General Control

Zaldy Adrianto

Definition
• Risk assessment of the risks related to the IT organization, security, acquisition, development and maintenance, and computer operations.

Objectives
• To provide a comprehensive framework of internal controls for IT activities and to provide a certain level of assurance that the overall internal control objectives can be achieved.
According to Indonesian Auditing Standards (PSA No. 60 / SA Seksi 314)

General Control Elements
• Organizational and Managerial
• System Development and Maintenance
• Operating System
• Software
• Data Entry and Program
• Backup and Recovery
According to PSA No. 60 / SA Seksi 314

Organizational and Managerial Control
• To provide assurance that the organizational and management structure has been established with adequate internal control, among other things by having:
• Policies and procedures related to the control function.
• Proper segregation of incompatible functions (such as preparation of input transactions, programming and computer operations).

System Development and Maintenance Control
• To provide assurance that system development and maintenance have been carried out efficiently and through a proper authorization process, including:
• Testing, conversion, implementation and documentation of new or revised systems.
• Changes to application systems.
• Access to system documentation.
• Acquisition of application systems and program listings from third parties.

Operating System Control
• Controls over system operations are in place to provide assurance that:
• The system is used only for authorized purposes.
• Access to computer operations is restricted to authorized employees.
• Only authorized programs are used.
• Processing errors can be detected and corrected.

Software Control
• Controls over software are in place to provide assurance that application software has been designed, acquired and developed efficiently and through a proper authorization process:
• Authorization, approval, testing, implementation and documentation of new system software and of modifications to system software.
• Restriction of access to software and system documentation to authorized employees only.

Backup and Recovery Procedure
• Assurance is in place for the continuity of information system processing and the availability of information. This includes:
• Backup copies of data and computer programs kept at a location separate from the main data processing site.
• Recovery procedures for use in the event of theft, loss or destruction of data, whether deliberate or accidental.
• Provision for processing at a location outside the company in the event of a disaster.

Data Entry and Program Control
• Controls over the data entry process and program controls are in place to provide assurance that:
• An authorization structure has been applied to the transactions entered into the system.
• Access to data and programs is restricted to authorized employees only.

General Control Illustration (diagram)
• Policy and Standard Operating Procedures
• Physical Access Control
• Logical Access Control
• Program Change Control: Development, Testing, Production
• Application flow: Input, Process, Output

IT Planning and Organization
• Strategic Plan (3-5 years): current information assessment, strategic directions, development strategy
• Operational Plan (1-3 years): progress reports, initiatives to be undertaken, implementation schedule

IT Plan Review
• Auditors evaluate whether top management has formulated a high-quality information systems plan appropriate to the needs of their organization.

Example of risks caused by poor planning
• Declining efficiency and effectiveness of IT functions
• Insufficient resources to provide the required IT functions / availability
• Going concern issues and lack of competitive advantages

Organization
• Organizational controls ensure the alignment of IT facilities with the business needs and the proper management of these facilities.

Key risks
• IT does not support business needs
• Loss of efficiency, unsatisfied staff, untimely problem solving, no improvements
• Unwanted combination of functions
• Untimely management reporting
• High dependence on one/few persons

Key controls
• Planning and budgeting
• Quality and quantity of staff
• Segregation of duties or close supervision
• Efficient use of IT
• Procedures and documentation

Organizational issues
• Position of IT department in organization
• Planning and reporting
• Centralization or decentralization of tasks
• Functions and task descriptions of IT staff
• Quality and quantity of staff
• Cost center, profit center, investment center and hybrid center

Change Management
• Change management procedures ensure that changes in the IT hardware and software do not negatively affect the general and application controls.

Key risks
• Loss of effectiveness of IT controls
• Loss of valuable hardware during changes
• IT no longer meets the business needs

Key controls
• Use of development and programming standards
• Proper testing by the users
• Up-to-date hardware and software documentation
• User involvement in initiating and approving changes

Integrated Audit Approach with the Systems Development Life Cycle
• Feasibility Study
• Information Analysis
• System Design
• Program Development
• Procedures and forms development
• Acceptance Testing
• Conversion
• Operation & Maintenance

Software Change Process
• Development: read, write and delete access rights for developers
• Test and acceptance: use access rights for developers and users
• Production: use access rights for users
• Software library: read access for librarian
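The environment split above can be checked mechanically against an export of access grants. The script below is an added example, not part of the slides; the role and environment names and the sample grants are constructed, and the policy table is a direct transcription of the four bullets.

```python
# Added example (not from the slides): check environment access grants
# against the segregation of environments shown in the Software Change
# Process. Role names, environment names and the sample grants are
# constructed for illustration.

# Policy from the slide: the permissions each role may hold per
# environment. Any grant not covered here is a violation.
POLICY = {
    ("developer", "development"): {"read", "write", "delete"},
    ("developer", "test_acceptance"): {"use"},
    ("user", "test_acceptance"): {"use"},
    ("user", "production"): {"use"},
    ("librarian", "software_library"): {"read"},
}


def check_grants(grants):
    """Return (account, role, environment, permission) for every grant
    the policy does not allow, in the order the grants were listed."""
    violations = []
    for g in grants:
        allowed = POLICY.get((g["role"], g["environment"]), set())
        if g["permission"] not in allowed:
            violations.append((g["account"], g["role"],
                               g["environment"], g["permission"]))
    return violations


# Constructed sample export of who holds what.
SAMPLE_GRANTS = [
    {"account": "dev01", "role": "developer", "environment": "development", "permission": "write"},
    {"account": "dev01", "role": "developer", "environment": "test_acceptance", "permission": "use"},
    # A developer writing straight into production bypasses test and
    # acceptance and the librarian: exactly what the slide's split prevents.
    {"account": "dev02", "role": "developer", "environment": "production", "permission": "write"},
    {"account": "usr07", "role": "user", "environment": "production", "permission": "use"},
    # An end user with delete rights on the library can alter approved code.
    {"account": "usr07", "role": "user", "environment": "software_library", "permission": "delete"},
    {"account": "lib01", "role": "librarian", "environment": "software_library", "permission": "read"},
]

if __name__ == "__main__":
    for acct, role, env, perm in check_grants(SAMPLE_GRANTS):
        print(f"VIOLATION: {acct} ({role}) holds '{perm}' on {env}")
```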

Preliminary study
• Technical feasibility: Is the available technology sufficient to support the proposed project? Can the technology be acquired or developed?
• Operational feasibility: Can the input data be collected for the system? Is the output usable?
• Economic feasibility: Do the benefits of the system exceed the cost?
• Behavioral feasibility: What impact will the system have on the users' quality of working life?

Type of Testing
• Program Testing
• System Testing
• User Testing
• Quality Assurance Testing

Physical Security (diagram): How do we secure our assets?
• Personnel
• Hardware: mainframe, minis & micros; peripherals: online/offline; storage media
• Physical Facilities
• Documentation
• Supplies
• Data / Information
• Logical: software (application, system)

Definition
• Physical security of computer hardware covers all controls to prevent damage to or loss of valuable assets and data on systems.

Key risks
• Loss of valuable hardware
• Tampering or damage to hardware
• Damage by external influences (fire, water)
• Disturbances caused by power fluctuations

Key controls
• Locked and dedicated computer room
• Availability of back-up power supply
• Fire and water detector
• No potentially dangerous situations (sprinklers, computer room on ground floor, etc.)

Examples of physical threats
• Fire and smoke
• Water
• Power supply fluctuations and failures
• Structural damage
• Pollution
• Misuse
• Theft

Controls mitigating the threats
• Fire: smoke and fire detectors, reliable fire-extinguishing tools
• Water: water detectors; facilities must be designed and sited to mitigate losses from water damage
• Energy variations: voltage regulators, circuit breakers and UPS
• Structural damage: facilities must be designed to withstand structural damage
• Pollution: regular cleaning of facilities and equipment should occur

Controls mitigating the threats (cont'd)
• Viruses and worms: up-to-date virus scanning software, to prevent use of virus-infected programs and to close security loopholes that allow worms to propagate
• Theft: labeling and locking

Picture example of Physical Security (image)

Logical Access Control
• Logical access security covers the controls to restrict access to information systems and data to authorized users.

Key risks
• Potential for fraud and misuse of systems and data
• Loss of information confidentiality

Key controls
• Up-to-date user access list
• Use of unique user-id and password
• Periodic review of list by management
• Regular change of passwords
• Clean desk
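The periodic review that management is asked to perform can be scripted so that the same three checks (list still current, user-ids unique, passwords changed on time) are applied to every row. This is an added example, not from the slides; the staff list, access list, review date and the 90-day and 60-day thresholds are all constructed assumptions.

```python
# Added example (not from the slides): a scripted periodic review of a
# user access list against the key controls above (current list, unique
# user-ids, regular password change). The staff list, access list,
# review date and thresholds are constructed for illustration.
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 30)          # constructed review date
MAX_PASSWORD_AGE = timedelta(days=90)    # assumed policy: change every 90 days
MAX_INACTIVITY = timedelta(days=60)      # assumed policy: dormant after 60 days

# Constructed HR list of current employees, the reference for "up to date".
CURRENT_STAFF = {"a.santoso", "b.wijaya", "c.putri"}

# Constructed export from the access control files, one row per user-id.
# "owner" lists the person(s) who actually use the id.
ACCESS_LIST = [
    {"user_id": "a.santoso", "owner": "a.santoso",
     "pw_changed": date(2024, 5, 1), "last_login": date(2024, 6, 28)},
    {"user_id": "b.wijaya", "owner": "b.wijaya",
     "pw_changed": date(2024, 1, 15), "last_login": date(2024, 6, 29)},
    {"user_id": "d.lestari", "owner": "d.lestari",          # has left the company
     "pw_changed": date(2024, 6, 1), "last_login": date(2024, 3, 2)},
    {"user_id": "ops_shared", "owner": "b.wijaya,c.putri",  # one id, two people
     "pw_changed": date(2024, 6, 10), "last_login": date(2024, 6, 30)},
]


def review_access_list(access_list, staff, today):
    """Return (user_id, finding) pairs for management to act on."""
    findings = []
    for row in access_list:
        uid, owners = row["user_id"], row["owner"].split(",")
        if len(owners) > 1:                      # breaks "unique user-id"
            findings.append((uid, "shared user-id"))
        for person in owners:
            if person not in staff:              # list is not up to date
                findings.append((uid, "owner not on current staff list"))
        if today - row["pw_changed"] > MAX_PASSWORD_AGE:
            findings.append((uid, "password older than policy"))
        if today - row["last_login"] > MAX_INACTIVITY:
            findings.append((uid, "dormant account"))
    return findings


if __name__ == "__main__":
    for uid, finding in review_access_list(ACCESS_LIST, CURRENT_STAFF, REVIEW_DATE):
        print(f"{uid}: {finding}")
```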

Authentication Process (diagram)
• Steps: Identification, Authentication, Authorization, Audit log
• Resources consulted: user profiles, access control files, database, software library
• Reporting: report writer producing security reports

Backup, Recovery and Contingency
• Backup controls and business continuity planning cover all procedures to ensure the availability of computer systems and data.

Key risks
• Data cannot be recovered (in time) after system failure
• Backup tapes are damaged or lost or cannot be used
• Loss of valuable business information
• Business cannot be continued after disaster (fire, etc.)

Key controls
• Regular backups, preferably daily
• Safe storage of tapes, preferably in a fireproof vault and externally
• Periodic testing of restore from backup
• Preparation of a Business Continuity Plan (not limited to IT!)
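A restore test only counts if it proves that every file came back intact, not merely that the archive opened. The script below is an added example, not from the slides: it backs up a constructed sample directory, restores it to a fresh location and compares SHA-256 digests file by file; all paths and contents are constructed.

```python
# Added example (not from the slides): a scripted restore test for the
# "periodic testing of restore from backup" control. Backs up a constructed
# sample directory, restores it elsewhere and verifies each file's SHA-256.
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_trees(expected, actual):
    """Return relative paths that are missing or changed in `actual`."""
    want, have = sha256_tree(expected), sha256_tree(actual)
    return sorted(p for p in want if have.get(p) != want[p])

def make_backup(src, archive):
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")

def restore_backup(archive, dst):
    with tarfile.open(str(archive), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):   # safe extraction on Python >= 3.12
            tar.extractall(dst, filter="data")
        else:
            tar.extractall(dst)

def restore_test(src):
    """Back up src, restore it elsewhere and return (ok, bad_paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        archive, restored = Path(tmp) / "backup.tar.gz", Path(tmp) / "restored"
        restored.mkdir()
        make_backup(src, archive)
        restore_backup(archive, restored)
        bad = compare_trees(src, restored)
        return (not bad, bad)

def build_sample_data():
    """Constructed stand-in for a production data directory."""
    root = Path(tempfile.mkdtemp())
    (root / "ledger").mkdir()
    (root / "ledger" / "2024-06.csv").write_text("id,amount\n1,100\n2,250\n")
    (root / "config.ini").write_text("[app]\nmode=prod\n")
    return root

if __name__ == "__main__":
    ok, bad = restore_test(build_sample_data())
    print("restore test passed" if ok else f"restore test FAILED: {bad}")
```

Run it on a schedule against a real backup set and treat any non-empty `bad` list as a failed control, not a warning.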

Backup Strategy for critical IT Resources
• Personnel: training and rotation of duties among information systems staff so they can take the place of others; arrangements with another company for provision of staff
• Hardware: arrangements with another company for provision of hardware
• Facilities: arrangements with another company for provision of facilities
• Documentation: inventory of documentation stored securely on site and off site

Backup Strategy for critical IT Resources (cont'd)
• Supplies: inventory of critical supplies stored securely on site and off site
• Data / Information: inventory of files stored securely on site and off site
• Application software: inventory of application software stored securely on site and off site
• System software: inventory of systems software stored securely on site and off site

Disaster Recovery Plan (DRP)
• The IT Disaster Recovery Plan forms one part of the overall BCP
• Limited use to the business if IT is saved but the rest of the business is lost

What Is a Disaster?
• A "disaster" is any event which disables or interrupts your client's ability to maintain a business-as-usual environment for a period of time that adversely affects ongoing operations.

Business Continuity Plan (BCP)
• A process which:
• Safeguards vital corporate assets
• Ensures continued availability of critical services
• Minimizes the effect of a disaster
• Considers the entire business, including IT

Business Continuity Planning example: Is your business safe?
• Threat categories on the slide: NATURAL, TECHNOLOGICAL, HUMAN / DELIBERATE, SAFETY, MISCELLANEOUS
• Threats listed: earthquakes/volcanoes, inclement weather, fire, network outage, loss of power, electrical, software/hardware breakdown, Year 2000, blackmail, terrorist attack, industrial action, negligence, hazardous substances, loss of key supplier, loss of key staff, legal/regulatory requirements

Some issues regarding BCP
• On-site vs. off-site contingency planning
• Hot or cold standby
• Personnel resources available
• Single point of failure will fail!
• Regular testing required

Example picture of BCP strategy (image): backup tape, backup storage, power regulator

Find the issues in the next 5 slides (five picture slides, not reproduced here)

How many did you find? Was IT OK?

