IT General Controls - John Gatto (Part 3)

The document discusses methodology assessments for IT project management. It provides details on elements that should be included in a methodology like formal processes, documentation, approval requirements, templates, and change control. It also discusses advisory services that can be provided, such as ensuring proper controls are implemented during key project phases. Auditors are encouraged to ensure the methodology exists, is adhered to, and incorporates best practices.


Methodology Assessment

Presence of a formal process
Process documentation – approved by senior IT leaders
Project Plan
Mandatory sign-offs at each stage gate
Required “go / no-go” decision points
Standard templates and forms
Standard naming conventions
Escalation processes

Methodology Assessment
Exception protocols
Formalized testing methods
Source Control
Peer Review
Change control process
Standard project management templates / reports
Test environment separate from production
Formal reporting processes / templates
Consistent use of metrics (red, yellow, green)

Methodology Assessment

Stakeholder involvement and engagement (legal, security, finance, audit, etc.)
Issue and Action logs
Quality Review Board / Function
Defined Documents: Requirements, Design, Testing, etc.
Centralized place for storing documents


Methodology Assessment

Auditors should ensure the methodology:
• Exists, is adhered to and is used by all projects
• Provides flexibility to support project sizes and types
• Provides sufficient structure to help PMs and reduce the risk of project failure
• Is based on best practices
  • PM: PMBOK, PRINCE2, etc.
  • Technical: SDLCs, SEI, etc.
  • Regulatory and Legal as required

Types of Project Engagements

Methodology Assessment

Project Risk Assessment

Readiness Assessment

Key Phase Review

Post-Implementation Review

Advisory Services


Advisory Services

Why: Ensure proper controls, security, audit trails, etc. are included
When: During all key phases of the project
How: Being involved with the project, reviewing requirements, etc.

Why Be Involved?

The utilization of and reliance upon technology to manage and support the business has increased exponentially over the last two decades.

IT Auditing has evolved into a necessary requirement to manage and govern an organization’s risk and compliance posture.

Companies continue to invest in technology to reduce admin costs, increase efficiencies and achieve competitive advantages.

Proactive controls consulting will result in appropriate controls being implemented early in the development process.

RISK MANAGEMENT and VALUE ADD


Corporate Executive Board

Project Management is an audit area of concern
Financial Loss: late projects change cost-benefits, and could harm the company’s reputation
Failed business expansion: implementation failures may impact the income revenue stream and affect business partners / customers
Inadequate IT controls: technology upgrades are expensive and can have adverse effects if not implemented properly
Misaligned strategy: projects not aligned with corporate strategy may not add expected value
Repeated mistakes: failure to analyze completed projects cannot rectify process inefficiencies in future projects

SDLC Risks

Adoption of inappropriate SDLC for the application
Inappropriate technology and architecture
Scope variations
Inadequate controls in the SDLC process
User requirements and objectives not met by the application
Time and cost over-runs
Inadequate quality of the application
Lack of management support
Inadequate project management
Inadequate stakeholder (including internal audit) involvement
Insufficient attention to security and controls in the application
Inadequate testing


SDLC Risks

Performance criteria not being met
Inappropriate resourcing / staffing model
Insufficient attention to configuration management
Inadequate other dependencies
Inadequate staffing skills
Insufficient documentation
Poor planning for data conversion and cutover
Post cut-over disruption to business
Inadequate contractual protection
Inadequate adherence to chosen SDLC
Inadequate training
No disaster recovery process

Project Success Factors

1. User Involvement: Business and IT users are involved with key consensus-building, decision-making, and information-gathering processes.
2. Executive Support: Key executives provide alignment with business strategy, as well as financial, emotional, and conflict resolution support.
3. Clear Business Objectives: Stakeholders understand the core value of the project and how it aligns with business strategy.
4. Agile Optimization: Project uses iterative development and optimization processes to avoid unnecessary features and ensure critical features are included.
5. Emotional Maturity: Project manager directs the emotions and actions of project stakeholders and avoids ambition, arrogance, ignorance, abstinence, and fraudulence.


Project Success Factors

6. Project Management Expertise: Organization uses project managers who understand the basic skills and practices, such as certified PM Professional from the Project Management Institute.
7. Financial Management: Project manager is able to manage financial resources, account for project budget/costs, and demonstrate the value of the project.
8. Skilled Resources: Skilled project personnel are acquired, managed, retained, and controlled to move forward in the face of turnover and other personnel hurdles.
9. Formal Methodology: There is a predefined set of process-based techniques that provide a road map on when, how, and what events should occur in what order.
10. Tools and Infrastructure: The project infrastructure is built and managed with tools that enable management of tasks, resources, requirements, change, risks, vendors, user acceptance, and quality management.

Selection of Engagements

Conduct a risk analysis to identify projects or initiatives that present the greatest risk using enterprise resources:

Inputs: Project Portfolio Management (PPM), Company Management, Audit Services Management, Corporate Compliance Mandates
(Demand Management / Business Case, Risk Assessments, Regulatory Oversight, Risk Office - Privacy)

Risk Model
Engagement Selection


Audit Approach

Review the SDLC process
• Ensure proper controls are built in
• Test on an annual basis

Perform Pre-Implementation Audits
• More time consuming
• Value add
• Risk based approach

We do the first one annually. I have always believed that audit should be doing more advisory work.
We need to ensure that the SDLC process is followed, but there is more value in the other. So, what are the phases and how much time?

SDLC Phases


Things to Look for….

System Development Life Cycle (SDLC) processes
• Analysis and programming
• Data structures
• Security
• Data Controls
• Documentation
• User procedures

SDLC Methodology

Initiation & Planning

Analysis

Design

Implementation

Maintenance


SDLC - Design

Controls need to be designed into the system

Security
Balancing
Edits
Quality Assurance
Output
Database Administration

Things to Look for….

Points in the process where authorizations are required to go on to the next step
Formal testing procedures and user sign-off
Documented procedures and User Training prior to ‘Go Live’
Edits / Balancing
Security
Traceability


Things to Look for….

Standard templates and forms
Escalation process
Change management processes
Consistent use of metrics (red, yellow, green)
Issue and Risk logs
Central documentation repository

System & User Acceptance Testing


System & Acceptance Testing

System & Acceptance Testing

• Deliverables:
• Sign-off for System Test
• Sign-off for Acceptance Test
• Updated test case artifacts


Planning the Audit


Consideration of Purpose
• What is driving the need for the audit?
• Is it a regular audit plan?
• The need is usually directly associated with the primary objective of the
audit.

Consideration of Risk
• Identify risk associated with the application and its associated data,
sources, infrastructure and systems.
• Assess the impact on the audit objectives, audit plan, audit scope and
audit procedures.

Functionality
• Determine purpose of the application and verify functionality against
requirements
• Verify end-user acceptance for newly installed application
• Special considerations: Security, Operational controls, Financial controls
• Verify various scenarios to understand/test functionality

Planning the Audit

Consideration of the Control Environment
The audit plan should take into account the control environment surrounding the application, within the context of the audit purpose.
If the primary purpose of the audit is auditing proper functionality, the controls might be application development controls or systems development life cycle (SDLC) controls. In particular, controls for testing the application are important.

Consideration of Scope
Determine relevant technologies and controls associated with auditing the applications:
Interfaces to other applications
Source systems
Target/destination systems
Infrastructure or components
Databases
Staging area/testing facility


Determine Audit Objectives

Efficiency
• Development cost
• Operational performance
• On going maintenance
• Integration with other IT areas / applications

Effectiveness
• Meets information requirements/functionality
• The original authorization purpose
• Operational performance

Compliance
• Laws and regulations
• Contractual requirements
• Customer requirements

Financial reporting implications
• Data integrity
• End user controls

Map Systems and Data Flows
Relevant IT components (description)

The business owners or business lines

Change management policies and procedures

The role and impact of vendors

Business processes

Controls

Access and security administration


Determine Risks

Identify Key Controls

Distinguish between customized controls and those contained in vendor software
Ask management the specific nature of controls expertise used during the application development process
Perform a walk-through to determine what controls are actually in the application and how they function
Determine the tests needed


Key Controls
Access security

Logical segregation of duties (SoD)

Data validation / Data integrity

Coding

Input error correction

Batch controls (where applicable)

Disaster Recovery

Key Controls

Typical process controls include:
The level of automation (e.g., fully automated, IT-dependent, fully manual)
Job scheduler dependencies (for job processing)
Job scheduler monitoring
Auto calculations
Auto reconciliations
Auto notifications

Typical output controls include:
Reconciliations
Reviews
Approvals
Error detection/error reports or lists
Control over physical reports


End User Computing

Applications that are part of a significant process
Managed within the business and not by IT

Business areas: Actuarial; External Reporting; Health Care Management
Tools: Excel; Access; APL (A Programming Language); VBA (Visual Basic for Applications)

EUC Control Framework

Governance
• Define EUCs
• Establish Policies & Procedures
• Define Ownership
• Monitor & Report

People
• Define Roles & Responsibilities
• Define levels of access
• Define applications in scope

Process
• Define Risk Ranking Metrics
• Apply risk ranking and determine control scope
• Define and apply specific controls

Technology
• Define technology requirements
• Determine support strategy
• Implement technology


Management’s Role

Management must define what constitutes an EUC and compile a list of applications used by the user group.
With the full population of EUCs, management should determine which of these are impacting the organization.
Management should assess the usage of these EUCs and determine if standard procedures are followed.
Management should develop comprehensive policies and procedures.
Management should evaluate existing policies and procedures and work to establish an organization-wide version.

End User Computing

The importance of the application is categorized as:
Low: Applications that facilitate the workflow within the business process and have no direct impact on the financial statement.
Moderate: Applications that typically don’t directly feed the financial statement but could impact decisions that ultimately have a financial effect.
High: Applications that directly create transactions which are transmitted / loaded into the general ledger or the financial statements.


Types of Errors

Input errors: Errors caused by data being incorrectly entered into the application.
• Data import error
• Manual entry error

Logic errors: Errors caused by inaccurate calculations or coding.
• Excel formulas
• VBA or ACL macros

Interface errors: Errors caused by incorrectly importing or exporting data with other systems.
• Errors in the import or export code
• Errors in the file itself

Risks

End user programmers may not follow the same IT procedural controls, introducing greater risks
Lack of control over downloads and spreadsheets
Results may differ from corporate results, causing management decisions to be skewed
Storage of data
Transmission of data outside of the company
Use of PSDs: flash drives, CDs, etc.


Key Facts

Application Name
Owner(s)
Users
Number of people with access / admin rights
Usage (finance / operations)
Input Sources
Complexity
Risks

Controls Required

Security and Segregation of Duties
Input / Output Controls
Integrity of Data
Access Controls
Documentation
Backups
Version Control
Change Control
Archiving
Training


Disaster Recovery

"Drive thy business or it will drive thee."
—Benjamin Franklin (1706-1790), American entrepreneur, statesman, scientist and philosopher

"It is your business when the wall next door catches fire."
—Horatius (65-8 BC), Roman poet

Definition from COBIT

Disaster Recovery Planning (DRP), a key component of Business Continuity Planning (BCP), refers to the technological aspect of BCP – the advance planning and preparations necessary to minimize the loss and ensure continuity of business functions in the event of a disaster.

DRP comprises consistent actions to be undertaken prior to, during and subsequent to a disaster. It is built from a comprehensive planning process, involving all of the enterprise business processes.

Strategies include alternate site, redundant data centers, reciprocal agreements, telecommunication links, disaster insurance, BIA and legal liabilities.


Protecting Your Assets

• BCP can be a long term competitive advantage
• BCP connects to the objectives of your organization
• What are the business plans for growth, restructuring, short/long term strategies?
• A BCP plan should have the fullest possible understanding of the important processes of the business and of customers and suppliers

Purpose

• Ensure the recovery from short-term, localized errors from data and equipment
• Identify processes necessary to allow the corporation to live through a more disastrous event


Questions to Ask

What do you do if a business location is inoperable?

What do you do if an IT location is inoperable?

Enterprise View

Enterprise Risk Management

Business Continuity
Management

Disaster Recovery


Helpful Hints

Review information on the frequency, impact and causes of downtime
Identify the critical activities that satisfy customers’ expectations and support overall business operations
Identify and rank your most vulnerable business activities
Identify the critical business information needed for these activities to succeed

Helpful Hints

Place business continuity and disaster recovery on the board agenda
Legacy systems must be adequately protected against hacker intrusion and viruses
Ensure change control keeps your continuity plan current with process and technology changes
Maintain a functional area checklist to continue business effectively in the case of a disruption or emergency


Business Continuity Plans

Have critical business functions been identified?
Have alternate worksites been identified?
Are all procedures documented, reviewed and tested?
Have call-out lists been created and updated?
Have technical components been identified – PCs, phones, supplies, …?
Has a “dry run” been executed recently?

Disaster Recovery Plans

Are there regular backups at scheduled intervals?
Are there short-term backup copies of data to enable recovery from a processing failure?
Are there multiple generations of backups?
Are there full system backups for the operating system and application systems?
Are the backups stored properly?
• Off-site
• Vaults
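The backup questions on this slide can be turned into evidence checks an auditor runs over a backup-catalog export. This is an added example, not from the slides: the catalog rows, the weekly / three-generation / off-site policy, the system names and the review date are all constructed.

```python
# Added example (not from the slides): evidence checks for the backup questions above,
# run over a constructed backup-catalog export. CATALOG and POLICY are constructed.
from datetime import date

# Constructed catalog: (system, backup type, date, storage location)
CATALOG = [
    ("erp-db", "full", date(2024, 5, 5), "onsite"),
    ("erp-db", "full", date(2024, 5, 5), "offsite-vault"),
    ("erp-db", "full", date(2024, 5, 12), "onsite"),
    ("erp-db", "full", date(2024, 5, 12), "offsite-vault"),
    ("erp-db", "full", date(2024, 5, 26), "onsite"),    # 14-day gap: a weekly run was missed
    ("erp-db", "full", date(2024, 5, 26), "offsite-vault"),
    ("erp-db", "incremental", date(2024, 5, 27), "onsite"),
    ("hr-app", "full", date(2024, 5, 20), "onsite"),    # one generation, never sent off-site
    ("hr-app", "system", date(2024, 5, 20), "onsite"),  # operating system image
]

# Hypothetical policy: weekly full backups, three generations retained, copy off-site
POLICY = {"interval_days": 7, "generations": 3, "offsite_locations": {"offsite-vault"}}


def check_backups(catalog, policy, as_of=date(2024, 5, 28)):
    """Return {system: [issues]} for each of the slide's questions that fails.
    as_of is the (constructed) review date used to judge the newest backup."""
    findings = {}
    for system in sorted({entry[0] for entry in catalog}):
        rows = [r for r in catalog if r[0] == system]
        fulls = sorted({d for _, t, d, _ in rows if t == "full"})
        issues = []
        # Regular backups at scheduled intervals: no gap between full backups, nor
        # between the newest one and the review date, may exceed the policy interval
        points = fulls + [as_of]
        gaps = [(b - a).days for a, b in zip(points, points[1:])]
        if not fulls or max(gaps) > policy["interval_days"]:
            issues.append("full backups not taken at the scheduled interval")
        # Multiple generations of backups
        if len(fulls) < policy["generations"]:
            issues.append(f"only {len(fulls)} generation(s) of full backups retained")
        # Full system backups for the operating system as well as the application
        if not any(t == "system" for _, t, _, _ in rows):
            issues.append("no operating system backup in catalog")
        # Stored properly: every full generation has an off-site copy
        offsite = {d for _, t, d, loc in rows if t == "full" and loc in policy["offsite_locations"]}
        if set(fulls) - offsite:
            issues.append("full backup generation(s) without an off-site copy")
        if issues:
            findings[system] = issues
    return findings


if __name__ == "__main__":
    for system, issues in check_backups(CATALOG, POLICY).items():
        print(system, issues)
```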


Audit Focus

Policies & Procedures
• Updated
• Complete
• Approved

Exercises
• Frequency
• Scope
• Evaluation

Exercise Documentation
• Goals & Objectives
• Approaches
• Assumptions
• Participants
• Reporting

Audit Focus

Evaluation
• Were the goals and objectives met?
• What to do differently next time
• Issue Logs reviewed and answered
• Action items identified


What Is IAM?

Identity and Access Management (IAM) attempts to address three important questions:
• Who has access to what information?
• Is the access appropriate for the job being performed?
• Is the access and activity monitored, logged, and reported appropriately?

Why Implement IAM?

Improve regulatory compliance
Reduced information security risk
Reduce IT operating and development costs
Improve operating efficiencies and transparency
Increase effectiveness of key business initiatives
Improve user satisfaction

Identity and Access Management


Concepts Related to IAM Process

The elements used to uniquely describe a person or machine.
The rights that the identity was granted.

Concepts Related to IAM Process

Provisioning
• Refers to an identity’s creation, change, termination, validation, approval, propagation, and communication.

Administration
• Includes establishment of IAM strategy, monitoring the provisioning process, managing passwords, etc.

Enforcement
• Includes authentication, authorization, and logging of identities as they are used within the organization’s IT systems.


Diagram of a Provisioning Process

Enforcement Process


The Role of Internal Auditors

Identify certain key elements when assessing a company’s IAM posture:
Aligning business and management units
Understanding existing laws and regulations
Establishing budgets
Developing achievable implementation plans
Defining how technology can enable a more effective control environment

Auditing IAM

Assess the organization’s
• IAM strategy
• provisioning process
• enforcement process

Document identities, identity repositories, and identity lifecycle components
Determine controls within the identity lifecycle process
Document access rights and their repositories
Determine controls related to access rights
Test the process, especially terminations


Testing IAM

New Users / Modifications
• Get a system-generated list (population) of change requests
• Select a sample (usually 20-50 changes or 10-20%, whichever is smaller)
• Request change forms and review them for evidence of key controls

Removals
• Get a list (population) of terminated employees
• Select a sample (usually 20-50 changes or 10-20%, whichever is smaller)
• Observe the system and determine if the user accounts are disabled or removed
• Ensure timeliness meets company standards

User Recertification

Regularly re-validate all users’ access levels on all systems
• Excessive levels of access
• Terminated users
• Potential process problems

Detective control throughout the year
• Ensure it is done
• Ensure the population is complete


Access Management

Does everyone have access to what they need for their jobs, and can unmanaged devices attach to our network?
Principle of least privilege
Centralized user directory
Access reviews
Password management
Lock screens
Multi-factor authentication
Port security

How do we secure new systems before adding them to the network; is there production data in non-production systems?
System hardening process
Software Development Lifecycle (SDLC)
Change control procedures and Change Approval Board (CAB)
Vulnerability management procedures
Development, QA, Production
Scan EVERYTHING (hosts, databases, apps)
Penetration testing (validate your controls)

IAM Risks

Provisioning
Lack of evidence supporting system level access with authorizations
Lack of guidance when provisioning user access, leading to SOD issues

Removal
Complex and decentralized environments create challenges to properly review access
Processes are inconsistent and not properly documented

Periodic Review
Reliance on manual controls
Managers just “signing off” without a detailed review
Insufficient monitoring procedures to compensate for reliance on manual controls
