Sox Itgc PDF

IT Controls for auditors
19-26 July 2013

Introductory
remarks
©2013 KPMG Romania SRL, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated 1
with KPMG International Cooperative("KPMG International"), a Swiss entity. All rights reserved. PDC no.8229.
Logistics
Training‟s duration: 1 day
Agenda
Topic Schedule
Approach and planning 9:30 - 10:30
Working Papers and controls 10:30 - 12:00
Study Case 13:00 - 16:00
Q&A 16:00 -
GITC Testing
Approach
Planning
 Agenda
 Pbc‟s request
 Planning memo
IRM involvement
Financial
Audit team IRM institutions
Audit Over
Lower does
Higher
1000 hours
Complexity
and Complexity
reviews
Listed IT critical
companies
IRM
specialist
can be
consulted
* IRM involvement is agreed at planning

Module 1
GITC Overview
Understanding of IT
 Description of the IT Organization
 Main applications used
 Information services suppliers and contracts‟ SLAs
 IT strategy and IT budget
 IT budget
 Example of understanding of IT
GITC Overview
8 6
Access to program and Program changes
data
General IT Controls
3 5
Program development Computer operations
4 Control Areas with a total of 22 controls
ITGC on a page
Access to Information Physical Configuration Access Identification Monitoring Superusers

programs and Security access of access Administration and
data policy rules authorization
Objective: To determine whether adequate controls for access to programs and data have been established to reduce the
risk of unauthorised/inappropriate access to the relevant information systems related to financial reporting.
Program changes Authorization development Migration of the production Configuration changes Emergency
testing and approval environment changes
Objective: To determine whether adequate controls for program changes have been established to ensure that changes to
existing systems/applications are authorised, tested, approved, properly implemented and documented.
Program Methodology for Design, development, testing Data migration

development development approval & implementation
Objective: To determine whether adequate controls for program development have been established to ensure that new
systems/applications which are developed or acquired are authorised, tested, approved, properly implemented
and documented.
Computer Job processing Backup and recovery Incident and problem

operations procedures management procedures
Objective: To determine whether adequate controls for computer operations have been established to ensure that system/
application processing is appropriately authorized and scheduled and deviations from scheduled processing are
identified and resolved.
Higher risk area due to the potential impact on automated controls.
Higher risk when relevant, consider involving an IRM specialist
Lower risk area requiring less focus.
Access to programs and data
Information security The Company developed and implemented a formal Information Security
policy/ awareness Policy addressing the usage and security of the information resources.
Physical access The physical access to critical IT resources is appropriately controlled.
Configuration of access Users‟ access rights to the financial applications are granted based on
rules user profile templates which have been approved by the Management.
Users‟ accounts for the network and the financial applications access are
User administration created, deleted, modified based on formal requests from business
Management.
Identification and Appropriate password rules are implemented for network and financial
authentication applications access.
A formal review of network and financial applications user accounts and

Users’ access review user access rights is regularly performed at the Company.
The access to powerful user accounts defined for network and for the
Super users financial applications is restricted to a small group of personnel to preserve
accountability.
Monitoring of super
The activities performed by the super users are formally monitored.
users’ activity
Program changes
Authorization, development,
Changes to the financial applications are documented and authorized by
testing and approval -
the appropriate level of management.
Initiation
Authorization, development, Changes to the financial applications are tested, validated and approved
testing and approval - Testing prior to being migrated to the production environment.
Authorization, development,
The Company uses development and test environments which are
testing and approval -
separated from the production environment.
Environments
Migration to the production

Migration of changes to production environment is appropriately controlled.
environment
Configuration changes System configuration changes are tested, validated and approved prior to
migration to live environment.
The entity implemented appropriate controls in order to ensure that

Emergency changes
emergency changes are properly handled.
Program development
Methodology for New systems (in-house developed or acquired from external suppliers) are
development/ acquisition properly authorized by the business management.
Design, development, testing, Adequate tests for the new systems involved in the financial reporting are
approval and implementation in place at the Company.
Comprehensive conversion procedures have been established and

Data migration
followed in data migration.
Computer operations
Automated jobs, part of SOD procedure, are performed according to

Job processing previously established schedules and are monitored to ensure successful
run results.
The Company developed and implemented a formal backup and

