
General Control

Zaldy Adrianto

Definition
Assessment of the risks related to the IT organization, security, acquisition, development and maintenance, and computer operations.

Objectives
To provide a comprehensive framework of internal controls for IT activities and to provide a certain level of assurance that the overall internal control objectives can be achieved.
According to Indonesian Auditing Standards (PSA No. 60 / SA Seksi 314)

General Control Elements
- Organizational and Managerial
- System Development and Maintenance
- Operating System
- Software
- Data Entry and Program
- Backup and Recovery
According to PSA No. 60 / SA Seksi 314

Organizational and Managerial Control
To provide assurance that the organizational and management structure has been established with adequate internal control, including:
- Policies and procedures relating to the control function.
- Proper segregation of incompatible functions (such as preparation of input transactions, programming and computer operations).

System Development and Maintenance Control
To provide assurance that system development and maintenance have been carried out efficiently and through proper authorization processes, including:
- Testing, modification, implementation and documentation of new or revised systems.
- Changes to application systems.
- Access to system documentation.
- Acquisition of application systems and program listings from third parties.

Operating System Control
Controls over system operations are in place to provide assurance that:
- The system is used only for authorized purposes.
- Access to computer operations is restricted to authorized employees.
- Only authorized programs are used.
- Processing errors can be detected and corrected.

Software Control
Controls are in place so that application software is designed, acquired and developed efficiently and through proper authorization processes:
- Authorization, approval, testing, implementation and documentation of new system software and of modifications to system software.
- Restriction of access to software and system documentation to authorized employees only.

Backup and Recovery Procedure
Assurance is in place for the continuity of information-system processing and the availability of information. This includes:
- Backup copies of data and computer programs kept at a location different from the main data-processing site.
- Recovery procedures for use in the event of theft, loss or destruction of data, whether deliberate or accidental.
- Provision of processing at a location outside the company in the event of a disaster.

Data Entry and Program Control
Controls over the data entry process and over programs are in place to provide assurance that:
- An authorization structure is applied to transactions entered into the system.
- Access to data and programs is restricted to authorized employees only.

General Control Illustration (diagram): the Development, Testing and Production environments, with Production shown as Input, Process and Output, enclosed by the general controls Logical Access Control, Physical Access Control, Program Change Control, and Policy and Standard Operating Procedures.

IT Planning and Organization
Strategic Plan (3-5 years):
- Current information assessment
- Strategic directions
- Development strategy
- Progress reports
- Initiative to be undertaken
- Implementation schedule
Operational Plan (1-3 years)

IT Plan Review
Auditors evaluate whether top management has formulated a high-quality information systems plan appropriate to the needs of their organization.

Example of risks caused by poor planning
- Declining efficiency and effectiveness of IT functions
- Insufficient resources to provide the required IT functions / availability
- Going concern issues
- Lack of competitive advantages

Organization
Organizational controls ensure the alignment of IT facilities with the business needs and the proper management of these facilities.

Key risks
- IT does not support business needs
- Loss of efficiency, untimely problem solving, unsatisfied staff, no improvements
- Unwanted combination of functions
- Untimely management reporting
- High dependence on one/few persons

Key controls
- Planning and budgeting
- Quality and quantity of staff
- Segregation of duties or close supervision
- Efficient use of IT
- Procedures and documentation

Organizational issues
- Position of IT department in organization
- Planning and reporting
- Centralization or decentralization of tasks
- Functions and task descriptions of IT staff
- Quality and quantity of staff
- Cost center, profit center, investment center and hybrid center

Change Management
Change management procedures ensure that changes in the IT hardware and software do not negatively affect the general and application controls.

Key risks
- Loss of effectiveness of IT controls
- Loss of valuable hardware during changes
- IT no longer meets the business needs

Key controls
- Use of development and programming standards
- Proper testing by the users
- Up-to-date hardware and software documentation
- User involvement in initiating and approving changes

Integrated Audit Approach with the Systems Development Life Cycle
- Feasibility Study
- Information Analysis
- System Design
- Program Development
- Procedures and forms development
- Acceptance Testing
- Conversion
- Operation & Maintenance

Software Change Process
Access rights per environment:
- Development: read, write and delete access rights for developers
- Test and acceptance: use access rights for developers and users
- Production: use access rights for users
- Software library: read access for librarian
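The access-rights matrix above is easy to state and easy to drift away from. The following Python script is an added example, not code from the slides: it encodes the matrix as a deny-by-default policy, flags any grant outside it, and separately flags accounts that can both change code in development and use production, which is the programming/operations combination the organizational control earlier calls incompatible even when each grant is individually allowed. The account names, roles and grants are constructed for illustration.

```python
"""Segregation-of-duties check for a software change process.

Added example, not taken from the original slides. It encodes the
access-rights matrix the slides describe (developers: read, write and
delete in development; developers and users: use in test and
acceptance; users: use in production; librarian: read on the software
library) and flags grants that fall outside it, plus accounts that can
both change code and run it in production. All account names, roles
and grants are constructed for illustration.
"""
from typing import List, NamedTuple, Tuple

# Policy matrix: environment -> role -> permitted rights. Anything not
# listed here is a violation (deny by default).
POLICY = {
    "development": {"developer": {"read", "write", "delete"}},
    "test": {"developer": {"use"}, "user": {"use"}},
    "production": {"user": {"use"}},
    "software_library": {"librarian": {"read"}},
}


class Grant(NamedTuple):
    account: str
    role: str
    environment: str
    right: str


# Constructed sample of grants as they might be exported from an access list.
SAMPLE_GRANTS = [
    Grant("alice", "developer", "development", "write"),
    Grant("alice", "developer", "test", "use"),
    Grant("bob", "user", "production", "use"),
    Grant("carol", "librarian", "software_library", "read"),
    Grant("dave", "developer", "production", "write"),   # developer writing to production
    Grant("alice", "user", "production", "use"),         # allowed alone, conflicts with her dev write
    Grant("erin", "user", "software_library", "write"),  # users have no library access at all
]


def check_grants(grants: List[Grant]) -> List[Tuple[Grant, str]]:
    """Return (grant, reason) for every grant the policy matrix does not permit."""
    violations = []
    for g in grants:
        env_policy = POLICY.get(g.environment)
        if env_policy is None:
            violations.append((g, f"unknown environment {g.environment!r}"))
            continue
        allowed = env_policy.get(g.role)
        if allowed is None:
            violations.append((g, f"role {g.role!r} has no access to {g.environment}"))
        elif g.right not in allowed:
            violations.append((g, f"right {g.right!r} not permitted for {g.role!r} in {g.environment}"))
    return violations


def conflicting_accounts(grants: List[Grant]) -> List[str]:
    """Accounts that can modify code in development and also use production.

    Each grant may pass check_grants on its own; the combination is the
    incompatible pairing of programming and computer operations."""
    changers = {g.account for g in grants
                if g.environment == "development" and g.right in {"write", "delete"}}
    prod = {g.account for g in grants if g.environment == "production"}
    return sorted(changers & prod)


if __name__ == "__main__":
    for grant, reason in check_grants(SAMPLE_GRANTS):
        print(f"VIOLATION {grant.account}: {reason}")
    print("dev+prod conflicts:", conflicting_accounts(SAMPLE_GRANTS))
```

Run against the sample, the script reports two policy violations (dave's developer write to production and erin's write to the software library) and one cross-environment conflict (alice). The two checks are kept separate because they are reported to different owners in practice: a violation is a grant to revoke, while a conflict is a role combination to review with management.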

Preliminary study
Technical feasibility:
- Is the available technology sufficient to support the proposed project?
- Can the technology be acquired or developed?
Operational feasibility:
- Can the input data be collected for the system?
- Is the output usable?
Economic feasibility:
- Do the benefits of the system exceed the cost?
Behavioral feasibility:
- What impact will the system have on the users' quality of working life?

Type of Testing
- Program Testing
- System Testing
- User Testing
- Quality Assurance Testing

Physical Security
How do we secure our assets?
Physical assets:
- Personnel
- Hardware: mainframe, minis & micros; peripherals (online/offline); storage media
- Physical facilities
- Documentation
- Supplies
Logical assets:
- Data / Information
- Software: application, system

Definition
Physical security of computer hardware covers all controls to prevent damage to or loss of valuable assets and data on systems.

Key risks
- Loss of valuable hardware
- Tampering or damage to hardware
- Damage by external influences (fire, water)
- Disturbances caused by power fluctuations

Key controls
- Locked and dedicated computer room
- Availability of back-up power supply
- Fire and water detector
- No potentially dangerous situations (sprinklers, computer room on ground floor, etc.)

Examples of physical threats
Fire and smoke; water; power supply fluctuations and failures; structural damage; pollution; misuse; theft.

Control mitigating the threats
- Fire: smoke and fire detectors, reliable fire extinguishing tools
- Water: water detectors; facilities must be designed and sited to mitigate losses from water damage
- Energy variations: voltage regulators, circuit breakers and UPS
- Structural damage: facilities must be designed to withstand structural damage
- Pollution: regular cleaning of facilities and equipment should occur
- Viruses and worms: up-to-date virus scanning software, to prevent use of virus-infected programs and to close security loopholes that allow worms to propagate
- Theft: labeling and locking

Picture example of Physical Security

Logical Access Control
Logical access security covers the controls to restrict access to information systems and data to authorized users.

Key risks
- Potential for fraud and misuse of systems and data
- Loss of information confidentiality

Key controls
- Up-to-date user access list
- Use of unique user-id and password
- Periodic review of list by management
- Regular change of passwords
- Clean desk

Authentication Process (diagram): user profiles feed Identification, Authentication and Authorization; the process is supported by access control files, an audit log, a report writer and security reports, and protects the database and the software library.
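The logical access key controls above (an up-to-date access list, unique user-ids, periodic management review, regular password changes) can be turned into a repeatable review. The Python script below is an added example, not code from the slides: it reconciles a constructed access list against a constructed HR roster and reports accounts belonging to leavers or to people HR does not know, user-ids claimed by more than one person, and passwords older than an assumed 90-day limit. The names, record layout and threshold are assumptions.

```python
"""Periodic review of a user access list.

Added example, not taken from the original slides. It reconciles a
constructed access-control list against a constructed HR roster and
applies the key controls the slides name: the list must be current (no
accounts for people who have left or who are unknown to HR), each
user-id must belong to exactly one named person, and passwords must be
changed regularly. Names, record layout and the 90-day password-age
limit are assumptions for illustration.
"""
from collections import defaultdict
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy threshold

# Constructed HR roster: employee -> currently employed?
HR_ROSTER = {"alice": True, "bob": True, "carol": False, "dave": True}

# Constructed access-control list entries.
ACCESS_LIST = [
    {"user_id": "alice01", "owner": "alice", "last_pw_change": date(2024, 1, 15)},
    {"user_id": "bob01", "owner": "bob", "last_pw_change": date(2024, 3, 1)},
    {"user_id": "carol01", "owner": "carol", "last_pw_change": date(2024, 3, 10)},  # carol has left
    {"user_id": "dave01", "owner": "dave", "last_pw_change": date(2023, 12, 1)},    # old password
    {"user_id": "ops", "owner": "bob", "last_pw_change": date(2024, 2, 20)},        # shared id
    {"user_id": "ops", "owner": "dave", "last_pw_change": date(2024, 2, 20)},       # shared id
    {"user_id": "ghost", "owner": "mallory", "last_pw_change": date(2024, 3, 5)},   # unknown to HR
]


def review_access_list(access_list, roster, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return findings as dicts with user_id, issue code and detail.

    Issue codes: leaver, unknown_owner, stale_password, shared_id.
    """
    findings = []
    owners = defaultdict(set)
    for entry in access_list:
        uid, owner = entry["user_id"], entry["owner"]
        owners[uid].add(owner)
        if owner not in roster:
            findings.append({"user_id": uid, "issue": "unknown_owner",
                             "detail": f"{owner} is not on the HR roster"})
        elif not roster[owner]:
            findings.append({"user_id": uid, "issue": "leaver",
                             "detail": f"{owner} has left; remove the account"})
        age = (as_of - entry["last_pw_change"]).days
        if age > max_age_days:
            findings.append({"user_id": uid, "issue": "stale_password",
                             "detail": f"password last changed {age} days ago"})
    # A user-id claimed by more than one person defeats individual accountability.
    for uid, people in owners.items():
        if len(people) > 1:
            findings.append({"user_id": uid, "issue": "shared_id",
                             "detail": "user-id shared by " + ", ".join(sorted(people))})
    return findings


if __name__ == "__main__":
    for f in review_access_list(ACCESS_LIST, HR_ROSTER, date(2024, 3, 31)):
        print(f"{f['user_id']:<8} {f['issue']:<15} {f['detail']}")
```

Reviewed as of 31 March 2024, the sample yields four findings: carol01 (leaver), dave01 (stale password, 121 days), ghost (owner unknown to HR) and ops (shared by bob and dave). The review date is passed in rather than taken from the clock so that the same run can be reproduced for the auditor's working papers.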

Backup, Recovery and Contingency
Backup controls and business continuity planning cover all procedures to ensure the availability of computer systems and data.

Key risks
- Data cannot be recovered (in time) after system failure
- Backup tapes are damaged or lost or cannot be used
- Loss of valuable business information
- Business cannot be continued after disaster (fire, etc.)

Key controls
- Regular backups, preferably daily
- Safe storage of tapes, preferably in a fireproof vault and with tapes held externally
- Periodic testing of restore from backup
- Preparation of a Business Continuity Plan (not limited to IT!)
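The risk that "backup tapes cannot be used" is only discovered by restoring them, which is why periodic restore testing is listed as a key control. The Python script below is an added example, not code from the slides: it backs up a constructed set of files into a tar archive with an embedded SHA-256 manifest, restores the archive into a fresh directory, and verifies every restored file against the manifest, showing both a clean restore and one in which a restored file has been altered. Paths and contents are constructed; a real test would restore a production backup to an isolated host and run the same verification.

```python
"""Restore test for a backup set.

Added example, not taken from the original slides. It builds a
constructed set of files, backs them up into a gzip-compressed tar
archive together with a SHA-256 manifest, restores the archive into a
fresh directory and verifies every file against the manifest. Paths and
file contents are constructed for illustration.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(source_dir: Path, archive_path: Path) -> dict:
    """Archive every file under source_dir and embed a path -> sha256 manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for f in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = f.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_of(f)
            tar.add(str(f), arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore(archive_path: Path, restore_dir: Path) -> None:
    """Extract regular files only, refusing absolute or parent-relative member names."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            name = Path(member.name)
            if name.is_absolute() or ".." in name.parts:
                raise ValueError(f"unsafe member name in archive: {member.name}")
            if not member.isfile():
                continue
            target = restore_dir / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())


def verify_restore(restore_dir: Path) -> dict:
    """Compare restored files with the embedded manifest."""
    manifest = json.loads((restore_dir / MANIFEST_NAME).read_text())
    result = {"verified": 0, "mismatched": [], "missing": []}
    for rel, digest in manifest.items():
        target = restore_dir / rel
        if not target.exists():
            result["missing"].append(rel)
        elif sha256_of(target) != digest:
            result["mismatched"].append(rel)
        else:
            result["verified"] += 1
    return result


def run_restore_test() -> dict:
    """Back up constructed data, restore it twice and verify: once untouched,
    once after altering a restored file so the check is seen catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2024-03.csv").write_text("id,amount\n1,100\n")
        (src / "config.ini").write_text("[db]\nhost=db01\n")
        archive = root / "backup.tgz"
        make_backup(src, archive)

        good_dir = root / "restore_good"
        restore(archive, good_dir)
        good = verify_restore(good_dir)

        bad_dir = root / "restore_bad"
        restore(archive, bad_dir)
        (bad_dir / "config.ini").write_text("[db]\nhost=changed\n")
        bad = verify_restore(bad_dir)
    return {"clean": good, "tampered": bad}


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

The manifest travels inside the archive so the check does not depend on the source system still existing, which is the situation a disaster-recovery restore is for. The extraction loop refuses absolute and parent-relative member names rather than trusting the archive, since a damaged or substituted tape is exactly what the test is meant to detect.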

Backup Strategy for critical IT Resources
- Personnel: training and rotation of duties among information systems staff so they can take the place of others; arrangements with another company for provision of staff
- Hardware: arrangements with another company for provision of hardware
- Facilities: arrangements with another company for provision of facilities
- Documentation: inventory of documentation stored securely on site and off site
- Supplies: inventory of critical supplies stored securely on site and off site
- Data / Information: inventory of files stored securely on site and off site
- Applications software: inventory of application software stored securely on site and off site
- System software: inventory of systems software stored securely on site and off site

Disaster Recovery Plan (DRP)
- The IT Disaster Recovery Plan forms one part of the overall BCP
- It is of limited use to the business if IT is saved but the rest of the business is lost

What Is a Disaster?
A "disaster" is any event which disables or interrupts your client's ability to maintain a business-as-usual environment for a period of time that adversely affects ongoing operations.

Business Continuity Plan (BCP)
A process which:
- Safeguards vital corporate assets
- Ensures continued availability of critical services
- Minimizes the effect of a disaster
- Considers the entire business, including IT

Business Continuity Planning example
Is your business safe? Threat categories:

SAFETY
- fire
- electrical
- hazardous substances

HUMAN - DELIBERATE
- terrorist attack
- industrial action
- blackmail

MISCELLANEOUS
- loss of key staff
- loss of key supplier
- negligence

TECHNOLOGICAL
- loss of power
- network outage
- software/hardware breakdown
- Year 2000

NATURAL
- inclement weather
- legal/regulatory requirements
- earthquakes/volcanoes

Some issues regarding BCP
- On-site vs. off-site contingency planning
- Hot or cold standby
- Personnel resources available
- A single point of failure will fail!
- Regular testing required

Example picture of BCP strategy (image not included): backup tape, backup storage, power regulator.

Find the issues in the next 5 slides

How many did you find? Was IT OK?
