GENERAL CONTROLS Flashcards
(34 cards)
GENERAL CONTROLS
General IT controls are the basic rules and checks that apply to all systems in the company. They help make sure the application controls can work properly by keeping the IT systems running reliably and securely.
- If general controls are weak, all the systems might be at risk.
(1) SYSTEM DEVELOPMENT AND IMPLEMENTATION CONTROLS
The rules and checks that make sure new systems, or major changes to existing systems, are designed, built, and installed properly, with as few bugs, errors, or surprises as possible.
They must be properly developed, authorised and meet the users' needs.
There are two cases: SELF DEVELOPED SYSTEM or PURCHASED PACKAGE.
SELF DEVELOPED SYSTEM
a. Project authorisation and Management
To make sure the development of the system is officially approved and properly managed from start to finish.
- Was the system project formally approved?
- Is there a project manager?
- Is there a plan with deadlines, budgets, and responsibilities?
- Are progress and costs being monitored?
b. System specification and user needs
To make sure the new system is designed to meet actual business needs, not just what IT thinks is needed.
Two methods of specifying systems
1. Traditional - written system specifications by means of discussions between data processing department and users.
2. Prototype systems - Design a prototype, then allow users to try it out and refine the system through a series of prototypes.
c. System design and Programming standards
To ensure the system is designed properly and that the code follows proper rules and standards:
- ensure the new system works well with other systems already in use
- ensure the system has built-in checks and controls
- ensure there is supervision over system design
- ensure the system complies with predetermined standards
- development and testing should always be done in a program library, never on live data.
d. Testing of new system
To make sure the system is fully tested before it goes live
1. Program testing - checking that the program does what it is supposed to do and does not do anything irrelevant or wrong.
2. System testing - if all the parts of the system, which were built and tested individually, work together correctly as one full system.
3. Live Testing - the system is tested in real-life, working conditions, but in a controlled way to reduce risk.
- Parallel running: You run both the new system and the old system at the same time, for the same transactions, to compare results and see if the new system works properly.
- Pilot running: You introduce the new system to a small portion
PURCHASED PACKAGE SYSTEM
a) Specification and selection of packages;
Discussions with other users; observing operation of the package.
QUESTIONS:
* Facilities offered by program;
* Freedom from program errors;
* Speed and efficiency;
* Ease of use;
* Quality of support.
b) Implementation and testing of packages.
Testing:
* Independent testing;
* Review of experiences of other users.
Implementation:
* Involvement of:
* User departments;
* Data processing;
* Management;
* Quality assurance.
PURCHASED SYSTEM
ADVANTAGES AND DISADVANTAGES
ADVANTAGES:
* Less implementation time (immediate implementation);
* Lower cost and cost is predetermined;
* Tested thoroughly - thus very reliable.
DISADVANTAGES
* Dependent on vendors for maintenance;
* Too general /inflexible to cater for needs;
* Change maintenance difficult OR impossible;
* Written overseas (VAT and tax differ).
SYSTEM CONVERSION
General controls during conversion to the new system (self developed / purchased) consist of 6 sub-sections:
I. Planning and preparation;
II. Control over conversion of data by the data control group;
III. Update system documentation;
IV. Testing;
V. Backup of new system;
VI. Post-implementation review.
(1) PLANNING AND PREPARATION
- Prepare timetables for conversion;
- Define methods used (e.g. parallel / pilot);
- Determine cut-off dates;
- Prepare data files for conversion
- Training of staff;
- Balance files on old system ;
- Prepare premises (constant power / air-con).
(2) CONTROL OVER CONVERSION OF DATA BY THE DATA CONTROL GROUP
- Supervision by senior management;
- Auditor involvement.
(3) UPDATE SYSTEM DOCUMENTATION
- System flowcharts;
- System descriptions;
- Operating manuals.
(4) TESTING
- Balancing old files with new files;
- Third party confirmations;
- Follow up of exception reports;
- Comparison with data run on old system (parallel);
- Manual comparison of data;
- Approval by users.
SYSTEM MAINTENANCE CONTROLS
To ensure changes to the system are authorised and meet the users' needs.
System change controls ensure that all changes we make to our systems are:
* Complete;
* Valid;
* Properly tested;
* All information is backed up and recovery procedures are in place.
ORGANISATIONAL AND MANAGEMENT CONTROLS
Focuses on how the structure and leadership of the IT function are designed to prevent chaos, ensure accountability, and support proper use of systems.
- Segregation of duties - Split responsibilities
- Written policies for System use, Password security, Data backups
CONTROLS AGAINST VIRUSES
STAFF - Inform them about the dangers, limit the use of computers, and explain the reporting procedures in case of infection.
SUPERVISION AND REVIEW - By CIS manager, divisional managers, System investigations by internal and external audit.
ACCESS CONTROLS
Restrict unauthorised access to terminals and data
- Terminals
- TINS
- Limited access to system
- Automatic log off after 5 minutes of non-use;
- Shut down after 3 unsuccessful login attempts;
- Log on limited to one workstation;
- Investigation into each disconnection;
- Simultaneous login prohibited.
- Identification of users
- User IDs & passwords;
- Verify IP address;
- Magnetic cards;
- Voice recognition / fingerprints (use of biometric data).
- Authorisation of users
Users are only allowed to access what they are authorised for.
- Monitoring of access and processing
- Audit trails reviewed for daily activities;
- Console logs and activity registers;
- Application software (unauthorised access);
- Firewalls.
- Communication lines and networks
Secure the connection between computers and servers, especially for remote access or across offices.
* Passwords;
* Dial & dial back;
* Identification data;
* Different routes for sensitive data;
* Encryption of data.
- Password controls
- Password strength:
- Not easily guessed; not shown on screen;
- Changed regularly;
- Automatic system request;
- Re-use of password prohibited.
- Confidentiality emphasised;
- Cancelled on resignation/ dismissal;
- Cancelled after period of inactivity;
- Used for authorisation;
- Limit access to part of system;
- Limit access to certain times of day;
- Authorisation levels linked.
- Program libraries
These are folders or databases where software programs and updates are stored.
* Access to backup programs controlled by access software;
* Passwords;
* Updating of a backup must be authorised.