Information Technology General Controls
August 24, 2018
Kaushal R. Trivedi
Director, Management Audit
Vadodara Audit Club
Are You a Victim of… FEAR?
Laptop Theft
Virus Attack
Data Theft
Data Corruption/ Loss!!
Threats Continue to Grow…
• Axis Bank and State Bank of India confirmed the loss of data of several million credit/ debit
card users in the August 2016 data theft
• Verizon Enterprise Solutions, which also deals with enterprise security,
was hit by a cyber-attack that led to the theft of details about 1.5 million
customers
• 55M Philippines Commission on Elections (COMELEC) records: the entire database was
stolen from the COMELEC website by hackers from Anonymous and posted online.
• 49.6M Turkish citizenship records were stolen and posted online
• Australia's Immigration Department: an employee inadvertently sent the
passport numbers, visa details and personal identifiers of all world
leaders attending the G20 Brisbane Summit to the organizers of the Asian Cup
football tournament. Barack Obama, Vladimir Putin, Angela Merkel, Xi
Jinping, Narendra Modi, David Cameron and many others…
Technological Global Risks & Trends 2018
Adverse consequences of technological advances
• Intended or unintended adverse consequences of technological advances such
as artificial intelligence, geo-engineering and synthetic biology causing human,
environmental and economic damage
Critical information infrastructure breakdown
• Cyber dependency that increases vulnerability to outage of critical information
infrastructure (e.g. internet, satellites, etc.) and networks, causing widespread
disruption
Large-scale Cyberattacks
• Large-scale cyberattacks or malware causing large economic damages,
geopolitical tensions or widespread loss of trust in the internet
Massive incident of data fraud/ theft
• Wrongful exploitation of private or official data that takes place on an
unprecedented scale
Source: World Economic Forum – Global Risk Report 2018
Technological Global Risks & Trends
Source: World Economic Forum – Global Risk Report 2016
Source: Executive Opinion Survey 2015, World Economic Forum.
Note: the darker the colour, the higher the concern.
IT Service Frameworks
What is ITGC?
INFORMATION
• Information Technology General Controls (ITGCs) can be defined as internal controls
that assure the secure, stable, and reliable performance of computer hardware, software
and IT personnel connected to financial systems.
• ITGCs affect the ability to rely on application controls and IT dependent manual controls.
• Without effective ITGCs, reliance cannot be placed on any application controls or IT
dependent manual controls unless additional procedures are performed (e.g.,
benchmarking). Even these additional procedures limit the ability to rely upon more than
one application control at a time.
• ITGCs are an integral part of many different operational and regulatory (federal and state)
audits, including:
o IT operational reviews
o HIPAA assessments
o SSAE16 assessments/ SOC-2
o PCI-DSS reviews/audits
o SOX assessments
Auditing Standards (SA 315) - INDIA
EDP/ IT Controls
• General Controls
o Admin Controls: discipline in routine operations and admin functions
o Sys. Dev. Controls: usage of updated technology with adequate people support (SOD)
• Application Controls
o Procedural Controls (ensure timely processing)
o Manual Controls
o Automated Controls
*SA 315 - Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment
IT Risk Assessment & Scoping
► Layers assessed, top to bottom: significant accounts, business processes,
business controls, applications
► IT Process Controls (Change Mgt, Operations, Security) over each technology layer:
➢Application
➢Database
➢Operating System
➢Network
STEP 1: validate understanding
STEP 2: perform risk assessment at each layer
STEP 3: Conclude: is it REASONABLY POSSIBLE that a failure in this IT Process area
could impact application controls and result in a material misstatement?
Risk is not eliminated; it is reduced to a REASONABLE level.
Test of Design vs. Test of Effectiveness
Test of Design
Determines whether the controls, if operating properly, can effectively prevent or
detect errors or fraud that could result in material misstatements in the financial
statements.
• Procedures the auditor performs to test and evaluate design effectiveness
include inquiry, observation, and inspection of relevant documentation. The
procedures the auditor performs to test and evaluate design effectiveness
might also provide evidence that can be used to test the effectiveness of
the control. Was the control designed appropriately?
Test of Effectiveness
Involves evaluating whether internal control is operating as designed.
• Procedures the auditor performs to test and evaluate operating
effectiveness include inquiry, observation, and inspection of relevant
documentation. Was the control consistently performed? Was the control
performed by a person who had the necessary authority and qualifications
to perform the control effectively?
Testing Methodology
Testing Method: Definition
• Inquiry: The auditor inquires (in writing or verbally) of the responsible
individual as to what procedures are in place to address the control being
tested. This is typically the first step in each test.
• Inspection: The auditor inspects the evidence provided to ensure that it is
accurate.
• Corroborative Inquiry: The auditor inquires with one individual and corroborates
the inquiry separately with another individual.
• System Query: The auditor tests that automated controls within an IT application
are operating as expected. Examples of these kinds of controls may be:
o That a predefined exception will be identified appropriately by the system
(this exception may be associated with completeness and/or accuracy of input,
processing and output of the application)
o That logical access configuration within the application is set in a way that
establishes segregation of duties and otherwise provides for the authorization
of transactions.
ITGC Focus – Background Info.
IT Organization (Employees & Third Party):
• IT Steering Committee/ Business Management
• IT Management
• IT Operations
• Security Management
• Application Development
IT Organization (SOD Examples): can the first and second job be combined?
• Data Entry + Quality Assurance: Yes
• System Administrator + Database Administrator: No
• Security Administrator + Application Programmer: No
• Systems Programmer + Security Administrator: No
• Help Desk + Network Administrator: No
ITGC Focus – Background Info.
o Technology Overview – Software (by Key Application)
• Application (Name & Version)
• Owner/Support (Business & IT Contact Points)
• Description (Modules or Business Function)
• # Users
• Database (Name & Version)
• OS (Name & Version)
• Hardware (Type & Quantity)
• Location (Hardware)
o Review of Network Infra (Wired/ Wireless/ WAN)
o Remote access capabilities (Business purpose/ Authentication)
o Firewalls utilized – Firewall (Hardware/ Software/ Combination?), Analyzer.
o Products or Services offered via the Internet?
Network – Which is Better?
Solution: the application or usage decides the placement and number of
equipment.
Network – Which is Better?
2-Tier vs. 3-Tier (network diagrams)
Network – VPN
Coverage/ Application of ITGC
Source: ISACA.org
ITGC – Security Management
Security Administration – Application, Database, Platform, Network
1. Users are granted access (business need)
2. Approval process exists (authorize in a timely manner)
3. Access privileges are reviewed and confirmed (periodically)
4. Controls are in place to support appropriate and timely responses (job
changes)
Security Configuration – Application, Database, Platform, Network
1. Security standards exist for each system or application.
2. Application Configuration (view, add, change, or delete data)
3. Password parameter settings for App/DB/OS/Network
4. Procedures for effectiveness of authentication and access mechanisms.
5. DBMS is appropriately configured (stored procedures)
Security Monitoring – Application, Database, Platform, Network
1. Management logs and monitors security activity and security violations are
promptly analyzed, reported and/or escalated.
ITGC – Security Management
Access-related Questions
• Is the Security Policy applicable to employees, third parties, or both?
• Characteristics of an ideal password?
• Monitoring of powerful user IDs (DB Admin/ Backup Admin/
Network Admin)
• User access reviews (one-time/ periodic: why?)
• Physical Security (Guard/ Card Access/ Biometric/ ATM PIN)
• Security Monitoring (e.g. left employees, invalid logins, audit
trails)
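The access-review checks implied by the Security Administration controls above (approval before grant, timely response to job changes, periodic review of privileges and of powerful user IDs) and by the incompatible-duties matrix on the "IT Organization (SOD Examples)" slide, as an added Python example that is not part of the presentation. All account, approval and leaver records are constructed; the role names follow the slide, and the one-day grace period for disabling a leaver's account is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

# Incompatible-duty pairs from the 'IT Organization (SOD Examples)' slide: every
# row marked 'No' under 'Combined'. Data Entry + Quality Assurance is marked 'Yes'
# and is therefore deliberately absent.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"System Administrator", "Database Administrator"}),
    frozenset({"Security Administrator", "Application Programmer"}),
    frozenset({"Systems Programmer", "Security Administrator"}),
    frozenset({"Help Desk", "Network Administrator"}),
}

# 'Powerful user IDs' the slide singles out for monitoring.
PRIVILEGED_ROLES = {"Database Administrator", "Backup Administrator", "Network Administrator"}


@dataclass
class Account:
    user_id: str
    owner: str                       # employee the account belongs to
    roles: Set[str]
    granted: date                    # date access was provisioned
    approved: Optional[date] = None  # date of documented approval; None = no evidence
    active: bool = True


@dataclass(frozen=True)
class Finding:
    control: str   # which ITGC control the exception relates to
    subject: str   # user ID or employee the exception is raised against
    detail: str


def check_approvals(accounts: List[Account]) -> List[Finding]:
    """Control 2: an approval process exists and authorizes access before it is granted."""
    out: List[Finding] = []
    for a in accounts:
        if not a.active:
            continue
        if a.approved is None:
            out.append(Finding("approval", a.user_id, "no approval evidence on file"))
        elif a.approved > a.granted:
            out.append(Finding("approval", a.user_id,
                               f"approved {a.approved} after grant {a.granted}"))
    return out


def check_leavers(accounts: List[Account], leavers: Dict[str, date],
                  review_date: date, grace_days: int = 1) -> List[Finding]:
    """Control 4: timely response to job changes (here: leavers whose IDs are still active).
    grace_days is an assumed tolerance, not a figure from the slide."""
    out: List[Finding] = []
    for a in accounts:
        left = leavers.get(a.owner)
        if a.active and left is not None and (review_date - left).days > grace_days:
            out.append(Finding("job_change", a.user_id,
                               f"owner {a.owner} left {left}, account still active"))
    return out


def check_sod(accounts: List[Account]) -> List[Finding]:
    """SOD: one employee holding two roles the matrix marks as not combinable.
    Roles are aggregated per employee, so a conflict split across two IDs is still caught."""
    by_owner: Dict[str, Set[str]] = {}
    for a in accounts:
        if a.active:
            by_owner.setdefault(a.owner, set()).update(a.roles)
    out: List[Finding] = []
    for owner, roles in by_owner.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                out.append(Finding("sod", owner, " + ".join(sorted(pair))))
    return out


def privileged_ids(accounts: List[Account]) -> List[str]:
    """Powerful user IDs whose activity the security-monitoring control must cover."""
    return sorted(a.user_id for a in accounts if a.active and a.roles & PRIVILEGED_ROLES)


def run_review(accounts: List[Account], leavers: Dict[str, date],
               review_date: date) -> List[Finding]:
    """Control 3: the periodic access review, as the union of the three checks."""
    return (check_approvals(accounts)
            + check_leavers(accounts, leavers, review_date)
            + check_sod(accounts))


# Constructed sample population for a review dated 2018-08-24.
REVIEW_DATE = date(2018, 8, 24)
ACCOUNTS = [
    Account("asharma", "A. Sharma", {"Data Entry", "Quality Assurance"},
            date(2018, 1, 10), date(2018, 1, 8)),              # allowed combination
    Account("bpatel", "B. Patel", {"System Administrator"},
            date(2017, 6, 1), date(2017, 5, 30)),
    Account("bpatel_db", "B. Patel", {"Database Administrator"},
            date(2018, 3, 15), date(2018, 3, 20)),             # approved after grant
    Account("cmehta", "C. Mehta", {"Help Desk", "Network Administrator"},
            date(2018, 2, 1), None),                           # no approval evidence
    Account("djoshi", "D. Joshi", {"Backup Administrator"},
            date(2016, 9, 1), date(2016, 8, 29)),              # owner has left
]
LEAVERS = {"D. Joshi": date(2018, 7, 31)}   # HR roster of leavers (constructed)

if __name__ == "__main__":
    for f in run_review(ACCOUNTS, LEAVERS, REVIEW_DATE):
        print(f"[{f.control}] {f.subject}: {f.detail}")
    print("privileged IDs to monitor:", privileged_ids(ACCOUNTS))
```

Each Finding is an exception for the test of operating effectiveness; an empty list for a population is the evidence that the control operated, not merely that it was designed.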
ITGC – Change Management
Application Development Lifecycle
1. Organization SDLC considers security, availability, and processing integrity
requirements
2. SDLC ensures Application controls that support complete, accurate,
authorized, and valid transaction processing.
Quality Assurance & Testing – Application, Database, Platform, Network
1. Testing strategy for changes
2. Testing is performed at the unit, system/integration, and user acceptance level
3. Load and stress testing is performed against test standards.
4. Integration test (for Interfaces with other systems/technology)
5. Conversion of data is tested - origin and its destination to confirm that it is
complete, accurate, and valid (FA Invoice and FAR)
Change Management Process – Application, Database, Platform, Network
1. Procedures for Installation and Maintenance
2. System maintenance, and supplier maintenance - Change Management
procedures.
ITGC – Change Management
Change Management Process – Application, Database, Platform, Network
3. Procedures for emergency changes exist and are followed.
4. Emergency changes are approved, tested, documented, and monitored.
5. Procedures exist to ensure applications/databases/OS-system software can
be returned to a previously known/stable state.
6. Systems are updated with updates/patches in a timely manner.
ITGC – Change Management
Change Management related Questions
• Firewall software has an update: should that be subject to the Change
Management Process?
• Invoicing for FG has stopped and IT support personnel on the night shift
suggest a system restart to correct the problem?
• Management is launching a new product tomorrow; however, the new
module has not been tested in the Test Environment?
ITGC – Data Management
Data Backup, Storage, and Recovery
1. A strategy is defined for data backup type and frequency (including definition
of data retention periods).
2. A media management strategy defines media rotation and destruction.
3. Procedures exist to periodically test the effectiveness of the restoration
process and quality of backup media.
4. Procedures are defined and implemented to prevent access to sensitive
information stored on off-line physical media.
ITGC – Data Management
Data Management related Questions
• Backups are taken on tape drives but never tested; however, the IT Admin
ensures the tape library does not report any error after backup
completion?
• Backups are taken and placed at the same location in a Dataline fireproof
safe which can withstand temperatures up to 1000 degrees C for
an hour and is earthquake-proof?
• Backups are stored at the Managing Director's house in Mumbai and the
Disaster Recovery server is at Surat?
ITGC – Computer & Data Centre Operations
Incident and Problem Management
1. Management has defined and implemented an incident management system so that
events that are not part of the standard operation are recorded, analyzed,
escalated, resolved, and reported in a timely manner.
2. Management has defined and implemented problem management procedures
to help ensure that the root cause of operational events that are not part of the
standard operation is resolved in a timely manner.
Production Monitoring
1. Management has established and documented standard procedures for IT
operations, including managing, monitoring, and responding to security,
availability, and processing integrity events.
2. Management has established appropriate metrics to effectively manage,
monitor, and report on day-to-day operations.
3. System event data are sufficiently retained to provide chronological
information and logs to enable the reconstruction, review, and examination of
the time sequences of processing.
ITGC – Computer & Data Centre Operations
Data Centre related Questions
• Air conditioning of the server room is kept at 18 degrees Centigrade?
• The server shows an amber light alert but is functioning
correctly.
• What if the above problem is accompanied by frequent restarts?
• The server room UPS system is out of warranty?
• Dell, the server equipment manufacturer, has declined to provide an AMC because
the server is on the End of Life support list?
• The server room does not have rodent protection
ITGC – Computer & Data Centre Operations
Picture 1? (photograph slide)
ITGC – Computer & Data Centre Operations
Picture 2? (photograph slide)
ITGC – Computer & Data Centre Operations
Winner!
Questions?
Thank You.
Kaushal R. Trivedi
+91 9825154523
kaushal.trivedi@kcmehta.com

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 

IT General Controls Presentation at IIA Vadodara Audit Club

  • 5. Technological Global Risks & Trends
    Source: World Economic Forum Global Risk 2016
    Source: Executive Opinion Survey 2015, World Economic Forum. Note: the darker the colour, the higher the concern.
  • 7. What is ITGC?
    • Information Technology General Controls (ITGCs) can be defined as internal controls that assure the secure, stable, and reliable performance of computer hardware, software and IT personnel connected to financial systems.
    • ITGCs affect the ability to rely on application controls and IT dependent manual controls.
    • Without effective ITGCs, reliance cannot be placed on any application controls or IT dependent manual controls unless additional procedures are performed (e.g., benchmarking). Even these additional procedures limit the ability to rely upon more than one application control at a time.
    • ITGCs are an integral part of many different operational and regulatory (federal and state) audits, including:
      o IT operational reviews
      o HIPAA assessments
      o SSAE16 assessments/ SOC-2
      o PCI-DSS reviews/audits
      o SOX assessments
  • 8. Auditing Standards (SA 315) - INDIA
    EDP/ IT Controls
    • General Controls
      o Admin Controls: Discipline in routine Operations and Admin functions
      o Sys. Dev. Controls: Usage of updated technology with adequate People support (SOD)
    • Application Controls
      o Procedural Controls (Ensure Timely Processing)
      o Manual Controls
      o Automated Controls
    *SA 315 - Identifying and Assessing The Risk of Material Misstatement through Understanding the Entity and its Environment
  • 9. IT Risk Assessment & Scoping
    Layers: Significant accounts, Business processes, Business controls, Applications
    IT Process Controls: Change Mgt, Operations, Security
      ➢ Application
      ➢ Database
      ➢ Operating System
      ➢ Network
    STEP 1: Validate understanding
    STEP 2: Perform risk assessment at each layer
    STEP 3: Conclude: is it REASONABLY POSSIBLE that a failure in this IT process area could impact application controls and result in a material misstatement? Risk is not eliminated; is it reduced to a REASONABLE level?
  • 10. Test of Design vs. Test of Effectiveness
    Test of Design: determines whether the controls, if operating properly, can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.
    • Procedures the auditor performs to test and evaluate design effectiveness include inquiry, observation, and inspection of relevant documentation. The procedures the auditor performs to test and evaluate design effectiveness might also provide evidence that can be used to test the effectiveness of the control.
    • Was the control designed appropriately?
    Test of Effectiveness: involves evaluating whether internal control is operating as designed.
    • Procedures the auditor performs to test and evaluate operating effectiveness include inquiry, observation, and inspection of relevant documentation.
    • Was the control consistently performed? Was the control performed by a person who had the necessary authority and qualifications to perform the control effectively?
  • 11. Testing Methodology
    Testing Method         Definition
    Inquiry                The auditor inquires (in writing or verbally) of the responsible individual as to what procedures are in place to address the control being tested. This is typically the first step in each test.
    Inspection             The auditor inspects the evidence provided to ensure that it is accurate.
    Corroborative Inquiry  The auditor inquires with one individual and corroborates the inquiry separately with another individual.
    System Query           The auditor tests that automated controls within an IT application are operating as expected. Examples of these kinds of controls may be:
                           - that a predefined exception will be identified appropriately by the system (this exception may be associated with completeness and/or accuracy of input, processing and output of the application);
                           - that the logical access configuration within the application is set in a way that establishes segregation of duties and otherwise provides for the authorization of transactions.
  • 12. ITGC Focus – Background Info.
    IT Organization (Employees & Third Party):
    • IT Steering Committee/ Business Management
    • IT Management
    • IT Operations
    • Security Management
    • Application Development
    IT Organization (SOD Examples):
    First Job               Second Job               Combined?
    Data Entry              Quality Assurance        Yes
    System Administrator    Database Administrator   No
    Security Administrator  Application programmer   No
    Systems Programmer      Security Administrator   No
    Help Desk               Network Administrator    No
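The SOD table above is the kind of rule set an auditor tests with a system query: pull every user's job assignments and flag anyone holding a pair the organisation has marked "Combined: No". The script below is an added example, not code from the presentation; the conflict pairs mirror the slide's table, while the user ids and their job assignments are constructed sample data.

```python
"""Segregation-of-duties (SOD) check over a role assignment list.

Added illustration; not from the presentation. The conflict pairs mirror the
slide's table; the user/role assignments below are constructed sample data.
"""
from itertools import combinations

# Pairs of jobs that the slide marks as "Combined: No". Pairs are unordered,
# so they are stored as frozensets.
CONFLICTING_PAIRS = {
    frozenset({"System Administrator", "Database Administrator"}),
    frozenset({"Security Administrator", "Application Programmer"}),
    frozenset({"Systems Programmer", "Security Administrator"}),
    frozenset({"Help Desk", "Network Administrator"}),
}

# Constructed sample: user id -> set of jobs currently assigned.
SAMPLE_ASSIGNMENTS = {
    "u1001": {"Data Entry", "Quality Assurance"},                # allowed per slide
    "u1002": {"System Administrator", "Database Administrator"},  # conflict
    "u1003": {"Help Desk"},
    "u1004": {"Security Administrator", "Systems Programmer", "Help Desk"},  # conflict
    "u1005": {"Network Administrator", "Help Desk"},              # conflict
}


def find_sod_violations(assignments, conflicts=CONFLICTING_PAIRS):
    """Return sorted (user, job_a, job_b) tuples for every conflicting pair a user holds."""
    violations = []
    for user, jobs in assignments.items():
        # Every unordered pair of the user's jobs is checked against the matrix.
        for a, b in combinations(sorted(jobs), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return sorted(violations)


def users_needing_compensating_control(assignments, conflicts=CONFLICTING_PAIRS):
    """Users with at least one SOD conflict: each needs a role removed or a
    documented compensating control (e.g. independent review of their work)."""
    return sorted({v[0] for v in find_sod_violations(assignments, conflicts)})


if __name__ == "__main__":
    for user, a, b in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"SOD conflict: {user} holds both '{a}' and '{b}'")
```

In a real review the assignments come from the application's user-role export and the conflict matrix from the approved SOD policy; the check is re-run at each periodic access review rather than once at go-live.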
  • 13. ITGC Focus – Background Info.
    o Technology Overview – Software (by Key Application)
      • Application (Name & Version)
      • Owner/Support (Business & IT Contact Points)
      • Description (Modules or Business Function)
      • # Users
      • Database (Name & Version)
      • OS (Name & Version)
      • Hardware (Type & Quantity)
      • Location (Hardware)
    o Review of Network Infra (Wired/ Wireless/ WAN)
    o Remote access capabilities (Business purpose/ Authentication)
    o Firewalls utilized – Firewall (Hardware/ Software/ Combination?), Analyzer.
    o Products or Services offered via the Internet?
  • 14. Network – Which is Better?
    Solution: the application or usage will decide the placement and number of equipment.
  • 15. Network – Which is Better?
    [Diagram: 2-TIER vs 3-TIER network design]
  • 17. Coverage/ Application of ITGC
    [Diagram] Source: ISACA.org
  • 18. ITGC – Security Management
    Security Administration – Application, Database, Platform, Network
    1. Users are granted access based on business need.
    2. An approval process exists (access is authorized in a timely manner).
    3. Access privileges are reviewed and confirmed periodically.
    4. Controls are in place to support appropriate and timely responses to job changes.
    Security Configuration – Application, Database, Platform, Network
    1. Security standards exist for each system or application.
    2. Application configuration (view, add, change, or delete data).
    3. Password parameter settings for App/DB/OS/Network.
    4. Procedures for effectiveness of authentication and access mechanisms.
    5. DBMS is appropriately configured (stored procedures).
    Security Monitoring – Application, Database, Platform, Network
    1. Management logs and monitors security activity, and security violations are promptly analyzed, reported and/or escalated.
  • 19. ITGC – Security Management
    Access related Questions?
    • Is the Security Policy applicable to employees, third parties, or both?
    • Characteristics of an ideal password?
    • Monitoring of powerful user IDs (DB Admin/ Backup Admin/ Network Admin)
    • User access reviews (one time/ periodic - why?)
    • Physical security (Guard/ Card Access/ Biometric/ ATM PIN)
    • Security monitoring (i.e. left employees, invalid logins, audit trails)
  • 20. ITGC – Change Management
    Application Development Lifecycle
    1. The organization's SDLC considers security, availability, and processing integrity requirements.
    2. The SDLC ensures application controls that support complete, accurate, authorized, and valid transaction processing.
    Quality Assurance & Testing – Application, Database, Platform, Network
    1. Testing strategy for changes.
    2. Testing is performed at the unit, system/integration, and user acceptance level.
    3. Load and stress testing is performed against test standards.
    4. Integration test (for interfaces with other systems/technology).
    5. Conversion of data is tested at origin and destination to confirm that it is complete, accurate, and valid (FA Invoice and FAR).
    Change Management Process – Application, Database, Platform, Network
    1. Procedures for installation and maintenance.
    2. System maintenance and supplier maintenance follow Change Management procedures.
  • 21. ITGC – Change Management
    Change Management Process – Application, Database, Platform, Network (continued)
    3. Procedures for emergency changes exist and are followed.
    4. Emergency changes are approved, tested, documented, and monitored.
    5. Procedures exist to ensure applications/databases/OS-system software can be returned to a previously known/stable state.
    6. Systems are updated with updates/patches in a timely manner.
  • 22. ITGC – Change Management
    Change Management related Questions?
    • Firewall software has an update; should that be subject to the Change Management process?
    • Invoicing for FG has stopped and IT support personnel on the night shift suggest a system restart to correct the problem?
    • Management is launching a new product tomorrow; however, the new module has not been tested in the test environment?
  • 23. ITGC – Data Management
    Data Backup, Storage, and Recovery
    1. A strategy is defined for data backup type and frequency (including definition of data retention periods).
    2. A media management strategy defines media rotation and destruction.
    3. Procedures exist to periodically test the effectiveness of the restoration process and the quality of backup media.
    4. Procedures are defined and implemented to prevent access to sensitive information stored on off-line physical media.
  • 24. ITGC – Change Management
    Data Management related Questions?
    • Backups are taken on tape drives but never tested? However, the IT admin ensures the tape library does not give any error after backup completion?
    • Backups are taken and placed at the same location in a Dataline fire-proof safe which can withstand temperatures up to 1000 degrees C for an hour and is earthquake-proof?
    • Backups are stored at the Managing Director's house in Mumbai and the Disaster Recovery server is at Surat?
  • 25. ITGC – Computer & Data Centre Operations
    Incident and Problem Management
    1. Management has defined and implemented an incident management system so that events that are not part of the standard operation are recorded, analyzed, escalated, resolved, and reported in a timely manner.
    2. Management has defined and implemented problem management procedures to help ensure that the root cause of operational events that are not part of the standard operation is resolved in a timely manner.
    Production Monitoring
    1. Management has established and documented standard procedures for IT operations, including managing, monitoring, and responding to security, availability, and processing integrity events.
    2. Management has established appropriate metrics to effectively manage, monitor, and report on day-to-day operations.
    3. System event data are sufficiently retained to provide chronological information and logs to enable the reconstruction, review, and examination of the time sequences of processing.
  • 26. ITGC – Computer & Data Centre Operations
    Data Centre related Questions?
    • The air conditioning of the server room is kept at 18 degrees Centigrade?
    • The server is showing an amber light alert; however, it is functioning correctly.
    • What if the above problem is compounded by frequent restarts?
    • The server room UPS system is out of warranty?
    • Dell, the server equipment manufacturer, has declined to provide an AMC as the server is on the End of Life support list?
    • The server room does not have rodent protection.
  • 27. ITGC – Computer & Data Centre Operations: [Picture 1?]
  • 28. ITGC – Computer & Data Centre Operations: [Picture 2?]
  • 29. ITGC – Computer & Data Centre Operations: Winner!
  • 31. Thank You. Kaushal R. Trivedi +91 9825154523 kaushal.trivedi@kcmehta.com