
ITG General Controls / IT Risk Assessment – Taking it to the Next Level

June 7, 2016

John A. Gatto, CISA, CRISC
President
JAG Associates
Port Charlotte, FL

IT General Controls 1

Agenda

1. Audit Structure

2. IT General Overview

3. IT General Controls

4. IT Risk Assessment & Audit Planning

Core Principles of IA 2016
For an internal audit function to be effective, all Principles should be present and operating effectively. How IA activity demonstrates this may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission.

• Demonstrates integrity
• Demonstrates competence and due professional care
• Is objective and free from undue influence (independent)
• Aligns with the strategies, objectives, and risks of the organization
• Is appropriately positioned and adequately resourced
• Demonstrates quality and continuous improvement
• Communicates effectively
• Provides risk-based assurance
• Is insightful, proactive, and future-focused
• Promotes organizational improvement

Background
• Audit departments are still structured into Finance and IT
• Teams rely on their counterparts without understanding their scope
• Automation of common activities / tests isn’t always leveraged
• Teams don’t know what their counterparts are doing
• Teams don’t communicate well
• Teams blindly trust in some “controls”
• Teams don’t know what IT General Controls are protecting
Current State

Financial Audit
• Focuses on end-user and manual processes

IT Audit
• Focuses on application controls and general IT controls

What’s Needed
• Directing non-IT Auditors to ask questions that will improve scope
• Increasing the knowledge of IT controls
• Bridging the knowledge gaps to cover more risk

Improvements

Financial and operational controls are now supported by IT systems and system-generated reports.

We need to:
• Recognize what our systems can and cannot do
• Realize that some system controls can be overridden or circumvented
• Understand the separation of business/operational activities and IT
Reliance
• Finance and IT rely on reports to validate the effectiveness of controls
• Reports are generated based on query criteria or SQL; inaccuracies in filter criteria may exist
• Reports are pulled from various databases; the incorrect source of record may be used:
    • Where is data being reported from?
    • Are the queries used appropriate?
    • At what intervals is data being propagated?
• Review reconciliations between front-end and back-end systems
• Review account reconciliations to identify discrepant processes
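The two report risks on this slide, a wrong filter criterion in the report query and an unreconciled source of record, as an added example that is not part of the presentation. It is a small Python/SQLite script over constructed June 2016 postings: the table names (`front_end_txn`, `ledger_txn`), columns, accounts and amounts are all assumptions made for the example. The report query is shown with the strict `<` end-date filter that drops month-end postings and with the corrected `<=`, and a reconciliation compares per-account totals between the front-end copy and the ledger that is the source of record.

```python
import sqlite3

# Constructed sample data for this example (not from the presentation): the
# same June 2016 postings as captured by the front-end application and as held
# in the back-end ledger that is the source of record. Posting 5 exists only in
# the front end, i.e. it never propagated to the ledger.
FRONT_END_ROWS = [
    (1, "ACC-100", "2016-06-01", 1200.00),
    (2, "ACC-100", "2016-06-15", -300.00),
    (3, "ACC-200", "2016-06-29", 500.00),
    (4, "ACC-200", "2016-06-30", 250.00),   # posted on the last day of the period
    (5, "ACC-300", "2016-06-30", 999.00),   # present in the front end only
]
LEDGER_ROWS = FRONT_END_ROWS[:4]

# Only these two (assumed) table names may be interpolated into SQL below.
ALLOWED_TABLES = {"front_end_txn", "ledger_txn"}


def build_sample_db():
    """Create an in-memory database holding both copies of the postings."""
    conn = sqlite3.connect(":memory:")
    for table, rows in (("front_end_txn", FRONT_END_ROWS), ("ledger_txn", LEDGER_ROWS)):
        conn.execute(
            f"CREATE TABLE {table} "
            "(id INTEGER PRIMARY KEY, account TEXT, posted_date TEXT, amount REAL)"
        )
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def period_totals(conn, table, period_start, period_end, inclusive_end=True):
    """Per-account totals for a reporting period.

    inclusive_end=False reproduces a common filter-criteria mistake: a strict
    '<' on the period end date silently drops every posting dated exactly on
    the last day of the period, so the report under-states the totals.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unexpected table: {table}")
    end_op = "<=" if inclusive_end else "<"
    sql = (
        f"SELECT account, ROUND(SUM(amount), 2) FROM {table} "
        f"WHERE posted_date >= ? AND posted_date {end_op} ? "
        "GROUP BY account ORDER BY account"
    )
    return dict(conn.execute(sql, (period_start, period_end)).fetchall())


def reconcile(conn, period_start, period_end):
    """Compare front-end totals with the source-of-record ledger.

    Returns {account: (front_end_total, ledger_total)} for every account whose
    totals differ; an empty dict means the two systems agree for the period.
    """
    front = period_totals(conn, "front_end_txn", period_start, period_end)
    ledger = period_totals(conn, "ledger_txn", period_start, period_end)
    discrepancies = {}
    for account in sorted(set(front) | set(ledger)):
        f, l = front.get(account, 0.0), ledger.get(account, 0.0)
        if abs(f - l) > 0.005:
            discrepancies[account] = (f, l)
    return discrepancies


if __name__ == "__main__":
    db = build_sample_db()
    print("as written :", period_totals(db, "ledger_txn", "2016-06-01", "2016-06-30", inclusive_end=False))
    print("corrected  :", period_totals(db, "ledger_txn", "2016-06-01", "2016-06-30"))
    print("discrepancy:", reconcile(db, "2016-06-01", "2016-06-30"))
```

Running it shows the three questions from the slide in concrete form: the strict filter reports ACC-200 at 500 instead of 750 (the query is not appropriate), and the reconciliation flags ACC-300 as 999 in the front end against nothing in the ledger (data reported from the wrong source, or not yet propagated). The table-name whitelist is there because the table name is interpolated into the SQL string; period dates are bound as parameters.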

IT General Overview
• Major IT Challenges
• Control Frameworks
• IT Auditor Competencies

Major IT Challenges*

1. Regulatory Compliance
Keeping up with the ever evolving legislative and regulatory requirements is time consuming and expensive as IT must design and maintain systems to comply with these legislative and regulatory requirements.

2. IT Management & IT Governance
Considerations for security, shared services, IT resource maximization and governance concerns have contributed to a growing focus on enterprise-based IT management and IT governance.

3. Information Security Management
After many spectacular data breaches and losses, and enormous spending in state-of-the-art security technologies, organizations are finally realizing that information security is all about being able to manage it adequately.

4. DR and BCP
Business continuity management (BCM) proactively improves the enterprise’s resilience against operational disruptions and provides the capability to adequately react to these.

5. Challenges of Managing IT Risks
IT’s pervasiveness and ubiquity also bring about (sometimes inconspicuously) significant risks that, if realized, might jeopardize the viability and success of the enterprise.

6. Vulnerability Management
The process of vulnerability management allows enterprises to enhance the security of their systems as well as meet their regulatory requirements by assessing and mitigating vulnerabilities in their IT systems.

7. Continuous Process Improvement
Modern enterprises now recognize that “business processes are the business” and that enterprise success is dependent on establishing the capabilities and infrastructures to continually improve business processes and rapidly implement change.

*ISACA: Top Business/Technology Issues Survey Results 2011
2015 CEB IT Audit Hot Spots

Information Governance
• Growth in digital universe as businesses created and used > 4.4 trillion gigabytes of data.
• Information includes data on customer behaviors and social media posts.
• Decentralization of data ownership, increasing reliance on data for decisions requires information governance.
• Lack of governance prevents effective management and protection of this information.

Advanced Persistent Threats (APTs)
• Increasingly sophisticated APTs target specific vulnerabilities in organizational networks (using techniques such as spear phishing) to install malware and exfiltrate organizational data.
• Seventy percent of CISOs believe it is likely their organizations will be hit by an advanced attack in the near future.
• Shortfalls in information security talent and inadequate detection and response processes exacerbate vulnerability to APTs.

2015 CEB IT Audit Hot Spots

Insecure Employee Behaviors
• With information security breaches rising at an exponential rate, employee error and misconduct have been identified as the biggest root cause of control failures.
• Last year, 48% of data breaches were caused by human error.
• The increased “datafication” of the work environment, plus ineffective training and awareness programs, undermine the value of the employee security perimeter.

Business-Led IT
• Businesses are reliant on increasingly powerful and often niche technology to increase productivity.
• Business leaders are increasingly procuring their own IT solutions, but do not always follow central security standards.
• Risk is heightened by IT’s limited visibility to these technologies and the 3rd party relationships often have little regard for the appropriate controls.
2015 CEB IT Audit Hot Spots

Legacy Systems
• Businesses’ reliance on technology requires continuous innovation and up-to-date, increasingly advanced systems.
• However, 93% of organizations use older legacy systems, which are not designed to cope with today’s complex digital environment.
• These systems are often incompatible with up-to-date security programs and can be costly to maintain while hampering productivity.

Control Frameworks
• COSO
• Sarbanes-Oxley
• CobiT
• NAIC / MAR

COSO
COmmittee of Sponsoring Organizations of the Treadway Commission
§ “Business Control Model”
§ Originally formed to study causal factors of fraudulent financial reporting
Sarbanes-Oxley (SOX)
• Protect investors from executive fraud
• Public Company Accounting Oversight Board (PCAOB)
• External Auditor independence rules
• Audit Committee independence requirements and oversight

NAIC MAR
• Similar to SOX but less stringent than SOX
• Issued by the National Association of Insurance Commissioners (NAIC)
• For non-publicly traded insurance companies
• Requires controls to be in place and tested
• Requires assertion by Management ensuring financial reporting accuracy and integrity
COBIT 5 Principles
Control Objectives for Information and Related Technologies
1. Meeting Stakeholder needs
2. Covering the Enterprise end to end
3. Applying a Single Integrated Framework
4. Establishing a Holistic Approach
5. Separating Governance from Management

COBIT 5 Domains
• Align, Plan and Organize
• Build, Acquire and Implement
• Deliver, Service and Support
• Monitor, Evaluate and Assess
COBIT 5 - Snapshot

Align, Plan and Organize
Control Activities

Ensure enterprise management and key stakeholders:
• Are informed by IT on the current technology environment, possible future trends and value opportunities for the business
• Include them in the IT strategic plan

Align business imperatives and priorities with IT capabilities:
• Business strategy planning
• Discuss future business directions and enterprise goal

Ensure IT management contributes to:
• To establish enterprise priorities
• Identifies capabilities available to support enterprise goals

Competencies
• Common sense
• Knowledge of area to be audited
• Knowledge of Policies & Procedures
• Flowcharting techniques
• Core Audit Skills
• Project Management
• Management concepts
• Auditing concepts
• Negotiating skills
• Communication skills
• Audit tools (CAATs)
• Sense of humor
IT Competencies

§ Understanding of IT risks
§ Corporate strategic / operational plan
§ Information Technology operational plan
§ IT Organizational charts
§ Corporate Policies and Procedures
§ IT Infrastructure
§ Hardware
§ Applications
§ Networks


IT Risks
• Information Security Breaches
• Data Leakage and Privacy Violations
• Outsourcing Exposures
• Business Enablement Challenges
• Funding and Human Resource Shortcomings
• IT Governance Deficiencies
• Regulatory Concerns
• Lost productivity from IT downtime
• Cybersecurity
• Inability to defend lawsuits due to poor record keeping

IT Controls
• Definition of Internal Control
• Fundamental Concepts
• Components of Internal Control
• Control Classifications
Definition of Internal Control
According to COSO:

A process affected by an organization’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievements of objectives in these categories:
• Operations: Efficiency and Effectiveness of Operations
• Reporting: Reliability of Financial Reporting
• Compliance: Compliance with Applicable Laws and Regulations
• Safeguarding of assets

Understanding IT Controls
IT control is a process that provides assurance for information and information services, and helps to mitigate risks associated with use of technology.

Two components:
• Automation of business controls
• Control of IT
Importance of IT Controls

IT controls are needed to:
• monitor and control cost
• remain competitive
• protect information assets
• comply with laws and regulation

Implementing effective IT controls will:
• improve efficiency
• increase reliability
• provide flexibility
• increase availability of assurance evidence

Fundamental Concepts
Internal Controls is a PROCESS:
• A means to an end
• Dynamic not static
• Affected by people - not just policies and procedures
• Impacts all levels of the Company
Fundamental Concepts
Internal control provides reasonable assurance, not absolute assurance
• Achieving absolute assurance is not possible and costly
• Attempting to achieve absolute assurance is cost-prohibitive for most entities

Components of Internal Control
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
Risk Management
Employees at all levels use risk management. It applies to all departments and environments across the entire organization.

Defined
§ Risk management is the process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk costs with benefits.
§ The total process of identifying, controlling, and minimizing information system related risks to a level commensurate with the value of the assets protected

Principles
§ Integrating risk management into planning, preparation, and execution.
§ Making risk decisions at the appropriate level in the organization.
§ Accepting no unnecessary risk.

Risk Appetite
In our dynamic world, risks are constantly changing…

Determination of Risk Appetite is informed by:
• Existing Risk Profile: the existing level and distribution of risks across risk categories (e.g. financial, market, operational, reputation, etc.)
• Risk Tolerance: acceptable levels of variation an organization is willing to accept around specific objectives
• Risk Capacity: the maximum risk an organization may bear and remain solvent
• Desired Level of Risk: what is the desired risk/return level
Components of Internal Controls

Control Environment
• Tone of the organization
• Foundation of all other components of internal control
• Includes: integrity, ethics, role and involvement of Board of Directors

Risk Assessment
• Identify and analyze relevant risks to the achievement of objectives
• Basis for how the risks are managed
• Includes: annual risk assessment, mid-year update, ongoing risk monitoring

Information and Communication
• Systems supporting the exchange of information
• Form and time frame enabling people to carry out their responsibilities
• Includes: regular reporting, Policies & Procedures, Intranet sites

Control Activities
• Ensure management directives are carried out
• Approvals, Authorizations, Reconciliation, Security, Segregation of Duties

Monitoring
• Feedback on strengths and weaknesses in system of internal control
• Includes: performance measured to detect problems early
• Management ensures that internal controls are effective and efficient

Controls Life Cycle
Design → Implementation → Operational Effectiveness → Monitoring → (back to Design)

IT General Controls
• Strategic Planning
• Operations Management
• Change & Release Management
• Infrastructure / Physical Security
• Risk Management
• Organization & IT Management
• Incident Management
• Policy Management
• SDLC
• Application Control Review
• DR & Business Continuity
• End User Computing
Policy Management
• Define elements of an IT control environment aligned with the enterprise’s management philosophy and operating style
• Develop and maintain a set of policies to support IT strategy - relevance confirmed and approved regularly
• Deploy and enforce IT policies to all staff so they become an integral part of enterprise operations
• Disseminate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise

Policy Life Cycle
Plan → Design → Implement → Operate → Monitor → Update → (back to Plan)
Policy Life Cycle - Plan
• Establishes the foundation for a policy framework by covering the stakeholders and goals dimensions defined previously
• Identifying gaps between the governance principles and current, valid policies helps to redesign and improve the policy framework in use
• Define a logical structure of documentation that will support and clarify policy principles
• The goal is to improve clarity of policy principles and support their implementation

Policy Life Cycle - Design

Policy Structure Definition
• Identification of policies needed
• Risk-based approach is used that addresses policy principles
• Set deadlines and priorities for their creation
• Define writing quality standards, including document format, font, language style, glossary and document structure

Setup
• Draft: Identify individuals responsible for researching and writing policies
• Review: Identify individuals responsible for providing independent review of policies
• Procedures to obtain final policy approval from authorized individuals; determine policy communication and training strategy
• Set deadlines for review and approval
Policy Life Cycle – Implement / Operate

Implement
• Getting the policies active
• Enforcing them
• Defining the activities to assist the organization in transitioning from a noncompliant to a compliant state

Operate
• An effective policy should be part of the organization’s DNA
• Building an accountable culture and using policies in daily operations ensures that the organization’s goals are met
• Organizations should “walk the talk” of policy principles

Policy Life Cycle – Evaluate / Update

Evaluate / monitor
• Confirms that policy requirements are properly implemented
• The organization is operating effectively

Update / dispose
• Reviewed for updating or removal
• Adjusts the phases defined previously to maintain or improve the maturity of the policy framework
• Policies to be reviewed on a regular basis, typically every 12 months
Things to Look For…
• Defining the role of IT
• IT management (including goals and objectives)
• Adequacy of policies and procedures
• Compliance with policies and procedures
• Policies defining levels of security and privacy required:
    • Rights of access to specific types of information (HIPAA regulations)
    • Ownership of information
    • Processes and procedures for employment in sensitive areas

Things to Look For…

Policy Management
• Evergreen Process – timing and approvals
• Cross referencing
• Standards and procedures aligned with policy
• Policy Review Board
Policy Control Matrix
Columns: Process | Control Objective (Short Description) | Control Objective (Long Description) | ABC Control Activity | Risk

1. Process: Communicate Management Aims and Direction
   Control Objective (short): IT Policy and Control Environment
   Control Objective (long): Define the elements of a control environment for IT, aligned with the enterprise’s management philosophy and operating style.
   ABC Control Activity: The Policy Management team has developed a framework that defines the requirements for creating, maintaining and reviewing ITG policies. In addition, the framework defines the policy exception process including when it is used and how it is executed. The Policy Owner (VP or above) approves the framework as changes occur.
   Risk: Lack of a policy for internal controls could result in the organization not being able to identify irregularities in a timely manner.

2. Process: Communicate Management Aims and Direction
   Control Objective (short): IT Policies Management
   Control Objective (long): Develop and maintain a set of policies to support IT strategy. Their relevance should be confirmed and approved regularly.
   ABC Control Activity: A process exists to manage policies and standards. The Policy Management organization facilitates the review of all policies on a rotating basis, at least once every 2 years or as needed, with the applicable process owners to ensure the policy’s appropriateness. The Policy Owner reviews and approves his or her respective policy once the review is complete. A review of all Standards occurs at least once every 2 years or as needed by the Standards Owner (Director or above). Evidence of the review is documented and retained.
   Risk: Lack of a process for maintaining policies could result in the business not being prepared for changes in the business environment.

3. Process: Communicate Management Aims and Direction
   Control Objective (short): Policy, Standard and Procedures Rollout
   Control Objective (long): Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.
   ABC Control Activity: Function / Process Owners develop an implementation approach in response to policy/standards modifications or creation of new policies/standards. The Policy Management organization facilitates the review and approval of all modified or new policies/standards with the applicable stakeholders to ensure appropriateness. The Policy Owner (VP or above) reviews and approves his or her respective policy once the review is complete. The Standards Owner (Director or above) reviews and approves his or her respective standard once the review is complete.
   Risk: If appropriate resources are not in place, excessive time lags could occur between the development, documentation, and communication of policies, standards, and procedures.

4. Process: Communicate Management Aims and Direction
   Control Objective (short): IT Policies Management
   Control Objective (long): Develop and maintain a set of policies to support IT strategy. Their relevance should be confirmed and approved regularly.
   ABC Control Activity: The Policy Management organization receives policy exception requests. Each request is reviewed to assess the risks associated with the exception. The stakeholders review the exception request and the Policy Owner approves or rejects each policy exception request prior to the exception event occurring.
   Risk: Lack of a process for maintaining policies could result in the business not being prepared for changes in the business environment.

Policy Test Matrix
Columns: Description | Test

1. Description: The Policy Management team has developed a framework that defines the requirements for creating, maintaining and reviewing ITG policies. In addition, the framework defines the policy exception process including when it is used and how it is executed. The Policy Owner (VP or above) approves the framework as changes occur.
   Test:
   1. Obtain the current policy manual and TOC
   2. Obtain the exception process log and select 25 exceptions and:
      a. Ensure the submission was timely
      b. Ensure the justification was reasonable
      c. Validate that approvals were appropriate and timely

2. Description: A process exists to manage policies and standards. The Policy Management organization facilitates the review of all policies on a rotating basis, at least once every 2 years or as needed, with the applicable process owners to ensure the policy’s appropriateness. The Policy Owner reviews and approves his or her respective policy once the review is complete. A review of all Standards occurs at least once every 2 years or as needed by the Standards Owner (Director or above). Evidence of the review is documented and retained.
   Test:
   1. Obtain the evergreen procedures and perform the following:
      a. Select 25 policies and determine when they were issued and last revised
      b. Ensure the Policy Manual contains the latest version of the policy
      c. Ensure appropriate signatures were obtained and maintained
IT Organization & Management
Why is the organization of the IT group so important?
• Ensures alignment with the business
• Defines lines of reporting and responsibility
• Allows the implementation of control systems

Business Alignment - WHY
• IT capabilities are an important component of an organization’s capabilities and business expectations for IT are rising.
• A winning business strategy requires the assessment of market forces, competitive challenges, organizational strengths and weaknesses, and customer needs.
• Business processes are enabled by computer systems, and there are no fall back paper processes.
• Process changes are virtually impossible without the corresponding technology changes.
• High levels of availability, reliability and security are needed for key business systems.