Maher Duessel Not-for-Profit Training July 2018 (PowerPoint PPT Presentation)



SLIDE 1

Maher Duessel Not-for-Profit Training July 2018

SLIDE 2

Agenda

  • Review of ITGCs
  • Review of IT Checklist
  • Other Security Issues
  • Questions

SLIDE 3

Review of General Computer Controls

SLIDE 4

ITGC – What is that? Information Technology General Controls:

  • Logical access controls
  • System development lifecycle controls
  • Program change management
  • Data center physical and logical security
  • System and data backup and recovery controls
  • Computer operation controls

... and sometimes IT entity-level controls

SLIDE 5

Why does it matter?

  • SAS No. 104-111 (the risk-based standards) specifically require ITGC to be addressed
  • ITGC weaknesses have the potential to increase the risk of material misstatement
  • No opinion is provided on ITGC
  • Cannot rely on IT systems or data without effective IT controls

SLIDE 6

Logical Access Controls

  • Only authorized persons have access to the system(s), and they can only perform specifically authorized functions
  • Segregation of incompatible duties exists within logical access (access to assets vs. access to accounting records)
  • For most organizations, lack of logical access controls can result in control weaknesses that require reporting

SLIDE 7

System Development Lifecycle Controls

  • Describes the process to plan, create, test, and deploy an information system
  • Details include preliminary analysis, systems analysis and requirements, systems design, development, integration and testing, acceptance and installation, maintenance, evaluation, and disposal
  • Generally applies to software developed in-house and not necessarily relevant to purchased software, but could apply to spreadsheets

SLIDE 8

Program Change Management

  • Changes to software and spreadsheets are authorized, including upgrades, patches, and configuration changes
  • Changes are tested
  • Changes are approved
  • Changes are monitored
  • Segregation of incompatible duties exists (the person making the change shouldn’t approve the change)
  • Lack of proper controls in this area could result in errors and reportable control weaknesses

SLIDE 9

Data Center Physical Security

  • Typically in reference to the server/computer room and data storage facility:
    – Access only to appropriate IT staff
    – Appropriate/redundant power and cooling
    – Appropriate fire prevention mechanism

SLIDE 10

System and data backup and recovery controls

  • Backing up data requires copying and archiving computer data so that it is accessible in case of data deletion, corruption, or ransomware
  • Consider that a data backup cannot always restore all of a system’s data and settings. Servers may need additional forms of disaster recovery
  • If you depend on being online all the time for ticket sales, registration, etc., lack of adequate backup systems could result in reportable control weaknesses

SLIDE 11

Computer Operation Controls

  • System startup procedures
  • Emergency procedures
  • System shutdown procedures
  • System and job status reporting instructions
  • Instructions re: console messages
  • Copies of system flowcharts
  • Maintenance of operating logs
  • Logs may be necessary audit documentation that should be retained

SLIDE 12

Review of IT Checklist

SLIDE 13

IT Service Provider

  • 1. Does the entity have an in-house IT person, or are IT services contracted? Who, or what company?
  • 1a. If IT services are contracted, is there an agreement in place for the services to be provided, and what would happen to any data maintained or services supported by the contracted service provider if the relationship were to end?

Do contracts include Cloud Services? Get a SOC 2 Report.

Suggested procedure: If the client has a contract with significant IT services (i.e., outsources IT functions for security and backup), obtain a copy of the contract and review it to verify that the services outlined in this checklist are provided by the contractor. Pull the contract into the perm file.

SLIDE 14

IT Service Provider – (1. and 1a.)

What is important about these questions/what are we looking for?

  1. Not a specific ITGC, but provides an understanding of who is responsible for elements of the ITGC
  2. We want to make certain that the vendor you are using has the correct understanding of the items contracted. For example, you think a vendor is updating your virus protection, but they think they were only hired to do the initial installation
  3. We want to ensure the contract allows you ongoing access to your data. Cloud Services? Get a SOC 2 Report

SLIDE 15

Accounting Software

  • 2. Major accounting (and/or billing, membership, donor-related) software used:

Note that QuickBooks and Peachtree are typically not part of a complex IT environment, but most other software types are complex, and Question #11 (#12 for Gov. Binder) at A-08-01 Scoping should be answered "Yes."

  • 3. Was this software purchased from a vendor, or created "in-house"? If it is "in-house," who created the software, and who has current access to the software code? (System Development and Change Controls)
  • 4. Who determines the level of software access that a particular user will receive?

SLIDE 16

Accounting Software – (2. 3. and 4.)

What is important about these questions/what are we looking for?

  1. We are looking for a complete list of any software that is part of recording entries or completing financial statements
  2. We want to understand any custom aspects of the software (including spreadsheets) you are using
  3. We want to make certain the right person determines who has access to each item

SLIDE 17

Accounting Software

  • 5. Are user rights within the software documented, such as who has rights to what areas of the accounting system (ex: A/R, A/P, GL, printing checks)?
  • 6. Please list all employees/positions with access to the accounting software (including billing, membership, and donor software), and whether or not that access is restricted at any level:

    Name and/or position | Restriction level (full access, limited to AR/AP/HR/Payroll functions, etc.)

Logical Access Controls. Suggested procedure: Verify access controls via review of access levels on screen with the Software Administrator, or via review of a printout of access levels. Verify there are no potential segregation of duties issues. Access to certain modules should be limited to the user's performed duties; cross-reference to the Internal Controls Narrative in the B-series. Also, be sure to document user access to other financial applications that are material to the financial statements (i.e., billing software that is separate from the financial accounting software). Investigate any Administrative, Guest, or similar user accounts for propriety.

SLIDE 18

Accounting Software – (5. and 6.)

What is important about these questions/what are we looking for?

  1. We are going to match the responses here to what is in the software
  2. We are going to test for appropriate logical access controls/segregation of duties

SLIDE 19

Appropriate Access Controls

  • No shared passwords or logins
  • Consider an agreement if a third-party vendor has access (HIPAA?)
  • Guest passwords should be temporary and only used when on site, with appropriate limits
  • IT shouldn’t be able to approve accounting transactions
  • Accounting shouldn’t have admin-level IT access
  • What if we have to combine admin and accounting? Keep a log so someone can review it, and use different passwords for the accounting vs. admin functions (Admin can stop logging events, change passwords, give people access)
  • Same issues as in a paper system
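The access rules on this slide and the "investigate Administrative, Guest, or similar accounts" step of the question 6 procedure, as an added Python example (not code from the deck or the firm): it runs over a constructed user-access listing of the kind reviewed on screen or by printout and flags shared logins, generic accounts, IT users who can approve transactions, and accounting users with admin rights, noting whether a reviewed log compensates. Module, department and account names are assumptions.

```python
"""Segregation-of-duties review over a constructed user-access listing (added
example; module, department and account names below are assumptions)."""
from dataclasses import dataclass, field

# Modules that let a user approve, post or release accounting transactions (assumed names).
APPROVAL_MODULES = {"AP_approve", "GL_post", "print_checks"}
# Account names the checklist says to investigate for propriety.
GENERIC_ACCOUNTS = {"admin", "administrator", "guest", "test"}

@dataclass
class Access:
    login: str
    person: str                    # employee name or position from the listing
    department: str                # "accounting", "it", ...
    modules: set = field(default_factory=set)
    it_admin: bool = False         # admin-level rights on the network or software
    activity_logged: bool = False  # compensating control: a log someone else reviews

def review_access(listing):
    """Return one finding per control issue; an empty list means no exceptions."""
    findings = []
    by_login = {}
    for a in listing:
        by_login.setdefault(a.login, set()).add(a.person)
    for login, people in sorted(by_login.items()):
        if len(people) > 1:                     # one login, several people
            findings.append(f"shared login '{login}': {', '.join(sorted(people))}")
        if login.lower() in GENERIC_ACCOUNTS:   # Admin/Guest-type accounts
            findings.append(f"generic account '{login}': confirm owner, need and expiry")
    for a in listing:
        who = f"{a.person} ({a.login})"
        if a.department == "it" and a.modules & APPROVAL_MODULES:
            findings.append(f"{who}: IT staff can approve/post accounting transactions")
        if a.department == "accounting" and a.it_admin:
            if a.activity_logged:
                findings.append(f"{who}: accounting user with admin rights; relies on reviewed log")
            else:
                findings.append(f"{who}: accounting user with admin rights and no reviewed log")
    return findings

# Constructed listing in the shape of the checklist's question 6 table.
SAMPLE_LISTING = [
    Access("jsmith", "J. Smith (Controller)", "accounting", {"GL_post", "AP_approve"}),
    Access("bookkeeper", "A. Lee", "accounting", {"AP_enter", "AR_enter"}),
    Access("bookkeeper", "M. Diaz", "accounting", {"AP_enter", "AR_enter"}),
    Access("tadmin", "T. Brown (IT)", "it", {"print_checks"}, it_admin=True),
    Access("guest", "vendor tech", "it", set()),
    Access("rpatel", "R. Patel (Finance Dir.)", "accounting", {"GL_post"}, it_admin=True, activity_logged=True),
]

if __name__ == "__main__":
    print("\n".join(review_access(SAMPLE_LISTING)) or "no exceptions noted")
```

Each finding maps to a row the auditor would then tie back to the Internal Controls Narrative in the B-series.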

SLIDE 20

Accounting Software

  • 7. Is any financial reporting information (for example, Excel spreadsheets that detail fixed assets, loan information, etc.) maintained outside the accounting/accounting-related software, on the network? If so, is access to these folders/spreadsheets restricted at any level?

Logical Access Controls. Suggested procedure (Note: only for spreadsheets maintained outside the accounting system that have a material impact on the financial statements and where there is a risk of spreadsheet alteration by an unauthorized user): Observe where the spreadsheet is saved and verify user access. If access is not restricted, are there compensating controls in place that would detect significant alterations to the spreadsheet?

  • 8. How is file and folder access determined on the network servers, and who defines who has access to what? Has a recent evaluation been performed of the access levels provided to various employees? (Logical Access Controls)

SLIDE 21

Accounting Software

  • 9. Are logins and passwords used to access both computer terminals and the accounting software? If so, is the password sufficiently complex and required to be changed at intervals based on the assessed level of risk?

Logical Access Controls. Suggested procedures: Observe a person without access to the accounting system attempt to log in, and observe a person with access to the accounting system attempt to log in with an incorrect password. If the client asserts that the accounting system automatically changes passwords periodically, observe the Administrator pull up the specific property in the system to verify that automatic password changes are taking place.

  • 10. Who maintains the master information for all user names and passwords, both with the network and with the accounting software program? (Logical Access Controls)

SLIDE 22

Accounting Software – (9. and 10.)

  • NIST provides current guidance on best practice for passwords
    – Recommend phrases of 16 characters
    – Change when there is a breach or event
    – No repeat passwords
    – Lock out after a certain number of attempts
    – Policy should be developed based on risk
    – No longer mandatory change of passwords at specific intervals

SLIDE 23

Accounting Software

  • 11. What approvals are required for new, changed, or terminated passwords?
  • 12. Is there a written acceptable usage policy that users must sign (network, email, Internet usage, etc.), and can this be provided for our review? Are all employees required to sign at employment, or yearly, etc.? (Entity Level Controls)
  • 13. What is the procedure for disabling and removing user accounts from the network as it relates to termination of employment?

SLIDE 24

Disaster Contingency

  • 14. Does a formal disaster contingency plan exist? Consider inquiring about whether Cybersecurity insurance has been purchased as part of the plan. (System and data backup and recovery controls)
  • 15. Is the disaster contingency plan tested on a regular basis? If yes, please explain how frequently. Can it be provided for review?

More than just doing backups

SLIDE 25

Disaster Contingency – (14. and 15.)

  • Components of a disaster contingency plan:
    – Communication plan and role assignments
    – Plan for equipment (protect/replace)
    – Data continuity system – what do you need to be able to operate, and related logistics
    – Backup check
    – Inventory of workstations, software, scanners, etc., needed on a daily basis (might include photos)
    – Vendor communication and service restoration plan

SLIDE 26

Backups

  • 16. How often are server backups performed (daily, weekly, etc.), and who performs the backup? Is this backup file saved onsite, offsite, or online? When was the last time the backup was tested to ensure it was functioning as intended? (System and data backup and recovery controls)
  • 17. If you use an online backup software/service, what is the software/service? Have you ever tested the service to ensure all necessary items that are expected to be backed up actually are being backed up? If so, when/how often?
  • 18. What would happen to old backup versions if you stop using the backup software/service – can they be downloaded/still accessed, etc.? Could they be transferred to another service provider?

SLIDE 27

Backups – (16. 17. and 18.)

  • We want to make certain that backups of crucial data are occurring
  • We want to make certain that backup files are accessible and usable when needed

SLIDE 28

Backups

  • 19. Is there a backup solely for the accounting/accounting-related systems (other than the server backup)? Is this an onsite/offsite/online backup?
  • 20. How are files on individual computers backed up (such as Excel spreadsheets)?

SLIDE 29

Security

  • 21. Describe the physical security of the data center (i.e., server/server room), including how access is gained (physical key, fob, door code, etc.), and who determines access. Is there a procedure in place in the event a key is lost, or if a code is used? (Data Center Physical Security)
  • 22. Are anti-malware systems (Norton, McAfee, etc.) in place? How is the software updated, and how often? Who handles any issues that arise? (Data Center Logical Access Controls and Computer Operation Controls – virus protection)
  • 23. Are controls over perimeter and network security in place? Such controls may include firewalls, routers, terminal service devices, wireless security, intrusion detection, vulnerability assessments, and encrypting data where appropriate. (Data Center Logical Access)

SLIDE 30

Perimeter Security

  • What resources need to be protected?
    – Servers, workstations, websites
    – Credit cards, PII, HIPAA data, financial data
  • Who are you protecting them against?
    – Outside attacker – servers/website
    – Inside attacker
  • What are your business needs?
    – Cost
    – Website needed for daily transactions?

SLIDE 31

Perimeter (diagram)

SLIDE 32

Security Basics

  • Firewall – a physical device or set of related programs located at a network gateway server that protects the resources of the network from outside users (Strainer). Needs to be configured and password protected
  • Router – a networking device that forwards data packets between computer networks (Traffic Cop). Needs to be properly configured with appropriate password protection
  • Terminal Service Devices – a hardware device or server that provides terminals (PCs, printers) with a common connection point to a network

SLIDE 33

Current News

During May 2018, the FBI made an urgent request for anyone using internet routers to turn them off and back on again. The FBI was attempting to thwart a sophisticated malware system linked to Russia.

SLIDE 34

Other Security Issues

  • Intrusion detection
  • Intrusion prevention
  • Vulnerability assessments – identifying, quantifying, and prioritizing system vulnerabilities
  • Penetration testing – try to exploit any weaknesses (hack in)

These items are important, especially if reliant on website and/or internet sales

SLIDE 35

Other Security Issues

  • Wireless (WiFi) security – Are you using encryption and authentication procedures? Do you have Guest WiFi and, if so, which systems can be accessed from it?
  • Cell phone – what if a cell phone is lost?
  • iPads – what if an iPad is lost? Privacy issues?
  • Remote Access – VPN (Virtual Private Network) – secure encrypted access to an organization’s network via the internet

SLIDE 36

Other Security Issues

  • Encryption – do you have PII or HIPAA issues?
  • Policy – do you have an employee policy regarding data?
  • Training – do you train your staff about the risks of clicking on emails and downloading items?
  • Phishing attempts – do you practice phishing in-house to determine compliance with policies?

SLIDE 37

Evaluation

Note that a "NO" answer above does not necessarily mean a comment needs to be carried to A-09 as a potential ML comment, or to A-08-6 as a risk. It is important that the answers to all of the above questions be evaluated in the aggregate, along with activity controls at other B narratives. A client could have four "NO" answers above, but all of these could be mitigated by controls noted at the other B narratives. If this is the case, it is recommended that the reasoning be documented at this wp.

A different client could have a single "NO" answer above, but due to a lack of other controls, that single "NO" answer would be significant in evaluating internal controls.

Conclusion (select one):

  • IT controls are deemed adequate based upon the size and nature of the client.
  • IT controls have deficiencies as noted above, and carried to A-09. However, these items are considered advisory in nature, and are not deemed to be major deficiencies of the system.
  • IT controls have deficiencies as noted above, and carried to A-09. These items are considered to be deficiencies within the system, and have been carried to the A-08-06 wp as a risk, and will be responded to at that wp.

SLIDE 38

Questions? Contact Me!

Lisa Ritter, CPA, CFE, CITP
3003 North Front Street, Suite 101, Harrisburg, PA 17110
717-232-1230 | Lritter@md-cpas.com

Pittsburgh | Harrisburg | Butler | State College | Erie | Lancaster
www.md-cpas.com