Backup and recovery process
restoration procedure.
Access to backup media The access to backup media is restricted only to designated personnel.
Incident and problem A formal incident and problem management procedure is implemented at
management procedures the Company.
Antivirus protection Appropriate antivirus protection is implemented at the Company.
Module 2
GITC Detailed
Access to programs
and data
Information security policy/ awareness
The Company developed and implemented a formal Information Security Policy addressing
the usage and security of the information resources.
Access
Computer programs
operations and data
Test of Design Test of Program Program

development changes
& Operating
Implementation Effectiveness
a. Existence of Information a. Information Security Policy

Security Policy accesible to all employees
b. Information Security Policy‟s b. Employees sign the
content is appropriate Information Security Policy
for acknowledgment
• Information Security Policy • Information Security Policy published

• Acknowledgment forms
Physical access
The physical access to critical IT resources is appropriately controlled.

Access
Computer programs
operations and data

development changes
& Operating
a. Existence of a Physical Access a. List with employees

Procedure authorized to access critical
IT resources
b. Visit at the server room to
verify that controls are in
place
• Physical Access Procedure • Authorized employees‟ list

• Authorized employees‟ list extracted
from the control system
Configuration of access rules
Users‟ access rights to the financial applications are granted based on user profile templates
which have been approved by the Management.
Access
Computer programs
operations and data

development changes
& Operating
a. Existence of user profile a. Users‟ Profiles implemented

template in applications
b. Profiles approval/
authorization
c. Profiles modifications
requests
• Users Profiles • Applications‟ users profiles

• Profile modifications requests
User administration
Users‟ accounts for the network and the financial applications access are created, deleted,
modified based on formal requests from business management.
Access
Computer programs
operations and data

development changes
& Operating
a. Existence of a User a. List of employees hired/ that

Administration Procedure left the organization
b. Description of the user creation/ b. Sample from the list of
modification/ deletion flow employees hired/leaved
based on discussion with c. User creation/ modification/
responsible persons deletion forms, emails or
ticketing application
• Users Administration Procedure • Users creation request example 1

• Users creation request example 2
• Users deletion forms
Identification and authentication
Appropriate password rules are implemented for network and financial applications access.
Access
Computer programs
operations and data

development changes
& Operating
a. Existence of a Password Policy/ a. Printscreen with password

Procedure rules at network level
b. Authentication based on
username/ password b. Printscreen with password
c. Existence of applications‟ rules at application level
passwords rules based on
inquire with responsible persons
• Password Policy • Password rules at network level

• Password rules at application level
User access review
A formal review of network and financial applications user accounts and user access rights is
regularly performed at the Company.
Access
Computer programs
operations and data

development changes
& Operating
a. User Review Policy/Procedure a. Evidence of user review,

(usually included in the User email, forms, files
Administration Procedure)
b. User review process description
• User Administration Procedure • User review example
Super users
The access to powerful user accounts defined for network and for the financial applications
is restricted to a small group of personnel to preserve accountability.
Access
Computer programs
operations and data

development changes
& Operating
a. Policies/ procedures to access a. Printscreen with the

super users accounts members of Domain Admins
for networks based on Active
b. List of authorized employees to Directory
access super users accounts b. Printscreen with
administrative/ super user
accounts for applications
• Authorized list of super users • Domain Admins members

accounts • Application administrators
Monitoring of super users activity
The activities performed by the super users are formally monitored.

Access
Computer programs
operations and data

development changes
& Operating
a. Policies/ procedures regarding a. Printscreens from monitoring

monitoring of super users applications such as
activity (very rare) ArcSight, InTrust or activity
b. Process description of the logs
monitoring of super users b. Reports with super users‟
activity activities
• Log management policy • Monitoring of super users activity
Program changes
Authorization, development, testing and approval - Initiation
Changes to the financial applications are documented and authorized by the appropriate
level of management.
Program
Computer changes
operations
Test of Design Test of Program

Access
programs and
development
& Operating data
a. Change management a. List of changes

procedure b. Change request approval
(sample)
b. Change management
process description
• Change management procedure • Example of change requests
Authorization, development, testing and approval - Testing
Changes to the financial applications are tested, validated and approved prior to being
migrated to the production environment.
Program
Computer changes
operations

Access
programs and
development
& Operating data
a. Change management a. Test scenarios

procedure b. Testing, documentation: can
be forms, emails or ticketing
b. Testing process description applications
• Change management procedure •Test scenarios

