General Controls (ODT 200)

1. The organization delegates responsibility for IT through committees and management positions like the CIO and IT manager.
2. Duties are segmented to mitigate risks like unauthorized transactions or staff covering up falsified entries.
3. The organization has policies for staff practices, training, supervision and review.
4. System development and change follows a life cycle from needs assessment to testing to final approval and implementation.


General Controls:

Organisational controls

1. Responsibility delegation
• Computer Generating Committee (CGC) – manages IT; communication channel
between IT users and departments
• Chief Info Officer (CIO) – responsible for IT direction and communication with the CGC
• IT manager – day-to-day IT
2. Segmentation of duties
By segregating duties the entity could mitigate the risk of:
• Unauthorised or inaccurate transactions
• Staff adjusting records to cover up falsified entries
• Staff falsifying records to conceal theft
NB! IT should only be able to work on the computers and not have the ability to
influence or change any transaction or statement.
Segregation should also apply between departments, operations and the security function.

3. Staff Practices
• Policies
• Process and employing staff
• Staff scheduling and rotation of duties
• Ongoing training of staff
• Continuous evaluation of staff
• Staff dismissals and resignation
4. Supervision and Review
• High-level review: management reviews financial performance periodically
against expectations
• Analytical reviews and ratios: relationships between data sets analysed for
deviations
• Reconciliation of data on the system with data from an external source: information confirmed
against another set of information
• Independent review: unusual transactions identified for investigation
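Two of the review techniques above, reconciliation against an external source and an analytical review of ratios, as an added example that is not part of the original notes. The payment records, bank statement entries and monthly figures are constructed for the demonstration, and the 40% expected margin and 5% tolerance are assumed values:

```python
"""Supervision and review checks over constructed sample data (added example).
Demonstrates reconciliation of system data against an external source and an
analytical review of a ratio for deviations from expectation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ref: str
    amount: float


# Constructed sample data: payments recorded in the internal system and the
# corresponding entries on a bank statement (the external source).
SYSTEM_PAYMENTS = [Txn("P1001", 1200.00), Txn("P1002", 350.50),
                   Txn("P1003", 980.00), Txn("P1004", 75.25)]
BANK_STATEMENT = [Txn("P1001", 1200.00), Txn("P1002", 355.50),
                  Txn("P1004", 75.25), Txn("P1005", 410.00)]


def reconcile(system, external):
    """Return reconciliation exceptions: items present in only one source, and
    items present in both whose amounts differ."""
    sys_by_ref = {t.ref: t.amount for t in system}
    ext_by_ref = {t.ref: t.amount for t in external}
    exceptions = []
    for ref in sorted(set(sys_by_ref) | set(ext_by_ref)):
        if ref not in ext_by_ref:
            exceptions.append((ref, "missing from external source"))
        elif ref not in sys_by_ref:
            exceptions.append((ref, "missing from system"))
        elif abs(sys_by_ref[ref] - ext_by_ref[ref]) >= 0.005:  # differ by at least a cent
            exceptions.append((ref, f"amount differs: system {sys_by_ref[ref]:.2f} "
                                    f"vs external {ext_by_ref[ref]:.2f}"))
    return exceptions


# Constructed monthly (revenue, cost of sales) figures for the analytical review.
MONTHLY = {"Jan": (100000, 60000), "Feb": (104000, 62000),
           "Mar": (98000, 71000), "Apr": (101000, 60500)}


def analytical_review(monthly, expected_margin=0.40, tolerance=0.05):
    """Flag months whose gross margin ratio deviates from the expected ratio
    (an assumed 40%) by more than the tolerance; flagged months are handed
    to the independent review for investigation."""
    deviations = []
    for month, (revenue, cost) in monthly.items():
        margin = (revenue - cost) / revenue
        if abs(margin - expected_margin) > tolerance:
            deviations.append((month, round(margin, 3)))
    return deviations


if __name__ == "__main__":
    for ref, reason in reconcile(SYSTEM_PAYMENTS, BANK_STATEMENT):
        print(f"reconciliation exception {ref}: {reason}")
    for month, margin in analytical_review(MONTHLY):
        print(f"analytical review: {month} margin {margin} outside expectation")
```

Each exception is a lead for the independent review rather than a conclusion: a payment missing from the statement may be in transit, while a payment on the statement that is absent from the system is the pattern the segregation-of-duties notes above are meant to prevent.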

System development and change controls (same as development cycle)

• System development – developed in-house
• System acquisition – new one acquired from a vendor
• System development life cycle (SDLC)
(a) Request submission, needs assessment
➡ objectives come from a written user request or a genuine business need
➡ Feasibility study conducted, including:
➡ Comprehensive needs assessment
➡ Investigate resources required
➡ Investigate alternative solutions
➡ Cost-benefit analysis
➡ Time planner showing all deadlines

(b) Planning and design
➡ Project team manages the project in accordance with predetermined,
accepted programming standards and control frameworks
➡ Once the project plan is set, the business analyst must perform a detailed investigation
into user needs, which is used to develop the system.


(c) System development and testing
➡ Development area – create versions of the system
➡ Test area
➡ Program test
➡ String/series test
➡ System test
➡ Stress/tension test
➡ User acceptance test
➡ Production area – made live, but undergoes final approval

(d) Implementation
➡ Conversion to the new system and transfer of all data from the old one to the new one
➡ Conversion methods
➡ Parallel processing – both old and new run
➡ Direct shutdown – the old one is shut down and the new one implemented
➡ Modular (phased) implementation – the old one is phased out section
by section

(e) Post-implementation review and training
Conducted a couple of months later to determine whether:
➡ The system meets user needs
➡ The necessary controls have been implemented
➡ The IT development was a success (effective)
➡ IT system documentation and training are sufficient

Access Controls
✓ Prevent unauthorised persons from gaining access; limit the activities of authorised
persons to authorised areas
✓ Least privilege principle: access only to the data and systems that are necessary for them
to perform their duties correctly
✓ Physical access controls control access from outside into the company, using a walk-
through methodology
✓ Logical access controls are electronic measures such as usernames, passwords and
advanced technologies such as encryption and firewalls. Logs and audit trails are good tools
to identify
✓ Security management policy:
✓ Drive a culture of security awareness; policy widely distributed, employees must
acknowledge and agree to comply
✓ Where the policy is not adhered to, action is to be taken
✓ Access to premises of IT department
✓ Restricting physical access
✓ Installing security gates and magnetic doors; use electronic tag, pin pad/
biometric identification.
✓ Security guards at all entrances and exits; number of potential entry and exit points
kept to a minimum.
✓ Visitors sign a register at reception and are clearly identifiable by displaying a visitor tag.
✓ Doors remain locked at all times, only opened by special key, magnetic card/
biometric system.
✓ Closed-circuit TV monitors
✓ Important hardware, docs, data and programs should be locked away in
dedicated room, cupboard/ safe.
✓ Physical logs/ registers maintained of all visitors, electronic log of movement of
visitors and personnel within premises frequently reviewed.
✓ Access to computer terminals:
✓ Located in an office/dedicated, lockable room with one secure access point, away from
general access. Authorised staff have a way of identifying themselves.
✓ If this is impossible, management supervises activities.
✓ Limited to office hours: physically by locking, electronically by the job scheduling
function.
✓ Computer securely fastened to a table or desk so it cannot be stolen or removed.
✓ Logs or activity registers should be maintained and reviewed frequently.
✓ Access to other sensitive information:
✓ Storing devices in a separate place
✓ For sensitive material, employ a data librarian to keep track of use.
✓ Logical access controls:
✓ Implemented within the system; limit access to terminals, networks, data and
functionality (read, write, delete and change)
✓ Controls are applied by the computer itself
✓ Assist in:
✓ Identification (number/username, magnetic cards, biometric techniques)
✓ Authentication ("verify the identity of"): uses a unique password, a specific
question chosen by the user, an electronic key (magnetic card or USB
device), a physical attribute such as a fingerprint or face scan, or an additional
password sent to the user's cell phone/email account
✓ Authorisation (general rights could be granted, or specific authorisation
required for high-risk transactions, e.g. a second staff member to authorise)
✓ Library function:
✓ data librarian responsible for securing and managing data, files,
documentation, programs and user rights.
✓ Data communication:
✓ Encryption (converts or encodes data so it cannot be read without the encryption key)
✓ Firewalls (restrict the inflow and outflow of information)
✓ Call-back facility (the system disconnects the device and reconnects to the device
using an identity number)
✓ Antivirus and anti-malware programs (block viruses and malware from entering the
computer)
✓ Assurance logos (Thawte/WebTrust, showing the company uses reliable, trustworthy
and well-known security)
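The logical access control chain described above (identification, two-factor authentication with an additional code sent to the user, and authorisation with least privilege and a second authoriser for high-risk transactions), together with the segregation-of-duties and office-hours review points from the earlier sections, as an added example that is not part of the original notes. The user names, passwords, roles, the 10,000 high-risk threshold and the 08:00–18:00 office hours are all constructed for the demonstration:

```python
"""Logical access control walk-through over constructed data (added example).
Identification, two-factor authentication, least-privilege authorisation with
dual authorisation of high-risk writes, and a review of the activity log for
out-of-hours access."""
import hashlib
import hmac
import secrets
from datetime import datetime


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


# Constructed user store; the username is the input to the identification step.
USERS = {
    "clerk1": make_user("clerk-pass", "clerk"),
    "mgr1": make_user("mgr-pass", "manager"),
    "itops1": make_user("it-pass", "it_operator"),
}

# Least privilege: each role holds only the rights its duties require.
# Segregation of duties: IT operators maintain systems but hold no right to
# post or change transactions.
ROLE_RIGHTS = {
    "clerk": {"read", "write"},
    "manager": {"read", "write", "approve"},
    "it_operator": {"read", "maintain"},
}
HIGH_RISK_THRESHOLD = 10_000  # constructed: writes at or above this need a second authoriser
ACTIVITY_LOG = []  # audit trail of every authorisation decision


def identify(username: str):
    return USERS.get(username)


def issue_otp() -> str:
    """One-time code the system would send to the user's registered phone or e-mail."""
    return f"{secrets.randbelow(10**6):06d}"


def authenticate(username: str, password: str, otp_supplied: str, otp_issued: str) -> bool:
    """Two factors: something known (the password) and something possessed (the OTP)."""
    user = identify(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))
    otp_ok = hmac.compare_digest(otp_supplied.encode(), otp_issued.encode())
    return pw_ok and otp_ok


def authorise(username, action, amount=0, approver=None, when=None) -> bool:
    """Grant the action only if the role holds that right; a high-risk write
    additionally needs a second, different staff member with approve rights.
    Every decision is logged for later review."""
    user = identify(username)
    when = when or datetime.now()
    granted = user is not None and action in ROLE_RIGHTS[user["role"]]
    if granted and action == "write" and amount >= HIGH_RISK_THRESHOLD:
        appr = identify(approver) if approver else None
        granted = (appr is not None and approver != username
                   and "approve" in ROLE_RIGHTS[appr["role"]])
    ACTIVITY_LOG.append({"user": username, "action": action, "amount": amount,
                         "when": when, "granted": granted})
    return granted


def out_of_hours(log, start_hour=8, end_hour=18):
    """Supervision step: log entries outside office hours, for management review."""
    return [e for e in log if not (start_hour <= e["when"].hour < end_hour)]


def sample_time(hour: int) -> datetime:
    """Constructed timestamp on a fixed date, used for the demonstration."""
    return datetime(2024, 3, 4, hour, 0)


if __name__ == "__main__":
    otp = issue_otp()
    print("login:", authenticate("clerk1", "clerk-pass", otp, otp))
    print("IT operator posting a transaction:", authorise("itops1", "write", 500, when=sample_time(10)))
    print("high-risk write without approver:", authorise("clerk1", "write", 20_000, when=sample_time(10)))
    print("high-risk write with manager approval:",
          authorise("clerk1", "write", 20_000, approver="mgr1", when=sample_time(10)))
    authorise("clerk1", "read", when=sample_time(22))
    print("out-of-hours entries for review:", len(out_of_hours(ACTIVITY_LOG)))
```

Denied attempts are logged as well as granted ones, because a refused request from the IT operator to post a transaction is exactly the kind of entry the independent review wants to see.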

Business Continuity Controls

✴ Preventative: protect a company against non-physical and physical dangers
✴ Non-physical: relate to access to the computer system
✴ Physical dangers:
✴ Fire (smoke detectors, air conditioning, temperature kept at a suitable level)
✴ Construction and location (be away from obvious hazards; fire doors with
automatic locks can also be used)
✴ Electricity (mechanism installed to protect the company against power failures as
well as power surges)
✴ Water (situated away from taps and water)
✴ Environment (climate controlled, no windows that can be opened, neat, tidy and dust-free)
✴ Time (regular maintenance, wear and tear)
✴ Theft
✴ Backups
✴ Formalised backup policy
✴ Regular backups: weekly of all data, monthly of operational and financial files,
quarterly of the entire system.
✴ Backups stored in a suitable location off-site, preferably fireproof
✴ Backup copies frequently tested
✴ Sufficient and appropriate insurance cover
✴ Written emergency recovery plan/strategy document, with a list of the data and program files that
are key to operations
✴ An alternative processing facility should be in place
✴ Provision should be made for testing the emergency recovery plan to identify
weaknesses

Operational Controls
✤ Scheduling production runs and when processing takes place
✤ Setting standards for operating activities, maintenance and use of assets
✤ Maintaining logs and activity registers for use of software and hardware
✤ Ensuring library controls are in place to keep track of secure data, files, programs
and documentation
