Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT GENERAL CONTROLS & THE PREVENTION OF FRAUD Ed Tobias, CISA, CIA, CFE May 11, 2011.

Published byClinton Eaton Modified over 9 years ago

Similar presentations

Presentation on theme: "IT GENERAL CONTROLS & THE PREVENTION OF FRAUD Ed Tobias, CISA, CIA, CFE May 11, 2011."— Presentation transcript:

1 IT GENERAL CONTROLS & THE PREVENTION OF FRAUD Ed Tobias, CISA, CIA, CFE May 11, 2011

2 A GENDA What are IT General Controls? 5 Areas for Review Case Study

3 What are IT General Controls (ITGC)? What is a “control”? Process developed by management Provides reasonable assurance: Operations – effective & efficient Reliable financial reporting Compliance – laws & regulations

4 What are IT General Controls (ITGC)? Used to manage risks “control someone’s behavior” Examples: Policies & procedures Approvals Reconciliations SoD (Segregation of Duties)

5 What are IT General Controls (ITGC)? Process developed by management Provides reasonable assurance that: Operations – effective & efficient Reliable financial reporting Compliance – laws & regulations Used to manage technology risks

6 What are IT General Controls (ITGC)? What’s the difference???

7 What are IT General Controls (ITGC)? ITGC affect everything based on technology Passwords Program Changes / System updates Roles / SoD Backups / Recovery 3 rd -party providers

8 What are IT General Controls (ITGC)? ITGC are part of the entire system of internal control

9 What are IT General Controls (ITGC)? 3 main technology areas: 1.System (servers) 2.Network 3.Applications

10 What are IT General Controls (ITGC)? ITGC provide assurance that information systems are working as intended Rely on the information Legal / regulatory compliance Effective / efficient operations

11 What are IT General Controls (ITGC)? Center for Internet Security Applying ITGC consistently Protects against 85%+ of top vulnerabilities reported by: NIST FBI SANS Institute Computer Security Institute

12 What are IT General Controls (ITGC)? Without effective ITGC, where is the fraud … Financial statements schemes Asset misappropriation schemes Fraudulent disbursements Theft of assets/inventory Bribery / Conflicts of interest

13 What are IT General Controls (ITGC)? Without effective ITGC, where is the fraud … Theft of Intellectual Property Financial Institution Fraud Check & Credit Card Fraud Insurance Fraud Health Care Fraud Securities Fraud

14 What are IT General Controls (ITGC)? Without effective ITGC, where is the fraud … Consumer Fraud – Identity Theft Computer / Internet Fraud Public Sector Fraud

15 What are IT General Controls (ITGC)? Without effective ITGC, where is the fraud … Almost everywhere since we use technology Store information Make decisions

16 5 Areas for Review 1.IT Entity-Level 2.Change Management 3.Information Security 4.Backup and Recovery 5.3 rd -party IT Providers

17 5 Areas for Review Normally done by IT Auditors Technology skills/background Can be performed by Operational/financial auditors IT Security / Compliance

18 5 Areas for Review Need to determine the “key information technology risks” Framework (NIST, COBIT) IT Management

19 5 Areas for Review What 3-5 things keep them awake at night?

20 5 Areas for Review 1.IT Entity-Level Need to understand IT involvement Assess IT complexity Low – COTS, 1 server, 1-15 users High – ERP and/or customized, 4+ servers, 30+ users

21 5 Areas for Review 1.IT Entity-Level Impact to the system? Mitigating controls?

22 5 Areas for Review 1.IT Entity-Level Policies & procedures Acceptable Use Found in Employee Manual

23 5 Areas for Review What about … USB Thumb Drives Your data has legs!

24 5 Areas for Review What about … Smartphones Your data has legs!

25 5 Areas for Review What about … Rogue wireless access points Your network is OPEN!

26 5 Areas for Review Acceptable Use Information Security responsibilities YOU are responsible for your company’s data!

27 5 Areas for Review 1.IT Entity-Level Annual Technology Plan Annual Budget Prioritization of IT projects

28 5 Areas for Review 2. Change Management All changes to system Properly authorized Securely implemented SoD is important!

29 5 Areas for Review 2. Change Management Vendor does changes Access always on? Logging access times? Review key reports before/after changes?

30 5 Areas for Review 2. Change Management Key Spreadsheets Locked down? Protected formulas? Restricted access?

