
To ensure: the efficient and effective development and maintenance of IT systems; proper implementation of IT systems; protection of data and programs.



3 To ensure:
– the efficient and effective development and maintenance of IT systems
– proper implementation of IT systems
– protection of data and programs

4 COMPONENTS OF GENERAL IT CONTROLS
– Organisation and management controls
– Segregation of duties
– Physical and logical access controls
– Systems development controls
– Program amendment controls
– Business continuity planning controls

5 ORGANISATION AND MANAGEMENT CONTROLS

6 To ensure:
– economic use of IT systems
– reflection of IT in business plans
– delivery of systems within a control-conscious structure
– the system's response to changes

7 IT STRATEGY
– Appropriately formulated and documented for the next 3 years
– Covers the IT systems to be developed or enhanced, in line with business strategy
– Current and appropriate
– Duly approved by the board

8 IT PLANNING AND MANAGEMENT
– Guided by user management
– Users and management involved, evidenced through board agenda and minutes, budgets and forecasts
– IT steering committee
– User involvement in IT planning
– Reports generated against the strategy

9 IT SECURITY POLICY
– Formalised policy approved by the board
– Objectives well established; scope and extent laid down
– Fixes responsibility for updating and monitoring the policy
– Distributed to staff
– Ensures confidentiality and security of information

10 END-USER COMPUTING
– Policy and procedures for end-user computing, software copyrights, use of standard software and anti-virus procedures
– Distributed to staff

11 INTERNAL AUDIT
– Involvement in IT development and IT operations
– Involvement verified from the terms of reference and from the IT expertise of the audit staff

12 CONTROL CONSCIOUSNESS
– Depends on management attitude and organisation structure
– Assessed through the IT risk assessment and the treatment of risks

13 DOCUMENT RETENTION
– Management policy
– Procedures to forecast needs
PERSONNEL
– Recruitment and hiring policy
– Training of users
– Experience of staff
– Assessment of performance
– Dependence on key personnel

14 OUTSOURCING
– Policy and documentation; covered by contracts
– Security and confidentiality of data and programs
– Periodical review of costs
– Dependence on the outsourcer, and reporting to the board
– Controls on outsourced data

15 INVESTMENT
– Properly laid-down procedures for valuation of assets (hardware and software)
– Clear policy on whether to capitalise or charge off such costs

16 PERIODICAL REVIEW
– Review by management of expected changes and expenditure
– Management review of the impact of new technology

17 INSURANCE
– Insurance of IT assets
– Insurance policy for loss of profits and increased cost of working
– Prior assessment of the cost of recovery

18 SEGREGATION OF DUTIES

19 OBJECTIVES
– Reasonable segregation of duties within the IT department, and between IT and user departments
– To prevent or detect errors and irregularities

20 ORGANISATION STRUCTURE
– Appropriate organisation structure, formally recognised
– Appropriate reporting lines
– Size and style of operations should match needs

21 SEGREGATION OF DUTIES WITHIN IT
– Between the IT staff roles: programmers, operators, network administrators and security

22 SEGREGATION OF IT AND USERS
– Through limitation of responsibilities
– Through control over powerful IDs
– Through fixing responsibility for initiating or authorising transactions with users (IT staff should do neither)

23 SEGREGATION OF IT AND USERS (continued)
– Regulate amendments to master files and other data
– Enable correction of input errors

24 LOGICAL ACCESS CONTROLS

25 OBJECTIVES
– Prevention of unauthorised access to sensitive data or programs
– Protection of the confidentiality, integrity and reliability of data and systems

26 IDENTIFICATION OF SENSITIVE DATA / APPLICATIONS
– Procedures laid down to identify sensitive data and applications
– Through the security policy
– Through the risk assessment process

27 DESIGN OF USER ACCESS RESTRICTIONS
– Unique user IDs and passwords (never shared, so that every action can be traced to one person)
– Menu facilities that restrict each user to the functions needed
– Management approval for the menu options granted

28 EFFECTIVENESS OF USER ACCESS RESTRICTIONS
– Regular change of passwords (current guidance such as NIST SP 800-63B favours changing passwords on evidence of compromise, and screening them against breached-password lists, over forced periodic rotation)
– Protection of passwords
– Reports on security breaches

29 IT ACCESS
– Systems development staff prevented from accessing data and programs in the production environment
– Proper procedures for emergency changes: access granted for the occasion, logged and reviewed afterwards

30 CONTROL OVER POWERFUL IDs / UTILITIES
– Powerful IDs and utilities are those that can read or alter data and programs directly, bypassing application controls
– Adequate control over the allocation, authorisation and use of powerful user IDs and passwords
– Regular report on breaches

31 PHYSICAL ACCESS CONTROLS

32 OBJECTIVES
– Minimisation of the potential risk of accidental or malicious damage to IT assets
– Prevention of theft of IT assets

33 PHYSICAL SECURITY
– Adequate physical security covering the IT assets
– Proper documentation

34 SYSTEMS DEVELOPMENT, MAINTENANCE AND CHANGE CONTROLS

35 OBJECTIVES
– Users' satisfaction through availability and performance of systems
– System reliability, controllability and cost effectiveness
– Data integrity controls

36 IN-HOUSE DEVELOPMENT
– Proper methodology for in-house development, with in-built controls
– Proper programming standards laid down

37 PACKAGE SUPPORT
– Adequate vendor support and maintenance through contracts and agreements
– Testing of changes and upgrades before installation
– Source code provided

38 THIRD-PARTY DEVELOPMENT / MAINTENANCE
– Assurance obtained on quality and on costs and benefits
– Vendor of good reputation, with knowledge of cost management
– Standards exist against which actuals can be checked

39 PROJECT REVIEW BY MANAGEMENT
– Management review of the cost and progress of new developments
– Proper reporting lines
– Control through budgets
– Effective cost accounting and controls

40 USER INVOLVEMENT IN DEVELOPMENT
– User involvement throughout
– Users' sign-off of specifications
– User acceptance testing
– Proper training of users
– Provision of user manuals

41 BUSINESS CONTINUITY PLANNING CONTROLS

42 OBJECTIVES
– Minimise the chances of major failures
– Ensure early resumption of business if the systems or facilities fail

43 RISK ASSESSMENT - BUSINESS DISRUPTION
– Prior identification of the critical systems
– Determination of how long business operations can continue without the critical IT systems

44 BUSINESS CONTINUITY
– Plans for business continuity laid down
– Regular review and updating of plans
– User procedures
– Board approval for the plans

45 BACK-UP FREQUENCY
– Periodic data back-up
– Frequency increased according to the criticality of the data and the volume of changes

46 BACK-UP COMPOSITION
– Data files, programs and system software
– Documentation such as user manuals and systems manuals should also be backed up

47 BACK-UP SECURITY / LOCATION
– Secured back-up in an off-site location
– Prompt and proper record of media movements
– Proper authorisation of media movements

48 TESTING
– Regular testing of back-up and recovery
– Determination of recovery time
– Testing after changes to systems or programs
– Log of tests conducted

49 APPLICATION CONTROLS

50 APPLICATIONS
Programs that handle organisational functions such as:
– production
– finance and cost accounts
– materials management
– payroll
– library management
– share trading
– customer service in banks

51 CONTROL OBJECTIVES FOR INPUT
To ensure:
– existence of proper authority
– uniqueness
– accuracy
– completeness

52 OBJECTIVES FOR DATA PROCESSING
To ensure:
– completeness
– accuracy
– uniqueness
– validity
– acceptability

53 OBJECTIVES FOR OUTPUT
To ensure:
– completeness
– accuracy
– control over the planned distribution of output

54 INPUT CONTROLS

55 OBJECTIVES
To ensure:
– acceptance of every input into the system once only
– accurate recording of input

56 BATCH CONTROL TOTALS
– Transaction totals of batch inputs agreed with a manual total
– Manual totals pre-recorded on the batch header documents
– Totals entered well ahead of the commencement of processing

57 BATCH CONTROL MECHANISM
– User-devised mechanism to control the processing of all batches
– Logging and review of the control mechanism over batch processing

58 VALIDITY CHECKS
– In-built validity checks devised to check the accuracy of input
– Example: a check on the customer code and its format, and a check that the code is valid (exists on the master file)

59 HANDLING OF INVALID INPUT
– Rejection, by the system, of inputs that fail the validity tests
– Generation of exception reports
– All invalid transactions kept in suspense accounts for action by users, so that rejected items are not lost

60 ONE-TO-ONE CHECKING
– For critical, small-volume input, one-to-one input checking could be effective
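The input controls on slides 55 to 60, implemented as an added example that is not part of the original presentation: a keyed batch is agreed to the totals pre-recorded on its header (item count, value total and a hash total of the customer codes), each item passes validity checks (input once only, customer code format, code present on the master file, positive amount), rejects go to a suspense list with an exception report line, and accepted plus suspense must account for every item read. The customer code format, the master file and the batch data are constructed assumptions.

```python
"""Batch input controls: header control totals, validity checks on each item,
rejects held in suspense and an exception report. Added illustration with
constructed data (the customer master file, batch header and transactions are
made up), not code from the original presentation."""
import re
from dataclasses import dataclass, field
from decimal import Decimal

# Customer code format assumed for the illustration: one letter, five digits.
CUSTOMER_CODE = re.compile(r"^[A-Z][0-9]{5}$")
# Constructed customer master file: the codes that are valid today.
CUSTOMER_MASTER = {"A10001", "A10002", "B20003"}


@dataclass
class Transaction:
    ref: str        # reference of the source document; must be input once only
    customer: str
    amount: Decimal


@dataclass
class BatchHeader:
    """Totals the user department writes on the batch header, from the source
    documents, before the batch is keyed."""
    batch_id: str
    count: int
    value_total: Decimal
    hash_total: int   # sum of the digit part of the customer codes: meaningless, but hard to match by accident


@dataclass
class BatchResult:
    header_agreed: bool
    accepted: list = field(default_factory=list)
    suspense: list = field(default_factory=list)    # (ref, reason) pairs
    exceptions: list = field(default_factory=list)  # exception report lines


def hash_digits(code):
    """Digit part of a customer code for the hash total; 0 if not numeric."""
    tail = code[1:]
    return int(tail) if tail.isdigit() else 0


def validate(txn, seen_refs):
    """Return None if the item passes every validity check, else the reason."""
    if txn.ref in seen_refs:
        return "duplicate input: reference already accepted"
    if not CUSTOMER_CODE.match(txn.customer):
        return "customer code format invalid"
    if txn.customer not in CUSTOMER_MASTER:
        return "customer code not on master file"
    if txn.amount <= 0:
        return "amount not positive"
    return None


def process_batch(header, txns, seen_refs):
    """Agree the keyed batch to its header, validate each item and route rejects
    to suspense. seen_refs persists across batches so an item is accepted once."""
    count = len(txns)
    value_total = sum((t.amount for t in txns), Decimal("0"))
    hash_total = sum(hash_digits(t.customer) for t in txns)
    keyed = (count, value_total, hash_total)
    recorded = (header.count, header.value_total, header.hash_total)
    result = BatchResult(header_agreed=(keyed == recorded))
    if not result.header_agreed:
        result.exceptions.append(
            f"{header.batch_id}: header {recorded} vs keyed {keyed}: items lost, added or mis-keyed")
    for t in txns:
        reason = validate(t, seen_refs)
        if reason is None:
            result.accepted.append(t)
            seen_refs.add(t.ref)
        else:
            result.suspense.append((t.ref, reason))
            result.exceptions.append(f"{header.batch_id}/{t.ref}: to suspense, {reason}")
    # Every item read is either accepted or in suspense; nothing is dropped silently.
    assert len(result.accepted) + len(result.suspense) == count
    return result


def demo():
    """Batch of 4 source documents keyed with three defects: B20003 mis-keyed as
    'b2000', Z99999 not on the master file, and T002 keyed twice."""
    header = BatchHeader("B-0421", count=4, value_total=Decimal("255.50"),
                         hash_total=10001 + 10002 + 99999 + 20003)
    keyed = [
        Transaction("T001", "A10001", Decimal("120.00")),
        Transaction("T002", "A10002", Decimal("80.50")),
        Transaction("T003", "Z99999", Decimal("45.00")),
        Transaction("T004", "b2000", Decimal("10.00")),
        Transaction("T002", "A10002", Decimal("80.50")),
    ]
    return process_batch(header, keyed, set())
```

The header comparison runs before item validation on purpose: the header was written independently of the keying, so a mismatch means the batch as a whole is suspect even if every individual item looks valid.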

61 PROCESSING CONTROLS

62 OBJECTIVES
– To ensure complete and proper processing of data
– To check against duplicate processing
– To ensure all appropriate processes are applied to the correct data

63 RUN-TO-RUN TOTALS
– Prior identification of the run totals
– Agreement of the run totals with the system's totals after data processing

64 PIVOT TOTALS
– When two totals can be related, control is carried from that point forward by means of the second total

65 Example: a pivot total in a time-recording / payroll system
– Gross pay is regulated with regard to hours worked
– The gross pay total is then adopted as the control for further processing

66 INDEPENDENT CONTROL ACCOUNT
– Predicts the processing result, to highlight an unexpected result
– The control account is posted from a source independent of the processing run

67 – Helps flag errors caused by extraneous factors, such as the use of an incorrect ledger or file during data processing
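Slides 63 to 67 as an added worked example, not code from the original presentation: a payroll run whose hours total is agreed to a control established before the run, carried run to run, pivoted into the gross pay total, and reconciled to a salaries control account posted from an independent source. The second call loads a stale rate file, the "incorrect file used during processing" case of slide 67, and the control account is what catches it. Employees, hours, rates and the control figures are constructed.

```python
"""Processing controls on a payroll run: run-to-run totals, a pivot total and an
independent control account. Added illustration with constructed data
(employees, hours, rates and control figures are made up), not code from the
original presentation."""
from decimal import Decimal

# Run 1 input: validated time records (employee id, hours worked). Constructed.
TIME_RECORDS = [("E01", Decimal("40")), ("E02", Decimal("35")), ("E03", Decimal("42"))]

# Rate file the payroll run should use this period (constructed).
RATES_CURRENT = {"E01": Decimal("20"), "E02": Decimal("18"), "E03": Decimal("25")}
# Stale copy from the previous period, still on disk: the "incorrect file used
# during processing" failure mode.
RATES_PRIOR = {"E01": Decimal("19"), "E02": Decimal("17"), "E03": Decimal("24")}

# Control figures established BEFORE the run from sources independent of the
# payroll program: hours from the time-recording system, expected gross pay
# posted to the salaries control account from the contracted rates.
CONTROL_HOURS = Decimal("117")
CONTROL_GROSS = Decimal("2480")   # 40*20 + 35*18 + 42*25

TAX_RATE = Decimal("0.10")        # flat deduction, only to show the carry-forward
CENT = Decimal("0.01")


def totals(rows, idx):
    """Record count and the sum of column idx: the run-to-run total of a file."""
    return len(rows), sum((row[idx] for row in rows), Decimal("0"))


def payroll_run(records, rates, control_hours, control_gross):
    """Run the payroll; return (gross_total, net_total, control exceptions)."""
    exceptions = []

    # Run-to-run total 1: hours read must agree with the control set beforehand.
    count_in, hours_in = totals(records, 1)
    if hours_in != control_hours:
        exceptions.append(f"input hours {hours_in} disagree with control {control_hours}")

    # Run 2: gross pay = hours x rate. Count and hours are carried through unchanged.
    gross_file = [(emp, hours, hours * rates[emp]) for emp, hours in records]
    if totals(gross_file, 1) != (count_in, hours_in):
        exceptions.append("run-to-run: records lost or duplicated in the gross pay run")

    # Pivot: hours and gross pay are related through the rates, so the gross
    # total can be agreed to the independent control account. From here on the
    # gross total, not hours, is the control carried forward.
    _, gross_total = totals(gross_file, 2)
    if gross_total != control_gross:
        exceptions.append(f"gross {gross_total} disagrees with control account "
                          f"{control_gross}: check the rate file used")

    # Run 3: deductions and net pay, controlled by the gross total.
    net_file = []
    for emp, _, gross in gross_file:
        tax = (gross * TAX_RATE).quantize(CENT)
        net_file.append((emp, gross, tax, gross - tax))
    _, tax_total = totals(net_file, 2)
    _, net_total = totals(net_file, 3)
    if tax_total + net_total != gross_total:
        exceptions.append("run-to-run: deductions + net pay do not equal gross pay")

    return gross_total, net_total, exceptions


if __name__ == "__main__":
    for label, rates in (("current rate file", RATES_CURRENT), ("stale rate file", RATES_PRIOR)):
        gross, net, exc = payroll_run(TIME_RECORDS, rates, CONTROL_HOURS, CONTROL_GROSS)
        print(f"{label}: gross {gross}, net {net}, exceptions {exc or 'none'}")
```

Note that the stale rate file produces a run whose internal totals all agree (hours carried, deductions plus net equal gross); only the comparison with a control account posted from outside the run exposes it, which is the point of slide 66.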

68 OUTPUT CONTROLS

69 OBJECTIVES
– Input-output consistency
– Cost-effective distribution of output

70 COMPLETENESS OF PRINCIPAL REPORTS
– Totals of the desired output established beforehand
– Totals printed with the output

71 – Comparison of these totals with independent control account totals
– Comparison of these totals with the pre-computed totals per the update reports

72 COMPLETENESS OF SELECTIVE REPORTS
– Cannot be agreed with the principal reports, because of the nature of the selection

73 – Totals can be printed on these reports to confirm that all data records were addressed when the selection was made
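Slides 70 to 73 as an added example that is not part of the original presentation: a principal report prints its own record count and value total and agrees them to an independent control account, while a selective report (here, overdrawn customers only) prints how many records were read and how many selected, plus the value of the records not selected, so that selected plus not selected can be agreed to the control account. The ledger balances and the control figure are constructed.

```python
"""Output completeness controls: a principal report that prints its own totals
and agrees them to an independent control account, and a selective report that
prints 'records read' alongside 'records selected'. Added illustration with
constructed data (ledger balances and control figure are made up), not code
from the original presentation."""
from decimal import Decimal

# Constructed customer ledger after the update run: (customer, balance).
LEDGER = [
    ("A10001", Decimal("1200.00")),
    ("A10002", Decimal("-50.00")),
    ("B20003", Decimal("300.00")),
    ("C30004", Decimal("0.00")),
]
# Independent control account balance, posted from the update report's
# pre-computed totals rather than from the ledger records themselves.
CONTROL_ACCOUNT = Decimal("1450.00")


def principal_report(ledger, control_total):
    """Print every record, then count and value totals, then the comparison
    with the control account. Returns (report text, agreed)."""
    lines = ["PRINCIPAL REPORT: CUSTOMER BALANCES"]
    lines += [f"{cust:<10}{bal:>12}" for cust, bal in ledger]
    count = len(ledger)
    total = sum((bal for _, bal in ledger), Decimal("0"))
    lines.append(f"RECORDS PRINTED: {count}   TOTAL: {total}")
    agreed = total == control_total
    status = "AGREED" if agreed else f"DIFFERENCE {total - control_total}"
    lines.append(f"CONTROL ACCOUNT: {control_total}   {status}")
    return "\n".join(lines), agreed


def selective_report(ledger, predicate, title):
    """A selection cannot be agreed to the principal report's totals, so the
    report prints how many records were read and how many selected, plus the
    value of the records NOT selected. Returns (report text, stats)."""
    selected, not_selected = [], []
    for rec in ledger:
        (selected if predicate(rec) else not_selected).append(rec)
    stats = {
        "read": len(ledger),
        "selected": len(selected),
        "not_selected": len(not_selected),
        "selected_total": sum((b for _, b in selected), Decimal("0")),
        "not_selected_total": sum((b for _, b in not_selected), Decimal("0")),
    }
    lines = [f"SELECTIVE REPORT: {title}"]
    lines += [f"{cust:<10}{bal:>12}" for cust, bal in selected]
    lines.append(f"RECORDS READ: {stats['read']}   SELECTED: {stats['selected']}   "
                 f"NOT SELECTED: {stats['not_selected']}")
    lines.append(f"SELECTED TOTAL: {stats['selected_total']}   "
                 f"NOT SELECTED TOTAL: {stats['not_selected_total']}")
    return "\n".join(lines), stats


def reconcile_selection(stats, control_total):
    """Completeness of the selection: every record read was either selected or
    not, and the two value totals together equal the control account."""
    counts_agree = stats["read"] == stats["selected"] + stats["not_selected"]
    values_agree = stats["selected_total"] + stats["not_selected_total"] == control_total
    return counts_agree and values_agree


if __name__ == "__main__":
    text, ok = principal_report(LEDGER, CONTROL_ACCOUNT)
    print(text)
    text, stats = selective_report(LEDGER, lambda r: r[1] < 0, "OVERDRAWN CUSTOMERS")
    print(text)
    print("selection complete:", reconcile_selection(stats, CONTROL_ACCOUNT))
```

The "not selected" figures are what make the selective report checkable: without them the reviewer can confirm the selected records are correct but not that the selection ran over the whole file.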

74 REAL-TIME SYSTEMS

75 – Controls can be installed, but many of the control procedures required by management and auditors are difficult to implement (unlike in batch processing)

76 POSSIBLE CONTROL MEASURES
– Only in-built preventive controls, such as password protection, conversational editing (validation of each field as it is entered) and log files, to minimise the risks to systems

77 – One-to-one checking
– Exception reporting
– Report on suspense account postings
– Reconciliation of data to an independent (real) control account

78 [section title slide; text not captured in the transcript]

79 – Control problems as in real-time systems
– More reliance on the general IT controls
– Completeness of reports hinges on the accuracy of the data more than on the programs

80 POSSIBLE CONTROL MEASURES
– All reports treated as exception reports
– Completeness of reports should be proved
– Integrity checking by administrators to check and control errors

81 [section title slide; text not captured in the transcript]

82 – Identify the main inputs
– Test-check the procedures for input authorisation
– Verify the adequacy of the data validation checks

83 – Verify the adequacy of the procedures to ensure completeness of data
– Verify the procedures for handling incorrect data

84 – Check the controls at each stage of processing for data validation, data completeness and data accuracy
– Check the error-handling procedures at each stage of processing

85 – Check the controls for accuracy and adequacy of inputs (by reconciling output with inputs)
– Check the controls to protect output before distribution

86 – Check the controls over the issue of financial stationery (cheque forms and similar pre-printed documents)
– Check the effectiveness of access restriction, security over sensitive information and password management