• Example of change
Authorization, development, testing and approval - Environments
Changes to the financial applications are tested, validated and approved prior to being
migrated to the production environment.
Program
Computer changes
operations

Access
programs and
development
& Operating data
a. Change management a. Printscreens with production/

procedure development/ testing
b. Description of different environments
environments used (should
be separated)
• Change management procedure • Environments
Migration to the production environment
Migration of changes to production environment is appropriately controlled.
Program
Computer changes
operations

Access
programs and
development
& Operating data
a. Change management a. Approvals/ acceptance before

procedure migration in production of the
changes selected – forms,
b. Description of the migration emails, ticketing application
process (not data migration!!)
• Change management procedure • Acceptance forms
Configuration changes
System configuration changes are tested, validated and approved prior to migration to live
environment.
Program
Computer changes
operations

Access
programs and
development
& Operating data
a. Patch/ updates a. Usually a centralized

policies/procedures (rare) infrastructure is used for
Windows (Windows Server
b. Description of the patch/ Update Service - WSUS)
update process b. Evidence of testing before
deployment in
production(rare)
• Patch procedure • WSUS settings

• Updates testing evidence
Emergency changes
The entity implemented appropriate controls in order to ensure that emergency changes are
properly handled.
Program
Computer changes
operations

Access
programs and
development
& Operating data
a. Emergency changes process a. List of emergency changes

is usually included in the during the audited period
Change management (very rare)
procedure b. Evidence of documentation
b. Description of the and approval of emergency
emergency changes process changes
• Change management procedure
Program development
Methodology for development/ acquisition
New systems (in-house developed or acquired from external suppliers) are properly
authorized by the business management.
Program
Computer development
operations

Access
programs and
changes
& Operating data
a. Development/ acquisition a. In case of new systems

policy/ procedure implemented, evidence of
projects initiation, approvals,
b. Description of the project plan, etc
development/ acquisition
process
• Development/ acquisition procedure • Approvals of acquisition
Design, development, testing, approval and implementation
Adequate tests for the new systems involved in the financial reporting are in place at the
Company.
Program
operations

Access
programs and
changes
& Operating data
a. Development/ acquisition a. In case of new systems

policy/ procedure implemented, functional
specification, evidence of
b. Description of the projects acquisition/
development/ acquisition development, testing,
process migration into production
• Development/ acquisition procedure • Functional specifications

• Testing
• Migration to production
Data migration
Comprehensive conversion procedures have been established and followed in data

migration.
Program
operations

Access
programs and
changes
& Operating data
a. Migration procedures a. In case of new systems

implemented, evidence of the
b. Description of the migration success of data migration,
process tests, acceptance
• Migration plan • Data migration tests
Computer operations
Job processing
The Company developed and implemented formal procedures to ensure accuracy,

completeness, and timely processing of system jobs.
Computer
Program operations
development

Access
programs and
changes
& Operating data
a. EOD/SOD procedures – a. Evidence with the success of

used in Banks EOD/SOD procedures for
b. Description of the various Banks or execution logs for
system jobs that are other system jobs
executed (data transfers) b. Evidence of the system jobs
monitoring, error
management completion
• EOD/SOD completion
• EOD/SOD approvals
• Data transfer
Backup and recovery process
The Company developed and implemented a formal backup and restoration procedure.
Computer
Program operations
development

Access
programs and
changes
& Operating data
a. Backup and recovery a. Printscreens with backup

policy/procedure settings
b. Description of the backup b. Execution logs of the backup
process in terms of job
frequency, type c. Evidence of backup
restoration testing
• Backup Policy • Backup settings

• Backup Procedure • Restoration testing reports
Access to backup media
The access to backup media is restricted only to designated personnel.
Computer
Program operations
development

Access
programs and
changes
& Operating data
a. Physical Access Procedure a. List with employees

authorized to access critical
b. Backup media could be on IT resources – including
tapes, hard disks, DVDs backups
b. Visit at the location where the
backup are stored
• Physical Access Procedure • Backup settings
Incident and problem management procedures
A formal incident and problem management procedure is implemented at the Company.
Computer
Program operations
development

Access
programs and
changes
& Operating data
a. Incident and problem a. List with the incidents/

management problems recorded – usually
policies/procedures in a ticketing application
b. Description of the incident b. Verify a sample of incidents
and problem management for the solutions provided
process
• Incidents and problem management • Printscreen form ticketing application:

procedure • Overall view
• Sample of incidents
Antivirus protection
Appropriate antivirus protection is implemented at the Company.
Computer
Program operations
development

