©2013 KPMG Romania SRL, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated 1
with KPMG International Cooperative("KPMG International"), a Swiss entity. All rights reserved. PDC no.8229.
Logistics
Agenda
Topic                          Schedule
Approach and planning          9:30 - 10:30
Working Papers and controls    10:30 - 12:00
Study Case                     13:00 - 16:00
Q&A                            16:00 -
GITC Testing
Approach
Planning
• Agenda
• PBC (prepared by client) request
• Planning memo
IRM involvement
Lower complexity: the Financial Audit team does the reviews.
Higher complexity (audits over 1000 hours, financial institutions, listed companies, IT-critical entities): an IRM specialist can be consulted.
Understanding of IT
IT budget
Example of understanding of IT
GITC Overview
General IT Controls (number of controls per domain):
• Access to programs and data (8)
• Program changes (6)
• Program development (3)
• Computer operations (5)
ITGC on a page
Access to programs and data
Objective: To determine whether adequate controls for access to programs and data have been established to reduce the risk of unauthorised/inappropriate access to the relevant information systems related to financial reporting.
Program changes (Authorization, development, testing and approval; Migration to the production environment; Configuration changes; Emergency changes)
Objective: To determine whether adequate controls for program changes have been established to ensure that changes to existing systems/applications are authorised, tested, approved, properly implemented and documented.
Program development
Objective: To determine whether adequate controls for program development have been established to ensure that new systems/applications which are developed or acquired are authorised, tested, approved, properly implemented and documented.
Computer operations
Objective: To determine whether adequate controls for computer operations have been established to ensure that system/application processing is appropriately authorized and scheduled and deviations from scheduled processing are identified and resolved.
Risk legend:
• Higher risk area due to the potential impact on automated controls.
• Higher risk; when relevant, consider involving an IRM specialist.
• Lower risk area requiring less focus.
Access to programs and data
Information security policy/awareness: The Company developed and implemented a formal Information Security Policy addressing the usage and security of the information resources.
Configuration of access rules: Users' access rights to the financial applications are granted based on user profile templates which have been approved by the Management.
User administration: Users' accounts for the network and the financial applications access are created, deleted and modified based on formal requests from business Management.
Identification and authentication: Appropriate password rules are implemented for network and financial applications access.
Super users: The access to powerful user accounts defined for the network and for the financial applications is restricted to a small group of personnel to preserve accountability.
Monitoring of super users' activity: The activities performed by the super users are formally monitored.
Program changes
Authorization, development, testing and approval - Initiation: Changes to the financial applications are documented and authorized by the appropriate level of management.
Authorization, development, testing and approval - Testing: Changes to the financial applications are tested, validated and approved prior to being migrated to the production environment.
Authorization, development, testing and approval - Environments: The Company uses development and test environments which are separated from the production environment.
Configuration changes: System configuration changes are tested, validated and approved prior to migration to the live environment.
Program development
Methodology for development/acquisition: New systems (in-house developed or acquired from external suppliers) are properly authorized by the business management.
Design, development, testing, approval and implementation: Adequate tests for the new systems involved in the financial reporting are in place at the Company.
Computer operations
Access to backup media: The access to backup media is restricted only to designated personnel.
Incident and problem management procedures: A formal incident and problem management procedure is implemented at the Company.
Module 2
GITC Detailed
Access to programs and data
Information security policy/ awareness
The Company developed and implemented a formal Information Security Policy addressing
the usage and security of the information resources.
Physical access
Configuration of access rules
Users' access rights to the financial applications are granted based on user profile templates
which have been approved by the Management.
User administration
Users' accounts for the network and the financial applications access are created, deleted
and modified based on formal requests from business management.
Identification and authentication
Appropriate password rules are implemented for network and financial applications access.
User access review
A formal review of network and financial applications user accounts and user access rights is
regularly performed at the Company.
Super users
The access to powerful user accounts defined for network and for the financial applications
is restricted to a small group of personnel to preserve accountability.
Monitoring of super users' activity
Program changes
Authorization, development, testing and approval - Initiation
Changes to the financial applications are documented and authorized by the appropriate
level of management.
Authorization, development, testing and approval - Testing
Changes to the financial applications are tested, validated and approved prior to being
migrated to the production environment.
Authorization, development, testing and approval - Environments
The Company uses development and test environments which are separated from the
production environment.
Migration to the production environment
Configuration changes
System configuration changes are tested, validated and approved prior to migration to the live
environment.
Emergency changes
The entity implemented appropriate controls in order to ensure that emergency changes are
properly handled.
Program development
Methodology for development/ acquisition
New systems (in-house developed or acquired from external suppliers) are properly
authorized by the business management.
Design, development, testing, approval and implementation
Adequate tests for the new systems involved in the financial reporting are in place at the
Company.
Data migration
Computer operations
Job processing
• EOD/SOD (end-of-day / start-of-day processing) completion
• EOD/SOD approvals
• Data transfer
Backup and recovery process
The Company developed and implemented a formal backup and restoration procedure.
Access to backup media
Incident and problem management procedures
Antivirus protection
Application level controls considerations
Application Level Controls
Application controls are manual or automated procedures that typically operate at the process level
and apply to the processing of transactions by individual applications.
Testing flow (from the slide diagram):
1. In scope applications: identify controls (IT General Controls and Application Level Controls).
2. TOD: perform test of design and implementation; decision "Controls are properly …" (NO branch shown on the slide).
3. TOE: perform test of operating effectiveness; decision "Controls operated …" (NO branch shown on the slide).
Questions?
Gheorghe Vlad
Manager, Management Consulting