1
IT GENERAL CONTROLS & THE PREVENTION OF FRAUD Ed Tobias, CISA, CIA, CFE May 11, 2011
2
AGENDA
- What are IT General Controls?
- 5 Areas for Review
- Case Study
3
What are IT General Controls (ITGC)?
What is a "control"?
- A process developed by management
- Provides reasonable assurance of:
  - Operations – effective & efficient
  - Reliable financial reporting
  - Compliance – laws & regulations
4
What are IT General Controls (ITGC)?
Controls are used to manage risks ("control someone's behavior")
Examples:
- Policies & procedures
- Approvals
- Reconciliations
- SoD (Segregation of Duties)
5
What are IT General Controls (ITGC)?
- A process developed by management
- Provides reasonable assurance that:
  - Operations – effective & efficient
  - Reliable financial reporting
  - Compliance – laws & regulations
- Used to manage technology risks
6
What are IT General Controls (ITGC)? What’s the difference???
7
What are IT General Controls (ITGC)?
ITGC affect everything based on technology:
- Passwords
- Program changes / system updates
- Roles / SoD
- Backups / recovery
- 3rd-party providers
8
What are IT General Controls (ITGC)? ITGC are part of the entire system of internal control
9
What are IT General Controls (ITGC)?
3 main technology areas:
1. Systems (servers)
2. Network
3. Applications
10
What are IT General Controls (ITGC)?
ITGC provide assurance that information systems are working as intended, so that the organization can:
- Rely on the information
- Meet legal / regulatory compliance
- Operate effectively / efficiently
11
What are IT General Controls (ITGC)?
Center for Internet Security: applying ITGC consistently protects against 85%+ of the top vulnerabilities reported by:
- NIST
- FBI
- SANS Institute
- Computer Security Institute
12
What are IT General Controls (ITGC)?
Without effective ITGC, where is the fraud?
- Financial statement schemes
- Asset misappropriation schemes
  - Fraudulent disbursements
  - Theft of assets / inventory
- Bribery / conflicts of interest
13
What are IT General Controls (ITGC)?
Without effective ITGC, where is the fraud?
- Theft of intellectual property
- Financial institution fraud
- Check & credit card fraud
- Insurance fraud
- Health care fraud
- Securities fraud
14
What are IT General Controls (ITGC)?
Without effective ITGC, where is the fraud?
- Consumer fraud – identity theft
- Computer / Internet fraud
- Public sector fraud
15
What are IT General Controls (ITGC)?
Without effective ITGC, where is the fraud?
Almost everywhere, since we use technology to:
- Store information
- Make decisions
16
5 Areas for Review
1. IT Entity-Level
2. Change Management
3. Information Security
4. Backup and Recovery
5. 3rd-party IT Providers
17
5 Areas for Review
Normally done by IT auditors (technology skills/background)
Can also be performed by:
- Operational / financial auditors
- IT security / compliance staff
18
5 Areas for Review
Need to determine the "key information technology risks":
- Framework (NIST, COBIT)
- IT management
19
5 Areas for Review What 3-5 things keep them awake at night?
20
5 Areas for Review
1. IT Entity-Level
- Need to understand IT involvement
- Assess IT complexity:
  - Low – COTS, 1 server, 1-15 users
  - High – ERP and/or customized, 4+ servers, 30+ users
21
5 Areas for Review
1. IT Entity-Level
- Impact to the system?
- Mitigating controls?
22
5 Areas for Review
1. IT Entity-Level
- Policies & procedures
- Acceptable Use (found in the Employee Manual)
23
5 Areas for Review What about … USB Thumb Drives Your data has legs!
24
5 Areas for Review What about … Smartphones Your data has legs!
25
5 Areas for Review What about … Rogue wireless access points Your network is OPEN!
26
5 Areas for Review Acceptable Use Information Security responsibilities YOU are responsible for your company’s data!
27
5 Areas for Review
1. IT Entity-Level
- Annual technology plan
- Annual budget
- Prioritization of IT projects
28
5 Areas for Review
2. Change Management
- All changes to the system must be:
  - Properly authorized
  - Securely implemented
- SoD is important! The person who makes a change should not be the one who approves it.
29
5 Areas for Review
2. Change Management
When the vendor makes changes:
- Is their access always on, or enabled only for the change window?
- Are access times logged?
- Are key reports reviewed before/after changes?
30
5 Areas for Review
2. Change Management
Key spreadsheets:
- Locked down?
- Protected formulas?
- Restricted access?
31
5 Areas for Review
Impact of Spreadsheet Errors
- Data entry error of $118,000
- $11M severance error
- $30M spreadsheet error
- $644M misstatement
Statistics from the 2006 ACL white paper on spreadsheets
32
5 Areas for Review
3. Information Security
- Physical security
- Passwords
- User IDs
- Roles in the system
- Administrators / super users
- Logging
- Encryption
33
5 Areas for Review 3. Information Security Wireless Access
34
5 Areas for Review 3. Information Security Physical Security
35
5 Areas for Review
3. Information Security
Password best practices (NIST):
- Password length – 8 minimum
- Complex passwords – characters from 2 of the 4 classes:
  - Upper case / lower case
  - Numeric (0-9)
  - Special (!, @, #, $)
36
5 Areas for Review
3. Information Security
Password best practices (NIST):
- Maximum password age – 90 days
- Account suspended after 3 failed attempts
- Initial password must be changed at first logon
- Password history – 8 (previous passwords cannot be reused)
Caveat: these reflect the NIST guidance current in 2011. NIST SP 800-63B (2017) drops mandatory composition rules and scheduled expiry in favour of minimum length and screening against known-compromised passwords.
37
5 Areas for Review
3. Information Security
Password best practices (NIST) – mitigating controls:
- No dictionary words
- Regular training / awareness
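The password rules on the preceding three slides, turned into a checker. This is an added example, not code from the presentation. It assumes the "2/4" rule means characters from at least two of the four classes (upper, lower, digit, special), uses a small constructed dictionary in place of a real word list, and stores password history as salted PBKDF2 digests rather than plaintext; the PBKDF2 round count is kept low so the example runs quickly.

```python
"""Password-policy checker for the rules listed on the slides (added example)."""
import hashlib
import hmac
import os
import string
from typing import Optional

MIN_LENGTH = 8           # "Password length - 8"
MIN_CLASSES = 2          # "Complex passwords - 2/4" (assumed: 2 of 4 classes)
HISTORY_DEPTH = 8        # "Password history - 8"
MAX_FAILED_ATTEMPTS = 3  # "Suspended after 3 tries"
PBKDF2_ROUNDS = 20_000   # kept low for the example; use far more in production

# Constructed dictionary; a real deployment would load a full word list.
DICTIONARY = {"password", "welcome", "treasurer", "summer", "letmein"}


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def contains_dictionary_word(password: str, dictionary=DICTIONARY) -> bool:
    """Substring match, so 'Summer2011' is still caught."""
    lowered = password.lower()
    return any(word in lowered for word in dictionary)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Remembers the last HISTORY_DEPTH passwords as salted digests, never plaintext."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # (salt, digest) tuples, oldest first

    def seen(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-self.depth]  # keep only the newest `depth` entries


def check_password(password: str, history: Optional[PasswordHistory] = None) -> list:
    """Return the policy violations; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        failures.append(f"uses fewer than {MIN_CLASSES} of 4 character classes")
    if contains_dictionary_word(password):
        failures.append("contains a dictionary word")
    if history is not None and history.seen(password):
        failures.append(f"reused within the last {history.depth} passwords")
    return failures


class Lockout:
    """Suspend an account after MAX_FAILED_ATTEMPTS consecutive failures."""

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS):
        self.max_attempts = max_attempts
        self._failures = {}
        self.suspended = set()

    def record_failure(self, user: str) -> bool:
        """Record a failed logon; returns True once the account is suspended."""
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_attempts:
            self.suspended.add(user)
        return user in self.suspended

    def record_success(self, user: str) -> None:
        if user not in self.suspended:  # a suspended account needs an admin reset
            self._failures.pop(user, None)


if __name__ == "__main__":
    print(check_password("Summer2011"))   # dictionary word
    print(check_password("Tr0ub4dor&3"))  # passes every rule
```

The history class is the part most often done wrong: storing previous passwords in plaintext (or reversibly encrypted) so they can be compared turns the history table into exactly the kind of data the encryption-at-rest slide warns about.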
38
5 Areas for Review
3. Information Security
User IDs:
- No sharing
- No generic IDs (e.g. Clerk1)
- No default IDs/passwords (the CIRT.net default-password list covers 444 vendors and 1,800+ passwords)
39
5 Areas for Review
3. Information Security
Roles in the system:
- Simplify security administration
- Regularly reviewed?
40
5 Areas for Review 3. Information Security Administrators / Super Users “Keys to the Kingdom”
41
5 Areas for Review
3. Information Security
Administrators / super users:
- Limited number
- Required for job duties
- Audit trail / logging
- Use only when necessary
- Periodic review
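One way to do the periodic review the roles and super-user slides call for, covering the SoD point under Change Management as well. This is an added example, not code from the presentation: the user/role export, the role names, the conflict matrix and the generic-ID pattern are all constructed for illustration, and a real ERP or AP system will export different column names.

```python
"""Access review over a constructed user/role export (added example)."""
import csv
import io
import re
from collections import defaultdict

# Constructed export: one row per user/role assignment.
USER_ROLE_EXPORT = """\
user_id,role,status
jsmith,ap_clerk,active
jsmith,vendor_maintenance,active
dtreasurer,payment_approver,active
dtreasurer,program_change_approver,active
dtreasurer,developer,active
admin,sysadmin,active
svc_backup,sysadmin,active
clerk1,ap_clerk,active
mlee,sysadmin,disabled
"""

# Toxic combinations (constructed): holding both roles lets one person
# complete a fraudulent transaction end to end with no second pair of eyes.
SOD_CONFLICTS = {
    frozenset({"vendor_maintenance", "payment_approver"}):
        "can create a vendor and approve payments to it",
    frozenset({"ap_clerk", "payment_approver"}):
        "can enter and approve the same invoice",
    frozenset({"developer", "program_change_approver"}):
        "can write and approve their own program changes",
}

PRIVILEGED_ROLES = {"sysadmin", "dba"}  # the "keys to the kingdom"
GENERIC_ID_PATTERN = re.compile(r"^(admin|clerk|test|temp|guest|svc_)", re.I)


def load_roles(export_text: str) -> dict:
    """Map each active user to the set of roles they hold."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].lower() == "active":
            roles[row["user_id"]].add(row["role"])
    return dict(roles)


def sod_conflicts(roles_by_user: dict) -> list:
    """Every (user, conflicting role pair, reason) present in the export."""
    findings = []
    for user, roles in sorted(roles_by_user.items()):
        for pair, reason in SOD_CONFLICTS.items():
            if pair <= roles:
                findings.append((user, tuple(sorted(pair)), reason))
    return findings


def privileged_accounts(roles_by_user: dict) -> list:
    """Accounts holding a privileged role; the list should be short and each one justified."""
    return sorted(u for u, r in roles_by_user.items() if r & PRIVILEGED_ROLES)


def generic_ids(roles_by_user: dict) -> list:
    """IDs not tied to a named person (the deck's 'Clerk1'); these defeat the audit trail."""
    return sorted(u for u in roles_by_user if GENERIC_ID_PATTERN.match(u))


def access_review(export_text: str) -> dict:
    roles = load_roles(export_text)
    return {
        "sod_conflicts": sod_conflicts(roles),
        "privileged_accounts": privileged_accounts(roles),
        "generic_ids": generic_ids(roles),
    }


if __name__ == "__main__":
    for section, items in access_review(USER_ROLE_EXPORT).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run against the constructed export it flags the treasurer-style combination (developer plus change approver), two privileged accounts, and three IDs that cannot be traced to a person. The conflict matrix is the part that needs business input: which role pairs are toxic depends on the process, not on the software.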
42
5 Areas for Review
3. Information Security
Logging:
- Logging everything slows down the system, so log the critical changes/information
- Protected from administrators (they must not be able to alter or delete their own audit trail)
- Regularly reviewed
43
5 Areas for Review
3. Information Security
Encryption – data at rest. WHY?
- System is hacked
- Internal theft
- Backups are compromised
44
5 Areas for Review
3. Information Security
Encryption – data in transit. WHY?
- Packet sniffing – wire theft
- War driving
45
5 Areas for Review
3. Information Security
Wireless access:
- Wireless access policy
- Encryption (WPA2, not WEP, which is broken)
- MAC address filtering (caveat: MAC addresses are sent in the clear and are trivially spoofed, so this is housekeeping, not a security boundary)
46
5 Areas for Review
4. Backup and Recovery
- Encrypted?
- Limited access?
47
5 Areas for Review
5. 3rd-party IT Providers
"Data in the Cloud"
48
5 Areas for Review
5. 3rd-party IT Providers
You can outsource almost anything:
- Servers (data center)
- Virtual servers on demand
- Applications
- Virus scanning
49
5 Areas for Review
5. 3rd-party IT Providers
- SAS 70 is replaced by SSAE 16 (SOC 1), Type 2
- Effective for report periods ending on or after June 15, 2011
- Scope: controls relevant to financial reporting
50
5 Areas for Review
5. 3rd-party IT Providers
SOC 2 – a risk-based control framework covering:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
51
Case Study
- Profiled in the Nov/Dec 2010 and Jan/Feb 2011 issues of Fraud Magazine
- A deputy treasurer/controller issued $236,000 in checks through an "authorized maker" scheme
- Detected through a manual reconciliation and a computer exception report
52
Case Study
- A $7,148 check cleared the bank but was not on the outstanding check list
- An uncashed check for $7,148 to a vendor was found in his office
- A clerk noticed that exception reports were missing
- IT looked at system changes made on the days with missing reports
53
Case Study
- Staff cuts had left him as the only person authorized to approve changes
- IT discovered 2 inactive, unauthorized program changes:
  - $215,846
  - $13,930
54
Case Study What went wrong?
55
Case Study
What went wrong?
- Weak IT entity-level controls
- Improper SoD
- Poor change management
- Weak controls in the payment department
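The two detective controls that caught the scheme in the case study, re-created as code: a bank reconciliation exception report (checks the bank paid that were never issued, plus any outstanding check with the same amount) and a check that the daily exception report actually ran, correlated against the program change log. This is an added example, not code from the presentation or from the case; every check, bank line, report-run date, program name and user name below is constructed, and the self-approval test reflects the SoD failure the slides describe rather than any detail of the real system.

```python
"""Reconciliation and change-log exception checks (added example, constructed data)."""
from datetime import date, timedelta
from decimal import Decimal

# Constructed check register: what the payment system says was issued.
CHECK_REGISTER = [
    {"check_no": "1041", "payee": "Acme Supply", "amount": Decimal("7148.00"), "cleared": False},
    {"check_no": "1042", "payee": "City Power", "amount": Decimal("2300.50"), "cleared": True},
    {"check_no": "1043", "payee": "Office Depot", "amount": Decimal("412.19"), "cleared": True},
]

# Constructed bank statement: checks the bank actually paid.
BANK_CLEARED = [
    {"check_no": "1042", "amount": Decimal("2300.50")},
    {"check_no": "1043", "amount": Decimal("412.19")},
    {"check_no": "1052", "amount": Decimal("7148.00")},  # never issued per the register
]

# Constructed log of the days the daily exception report ran (1 Mar 2010 is a Monday).
REPORT_RUN_LOG = {date(2010, 3, 1), date(2010, 3, 2), date(2010, 3, 4), date(2010, 3, 5)}

# Constructed program change log.
PROGRAM_CHANGE_LOG = [
    {"date": date(2010, 3, 3), "program": "AP_CHECK_PRINT", "changed_by": "dtreasurer", "approved_by": "dtreasurer"},
    {"date": date(2010, 3, 4), "program": "GL_POST", "changed_by": "jdoe", "approved_by": "itmgr"},
]


def cleared_not_issued(register, cleared):
    """Bank-paid checks with no matching (number, amount) in the register."""
    issued = {(r["check_no"], r["amount"]) for r in register}
    numbers = {r["check_no"] for r in register}
    exceptions = []
    for item in cleared:
        if (item["check_no"], item["amount"]) in issued:
            continue
        reason = "amount differs from register" if item["check_no"] in numbers else "no register entry"
        exceptions.append((item["check_no"], item["amount"], reason))
    return exceptions


def matching_outstanding(register, exceptions):
    """Outstanding register checks whose amount equals an exception: a likely substituted check."""
    amounts = {amount for _, amount, _ in exceptions}
    return [r["check_no"] for r in register if not r["cleared"] and r["amount"] in amounts]


def business_days(start, end):
    day = start
    while day <= end:
        if day.weekday() < 5:
            yield day
        day += timedelta(days=1)


def missing_report_days(start, end, run_log):
    """Business days on which the exception report did not run."""
    return [d for d in business_days(start, end) if d not in run_log]


def changes_on_days(days, change_log):
    wanted = set(days)
    return [c for c in change_log if c["date"] in wanted]


def self_approved_changes(change_log):
    """Changes approved by the person who made them: the SoD failure in the case."""
    return [c for c in change_log if c["changed_by"] == c["approved_by"]]


def case_study_review():
    """Run both controls over the constructed data; results as plain strings."""
    exc = cleared_not_issued(CHECK_REGISTER, BANK_CLEARED)
    gaps = missing_report_days(date(2010, 3, 1), date(2010, 3, 5), REPORT_RUN_LOG)
    return {
        "cleared_not_issued": [(n, str(a), why) for n, a, why in exc],
        "matching_outstanding": matching_outstanding(CHECK_REGISTER, exc),
        "missing_report_days": [d.isoformat() for d in gaps],
        "changes_on_missing_days": [c["program"] for c in changes_on_days(gaps, PROGRAM_CHANGE_LOG)],
        "self_approved": [c["program"] for c in self_approved_changes(PROGRAM_CHANGE_LOG)],
    }


if __name__ == "__main__":
    for finding, items in case_study_review().items():
        print(f"{finding}: {items}")
```

The point of the second half is the one the clerk in the case acted on: a report that silently stops running is itself an exception, and the days it is missing are exactly the days whose change-log entries deserve a look.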
56
Questions
57
Contact Information ed.tobias@hillsclerk.com http://www.linkedin.com/in/ed3200