Flashcards in Internal Controls & IT General Controls 2(b)(iii) to 2(b)(vi) Deck (12):
Under "Change Management", what is included in "Policies and Procedures"?
- Version control,
release, distribution, implementation, testing
- Change process should be formalized and structured, begin w/ initiation of a change request and authorization of all changes
- ID proper authority for approving changes
- Include how to keep project sponsor informed about status
- At minimum, address key aspects: changes to apps and relevant hardware, OS, and configs.
- Address initiation, authorization, purchasing or developing, testing, deployment and maintenance
What factors should be considered under "Configuration Management"?
- Issue w/ Config Mgmt is it can interact w/ apps
- Objective is to control config changes to w/in formalized structure, whether automated or manual
- ERP generally are high-risk config's
- Config's should be
controlled and managed closely and generally in scope for IT/financial audit
- Requires subject-matter expert to audit/evaluate ERP config
- Consider same objectives for "Change Mgmt": Authorized changes, limited access, changes/setup doc, process for testing, and process for approving and managing changes
- COBIT equiv is “Manage the Configuration”
What factors should be considered under "Software Management"?
- Include apps entity used in its accounting
info sys, whether COTS, custom or both
- Ensure purchased from reliable vendors
- Guidance on software update w/ version changes and software maintenance
- If custom software, should document procedures to ensure risks of errors and fraud in development and deployment are mitigated
What factors should be considered under "O/S Management"?
- Consider issues and objectives similar to software (version control, updates, development control, testing before deployment
- Logical access control
- Settings and parameters of O/S and patches
What factors should be considered under "Network Management"?
- Include internal and external networks,
outsourcing, level of operating performance (availability), access controls (pw policy), and security
IT Governancetakes what 3 forms simultaneously and work together to result in effective Change Mgmt?
(1) Structure - includes roles and responsibilities, IT org structure, CIO, expert on BoD, IT strategy committee, and IT Steering committee
- Structure involves responsibility functions like IT execs and one or more IT committees.
(2) Processes - includes activities like strategic IT planning, Service Level Agreements (SLAs) w/ 3rd party IT providers, application of COBIT/ITIL/other applicable frameworks and best practices, alignment of IT w/ enterprise goals and objectives, and governance maturity models
- Processes ensure strategic decision making and monitoring of IT effectiveness and efficiency
(3) Monitoring - involves measuring IT performance using proprietary metrics.Measures are cost-benefit and ROI, balanced scorecard, and intangible performance factors
What are 2 main purposes of IT Governance?
(1) Effectively manage IT function (plan, organize and control IT activities)
(2) Effectively mitigate IT risks
- These purposes provide assurance about quality of IT overall and over aspects like change mgmt
What is "Vulnerability Mgmt"?
- Manage assurance that whole infrastructure and components functioning at level to minimize IT, business, and financial reporting risks associated w/ apps (same true for financial reporting process)
- Aspects of infrastructure subject to vulnerabilities that may arise
- Effective Vulnerability Mgmt involves watching for new vulnerabilities and timely patching
- Objects that may need vulnerability control include OS, general use commercial software, and internet technologies (routers, browsers)
Under "Vulnerability Mgmt", where does Vulnerability exist?
- In things that overlap w/ info security (malware), unauth access, and security risks
- In COTS software where upgrades made to correct vulnerability (email software, malware and DBMS and SQL injections)
- Ex: Vulnerabilities in DBMS, by nature, allow unauth access and provide way for malicious activities
What are "Application Control"?
- Control that occurs automatically, usually through computer systems, based on predefined criteria, circumstances, times, dates, or events
- Embedded and specific to accounting applications
- Intended to provide controls for authorization, approval, delivery of product or service, transactional
recording, integrity of data and audit trail
Name the 5 Financial Transaction Functions: