Internal Controls & IT General Controls 2(b)(iii) to 2(b)(vi) Flashcards


Flashcards in Internal Controls & IT General Controls 2(b)(iii) to 2(b)(vi) Deck (12):

Under "Change Management", what is included in "Policies and Procedures"?

- Version control, release, distribution, implementation, testing
- Change process should be formalized and structured, begin w/ initiation of a change request and authorization of all changes
- ID proper authority for approving changes
- Include how to keep project sponsor informed about status
- At minimum, address key aspects: changes to apps and relevant hardware, OS, and configs.
- Address initiation, authorization, purchasing or developing, testing, deployment and maintenance


What factors should be considered under "Configuration Management"?

- Issue w/ Config Mgmt is that configuration settings interact w/ apps
- Objective is to control config changes w/in a formalized structure, whether automated or manual
- ERP systems are generally high-risk configurations
- Configurations should be controlled and managed closely and are generally in scope for IT/financial audit
- Requires a subject-matter expert to audit/evaluate ERP configuration
- Consider same objectives for "Change Mgmt": Authorized changes, limited access, changes/setup doc, process for testing, and process for approving and managing changes
- COBIT equiv is “Manage the Configuration”


What factors should be considered under "Software Management"?

- Include apps the entity uses in its accounting info sys, whether COTS, custom or both
- Ensure purchased from reliable vendors
- Guidance on software update w/ version changes and software maintenance
- If custom software, should document procedures to ensure risks of errors and fraud in development and deployment are mitigated


What factors should be considered under "O/S Management"?

- Consider issues and objectives similar to software (version control, updates, development control, testing before deployment)
- Logical access control
- Settings and parameters of O/S and patches


What factors should be considered under "Network Management"?

- Include internal and external networks, outsourcing, level of operating performance (availability), access controls (pw policy), and security


IT Governance takes what 3 forms that operate simultaneously and work together to result in effective Change Mgmt?

(1) Structure - includes roles and responsibilities, IT org structure, CIO, expert on BoD, IT strategy committee, and IT Steering committee
- Structure involves responsibility functions like IT execs and one or more IT committees.
(2) Processes - includes activities like strategic IT planning, Service Level Agreements (SLAs) w/ 3rd party IT providers, application of COBIT/ITIL/other applicable frameworks and best practices, alignment of IT w/ enterprise goals and objectives, and governance maturity models
- Processes ensure strategic decision making and monitoring of IT effectiveness and efficiency
(3) Monitoring - involves measuring IT performance using proprietary metrics. Measures are cost-benefit and ROI, balanced scorecard, and intangible performance factors


What are 2 main purposes of IT Governance?

(1) Effectively manage IT function (plan, organize and control IT activities)
(2) Effectively mitigate IT risks
- These purposes provide assurance about quality of IT overall and over aspects like change mgmt


What is "Vulnerability Mgmt"?

- Provides assurance that the whole infrastructure and its components function at a level that minimizes IT, business, and financial reporting risks associated w/ apps (same is true for the financial reporting process)
- Aspects of the infrastructure are subject to vulnerabilities that may arise over time
- Effective Vulnerability Mgmt involves watching for new vulnerabilities and timely patching
- Objects that may need vulnerability control include OS, general use commercial software, and internet technologies (routers, browsers)


Under "Vulnerability Mgmt", where does Vulnerability exist?

- In areas that overlap w/ info security: malware, unauth access, and other security risks
- In COTS software where upgrades are made to correct a vulnerability (e.g., email software, malware defenses, DBMS and SQL injection)
- Ex: Vulnerabilities in a DBMS, by nature, allow unauth access and provide a way for malicious activities


What are "Application Controls"?

- Controls that occur automatically, usually through computer systems, based on predefined criteria, circumstances, times, dates, or events
- Embedded in and specific to accounting applications
- Intended to provide controls for authorization, approval, delivery of product or service, transactional recording, integrity of data and audit trail


Name the 5 Financial Transaction Functions:

(1) Initiation
(2) Authorization
(3) Record
(4) Process
(5) Report


Name example Application Controls associated w/ each of the 5 Financial Transaction Functions:

(1) Initiation
– Data transmission controls
– Input edits
– Validations
– Security
(2) Authorization
– Programmed transaction approvals
– Restricted access to information/data files
(3) Record
– Database updates
– Automated feeds
(4) Process
– Calculations and related tables
– File checking
– Automated restrictions to sensitive transactions
(5) Report
– Automated posting to subsidiary or general ledgers
– Automated reporting whether commercial application or “user-defined”