TO ENSURE
– THE EFFICIENT & EFFECTIVE DEVELOPMENT / MAINTENANCE OF IT SYSTEMS
– PROPER IMPLEMENTATION OF IT SYSTEMS
– PROTECTION OF DATA AND PROGRAMS

COMPONENTS OF GENERAL IT CONTROLS
– ORGANISATION AND MANAGEMENT CONTROLS
– SEGREGATION OF DUTIES
– PHYSICAL & LOGICAL ACCESS CONTROLS
– SYSTEMS DEVELOPMENT CONTROLS
– PROGRAM AMENDMENT CONTROLS
– BUSINESS CONTINUITY PLANNING CONTROLS

ORGANISATION & MANAGEMENT CONTROLS

TO ENSURE
– ECONOMIC USE OF IT SYSTEMS
– REFLECTION OF IT IN BUSINESS PLANS
– DELIVERY OF THE SYSTEM IN A CONTROL-CONSCIOUS STRUCTURE
– SYSTEM'S RESPONSE TO CHANGES

IT STRATEGY
– APPROPRIATE FORMULATION
– DOCUMENTED FOR THE NEXT 3 YEARS – TO COVER IT SYSTEMS TO BE DEVELOPED / ENHANCED IN LINE WITH BUSINESS STRATEGY
– CURRENT / APPROPRIATE
– DULY APPROVED BY BOARD

IT PLANNING AND MANAGEMENT
– GUIDED BY USER MANAGEMENT
– INVOLVE USERS & MANAGEMENT – THROUGH BOARD AGENDA / MINUTES, BUDGETS / FORECASTS
– THROUGH IT STEERING COMMITTEE
– USER INVOLVEMENT IN IT PLANNING
– GENERATION OF REPORTS AGAINST STRATEGY

IT SECURITY POLICY
– FORMALISED POLICY APPROVED BY BOARD
– OBJECTIVES WELL ESTABLISHED
– SCOPE AND EXTENT LAID DOWN
– ENABLE RESPONSIBILITY-FIXATION FOR UPDATING / MONITORING
– DISTRIBUTION TO STAFF
– ENSURE CONFIDENTIALITY / SECURITY OF INFORMATION

END-USER COMPUTING
POLICY AND PROCEDURES FOR
– END-USER COMPUTING
– SOFTWARE COPYRIGHTS
– USING STANDARD SOFTWARE
– ANTI-VIRUS PROCEDURES
DISTRIBUTION TO THE STAFF

INTERNAL AUDIT
INVOLVEMENT IN
– IT DEVELOPMENT
– IT OPERATIONS
INVOLVEMENT VERIFIED FROM
– THE TERMS OF REFERENCE
– EXPERTISE IN IT

CONTROL CONSCIOUSNESS
DEPENDS ON
– MANAGEMENT ATTITUDE
– ORGANISATION STRUCTURE
ASSESSED THROUGH
– IT RISK ASSESSMENT
– TREATMENT OF RISKS

DOCUMENT RETENTION
– MANAGEMENT POLICY
– PROCEDURES TO FORECAST NEEDS
PERSONNEL
– RECRUITMENT / HIRING POLICY
– TRAINING TO THE USERS
– EXPERIENCE OF STAFF
– ASSESSMENT OF PERFORMANCE
– DEPENDENCE ON KEY PERSONNEL

OUTSOURCING
– POLICY & DOCUMENTATION
– COVERED BY CONTRACTS
– SECURITY & CONFIDENTIALITY – DATA & PROGRAMS
– PERIODICAL REVIEW OF COSTS
– DEPENDENCE & REPORTING TO BOARD
– CONTROLS ON OUTSOURCED DATA

INVESTMENT
– PROPERLY LAID DOWN PROCEDURES FOR VALUATION OF ASSETS - HARDWARE AND SOFTWARE
– CLEAR POLICY ON WHETHER TO CAPITALISE / CHARGE OFF SUCH COSTS

– PERIODICAL REVIEW BY THE MANAGEMENT OF THE EXPECTED CHANGES / EXPENDITURE
– MANAGEMENT REVIEW OF THE IMPACT OF NEW TECHNOLOGY

INSURANCE
– INSURANCE OF IT ASSETS
– INSURANCE POLICY FOR LOSS OF PROFITS / INCREASED COST OF WORKING
– PRIOR ASSESSMENT OF COST OF RECOVERY

SEGREGATION OF DUTIES

OBJECTIVES
TO HAVE REASONABLE SEGREGATION OF DUTIES
– WITHIN IT DEPARTMENT
– BETWEEN IT AND USER DEPARTMENTS
TO PREVENT / DETECT ERRORS OR IRREGULARITIES

ORGANISATION STRUCTURE
– APPROPRIATE ORGANISATION STRUCTURE
– FORMAL RECOGNITION
– APPROPRIATE REPORTING
– SIZE / STYLE OF OPERATIONS SHOULD MATCH NEEDS

SEGREGATION OF DUTIES - IT
– FOR IT STAFF
– FOR PROGRAMMERS
– FOR OPERATORS
– FOR NETWORK ADMINISTRATORS
– FOR SECURITY

SEGREGATION OF IT & USERS
– THROUGH LIMITATION OF RESPONSIBILITIES
– THROUGH POWERFUL IDs
– FIXATION OF RESPONSIBILITY TO INITIATE OR AUTHORISE TRANSACTIONS

– REGULATE AMENDMENTS TO MASTER FILES / OTHER DATA
– ENABLE CORRECTION OF INPUT ERRORS

LOGICAL ACCESS CONTROLS

OBJECTIVES
– PREVENTION OF UNAUTHORISED ACCESS TO SENSITIVE DATA OR PROGRAMS
– PROTECTION OF DATA / SYSTEM
– CONFIDENTIALITY, INTEGRITY AND RELIABILITY OF DATA / SYSTEM

IDENTIFICATION OF SENSITIVE DATA / APPLICATIONS
– PROCEDURES LAID DOWN TO IDENTIFY SENSITIVE DATA / APPLICATIONS
– THROUGH SECURITY POLICY
– THROUGH RISK ASSESSMENT PROCESS

DESIGN OF USER ACCESS RESTRICTIONS
– THROUGH UNIQUE USER IDS / PASSWORDS
– THROUGH MENU FACILITIES
– MANAGEMENT APPROVAL FOR THE MENU OPTIONS

EFFECTIVENESS OF USER ACCESS RESTRICTIONS
– THROUGH REGULAR CHANGE OF PASSWORDS
– THROUGH PROTECTION OF PASSWORDS
– THROUGH REPORTS ON SECURITY BREACHES

IT ACCESS
– PREVENTION OF SYSTEMS DEVELOPMENT STAFF FROM DATA / PROGRAM ACCESS IN PRODUCTION ENVIRONMENT
– PROPER PROCEDURES TO EFFECT EMERGENCY CHANGES

CONTROL OVER POWERFUL IDs / UTILITIES
– ADEQUATE CONTROL OF THE ALLOCATION / AUTHORISATION AND USE OF POWERFUL USER IDS / PASSWORDS
– REGULAR REPORT ON BREACHES

PHYSICAL ACCESS CONTROLS

OBJECTIVES
– MINIMISATION OF POTENTIAL RISK OF ACCIDENT OR MALICIOUS DAMAGE TO IT ASSETS
– PREVENTION OF THEFT OF IT ASSETS

PHYSICAL SECURITY
– ADEQUATE PHYSICAL SECURITY TO COVER THE IT ASSETS
– PROPER DOCUMENTATION

SYSTEMS DEVELOPMENT, MAINTENANCE AND CHANGE CONTROLS

OBJECTIVES
– USERS' SATISFACTION THROUGH AVAILABILITY & PERFORMANCE OF SYSTEMS
– SYSTEM RELIABILITY, CONTROLLABILITY, COST EFFECTIVENESS
– DATA INTEGRITY CONTROLS

IN-HOUSE DEVELOPMENT
– PROPER METHODOLOGY FOR IN-HOUSE DEVELOPMENT, WITH INBUILT CONTROLS
– PROPER PROGRAMMING STANDARDS LAID DOWN

PACKAGE SUPPORT
– ADEQUATE VENDOR SUPPORT / MAINTENANCE THROUGH CONTRACTS / AGREEMENTS
– TESTING OF CHANGES AND UPGRADES BEFORE INSTALLATION
– SOURCE CODE PROVIDED

THIRD PARTY DEVELOPMENT / MAINTENANCE
– ASSURANCE ON QUALITY AND COSTS / BENEFITS OBTAINED
– GOOD REPUTATION OF VENDOR WITH KNOWLEDGE OF COST MANAGEMENT
– EXISTENCE OF STANDARDS TO CHECK WITH ACTUALS

PROJECT REVIEW BY MANAGEMENT
– REVIEW BY MANAGEMENT ON THE COST & PROGRESS OF NEW DEVELOPMENTS
– PROPER REPORTING LINES
– THROUGH BUDGETS
– EFFECTIVE COST ACCOUNTING AND CONTROLS

USER INVOLVEMENT IN DEVELOPMENT
– USER INVOLVEMENT
– USERS' SIGN OFF OF SPECS
– USER TESTING FOR ACCEPTANCE
– PROPER TRAINING OF USERS
– PROVISION OF USER MANUALS

BUSINESS CONTINUITY PLANNING CONTROLS

OBJECTIVES
– MINIMISATION OF CHANCES OF MAJOR FAILURES
– TO ENSURE EARLY RESUMPTION OF BUSINESS, IN CASE OF NON-RELIABILITY OF THE SYSTEMS OR FACILITIES

RISK ASSESSMENT - BUSINESS DISRUPTION
– PRIOR IDENTIFICATION OF THE CRITICAL SYSTEMS
– DETERMINATION OF THE PERIOD FOR CONTINUANCE OF BUSINESS OPERATIONS WITHOUT THE CRITICAL IT SYSTEMS

BUSINESS CONTINUITY
– PLANS FOR BUSINESS CONTINUITY LAID DOWN
– REGULAR REVIEW / UPDATING OF PLANS
– USER PROCEDURES
– BOARD APPROVAL FOR THE PLANS

BACK-UP FREQUENCY
– PERIODIC DATA BACK-UP
– MORE FREQUENT BACK-UP, DEPENDING ON CRITICALITY OF PROCEDURES / CHANGES

BACK-UP COMPOSITION
– DATA FILES, PROGRAMS AND SYSTEM SOFTWARE
– DOCUMENTATION SUCH AS USER MANUALS, SYSTEMS MANUAL ETC. SHOULD ALSO BE BACKED UP

BACK-UP SECURITY / LOCATION
– SECURED BACK-UP IN AN OFF-SITE LOCATION
– MAINTENANCE OF PROMPT AND PROPER RECORD OF MEDIA MOVEMENT
– PROPER AUTHORISATION OF MEDIA MOVEMENTS

TESTING
– REGULAR TESTING OF BACK-UP AND RECOVERY
– DETERMINATION OF RECOVERY TIME
– TESTING AFTER CHANGES TO SYSTEMS / PROGRAMS
– LOG OF TESTS CONDUCTED

APPLICATION CONTROLS

APPLICATIONS
PROGRAMS TO HANDLE ORGANISATIONAL FUNCTIONS LIKE –
– PRODUCTION
– FINANCE / COST ACCOUNTS
– MATERIALS MANAGEMENT
– PAYROLL
– LIBRARY MANAGEMENT
– SHARE TRADING
– CUSTOMER SERVICE IN BANKS

CONTROL OBJECTIVES FOR INPUT
TO ENSURE
– EXISTENCE OF PROPER AUTHORITY
– UNIQUENESS
– ACCURACY
– COMPLETENESS

OBJECTIVES FOR DATA PROCESSING
TO ENSURE
– COMPLETENESS
– ACCURACY
– UNIQUENESS
– VALIDITY
– ACCEPTABILITY

OBJECTIVES FOR OUTPUT
TO ENSURE
– COMPLETENESS
– ACCURACY
– CONTROL OVER THE PLANNED DISTRIBUTION OF OUTPUT

OBJECTIVES
TO ENSURE
– ACCEPTANCE OF EVERY INPUT INTO THE SYSTEM, ONLY ONCE
– ACCURATE RECORDING OF INPUT

AGREEMENT OF TRANSACTION TOTALS IN BATCH INPUTS WITH A MANUAL TOTAL
– MANUAL TOTALS ARE PRE-RECORDED IN BATCH HEADER DOCUMENTS
– TOTALS TO BE ENTERED WELL AHEAD OF COMMENCEMENT OF PROCESSING

– USER-DEVISED MECHANISM TO CONTROL PROCESSING OF ALL BATCHES
– LOGGING & REVIEW OF THE CONTROL MECHANISM ON BATCH PROCESSING

– DEVISING INBUILT VALIDITY CHECKS TO CHECK THE ACCURACY OF INPUT (EXAMPLE – A CHECK ON THE CUSTOMER CODE AND ITS FORMAT, AND A CHECK THAT THE CODE IS VALID)

– REJECTION, BY THE SYSTEM, OF INPUTS THAT FAIL VALIDITY TESTS
– GENERATION OF EXCEPTION REPORTS
– KEEPING ALL INVALID TRANSACTIONS IN SUSPENSE ACCOUNTS, FOR ACTION BY USERS

IN CASE OF CRITICAL AND SMALL VOLUME INPUT, RESORTING TO ‘ONE-TO-ONE INPUT CHECKING’ COULD BE EFFECTIVE
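The batch input controls described above (header control total, uniqueness of input, format and validity checks on the customer code, rejection to an exception report and a suspense account), worked through as an added example; this is not code from the presentation. The customer master file, the code format (`C` plus five digits) and the batch of invoices are constructed for the example.

```python
import re
from dataclasses import dataclass, field
# Constructed customer master file and code format (assumptions for this example).
CUSTOMER_MASTER = {"C00123", "C00456", "C00789"}
CODE_FORMAT = re.compile(r"^C\d{5}$")
# Constructed batch of sales invoices; the manual header total (245.50) is keyed separately.
BATCH = [
    {"ref": "INV1", "customer": "C00123", "amount": 100.00},
    {"ref": "INV2", "customer": "C0045", "amount": 50.00},   # fails format check
    {"ref": "INV3", "customer": "C00999", "amount": 75.50},  # not on master file
    {"ref": "INV4", "customer": "C00456", "amount": 20.00},
    {"ref": "INV4", "customer": "C00456", "amount": 20.00},  # keyed twice
]

@dataclass
class BatchResult:
    header_total: float                             # manual total from batch header
    accepted: list = field(default_factory=list)
    suspense: list = field(default_factory=list)    # invalid items held for user action
    exceptions: list = field(default_factory=list)  # exception report lines

    def input_total(self):
        # Every keyed amount, accepted or suspended, counts towards the control total.
        return sum(r["amount"] for r in self.accepted + self.suspense)

def validate(record):
    """Inbuilt validity checks: code format first, then existence on the master file."""
    code = record.get("customer", "")
    if not CODE_FORMAT.match(code):
        return "customer code fails format check"
    if code not in CUSTOMER_MASTER:
        return "customer code not on master file"
    return None

def process_batch(header_total, records):
    result, seen = BatchResult(header_total), set()
    for rec in records:
        if rec["ref"] in seen:                      # each input accepted only once
            result.exceptions.append(f"{rec['ref']}: duplicate input rejected")
            continue
        seen.add(rec["ref"])
        err = validate(rec)
        (result.accepted if err is None else result.suspense).append(rec)
        if err:
            result.exceptions.append(f"{rec['ref']}: {err}")
    if abs(result.input_total() - header_total) >= 0.005:   # batch control total check
        result.exceptions.append(f"input total {result.input_total():.2f} "
                                 f"does not agree with header {header_total:.2f}")
    return result
```

With the constructed batch and a header total of 245.50 the totals agree, two invoices are held in suspense and the duplicate is reported; keying a header total of 250.00 adds a fourth exception line.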

OBJECTIVES
– TO ENSURE COMPLETE & PROPER PROCESSING OF DATA
– TO CHECK AGAINST DUPLICATE PROCESSING
– TO ENSURE APPLICATION OF ALL APPROPRIATE PROCESSES ON THE CORRECT DATA

RUN-TO-RUN TOTALS
– PRIOR IDENTIFICATION OF RUN-TOTALS
– AGREEMENT OF RUN-TOTALS WITH THE TOTALS OF THE SYSTEM, AFTER DATA PROCESSING

WHEN TWO TOTALS CAN BE RELATED, CONTROLLING FROM THAT POINT FORWARD BY MEANS OF THE SECOND TOTAL.

EXAMPLE – USING PIVOT TOTAL IN TIME RECORDING / PAYROLL SYSTEM
– REGULATING GROSS PAY WITH REGARD TO HOURS WORKED
– ITS ADOPTION FOR FURTHER PROCESSING

INDEPENDENT CONTROL ACCOUNT
– TO PREDICT PROCESSING RESULTS
– TO HIGHLIGHT AN UNEXPECTED RESULT
HERE, A CONTROL ACCOUNT POSTED FROM AN INDEPENDENT SOURCE IS USED

HELPS IN FLAGGING ERRORS CAUSED BY EXTRANEOUS FACTORS, LIKE
– USE OF AN INCORRECT LEDGER / FILE DURING DATA PROCESSING
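The payroll pivot-total and independent control account controls described above, worked through as an added example (not code from the presentation). The timesheets, the two rate files and the budget average rate are constructed; treating an HR budget average rate as the "independent source" for the control account, and a 5% tolerance, are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed timesheet input (output of the time-recording run) and pay-rate master.
TIMESHEETS = [{"emp": "E01", "hours": 40.0},
              {"emp": "E02", "hours": 35.5},
              {"emp": "E03", "hours": 20.0}]
RATES = {"E01": 20.0, "E02": 18.0, "E03": 25.0}        # correct rate file
STALE_RATES = {"E01": 10.0, "E02": 18.0, "E03": 25.0}  # wrong file picked up by mistake
MAX_HOURS = 60.0                                       # assumed validity limit per period

@dataclass
class CycleResult:
    pivot_hours: float      # run-to-run total carried forward from run 1
    gross_pay: float
    predicted_pay: float    # independent control account figure
    exceptions: list

def run1_validate_hours(timesheets):
    """Run 1: validate hours worked and establish the pivot total (total hours)."""
    accepted = [t for t in timesheets if 0 < t["hours"] <= MAX_HOURS]
    return accepted, sum(t["hours"] for t in accepted)

def run2_gross_pay(accepted, rates, pivot_hours):
    """Run 2: compute gross pay; first agree the hours carried forward with the pivot total."""
    exceptions = []
    hours_in = sum(t["hours"] for t in accepted)
    if abs(hours_in - pivot_hours) > 1e-9:
        exceptions.append(f"run-to-run: hours {hours_in} do not agree with pivot {pivot_hours}")
    gross = sum(t["hours"] * rates[t["emp"]] for t in accepted)
    return gross, exceptions

def payroll_cycle(timesheets, rates, budget_avg_rate, tolerance=0.05):
    """Whole cycle. budget_avg_rate is the assumed independent source (HR budget)
    from which the control account predicts gross pay = pivot hours * average rate."""
    accepted, pivot = run1_validate_hours(timesheets)
    gross, exceptions = run2_gross_pay(accepted, rates, pivot)
    predicted = pivot * budget_avg_rate
    if abs(gross - predicted) > tolerance * predicted:   # unexpected result flagged
        exceptions.append(f"control account: gross {gross:.2f} vs predicted {predicted:.2f}")
    return CycleResult(pivot, gross, predicted, exceptions)
```

Running the cycle with the stale rate file produces a gross pay far from the control account prediction, which is exactly the "incorrect file during processing" error the control is meant to surface.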

OBJECTIVES
– TO ENSURE INPUT-OUTPUT CONSISTENCY
– COST-EFFECTIVE DISTRIBUTION OF OUTPUT

COMPLETENESS OF PRINCIPAL REPORTS
– PRIOR ESTABLISHMENT OF TOTALS OF THE DESIRED OUTPUT
– PRINTING OF TOTALS ON PRINTING OF THE OUTPUT

– COMPARISON OF THESE TOTALS WITH INDEPENDENT CONTROL ACCOUNT TOTALS
– COMPARISON OF THESE TOTALS WITH PRE-COMPUTED TOTALS AS PER UPDATE REPORTS

COMPLETENESS OF SELECTIVE REPORTS
– NOT POSSIBLE TO AGREE WITH PRINCIPAL REPORTS, DUE TO THEIR NATURE

THE TOTALS CAN BE PRINTED ON THESE REPORTS TO CONFIRM THAT ALL DATA RECORDS WERE ADDRESSED WHILE MAKING THE SELECTION.

– CAN BE INSTALLED
– DIFFICULT TO IMPLEMENT
– MANY CONTROL PROCEDURES REQUIRED FOR MANAGEMENT AUDITORS (UNLIKE IN BATCH PROCESSING)

POSSIBLE CONTROL MEASURES
ONLY IN-BUILT PREVENTIVE CONTROLS, LIKE
– PASSWORD PROTECTION
– CONVERSATIONAL EDITING
– LOG FILES
TO MINIMISE THE RISKS TO SYSTEMS

– ONE-TO-ONE CHECKING
– EXCEPTION REPORTING
– REPORT ON SUSPENSE ACCOUNT POSTING
– RECONCILIATION OF DATA TO AN INDEPENDENT REAL CONTROL ACCOUNT

– CONTROL PROBLEMS AS IN REAL TIME SYSTEMS
– MORE RELIANCE ON THE GENERAL IT CONTROLS
– COMPLETENESS OF REPORTS HINGES ON ACCURACY OF THE DATA MORE THAN PROGRAMS

POSSIBLE CONTROL MEASURES
– ALL REPORTS TREATED AS EXCEPTION REPORTS
– COMPLETENESS OF REPORTS SHOULD BE PROVED
– INTEGRITY CHECKING BY ADMINISTRATORS TO CHECK & CONTROL ERRORS

– IDENTIFY MAIN INPUTS
– TEST-CHECK THE PROCEDURES FOR INPUT AUTHORISATION
– VERIFY THE ADEQUACY OF CHECKS FOR DATA VALIDATION

– VERIFY THE ADEQUACY OF PROCEDURES TO ENSURE COMPLETENESS OF DATA
– VERIFY THE PROCEDURES TO HANDLE INCORRECT DATA

CHECK THE CONTROLS AT EACH STAGE OF PROCESSING FOR
– DATA VALIDATION
– DATA COMPLETENESS
– DATA ACCURACY
CHECK ERROR-HANDLING PROCEDURES AT EACH STAGE OF PROCESSING

– CHECK THE CONTROLS FOR ACCURACY AND ADEQUACY OF INPUTS (BY RECONCILING OUTPUT WITH INPUTS)
– CHECK THE CONTROLS TO PROTECT OUTPUT BEFORE DISTRIBUTION

– CHECK THE CONTROLS OVER THE ISSUE OF FINANCIAL STATIONERY
CHECK THE EFFECTIVENESS OF
– ACCESS RESTRICTION
– SECURITY OVER SENSITIVE INFORMATION
– PASSWORD MANAGEMENT