Application Controls - Intro
Ted Wallerstedt, CISA, CIA
Principal Information Systems Auditor
University of Minnesota

Application Controls - Agenda
Introduction 9:00
Input Controls 9:05
Interface Controls 9:35
Break 10:05
Access Controls 10:10
Audit Trails 10:50

Introduction
Why audit applications?

Application Risks - STRIDE
Spoofing Identity
Tampering with data
Repudiation
Information Disclosure
Denial of Service
Elevation of Privileges

Application Security – Input & Interface Controls
Quinn Gaalswyk, CISA
Senior Information Systems Auditor
University of Minnesota

Application Input Controls
Controls embedded in the application
Used to control functional/business transactions
Prevent or detect data-integrity issues
#1 REVIEW AND EVALUATE DATA INPUT CONTROLS

Application Input Control Types - Edits
Prevent input from being entered that may cause data-integrity problems

10 Common Input Edits
1. Numeric or alphanumeric restrictions
2. Dates and hour fields set to convert input into the correct format
3. Transaction "reasonableness" checks on inputs
4. Limited input fields prevent invalid entries
  – E.g. drop-down lists
5. Duplicate entries not allowed for data that is to be unique
6. "Logic" checks
  – E.g. parts not greater than sum
7. "Calculation" checks on inputs
8. Programmed cutoff dates
  – E.g. preventing wrong-period inputs
9. Execution of a transaction not allowed until valid data is entered into all required fields
10. Database operatives disallowed
  – E.g. * or =
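The ten edits above, worked as an added example that is not from the presentation: a Python validator for a constructed AR/AP invoice record that applies edits 1, 2, 3, 5, 6, 7, 8, 9 and 10. The field names, thresholds, open period and rejected characters are assumptions made for the example.

```python
from datetime import date, datetime

# Constructed thresholds for this example; an audited application carries its own.
REASONABLE_MAX_AMOUNT = 100_000.00                                   # edit 3
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 3, 31)      # edit 8
REQUIRED = ("vendor_id", "invoice_number", "invoice_date", "amount", "line_amounts")  # edit 9
DB_OPERATIVES = set("*=;'\"")                                        # edit 10 (assumed set)

def normalize_date(raw):
    """Edit 2: accept a few common formats and convert to an ISO date."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%d-%b-%Y"):
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            pass
    raise ValueError(f"unrecognized date format: {raw!r}")

def validate_invoice(rec, seen_invoice_numbers):
    """Apply the input edits to one record; returns a list of failures (empty = passes)."""
    errors = [f"missing required field {f}" for f in REQUIRED if rec.get(f) in (None, "", [])]
    if errors:
        return errors                                    # edit 9: block until all required fields present
    if not rec["vendor_id"].isdigit():                   # edit 1: numeric-only field
        errors.append("vendor_id must be numeric")
    try:
        inv_date = normalize_date(rec["invoice_date"])
        if not PERIOD_START <= inv_date <= PERIOD_END:   # edit 8: programmed cutoff dates
            errors.append(f"invoice_date {inv_date} outside open period")
    except ValueError as e:
        errors.append(str(e))
    amount = rec["amount"]
    if not 0 < amount <= REASONABLE_MAX_AMOUNT:          # edit 3: reasonableness
        errors.append(f"amount {amount} fails reasonableness check")
    parts = round(sum(rec["line_amounts"]), 2)
    if parts > amount:                                   # edit 6: parts not greater than sum
        errors.append("line amounts exceed invoice amount")
    if "tax" in rec and round(parts + rec["tax"], 2) != round(amount, 2):  # edit 7: calculation check
        errors.append("amount does not equal line amounts plus tax")
    if rec["invoice_number"] in seen_invoice_numbers:    # edit 5: duplicates not allowed
        errors.append(f"duplicate invoice_number {rec['invoice_number']}")
    if DB_OPERATIVES & set(rec.get("memo", "")):         # edit 10: database operatives disallowed
        errors.append("memo contains disallowed database characters")
    return errors
```

Edit 10 is a screen-level edit; the application's database layer should still use parameterized queries rather than rely on this character filter alone.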

Application Input Control Types – Error/Exception Reports
Detect input data that may cause data-integrity problems
Push vs. pull reports
Used where input is not, or cannot be, prevented by edits
#2 DETERMINE THE NEED FOR ERROR/EXCEPTION REPORTS RELATED TO DATA INTEGRITY, AND EVALUATE WHETHER THIS NEED HAS BEEN FULFILLED.

Error/Exception Report Considerations
Who is reviewing the log?
  – Confirm review documentation
What activity/data is logged?
  – Log size
  – Reviewing time

Application Input Control Auditing
Automated (application) controls: confirm operating effectively
  – Test data
  – Sample of one
Reports: confirm creation and review
  – Test generation as an automated (application) control
  – Larger sample of report reviews, or written confirmation

Group Activity – Identify Expected Edits and Report Controls

Scenario: Edits & Reports Testing
eChecks AR/AP Application
What edits or reports would you expect to see?

Scenario: Edits & Reports Testing
eChecks AR/AP Application
What are the top controls you want to test?

Interface Controls Defined
Controls ensuring proper transfer of data between systems
Controls around both source and downstream systems
#3 REVIEW AND EVALUATE THE CONTROLS IN PLACE OVER DATA FEEDS TO AND FROM INTERFACING SYSTEMS.

Common Interface Types
1. Automated interface
  – Batch processing (i.e. automated jobs)
  – Manual kickoff
2. Manual - typing interface

Automated Interface - Batch Processing
Multiple places batches/jobs can be run from:
  – Separate shared job scheduler, e.g. Autosys
  – Operating system cron jobs
  – Database SQL Agent tool
  – Application directly

Automated Batch Components
Batch/job schedules
  – List of what jobs will run when
  – May include automated and manual
Job dependencies
Operator access (if applicable)
Job managing software (if separate)

Auditing Automated Batches
Access to batch schedules
Batch schedule change procedures
Batch dependencies noted
Notifications if an automated job abends (ends abnormally)
  – Confirm operator call list/operator monitoring
  – Confirm call is automated

Common Interface Controls
1. Transfer failure notification/reporting
  – Timely and to appropriate individuals
2. Control totals and accompanying reporting
  – Record counts
  – Total amounts
  – Hash totals
3. Header/footer checks
  – Interchange Control Envelope ISA - IEA
4. Reconciliation reports
  – Review of control totals and/or discrepancies
5. Transfers should be secured throughout the process
  – Corruption and viewing
  – Source system security
  – File creation and storage
  – Network security
6. Input controls into the system where valid – interface edit
  – Example: duplicate transaction flag review or prevention for a credit card company
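Interface controls 1 through 4 above, worked as an added example that is not from the presentation: Python that checks a batch feed's header/trailer envelope, recomputes record count, total amount and hash total from the detail records, compares them with the trailer, and flags the batch for a transfer failure notification. The pipe-delimited feed layout and the sample records are constructed for the example (a simplified envelope, not the ISA/IEA interchange format).

```python
from decimal import Decimal

# Constructed sample feed (not from the presentation). Envelope: one HDR record, DTL records,
# one TRL record carrying the sender's control totals:
#   HDR|batch_id|business_date      DTL|account_no|amount
#   TRL|record_count|total_amount|hash_total   (hash total = sum of account_no, a meaningless number)
SAMPLE_FEED = """HDR|B20240315-01|2024-03-15
DTL|100234|125.50
DTL|100235|980.00
DTL|100236|44.25
TRL|3|1149.75|300705
"""

def parse_feed(text):
    """Control 3: the header/footer envelope must be present and enclose only detail records."""
    rows = [line.split("|") for line in text.strip().splitlines()]
    if len(rows) < 2 or rows[0][0] != "HDR" or rows[-1][0] != "TRL":
        raise ValueError("missing header or trailer record")
    details = rows[1:-1]
    if any(r[0] != "DTL" or len(r) != 3 for r in details):
        raise ValueError("malformed detail record inside envelope")
    return rows[0], details, rows[-1]

def reconcile(text):
    """Controls 2 and 4: recompute the control totals from the detail records and compare with
    the trailer. Returns {name: (sent, computed)} per mismatch; empty dict = batch reconciles."""
    _header, details, trailer = parse_feed(text)
    computed = {
        "record_count": len(details),
        "total_amount": sum(Decimal(d[2]) for d in details),   # Decimal: no float rounding drift
        "hash_total": sum(int(d[1]) for d in details),        # detects dropped or altered keys
    }
    sent = {
        "record_count": int(trailer[1]),
        "total_amount": Decimal(trailer[2]),
        "hash_total": int(trailer[3]),
    }
    return {k: (sent[k], computed[k]) for k in computed if sent[k] != computed[k]}

def needs_notification(text):
    """Control 1: a broken envelope or failed reconciliation should raise a transfer failure
    notification to the responsible individuals; returns (failed, reason)."""
    try:
        diffs = reconcile(text)
    except ValueError as e:
        return True, str(e)
    if diffs:
        return True, "control totals differ: " + ", ".join(sorted(diffs))
    return False, "batch reconciles"
```

The mismatch dict is the raw material for the reconciliation report; the boolean is what the job scheduler's failure notification would key on.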

Interface Synchronization
Data synchronization if multiple sets are stored
Determine source of truth
Review synchronization process and test data
#4 IN CASES WHERE THE SAME DATA ARE KEPT IN MULTIPLE DATABASES AND/OR SYSTEMS, PERIODIC 'SYNC' PROCESSES SHOULD BE EXECUTED TO DETECT ANY INCONSISTENCIES IN THE DATA.

Interface Example

Application Security – Audit Trails
Quinn Gaalswyk, CISA
Senior Information Systems Auditor
University of Minnesota

Application Audit Trails Value
Show detail of end-user activity
  – Troubleshooting
  – Identify breaches
  – Prevent repudiation
#5 REVIEW AND EVALUATE THE AUDIT TRAILS PRESENT IN THE SYSTEM AND THE CONTROLS OVER THOSE AUDIT TRAILS.

Auditing Application Audit Trails
Obtain sample evidence of the audit trail and review
End users and developers cannot edit the audit trail
  – Users MAY view
  – Stored on DB or OS
Pragmatic and useful
  – Expensive

Data Flow Traceability
Data should be traceable through the entire system
Confirm via audit trail and related controls
#6 THE SYSTEM SHOULD PROVIDE A MEANS TO TRACE A TRANSACTION OR PIECE OF DATA FROM THE BEGINNING TO THE END OF THE PROCESS ENABLED BY THE SYSTEM.
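The two audit-trail points above (the trail must not be editable by users or developers, and a transaction must be traceable end to end), worked as an added example that is not from the presentation. Hash-chaining the entries is a technique added here so that an edit or deletion is detectable by a verifier; the insert-only storage rights, the record fields and the sample eCheck activity are assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(trail, entry):
    """Append one activity record; its hash covers the previous record's hash, so a later
    edit or deletion breaks the chain. Assumed: the DB/OS store grants users and developers
    insert-only rights on this table, and verify_chain runs from a separate account."""
    body = dict(entry, prev_hash=trail[-1]["hash"] if trail else GENESIS)
    body["hash"] = _digest(body)
    trail.append(body)
    return body

def verify_chain(trail):
    """Return -1 if the trail is intact, else the index of the first broken entry."""
    prev = GENESIS
    for i, e in enumerate(trail):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("prev_hash") != prev or _digest(body) != e["hash"]:
            return i
        prev = e["hash"]
    return -1

def trace_transaction(trail, txn_id):
    """Data flow traceability: the stages one transaction passed through, in order."""
    return [(e["stage"], e["user"], e["action"]) for e in trail if e["txn_id"] == txn_id]

def build_sample_trail():
    """Constructed activity for one eCheck transaction (sample data, not from the presentation)."""
    trail = []
    for ts, user, stage, action in [
        ("2024-03-15T09:02:11", "jdoe", "input", "entered eCheck 1296.00"),
        ("2024-03-15T09:05:40", "msmith", "approval", "approved"),
        ("2024-03-15T23:00:03", "batch_svc", "interface", "sent in bank feed B20240315-01"),
        ("2024-03-16T01:10:00", "batch_svc", "posting", "posted to GL"),
    ]:
        append_entry(trail, {"ts": ts, "user": user, "txn_id": "ECHK-5521", "stage": stage, "action": action})
    return trail
```

When auditing, the evidence to request is the verifier's output over a sample period together with the storage permissions that prevent UPDATE/DELETE on the trail.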

Application Audit Trail Example

Application Controls – Access Controls
Ted Wallerstedt, CISA, CIA
Principal Information Systems Auditor
University of Minnesota

Authentication – Who are you?
#7. DOES AN AUTHENTICATION METHOD EXIST?
What are some ways that users can be authenticated?

Authentication – Who are you?
Passwords
Multifactor
Single sign-on
  – Log on to OS
  – Log on to CAH
  – Log on to TFA server

Passwords
#12. ARE THERE STRONG PASSWORD CONTROLS IN PLACE?
What password controls do you expect to find?

Password Controls
Length
Complexity
Change interval
History

UMN Password Standard
Password must be used for all devices
8 or more characters long
Changed at least annually
Must be complex
  – A minimum of three types of characters
Account lockout required
Do not share passwords

Activity - Passwords
You have received evidence of the password settings for the application. Based on the evidence:
Does the Bookstore application meet UMN password standards?
What questions do you have of the admin?

Application Administration
Add/delete users/groups
Change users/groups
Audit trail
Reporting
#9. IS THE ADMIN FUNCTION ADEQUATE?

User Provisioning
Add/delete users/groups
Change users/groups
Audit trail
Reporting
#13. IS BUSINESS NEED VERIFIED BEFORE ACCESS IS GRANTED?

User De-Provisioning
User quits or is fired
User changes jobs
User goes on leave
#11. ARE RIGHTS REMOVED WHEN NO LONGER NEEDED?

Authorization – What are you allowed to do?
Access data (read/write)
Access transactions (execute)
Read (display/print/copy)
Write (create/modify/delete)
#8. IS AUTHENTICATION AND AUTHORIZATION REQUIRED FOR ACCESS?

Transaction Approval
Examples:
  – Transactions limited by dollar amount
  – Access requests
  – Move to production
  – Record of review
#10. IS THERE TRANSACTION APPROVAL IN THE APPLICATION?

Session Timeout
Password-protected screen savers
Required by UMN for HIPAA data
30 minutes or less
#14. ARE USERS LOGGED OUT WHEN INACTIVE?

Data Encryption
HTTPS/SSL
PKI
Whole disk
Record/field level
#15. IS DATA PROTECTED IN TRANSIT AND AT REST?

Developer Access
Segregation of duties
Unauthorized changes
Disruption of service
Unauthorized transactions
#16. CAN DEVELOPERS CHANGE PRODUCTION SYSTEMS?

Activity – User Rights
You have requested a list of users and roles for the application. Based on the evidence:
What issues do you have with the access list?
What questions do you have of the admin?