Separate systems
Wholly separate IT systems. Integration of information only occurs through transfers initiated by staff of information from one stand-alone system to another
Enterprise systems
Systems from across different areas of a business that are connected to a central data system, which can be accessed across the business for a variety of purposes and activities
Straight through processing
Removes the need for human intervention - the entire system is fully automated. Human intervention only occurs when exceptions must be managed
IT controls should be designed so that they are
Tailored to the level of risk of the business
Remit of IT department (5)
- Develop IT strategy
- Develop and communicate IT policy
- Develop procedures to address controls
- Specify scope of activites
- Monitor activities and IT controls
In order to achieve effectiveness and efficiency through IT, businesses should (2)
- Perform regular assessments of infrastructure, applications, and user requirements
- Monitor both internal and external service provider activities
Four steps for developing an IT strategic plan
1) Identify the starting position of IT within the org
2) Identify ideal IT systems to support bus in achieving objectives
3) Analyse the gaps between current and ideal IT environment
4) Build the systems project plan
Control Objectives for Information and Related Technology (COBIT)
Framework providing set of generally accepted measures, indicators, processes and best practices to assist in the use of IT
Four key areas ITGCs commonly cover (acronym)
APOC
A >
Access to programs and data
P >
Program changes and development
O >
Computer operations
C >
Continuity of operations
IT General Controls (ITGCs)
Provide the foundation to the control activities over processing
IT Application Controls (ITACs)
Automated procedures that typically operate at a transaction level and are designed to ensure the integrity of the data. These controls ensure that only information that is authorised, accurate and complete will be processed
Master file data
Presents risks that must be addressed through both strong ITGCs and ITACs
Master files
Contain data which may affect more than one processing cycle
Master file change controls (7)
- All changes should be recorded on change request form
- Changes should be authorised appropriately
- Records of before and after should be kept and reviewed
- Segregation of duties
- Audit log should be generated
- Batch controls used for making numerous changes
- Complete listing of the data should be reviewed in detail periodically
Program changes (2)
- Bug fixes
- Version upgrades
In order to ensure changes and developments are appropriate, must consider: (4)
- Authorisation
- Development
- Testing
- Approval
Changes should be made in what environment
Separate test environment (NOT live environment)
Actions to be taken to mitigate risks from program changes (4)
- Migration to production environment
- Configuration changes
- Emergency changes
- Production development
Project management general controls (5)
- Initiation
- Planning the project
- Risk management approach
- Execution
- Completion
Systems development life cycle (SDLC)
Process to introduce, develop, maintain and enhance software
