Maher Duessel Not-for-Profit Training July 2018
Agenda • Review of ITGCs • Review of IT Checklist • Other Security Issues • Questions 2
Review of General Computer Controls – 3
ITGC – What is that? Information Technology General Controls: • Logical access controls • System development lifecycle controls • Program change management • Data Center Physical and Logical security • System and data backup and recovery controls • Computer Operation Controls …….and sometimes IT entity level controls 4
Why does it matter? • SAS No. 104-111 (the risk- based standards) specifically requires ITGC to be addressed • ITGC weaknesses have the potential to increase the risk of material misstatement • No opinion is provided on ITGC • Cannot rely on IT systems or data without effective IT controls 5
Logical Access Controls • Only authorized persons have access to the system(s) and they can only perform specifically authorized functions • Segregation of incompatible duties exists within logical access (access to assets vs. access to accounting records) • For most organizations, lack of logical access controls can result in control weaknesses that require reporting 6
System Development Lifecycle Controls • Describes the process to plan, create, test, and deploy an information system • Details include preliminary analysis, systems analysis and requirements, systems design, development, integration and testing, acceptance and installation, maintenance, evaluation, and disposal • Generally applies to software developed in-house and not necessarily relevant to purchased software, but could apply to spreadsheets 7
Program Change Management • Changes to software and spreadsheets are authorized - including upgrades, patches, and configuration changes • Changes are tested • Changes are approved • Changes are monitored • Segregation of incompatible duties exists (person making the change shouldn’t approve the change) • Lack of proper controls in this area could result in errors and reportable control weaknesses 8
Data Center Physical Security • Typically in reference to server/computer room and data storage facility: – Access only to appropriate IT staff – Appropriate/ redundant power and cooling – Appropriate fire prevention mechanism 9
System and data backup and recovery controls • Backing up data requires copying and archiving computer data so that it is accessible in case of data deletion or corruption-ransom • Consider that data backup cannot always restore all of a system’s data and settings. Servers may need additional forms of disaster recovery • If you depend on being online all the time for ticket sales, registration, etc., lack of adequate backup systems could result in reportable control weaknesses 10
Computer Operation Controls • System startup procedures • Emergency procedures • System shutdown procedures • System and job status reporting instructions • Instructions re: console messages • Copies of system flowcharts • Maintenance of operating logs • Logs may be necessary audit documentation that should be retained 11
Review of IT Checklist – 12
IT Service Provider IT Service Provider 1. Does the entity have an in-house IT person, or are IT services contracted? Who, or what company? 1a. If IT services are contracted, is there an agreement in place for the services to be provided, and what would happen to any data maintained or services supported by the contracted service provider if the relationship were to end? Do contracts include Cloud Services? Get a SOC2 Report Suggested procedure: If the client has a contract with significant IT services (i.e., outsources IT functions for security and back up), obtain a copy of the contract and review to verify that services outlined in this checklist are provided by the contractor. Pull the contract into the perm file. 13
IT Service Provider – (1. and 1a.) What is important about these questions/what are we looking for? 1. Not specific ITGC, but provides an understanding of who is responsible for elements of the ITGC 2. We want to make certain that the vendor you are using has the correct understanding about the items contracted. For example, you think a vendor is updating your virus protecting, but they think they were only hired to do initial installation 3. We want to ensure the contract allows you ongoing access to your data. Cloud Services? Get a SOC2 Report 14
Accounting Software ACCOUNTING SOFTWARE 2. Major accounting (and/or billing, membership, donor related) software used: Note that QuickBooks and Peachtree are typically not part of a complex IT environment, but most other software types are complex and Question #11 (#12 for Gov. Binder) at A-08-01 Scoping should be answered " Yes." 3. Was this software purchased from a vendor, or created "in-house"? If it is "in-house," who created the software, and who has current access to the software code? System Development and Change Controls 4. Who determines the level of software access that a particular user will receive? 15
Accounting Software – (2. 3. and 4.) What is important about these questions/what are we looking for? 1. We are looking for a complete list of any software that is part of recording entries or completing financial statements 2. We want to understand any custom/aspects of the software (including spreadsheets) you are using 1. We want to make certain the right person determines who has access to each item 16
Accounting Software 5. Are user rights within the software documented, such as who has rights to what areas of the accounting system (ex: A/R, A/P, GL, printing checks)? 6. Please list all employees/positions with access to the accounting software ( including billing, membership, and donor software) , and whether or not that access is restricted at any level: Restriction level (full access, limited to AR/AP/HR/Payroll functions, Name and/or position etc.) Logical Access Controls Suggested procedure: Verify access controls via review of access levels onscreen with the Software Administrator or via review of access levels via printout. Verify there are no potential segregation of duties issues. Access to certain modules should be limited to their performed duties - cross-reference to the Internal Controls Narrative in the B-series. Also, be sure to document user access to other financial applications that are material to the financial statements (i.e., billing software that is separate from the financial accounting software). Investigate any Administrative, Guest, or similar user accounts for propriety. 17
Accounting Software – (5. and 6.) What is important about these questions/what are we looking for? 1. We are going to match the responses here to what is in the software 2. We are going to test for appropriate logical access controls/ segregation of duties 18
Appropriate Access Controls • No shared passwords or logins • Consider an agreement if third-party vendor has access ( HIPPA?) • Guest passwords should be temporary and only when on site with appropriate limits • IT shouldn’t be able to approve accounting transactions • Accounting shouldn’t have admin level IT access • What if we have to combine admin and accounting = keep a log so someone can review it and use different passwords for accounting vs. admin function (Admin can stop logging events, change passwords, give people access) • Same issues as in a paper system 19
Accounting Software 7. Is any financial reporting information (for example, Excel spreadsheets that detail fixed assets, loans information, etc.) maintained outside the accounting/ accounting related software, on the network? If so, is access to these folders/spreadsheets restricted at any level? Logical Access Controls Suggested procedure (Note: only for spreadsheets maintained out of the accounting system that have a material impact on the financial statements and where there is a risk of spreadsheet alteration by an unauthorized user): Observe where the spreadsheet is saved and verify user access. If access is not restricted, are there compensating controls in place that would detect significant alterations to the spreadsheet? 8. How is file and folder access determined on the network servers, and who defines who has access to what? Has a recent evaluation been performed of the access levels provided to various employees? Logical Access Controls 20
Accounting Software 9. Are logins and passwords used to access both computer terminals and the accounting software? If so, is the password sufficiently complex and required to be changed at intervals based on assessed level of risk? Logical Access Controls Suggested procedures: Observe a person without access to the accounting system attempt to log in and observe a person with access to the accounting system attempt to log in with the incorrect password. If the client asserts that the accounting system automatically changes passwords periodically, observe the Administrator pull up the specific property in the system to verify that automatic passwords are taking place. 10. Who maintains the master information for all user names and passwords, both with the network, and with the accounting software program? Logical Access Controls 21
Recommend
More recommend
