IT Controls

Overview
Northern Arizona University
Compliance, Controls & Business Services
December 2011
IT Controls
• Introduction
• What are IT Controls?
  ◦ General Controls
  ◦ Application Controls
• Why are IT Controls Important?
• Who is responsible for IT Controls?
• Where are IT Controls Applied?
IT Controls - Introduction
“IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations are dependent for their business and financial transaction processing — and overlooking or minimizing their importance creates a significant risk.”

- CICA Information Technology Advisory Committee (2004)


What are IT Controls?
Controls over computer-based systems are broken down into two major categories – general and application controls.
• General controls apply to all systems components, processes, and data for a given organization or systems environment
• Application controls (a.k.a. business process controls) pertain to the scope of individual business processes or application systems
Internal Control Classifications
Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls.
What are General IT Controls?
• By definition, General Computer Controls are control activities performed within the IT organization or the technology that they support that can be applied to every system that the organization relies upon;
• They are designed to encompass an organization’s IT infrastructure rather than specific applications. General controls help ensure confidentiality, integrity, and availability; contribute to safeguarding of data; and promote regulatory compliance.
Why are IT General Controls Important?
IT systems support many of the university’s business processes, such as these below…
• Purchasing
• Accounts Payable
• Inventory
• Payroll
Why are IT General Controls Important?
… AND without effective General Controls, reliance on these IT systems may not be possible.
Why are IT General Controls Important?
• If general controls are ineffective, there may be potential for material misstatement in each computer-based accounting application.
General Controls
Include:
• Organization Controls
  ◦ Policies and Procedures
  ◦ Segregation of Duties
• Access Controls
  ◦ Physical Security
  ◦ Logical Access
• Change Management Controls
• Business Continuity Controls
  ◦ Disaster Recovery
  ◦ Fault Tolerant Systems
  ◦ Backup
Organization Controls – Policies & Procedures
• A clear, concise, and well-written set of information technology policies, procedures, and control documentation is a strategic link between the university’s vision and its day-to-day operations.
• These documents are critical to the university because they provide guidelines for faculty/staff/students and enable the smooth functioning of the computer operations function without constant management intervention.
Organization Controls – Segregation of Duties
• The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence.
• Controls are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.
• Inadequate segregation of duties increases the risk of errors being made and remaining undetected; it also may lead to fraud and the adoption of inappropriate working practices.
• Sarbanes-Oxley provided a compelling case for the implementation and maintenance of appropriate segregation of duties at the organizational, manual process and system level.
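As an added illustration (not part of the NAU deck), the following Python checks the segregation-of-duties principle above in two places: the access assignments themselves (no one holds both halves of a conflicting pair of functions) and the transaction record (no one both initiated and authorized the same transaction). The function names, the conflict pairs and all sample data are constructed for the example.

```python
# Added example: segregation-of-duties checks over constructed assignments
# and a constructed transaction log (not from the NAU deck).
from itertools import combinations

# Pairs of functions one person must not hold together, drawn from the
# deck's list: initiating, authorizing, inputting, processing, checking.
CONFLICTING_PAIRS = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "check"}),
    frozenset({"authorize", "process"}),
}


def role_conflicts(assignments):
    """Return {user: [(func_a, func_b), ...]} for users holding a conflicting pair."""
    found = {}
    for user, functions in assignments.items():
        pairs = [tuple(sorted(p)) for p in combinations(sorted(functions), 2)
                 if frozenset(p) in CONFLICTING_PAIRS]
        if pairs:
            found[user] = pairs
    return found


def self_approved(transactions):
    """Return ids of transactions where the initiator also authorized them."""
    return [t["id"] for t in transactions
            if t["initiated_by"] == t["authorized_by"]]


# Constructed sample data: carol has been granted a conflicting combination.
ASSIGNMENTS = {
    "alice": {"initiate", "input"},
    "bob": {"authorize", "check"},
    "carol": {"initiate", "authorize", "process"},
}
TRANSACTIONS = [
    {"id": "PO-1001", "initiated_by": "alice", "authorized_by": "bob"},
    {"id": "PO-1002", "initiated_by": "carol", "authorized_by": "carol"},
]

if __name__ == "__main__":
    print(role_conflicts(ASSIGNMENTS))   # carol's conflicting pairs
    print(self_approved(TRANSACTIONS))   # ['PO-1002']
```

The first check catches the conflict before any transaction is posted; the second catches it after the fact, which is what a periodic review of logs would rely on.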
Access Controls - Physical Security
What is Physical Security?
Measures used to protect an organization’s facilities, resources, or proprietary data stored on physical media.
Examples:
• Facility monitoring (surveillance systems, cameras, guards, exterior lighting)
• Access controls to facilities/data center/computers (access cards)
• Alarm systems (fire, burglar, water, humidity, power fluctuations)
• Shred sensitive documents
• Proper storage/disposal of hard drives and other electronic storage media
• Secure storage of back-up copies of data and master copies of critical software
Access Controls – Logical Access
What is Logical Access?
Limiting access to systems and information to authorized individuals.
Examples:
• Passwords
• System authentication
• Logs of logon attempts
• Application-level firewalls
• Antivirus and anti-spyware software should be installed and up to date
• Intrusion detection systems which would identify suspicious network activity
• Encryption for sensitive data
• File shares should be adequately restricted to appropriate users
• Patches/system updates should be applied in a timely manner
Protect & Use Strong Passwords
• Don't use passwords that are based on personal
information that can be easily accessed or guessed.
• Don't use words that can be found in any dictionary of
any language.
• Develop a mnemonic for remembering complex
passwords.
• Use both lowercase and capital letters.
• Use a combination of letters, numbers, and special
characters.
• The longer the password, the tougher it is to crack. 
Use at least 10 characters.
• Use different passwords on different systems.
• Keep your passwords in a secure place, out of plain sight.
• Don’t share passwords on the phone, in texts or by
email.
Change Management Controls
Change Management Control Objectives include:
• To manage the IT change process such that
introduction of errors and incidents related to
change are minimized.
• To ensure that standard methods and procedures are
used so that changes can be addressed expediently
and with the lowest impact on service quality.
Change Management Control - Examples
Change Management Controls could include:
• Monitoring and logging of all changes
• Steps to detect unauthorized changes
• Confirmation of testing
• Authorization for moving changes to production
• Tracking movement of hardware and other infrastructure components
• Periodic review of logs
• Back out plans
• User training
• Specific defined and followed procedures for emergency changes
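As an added example (not from the NAU deck), the following Python shows one way to implement "steps to detect unauthorized changes": the current production file inventory is reconciled against the baseline from the last approved release and against change records that carry confirmation of testing and authorization for production. Paths, ticket numbers and file contents are constructed; hashes are computed from that content rather than quoted.

```python
# Added example: flag production files that changed without an approved,
# tested change record (not from the NAU deck; all data constructed).
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 of file content, used as the change fingerprint."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline captured when the last approved release went live.
BASELINE = {
    "app/payroll.py": digest(b"def run(): pass\n"),
    "app/config.ini": digest(b"[db]\nhost=dbserver\n"),
    "app/ap.py": digest(b"def pay(): pass\n"),
}
# Constructed current state of production.
CURRENT = {
    "app/payroll.py": digest(b"def run(): return 1\n"),          # approved change
    "app/config.ini": digest(b"[db]\nhost=dbserver\nadmin=1\n"),  # no ticket
    "app/ap.py": digest(b"def pay(): pass\n"),                    # unchanged
    "app/debug.py": digest(b"print('x')\n"),                      # new, no ticket
}
# Constructed change records: a record covers a file only if the change was
# tested and authorized, and the deployed hash matches what was tested.
CHANGES = [
    {"ticket": "CHG-0001", "path": "app/payroll.py", "tested": True,
     "authorized": True, "expected_hash": digest(b"def run(): return 1\n")},
]


def unauthorized_changes(baseline, current, changes):
    """Return sorted (path, kind) findings for changes not covered by a record."""
    approved = {c["path"]: c["expected_hash"] for c in changes
                if c["tested"] and c["authorized"]}
    findings = []
    for path, h in current.items():
        if baseline.get(path) == h:
            continue                      # unchanged since the baseline
        if approved.get(path) == h:
            continue                      # matches an approved, tested change
        findings.append((path, "added" if path not in baseline else "modified"))
    for path in baseline:
        if path not in current:
            findings.append((path, "removed"))
    return sorted(findings)


if __name__ == "__main__":
    for path, kind in unauthorized_changes(BASELINE, CURRENT, CHANGES):
        print(f"UNAUTHORIZED {kind}: {path}")
```

A change that was deployed with a hash different from the one that was tested is also reported, since the record covers only the tested content.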
Too bad they didn’t have change
management controls in place…
Business Continuity Controls
• Definition
  ◦ A comprehensive approach to ensuring normal operations despite interruptions.
• Components
  ◦ Disaster Recovery
  ◦ Fault Tolerant Systems
  ◦ Backup and Recovery
Disaster Recovery
• A documentation of the procedures to ensure that the organization continues to operate by providing the ability to successfully recover computer services in the event of a disaster.
• Must ensure that plans are comprehensive, up-to-date, and approved by key organizational, management, and executive personnel.
• Must test the plans regularly and document the results.
• NAU’s Business Continuity and Disaster Recovery Site webpage: http://home.nau.edu/comptr/businesscontinuity.asp
You know you are in trouble when…
Fault Tolerant System
• The ability of a system to respond gracefully to an unexpected hardware or software failure.
• There are many levels of fault tolerance, the lowest being the ability to continue operation in the event of a power failure. Many fault-tolerant computer systems mirror all operations; that is, every operation is performed on two or more duplicate systems, so if one fails the other can take over.
Backup and Recovery
• Requirements should be defined for backup of critical data (type and frequency).
• ITS provides a 12GB Home Drive (Bonsai)
• Procedures should be in place to periodically validate the recovery process.
What are IT Controls?
Controls over computer-based systems are broken down
into two major categories – general and application
controls.
• General controls apply to all systems components,
processes, and data for a given organization or
systems environment
• Application controls (a.k.a. business process controls)
pertain to the scope of individual business processes
or application systems
Application Controls
Include:
• Input controls
• Processing controls
• Output controls
Input Controls
Input control objectives:
• All transactions are initially and completely
recorded
• All transactions are completely and accurately
entered into the system
• All transactions are entered only once
Input Controls - Examples
Controls in this area may include:
• Pre-numbered documents
• Control total reconciliation
• Data validation
• Activity logging
• Document scanning
• Access authorization
• Document cancellation
Processing Controls
Processing control objectives:
• Approved transactions are accepted by the
system and processed
• All rejected transactions are reported, corrected,
and re-input
• All accepted transactions are processed only once
• All transactions are accurately processed
• All transactions are completely processed
Processing Controls - Examples
Controls over processing may include:
• Control totals
• Programmed balancing
• Segregation of duties
• Restricted access
• File labels
• Exception reports
• Error logs
• Reasonableness tests
• Concurrent update control
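As an added example (not from the NAU deck), the following Python runs three of the controls listed under Input Controls and Processing Controls above over one constructed batch of pre-numbered documents: control total reconciliation against the batch header, a sequence check on the document numbers (catching a document entered twice and one never entered), and a reasonableness test feeding an exception report. The ceiling value, record layout and the batch itself are constructed for the example.

```python
# Added example: control totals, sequence check and reasonableness test over a
# constructed batch of pre-numbered documents (not from the NAU deck).
from decimal import Decimal

# Constructed batch. The submitter intended documents 2001-2004 totalling
# 1250.00; the operator keyed 2002 twice instead of 2003 and keyed 2004 as
# 50000.00 instead of 50.00, so the record count still matches the header.
BATCH_HEADER = {"record_count": 4, "amount_total": Decimal("1250.00")}
BATCH = [
    {"doc_no": 2001, "amount": Decimal("300.00"), "dept": "Purchasing"},
    {"doc_no": 2002, "amount": Decimal("450.00"), "dept": "Payroll"},
    {"doc_no": 2002, "amount": Decimal("450.00"), "dept": "Payroll"},
    {"doc_no": 2004, "amount": Decimal("50000.00"), "dept": "Inventory"},
]
REASONABLE_MAX = Decimal("10000.00")  # assumed per-document ceiling


def control_total_check(header, records):
    """Reconcile record count and amount total against the batch header."""
    count = len(records)
    total = sum(r["amount"] for r in records)
    return {"count_ok": count == header["record_count"],
            "amount_ok": total == header["amount_total"],
            "count": count, "total": total}


def sequence_check(records):
    """Pre-numbered documents: numbers entered more than once, and gaps."""
    seen, duplicates = set(), []
    for r in records:
        if r["doc_no"] in seen:
            duplicates.append(r["doc_no"])
        seen.add(r["doc_no"])
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return {"duplicates": duplicates, "missing": missing}


def reasonableness_exceptions(records, ceiling=REASONABLE_MAX):
    """Documents whose amount is non-positive or above the ceiling."""
    return [r["doc_no"] for r in records
            if r["amount"] <= 0 or r["amount"] > ceiling]


def exception_report(header, records):
    """Combine the three checks into the report a reviewer would act on."""
    return {"control_totals": control_total_check(header, records),
            "sequence": sequence_check(records),
            "unreasonable": reasonableness_exceptions(records)}


if __name__ == "__main__":
    print(exception_report(BATCH_HEADER, BATCH))
```

Note that the count control alone passes here; only the amount total and the sequence check expose that a document was entered twice and another not at all.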
Output Controls
Output control objectives:
• Assurance that the results of input and
processing are output
• Output is available only to authorized
personnel
• The most important output control is review
of the data for reasonableness.
Output Control - Examples
Output controls could include:
• Complete audit trail
• Output distribution logs
• Output reports
Why are IT Controls Important?
• IT controls are essential to protect assets,
customers and sensitive information;
demonstrate safe, efficient and ethical
behavior; and preserve brand, reputation and
trust.
• IT controls support business management and
governance as well as provide general and
technical controls over IT infrastructures.
Who is responsible for IT Controls?
Everybody!
• But control ownership must be specified; otherwise no one is responsible.
• Many institutions have allocated the responsibility of information controls to the Information Technology management, in effect making this IT’s responsibility.
• In fact, the security of information, whether written, verbal, or physical, is a much broader responsibility. Regulations also require controls that are outside the purview of IT. If only IT is seen as responsible, other technology-related requirements can easily slip through the cracks.
Where are IT Controls Applied?
Everywhere!
• IT includes technology components, processes, people, organization, and architecture (infrastructure) – as well as the information itself.