31 5 Areas for Review Impact of Spreadsheet Errors Data entry error of $118,000 $11M severance error $30M spreadsheet error $644M misstatement Statistics from 2006 ACL White Paper – Spreadsheets

32 5 Areas for Review 3. Information Security Physical Security Passwords User IDs Roles in the system Administrators / Super Users Logging Encryption

33 5 Areas for Review 3. Information Security Wireless Access

34 5 Areas for Review 3. Information Security Physical Security

35 5 Areas for Review 3. Information Security Password best practices (NIST) Password length - 8 Complex passwords – 2/4 Upper / lower case Numeric (0-9) Special (!,@,#,$)

36 5 Areas for Review 3. Information Security Password best practices (NIST) Password history – 90 days Suspended after 3 tries Change initial password Password history – 8

37 5 Areas for Review 3. Information Security Password best practices (NIST) Mitigating controls No dictionary words Regular training / awareness

38 5 Areas for Review 3. Information Security User IDs No sharing No generic IDs (i.e. Clerk1) No default IDs/passwords CIRT.net – 444 vendors, 1800+ passwords

39 5 Areas for Review 3. Information Security Roles in the system Simplify security administration Regularly reviewed?

40 5 Areas for Review 3. Information Security Administrators / Super Users “Keys to the Kingdom”

41 5 Areas for Review 3. Information Security Administrators / Super Users Limited number Required for job duties Audit trail / logging Use only when necessary Periodic review

42 5 Areas for Review 3. Information Security Logging Slows down system Critical changes/info Protected from Admins Regularly reviewed

43 5 Areas for Review 3. Information Security Encryption Data at rest WHY? Hacked Internal theft Backups are compromised

44 5 Areas for Review 3. Information Security Encryption Data in transit WHY? Packet sniffing - Wire theft War driving

45 5 Areas for Review 3. Information Security Wireless Access Wireless Access Policy Encryption MAC Address filtering

46 5 Areas for Review 4. Backup and Recovery Encrypted? Limited access

47 5 Areas for Review 5. 3 rd -party IT Providers “Data in the Cloud”

48 5 Areas for Review 5. 3 rd -party IT Providers Outsource anything Servers (Data Center) Virtual Servers on demand Applications Virus scanning

49 5 Areas for Review 5. 3 rd -party IT Providers SAS70 Replaced by SSAE16 Type 2 Effective June 15, 2011 Financial Reporting

50 5 Areas for Review 5. 3 rd -party IT Providers SOC 2 Security Availability Processing integrity Confidentiality Privacy Risk-based control framework

51 Case Study Profiled in Nov/Dec 2010 and Jan/Feb 2011 issues Fraud mag. Deputy treasurer/controller issued $236,000 in checks through authorized maker scheme Detected through manual reconciliation & computer exception report

52 Case Study $7,148 check cleared the bank but not an outstanding check Uncashed check of $7,148 to a vendor was found in his office Clerk noticed missing exception reports Looked at IT system changes for days w/missing reports

53 Case Study Staff cuts left him as the authorized person for changes IT discovered 2 inactive, unauthorized program changes $215,846 $13,930

54 Case Study What went wrong?

55 Case Study Weak IT Entity-Level controls Improper SoD Poor change management Weak controls in payment dept

56 Questions

57 Contact Information ed.tobias@hillsclerk.com http://www.linkedin.com/in/ed3200

Download ppt "IT GENERAL CONTROLS & THE PREVENTION OF FRAUD Ed Tobias, CISA, CIA, CFE May 11, 2011."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Internal Controls What Are They And Why Should I Care? 1.

Internal Controls What Are They And Why Should I Care? 1.
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Securing NPI Mary Schuster Mike Murphy.  Gramm-Leach-Bliley Act Enacted to control the ways that financial institutions deal with the private information.

Securing NPI Mary Schuster Mike Murphy.  Gramm-Leach-Bliley Act Enacted to control the ways that financial institutions deal with the private information.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Auditing Computer Systems

Auditing Computer Systems
The Islamic University of Gaza

The Islamic University of Gaza
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.

Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
The University of California Strengthening Business Practices: The Language of Our Control Environment Dan Sampson Assistant Vice President Financial Services.

The University of California Strengthening Business Practices: The Language of Our Control Environment Dan Sampson Assistant Vice President Financial Services.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Similar presentations

Ads by Google