Access
programs and
changes
& Operating data
a. Antivirus protection a. Sample of workstations to

policy/procedure verify the antivirus settings –
protection enabled, updated,
b. Description of the antivirus can not be disabled by users
protection implemented b. Scanning reports
c. Settings of antivirus server
• Incidents and problem management • Antivirus settings on workstations

procedure • Antivirus server settings
• Antivirus settings on Windows based
servers
Application level
controls
considerations
Application Level Controls
Application controls are manual or automated procedures that typically operate at the process level
and apply to the processing of transactions by individual applications.
TOD TOE
Controls are properly Controls operated  Identify controls
IT General Controls
designed and YES effectively during the YES  Perform walkthrough

implemented? audited period?
Application Level
 Perform test of design
Controls
NO NO and implementation
 Perform test of operating
effectiveness
Identify compensating Extend sample or

controls or conclude conclude
In scope applications
Questions?
Gheorghe Vlad
Manager, Management Consulting
KPMG Romania SRL gvlad@kpmg.com

DN1, Sos. Bucuresti - Ploiesti
No. 69 – 71, P.O. Box 18 - 191 Mobile +40 747 333 034
Bucharest, 013685 Fax +40 372 377 700
© 2013 KPMG Romania S.R.L., a Romanian limited

liability company and a member firm of the KPMG
network of independent member firms affiliated with
KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved.
Printed in Romania.
The KPMG name, logo and „cutting through

complexity‟ are registered trademarks or trademarks
of KPMG International Cooperative (KPMG
International).

Sox Itgc PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sox Itgc PDF

Uploaded by

Copyright:

Available Formats

IT Controls for auditors

19-26 July 2013

Training‟s duration: 1 day

* IRM involvement is agreed at planning

 Description of the IT Organization

 Main applications used

 Information services suppliers and contracts‟ SLAs

 IT strategy and IT budget

4 Control Areas with a total of 22 controls

Access to Information Physical Configuration Access Identification Monitoring Superusers

Program Methodology for Design, development, testing Data migration

Computer Job processing Backup and recovery Incident and problem

Physical access The physical access to critical IT resources is appropriately controlled.

A formal review of network and financial applications user accounts and

Migration to the production

The entity implemented appropriate controls in order to ensure that

Comprehensive conversion procedures have been established and

Automated jobs, part of SOD procedure, are performed according to

The Company developed and implemented a formal backup and

Antivirus protection Appropriate antivirus protection is implemented at the Company.

Test of Design Test of Program Program

a. Existence of Information a. Information Security Policy

• Information Security Policy • Information Security Policy published

The physical access to critical IT resources is appropriately controlled.

Test of Design Test of Program Program

a. Existence of a Physical Access a. List with employees

• Physical Access Procedure • Authorized employees‟ list

Test of Design Test of Program Program

a. Existence of user profile a. Users‟ Profiles implemented

• Users Profiles • Applications‟ users profiles

Test of Design Test of Program Program

a. Existence of a User a. List of employees hired/ that

• Users Administration Procedure • Users creation request example 1

Test of Design Test of Program Program

a. Existence of a Password Policy/ a. Printscreen with password

• Password Policy • Password rules at network level

Test of Design Test of Program Program

a. User Review Policy/Procedure a. Evidence of user review,

b. User review process description

• User Administration Procedure • User review example

Test of Design Test of Program Program

a. Policies/ procedures to access a. Printscreen with the

• Authorized list of super users • Domain Admins members

The activities performed by the super users are formally monitored.

Test of Design Test of Program Program

a. Policies/ procedures regarding a. Printscreens from monitoring

• Log management policy • Monitoring of super users activity

Test of Design Test of Program

a. Change management a. List of changes

• Change management procedure • Example of change requests

Test of Design Test of Program

a. Change management a. Test scenarios

• Change management procedure •Test scenarios

Test of Design Test of Program

a. Change management a. Printscreens with production/

• Change management procedure • Environments

Migration of changes to production environment is appropriately controlled.

Test of Design Test of Program

a. Change management a. Approvals/ acceptance before

• Change management procedure • Acceptance forms

Test of Design Test of Program

a. Patch/ updates a. Usually a centralized

• Patch procedure • WSUS settings