Auditing 378
General Controls
Organisational and Staff System Development and Access Controls Business Continuity Standards and
Practices Change Controls Operational Controls
Responsibility level, Request & authorisation, Preventative Internal Preventative Internal Scheduling and
corporate structure and needs assessment and Controls Controls production
reporting lines strategy selection Security Operating runs/processing
Segregation of duties Planning and design management and Environment protect Operating activities
- between departments Development and Testing policy against and use of assets
and Implementation Physical (i) physical and Librarian controls
- within departments Post implementation and access/controls (ii) non-physical dangers Logs and registers
Staffing practices training - Facilities and Corrective Internal Disaster recovery plan
- system Controls
Supervision and review and backup
Logical controls Repair after disaster
- Data) by
Detective Internal (i) backups and
Controls (ii) recovery plans
Logs and reviews
Librarian controls
Organisational Controls
- Objective: To establish an organisational framework for Information Systems activities
- This framework governs:
1. Levels of responsibility (structure)
Management MUST establish responsibility
at Directors’ Meetings,
through Computer Steering Committee
- Overall control, priorities, management policy
- Communication channel: users & IS department
And by speaking to the IS Manager who runs the processes on a day-to-day basis)
Management MUST also establish clear reporting levels (who reports to who – top-down
approach) and
must have a fixed policy on the documentation and clear communication channels to be
used in the business.
2. Segregation of duties
There should be separation between IS and users department
, Eg. IS department may not authorize transactions, change Master files, or correct
errors.
Users department checks and reviews masterfiles
Separate IS department
Organisationally independent of users
Report directly to top management
Separation within computer environment
Segregation between initiation, authorisation, custody and the reporting functions
Separation within CIS department
Minimum segregation of duties required
Development/programming AND
Operations
Separation should look as follows: [Ideal separate individuals are:]
System development (Analysts and programmers)
Operations (Operators)
Librarian
Data control (Data control clerks and Database Administrators)
Users
3. Supervision and review
The IS Manager and department heads should do regular system surveys (to check that
everything is in order), as well as after every change in the system.
ALSO, the users must check the IS department’s programs, using sample data, to determine
whether the program is functioning as needed.
4. Personnel practices
There should be written practices regarding:
Employment (hiring) processes
Staff scheduling policies and processes
Regular leave policies
Rotation of duties (cross-training)
Continuous evaluation & training (of IS personnel – to make sure that they stay
relevant)
Policies regarding dismissals or resignations
RISKS:
Conducting unauthorised transactions
Collusion to commit and hide fraud
Multiple functions performed by a single application (previously performed by separate individuals)
Errors are not detected
Untrustworthy or incompetent persons
General Controls
Organisational and Staff System Development and Access Controls Business Continuity Standards and
Practices Change Controls Operational Controls
Responsibility level, Request & authorisation, Preventative Internal Preventative Internal Scheduling and
corporate structure and needs assessment and Controls Controls production
reporting lines strategy selection Security Operating runs/processing
Segregation of duties Planning and design management and Environment protect Operating activities
- between departments Development and Testing policy against and use of assets
and Implementation Physical (i) physical and Librarian controls
- within departments Post implementation and access/controls (ii) non-physical dangers Logs and registers
Staffing practices training - Facilities and Corrective Internal Disaster recovery plan
- system Controls
Supervision and review and backup
Logical controls Repair after disaster
- Data) by
Detective Internal (i) backups and
Controls (ii) recovery plans
Logs and reviews
Librarian controls
Organisational Controls
- Objective: To establish an organisational framework for Information Systems activities
- This framework governs:
1. Levels of responsibility (structure)
Management MUST establish responsibility
at Directors’ Meetings,
through Computer Steering Committee
- Overall control, priorities, management policy
- Communication channel: users & IS department
And by speaking to the IS Manager who runs the processes on a day-to-day basis)
Management MUST also establish clear reporting levels (who reports to who – top-down
approach) and
must have a fixed policy on the documentation and clear communication channels to be
used in the business.
2. Segregation of duties
There should be separation between IS and users department
, Eg. IS department may not authorize transactions, change Master files, or correct
errors.
Users department checks and reviews masterfiles
Separate IS department
Organisationally independent of users
Report directly to top management
Separation within computer environment
Segregation between initiation, authorisation, custody and the reporting functions
Separation within CIS department
Minimum segregation of duties required
Development/programming AND
Operations
Separation should look as follows: [Ideal separate individuals are:]
System development (Analysts and programmers)
Operations (Operators)
Librarian
Data control (Data control clerks and Database Administrators)
Users
3. Supervision and review
The IS Manager and department heads should do regular system surveys (to check that
everything is in order), as well as after every change in the system.
ALSO, the users must check the IS department’s programs, using sample data, to determine
whether the program is functioning as needed.
4. Personnel practices
There should be written practices regarding:
Employment (hiring) processes
Staff scheduling policies and processes
Regular leave policies
Rotation of duties (cross-training)
Continuous evaluation & training (of IS personnel – to make sure that they stay
relevant)
Policies regarding dismissals or resignations
RISKS:
Conducting unauthorised transactions
Collusion to commit and hide fraud
Multiple functions performed by a single application (previously performed by separate individuals)
Errors are not detected
Untrustworthy or incompetent persons
