KPMG - Department of Accounting and Information Systems ACIS

IT Auditor’s Perspective: An Overview
and Discussion of IT Controls
ADVISORY SERVICES
Learning Objectives
• Describe concepts related to internal controls from the perspective of the IT auditor
• Identify and distinguish Information Technology (IT) automated application and general controls
• Understand the relationship between types of controls and system layers
• Questions, Comments and General Discussion
© 2008 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. FOR INTERNAL USE ONLY. All rights reserved.
Control Overview
Definition
• Control
  • Dictionary Definition: To exercise authoritative or dominating influence over; direct (Source: Dictionary.com; web address: http://dictionary.reference.com/browse/control)
  • Auditor’s Definition: An activity that is performed to prevent or detect an error or exception from entering or continuing in a process
• Internal Control
  • A process, effected by an organization's people and IT systems, designed to help the organization accomplish specific goals or objectives (Source: Wikipedia; web address: http://en.wikipedia.org/wiki/Internal_control)
Common Generic Control Objectives and
Examples
• Financial
  • Financial statements are presented in accordance with Generally Accepted Accounting Principles (Financial Reporting Reliability)
  • Example: The division of responsibilities such that a clerk responsible for processing cash receipts does not have access to make, change, or delete corresponding accounting entries within the financial system
• Operational
  • Operational goals related to efficiency and effectiveness are achieved
  • Example: Standard operating procedures, Quality Assurance (QA) checks
• Regulatory
  • The organization complies with applicable laws and regulations
  • Example: Logical security controls placed into operation to protect the confidentiality of data covered by Payment Card Industry Data Security Standard (PCI-DSS) or Health Insurance Portability and Accountability Act (HIPAA)
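The cash-receipts clerk example above is a segregation-of-duties (SoD) control. The following is an added illustration, not code from the KPMG slides: it evaluates a user's combined roles against a conflict matrix so that the conflicting pair (posting cash receipts plus changing or deleting journal entries) is reported when it already exists (detective) and refused when a new role assignment would create it (preventive). The role names, permission names, conflict pairs and user list are all constructed for the example.

```python
"""Segregation-of-duties check over role assignments (added example).

Roles, permissions, conflict pairs and users below are constructed for
illustration; real systems would load them from the application's security
tables and a policy-approved conflict matrix.
"""

# Constructed role -> permission mapping for a small financial system.
ROLE_PERMISSIONS = {
    "cash_receipts_clerk": {"cash_receipt.create", "cash_receipt.post"},
    "gl_accountant": {"journal_entry.create", "journal_entry.change", "journal_entry.delete"},
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve", "payment.release"},
    "read_only_auditor": {"journal_entry.view", "cash_receipt.view"},
}

# Constructed conflict matrix: permission pairs one person must not hold together.
SOD_CONFLICTS = [
    ("cash_receipt.post", "journal_entry.change"),   # the clerk example on the slide
    ("cash_receipt.post", "journal_entry.delete"),
    ("vendor.create", "payment.release"),           # fictitious-vendor risk
    ("invoice.enter", "invoice.approve"),
]


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def conflicting_pairs(perms, conflicts=SOD_CONFLICTS):
    """Conflict pairs fully contained in a permission set, in matrix order."""
    return [pair for pair in conflicts if pair[0] in perms and pair[1] in perms]


def sod_violations(user_roles, conflicts=SOD_CONFLICTS, role_permissions=ROLE_PERMISSIONS):
    """Detective check: {user: [conflicting pairs]} for users who already hold a conflict."""
    findings = {}
    for user, roles in user_roles.items():
        hits = conflicting_pairs(effective_permissions(roles, role_permissions), conflicts)
        if hits:
            findings[user] = hits
    return findings


def conflicts_if_assigned(current_roles, new_role, conflicts=SOD_CONFLICTS,
                          role_permissions=ROLE_PERMISSIONS):
    """Preventive check: conflicts that would exist if new_role were added; empty list means safe."""
    perms = effective_permissions(list(current_roles) + [new_role], role_permissions)
    return conflicting_pairs(perms, conflicts)


# Constructed user list; "bob" holds exactly the conflict the slide describes.
USER_ROLES = {
    "alice": ["cash_receipts_clerk"],
    "bob": ["cash_receipts_clerk", "gl_accountant"],
    "carol": ["ap_clerk", "ap_supervisor"],
    "dave": ["read_only_auditor"],
}

if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES).items():
        for a, b in hits:
            print(f"SoD violation: {user} holds both {a} and {b}")
    blocked = conflicts_if_assigned(USER_ROLES["alice"], "gl_accountant")
    print(f"assigning gl_accountant to alice would create {len(blocked)} conflict(s)")
```

The detective function is what an auditor's access review runs over an export of user-role assignments; the preventive function is what the access-administration step should call before a role request is fulfilled.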
Internal Control Concepts
• Key Concepts for Internal Control
  • Internal control is a process.
  • Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management, board, and other stakeholders.
Internal Control – A Renewed Focus
• Sarbanes-Oxley Act of 2002
  • Intended to expand corporate governance, increase public confidence in financial reporting information and strengthen our capital markets systems
• Effects of Sarbanes-Oxley
  • Created the Public Company Accounting Oversight Board (PCAOB)
  • Reinforces Auditor Independence
  • Strengthens the Internal Control Structure within organizations
  • Upgrades Financial Disclosures
  • Created Accountability at the Executive Level
  • Protects Investors
Internal Control – A Renewed Focus (continued)
• Payment Card Industry – Data Security Standard (PCI-DSS)
  • Created to protect the financial data of consumers from loss
  • Partially a response to the rise in identity theft awareness
  • Partially a response to the rise in data exposure/breaches in the marketplace
  • Designed to protect key financial data
    • At rest
      • Generally a requirement for access controls
    • In transit
      • Generally a requirement for encryption
Internal Control – A Renewed Focus (continued)
Examples
Fidelity National Information Services (FIS)
Type of Breach: Hack
Cost: $13 million
After breaking into FIS's network and gaining access to the company's database, a group of criminals obtained 22 legitimate ATM cards. Copies of the cards were made and shipped to Greece, Russia, Spain, Sweden, the Ukraine and the United Kingdom.
Bank of America
Type of Breach: Insider Theft
Cost: $10 million
A Bank of America employee leaked customer information to members of an identity theft ring.
Customer names, Social Security numbers, driver's license numbers, bank account numbers, PINs,
account balances, dates of birth, addresses, and phone numbers were obtained.
Source: privacyrights.org
Application Controls: What Are They and Why They Matter
Overview of Application Controls
• What is a control (again)?
  • An activity that is performed to prevent or detect an error or exception from entering or continuing on in a process
• What is application software?
  • A subclass of computer software that employs the capabilities of a computer directly and thoroughly to a task that the user wishes to perform
  • Examples: Word processors, spreadsheets, media players, Enterprise Resource Planning (ERP) systems (e.g., SAP, Oracle, etc.)
  • Contrasted with system software, which is any computer software which manages and controls computer hardware so that application software can perform a task (e.g. Unix, Windows)
  (Source: Wikipedia; web address: http://en.wikipedia.org/wiki/Application_software, http://en.wikipedia.org/wiki/System_software)
Application Controls and IT General Controls
[Diagram: how application controls and IT general controls support financial reporting, shown as layers from top to bottom]
• Significant Accounts / Disclosures in Financial Statements: Balance Sheet, Income Statement, Cash Flow (SCFP), Notes, Other
• Classes of Transactions
• Business Processes: Process A, Process B, Process C, each driven by Business Events and Transactions
• Financial Applications (application controls): Application A, Application B
• IT Services (general controls) / IT General Controls (Activities): Plan & Organize (Program Development); Acquire & Implement (Program Change); Deliver & Support (Computer Operations); Monitor (Access)
Information Technology Controls – IT Application Controls
• IT Application Controls
  • Apply to the processing of individual applications
  • Help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed
  • Examples
    • Logical Access/Segregation of Duties
    • System Configurations (e.g., three-way match)
    • Key reports (exception/edit reports)
  • Includes automated and manual controls with an IT component
  • Dependent on the effectiveness of IT General Controls
  • May be configurable parameters or hard-coded within the system
Application Control Categories

Control Categories | Manual Aspect | IT Aspect
Authorization | Signature Review | Online approval
Exception/Edit | Manual Reconciliation, Review and Resolution | Program Development / Change control access / Integrity of Exception-Edit Report
Interface/Conversion | Manual Reconciliation and Analysis | Automated Reconciliation
Management Review | Review and Analysis | Completeness and Accuracy of Reports
Reconciliation | Manual Reconciliation | Automated Reconciliation / Completeness and Accuracy of Reports
Segregation of Duties | Job Functions | System Access / Profiles / User Groups
System Access | Approvals / Termination Review | Configurable System and Security Controls
System Configuration / Account Mapping | Policy Approval / Ability to override controls over processes | System settings in accordance with policy / Security change control
Types of Controls
• Preventive or Detective or Corrective
  • Preventive: Designed to prevent errors or exceptions from being introduced or errors from occurring
  • Detective: Designed to detect errors or exceptions. A detective control is not complete unless it includes corrective action
  • Corrective: Designed to correct errors or exceptions
• Manual or Automated or Combined
  • Manual: Performed by one or more personnel
  • Automated: Performed by an application or computer
  • Combined: Performed by personnel in combination with an application or computer system
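The three-way match named under IT Application Controls and the preventive/detective/corrective distinction above can be shown in one automated control. The following is an added example, not code from the KPMG slides: an invoice is matched against its purchase order and goods receipts; a matched invoice is released for payment while a mismatch is blocked (preventive) and written to an exception report (detective) that can only be closed with a documented resolution and approver (corrective). The tolerance parameters, document structures and sample documents are constructed for the example.

```python
"""Three-way match as an automated application control (added example).

Purchase order (PO), goods receipt (GR) and vendor invoice are compared on
quantity and unit price. Tolerances are the kind of configurable parameter
the slides mention; their values here are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PurchaseOrder:
    po_id: str
    quantity: int
    unit_price: float


@dataclass
class GoodsReceipt:
    po_id: str
    quantity: int


@dataclass
class Invoice:
    invoice_id: str
    po_id: str
    quantity: int
    unit_price: float


@dataclass
class MatchResult:
    invoice_id: str
    released: bool
    reasons: list = field(default_factory=list)


PRICE_TOLERANCE_PCT = 2.0   # constructed: allowed unit-price deviation from the PO
QTY_TOLERANCE_UNITS = 0     # constructed: allowed over-invoicing in units


def three_way_match(inv, pos, receipts, price_tol_pct=PRICE_TOLERANCE_PCT,
                    qty_tol=QTY_TOLERANCE_UNITS):
    """Compare one invoice with its PO and the receipts booked against that PO."""
    reasons = []
    po = pos.get(inv.po_id)
    if po is None:
        reasons.append(f"no purchase order {inv.po_id}")
        return MatchResult(inv.invoice_id, False, reasons)
    received = sum(r.quantity for r in receipts if r.po_id == inv.po_id)
    if inv.quantity > po.quantity + qty_tol:
        reasons.append(f"invoiced qty {inv.quantity} exceeds ordered qty {po.quantity}")
    if inv.quantity > received + qty_tol:
        reasons.append(f"invoiced qty {inv.quantity} exceeds received qty {received}")
    if po.unit_price > 0:
        drift = abs(inv.unit_price - po.unit_price) / po.unit_price * 100
        if drift > price_tol_pct:
            reasons.append(f"unit price {inv.unit_price} deviates {drift:.1f}% from PO price {po.unit_price}")
    return MatchResult(inv.invoice_id, not reasons, reasons)


def run_match(invoices, pos, receipts):
    """Preventive: only matched invoices are released. Detective: mismatches go on the exception report."""
    released, exception_report = [], []
    for inv in invoices:
        result = three_way_match(inv, pos, receipts)
        (released if result.released else exception_report).append(result)
    return released, exception_report


def resolve_exception(exc, resolution_note, approver):
    """Corrective: an exception closes only with a documented resolution and an approver."""
    if not resolution_note or not approver:
        raise ValueError("exception requires a resolution note and an approver")
    return {"invoice_id": exc.invoice_id, "reasons": exc.reasons,
            "resolution": resolution_note, "approved_by": approver}


# Constructed sample documents.
POS = {"PO-100": PurchaseOrder("PO-100", 10, 50.00),
       "PO-101": PurchaseOrder("PO-101", 5, 200.00)}
RECEIPTS = [GoodsReceipt("PO-100", 10), GoodsReceipt("PO-101", 3)]
INVOICES = [
    Invoice("INV-1", "PO-100", 10, 50.50),   # 1% price drift, within tolerance: released
    Invoice("INV-2", "PO-101", 5, 200.00),   # only 3 of 5 received: exception
    Invoice("INV-3", "PO-999", 1, 10.00),    # no purchase order: exception
    Invoice("INV-4", "PO-100", 10, 60.00),   # 20% price drift: exception
]

if __name__ == "__main__":
    released, exceptions = run_match(INVOICES, POS, RECEIPTS)
    print("released:", [r.invoice_id for r in released])
    for exc in exceptions:
        print("exception:", exc.invoice_id, "; ".join(exc.reasons))
```

The auditor's interest is in all three parts: that the tolerance settings agree with approved policy (a configurable parameter), that nothing can be paid without passing the match (the preventive leg), and that every line on the exception report is resolved by someone authorized to do so (the detective control is "not complete" otherwise).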
When Should Application Controls Be Considered…
• …during development?
• …during testing?
• …after implementation?
When Should Application Controls Be Considered… (continued)
Consideration throughout the project (beginning as early as possible) can help to identify, evaluate, and integrate controls rather than identifying and remediating control weakness afterwards, thus helping to reduce the cost of control integration.
[Chart: Cost of Controls ($) plotted against the Project Lifecycle phases: Blueprint, Realization, Final Preparation, Go-Live, Post Go-Live]
IT General Controls: What They Are and Why They Matter
IT General vs. Application Controls
• The effectiveness of application controls is dependent on general controls
[Diagram: system layers, top to bottom: Processes, Applications, Data/DBMS, Platforms, Networks, Physical]
Security Model Overview
Relationship of IT General and Application Controls and Financial Reporting
IT General Controls
IT General Control (ITGC) Categories
• Access to Programs and Data
• Program Change
• Program Development
• Computer Operations
Access to Programs and Data
Control Components
• Consider the following access to programs and data components:
  • Information security policy / user awareness
  • Configuration of access rules
  • Access administration
  • Identification and authentication
  • Monitoring
  • ‘Super users’
  • Physical access
Program Changes Workflow
[Workflow diagram] Change is requested → Analyzed, Recorded and Approved → Prioritized and Scheduled → Developed → Tested, validated and Approved → Migrated → Change ticket is closed
Ownership, Tracking and Monitoring apply across every step.
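The workflow above is only a control if the steps cannot be skipped and the people who develop a change are not the ones who approve, test or migrate it. The following is an added example, not code from the KPMG slides, of a change ticket that enforces that ordering and keeps the ownership and tracking trail the slide calls for. The state names follow the slide; the transition rules, the actor-separation checks and the sample actors are assumptions made for the example.

```python
"""Change-ticket workflow with enforced step order and actor separation (added example).

State names follow the Program Changes Workflow slide; the separation rules
(who may approve, test and migrate) are assumptions, not the firm's policy.
"""

STATES = ["requested", "approved", "scheduled", "developed", "tested", "migrated", "closed"]
NEXT = dict(zip(STATES, STATES[1:]))   # each state's only permitted successor


class ChangeControlError(Exception):
    """Raised when a transition would bypass a workflow step or a separation rule."""


class ChangeTicket:
    def __init__(self, ticket_id, requester):
        self.ticket_id = ticket_id
        self.requester = requester
        self.state = "requested"
        # Ownership, tracking and monitoring: every step records who performed it.
        self.history = [("requested", requester)]

    def actor_for(self, state):
        """Who performed a given step, or None if it has not happened."""
        return next((who for st, who in self.history if st == state), None)

    def transition(self, to_state, actor):
        expected = NEXT.get(self.state)
        if expected is None:
            raise ChangeControlError(f"{self.ticket_id}: ticket is closed")
        if to_state != expected:
            raise ChangeControlError(
                f"{self.ticket_id}: cannot go from {self.state} to {to_state}; next step is {expected}")
        # Assumed separation rules: requester cannot approve own change,
        # developer cannot sign off own test or move own code to production.
        if to_state == "approved" and actor == self.requester:
            raise ChangeControlError(f"{self.ticket_id}: requester cannot approve own change")
        if to_state in ("tested", "migrated") and actor == self.actor_for("developed"):
            raise ChangeControlError(f"{self.ticket_id}: developer cannot perform '{to_state}' on own change")
        self.state = to_state
        self.history.append((to_state, actor))
        return self.state


def run_happy_path():
    """Constructed ticket that follows every step of the slide's workflow."""
    ticket = ChangeTicket("CHG-1", "alice")      # constructed ids and actors
    ticket.transition("approved", "cab")
    ticket.transition("scheduled", "cab")
    ticket.transition("developed", "bob")
    ticket.transition("tested", "carol")
    ticket.transition("migrated", "ops")
    ticket.transition("closed", "alice")
    return ticket


def try_skip():
    """Constructed attempt to migrate a change that was never approved or tested."""
    ticket = ChangeTicket("CHG-2", "alice")
    try:
        ticket.transition("migrated", "bob")
    except ChangeControlError as err:
        return str(err)
    return None


if __name__ == "__main__":
    done = run_happy_path()
    print(done.state, done.history)
    print(try_skip())
```

The `history` list is the evidence an auditor asks for: who approved, who tested, who migrated, and that the order was followed. Enforcing the order in the tool, rather than in a procedure document, turns the workflow from a manual control into an automated one.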
Program Development
Control Components
• Systems Development Life Cycle (SDLC)
• Consider the following program development components:
• Methodology for development / acquisition
• Design, development, testing, approval, and implementation
• Data migration
ITGC — Computer Operations
Control Components
• Consider the following computer operations components:
• Job processing
• Backup and recovery procedures
• Incident and problem management procedures
Summary of Key Points
• Internal control:
  • Is a process, affected by an organization's people and IT, designed to help the organization accomplish specific goals or objectives
• IT application controls:
  • Help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed
• IT general controls:
  • Policies and procedures that relate to many applications and support the effective functioning of application controls and manual controls with an IT component
• These concepts are relevant!
  • Almost every position in any career field deals with controls in some capacity
  • When you think about the security of your own personal information, you’re actually thinking about control
Questions, Comments and General Discussion
© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All
rights reserved. 33179WDC
The information contained herein is of a general nature and is not intended to address
the circumstances of any particular individual or entity. Although we endeavour to provide
accurate and timely information, there can be no guarantee that such information is accurate
as of the date it is received or that it will continue to be accurate in the future. No one should
act on such information without appropriate professional advice after a thorough examination
of the particular situation.