 




<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>IT Governance, Risk, and Compliance &#187; GCC</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/it-governance/tag/gcc/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/it-governance</link>
	<description></description>
	<lastBuildDate>Mon, 20 May 2013 00:56:50 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Irregularities and Illegal Acts Agreed-Upon Procedures Assessments &#8211; Part VIII</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-viii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-viii/#comments</comments>
		<pubDate>Tue, 03 Apr 2012 22:01:00 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Certified Information Systems Auditor]]></category>
		<category><![CDATA[Certified Information Technology Professional]]></category>
		<category><![CDATA[Certified Internal Auditor]]></category>
		<category><![CDATA[Certified Internal Controls Auditor]]></category>
		<category><![CDATA[Certified Public Accountant]]></category>
		<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[External Audit]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[GCC]]></category>
		<category><![CDATA[ICS]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[IT Audit]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[SOD]]></category>
		<category><![CDATA[SOF]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1203</guid>
		<description><![CDATA[Jointly, physical and logical security can significantly reduce the risk of irregular and illegal acts. Within this context,...]]></description>
				<content:encoded><![CDATA[<p>Jointly, physical and logical security can significantly reduce the risk of irregular and illegal acts. Within this context, superior IT physical security is a major larceny deterrent for certain hardware.  For example, bolting a personal computer to a fortified mount minimizes the threat of theft.  In contrast, deploying general logical security practices usually requires adequate administration to reduce the risk of blackmail based on malware threats.  Specifically, anti-virus software, firewalls, and intrusion detection systems and/or intrusion prevention systems should be installed and monitored to assist in minimizing the risk of compromising the entity’s IT architecture.</p>
<p>Given the greater potential for an IT software-related irregular or illegal act, an IT auditor should seek to understand the <a href="http://www.webopedia.com/TERM/B/backdoor.html">backdoors</a> and <a href="http://www.knowledgesutra.com/discuss/tmlfoo-trap-door-door.html">trapdoors</a> in the entity’s computer processing environment and evaluate whether adequate preventive and detective controls are deployed.  Furthermore, when performing irregular or illegal act agreed-upon procedures assessments, an IT auditor should determine if management designed adequate encryption requirements for sensitive data.</p>
<p>&#8220;<em>View Part I of the <a href="http://www.amazon.com/Assuring-Compliance-Assurance-Services-ebook/dp/B001T0I7GO">Irregularities and Illegal Acts Agreed-Upon Procedures Assessments</a> series <a href="http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-i/">here</a></em>&#8221;</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-viii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Irregularities and Illegal Acts Agreed-Upon Procedures Assessments &#8211; Part VII</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-vii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-vii/#comments</comments>
		<pubDate>Fri, 30 Mar 2012 20:48:27 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Certified Information Systems Auditor]]></category>
		<category><![CDATA[Certified Information Technology Professional]]></category>
		<category><![CDATA[Certified Internal Auditor]]></category>
		<category><![CDATA[Certified Internal Controls Auditor]]></category>
		<category><![CDATA[Certified Public Accountant]]></category>
		<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[External Audit]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[GCC]]></category>
		<category><![CDATA[ICS]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[IT Audit]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[SOD]]></category>
		<category><![CDATA[SOF]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1201</guid>
		<description><![CDATA[SOD controls are designed to reduce the opportunities for the perpetration and concealment of errors, mistakes, omissions, irregularities, and illegal acts.  SOD is a primary internal control measure utilized for... ]]></description>
				<content:encoded><![CDATA[<p>SOD controls are designed to reduce the opportunities for the perpetration and concealment of errors, mistakes, omissions, irregularities, and illegal acts.  SOD is a primary internal control measure utilized for manual and automated systems.  An autonomous function for computer data entry may exist within an enterprise.  However, even if the entity distributes data entry (entering) responsibility to employees, SOD should be maintained.  Furthermore, origination, processing, verification, signoff, and distribution responsibilities should be monitored and evaluated for SOD control violations.</p>
<p>Protective measures should also be deployed to <a href="http://itunes.apple.com/us/book/ensuring-information-assets/id437491422?mt=11">ensure information assets</a> are maintained in a properly controlled and secured environment.  Specifically, a physically and logically secure environment should exist at the GCC level.  Regarding irregular and illegal acts, adequate IT personnel and inventory identification as well as access restrictions should be considered crucial controls.  Pervasively, employing a competent information security manager can ensure continuous monitoring of general as well as application access.</p>
<p>&#8220;<em>View Part I of the <a href="http://www.amazon.com/Assuring-Compliance-Assurance-Services-ebook/dp/B001T0I7GO">Irregularities and Illegal Acts Agreed-Upon Procedures Assessments</a> series <a href="http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-i/">here</a></em>&#8221;</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-vii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Irregularities and Illegal Acts Agreed-Upon Procedures Assessments &#8211; Part VI</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-vi/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-vi/#comments</comments>
		<pubDate>Tue, 27 Mar 2012 21:05:21 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Certified Information Systems Auditor]]></category>
		<category><![CDATA[Certified Information Technology Professional]]></category>
		<category><![CDATA[Certified Internal Auditor]]></category>
		<category><![CDATA[Certified Internal Controls Auditor]]></category>
		<category><![CDATA[Certified Public Accountant]]></category>
		<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[External Audit]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[GCC]]></category>
		<category><![CDATA[ICS]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[IT Audit]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[SOD]]></category>
		<category><![CDATA[SOF]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1197</guid>
