Internal Control Checklist/Questionnaires/Assessment On Information Technology (Part 2)

Some of us, as financial executives, might be entrusted with the role of overseeing the IT department. It is therefore important to understand some pertinent points on internal controls or internal checks so as to prevent or reveal computerized fraud.

Besides reading the article below, it is advisable to read my earlier article on Checklist/SOP on Internal Controls on IT.

From a fraud prevention and data integrity standpoint, the IT department should ensure that information processing takes place in a controlled and consistent environment.

To do so, we should at least maintain the following set of general controls for all systems pertaining to the financial systems of the Company.

IT Personnel Selection and Management

We should provide for a well-organized and well-managed IT department. In order to do so, we should ensure that:

  • Qualified personnel are employed and retained within the IT department. To accomplish this, a procedure for hiring, training and review of all employees needs to be created, followed and maintained by IT management.
  • The resources of IT are appropriately managed. It is important to ensure that the activities of the IT department are consistent and contribute to the achievement of the Company’s goals and objectives. This includes providing direction and prioritization on how systems should be changed or what new systems should be installed and be covered by this policy.
  • Adequate segregation of duties is maintained. An adequate division of duties helps to deter fraud and prevent human errors. Where this segregation of duties is not possible, the IT management group should ensure that all personnel are closely supervised. For example, developers should not be the administrators of the systems they develop for, and developers should not test the systems they have written.
  • Errors and fraud within the IT department are prevented. To accomplish this, the IT department should not:
    – Originate or authorize business transactions other than those that pertain to the IT department, such as purchasing;
    – Have sole control over non-IT assets such as blank checks, drafts and signatory stamps;
    – Have the authority to approve actions they requested; and
    – Ever perform an action in or to the system without following the change control policy.

Physical Security and Protection for the Systems

Adequate controls need to be in place to prevent tampering or damage to the physical equipment that runs the systems, as this could result in loss or corruption of data required by the Company. In order to do so, within the IT department we should ensure that the following is in place for the area that contains the equipment that runs the systems:

  • A fire detection and suppression system that notifies local authorities in the event of a fire. This includes having the system routinely tested at least bi-annually.
  • Secure entryways with individual security codes for those authorized to gain entry into the area. There should be a procedure, controlled by IT management, for how access is granted to this area.
  • Backup power sources to ensure that systems are not shut down due to power loss. This system should also be able to notify IT members of a problem.
  • An HVAC system to ensure a proper climate for the systems. This system should also be able to notify IT members of a problem.

Electronic Security and Protection for the Systems

Electronic security encompasses the broadest spectrum of protecting the systems. It includes the users' machines, the servers, the network, the Internet and the users themselves. Since users access the systems via electronic means, this is the most important of all security areas and has to have some of the most stringent controls.

Passwords to systems:

The passwords to the systems are the gateway to all rights in the systems and therefore must be complex, change regularly and not be shared to ensure that only authorized users can access the systems.

Hence all passwords should:

  • be changed every 6 months;
  • consist of at least seven (7) characters with at least one numeric character, one alpha character and one special character or capital alpha character;
  • not contain a sequence of characters identical to any part of the user’s name;
  • not be reused for seven (7) changes; and
  • not be shared between users (this is to ensure that transaction audit records are valid).

No one should be able to determine the password of a user from the system. This is to ensure that transaction audit records are valid.
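The password rules above, as an added example in Python that is not part of the original checklist: it checks a candidate password against each rule, and keeps only salted hashes of previous passwords so the "not reused for seven changes" check works without anyone being able to read an old password from the system. The 3-character threshold for what counts as part of the user's name, the PBKDF2 parameters and the sample user name are assumptions.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 7      # at least seven (7) characters
HISTORY_DEPTH = 7   # may not be reused for seven (7) changes
NAME_FRAGMENT = 3   # assumption: name parts of 3+ characters count as "in the user's name"

def hash_password(password, salt):
    """One-way, salted hash so the stored history never reveals an old password (illustrative parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def name_fragment_in_password(password, username):
    """True if the password contains the user name or any 3+ character part of it (case-insensitive)."""
    lowered = password.lower()
    parts = [p for p in re.split(r"[\s._@-]+", username.lower()) if len(p) >= NAME_FRAGMENT]
    candidates = {username.lower(), *parts}
    candidates.discard("")
    return any(c in lowered for c in candidates)

def policy_violations(password, username, history):
    """Return the rules a candidate password breaks (empty list means compliant).
    history: (salt, digest) tuples of the user's previous passwords, most recent first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than 7 characters")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not re.search(r"[a-zA-Z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[^a-zA-Z0-9]|[A-Z]", password):
        problems.append("no special or capital character")
    if name_fragment_in_password(password, username):
        problems.append("contains the user's name")
    for salt, digest in history[:HISTORY_DEPTH]:   # compare only against hashes, never plaintext
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("reused within the last 7 changes")
            break
    return problems

def record_password(password, history):
    """Return the history with the new password's salted hash added and trimmed to policy depth."""
    salt = os.urandom(16)
    return [(salt, hash_password(password, salt))] + history[:HISTORY_DEPTH - 1]
```

With a constructed user "j.smith" whose previous password was "Ledger#2024", `policy_violations("smith99!", "j.smith", history)` reports the name rule and `policy_violations("Ledger#2024", "j.smith", history)` reports reuse.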

Virus protection on systems and user machines:

Viruses can have disastrous effects on the systems. They can delete all data, corrupt individual records or grant unauthorized users access to Company data.

To prevent this, unless otherwise authorized by IT management, every machine should:

  • have anti-virus software installed prior to connection to the network;
  • update its virus definitions daily;
  • update its scan engine weekly;
  • perform a full file system scan once per week; and
  • perform on-access scans of all files, email and Internet activity.

Access to the systems:

Granting and removing access to the systems constitutes a change and is therefore governed by Change Control.

In addition:

  • Key Contacts should approve all requests for access, limiting access to those who need it to do their jobs in the normal course of business;
  • Security software rules are implemented by trained IT personnel;
  • Key Contacts regularly verify that all individuals who have been given access still require it and only have the access that they need;
  • When a user leaves the Company, that user’s access must be removed from the systems as soon as possible. For audit tracking purposes, a user’s account can never be given to another user.
  • All systems must be protected from the Internet. The architecture of the network should be implemented with the security of the systems in mind. IT Management must approve this architecture.

Data Security

The data itself and the users that process it are the most important piece of the systems.
To ensure data integrity, the following needs to be implemented with appropriate training given to those that use the systems:


  • IT security policy;
  • Company’s Change Control system;
  • Key Contacts need to be assigned for all data and must be trained in their responsibilities such that they fully understand the importance of those responsibilities;
  • Data, both electronic and physical, should be marked as “classified” and a procedure should be in place regarding the disposal and handling of this material;
  • Initial and on-going security awareness-training programs should be provided to all employees and contractors;
  • Training and operational instructions should be provided to all users of the systems prior to use; and
  • A procedure for how to deal with problems encountered in the systems must be documented.

System Software Installation and Upgrades

All the software components of a system can affect how the system operates and interoperates with other systems. Software components, in this case, are defined as the operating system, the system application and all other software installed on the system. For the systems covered by this policy, special care must be taken to ensure that the base installation, upgrades and patches to all these components are properly installed, tested, validated and placed into production with the least amount of interruption.

To this end, the IT department must have procedures in place, as listed below:

  • A process should be established for the user to initiate a change request that the Key Contact and IT management can then authorize to perform modifications to the applications.
  • Procedures should be established to ensure that only authorized, tested and approved modifications can be moved to the pre-production and production environments. This procedure should be governed by Change Control. This procedure should also indicate how to handle emergency changes that are determined by the Key Contact and IT management to be addressed immediately.
  • Pre-production should use the same physical equipment specification as production, so that changes to the supporting operating systems or applications can be tested without interfering with production.
  • IT Programmers should not have the ability to perform these installations, upgrades and patches. IT System Engineers should perform these tasks (see adequate segregation of duties in the “IT Personnel Selection and Management” section for more details).
  • A procedure should be established defining how documentation relating to the systems is created, reviewed, stored and maintained.

Systems Support

System support for the end user is critical for the systems to function properly. A process is needed for when users need support or help on the system. This process should include recording, analyzing and resolving the issues encountered. This process and the hours of its availability should be reviewed periodically to ensure adequate service is being provided to the system’s users.

Business Continuity

Backup Policy

  • To ensure the re-creation of critical data, application processes and systems software, backups of this data should be performed on a regularly scheduled basis.
  • This should be automated with automatic notification to IT members of failure, where possible, and manual notification where it is not.
  • These backups should be stored off-site in a secure location.
  • A rotation schedule for these backups should be developed and reviewed annually to ensure they are meeting the business requirements of the Company.

Business Continuity Policy

The purpose of business continuity is to ensure that the recovery of the business environment can be accomplished in a timely and efficient manner in the event of a disaster. To this end:

  • A detailed business continuity plan, including system recovery documentation, should be established to address such an occurrence.
  • This plan should be reviewed and tested annually to ensure it remains current and viable.
