Internal Controls & IT General Controls 2(b)(iii) to 2(b)(vi) Flashcards

1
Q

Under “Change Management”, what is included in “Policies and Procedures”?

A
  • Version control, release, distribution, implementation, testing
  • Change process should be formalized and structured, begin w/ initiation of a change request and authorization of all changes
  • ID proper authority for approving changes
  • Include how to keep project sponsor informed about status
  • At minimum, address key aspects: changes to apps and relevant hardware, OS, and configs.
  • Address initiation, authorization, purchasing or developing, testing, deployment and maintenance
2
Q

What factors should be considered under “Configuration Management”?

A
  • Issue w/ Config Mgmt is it can interact w/ apps
  • Objective is to control config changes to w/in formalized structure, whether automated or manual
  • ERP configurations are generally high-risk
  • Config’s should be controlled and managed closely and are generally in scope for IT/financial audit
  • Requires subject-matter expert to audit/evaluate ERP config
  • Consider same objectives for “Change Mgmt”: Authorized changes, limited access, changes/setup doc, process for testing, and process for approving and managing changes
  • COBIT equiv is “Manage the Configuration”
3
Q

What factors should be considered under “Software Management”?

A
  • Include apps the entity uses in its accounting info sys, whether COTS, custom or both
  • Ensure purchased from reliable vendors
  • Guidance on software update w/ version changes and software maintenance
  • If custom software, should document procedures to ensure risks of errors and fraud in development and deployment are mitigated
4
Q

What factors should be considered under “O/S Management”?

A
  • Consider issues and objectives similar to software (version control, updates, development control, testing before deployment)
  • Logical access control
  • Settings and parameters of O/S and patches
5
Q

What factors should be considered under “Network Management”?

A
  • Include internal and external networks, outsourcing, level of operating performance (availability), access controls (pw policy), and security

6
Q

IT Governance takes what 3 forms simultaneously, which work together to result in effective Change Mgmt?

A

SPM

(1) Structure - includes roles and responsibilities, IT org structure, CIO, expert on BoD, IT strategy committee, and IT Steering committee
- Structure involves responsibility functions like IT execs and one or more IT committees.
(2) Processes - includes activities like strategic IT planning, Service Level Agreements (SLAs) w/ 3rd party IT providers, application of COBIT/ITIL/other applicable frameworks and best practices, alignment of IT w/ enterprise goals and objectives, and governance maturity models
- Processes ensure strategic decision making and monitoring of IT effectiveness and efficiency
(3) Monitoring - involves measuring IT performance using proprietary metrics. Measures are cost-benefit and ROI, balanced scorecard, and intangible performance factors

7
Q

What are 2 main purposes of IT Governance?

A

(1) Effectively manage IT function (plan, organize and control IT activities)
(2) Effectively mitigate IT risks
- These purposes provide assurance about quality of IT overall and over aspects like change mgmt

8
Q

What is “Vulnerability Mgmt”?

A
  • Manage assurance that the whole infrastructure and its components are functioning at a level that minimizes IT, business, and financial reporting risks associated w/ apps (same true for the financial reporting process)
  • Aspects of infrastructure subject to vulnerabilities that may arise
  • Effective Vulnerability Mgmt involves watching for new vulnerabilities and timely patching
  • Objects that may need vulnerability control include OS, general use commercial software, and internet technologies (routers, browsers)
9
Q

Under “Vulnerability Mgmt”, where does Vulnerability exist?

A
  • In things that overlap w/ info security (malware), unauth access, and security risks
  • In COTS software where upgrades are made to correct a vulnerability (email software, malware, and DBMS and SQL injections)
  • Ex: Vulnerabilities in DBMS, by nature, allow unauth access and provide way for malicious activities
10
Q

What are “Application Controls”?

A
  • Control that occurs automatically, usually through computer systems, based on predefined criteria, circumstances, times, dates, or events
  • Embedded and specific to accounting applications
  • Intended to provide controls for authorization, approval, delivery of product or service, transactional recording, integrity of data and audit trail
11
Q

Name the 5 Financial Transaction Functions:

A

(1) Initiation
(2) Authorization
(3) Record
(4) Process
(5) Report

12
Q

Name example Application Controls associated w/ each of the 5 Financial Transaction Functions:

A
(1) Initiation
– Data transmission controls
– Input edits
– Validations
– Security
(2) Authorization
– Programmed transaction approvals
– Restricted access to information/data files
(3) Record
– Database updates
– Automated feeds
(4) Process
– Calculations and related tables
– File checking
– Automated restrictions to sensitive transactions
(5) Report
– Automated posting to subsidiary or general ledgers
– Automated reporting whether commercial application or “user-defined”