IT General Computer Controls

Introduction to IT General Controls

May 6, 2019

JKKT & Co.


Chartered Accountants

Information Technology General
Controls Review

Time to Take Control and Add Business Value

presented by

Kaushal R. Trivedi - Partner, Audit & Assurance


Presentation Outline

1. Information Technology

2. ITGC - Background

3. Quiz
Section 1

Information Technology

An Introduction
Are You a Victim of…

Virus Attack

Laptop Theft

Data Corruption/ Loss!!

Data Theft
Threats Continue to Grow…

• Information on 167 million LinkedIn accounts and, in the following week, 360 million emails and passwords for MySpace users

• Axis and State Bank of India confirm loss of several million Credit/Debit card users in the August 2016 data theft

• Verizon Enterprise Solutions, which also deals with enterprise security, was hit by a cyber-attack that led to the theft of details about 1.5 million customers

• 2.6 TB of data on politicians, criminals, professional athletes, etc. leaked from the professional firm Mossack Fonseca, including emails, contracts, scanned documents, transcripts…

• 55M Philippines Commission on Elections (COMELEC) records: the entire database was stolen from the COMELEC website by hackers from Anonymous and posted online.

• 49.6M Turkish citizenship records were stolen and posted online

• 80M records of Anthem, the second largest healthcare service provider in the US, stolen

• 76M JP Morgan Chase records stolen; the breach lasted from June to July 2015 and was not discovered until that time.

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Business Impact of DATA LOSS…

• Business Loss
• Revenue Loss
• Loss of Operations
• Loss of Clientele
• Loss of Reputation
Description of Global Risks and Trends 2016

Global Risk: Description

Adverse consequences of technological advances: Intended or unintended adverse consequences of technological advances such as artificial intelligence, geo-engineering and synthetic biology causing human, environmental and economic damage.

Breakdown of critical information infrastructure and networks: Cyber dependency increases vulnerability to outage of critical information infrastructure (e.g. internet, satellites, etc.) and networks causing widespread disruption.

Large-scale cyberattacks: Large-scale cyberattacks or malware causing large economic damages, geopolitical tensions or widespread loss of trust in the Internet.

Massive incident of data fraud/theft: Wrongful exploitation of private or official data that takes place on an unprecedented scale.

Source: World Economic Forum Global Risk 2016
Cyber Attack – Heat Map

[Figure: heat map of concern about cyber attacks by country.]

Source: World Economic Forum Global Risk 2016; Executive Opinion Survey 2015, World Economic Forum.
Note: The darker the colour, the higher the concern.
Information Systems Audit

Ensures that the Confidentiality, Availability and Integrity of the information systems are maintained.

[Figure: INFORMATION at the centre, surrounded by Confidentiality, Availability and Integrity, with the access layers around it: Application Layer Access, Infrastructure Layer Access, Physical Layer Access and Data in Transit.]

Audit of systems and processes at the Physical, Infrastructure, Network and Application layers is done to ensure CIA.
IT Services Frameworks
Section 2

Information Technology General


Controls

The Background
Why are ITGCs important?

• Information Technology General Controls (ITGCs) can be defined as internal controls that assure the secure, stable, and reliable performance of computer hardware, software and IT personnel connected to financial systems.

• ITGCs affect the ability to rely on application controls and IT dependent manual controls.

• Without effective ITGCs, reliance cannot be placed on any application controls or IT dependent manual controls unless additional procedures are performed (e.g., benchmarking). Even these additional procedures limit the ability to rely upon more than one application control at a time.

• ITGCs are an integral part of many different operational and regulatory (federal and state) audits, including:
o IT operational reviews
o HIPAA assessments
o SSAE16 assessments
o PCI reviews/audits
o SOX assessments
ITGC Focus Areas:

The following areas are typically addressed as part of ITGC:


Access to Programs and Data
• Controls that prevent inappropriate and unauthorized use of the system
across all layers of systems, operating system, database and application.
- Security Policy, Password, Unique IDs, Authorized Administrators,
Users Access Provisioning, Users Access Reviews, Physical Security,
Firewall, Monitoring (i.e. invalid logins, audit trails)
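An added example, not from the presentation, of two of the "Access to Programs and Data" controls listed above run as checks: a user access review (enabled accounts compared with an HR roster, plus generic IDs that break the unique-ID control) and invalid-login monitoring over an audit trail. The roster, account list, log format and failure threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed HR roster: user id -> employment status
HR_ROSTER = {"asmith": "active", "bjones": "terminated", "ckhan": "active"}

# Constructed system account list: user id -> (enabled, is_admin)
SYSTEM_ACCOUNTS = {
    "asmith": (True, False),
    "bjones": (True, True),      # terminated in HR but still enabled, and an admin
    "ckhan": (True, False),
    "shared_ops": (True, True),  # generic id not tied to one named person
}

# Constructed audit trail, one event per line: "timestamp user result source_ip"
AUDIT_TRAIL = """\
2019-05-06T09:01:10 asmith FAIL 10.0.0.5
2019-05-06T09:01:15 asmith FAIL 10.0.0.5
2019-05-06T09:01:20 asmith OK 10.0.0.5
2019-05-06T22:14:01 bjones FAIL 203.0.113.9
2019-05-06T22:14:05 bjones FAIL 203.0.113.9
2019-05-06T22:14:09 bjones FAIL 203.0.113.9
2019-05-06T22:14:13 bjones FAIL 203.0.113.9
"""


def access_review(roster, accounts):
    """Return (user id, finding) pairs for enabled accounts that either have
    no named owner in the HR roster or belong to a terminated employee."""
    findings = []
    for uid, (enabled, is_admin) in accounts.items():
        if not enabled:
            continue  # disabled accounts need no review finding here
        status = roster.get(uid)
        if status is None:
            findings.append((uid, "no named owner in HR roster (shared/generic id)"))
        elif status == "terminated":
            suffix = " (admin)" if is_admin else ""
            findings.append((uid, "terminated user still enabled" + suffix))
    return findings


def invalid_login_report(log_text, threshold=3):
    """Count FAIL events per user and return users at or above the threshold."""
    fails = Counter()
    for line in log_text.splitlines():
        _ts, user, result, _ip = line.split()
        if result == "FAIL":
            fails[user] += 1
    return {user: n for user, n in fails.items() if n >= threshold}
```

The same two functions can be pointed at a real exported account list and authentication log once the parsing matches that system's format; the review findings are the evidence an auditor would expect to see acted on.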

Program Changes
• Controls may involve required authorization of change requests, review of
the changes, approvals, documentation, testing and assessment of changes
on other IT components and implementation protocols.
- Change Management Process for Regular and Emergency Changes
(i.e. infrastructure and software changes for all layers: O/S, database,
application)

Program Development
• Controls over development methodology, including system design and
implementation, that outline specific phases, documentation requirements,
change management, approvals and checkpoints to control the development
or maintenance of the project.
ITGC Focus Areas:

Program Development
• Controls over the effective acquisition, implementation and maintenance of
system software, database management, telecommunications software,
security software, and utilities.
- Software Development Life Cycle (SDLC)

Computer Operations
• Controls over the effective job configuration and scheduling, data center
operations, data backup and data recovery procedures.
- Backups, Restorations, Job Scheduling
ITGC Approach Across all Layers
Key Terms

SOX – Sarbanes-Oxley Act of 2002. U.S. federal legislation that establishes new or enhanced requirements for financial reporting for all U.S. public company boards, management, and public accounting firms.

PCAOB – Public Company Accounting Oversight Board. A private-sector, non-profit corporation created by the Sarbanes-Oxley Act to oversee the auditors of public companies.

COBIT – Control Objectives for Information and Related Technology. A comprehensive framework for management of the governance of risk and control of IT, comprising 5 domains, 37 IT processes and 210 control objectives. COBIT includes controls that address all aspects of IT governance, but only those significant to financial reporting have been used to develop this document.

COSO – Committee of Sponsoring Organizations of the Treadway Commission. A private-sector initiative, formed in 1985 to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

ISACA – Information Systems Audit and Control Association. International professional organization for information governance, control, security and audit professionals. Its auditing and control standards are followed by practitioners worldwide.
COSO vs. COBIT

The most common framework used to evaluate ITGCs is the COBIT framework.

COSO
• Established to provide a generic framework for evaluating internal controls.
• SEC’s suggested Internal Controls Framework for Sarbanes Oxley.
• Addresses application controls and general IT controls at a high level.
• Does not dictate requirements for control objectives and related controls activity.

COBIT
• Established by ISACA to be used for the IT component of documenting and testing internal controls.
• Comprehensive framework for managing risk and control for IT.
• More detailed and IT specific.
• Not a comprehensive Internal Controls framework.

How COBIT is used for evaluating ITGCs:

• Since ITGCs affect the entire organization, COBIT is mapped to COSO.
• COBIT IT processes are identified as being relevant for the IT component of internal controls. However, companies may add or remove other COBIT processes based on the specific situation.
COBIT 4.1 mapped to COSO

The Control Objectives for Information and related Technology (COBIT) defines an IT governance framework.

Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people.

Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be identified and analyzed at both the entity and the activity level.

Control Activities – These policies and procedures help ensure management directives are carried out (e.g., preventive, detective, and mitigating controls).

Information and Communication – Pertinent information must be identified, captured, and communicated in a manner and timeframe that supports all other control components.

Monitoring – The monitoring process assesses the quality of the system’s performance over time by reviewing the output generated by control activities and conducting special evaluations.
ITGC Framework – COBIT 5 Overview

The focus of COBIT 5 is on processes, which are split into governance and management areas. These two areas contain a total of 5 domains:

Governance of Enterprise IT

• Evaluate, Direct and Monitor (EDM) – Provides direction to information security and monitoring the outcome

Management of Enterprise IT

• Align, Plan and Organize (APO) – Provides direction to solution delivery (BAI) and service delivery (DSS),
• Build, Acquire and Implement (BAI) – Provides the solutions and passes them to be turned into services,
• Deliver, Service and Support (DSS) – Receives the solutions and makes them usable for end users, and
• Monitor, Evaluate and Assess (MEA) – Monitors all processes to ensure that the direction provided is followed.

Across these 5 domains, COBIT has identified 37 IT processes that are generally used by an organization as well as specific practices.
Mapping PCAOB AS 5 to COBIT 5

Processes to Identify Relevant ITGC controls

• COBIT 5 processes mapped to PCAOB Auditing Standard No. 5

• Identifies ITGCs that have a direct impact on the audit of the effectiveness of internal controls over financial reporting (SOX section 404), which can be used as a baseline for non-public organizations.
Quiz?

1. Which of the following would not be in scope in a general computer control review?
a. Change Management
b. Operating System Security
c. The Financial Statement Close Process
d. Physical Security

2. Access to systems and data should be assigned on a need-to-know basis – True or False?

3. Inquiry alone is a suitable way to test a control – True or False?

4. The appropriate sample size required to test a general computer control is always:
a. 1
b. 30
c. The entire population
d. None of the above

5. The programmer who developed a new piece of code is the most appropriate individual to migrate that new code into the production environment – True or False?
Quiz Answers:

1. Which of the following would not be in scope in a general computer control review?
a. Change Management
b. Operating System Security
c. The Financial Statement Close Process
d. Physical Security

2. Access to systems and data should be assigned on a need-to-know basis – True or False?

3. Inquiry alone is a suitable way to test a control – True or False?

4. The appropriate sample size required to test a general computer control is always:
a. 1
b. 30
c. The entire population
d. None of the above

5. The programmer who developed a new piece of code is the most appropriate individual to migrate that new code into the production environment – True or False?
Thank You.

Jigar K. Shah
Partner – Tax & Regulatory
[email protected]
+91 98252 69935

Kaushal R. Trivedi
Partner – Audit & Assurance
[email protected]
+91 98251 54523

JKKT & Co.
Chartered Accountants
208, Shivalik-5,
Mahalaxmi Cross Roads, Paldi,
Ahmedabad – 380 007.
Tel.: +91 79 26650366, 26650399

Moving soon to our new office premise:
A810 - 811, Ratnakar 9 Square,
Opp. Keshavbaug Party Plot,
Vastrapur,
Ahmedabad - 380015.