Wednesday, 21 March 2012

Information technology controls

In business and accounting, information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC include controls over the information technology (IT) environment, computer operations, access to programs and data, program development and program changes. IT application controls refer to transaction processing controls, sometimes called "input-processing-output" controls. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework (Control Objectives for Information Technology) is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches. IT departments in organizations are often led by a chief information officer (CIO), who is responsible for ensuring that effective information technology controls are in place.

IT application controls

IT application or program controls are fully automated (i.e., performed automatically by the systems) and are designed to ensure the complete and accurate processing of data, from input through output. These controls vary based on the business purpose of the specific application. They may also help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:

Completeness checks - controls that ensure all records were processed from initiation to completion.

Validity checks - controls that ensure only valid data is input or processed.

Identification - controls that ensure all users are uniquely and irrefutably identified.

Authentication - controls that provide an authentication mechanism in the application system.

Authorization - controls that ensure only approved business users have access to the application system.

Input controls - controls that ensure the integrity of data fed from upstream sources into the application system.
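The categories above are easier to recognize when they appear as explicit checks in a posting routine. The following is an added example, not code from the original page or from any framework it mentions: a batch-posting step that enforces authorization (the caller must be a known user permitted to post to the batch's ledger), validity (each record is well-formed and its amount is a positive number), and completeness (the record count and control total carried in the batch header from the upstream system must agree with what was received). The users, ledgers, header format and sample records are all constructed for illustration.

```python
"""Added example (not from the original page): one batch-posting step with
the application-control categories implemented as explicit checks.
Users, ledgers, header layout and sample data are constructed."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed authorization table: which users may post to which ledger.
AUTHORIZED_POSTERS = {"ap_clerk": {"AP"}, "payroll_clerk": {"PAYROLL"}}


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (record, reason)
    errors: list = field(default_factory=list)     # batch-level control failures
    complete: bool = False


def validate_record(rec):
    """Validity check: every required field present and the amount a positive number."""
    for key in ("id", "ledger", "amount", "vendor"):
        if not rec.get(key):
            return f"missing field {key}"
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return "amount is not a number"
    if amount <= 0:
        return "amount must be positive"
    return None


def post_batch(user, header, records):
    """Process one upstream batch.

    header: {"count": n, "total": "x.xx", "ledger": "AP"} as computed by the
    sending system. Comparing it with what arrived is the input/completeness
    control: a dropped, duplicated or altered record shows up as a mismatch.
    """
    result = BatchResult()
    # Identification + authorization: the caller must be a known user
    # permitted to post to this ledger; otherwise nothing is processed.
    if header["ledger"] not in AUTHORIZED_POSTERS.get(user, set()):
        result.errors.append(f"user {user!r} not authorized for ledger {header['ledger']}")
        return result
    for rec in records:
        reason = validate_record(rec)
        if reason is None and rec["ledger"] != header["ledger"]:
            reason = "ledger mismatch with batch header"
        if reason:
            result.rejected.append((rec, reason))
        else:
            result.accepted.append(rec)
    # Completeness check: count and control total must agree with the header.
    accepted_total = sum(Decimal(r["amount"]) for r in result.accepted)
    if len(records) != header["count"]:
        result.errors.append(f"count mismatch: header {header['count']}, received {len(records)}")
    if accepted_total != Decimal(header["total"]):
        result.errors.append(f"control total mismatch: header {header['total']}, accepted {accepted_total}")
    result.complete = not result.errors and not result.rejected
    return result


# Constructed sample batch: the third record fails the validity check.
SAMPLE_HEADER = {"count": 3, "total": "350.00", "ledger": "AP"}
SAMPLE_RECORDS = [
    {"id": "1", "ledger": "AP", "amount": "100.00", "vendor": "Acme"},
    {"id": "2", "ledger": "AP", "amount": "250.00", "vendor": "Globex"},
    {"id": "3", "ledger": "AP", "amount": "-5.00", "vendor": "Initech"},
]

if __name__ == "__main__":
    res = post_batch("ap_clerk", SAMPLE_HEADER, SAMPLE_RECORDS)
    print("complete:", res.complete, "rejected:", res.rejected, "errors:", res.errors)
```

A batch is only marked complete when every record passed validation and both header figures reconcile; a rejected record is reported with its reason rather than silently dropped, so the exception report itself becomes evidence that the control operated.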


Internal control frameworks

COBIT

COBIT is a widely utilized framework containing best practices for both ITGC and application controls. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods of evaluation of an enterprise's IT controls.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring, that need to be in place to achieve financial reporting and disclosure objectives; COBIT provides similar detailed guidance for IT, while the related Val IT concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate. The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.

IT controls and the Sarbanes-Oxley Act (SOX)

SOX requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and requires public companies to establish adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in an increased focus on IT controls, as these support financial processing and therefore fall into the scope of management's assessment of internal control under Section 404 of SOX.

The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB and SEC states that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment. In addition, Statement on Auditing Standards No. 109 (SAS 109) discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.

IT controls that typically fall under the scope of a SOX 404 assessment may include:

Specific application (transaction processing) control procedures that directly mitigate identified financial reporting risks. There are typically a few such controls within major applications in each financial process, such as accounts payable, payroll, general ledger, etc. The focus is on "key" controls (those that specifically address risks), not on the entire application.

IT general controls that support the assertions that programs function as intended and that key financial reports are reliable, primarily change control and security controls;

IT operations controls, which ensure that problems with processing are identified and corrected.

Specific activities that may occur to support the assessment of the key controls above include:

Understanding the organization's internal control program and its financial reporting processes.

Identifying the IT systems involved in the initiation, authorization, processing, summarization and reporting of financial data;

Identifying the key controls that address specific financial risks;

Designing and implementing controls intended to mitigate the identified risks and monitoring them for continued effectiveness;

Documenting and testing IT controls;

Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes; and

Monitoring IT controls for effective operation over time.

To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, which exist within these applications or within their supporting systems, such as databases, networks and operating systems, are equally important, but do not directly align to a financial assertion. Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enabled management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.

Section 802 & Records retention

Section 802 of Sarbanes-Oxley requires public companies and their public accounting firms to retain all audit or review work papers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded. This includes electronic records which are created, sent, or received in connection with an audit or review. As external auditors rely to a certain extent on the work of internal audit, this implies that internal audit records must also comply with Section 802.

In connection with document retention, another issue is that of the security of storage media and how well electronic documents are protected for both current and future use. The five-year record retention requirement means that current technology must be able to read what was stored 5 years ago. Due to rapid changes in technology, some of today's media might be obsolete in the next three or 5 years. Audit data retained today may not be retrievable, not because of data degradation, but because of obsolete equipment and storage media.

Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management program (RM); the comprehensiveness of RM (i.e. paper, electronic, transactional communications, which includes emails, instant messages, and spreadsheets that are used to analyze financial results); the adequacy of the retention life cycle; the immutability of RM practices; audit trails; and the accessibility and control of RM content.

End-user application / Spreadsheet controls

PC-based spreadsheets or databases are often used to provide critical data or calculations related to financial risk areas within the scope of a SOX 404 assessment. Financial spreadsheets are often categorized as end-user computing (EUC) tools that have historically lacked traditional IT controls. They can support complex calculations and provide significant flexibility. However, with flexibility and power comes the risk of errors, an increased potential for fraud, and misuse for critical spreadsheets that do not follow the software development lifecycle (e.g. design, develop, test, validate, deploy). To remediate and control spreadsheets, public organizations may implement controls such as:

Inventory and risk-rank spreadsheets that are related to critical financial risks identified as in-scope for the SOX 404 assessment. These generally relate to the key estimates and judgments of the enterprise, where sophisticated calculations and assumptions are involved. Spreadsheets used merely to download and upload data are less of a concern.

Perform a risk-based analysis to identify spreadsheet logic errors. Automated tools exist for this purpose.

Ensure the spreadsheet calculations are functioning as intended (i.e., "baseline" them).

Ensure changes to key calculations are properly approved.

Responsibility for control over spreadsheets is shared between the business users and IT. The IT organization is typically concerned with providing a secure shared drive for storage of the spreadsheets and data backup. The business personnel are responsible for the remainder.
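The two controls "baseline the calculations" and "ensure changes to key calculations are approved" can be mechanized together: record a digest of a spreadsheet's formula cells once it has been validated, then, at each review, compare the current workbook against that digest and report any formula change that has no matching approval record. The following is an added example, not the page's or any vendor's tool; it represents a workbook as a plain {cell: formula} dict so it runs without a spreadsheet library, and the sheets, cell addresses and approval records are constructed for illustration. Literal input cells are deliberately excluded from the baseline, since they change every period while the calculation logic should not.

```python
"""Added example (not from the original page): baseline the formula cells of
an in-scope spreadsheet and flag later changes that lack an approval record.
Workbooks are modelled as {cell: value_or_formula} dicts; all sample content
is constructed for illustration."""
import hashlib
import json


def formula_cells(sheet):
    """Keep only formula cells: literal inputs may change each period,
    but the calculation logic is what gets baselined."""
    return {cell: f for cell, f in sheet.items()
            if isinstance(f, str) and f.startswith("=")}


def baseline(sheet):
    """Hash each formula cell and the whole set.
    Per-cell hashes let a reviewer see which cell changed; the overall
    digest is what would be recorded in the spreadsheet inventory."""
    cells = {cell: hashlib.sha256(f.encode()).hexdigest()
             for cell, f in sorted(formula_cells(sheet).items())}
    digest = hashlib.sha256(json.dumps(cells, sort_keys=True).encode()).hexdigest()
    return {"cells": cells, "digest": digest}


def review_changes(base, current_sheet, approvals):
    """Compare the current workbook with its baseline.

    approvals: set of (cell, sha256 of the approved new formula). A changed,
    added or removed formula cell with no matching approval is reported as
    unapproved; a removed cell is approved by (cell, None).
    """
    now = baseline(current_sheet)
    report = {"changed": [], "added": [], "removed": [], "unapproved": []}
    for cell in sorted(set(base["cells"]) | set(now["cells"])):
        old, new = base["cells"].get(cell), now["cells"].get(cell)
        if old == new:
            continue
        if old is None:
            report["added"].append(cell)
        elif new is None:
            report["removed"].append(cell)
        else:
            report["changed"].append(cell)
        if (cell, new) not in approvals:
            report["unapproved"].append(cell)
    report["matches_baseline"] = now["digest"] == base["digest"]
    return report


# Constructed sample: a revenue-estimate sheet, and the same sheet after
# an input was updated, one formula was edited and one formula was added.
SHEET_V1 = {"A1": 1000, "A2": 0.05, "B1": "=A1*A2", "B2": "=SUM(B1:B1)"}
SHEET_V2 = {"A1": 1200, "A2": 0.05, "B1": "=A1*A2*1.1", "B2": "=SUM(B1:B1)",
            "C1": "=B2/2"}
# Only the new C1 formula went through change approval.
APPROVED = {("C1", hashlib.sha256(b"=B2/2").hexdigest())}

if __name__ == "__main__":
    base = baseline(SHEET_V1)
    print(review_changes(base, SHEET_V2, APPROVED))
```

On the sample, the review reports B1 as changed and unapproved, C1 as added and approved, and the A1 input change as nothing at all, which is the behaviour a reviewer wants: the baseline is a statement about the calculation, not about the period's numbers.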