Post on 26-Dec-2015


• TO ENSURE
  – THE EFFICIENT & EFFECTIVE DEVELOPMENT / MAINTENANCE OF IT SYSTEMS
  – PROPER IMPLEMENTATION OF IT SYSTEMS
  – PROTECTION OF DATA AND PROGRAMS

COMPONENTS OF GENERAL IT CONTROLS
• ORGANISATION AND MANAGEMENT CONTROLS
• SEGREGATION OF DUTIES
• PHYSICAL & LOGICAL ACCESS CONTROLS
• SYSTEMS DEVELOPMENT CONTROLS
• PROGRAM AMENDMENT CONTROLS
• BUSINESS CONTINUITY PLANNING CONTROLS

ORGANISATION & MANAGEMENT CONTROLS

ORGANISATION & MANAGEMENT CONTROLS
• TO ENSURE
  – ECONOMIC USE OF IT SYSTEMS
  – REFLECTION OF IT IN BUSINESS PLANS
  – DELIVERY OF THE SYSTEM IN A CONTROL-CONSCIOUS STRUCTURE
  – SYSTEM'S RESPONSE TO CHANGES

IT STRATEGY
• APPROPRIATE FORMULATION
• DOCUMENTED FOR THE NEXT 3 YEARS
  – COVER IT SYSTEMS TO BE DEVELOPED / ENHANCED
• IN LINE WITH BUSINESS STRATEGY
• CURRENT / APPROPRIATE
• DULY APPROVED BY BOARD

IT PLANNING AND MANAGEMENT
• GUIDED BY USER MANAGEMENT
• INVOLVE USERS & MANAGEMENT
  – THROUGH BOARD AGENDA / MINUTES, BUDGETS / FORECASTS
• THROUGH IT STEERING COMMITTEE
• USER INVOLVEMENT IN IT PLANNING
• GENERATION OF REPORTS AGAINST STRATEGY

IT SECURITY POLICY
• FORMALISED POLICY
• APPROVED BY BOARD
• OBJECTIVES WELL ESTABLISHED
• SCOPE AND EXTENT LAID DOWN
• ENABLE RESPONSIBILITY-FIXATION FOR UPDATING / MONITORING
• DISTRIBUTION TO STAFF
• ENSURE CONFIDENTIALITY / SECURITY OF INFORMATION

END-USER COMPUTING
• POLICY AND PROCEDURES FOR
  – END-USER COMPUTING
  – SOFTWARE COPYRIGHTS
  – USING STANDARD SOFTWARE
  – ANTI-VIRUS PROCEDURES
• DISTRIBUTION TO THE STAFF

INTERNAL AUDIT
• INVOLVEMENT IN
  – IT DEVELOPMENT
  – IT OPERATIONS
• INVOLVEMENT VERIFIED FROM
  – THE TERMS OF REFERENCE
  – EXPERTISE IN IT

CONTROL CONSCIOUSNESS
• DEPENDS ON
  – MANAGEMENT ATTITUDE
  – ORGANISATION STRUCTURE
• ASSESSED THROUGH
  – IT RISK ASSESSMENT
  – TREATMENT OF RISKS

• DOCUMENT RETENTION
  – MANAGEMENT POLICY
  – PROCEDURES TO FORECAST NEEDS
• PERSONNEL
  – RECRUITMENT / HIRING POLICY
  – TRAINING TO THE USERS
  – EXPERIENCE OF STAFF
  – ASSESSMENT OF PERFORMANCE
  – DEPENDENCE ON KEY PERSONNEL

OUTSOURCING
• POLICY & DOCUMENTATION
• COVERED BY CONTRACTS
• SECURITY & CONFIDENTIALITY - DATA & PROGRAMS
• PERIODICAL REVIEW OF COSTS
• DEPENDENCE & REPORTING TO BOARD
• CONTROLS ON OUTSOURCED DATA

INVESTMENT
• PROPERLY LAID DOWN PROCEDURES FOR VALUATION OF ASSETS - HARDWARE AND SOFTWARE
• CLEAR POLICY TO CAPITALISE / CHARGE OFF SUCH COSTS
• PERIODICAL REVIEW BY THE MANAGEMENT OF THE EXPECTED CHANGES / EXPENDITURE
• MANAGEMENT REVIEW OF THE IMPACT OF NEW TECHNOLOGY

INSURANCE
• INSURANCE OF IT ASSETS
• INSURANCE POLICY FOR LOSS OF PROFITS / INCREASED COST OF WORKING
• PRIOR ASSESSMENT OF COST OF RECOVERY

SEGREGATION OF DUTIES

OBJECTIVES
TO HAVE REASONABLE SEGREGATION OF DUTIES
• WITHIN IT DEPARTMENT
• BETWEEN IT AND USER DEPARTMENTS
• TO PREVENT / DETECT ERRORS OR IRREGULARITIES

ORGANISATION STRUCTURE
• APPROPRIATE ORGANISATION STRUCTURE
• FORMAL RECOGNITION
• APPROPRIATE REPORTING
• SIZE / STYLE OF OPERATIONS SHOULD MATCH NEEDS

SEGREGATION OF DUTIES - IT
• FOR IT STAFF
• FOR PROGRAMMERS
• FOR OPERATORS
• FOR NETWORK ADMINISTRATORS
• FOR SECURITY

SEGREGATION OF IT & USERS
• THROUGH LIMITATION OF RESPONSIBILITIES
• THROUGH POWERFUL IDs
• FIXATION OF RESPONSIBILITY TO INITIATE OR AUTHORISE TRANSACTIONS
• REGULATE AMENDMENTS TO MASTER FILES / OTHER DATA
• ENABLE CORRECTION OF INPUT ERRORS

LOGICAL ACCESS CONTROLS

OBJECTIVES
• PREVENTION OF UNAUTHORISED ACCESS TO SENSITIVE DATA OR PROGRAMS
• PROTECTION OF DATA / SYSTEM CONFIDENTIALITY, INTEGRITY AND RELIABILITY OF DATA /

IDENTIFICATION OF SENSITIVE DATA / APPLICATIONS
• PROCEDURES LAID DOWN TO IDENTIFY SENSITIVE DATA / APPLICATIONS
• THROUGH SECURITY POLICY
• THROUGH RISK ASSESSMENT PROCESS

DESIGN OF USER ACCESS RESTRICTIONS
• THROUGH UNIQUE USER IDS / PASSWORDS
• THROUGH MENU FACILITIES
• MANAGEMENT APPROVAL FOR THE MENU OPTIONS

EFFECTIVENESS OF USER ACCESS RESTRICTIONS
• THROUGH REGULAR CHANGE OF PASSWORDS
• THROUGH PROTECTION OF PASSWORD
• THROUGH REPORTS ON SECURITY BREACHES

IT ACCESS
• PREVENTION OF SYSTEMS DEVELOPMENT STAFF FROM DATA / PROGRAM ACCESS IN PRODUCTION ENVIRONMENT
• PROPER PROCEDURES TO EFFECT EMERGENCY CHANGES

CONTROL OVER POWERFUL IDs / UTILITIES
• ADEQUATE CONTROL OF THE ALLOCATION / AUTHORISATION AND USE OF POWERFUL USER IDS / PASSWORDS
• REGULAR REPORT ON BREACHES
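The segregation-of-duties and powerful-ID slides above (initiate vs authorise, developers kept out of production data and programs, allocation of powerful IDs) can be turned into a mechanical review of role assignments. The following Python script is an added example and is not part of the slide deck; the conflict matrix, the role and duty names, the users and the list of powerful IDs with their approved holders are all constructed for the illustration.

```python
"""Segregation-of-duties and powerful-ID review (added example, not from
the slides).  Duty names, roles, users and powerful IDs are constructed."""
from itertools import combinations

# Duty pairs one person must not hold together (constructed conflict matrix).
CONFLICTING_DUTIES = {
    frozenset({"initiate_transaction", "authorise_transaction"}),
    frozenset({"amend_master_file", "authorise_transaction"}),
    frozenset({"develop_programs", "production_data_access"}),
    frozenset({"develop_programs", "production_program_access"}),
    frozenset({"develop_programs", "operate_system"}),
}

# Duties each role confers (constructed).
ROLE_DUTIES = {
    "clerk": {"initiate_transaction"},
    "supervisor": {"authorise_transaction"},
    "master_data_admin": {"amend_master_file"},
    "programmer": {"develop_programs"},
    "operator": {"operate_system", "production_program_access"},
    "dba": {"production_data_access"},
}

# Powerful IDs and the staff authorised to use each one (constructed).
APPROVED_POWERFUL_HOLDERS = {
    "root": {"ops.lead"},
    "dbadmin": {"dba.one"},
    "sysadm": {"ops.lead"},
}


def duties_for(roles):
    """Expand a user's roles into the set of duties they confer."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_conflicts(roles):
    """Return the conflicting duty pairs a user holds through the given roles,
    as sorted tuples; catches initiate-and-authorise combinations and
    developers who also have production access."""
    held = sorted(duties_for(roles))
    return [(a, b) for a, b in combinations(held, 2)
            if frozenset({a, b}) in CONFLICTING_DUTIES]


def powerful_id_violations(id_holders):
    """id_holders maps a powerful ID to the users observed using it (for
    example from a login log).  Returns (id, user) pairs where the user is not
    on the approved list; IDs not classed as powerful are ignored."""
    violations = []
    for powerful_id, users in id_holders.items():
        approved = APPROVED_POWERFUL_HOLDERS.get(powerful_id)
        if approved is None:
            continue
        violations.extend((powerful_id, u) for u in sorted(users) if u not in approved)
    return violations


def review(assignments, id_holders):
    """Run both checks; returns ({user: conflicts}, [(powerful_id, user), ...])."""
    conflicts = {}
    for user, roles in assignments.items():
        found = sod_conflicts(roles)
        if found:
            conflicts[user] = found
    return conflicts, powerful_id_violations(id_holders)


if __name__ == "__main__":
    # Constructed role assignments and observed powerful-ID usage.
    assignments = {
        "alice": ["clerk", "supervisor"],   # initiates and authorises: conflict
        "bob": ["programmer", "dba"],       # developer with production data access: conflict
        "carol": ["clerk"],
        "dave": ["operator"],
    }
    observed = {"root": {"ops.lead", "bob"}, "dbadmin": {"dba.one"}}
    conflicts, violations = review(assignments, observed)
    for user, pairs in conflicts.items():
        print(f"SoD conflict: {user} holds {pairs}")
    for powerful_id, user in violations:
        print(f"Powerful ID {powerful_id} used by unapproved user {user}")
```

The review is driven by the conflict matrix rather than by role names, so adding a new role only requires listing the duties it confers; the powerful-ID check expects observed usage (who actually logged in with the ID), which is the evidence the "regular report on breaches" slide calls for.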

PHYSICAL ACCESS CONTROLS

OBJECTIVES
• MINIMISATION OF POTENTIAL RISK OF ACCIDENTAL OR MALICIOUS DAMAGE TO IT ASSETS
• PREVENTION OF THEFT OF IT ASSETS

PHYSICAL SECURITY
• ADEQUATE PHYSICAL SECURITY TO COVER THE IT ASSETS
• PROPER DOCUMENTATION

SYSTEMS DEVELOPMENT, MAINTENANCE AND CHANGE CONTROLS

OBJECTIVES
• USERS' SATISFACTION THROUGH AVAILABILITY & PERFORMANCE OF SYSTEMS
• SYSTEM RELIABILITY, CONTROLLABILITY, COST EFFECTIVENESS
• DATA INTEGRITY CONTROLS

IN-HOUSE DEVELOPMENT
• PROPER METHODOLOGY FOR IN-HOUSE DEVELOPMENT, WITH INBUILT CONTROLS
• PROPER PROGRAMMING STANDARDS LAID DOWN

PACKAGE SUPPORT
• ADEQUATE VENDOR SUPPORT
• MAINTENANCE THROUGH CONTRACTS / AGREEMENTS
• TESTING OF CHANGES AND UPGRADES BEFORE INSTALLATION
• SOURCE CODE PROVIDED

THIRD PARTY DEVELOPMENT / MAINTENANCE
• ASSURANCE ON QUALITY AND COSTS / BENEFITS OBTAINED
• GOOD REPUTATION OF VENDOR WITH KNOWLEDGE OF COST MANAGEMENT
• EXISTENCE OF STANDARDS TO CHECK WITH ACTUALS

PROJECT REVIEW BY MANAGEMENT
• REVIEW BY MANAGEMENT ON THE COST & PROGRESS OF NEW DEVELOPMENTS
• PROPER REPORTING LINES
• THROUGH BUDGETS
• EFFECTIVE COST ACCOUNTING AND CONTROLS

USER INVOLVEMENT IN DEVELOPMENT
• USER INVOLVEMENT
• USERS' SIGN-OFF OF SPECS
• USER TESTING FOR ACCEPTANCE
• PROPER TRAINING OF USERS
• PROVISION OF USER MANUALS

BUSINESS CONTINUITY PLANNING CONTROLS

OBJECTIVES
• MINIMISATION OF CHANCES OF MAJOR FAILURES
• TO ENSURE EARLY RESUMPTION OF BUSINESS, IN CASE OF NON-RELIABILITY OF THE SYSTEMS OR FACILITIES

RISK ASSESSMENT - BUSINESS DISRUPTION
• PRIOR IDENTIFICATION OF THE CRITICAL SYSTEMS
• DETERMINATION OF THE PERIOD FOR CONTINUANCE OF BUSINESS OPERATIONS WITHOUT THE CRITICAL IT SYSTEMS

BUSINESS CONTINUITY
• PLANS FOR BUSINESS CONTINUITY LAID DOWN
• REGULAR REVIEW / UPDATING OF PLANS
• USER PROCEDURES
• BOARD APPROVAL FOR THE PLANS

BACK-UP FREQUENCY
• PERIODIC DATA BACK-UP
• MORE BACK-UP FREQUENCY
• DEPEND ON CRITICALITY OF PROCEDURES / CHANGES

BACK-UP COMPOSITION
• DATA FILES, PROGRAMS AND SYSTEM SOFTWARE
• DOCUMENTATION SUCH AS USER MANUALS, SYSTEMS MANUAL ETC. SHOULD ALSO BE BACKED UP

BACK-UP SECURITY / LOCATION
• SECURED BACK-UP IN AN OFF-SITE LOCATION
• MAINTENANCE OF PROMPT AND PROPER RECORD OF MEDIA MOVEMENT
• PROPER AUTHORISATION OF MEDIA MOVEMENTS

TESTING
• REGULAR TESTING OF BACK-UP AND RECOVERY
• DETERMINATION OF RECOVERY TIME
• TESTING AFTER CHANGES TO SYSTEMS / PROGRAMS
• LOG OF TESTS CONDUCTED
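The BACK-UP COMPOSITION and TESTING slides describe a procedure: back up data files, programs, system software and documentation, then regularly test the back-up and recovery, determine the recovery time and keep a log of the tests. The following Python script carries that procedure through end to end; it is an added example, not part of the slide deck, and the file set it backs up, the archive format (gzip tar) and the JSON-lines test log are assumptions made for the illustration.

```python
"""Back-up and recovery test (added example, not from the slides): back up a
constructed site, restore it to a clean location, verify every file by hash,
measure the recovery time and append the result to a log of tests."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed site covering the back-up composition the slides list.
SAMPLE_FILES = {
    "data/customers.dat": b"C123455,ACME LTD\nC543217,BETA PLC\n",
    "programs/payroll.py": b"print('payroll run')\n",
    "system/db.ini": b"[database]\nhost=localhost\n",
    "docs/user_manual.txt": b"Payroll user manual, version 1\n",
}


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_sample_site(root):
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def take_backup(source, archive):
    """Archive the whole site and return a manifest of relative path -> hash
    taken from the live files at back-up time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return {str(p.relative_to(source)): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def restore_and_verify(archive, target, manifest):
    """Restore into an empty directory, timing the recovery, and compare every
    restored file against the manifest; returns (seconds, mismatched paths)."""
    target.mkdir(parents=True, exist_ok=True)
    started = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        # Use the safe extraction filter where this Python version provides it.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)
    elapsed = time.perf_counter() - started
    mismatches = [rel for rel, expected in manifest.items()
                  if not (target / rel).is_file() or sha256_of(target / rel) != expected]
    return elapsed, mismatches


def run_backup_test(log_path=None, tamper=None):
    """Full cycle: build the site, back it up, restore, verify, log.  `tamper`
    optionally names a file whose expected hash is replaced, simulating a
    restore that does not reproduce that file, so a failing run can be seen."""
    log_path = Path(log_path) if log_path else Path(tempfile.gettempdir()) / "backup_tests.log"
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, restore_dir = tmp / "site", tmp / "site.tgz", tmp / "restore"
        source.mkdir()
        write_sample_site(source)
        manifest = take_backup(source, archive)
        if tamper:
            manifest[tamper] = "0" * 64   # simulated mismatch for the failing case
        elapsed, mismatches = restore_and_verify(archive, restore_dir, manifest)
    entry = {
        "when": time.strftime("%Y-%m-%dT%H:%M:%S"),
        "files": len(manifest),
        "recovery_seconds": round(elapsed, 4),
        "mismatches": mismatches,
        "result": "PASS" if not mismatches else "FAIL",
    }
    with open(log_path, "a", encoding="utf-8") as log:   # log of tests conducted
        log.write(json.dumps(entry) + "\n")
    return entry


if __name__ == "__main__":
    print(run_backup_test())
    print(run_backup_test(tamper="data/customers.dat"))
```

The manifest is taken from the live files, not from the archive, so the verification proves that what comes back out matches what was in use at back-up time; the recorded `recovery_seconds` is the measured figure the "determination of recovery time" slide asks for, and rerunning the test after a change to the site gives the "testing after changes" evidence.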

APPLICATION CONTROLS

APPLICATIONS
• PROGRAMS TO HANDLE ORGANISATIONAL FUNCTIONS LIKE
  – PRODUCTION
  – FINANCE / COST ACCOUNTS
  – MATERIALS MANAGEMENT
  – PAYROLL
  – LIBRARY MANAGEMENT
  – SHARE TRADING
  – CUSTOMER SERVICE IN BANKS

CONTROL OBJECTIVES FOR INPUT
• TO ENSURE
  – EXISTENCE OF PROPER AUTHORITY
  – UNIQUENESS
  – ACCURACY
  – COMPLETENESS

OBJECTIVES FOR DATA PROCESSING
• TO ENSURE
  – COMPLETENESS
  – ACCURACY
  – UNIQUENESS
  – VALIDITY
  – ACCEPTABILITY

OBJECTIVES FOR OUTPUT
• TO ENSURE
  – COMPLETENESS
  – ACCURACY
  – CONTROL OVER THE PLANNED DISTRIBUTION OF OUTPUT

OBJECTIVES
• TO ENSURE
  – ACCEPTANCE OF EVERY INPUT INTO THE SYSTEM, ONLY ONCE
  – ACCURATE RECORDING OF INPUT

• AGREEMENT OF TRANSACTION TOTALS, IN BATCH INPUTS, WITH A MANUAL TOTAL
• MANUAL TOTALS ARE PRE-RECORDED IN BATCH HEADER DOCUMENTS
• TOTALS BE ENTERED WELL AHEAD OF COMMENCEMENT OF PROCESSING
• USER-DEVISED MECHANISM TO CONTROL PROCESSING OF ALL BATCHES
• LOGGING & REVIEW OF THE CONTROL MECHANISM ON BATCH PROCESSING

• DEVISING INBUILT VALIDITY CHECKS TO CHECK THE ACCURACY OF INPUT
• EXAMPLE
  – A CHECK ON THE CUSTOMER CODE AND ITS FORMAT, AND A CHECK THAT THE CODE IS VALID
• REJECTION, BY THE SYSTEM, OF INPUTS THAT FAIL VALIDITY TESTS
• GENERATION OF EXCEPTION REPORTS
• KEEPING ALL INVALID TRANSACTIONS IN SUSPENSE ACCOUNTS, FOR ACTION BY USERS
• IN CASE OF CRITICAL AND SMALL-VOLUME INPUT, RESORTING TO 'ONE-TO-ONE INPUT CHECKING' COULD BE EFFECTIVE
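The input-control slides above describe one procedure: pre-recorded batch header totals are agreed with the computed totals before processing, each transaction is accepted only once, inbuilt validity checks cover the customer code's format and existence, failures are rejected to a suspense account and reported as exceptions. The following Python script implements that procedure end to end; it is an added example and not part of the slide deck, and the transaction layout, the customer-code format with its weighted modulus-11 check digit, the customer master file and the batches are all constructed for the illustration.

```python
"""Batch input controls (added example, not from the slides): header control
totals, built-in validity checks, rejection to suspense and an exception
report.  Transaction layout, code format, check digit and batches are
constructed."""
from dataclasses import dataclass


@dataclass
class Transaction:
    ref: str            # transaction reference; each input is accepted only once
    customer_code: str
    amount: int         # whole currency units so totals stay exact


@dataclass
class Batch:
    batch_id: str
    header_count: int   # manual totals pre-recorded on the batch header document
    header_amount: int
    header_hash: int    # hash total of the numeric part of the customer codes
    items: list


def check_digit(five_digits):
    """Weighted modulus-11 check digit over five digits with weights 6..2 (a
    constructed scheme); returns None when the remainder would need a tenth
    symbol, in which case no such code is issued."""
    weighted = sum(int(d) * w for d, w in zip(five_digits, range(6, 1, -1)))
    check = (11 - weighted % 11) % 11
    return None if check == 10 else check


def customer_code_valid(code, customer_master):
    """Format check (C + five digits + check digit) followed by an existence
    check against the customer master file."""
    if len(code) != 7 or code[0] != "C" or not code[1:].isdigit():
        return False
    if check_digit(code[1:6]) != int(code[6]):
        return False
    return code in customer_master


def computed_totals(items):
    """Count, amount and hash totals recomputed from the keyed items."""
    count = len(items)
    amount = sum(t.amount for t in items)
    hash_total = sum(int(t.customer_code[1:6]) for t in items
                     if t.customer_code[1:6].isdigit())
    return count, amount, hash_total


def process_batch(batch, customer_master):
    """Return (accepted, suspense, exceptions).  Item-level validation only
    starts once the computed totals agree with the batch header."""
    exceptions = []
    totals = computed_totals(batch.items)
    header = (batch.header_count, batch.header_amount, batch.header_hash)
    if totals != header:
        exceptions.append(f"{batch.batch_id}: computed totals {totals} disagree "
                          f"with header {header}; batch held for user action")
        return [], list(batch.items), exceptions
    accepted, suspense, seen = [], [], set()
    for t in batch.items:
        if t.ref in seen:
            reason = "duplicate reference; input accepted only once"
        elif not customer_code_valid(t.customer_code, customer_master):
            reason = f"invalid customer code {t.customer_code}"
        elif t.amount <= 0:
            reason = "amount must be positive"
        else:
            reason = None
        seen.add(t.ref)
        if reason:
            exceptions.append(f"{batch.batch_id}/{t.ref}: {reason}")
            suspense.append(t)      # held in suspense for action by users
        else:
            accepted.append(t)
    return accepted, suspense, exceptions


# Constructed customer master and batches.
CUSTOMER_MASTER = {"C123455", "C543217", "C000108"}

GOOD_BATCH = Batch("B001", header_count=5, header_amount=5500, header_hash=91366, items=[
    Transaction("T1", "C123455", 1000),
    Transaction("T2", "C543217", 2500),
    Transaction("T3", "C123456", 700),    # wrong check digit
    Transaction("T4", "C000108", 300),
    Transaction("T1", "C123455", 1000),   # duplicate of T1
])

# Same items, but the header amount was recorded wrongly: the whole batch is held.
BAD_HEADER_BATCH = Batch("B002", header_count=5, header_amount=5000,
                         header_hash=91366, items=GOOD_BATCH.items)

if __name__ == "__main__":
    for batch in (GOOD_BATCH, BAD_HEADER_BATCH):
        accepted, suspense, exceptions = process_batch(batch, CUSTOMER_MASTER)
        print(f"{batch.batch_id}: accepted {len(accepted)}, suspense {len(suspense)}")
        for line in exceptions:
            print("  EXCEPTION:", line)
```

Three separate totals are agreed (count, amount and a hash total of the customer codes) because an amount total alone does not detect a transaction keyed against the wrong customer; the hash total catches that, and the check digit catches transposed or mistyped digits before the master-file lookup.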

OBJECTIVES
• TO ENSURE COMPLETE & PROPER PROCESSING OF DATA
• TO CHECK AGAINST DUPLICATE PROCESSING
• TO ENSURE APPLICATION OF ALL APPROPRIATE PROCESSES ON THE CORRECT DATA

RUN-TO-RUN TOTALS
• PRIOR IDENTIFICATION OF RUN-TOTALS
• AGREEMENT OF RUN-TOTALS WITH THE TOTALS OF THE SYSTEM, AFTER DATA PROCESSING
• WHEN TWO TOTALS CAN BE RELATED, CONTROLLING FROM THAT POINT FORWARD BY MEANS OF THE SECOND TOTAL
• EXAMPLE
  – USING PIVOT TOTAL IN TIME RECORDING / PAYROLL SYSTEM
  – REGULATING GROSS PAY WITH REGARD TO HOURS WORKED
  – ITS ADOPTION FOR FURTHER PROCESSING

INDEPENDENT CONTROL ACCOUNT
• TO PREDICT PROCESSING RESULTS
• TO HIGHLIGHT AN UNEXPECTED RESULT
• HERE, A CONTROL ACCOUNT POSTED FROM AN INDEPENDENT SOURCE IS USED
• HELPS IN FLAGGING ERRORS CAUSED BY EXTRANEOUS FACTORS, LIKE
  – USE OF AN INCORRECT LEDGER / FILE DURING DATA PROCESSING
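The RUN-TO-RUN TOTALS slide uses the time-recording / payroll pivot total as its example, and the INDEPENDENT CONTROL ACCOUNT slide names processing against an incorrect file as the kind of error the control account catches. The following Python script works both controls through on one payroll run: the hours total from the time-recording run is carried into the payroll run and must be reproduced there, and the gross-pay total is then agreed with a control account posted from an independent source. It is an added example, not part of the slide deck; the employees, hours, the two rate files and the HR rate card are constructed.

```python
"""Run-to-run totals and an independent control account across a
time-recording run and a payroll run (added example, not from the slides).
Employees, hours, rate files and the authorised rate card are constructed."""

# Constructed input: timesheets for the period as (employee, hours).
TIMESHEETS = [("E01", 40.0), ("E02", 35.5), ("E03", 20.0)]

# Constructed pay-rate files: the current one, and a stale copy that a mis-run
# might pick up (the "incorrect file" case the slides describe).
RATE_FILE_CURRENT = {"E01": 20.0, "E02": 18.0, "E03": 25.0}
RATE_FILE_STALE = {"E01": 19.0, "E02": 18.0, "E03": 24.0}

# Independent source for the control account: the authorised rate card held by
# HR, maintained separately from whatever file the payroll run reads.
HR_AUTHORISED_RATES = {"E01": 20.0, "E02": 18.0, "E03": 25.0}


def time_recording_run(timesheets):
    """Run 1: aggregate hours per employee and return the pivot total of hours
    that is carried forward to the next run."""
    hours = {}
    for emp, h in timesheets:
        hours[emp] = hours.get(emp, 0.0) + h
    return hours, round(sum(hours.values()), 2)


def payroll_run(hours, rate_file, hours_pivot_total):
    """Run 2: the hours total recomputed from the input must agree with the
    pivot total carried from run 1 before gross pay is computed (run-to-run
    control); returns gross pay per employee and its total."""
    recomputed = round(sum(hours.values()), 2)
    if recomputed != hours_pivot_total:
        raise ValueError(f"run-to-run mismatch: hours {recomputed}, carried {hours_pivot_total}")
    gross = {emp: round(h * rate_file[emp], 2) for emp, h in hours.items()}
    return gross, round(sum(gross.values()), 2)


def independent_control_total(timesheets, authorised_rates):
    """Control account posted from an independent source (the HR rate card),
    predicting what the payroll run should produce."""
    return round(sum(h * authorised_rates[emp] for emp, h in timesheets), 2)


def control_account_check(gross_total, control_total):
    """None when the run agrees with the control account; otherwise a message
    describing the unexpected result for investigation."""
    if gross_total == control_total:
        return None
    return (f"gross pay {gross_total:.2f} differs from control account "
            f"{control_total:.2f} by {gross_total - control_total:+.2f}")


def run_payroll(timesheets, rate_file):
    """Both runs plus the control-account agreement; returns (gross_total, finding)."""
    hours, pivot = time_recording_run(timesheets)
    gross, gross_total = payroll_run(hours, rate_file, pivot)
    control = independent_control_total(timesheets, HR_AUTHORISED_RATES)
    return gross_total, control_account_check(gross_total, control)


if __name__ == "__main__":
    for label, rates in (("current rate file", RATE_FILE_CURRENT),
                         ("stale rate file", RATE_FILE_STALE)):
        total, finding = run_payroll(TIMESHEETS, rates)
        print(f"{label}: gross {total:.2f} -> {finding or 'agrees with control account'}")
```

The run-to-run check only proves that nothing was lost or duplicated between the two runs; it is the control account, built from a source the payroll run never reads, that exposes the stale rate file, which is why the slides treat the two as separate controls.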

OBJECTIVES
• TO ENSURE
  – INPUT-OUTPUT CONSISTENCY
  – COST-EFFECTIVE DISTRIBUTION OF OUTPUT

COMPLETENESS OF PRINCIPAL REPORTS
• PRIOR ESTABLISHMENT OF TOTALS OF THE DESIRED OUTPUT
• PRINTING OF TOTALS ON PRINTING OF THE OUTPUT
• COMPARISON OF THESE TOTALS WITH INDEPENDENT CONTROL ACCOUNT TOTALS
• COMPARISON OF THESE TOTALS WITH PRE-COMPUTED TOTALS AS PER UPDATE REPORTS

COMPLETENESS OF SELECTIVE REPORTS
• NOT POSSIBLE TO AGREE WITH PRINCIPAL REPORTS DUE TO THEIR NATURE
• THE TOTALS CAN BE PRINTED ON THESE REPORTS TO CONFIRM ADDRESSING ALL DATA RECORDS WHILE MAKING THE SELECTION
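The two COMPLETENESS slides above distinguish a principal report, whose printed totals are agreed with the control account and with the update report, from a selective report, which prints the count and total of the records it examined so the reader can confirm the selection addressed the whole file. The following Python script shows both, including a truncated principal report being caught; it is an added example and not part of the slide deck, and the ledger extract, control account balance and update-report total are constructed.

```python
"""Output completeness controls for a principal report and a selective report
(added example, not from the slides).  Ledger, control account and
update-report total are constructed."""

# Constructed ledger extract: (account, balance).
LEDGER = [("1001", 500), ("1002", -120), ("1003", 2300), ("1004", 0), ("1005", 780)]

# Independent control account and the pre-computed total from the update
# report that fed this ledger (both constructed to agree with LEDGER).
CONTROL_ACCOUNT = {"balance": 3460, "records": 5}
UPDATE_REPORT_TOTAL = 3460


def principal_report(ledger):
    """Print every record, then the totals; returns (lines, total, count)."""
    total = sum(bal for _, bal in ledger)
    lines = [f"{acct} {bal:>8}" for acct, bal in ledger]
    lines.append(f"TOTAL {total:>8}  RECORDS {len(ledger)}")
    return lines, total, len(ledger)


def agree_principal_report(total, count, control, update_total):
    """Agree the printed totals with the independent control account and with
    the pre-computed update-report total; returns a list of discrepancies."""
    problems = []
    if total != control["balance"]:
        problems.append(f"report total {total} != control account {control['balance']}")
    if count != control["records"]:
        problems.append(f"report records {count} != control account records {control['records']}")
    if total != update_total:
        problems.append(f"report total {total} != update report total {update_total}")
    return problems


def selective_report(ledger, predicate):
    """A selective report cannot be agreed to the principal totals, so it
    prints how many records were examined and the full-file total to show the
    selection addressed every record; returns (lines, examined, file_total)."""
    examined, file_total, lines = 0, 0, []
    for acct, bal in ledger:
        examined += 1
        file_total += bal
        if predicate(bal):
            lines.append(f"{acct} {bal:>8}")
    lines.append(f"SELECTED {len(lines)}  EXAMINED {examined}  FILE TOTAL {file_total}")
    return lines, examined, file_total


def agree_selective_report(examined, file_total, control):
    """The examined count and file total are what can be agreed to the control
    account for a selective report; returns a list of discrepancies."""
    problems = []
    if examined != control["records"]:
        problems.append(f"examined {examined} != control account records {control['records']}")
    if file_total != control["balance"]:
        problems.append(f"file total {file_total} != control account {control['balance']}")
    return problems


if __name__ == "__main__":
    lines, total, count = principal_report(LEDGER)
    print("\n".join(lines))
    print("principal:", agree_principal_report(total, count, CONTROL_ACCOUNT, UPDATE_REPORT_TOTAL) or "complete")
    # A run that dropped the last record is caught by the same agreement.
    lines, total, count = principal_report(LEDGER[:-1])
    print("truncated:", agree_principal_report(total, count, CONTROL_ACCOUNT, UPDATE_REPORT_TOTAL))
    lines, examined, file_total = selective_report(LEDGER, lambda bal: bal < 0)
    print("\n".join(lines))
    print("selective:", agree_selective_report(examined, file_total, CONTROL_ACCOUNT) or "complete")
```

The examined count and file total on the selective report are accumulated over every record the selection loop visits, not over the selected ones, which is what makes them comparable with the control account even though the selected lines themselves never add up to anything the control account predicts.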

• CAN BE INSTALLED
• DIFFICULT TO IMPLEMENT MANY CONTROL PROCEDURES REQUIRED FOR MANAGEMENT AUDITORS
  – (UNLIKE IN BATCH PROCESSING)

POSSIBLE CONTROL MEASURES
• ONLY IN-BUILT PREVENTIVE CONTROLS LIKE PASSWORD PROTECTION
• CONVERSATIONAL EDITING
• LOG FILES TO MINIMISE THE RISKS TO SYSTEMS
• ONE-TO-ONE CHECKING
• EXCEPTION REPORTING
• REPORT ON SUSPENSE ACCOUNT
• POSTING & RECONCILIATION OF DATA TO AN INDEPENDENT REAL CONTROL ACCOUNT

• CONTROL PROBLEMS AS IN REAL-TIME SYSTEMS
• MORE RELIANCE ON THE GENERAL IT CONTROLS
• COMPLETENESS OF REPORTS HINGES ON ACCURACY OF THE DATA MORE THAN PROGRAMS

POSSIBLE CONTROL MEASURES
• ALL REPORTS TREATED AS EXCEPTION REPORTS
• COMPLETENESS OF REPORTS SHOULD BE PROVED
• INTEGRITY CHECKING BY ADMINISTRATORS TO CHECK & CONTROL ERRORS

• IDENTIFY MAIN INPUTS
• TEST-CHECK THE PROCEDURES FOR INPUT AUTHORISATION
• VERIFY THE ADEQUACY OF CHECKS FOR DATA VALIDATION
• VERIFY THE ADEQUACY OF PROCEDURES TO ENSURE COMPLETENESS OF DATA
• VERIFY THE PROCEDURES TO HANDLE INCORRECT DATA
• CHECK THE CONTROLS, AT EACH STAGE OF PROCESSING, FOR
  – DATA VALIDATION
  – DATA COMPLETENESS
  – DATA ACCURACY
• CHECK ERROR-HANDLING PROCEDURES AT EACH STAGE OF PROCESSING
• CHECK THE CONTROLS FOR ACCURACY AND ADEQUACY OF INPUTS (BY RECONCILING OUTPUT WITH INPUTS)
• CHECK THE CONTROLS TO PROTECT OUTPUT BEFORE DISTRIBUTION
• CHECK THE CONTROLS OVER THE ISSUE OF FINANCIAL STATIONERY
• CHECK THE EFFECTIVENESS OF
  – ACCESS RESTRICTION
  – SECURITY OVER SENSITIVE INFORMATION
  – PASSWORD MANAGEMENT