		<description><![CDATA[Computer usage in information processing systems frequently eliminates generally accepted accounting control principles regarding adequate SOF and SOD.  In particular,...]]></description>
				<content:encoded><![CDATA[<p>Computer usage in information processing systems frequently eliminates generally accepted accounting control principles regarding adequate SOF and SOD.  In particular, incompatible functions in a manually organized system are normally reassigned to distinct departments or personnel.  Computerized information systems, however, have a tendency to consolidate incompatible functions and duties within the IT department.  As a result, IT personnel are potentially in a position to commit irregular and/or illegal acts if <strong>compensating controls</strong> do not exist.</p>
<p>SOF and SOD are considered <strong>organizational controls</strong> that may prevent, deter, and/or detect irregular and illegal acts.  An entity’s IT management is responsible for sustaining an adequate Internal Control Structure (ICS) to safeguard information system assets.  One of the factors an ICS relies on is maintaining adequate SOF between the various IT department units as well as other non-IT groups.</p>
<p>&#8220;<em>View Part I of the <a href="http://www.amazon.com/Assuring-Compliance-Assurance-Services-ebook/dp/B001T0I7GO">Irregularities and Illegal Acts Agreed-Upon Procedures Assessments</a> series <a href="http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-i/">here</a></em>&#8221;</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-vi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Irregularities and Illegal Acts Agreed-Upon Procedures Assessments &#8211; Part V</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-v/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-v/#comments</comments>
		<pubDate>Fri, 23 Mar 2012 20:03:59 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Certified Information Systems Auditor]]></category>
		<category><![CDATA[Certified Information Technology Professional]]></category>
		<category><![CDATA[Certified Internal Auditor]]></category>
		<category><![CDATA[Certified Internal Controls Auditor]]></category>
		<category><![CDATA[Certified Public Accountant]]></category>
		<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[External Audit]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[GCC]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[IT Audit]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[SOD]]></category>
		<category><![CDATA[SOF]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1191</guid>
		<description><![CDATA[Effective policy, procedure, or directive compliance requires an extensive set of interrelated practices as well as processes.  However,...]]></description>
				<content:encoded><![CDATA[<p>Effective policy, procedure, or directive compliance requires an extensive set of interrelated practices as well as processes.  However, organizational policies, procedures, and directives may not incorporate controls or may reflect inadequate controls.  Furthermore, organizational policies, procedures, and directives may be inaccurate, incomplete, or outdated.  Conversely, regarding adequate controls, GCC organizational policies, procedures and directives should include computer security measures.  Specifically, at a minimum, one organizational GCC policy and procedure should address unauthorized computer usage and requesting computer access. </p>
<p>Through key operations GCC, Segregation-of-Functions (SOF) and Segregation-of-Duties (<a href="http://en.wikipedia.org/wiki/Separation_of_duties">SOD</a>) support policies, procedures, directives, and an organizational structure established to inhibit one individual from conducting unauthorized actions or gaining unauthorized access to assets or records.  Assessing control existence and adequacy for an audit area are primary IT auditor responsibilities.  Therefore, an IT auditor should study and evaluate policies, procedures, directives, SOF, and SOD controls as well as <a href="http://www.smashwords.com/books/view/143132">protection-of-information-assets</a> to demonstrate due diligence regarding irregular and illegal act risks.</p>
<p>&#8220;<em>View Part I of the <a href="http://www.amazon.com/Assuring-Compliance-Assurance-Services-ebook/dp/B001T0I7GO">Irregularities and Illegal Acts Agreed-Upon Procedures Assessments</a> series <a href="http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-i/">here</a></em>&#8221;</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-v/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Irregularities and Illegal Acts Agreed-Upon Procedures Assessments &#8211; Part IV</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-iv/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-iv/#comments</comments>
		<pubDate>Tue, 20 Mar 2012 22:20:47 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Certified Information Systems Auditor]]></category>
		<category><![CDATA[Certified Information Technology Professional]]></category>
		<category><![CDATA[Certified Internal Auditor]]></category>
		<category><![CDATA[Certified Internal Controls Auditor]]></category>
		<category><![CDATA[Certified Public Accountant]]></category>
		<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[External Audit]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[GCC]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[IT Audit]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[ITGC]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1189</guid>
		<description><![CDATA[At the IT level, general controls usually represent the policies, procedures, and directives applied to all or a large portion of an entity’s information systems and assist in ensuring their proper operation.]]></description>
				<content:encoded><![CDATA[<p>At the IT level, general controls usually represent the policies, procedures, and directives applied to all or a large portion of an entity’s information systems and assist in ensuring their proper operation.  Sub-categorically, ISACA-defined <a href="http://www.sfisaca.org/events/conference05/presentations/C11%20-%20Intro%20to%20General%20Computer%20Controls.pdf">general computer controls</a> (GCC) are general controls, other than application controls, that relate to the environment within which computer-based application systems are developed, maintained, and operated, and are therefore applicable to all applications.  Furthermore, ISACA avers that pervasive controls are a subset of general controls and appertain specifically to the management and monitoring of IT-related activities.</p>
<p>Management is responsible for implementing and maintaining an adequate <strong>internal controls system</strong>.  Policies, procedures, and directives are the primary means to document management’s intentions regarding an organization.  In this context, published policies, procedures, and directives reflect management’s criteria for executing specific tasks.</p>
<p>&#8220;<em>View Part I of the <a href="http://www.amazon.com/Assuring-Compliance-Assurance-Services-ebook/dp/B001T0I7GO">Irregularities and Illegal Acts Agreed-Upon Procedures Assessments</a> series <a href="http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-i/">here</a></em>&#8221;</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/irregularities-and-illegal-acts-agreed-upon-procedures-assessments-part-iv/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
