6/11/2016 Filename Session 135 Control Practices and Control Theories Jeff Roth, CISA.

Presentation transcript:


Page 2 Agenda
– Overview of control theory and controls found in practice
– Control objectives, risk mitigation and the practical design of an internal control framework
– Application of control theory to IT audit engagements

Page 3 Introduction and Overview
Before we discuss internal controls, we first need to understand why we need to consider their use. In all aspects of our lives and business we have objectives. Examples are:
– making it to work on time
– producing goods or services that meet our customer requirements
– meeting earnings expectations of shareholders

Page 4 Introduction and Overview
As we attempt to reach these goals, there are risks to achieving these stated objectives and to avoiding undesirable outcomes.
(Slide graphic: Risk)

Page 5 Introduction and Overview
Types of Internal Controls (the optimum definition)
– Preventive controls are established to reasonably assure the prevention or deterrence of undesired outcomes and the attainment of established goals.
– Detective controls are established to reasonably assure the prompt detection of the occurrence of an undesirable event, or of a failure to meet an objective, at a point where it can still be corrected.

Page 6 Quiz
What type of controls are these?
– Enable BIOS passwords
– Enable boot loader passwords
– Security logs for unsuccessful login attempts
– Data field mask for SSN
– Event triggers
– IT security training
– Disaster recovery testing
(Answer choices shown on the slide: Preventive; Preventive and Detective; Detective)

Page 7 COSO
Per the COSO Enterprise Risk Framework, internal control is defined as a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations

Page 8 COSO
Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
Event Identification – Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Page 9 COSO
Risk Assessment – "...the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change."
Risk Response – "Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity's risk tolerances and risk appetite."

Page 10 COSO
Control Environment – the organisation's awareness of internal controls; it is the cornerstone of any system of controls.
– Integrity
– Ethics
– Competence of employees
– Management's philosophy and operating style
– Assignment of authority and responsibility, and organisation
– Attention and direction provided by the board of directors

Page 11 COSO
Control Activities – policies and procedures that occur throughout the organisation, at all levels and in all functions.
– Segregation of duties
– Approvals and authorisations
– Verifications and reconciliations
– Reviews of operating performance
– Security of assets

Page 12 COSO
Information and Communication
– Pertinent information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
– Effective communication also must occur in a broader sense, flowing down, across and up the organisation.

Page 13 COSO
Monitoring – a process that assesses the quality of internal control performance over time through:
– Ongoing monitoring activities
– Separate evaluations
– A combination of the two

Page 14 CobIT
CobIT combines the principles in COSO and other existing reference models:
– Quality
– Cost
– Delivery

Page 15 CobIT
– Effectiveness and efficiency of operations
– Reliability of information
– Compliance with laws and regulations
– Confidentiality
– Integrity
– Availability

Page 16 CobIT
Four domains:
– Planning and Organisation
– Acquisition and Implementation
– Delivery and Support
– Monitoring
The framework has 34 IT processes. Control objectives are associated with each of the 34 IT processes; each process has from three to 30 detailed control objectives, for a total of 318.

Page 17 CobIT
(Slide graphic)

Page 18 Practical Design and Testing of an Internal Control Framework
Internal controls fall within the following categories (COSO and CobIT):
– Confidentiality
– Integrity
– Availability
– Effectiveness
– Efficiency
– Compliance
– Reliability

Page 19 Practical Design and Testing of an Internal Control Framework
First we must always determine the business objectives that have originated the need for the IT resource under review:
– Manufacture or produce goods or services, i.e. telecom for a call center or CAD/CAM programs for an assembly line.
– Accurate recording and reporting of financial data.

Page 20 Practical Design and Testing of an Internal Control Framework
Next, complete a walkthrough of the business process, identify the risks and document the respective internal controls.
– The CAD/CAM drawing release process allows read/write capability to engineers and machinists authenticated to the network. Risk?
– The company procurement buyer has Accounts Payable access that allows for acceptance of invoices and authorisation of payment. Risk?
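The second walkthrough finding above is a segregation-of-duties conflict: one person can both accept an invoice and authorise its payment. A detective control for this class of risk is a periodic scan of entitlement data against a list of toxic combinations. The Python script below is an added example and is not part of the presentation; the toxic combinations and the entitlement export it scans are constructed for illustration, and a real SoD matrix would come from the organisation's own process owners.

```python
"""Detective control: scan entitlement data for segregation-of-duties conflicts.

Added example, not from the original presentation. The SoD matrix and the
entitlement export below are constructed for illustration only.
"""
from collections import defaultdict

# Constructed SoD matrix: pairs of entitlements one person must not hold together.
# The second and third pairs model the slide's procurement buyer who can also
# accept invoices and authorise payment in Accounts Payable.
TOXIC_COMBINATIONS = [
    ("create_purchase_order", "approve_invoice"),
    ("approve_invoice", "authorise_payment"),
    ("create_vendor", "authorise_payment"),
    ("engineering_drawing_write", "drawing_release_approve"),
]

# Constructed entitlement export in the shape an IAM report usually gives:
# one "user,entitlement" row per line.
ENTITLEMENT_EXPORT = """\
alice,create_purchase_order
alice,approve_invoice
bob,approve_invoice
bob,authorise_payment
bob,create_vendor
carol,engineering_drawing_write
dave,engineering_drawing_write
dave,drawing_release_approve
erin,create_purchase_order
"""


def parse_entitlements(export: str) -> dict:
    """Group an entitlement export into {user: set(entitlements)}."""
    holdings = defaultdict(set)
    for line in export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, entitlement = (field.strip() for field in line.split(",", 1))
        holdings[user].add(entitlement)
    return dict(holdings)


def find_sod_conflicts(holdings: dict, toxic=TOXIC_COMBINATIONS) -> dict:
    """Return {user: [(ent_a, ent_b), ...]} for every toxic pair a user holds.

    The pair order follows the SoD matrix so the report is stable across runs.
    """
    conflicts = {}
    for user, ents in sorted(holdings.items()):
        hits = [pair for pair in toxic if pair[0] in ents and pair[1] in ents]
        if hits:
            conflicts[user] = hits
    return conflicts


def report(conflicts: dict) -> list:
    """Render one finding line per conflicting pair, ready for the audit file."""
    lines = []
    for user, pairs in conflicts.items():
        for ent_a, ent_b in pairs:
            lines.append(f"SoD conflict: {user} holds both '{ent_a}' and '{ent_b}'")
    return lines


if __name__ == "__main__":
    found = find_sod_conflicts(parse_entitlements(ENTITLEMENT_EXPORT))
    for line in report(found):
        print(line)
```

On the constructed data the scan flags alice (raises and approves purchase orders), bob (approves invoices and authorises payment, and can also create vendors) and dave (writes and releases drawings); carol and erin hold only one side of a pair and are clean. In practice the entitlement export is taken directly from the provisioning system so that the check tests the access actually granted rather than the access documented.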

Page 21 Practical Design and Testing of an Internal Control Framework
Testing of internal controls
Case One – The SDLC review
– You are assigned to audit the development and implementation of a major financial system. Where do you start?
Using the control objective approach, we can focus on the Planning and Organisation and the Acquisition and Implementation domains.

Page 22 Practical Design and Testing of an Internal Control Framework
Case One – The SDLC review
Examples of control objectives:
– PO4 Define the Information Technology Organisation and Relationships
4.14 Contracted Staff Policies and Procedures: Management should define and implement relevant policies and procedures for controlling the activities of consultants and other contract personnel by the IT function to assure the protection of the organisation's information assets.

Page 23 Practical Design and Testing of an Internal Control Framework
Case One – The SDLC review
Examples of control objectives:
– AI1 Identify Automated Solutions
1.9 Cost-Effective Security Controls: "Management should ensure that the costs and benefits of security are carefully examined in monetary and non-monetary terms to guarantee that the costs of controls do not exceed benefits. The decision requires formal management sign-off. All security requirements should be identified at the requirements phase of a project and justified, agreed and documented as part of the overall business case for an information system. …"

Page 24 Practical Design and Testing of an Internal Control Framework
Case Two – Disaster Recovery and Business Continuity Review
Examples of control objectives:
– DS04 Ensure Continuous Service
4.3 IT Continuity Plan Contents: IT management should ensure that a written plan is developed containing the following:
– Guidelines on how to use the continuity plan
– Emergency procedures to ensure the safety of all affected staff members
– Response procedures meant to bring the business back to the state it was in before the incident or disaster

Page 25 Control Frameworks Integrated into IT Audit Engagements
Thinking outside of the box. You are assigned to audit an MVS mainframe environment and note the following:
– Supervisor Call (SVC) 50 cannot be explained by the system programmer (IBM proprietary and installed under service contract).

Page 26 Control Frameworks Integrated into IT Audit Engagements
You are assigned to audit an MVS mainframe environment and note the following:
– Duplicate Authorized Program Facility (APF) entries (could indicate malicious code).
You found these conditions because you reviewed the existing system requirements for the LPAR under review (CobIT DS09 Manage Configuration).

Page 27 Control Frameworks Integrated into IT Audit Engagements
You are reviewing the provisioning process for the network accounts and notice:
– The meta-directory application is quite old and supports only LDAP version 2. It does not support encrypted transmission of passwords and is probably no longer supported by the vendor.

Page 28 Control Frameworks Integrated into IT Audit Engagements
– User accounts are processed manually (new hires, transfers and terminations).
You found these conditions because you reviewed the existing system planning and security processes (CobIT PO3 IT Directions and DS05 Security). Manual processing carries a high degree of risk of outdated or incorrect access rights.
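Where provisioning is manual, the compensating detective control an auditor usually asks for is a periodic reconciliation of the HR roster against the directory: terminated people still enabled, transfers that kept their old groups, accounts with no owner, and accounts nobody has used. The script below is an added example, not part of the presentation; the HR roster, directory export, department-to-group mapping, review date and 90-day inactivity threshold are all constructed or assumed for illustration.

```python
"""Detective control: reconcile an HR roster against a directory export.

Added example, not from the original presentation. All inputs below are
constructed; the EXPECTED_GROUPS mapping and the inactivity threshold are
assumptions a real review would replace with the organisation's own data.
"""
from datetime import date

AS_OF = date(2016, 6, 11)   # constructed review date
STALE_DAYS = 90             # assumed inactivity threshold

# Constructed HR roster: user,status,department,termination_date
HR_ROSTER = """\
alice,active,finance,
bob,terminated,finance,2016-03-01
carol,active,engineering,
dave,transferred,operations,
"""

# Constructed directory export: user,enabled,groups (';'-separated),last_logon
DIRECTORY_EXPORT = """\
alice,true,finance-users;ap-approvers,2016-06-10
bob,true,finance-users;ap-approvers,2016-02-28
carol,true,eng-users,2016-01-15
dave,true,eng-users;cad-release,2016-06-09
svc_backup,true,domain-admins,2015-11-02
"""

# Assumed mapping of department -> groups that department is expected to hold.
EXPECTED_GROUPS = {
    "finance": {"finance-users", "ap-approvers"},
    "engineering": {"eng-users", "cad-release"},
    "operations": {"ops-users"},
}


def parse_rows(text: str, fields: list) -> dict:
    """Parse simple comma-separated rows into {user: {field: value}}."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(fields, line.split(",")))
        rows[row["user"]] = row
    return rows


def parse_date(value: str):
    """Return a date for an ISO string, or None for an empty field."""
    return date.fromisoformat(value) if value else None


def reconcile(hr_text: str, dir_text: str, as_of=AS_OF, stale_days=STALE_DAYS) -> list:
    """Return (user, finding, detail) tuples for every access-rights exception."""
    hr = parse_rows(hr_text, ["user", "status", "department", "termination_date"])
    directory = parse_rows(dir_text, ["user", "enabled", "groups", "last_logon"])
    findings = []
    for user, acct in directory.items():
        enabled = acct["enabled"].lower() == "true"
        groups = set(filter(None, acct["groups"].split(";")))
        last_logon = parse_date(acct["last_logon"])
        person = hr.get(user)
        if person is None:
            # Account with no owner in HR: orphan or unregistered service account.
            findings.append((user, "no HR record", "account has no owner in the roster"))
            continue
        if person["status"] == "terminated" and enabled:
            findings.append((user, "terminated but enabled", f"left {person['termination_date']}"))
        if person["status"] == "transferred":
            # Transfers commonly keep the old department's groups (access creep).
            extra = groups - EXPECTED_GROUPS.get(person["department"], set())
            if extra:
                findings.append((user, "transfer retains old groups", ";".join(sorted(extra))))
        if enabled and last_logon and (as_of - last_logon).days > stale_days:
            findings.append((user, "stale account", f"last logon {last_logon}"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in reconcile(HR_ROSTER, DIRECTORY_EXPORT):
        print(f"{user:12s} {finding:28s} {detail}")
```

Against the constructed data the reconciliation reports bob twice (terminated yet enabled, and not used for over 90 days), carol as stale, dave as a transfer who kept engineering groups, and svc_backup as an account with no owner; alice is clean. Each line maps back to a provisioning step (termination, transfer, creation) that a manual process can miss, which is the evidence an auditor needs to rate the finding.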

Page 29 Summary
Well established and internationally accepted internal control frameworks are available for use by the IT assurance professional. These frameworks embody the essence of what internal controls are and why management and stakeholders within an organisation need to ensure their implementation.

Page 30 Summary
The frameworks provide a disciplined approach to identifying objectives, risks and internal controls (or the lack of internal controls).

Page 31 Questions
Jeff Roth, CISA