
IT General Controls


New Kick Starter Available! Athletic Ticket Operations
Download today in the members-only section of www.ACUA.org

Stay up to Date
• The College and University Auditor is ACUA's official journal. Current and past issues are posted on the ACUA website.
• News relevant to Higher Ed internal audit is posted on the front page. Articles are also archived for your reference under the Resources/ACUA News.

Connect with Colleagues
• Subscribe to one or more Forums on the Connect ACUA to obtain feedback and share your insights on topics of concern to higher education internal auditors.
• Search the Membership Directory to connect with your peers.
• Share, Like, Tweet & Connect on social media.

Solve Problems
• Discounts and special offers from ACUA's Strategic Partners
• Utilize Kick Starters
• Risk Dictionary
• Mentorship program
• NCAA Guides
• Resource Library
• Internal Audit Awareness Tool
• Governmental Affairs Updates
• Survey Results
• Career Center ... and much more.

Get Involved
• The latest Volunteer openings are posted on the front page of the website.
• Visit the listing of Committee Chairs to learn about the various areas where you might participate.
• Nominate one of your colleagues for an ACUA annual award.
• Submit a conference proposal.
• Present a webinar.
• Write an article for the C&U Auditor.
• Become a Mentor.
• Write a Kick Starter.

Get Educated
• Take advantage of the several FREE webinars held throughout the year.
• Attend one of our upcoming conferences: AuditCon, September 15-19, 2019, Baltimore Marriott Waterfront, Baltimore, MD
• Contact ACUA Faculty for training needs.

www.ACUA.org
WEBINAR MODERATOR

Amy L. Hughes
Director of Internal Audit, Michigan Technological University
ACUA Distance Learning Director

▪ Don’t forget to connect with us on social media!
Information Technology General Controls

Sudeshna Aich, MBA, CISA
Senior Information Technology Auditor
Office of Inspector General Services
Florida State University

7
Agenda

• What are Information Technology General Controls (ITGCs)?

• Why perform ITGC audits?

• How to Audit ITGC?

• What are the Common Deficiencies and Findings?

8
9
WHAT ARE ITGCS?

10
What are IT General Controls?

IT general controls (ITGCs) are the basic controls that apply to all the system
components (such as applications, operating systems, databases), data, processes
and supporting IT infrastructure. The objectives of ITGCs are to ensure the
integrity of the data and processes that the systems support.

11
Primary Areas of ITGCs

• ITGC Framework

• Access to Programs and Data

• Change Management

• Computer Operations

• Systems Development

12
ITGC – Types of Controls
Preventive – Detective – Corrective
Preventive – prevent problems from occurring (Proactive)
• Segregation of Duties
• Monitoring
• Adequate Documentation
• Physical safeguards
Detective – identify problems after occurrence (Reactive)
• Logging and Monitoring
• Reviews
Corrective – prevent recurrence of problems
• Change controls as needed to eliminate error in future

13
How big is your audit shop:

1) 1 to 3 people
2) 4 to 6 people
3) 6 to 10 people
4) > 10 people

14
WHY PERFORM ITGC AUDIT?

15
Why perform ITGC audits?

• Determine the effectiveness and efficiency of ITGC controls
• Ensure controls related to the confidentiality, availability, and integrity of
data and information are adequate
• Ensure availability of mission-critical functions in a disaster situation
• Review compliance with applicable policies, procedures, and laws

16
Why perform ITGC audits?
• IT systems support many of the University’s business processes,
such as:
➢ Student Records
➢ Grading
➢ Admissions
➢ Finance
➢ Purchasing
➢ Human Resources
➢ Research
We cannot rely on IT systems without effective IT General
Controls

17
Example of FSU’s IT Environment
This is an example of the IT environment at a major University:

• 500 acres in Tallahassee
• 14,000 employees
• 41,000 students
• $1.7 Billion Operating Budget
• 40,000-50,000 Network Connections
• 4500 Wireless Access Points

18
HOW TO PERFORM ITGC AUDITS?

20
ITGC – Audit Approach
• Understand and identify the IT Environment and systems to be
reviewed
➢ IT governance
➢ Policies, procedures, guidelines
• Perform interviews and walkthroughs, and review documentation, to
gain an understanding of the processes
➢ Who performs what function
➢ How something is done and documented

“If it is not documented, you did not do it”


21
ITGC – Audit Approach (Continued)
• Validate existing controls to assess control operating effectiveness
➢ What are the major controls?
➢ Are the controls working as intended?
➢ Are the controls in line with the University’s IT security
framework?
➢ Are these controls reviewed periodically?
➢ Who reviews these controls?

22
Does your organization have IT Security Policy?

1) Yes
2) No
3) Do not know

23
AUDITING IT GOVERNANCE AND
FRAMEWORK

24
Why do we need to audit IT Governance and Framework?
• Obtain an understanding of IT Framework –
➢ IT Security Policy, procedure, guidelines
• Determine if controls over the University’s IT structure are
reasonable and oversight is adequate
➢ IT reports and logs
• Determine if IT operations are in line with the University’s
strategies and objectives
➢ IT reports and logs

25
Example of Policy Objective (FSU)

4-OP-A-9 Internal Controls
Objective
The purpose of this policy is to provide guidance to help ensure the internal
control objectives of the University are met. It is the responsibility of all University
employees to ensure protection of University assets and resources. Administrators
at all levels are responsible for establishing a strong control environment, setting
the appropriate tone at the top, and displaying the proper attitude toward
complying with these established controls.

4-OP-H-5 Information Security Policy
Objective
The FSU Information Security Policy establishes a framework of minimum
standards and best practices for the security of data and Information Technology
(IT) resources at Florida State University.

26
AUDITING ACCESS MANAGEMENT
CONTROLS – COMMON TERMINOLOGIES

27
Access to Data
Data can be accessed via:
• Applications that create, edit, maintain and report data
• The network (Network domain administrators)
➢ Data ‘In Transit’, ‘In Process’
• Primary servers (Server administrators)
➢ Data ‘In Transit’, ‘In Process’
• Databases (Database administrators)
➢ Data ‘At Rest’, ‘In Transit’, ‘In Process’

28
Access to Programs

User Access Management:
• User Access Provisioning
• Excessive Access
• Generic User ID and Privileged Access
• User Access Review
• User Access De-provisioning

29
Authentication
Authentication controls are among the more powerful controls for mitigating risk.
Authentication verifies that the login (ID/password) belongs to the person who is
attempting to gain access, i.e., that users are who they say they are.
• Single Sign-on
• Multifactor Authentication

30
Authorization
Authorization is the act of checking whether a user has the proper permission to
access a particular file or perform a particular action, assuming that the user has
successfully authenticated.
• Credential focused
• Dependent on specific rules and access control lists preset by the
network administrator(s) or data owner(s)

31
Physical Access Controls
Limit access to buildings, rooms, areas, and IT assets.
• ID at the entrance
• Closing off access to laptops, desktops, and servers
• Safe structure for datacenter
➢ Natural disasters – tornadoes, earthquakes, floods, and
tsunamis.

32
Logical Access Controls

Logical access controls limit connection to computer networks, system files, and
data to authorized individuals only, and limit the functions each individual can
perform on the system. Logical security controls enable the organization to:
• Identify individual users of IT data and resources.
• Restrict access to specific data or resources.
• Produce audit trails of system and user activity.
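
An audit trail is only a control if someone reviews it. The following Python script is an added example, not code from the ACUA/FSU deck: it reviews constructed, syslog-style sudo and sshd lines against a constructed list of approved administrators and a constructed list of generic IDs, and flags privileged commands by accounts not on the approved list and interactive logons to shared accounts (the situations later listed as common deficiencies). The host name, account names and log lines are made up for the example.

```python
"""Detective control: review a privileged-activity log against the list
of individuals approved for elevated access.

The log lines, host name, account names and lists below are constructed
for this example in a syslog-like layout; they are not from any system
discussed in the deck.
"""
import re

AUTHORIZED_ADMINS = {"mkhan", "rlee"}           # constructed: approved sysadmins/DBAs
SHARED_ACCOUNTS = {"root", "oracle", "admin"}   # constructed: generic IDs with no single owner

# Constructed sample log.
LOG = """\
Aug 30 01:02:11 db01 sudo: mkhan : TTY=pts/0 ; PWD=/home/mkhan ; USER=root ; COMMAND=/usr/bin/systemctl restart oracle
Aug 30 01:05:42 db01 sudo: jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/useradd tempuser
Aug 30 02:10:00 db01 sshd[2211]: Accepted password for oracle from 10.0.5.17 port 51022 ssh2
Aug 30 02:11:30 db01 sshd[2215]: Accepted publickey for rlee from 10.0.5.20 port 51100 ssh2
Aug 30 03:00:01 db01 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/nightly_backup.sh
Aug 30 03:05:00 db01 CRON[3001]: (oracle) CMD (/opt/oracle/bin/rotate_logs.sh)
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$")
SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+)")


def review_privileged_log(log_text, authorized, shared):
    """Return (timestamp, account, issue, detail) tuples for privileged
    actions an access-management reviewer should follow up on."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            user = m["user"]
            if user in shared:
                findings.append((m["ts"], user,
                                 "privileged command run from a shared account; individual not identifiable",
                                 m["cmd"]))
            elif user not in authorized:
                findings.append((m["ts"], user,
                                 "privileged command by an account not on the approved administrator list",
                                 m["cmd"]))
            continue
        m = SSH_RE.match(line)
        if m and m["user"] in shared:
            findings.append((m["ts"], m["user"],
                             f"interactive logon to a shared account ({m['method']}) from {m['src']}", ""))
        # Lines matching neither pattern (e.g. cron entries) are out of scope here.
    return findings


def run_log_review():
    """Run the review over the constructed sample log."""
    return review_privileged_log(LOG, AUTHORIZED_ADMINS, SHARED_ACCOUNTS)


if __name__ == "__main__":
    for ts, user, issue, detail in run_log_review():
        print(f"{ts}  {user:8} {issue}  {detail}")
```

The approved-administrator list is the entitlement the data owner signed off on; the review compares observed use of privilege against it, which is the detective half of the "only authorized individuals have elevated privileges" assertion.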

33
Does your organization require periodic review of user access rights?

1) Yes
2) No
3) Do not know

34
AUDITING ACCESS MANAGEMENT
CONTROLS

35
Why do we need to audit controls over User Access Management?

• To ensure:
➢ IT policies and procedures contain details about user
management controls:
• Unique user IDs
• Modification of existing user rights due to transfers or
role changes
• Disabling and/or removal of user accounts for terminated and
transferred users
• Periodic review of user access for all users

36
Why do we need to audit controls over User Access Management?

• To ensure:
➢ User access rights are appropriately requested, reviewed, and
approved
➢ User accounts are unique and not shared
➢ All users and their activities are identifiable using unique user IDs
➢ User access rights are in line with documented job requirements
➢ Least-privilege and need-to-know access for applications,
databases, and servers is enforced

37
Why do we need to audit controls over User Access Management?
(Continued)

• To ensure:
➢ Only authorized users have access to confidential and sensitive
information
➢ Only authorized users have access to the server room and datacenter
➢ All users and their activities are identifiable using unique user IDs
➢ Only authorized individuals have elevated privileges and their
activities are logged and monitored:
• System administrators
• Database administrators
• Network administrators
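
The assertions on the last three slides translate into a reconciliation test: compare the system's account export with the HR roster and with the role assignments the data owner approved. The Python below is an added example, not from the deck or from FSU; the HR records, accounts, role-to-department mapping, conflicting-role pair and 90-day dormancy threshold are all constructed assumptions. It flags terminated-but-enabled accounts, accounts with no HR record, generic IDs with no identifiable individual, roles outside the user's department, segregation-of-duties conflicts, and dormant accounts.

```python
"""Audit test: reconcile an application's account export against the HR
roster and the data owner's approved role assignments.

All data below is constructed for this example; it is not from the deck.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                      # "active" or "terminated"
    department: str
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]       # None marks a generic/shared account
    enabled: bool
    roles: frozenset
    last_logon: Optional[date]


# Constructed HR roster export.
HR = [
    HrRecord("E100", "active", "Finance"),
    HrRecord("E101", "terminated", "Finance", date(2019, 6, 30)),
    HrRecord("E102", "active", "Registrar"),
    HrRecord("E103", "active", "IT"),
]

# Constructed: which department owns each role, and the role pairs the
# data owner considers a segregation-of-duties conflict.
ROLE_OWNER_DEPT = {"AP_CLERK": "Finance", "AP_APPROVER": "Finance",
                   "GRADE_ENTRY": "Registrar", "DBA": "IT"}
SOD_CONFLICTS = {frozenset({"AP_CLERK", "AP_APPROVER"})}

# Constructed application account export.
ACCOUNTS = [
    Account("jdoe", "E100", True, frozenset({"AP_CLERK", "AP_APPROVER"}), date(2019, 8, 1)),
    Account("asmith", "E101", True, frozenset({"AP_CLERK", "GRADE_ENTRY"}), date(2019, 7, 15)),
    Account("rlee", "E102", True, frozenset({"GRADE_ENTRY"}), date(2019, 4, 1)),
    Account("mkhan", "E103", True, frozenset({"DBA", "AP_CLERK"}), date(2019, 8, 30)),
    Account("svc_batch", None, True, frozenset({"DBA"}), None),
    Account("olduser", "E999", True, frozenset({"AP_CLERK"}), date(2018, 1, 5)),
    Account("former", "E101", False, frozenset({"AP_CLERK"}), date(2019, 6, 1)),
]

AS_OF = date(2019, 9, 1)   # review date assumed for the example


def review_access(hr, accounts, as_of, dormant_days=90):
    """Return (username, issue) pairs for every enabled account that fails
    one of the access-management assertions on the slides."""
    hr_by_id = {r.employee_id: r for r in hr}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                         # disabled accounts are out of scope
        if acct.employee_id is None:
            findings.append((acct.username, "generic/shared account: no identifiable individual"))
            continue
        rec = hr_by_id.get(acct.employee_id)
        if rec is None:
            findings.append((acct.username, "no matching HR record"))
            continue
        if rec.status == "terminated":
            findings.append((acct.username, f"terminated {rec.termination_date} but still enabled"))
        for role in sorted(acct.roles):
            owner = ROLE_OWNER_DEPT.get(role)
            if owner is not None and owner != rec.department:
                findings.append((acct.username, f"role {role} is owned by {owner}; user is in {rec.department}"))
        for pair in SOD_CONFLICTS:
            if pair <= acct.roles:
                findings.append((acct.username, "segregation-of-duties conflict: " + " + ".join(sorted(pair))))
        if acct.last_logon is not None and (as_of - acct.last_logon).days > dormant_days:
            findings.append((acct.username, f"dormant: no logon in more than {dormant_days} days"))
    return findings


def run_review():
    """Run the reconciliation over the constructed sample data."""
    return review_access(HR, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, issue in run_review():
        print(f"{user:10} {issue}")
```

In a real engagement the two exports come from HR and from the application owner and are pulled on the same day; the role-to-department mapping is the documented job requirement the slides refer to, so a mismatch is a finding against the approval process, not just against the user.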

38
Why do we need to audit controls over User Authentication and
Authorization?

• To ensure:
➢ Authentication and authorization controls are addressed in detail
in IT policies and procedures
➢ Authentication mechanisms are enabled
• Single Sign On
• Multi-factor authentication
➢ Password parameters are enforced for length, characters used,
locking of the computer screen when not used for a certain time,
password requirement to unlock the computer screen, etc.
➢ Vendor default passwords are changed

39
AUDITING CHANGE MANAGEMENT
CONTROLS

40
Change Management

Change management is the process that ensures that all changes are
processed in a controlled manner, including standard changes and emergency
maintenance relating to business processes, applications and infrastructure.
The main purpose of change management is to enable fast and reliable
delivery of change to the business and mitigation of the risk of negatively
impacting the stability or integrity of the changed environment.

41
Critical Points of Control in Change
Management
• Evaluating Changes
• Authorizing Changes
• Testing Proposed Changes
• Moving Approved Changes into Production Environment

42
Why do we need to audit controls over the Change Management
Process?

• To determine:
➢ If a detailed change management policy and procedures exist
➢ If changes are appropriately reviewed, authorized,
approved/rejected, and tested prior to implementation in
production
➢ If there is a sign-off process, prior to a change moving into
production, which includes information and documentation
related to completion of the quality assurance test, the user
acceptance test, and approval for production implementation
➢ If only approved changes are implemented
➢ If changes have been implemented as planned
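
The determinations above can be tested by reconciling the production deployment log against the change-ticket system. The Python below is an added example and is not from the deck or from FSU's change process; the tickets, deployments, people, and the rule that an emergency change may be approved after the fact are all constructed assumptions. It flags deployments with no or unknown ticket, deployments made before approval, self-approved tickets, missing QA/UAT sign-off, and code promoted to production by one of its own developers (the development/production segregation-of-duties point).

```python
"""Audit test: reconcile production deployments with the change tickets
that should authorize them.

Tickets, deployments and people are constructed for this example; the
deck describes the controls, not this data or code.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    requester: str
    approver: Optional[str]          # None: never approved
    approved_at: Optional[datetime]
    qa_signoff: bool
    uat_signoff: bool
    emergency: bool = False          # assumption: emergency changes may be approved after the fact


@dataclass(frozen=True)
class Deployment:
    deployed_at: datetime
    deployer: str
    ticket_id: Optional[str]         # None: release tool recorded no ticket
    developers: frozenset            # who wrote the code being promoted


# Constructed change-ticket export.
TICKETS = {t.ticket_id: t for t in [
    ChangeTicket("T-1001", "alice", "bob", datetime(2019, 8, 5, 9, 0), True, True),
    ChangeTicket("T-1002", "carol", "carol", datetime(2019, 8, 10, 9, 0), True, False),
    ChangeTicket("T-1003", "dave", None, None, False, False),
    ChangeTicket("T-1004", "erin", "frank", datetime(2019, 8, 21, 10, 0), True, True, emergency=True),
    ChangeTicket("T-1005", "gina", "hal", datetime(2019, 8, 28, 10, 0), True, True),
]}

# Constructed production deployment log.
DEPLOYMENTS = [
    Deployment(datetime(2019, 8, 6, 2, 0), "release_bot", "T-1001", frozenset({"alice"})),
    Deployment(datetime(2019, 8, 11, 2, 0), "carol", "T-1002", frozenset({"carol"})),
    Deployment(datetime(2019, 8, 12, 2, 0), "release_bot", "T-1003", frozenset({"dave"})),
    Deployment(datetime(2019, 8, 20, 23, 30), "frank", "T-1004", frozenset({"erin"})),
    Deployment(datetime(2019, 8, 25, 2, 0), "release_bot", None, frozenset({"alice"})),
    Deployment(datetime(2019, 8, 26, 2, 0), "release_bot", "T-9999", frozenset({"bob"})),
    Deployment(datetime(2019, 8, 27, 2, 0), "release_bot", "T-1005", frozenset({"gina"})),
]


def audit_changes(tickets, deployments):
    """Return (deployment reference, issue) pairs for deployments that fail
    one of the change-management determinations on the slide."""
    findings = []
    for d in deployments:
        ref = f"{d.deployed_at:%Y-%m-%d %H:%M} by {d.deployer}"
        if d.ticket_id is None:
            findings.append((ref, "deployed with no change ticket"))
            continue
        t = tickets.get(d.ticket_id)
        if t is None:
            findings.append((ref, f"{d.ticket_id}: ticket not found in change system"))
            continue
        if t.approver is None or t.approved_at is None:
            findings.append((ref, f"{t.ticket_id}: deployed without approval"))
        elif t.approved_at > d.deployed_at and not t.emergency:
            findings.append((ref, f"{t.ticket_id}: approved after deployment"))
        if t.approver is not None and t.approver == t.requester:
            findings.append((ref, f"{t.ticket_id}: approved by its own requester"))
        missing = [name for name, ok in (("QA", t.qa_signoff), ("UAT", t.uat_signoff)) if not ok]
        if missing:
            findings.append((ref, f"{t.ticket_id}: missing sign-off: {', '.join(missing)}"))
        if d.deployer in d.developers:
            findings.append((ref, f"{t.ticket_id}: promoted to production by its own developer"))
    return findings


def run_audit():
    """Run the reconciliation over the constructed sample data."""
    return audit_changes(TICKETS, DEPLOYMENTS)


if __name__ == "__main__":
    for ref, issue in run_audit():
        print(f"{ref}  {issue}")
```

The emergency-change exception is deliberately narrow: the ticket must still exist and be approved, only the ordering of approval and deployment is relaxed, which matches the deck's separate treatment of emergency change management.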

43
AUDITING COMPUTER OPERATIONAL
CONTROLS

44
Computer Operations

Computer operations controls are designed to verify that the expected level
of services will be delivered, and that the IT systems are functioning
consistently, as planned.
• Monitoring the use of resources
• Monitoring the batch jobs
• Reviewing the job logs
• Monitoring the backup and recovery activities

45
Why do we need to audit controls over Computer Operations?

• To determine if:
➢ Computer operations controls are in place to ensure
systems and programs are available and operating as
intended
➢ Adequate physical safeguards, accounting practices, and
inventory management over sensitive IT resources are in
place
➢ The University has appropriate processes and controls in
place to continue its mission-critical functions with minimal
disruption in case of an emergency or a disaster

46
Why do we need to audit controls over Computer Operations?
(continued)

• To determine if:
➢ The University has a Continuity of Operations and Disaster
Recovery Plan
➢ The University has identified the mission-critical functions
to recover in a disaster situation and the list is up-to-date
➢ The University has a geographically separated location for
backup and recovery

47
AUDITING SYSTEMS DEVELOPMENT
CONTROLS

48
Systems Development

• The process of defining, designing, testing and implementing a
new software application or program:
➢ Internal development of customized systems
➢ Creation of database systems, or
➢ Acquisition of third-party software

49
Systems Development Life Cycle
The primary phases in the development or acquisition of a software
system are:
➢ feasibility study,
➢ requirements study,
➢ detailed design,
➢ programming,
➢ testing,
➢ installation, and
➢ post-implementation review

50
Why do we need to audit controls over System Development?

• To determine if:
➢ Detailed policies and procedures have been established for
the systems to be developed, acquired or implemented, and
for systems maintenance
➢ Appropriate levels of authorization were obtained for each
phase of the Systems Development Life Cycle
➢ Adequate controls are in place for systems testing and the
promotion of systems to production environments

51
Controls over Outsourced Services

Outsourcing is the process of contracting out one or more elements of
operations to a supplier of services outside of the organization's
management structure. A contractual arrangement is entered into at
an agreed price with the supplier.

52
Why do we need to audit controls over Outsourcing?

• To determine if:
➢ The University has an effective third-party management
process
➢ The University has a valid contract and a comprehensive
service level agreement (SLA) with the third-party service
providers
➢ The University is obtaining and reviewing the service
organizations' independent audit reports:
• SOC 2 audits under AICPA standards
• ISO 27001, Information Security Management Systems
Requirements

53
COMMON DEFICIENCIES AND
POTENTIAL RECOMMENDATIONS

54
Does your audit shop perform standalone IT audits?

1) Yes
2) No
3) Do not know

55
Deficiencies
• Terminated employees are still active in systems and the network
• There is a lack of segregation of duties over the development and
production environments
• There is not a list of critical applications – no knowledge of
vulnerabilities
• External penetration testing and internal vulnerability scanning are
not conducted
• Shared and/or generic administrator accounts are not monitored
• System password parameters are not strong
• Disaster recovery plan is outdated and not tested
• Data backup is not tested
• There is no policy for portable device security

56
Potential Recommendations
• Entity IT security controls related to account management need
improvement
• Some access privileges did not promote an appropriate separation
of duties
• The entity did not perform comprehensive periodic reviews of
access privileges for the application/server/database/network
accounts
• The business continuity and disaster recovery plans continue to
need improvement to ensure that critical operations continue in the
event of a disaster or other interruption of service

57
ITGC Controls Currently Being Reviewed by FSU’s
IT Office
• Change Management
• Emergency Change Management
• IT Governance
• Vulnerability Management – ERP and Infrastructure
• Software Development Life Cycle Review
• User Provisioning
• User Terminations and Transfers
• Oracle DBA Entitlement Review
• Windows Domain Administrator Entitlement Review
• Security Awareness Training
• Disaster Recovery Plan Updates
• Policy Review - Security, Privacy, Acceptable Use
• Review of ITS access to SSN/Protected Information

58
ITGC Audit Program
A detailed list of audit objectives and methodologies and common
findings are provided in the handout:

• IT General Control Audit Program

59
STANDARDS GUIDELINES AND BEST
PRACTICES

60
61
ITGC – Resources

https://na.theiia.org/standards-guidance/Member%20Documents/GTAG-1-2nd-Edition.pdf
https://www.iia.org.uk/resources/auditing-business-functions/supply-chains/outsourced-services/?downloadPdf=true
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Change-Management-Audit-Assurance-Program.aspx
https://www.cisecurity.org/controls/cis-controls-list/

62
Thank you!

63
Upcoming ACUA Events

September 15-19, 2019
AuditCon in Baltimore, MD - Registration is closed but you may still register on-site.
Visit the ACUA website for details.

October 3, 2019
Using the ACUA Kick Starter to Audit IT System Access Controls

October 17, 2019
Climbing the ranks: Best practices for preventing fraud and misreporting in admissions and
institutional data