Framework
4. Establishing a Holistic Approach
5. Separating Governance from Management
COBIT 5 Domains
Monitor, Evaluate and Assess
COBIT 5 - Snapshot
Control Activities
• Ensure enterprise management and key stakeholders are informed by IT on the current technology environment, possible future trends and value opportunities for the business.
• Align business imperatives and priorities with IT capabilities to establish enterprise priorities.
• Ensure IT management contributes to: business strategy planning and
Competencies
Common sense
Flowcharting techniques
Project Management
Competencies
Management concepts
Auditing concepts
Negotiating skills
Communication skills
Sense of humor
IT Competencies
§ Understanding of IT risks
§ Corporate strategic / operational plan
§ Information Technology operational plan
§ IT Organizational charts
§ Corporate Policies and Procedures
§ IT Infrastructure
§ Hardware
§ Applications
§ Networks
IT Risks
Inability to defend lawsuits due to poor record keeping
Agenda
1. Audit Structure
2. IT General Overview
3. IT General Controls
IT Controls
• Definition of Internal Control
• Fundamental Concepts
• Components of Internal Control
• Control Classifications
Definition of Internal Control
According to COSO: a process, effected by an organization’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in these categories:
• Operations: efficiency and effectiveness of operations
• Reporting: reliability of financial reporting
• Compliance: compliance with applicable laws and regulations
• Safeguarding of assets
Understanding IT Controls
IT control is a process that
provides assurance for information
and information services, and
helps to mitigate risks associated
with use of technology.
• Two components:
  • Automation of business controls
  • Control of IT
Importance of IT Controls
Fundamental Concepts
Internal control is a PROCESS:
• A means to an end
• Dynamic, not static
• Affected by people, not just policies and procedures
• Impacts all levels of the Company
• Control Environment
• Control Activities
• Information and Communication
Risk Management
Employees at all levels use risk management. It applies to all
departments and environments across the entire organization.
Defined
§ Risk management is the process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk costs with benefits.
§ The total process of identifying, controlling, and minimizing information system related risks to a level commensurate with the value of the assets protected.
Principles
§ Integrating risk management into planning, preparation, and execution.
§ Making risk decisions at the appropriate level in the organization.
§ Accepting no unnecessary risk.
Risk Appetite
In our dynamic world, risks are constantly changing…
Components of Internal Controls
• Tone of the organization
• Identify and analyze relevant risks to the achievement of objectives
• Systems supporting the exchange of information
• Ensure management directives are carried out
• Feedback on strengths and weaknesses in the system of internal control
• Design
• Implementation
• Operational Effectiveness
• Monitoring
Agenda
1. Audit Structure
2. IT General Overview
3. IT General Controls
IT General Controls
• Strategic Planning
• Operations Management
• Change & Release Management
• Infrastructure / Physical Security
• Risk Management
• Organization & IT Management
• Incident Management
• Policy Management
• SDLC
• DR & Business Continuity
• End User Computing
• Application Control Review
Policy Management
Policy life cycle: Plan, Design, Implement, Operate, Monitor, Update
Policy Life Cycle - Plan
Establishes the foundation for a policy framework by covering the stakeholders and goals dimensions defined previously.
Policy Structure
• Setup
• Definition: identification of policies needed
• Draft: identify individuals responsible for researching and writing policies
Policy Life Cycle – Implement / Operate
Things to Look For…
Defining the role of IT
Cross referencing
Policy Control Matrix

Process: Communicate Management Aims and Direction
Control Objective (short description): IT Policy and Control Environment
Control Objective (long description): Define the elements of a control environment for IT, aligned with the enterprise’s management philosophy and operating style.
ABC Control Activity: The Policy Management team has developed a framework that defines the requirements for creating, maintaining and reviewing ITG policies. In addition, the framework defines the policy exception process, including when it is used and how it is executed. The Policy Owner (VP or above) approves the framework as changes occur.
Risk: Lack of a policy for internal controls could result in the organization not being able to identify irregularities in a timely manner.

Process: Communicate Management Aims and Direction
Control Objective (short description): IT Policies Management
Control Objective (long description): Develop and maintain a set of policies to support IT strategy. Their relevance should be confirmed and approved regularly.
ABC Control Activity: A process exists to manage policies and standards. The Policy Management organization facilitates the review of all policies on a rotating basis, at least once every 2 years or as needed, with the applicable process owners to ensure the policy’s appropriateness. The Policy Owner reviews and approves his or her respective policy once the review is complete.
Risk: Lack of a process for maintaining policies could result in the business not being prepared for changes in the business environment.
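The second row of the Policy Control Matrix describes a control with two testable attributes: every policy is reviewed at least once every 2 years, and the Policy Owner approves the policy once the review is complete. The following is an added example, not part of the deck, that re-performs that control over a constructed extract of a policy register (the field names, the policy names and the two-year day count used to operationalise the cadence are assumptions of the example) and returns one entry per exception, including the subtle case where an approval is dated before the review it supposedly approves.

```python
from datetime import date

# Constructed extract of a policy register (sample data, not from the deck).
# Each row records when the rotating review of a policy was completed and
# when its Policy Owner approved the outcome; an export like this is the
# evidence an auditor would request for the control.
POLICY_REGISTER = [
    {"policy": "POL-01 Access Control",
     "review_completed": "2015-03-01", "owner_approved": "2015-03-10"},
    {"policy": "POL-02 Change Management",
     "review_completed": "2013-06-15", "owner_approved": "2013-06-20"},
    {"policy": "POL-03 Backup and Recovery",
     "review_completed": "2015-09-01", "owner_approved": None},
    {"policy": "POL-04 Incident Response",
     "review_completed": "2015-01-20", "owner_approved": "2014-12-01"},
]

# "At least once every 2 years" from the control description; expressing it
# as a fixed number of days is an assumption of this example.
REVIEW_CYCLE_DAYS = 2 * 365


def evaluate_policy_register(register, as_of_iso):
    """Re-perform the control as of the given ISO date and return one entry
    per exception as (policy, [reasons]). An empty list means no exceptions."""
    as_of = date.fromisoformat(as_of_iso)
    exceptions = []
    for row in register:
        reasons = []
        reviewed = date.fromisoformat(row["review_completed"])
        # Cadence attribute: the last completed review must fall within the cycle.
        if (as_of - reviewed).days > REVIEW_CYCLE_DAYS:
            reasons.append("review overdue")
        # Approval attribute: the owner approves once the review is complete,
        # so a missing approval, or one dated before the review, is an exception.
        if row["owner_approved"] is None:
            reasons.append("no owner approval")
        elif date.fromisoformat(row["owner_approved"]) < reviewed:
            reasons.append("approval predates review completion")
        if reasons:
            exceptions.append((row["policy"], reasons))
    return exceptions


if __name__ == "__main__":
    for policy, reasons in evaluate_policy_register(POLICY_REGISTER, "2016-01-01"):
        print(f"{policy}: {', '.join(reasons)}")
```

Each exception maps back to the Risk column of the matrix: an overdue review is the case where the business may not be prepared for changes in its environment, and a missing or out-of-sequence approval is the case where the control is documented but not evidenced as operating.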
IT Organization & Management
Why is the organization of the IT group so important?