IT Controls for auditors 19-26 July 2013
Introductory remarks
©2013 KPMG Romania SRL, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative("KPMG International"), a Swiss entity. All rights reserved. PDC no.8229.
Logistics
Training's duration: 1 day
Agenda (topic, schedule)
Approach and planning: 9:30 - 10:30
Working Papers and controls: 10:30 - 12:00
Study Case: 13:00 - 16:00
Q&A: 16:00 -
GITC Testing Approach
Planning
Agenda
PBC ("prepared by client") request list
Planning memo
IRM involvement*
Lower complexity: the audit team performs the GITC work; an IRM specialist can be consulted.
Higher complexity: IRM performs and reviews the GITC work. Higher complexity engagements are financial institutions, engagements over 1,000 hours, listed companies, and entities where IT is critical.
* IRM involvement is agreed at planning.
Module 1 GITC Overview
Understanding of IT
Description of the IT organization
Main applications used
Information services suppliers and contracts' SLAs
IT strategy and IT budget
(Figure: example of understanding of IT)
GITC Overview
General IT Controls: 4 control areas with a total of 22 controls
Access to programs and data: 8 controls
Program changes: 6 controls
Program development: 3 controls
Computer operations: 5 controls
ITGC on a page
Access to programs and data (higher risk area, due to the potential impact on automated controls)
Objective: To determine whether adequate controls for access to programs and data have been established to reduce the risk of unauthorised/inappropriate access to the relevant information systems related to financial reporting.
Controls: Information security policy; Physical access; Configuration of access rules; Access administration; Identification and authentication; Monitoring; Superusers
Program changes (higher risk area, due to the potential impact on automated controls)
Objective: To determine whether adequate controls for program changes have been established to ensure that changes to existing systems/applications are authorised, tested, approved, properly implemented and documented.
Controls: Authorization, development, testing and approval; Migration to the production environment; Configuration changes; Emergency changes
Program development (higher risk when relevant; consider involving an IRM specialist)
Objective: To determine whether adequate controls for program development have been established to ensure that new systems/applications which are developed or acquired are authorised, tested, approved, properly implemented and documented.
Controls: Methodology for development; Design, development, testing, approval and implementation; Data migration
Computer operations (lower risk area, requiring less focus)
Objective: To determine whether adequate controls for computer operations have been established to ensure that system/application processing is appropriately authorized and scheduled, and that deviations from scheduled processing are identified and resolved.
Controls: Job processing; Backup and recovery procedures; Incident and problem management procedures
Access to programs and data
Information security policy/ awareness
The Company developed and implemented a formal Information Security Policy addressing the usage and security of the information resources.
Physical access
The physical access to critical IT resources is appropriately controlled.
Configuration of access rules
Users' access rights to the financial applications are granted based on user profile templates which have been approved by the Management.
User administration
Users' accounts for the network and the financial applications are created, deleted and modified based on formal requests from business Management.
Identification and authentication
Appropriate password rules are implemented for network and financial applications access.
Users' access review
A formal review of network and financial applications user accounts and user access rights is regularly performed at the Company.
Super users
The access to powerful user accounts defined for the network and for the financial applications is restricted to a small group of personnel to preserve accountability.
Monitoring of super users' activity
The activities performed by the super users are formally monitored.
Program changes
Authorization, development, testing and approval - Initiation
Changes to the financial applications are documented and authorized by the appropriate level of management.
Authorization, development, testing and approval - Testing
Changes to the financial applications are tested, validated and approved prior to being migrated to the production environment.
Authorization, development, testing and approval Environments
The Company uses development and test environments which are separated from the production environment.
Migration to the production environment
Migration of changes to production environment is appropriately controlled.
Configuration changes
System configuration changes are tested, validated and approved prior to migration to live environment.
Emergency changes
The entity implemented appropriate controls in order to ensure that emergency changes are properly handled.
Program development
Methodology for development/ acquisition
New systems (in-house developed or acquired from external suppliers) are properly authorized by the business management.
Design, development, testing, approval and implementation
Adequate tests for the new systems involved in the financial reporting are in place at the Company.
Data migration
Comprehensive conversion procedures have been established and followed in data migration.
Computer operations
Job processing
Automated jobs (for example the end-of-day/start-of-day batch in banks) are run according to previously established schedules and are monitored to ensure successful completion.
Backup and recovery process
The Company developed and implemented a formal backup and restoration procedure.
Access to backup media
The access to backup media is restricted only to designated personnel.
Incident and problem management procedures
A formal incident and problem management procedure is implemented at the Company.
Antivirus protection
Appropriate antivirus protection is implemented at the Company.
Module 2 GITC Detailed
Access to programs and data
Information security policy/ awareness
The Company developed and implemented a formal Information Security Policy addressing the usage and security of the information resources.
Test of Design & Implementation
a. Existence of an Information Security Policy
b. The content of the Information Security Policy is appropriate
Evidence: • Information Security Policy
Test of Operating Effectiveness
a. The Information Security Policy is accessible to all employees
b. Employees sign the Information Security Policy for acknowledgment
Evidence: • Information Security Policy published • Acknowledgment forms
Physical access
The physical access to critical IT resources is appropriately controlled.
Test of Design & Implementation
a. Existence of a Physical Access Procedure
Evidence: • Physical Access Procedure
Test of Operating Effectiveness
a. List of employees authorized to access critical IT resources
b. Visit to the server room to verify that the controls are in place
Evidence: • Authorized employees' list • Authorized employees' list extracted from the access control system
Configuration of access rules
Users' access rights to the financial applications are granted based on user profile templates which have been approved by the Management.
Test of Design & Implementation
a. Existence of user profile templates
Evidence: • User profiles
Test of Operating Effectiveness
a. User profiles implemented in the applications
b. Profile approval/ authorization
c. Profile modification requests
Evidence: • Applications' user profiles • Profile modification requests
User administration
Users' accounts for the network and the financial applications are created, deleted and modified based on formal requests from business management.
Test of Design & Implementation
a. Existence of a User Administration Procedure
b. Description of the user creation/ modification/ deletion flow, based on discussion with the responsible persons
Evidence: • User Administration Procedure
Test of Operating Effectiveness
a. List of employees hired / who left the organization during the audited period
b. Sample from the list of joiners/ leavers
c. User creation/ modification/ deletion forms, emails or ticketing application records for the sample
Evidence: • User creation request example 1 • User creation request example 2 • User deletion forms
Identification and authentication
Appropriate password rules are implemented for network and financial applications access.
Test of Design & Implementation
a. Existence of a Password Policy/ Procedure
b. Authentication based on username/ password
c. Existence of application password rules, based on inquiry with the responsible persons
Evidence: • Password Policy
Test of Operating Effectiveness
a. Screenshot of the password rules at network level
b. Screenshot of the password rules at application level
Evidence: • Password rules at network level • Password rules at application level
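A screenshot of the Default Domain Policy is the usual network-level evidence, but it misses two things a tester should check: fine-grained password policies that override the default for specific groups, and accounts flagged as never expiring. The script below is an added example (editor's code, not part of the KPMG deck) that pulls all three from Active Directory with the ActiveDirectory module; the thresholds in $Expected and the output paths are assumptions to be replaced with the client's own Password Policy.

```powershell
# Added example: network-level password rules as queryable evidence, not a screenshot.
# Assumes RSAT ActiveDirectory module and domain read access. Thresholds are assumed.
Import-Module ActiveDirectory

$Expected = @{                      # assumed thresholds; take them from the client's policy
    MinPasswordLength    = 8
    PasswordHistoryCount = 12
    MaxPasswordAgeDays   = 90
    LockoutThreshold     = 5
    ComplexityEnabled    = $true
}

function Test-PasswordPolicy {
    param($Policy, [string]$Label)
    # MaxPasswordAge is a TimeSpan; zero means passwords never expire, which fails the age check
    $maxAgeDays = if ($Policy.MaxPasswordAge.TotalDays -gt 0) { $Policy.MaxPasswordAge.TotalDays }
                  else { [double]::PositiveInfinity }
    foreach ($row in @(
        @{ Setting='MinPasswordLength';    Actual=$Policy.MinPasswordLength;    Ok=($Policy.MinPasswordLength    -ge $Expected.MinPasswordLength) },
        @{ Setting='PasswordHistoryCount'; Actual=$Policy.PasswordHistoryCount; Ok=($Policy.PasswordHistoryCount -ge $Expected.PasswordHistoryCount) },
        @{ Setting='MaxPasswordAgeDays';   Actual=$maxAgeDays;                  Ok=($maxAgeDays -le $Expected.MaxPasswordAgeDays) },
        @{ Setting='LockoutThreshold';     Actual=$Policy.LockoutThreshold;     Ok=($Policy.LockoutThreshold -gt 0 -and $Policy.LockoutThreshold -le $Expected.LockoutThreshold) },
        @{ Setting='ComplexityEnabled';    Actual=$Policy.ComplexityEnabled;    Ok=($Policy.ComplexityEnabled -eq $Expected.ComplexityEnabled) }
    )) {
        [pscustomobject]@{ Policy = $Label; Setting = $row.Setting; Actual = $row.Actual; Ok = $row.Ok }
    }
}

# 1. The default domain policy (what the GPO screenshot shows)
$results = @(Test-PasswordPolicy (Get-ADDefaultDomainPasswordPolicy) 'Default Domain Policy')

# 2. Fine-grained password policies override the default for the users/groups they apply to,
#    so the default policy alone is incomplete evidence on Windows 2008+ domains.
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicy $fgpp "FGPP '$($fgpp.Name)' (precedence $($fgpp.Precedence))"
}

# 3. Enabled accounts exempted from expiry bypass the age rule whatever the policy says
$neverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } |
                Select-Object SamAccountName, DistinguishedName

$results | Format-Table Policy, Setting, Actual, Ok -AutoSize
"Enabled accounts with PasswordNeverExpires: $(@($neverExpires).Count)"
$neverExpires | Format-Table -AutoSize

# Working-paper exports (assumed paths)
$results      | Export-Csv -NoTypeInformation -Path '.\password_policy_evidence.csv'
$neverExpires | Export-Csv -NoTypeInformation -Path '.\password_never_expires.csv'
```

Application-level password rules still have to be obtained from each application; this only covers the network (domain) level, and any Ok = False row or non-empty never-expires list is an exception to document against the Password Policy.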
User access review
A formal review of network and financial applications user accounts and user access rights is regularly performed at the Company.
Test of Design & Implementation
a. User Review Policy/ Procedure (usually included in the User Administration Procedure)
b. User review process description
Evidence: • User Administration Procedure
Test of Operating Effectiveness
a. Evidence of the user review: emails, forms, files
Evidence: • User review example
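Both the user administration test (sample of leavers traced to a deletion request) and the user access review test come down to the same question: do departed employees still have usable accounts? The script below is an added example (editor's code, not from the KPMG deck) that reconciles an HR leavers list against Active Directory. The HR export layout (EmployeeId, SamAccountName, LeaveDate as dd.MM.yyyy), the embedded sample rows and the grace period are constructed assumptions.

```powershell
# Added example: reconcile HR leavers against AD account state.
# Assumes the ActiveDirectory module; the HR CSV layout and sample rows are constructed.
Import-Module ActiveDirectory

$GracePeriodDays = 2   # assumed tolerance between leave date and account disablement

# Constructed sample of the HR leavers export; in practice: Import-Csv '.\hr_leavers.csv'
$leavers = @'
EmployeeId,SamAccountName,LeaveDate
1001,jpopescu,31.01.2013
1002,mionescu,15.03.2013
1003,aradu,30.04.2013
'@ | ConvertFrom-Csv

function Test-Leaver {
    param([pscustomobject]$Row)
    $leaveDate = [datetime]::ParseExact($Row.LeaveDate, 'dd.MM.yyyy', [cultureinfo]::InvariantCulture)
    $cutoff    = $leaveDate.AddDays($GracePeriodDays)
    $user = Get-ADUser -Filter "SamAccountName -eq '$($Row.SamAccountName)'" `
                       -Properties Enabled, LastLogonDate, AccountExpirationDate
    if (-not $user) {
        return [pscustomobject]@{ EmployeeId = $Row.EmployeeId; Account = $Row.SamAccountName
                                  LeaveDate = $leaveDate; Status = 'Deleted/not found'; Exception = $false; Detail = '' }
    }
    # AccountExpirationDate set on or before the cutoff counts as disabled even if Enabled is still true
    $expired = $user.AccountExpirationDate -and $user.AccountExpirationDate -le $cutoff
    # LastLogonDate comes from lastLogonTimestamp (replicated with up to ~14 days lag):
    # a logon recorded after the cutoff is a true positive, but its absence proves nothing.
    $usedAfterLeave = $user.LastLogonDate -and $user.LastLogonDate -gt $cutoff
    if ($user.Enabled -and -not $expired) { $status = 'Still enabled'; $exception = $true }
    elseif ($usedAfterLeave)             { $status = 'Disabled late'; $exception = $true }
    else                                 { $status = 'Disabled';      $exception = $false }
    [pscustomobject]@{
        EmployeeId = $Row.EmployeeId
        Account    = $Row.SamAccountName
        LeaveDate  = $leaveDate
        Status     = $status
        Exception  = $exception
        Detail     = "Enabled=$($user.Enabled); LastLogon=$($user.LastLogonDate); Expires=$($user.AccountExpirationDate)"
    }
}

$results = $leavers | ForEach-Object { Test-Leaver $_ }
$results | Format-Table -AutoSize
"Leavers tested: $(@($results).Count); exceptions: $(@($results | Where-Object Exception).Count)"
$results | Export-Csv -NoTypeInformation -Path '.\leaver_reconciliation.csv'   # assumed output path
```

Run it against the full leavers list rather than the sample when the population is small; an exception here is evidence that both the deprovisioning control and the last periodic access review failed for that account, so it belongs in both working papers.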
Super users
The access to powerful user accounts defined for the network and for the financial applications is restricted to a small group of personnel to preserve accountability.
Test of Design & Implementation
a. Policies/ procedures for access to super user accounts
b. List of employees authorized to use super user accounts
Evidence: • Authorized list of super user accounts
Test of Operating Effectiveness
a. Screenshot of the members of Domain Admins (for networks based on Active Directory)
b. Screenshot of the administrative/ super user accounts of the applications
Evidence: • Domain Admins members • Application administrators
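Domain Admins is the group the deck names, but it is not the only group with domain-wide power, and a screenshot of direct members misses nested groups. The script below is an added example (editor's code, not from the KPMG deck) that enumerates the built-in privileged groups recursively and compares them with the authorized list; the CSV path, its SamAccountName column, the 90-day inactivity threshold and the output path are assumptions.

```powershell
# Added example: privileged AD group membership against the authorized super user list.
# Assumes the ActiveDirectory module and a client-provided CSV with a SamAccountName column.
Import-Module ActiveDirectory

$AuthorizedListPath = '.\authorized_super_users.csv'   # assumed path and layout
$authorized = @(Import-Csv $AuthorizedListPath | ForEach-Object { $_.SamAccountName.ToLower() })

# Built-in groups granting domain-wide administrative power. Nesting is common, so
# -Recursive is required; the GUI member list only shows direct members.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

$members = foreach ($group in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
            ForEach-Object {
                [pscustomobject]@{
                    Group                = $group
                    SamAccountName       = $_.SamAccountName
                    Name                 = $_.Name
                    Enabled              = $_.Enabled
                    LastLogonDate        = $_.LastLogonDate      # replicated value, up to ~14 days stale
                    PasswordLastSet      = $_.PasswordLastSet
                    PasswordNeverExpires = $_.PasswordNeverExpires
                    OnAuthorizedList     = $authorized -contains $_.SamAccountName.ToLower()
                }
            }
    } catch {
        # Foreign security principals in Administrators can make recursive enumeration fail
        Write-Warning "Could not enumerate '$group': $_"
    }
}

$notAuthorized = $members | Where-Object { -not $_.OnAuthorizedList }
$stale         = $members | Where-Object { $_.Enabled -and $_.LastLogonDate -and
                                           $_.LastLogonDate -lt (Get-Date).AddDays(-90) }   # assumed threshold

# Accounts that were ever in a protected group keep adminCount=1 (AdminSDHolder) after removal;
# those not in any privileged group today are a cross-check on past membership changes.
$adminCountOrphans = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { @($members.SamAccountName) -notcontains $_.SamAccountName }

"Privileged members: $(@($members).Count); not on authorized list: $(@($notAuthorized).Count); " +
"stale >90 days: $(@($stale).Count); adminCount=1 outside groups: $(@($adminCountOrphans).Count)"
$members | Sort-Object Group, SamAccountName |
    Format-Table Group, SamAccountName, Enabled, LastLogonDate, OnAuthorizedList -AutoSize
$members | Export-Csv -NoTypeInformation -Path '.\privileged_accounts_evidence.csv'   # assumed path
```

Every member not on the authorized list is an exception to the control as stated; stale and never-expiring privileged accounts are not exceptions by themselves but are the accounts to pick for the monitoring test that follows.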
Monitoring of super users' activity
The activities performed by the super users are formally monitored.
Test of Design & Implementation
a. Policies/ procedures regarding the monitoring of super users' activity (very rare)
b. Process description of the monitoring of super users' activity
Evidence: • Log management policy
Test of Operating Effectiveness
a. Screenshots from monitoring applications such as ArcSight or InTrust, or activity logs
b. Reports of super users' activities
Evidence: • Monitoring of super users' activity
Program changes
Authorization, development, testing and approval - Initiation
Changes to the financial applications are documented and authorized by the appropriate level of management.
Test of Design & Implementation
a. Change management procedure
b. Change management process description
Evidence: • Change management procedure
Test of Operating Effectiveness
a. List of changes during the audited period
b. Change request approval (sample)
Evidence: • Example of change requests
Authorization, development, testing and approval - Testing
Changes to the financial applications are tested, validated and approved prior to being migrated to the production environment.
Test of Design & Implementation
a. Change management procedure
b. Testing process description
Evidence: • Change management procedure
Test of Operating Effectiveness
a. Test scenarios
b. Testing documentation: can be forms, emails or ticketing application records
Evidence: • Test scenarios • Example of change
Authorization, development, testing and approval - Environments
The Company uses development and test environments which are separated from the production environment.
Test of Design & Implementation
a. Change management procedure
b. Description of the different environments used (they should be separated)
Evidence: • Change management procedure
Test of Operating Effectiveness
a. Screenshots of the production/ development/ testing environments
Evidence: • Environments
Migration to the production environment
Migration of changes to the production environment is appropriately controlled.
Test of Design & Implementation
a. Change management procedure
b. Description of the migration process (not data migration!)
Evidence: • Change management procedure
Test of Operating Effectiveness
a. Approvals/ acceptance before migration to production for the changes selected: forms, emails, ticketing application
Evidence: • Acceptance forms
Configuration changes
System configuration changes are tested, validated and approved prior to migration to the live environment.
Test of Design & Implementation
a. Patch/ update policies/ procedures (rare)
b. Description of the patch/ update process
Evidence: • Patch procedure
Test of Operating Effectiveness
a. Usually a centralized infrastructure is used for Windows (Windows Server Update Services, WSUS)
b. Evidence of testing before deployment in production (rare)
Evidence: • WSUS settings • Update testing evidence
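Evidence of testing before production is rarely a separate document, but a WSUS server records who approved each update, for which target group and when, so the "pilot first, production later" sequence can be reconstructed from the approval history. The script below is an added example (editor's code, not from the KPMG deck) using the UpdateServices module on the WSUS server; the target group names 'Pilot' and 'Servers', the 7-day soak period and the output path are assumptions.

```powershell
# Added example: derive "tested before production" evidence from WSUS approval history.
# Assumes it runs on the WSUS server with the UpdateServices module; group names are assumed.
Import-Module UpdateServices

$TestGroupName = 'Pilot'      # assumed name of the pilot/test target group
$ProdGroupName = 'Servers'    # assumed name of the production target group
$MinSoakDays   = 7            # assumed minimum time an update should sit in pilot

$wsus   = Get-WsusServer      # local server, default port
$groups = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groups[$g.Id] = $g.Name }

$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$rows = foreach ($update in $wsus.GetUpdates($scope)) {
    # Only explicit Install approvals; approvals inherited from a parent group (e.g. "All Computers")
    # are recorded under the parent's name, so check that group too if the client uses it.
    $approvals = $update.GetUpdateApprovals() | Where-Object { $_.Action -eq 'Install' }
    $test = $approvals | Where-Object { $groups[$_.ComputerTargetGroupId] -eq $TestGroupName } |
            Sort-Object CreationDate | Select-Object -First 1
    $prod = $approvals | Where-Object { $groups[$_.ComputerTargetGroupId] -eq $ProdGroupName } |
            Sort-Object CreationDate | Select-Object -First 1
    if (-not $prod) { continue }   # never released to production: outside the control's scope
    $soak = if ($test) { ($prod.CreationDate - $test.CreationDate).TotalDays } else { $null }
    [pscustomobject]@{
        UpdateId       = $update.Id.UpdateId
        Title          = $update.Title
        Classification = $update.UpdateClassificationTitle
        PilotApproved  = if ($test) { $test.CreationDate } else { $null }
        ProdApproved   = $prod.CreationDate
        ApprovedBy     = $prod.AdministratorName
        SoakDays       = if ($null -ne $soak) { [math]::Round($soak, 1) } else { $null }
        Exception      = (-not $test) -or ($soak -lt $MinSoakDays)
    }
}

$rows | Sort-Object ProdApproved -Descending |
    Format-Table Title, PilotApproved, ProdApproved, ApprovedBy, SoakDays, Exception -AutoSize
"Updates released to '$ProdGroupName': $(@($rows).Count); without a prior pilot approval of at least " +
"$MinSoakDays days: $(@($rows | Where-Object Exception).Count)"
$rows | Export-Csv -NoTypeInformation -Path '.\wsus_approval_evidence.csv'   # assumed path
```

Automatic approval rules appear with the rule's account in ApprovedBy and typically zero soak time; whether that is acceptable depends on what the patch procedure says, so the procedure obtained in the design test is what the exceptions are judged against.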
Emergency changes
The entity implemented appropriate controls in order to ensure that emergency changes are properly handled.
Test of Design & Implementation
a. Emergency change process (usually included in the Change management procedure)
b. Description of the emergency change process
Evidence: • Change management procedure
Test of Operating Effectiveness
a. List of emergency changes during the audited period (very rare)
b. Evidence of documentation and approval of the emergency changes
Program development
Methodology for development/ acquisition
New systems (in-house developed or acquired from external suppliers) are properly authorized by the business management.
Test of Design & Implementation
a. Development/ acquisition policy/ procedure
b. Description of the development/ acquisition process
Evidence: • Development/ acquisition procedure
Test of Operating Effectiveness
a. If new systems were implemented: evidence of project initiation, approvals, project plan, etc.
Evidence: • Approvals of acquisition
Design, development, testing, approval and implementation
Adequate tests for the new systems involved in the financial reporting are in place at the Company.
Test of Design & Implementation
a. Development/ acquisition policy/ procedure
b. Description of the development/ acquisition process
Evidence: • Development/ acquisition procedure
Test of Operating Effectiveness
a. If new systems were implemented: functional specification, evidence of acquisition/ development, testing, migration into production
Evidence: • Functional specifications • Testing • Migration to production
Data migration
Comprehensive conversion procedures have been established and followed in data migration.
Test of Design & Implementation
a. Migration procedures
b. Description of the migration process
Evidence: • Migration plan
Test of Operating Effectiveness
a. If new systems were implemented: evidence of the success of the data migration, tests, acceptance
Evidence: • Data migration tests
Computer operations
Job processing
The Company developed and implemented formal procedures to ensure accuracy, completeness and timely processing of system jobs.
Test of Design & Implementation
a. EOD/ SOD (end-of-day/ start-of-day) procedures, used in banks
b. Description of the various system jobs that are executed (e.g. data transfers)
Test of Operating Effectiveness
a. Evidence of successful EOD/ SOD procedures for banks, or execution logs for other system jobs
b. Evidence of system job monitoring, error management and completion
Evidence: • EOD/ SOD completion • EOD/ SOD approvals • Data transfer
Backup and recovery process
The Company developed and implemented a formal backup and restoration procedure.
Test of Design & Implementation
a. Backup and recovery policy/ procedure
b. Description of the backup process in terms of frequency and type
Evidence: • Backup Policy • Backup Procedure
Test of Operating Effectiveness
a. Screenshots of the backup settings
b. Execution logs of the backup job
c. Evidence of backup restoration testing
Evidence: • Backup settings • Restoration testing reports
Access to backup media
The access to backup media is restricted only to designated personnel.
Test of Design & Implementation
a. Physical Access Procedure
b. Backup media could be tapes, hard disks, DVDs
Evidence: • Physical Access Procedure
Test of Operating Effectiveness
a. List of employees authorized to access critical IT resources, including backups
b. Visit to the location where the backups are stored
Evidence: • Backup settings
Incident and problem management procedures
A formal incident and problem management procedure is implemented at the Company.
Test of Design & Implementation
a. Incident and problem management policies/ procedures
b. Description of the incident and problem management process
Evidence: • Incident and problem management procedure
Test of Operating Effectiveness
a. List of the incidents/ problems recorded, usually in a ticketing application
b. Verify a sample of incidents for the solutions provided
Evidence: • Screenshots from the ticketing application: overall view; sample of incidents
Antivirus protection
Appropriate antivirus protection is implemented at the Company.
Test of Design & Implementation
a. Antivirus protection policy/ procedure
b. Description of the antivirus protection implemented
Evidence: • Antivirus protection policy/ procedure
Test of Operating Effectiveness
a. Sample of workstations to verify the antivirus settings: protection enabled, signatures updated, cannot be disabled by users
b. Scanning reports
c. Settings of the antivirus server
Evidence: • Antivirus settings on workstations • Antivirus server settings • Antivirus settings on Windows-based servers
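The three workstation checks the deck lists (protection enabled, updated, not disableable by users) can be collected from the sampled machines in one pass instead of one screenshot per host. The script below is an added example (editor's code, not from the KPMG deck) that assumes Windows Defender is the endpoint product (Get-MpComputerStatus and Get-MpPreference) and that WinRM is enabled; the hostnames in $Sample are a constructed list and the signature-age tolerance is an assumption.

```powershell
# Added example: antivirus state from a sample of hosts. Assumes Windows Defender and WinRM.
$Sample        = 'WS-FIN-01', 'WS-FIN-02', 'WS-HR-03', 'SRV-APP-01'   # constructed sample
$MaxSigAgeDays = 3                                                 # assumed tolerance

$results = Invoke-Command -ComputerName $Sample -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        AMServiceEnabled   = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        RTDisabledByPref   = $p.DisableRealtimeMonitoring   # a local preference that policy may override
        SignatureAgeDays   = $s.AntivirusSignatureAge
        SignatureUpdated   = $s.AntivirusSignatureLastUpdated
        LastQuickScan      = $s.QuickScanEndTime
        LastFullScan       = $s.FullScanEndTime
        # IsTamperProtected is absent on older builds; $null is treated below as "not protected"
        TamperProtection   = $s.IsTamperProtected
    }
}

foreach ($r in $results) {
    $issues = @()
    if (-not $r.AMServiceEnabled)               { $issues += 'AV service not running' }
    if (-not $r.RealTimeProtection)             { $issues += 'real-time protection off' }
    if ($r.SignatureAgeDays -gt $MaxSigAgeDays) { $issues += "signatures $($r.SignatureAgeDays) days old" }
    if (-not $r.TamperProtection)               { $issues += 'protection can be disabled locally' }
    $r | Add-Member -NotePropertyName Exception -NotePropertyValue ($issues -join '; ') -Force
}

# Hosts that did not answer are exceptions as well: the control cannot be evidenced for them
$down = $unreachable | ForEach-Object { $_.TargetObject } | Select-Object -Unique

$results | Select-Object Host, RealTimeProtection, SignatureAgeDays, LastQuickScan, TamperProtection, Exception |
    Format-Table -AutoSize
"Sampled: $($Sample.Count); responded: $(@($results).Count); unreachable: $(@($down).Count) " +
"($($down -join ', ')); with exceptions: $(@($results | Where-Object Exception).Count)"
$results | Export-Csv -NoTypeInformation -Path '.\antivirus_sample_evidence.csv'   # assumed path
```

For a third-party product the same fields (service state, real-time protection, signature age, tamper protection) come from the vendor's management console export instead; the point is that the sample is selected by the auditor and the values are read from the endpoint, not from a report the client prepared.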
Application level controls considerations
Application Level Controls
Application controls are manual or automated procedures that typically operate at the process level and apply to the processing of transactions by individual applications. Application level controls sit on top of the IT General Controls.
Approach for the in-scope applications: identify controls, perform a walkthrough, perform the test of design and implementation (TOD), then perform the test of operating effectiveness (TOE).
TOD: Are the controls properly designed and implemented? YES: proceed to TOE. NO: identify compensating controls or conclude.
TOE: Did the controls operate effectively during the audited period? YES: conclude. NO: extend the sample or conclude.
Questions?
Gheorghe Vlad
Manager, Management Consulting
KPMG Romania SRL
DN1, Sos. Bucuresti - Ploiesti No. 69 – 71, P.O. Box 18 - 191, Bucharest, 013685
[email protected]
Mobile: +40 747 333 034
Fax: +40 372 377 700
© 2013 KPMG Romania S.R.L., a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in Romania. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).