icab - itk chapter 5 set 2 - internal control in it systems
TRANSCRIPT
IT KNOWLEDGE
CA Professional Stage - Knowledge Level, ICAB
Tutor: Mohammad Abdul Matin
Chapter 5: Internal Control in Computer Based Business System
Chapter Outline
– Control, IT Internal Control, IT Internal Audit
– Responsibility of Control
– Control Objectives and Techniques
– Control over Acquisition, Implementation and Changes
– Risk Assessment
– Business Continuity Plan
– Overview of ERP
Control Objectives for IT (COBIT)
Developed in 1996 as generally accepted information technology control objectives for day-to-day use.
COBIT 4.1 has around 34 high level processes and covers 201 control objectives in four domains:
– Planning & Organization
– Acquisition & Implementation
– Delivery & Support
– Monitoring & Evaluation
Control Objectives for IT (COBIT)
A complete COBIT package contains:
– Executive Summary: Summary, principles, concepts, synopsis of the framework, etc.
– Framework: Defines the different (34) high level and other IT processes in four domains. Also defines the Information criteria.
– Control Objectives: Defines the (210) control objectives in the form of statements throughout the high level processes.
– Management & Implementation Guidelines: Composed of Maturity Models to help define and compare expectations, CSFs, KPIs, Key Goal Indicators, industry norms, etc.
Control Objectives for IT (COBIT)
– IT Assurance Guide: Tools to assess whether the IT controls linked to the respective control objectives are achieving results. Compatible with the standards of ISACA (Information Systems Audit and Control Association) and ITAF (Information Technology Assurance Framework).
Audit Trails
Logs that are designed to record activity at the system, application and user levels to provide detective control related to security, issue finding, etc.
Audit Trail Objectives:
– Detecting unauthorized access
– Facilitating reconstruction of failure events or problems
– Establishing personal accountability
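To make the three audit-trail objectives concrete, here is an added Python example (not part of the lecture slides) that parses a constructed audit log and implements one check per objective: repeated login failures and out-of-role changes (unauthorized access), the time-ordered history of one object (reconstruction of a failed job), and who modified what (accountability). The log format, user names, roles and authorisation matrix are all assumptions.

```python
import re
from collections import defaultdict
# Constructed sample audit trail (not from the slides); one event per line.
AUDIT_LOG = """\
2024-03-01T09:00:12 user=alice level=application action=LOGIN outcome=OK
2024-03-01T09:03:40 user=bob level=application action=LOGIN outcome=FAIL
2024-03-01T09:03:52 user=bob level=application action=LOGIN outcome=FAIL
2024-03-01T09:04:01 user=bob level=application action=LOGIN outcome=FAIL
2024-03-01T09:04:15 user=bob level=application action=LOGIN outcome=OK
2024-03-01T09:05:30 user=bob level=application action=UPDATE obj=payroll/77 outcome=OK
2024-03-01T09:06:02 user=svc_batch level=system action=JOB_START obj=nightly_post outcome=OK
2024-03-01T09:06:45 user=svc_batch level=system action=JOB_END obj=nightly_post outcome=ERROR
"""
# Assumed authorisation matrix (constructed): each user's role, and the object prefixes a role may modify.
ROLE_OF = {"alice": "accounts", "bob": "sales", "svc_batch": "system"}
MAY_UPDATE = {"accounts": ("invoice/", "payroll/"), "sales": ("order/",), "system": ()}
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) level=(?P<level>\S+) "
                     r"action=(?P<action>\S+)(?: obj=(?P<obj>\S+))? outcome=(?P<outcome>\S+)$")

def parse(log):
    """Turn raw lines into event dicts; malformed lines are dropped, not guessed."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def unauthorized_access(events, fail_threshold=3):
    """Objective 1: flag consecutive login failures and changes outside the user's role."""
    findings, fails = [], defaultdict(int)
    for e in events:
        if e["action"] == "LOGIN":
            fails[e["user"]] = fails[e["user"]] + 1 if e["outcome"] == "FAIL" else 0
            if fails[e["user"]] == fail_threshold:
                findings.append(f"{e['ts']} {e['user']}: {fail_threshold} consecutive login failures")
        elif e["action"] == "UPDATE" and e["outcome"] == "OK":
            allowed = MAY_UPDATE.get(ROLE_OF.get(e["user"]), ())
            if not e["obj"].startswith(allowed):  # an empty prefix tuple never matches
                findings.append(f"{e['ts']} {e['user']} updated {e['obj']} outside role")
    return findings

def reconstruct(events, obj):
    """Objective 2: time-ordered history of one object, e.g. to trace a failed batch job."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return [(e["ts"], e["action"], e["outcome"]) for e in ordered if e["obj"] == obj]

def accountability(events):
    """Objective 3: which users successfully modified which object."""
    who = defaultdict(list)
    for e in events:
        if e["action"] in ("UPDATE", "DELETE") and e["outcome"] == "OK":
            who[e["obj"]].append(e["user"])
    return dict(who)
```

Running the three functions over `parse(AUDIT_LOG)` flags bob's three failed logins and his change to a payroll record outside his role, shows the start and error end of the nightly batch job, and attributes the payroll change to bob.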
Controls – IS Selection, Acquisition
– Strategic Master Plan: A strategic master plan to ensure appropriateness and priority
– Project Control: Project management, resource and time planning with responsibilities
– Data Processing Schedule: Backend tasks to be distributed and scheduled to maximize resource usage
– System Performance Measurement: Throughput and time based utilization measurements
– Post-Implementation Review: Compare the cost and benefit between plan and implementation
Post Implementation Review (PIR)
Post Implementation Review (PIR) of an initiative is performed mainly to assess whether the following were met as per expectation / plan:
– Business Objectives (budget, deadline, benefits, etc.)
– User Expectations (friendliness, workload, reliability, etc.)
– Technical Requirements (expandability, ease of operation, interconnectivity with external systems, etc.)
PIR is typically performed after a project is completed, has become stable and is not being significantly changed/modified as a result of errors or realizations.
PIR should be performed by an independent IS consultant/team who had not been involved in the original initiative/project/development.
Business Continuity Planning (BCP)
Key Objectives of a BCP
– Safety of people at the time of a disaster
– Continue critical business operations
– Minimize the duration of disruption of regular operations
– Minimize immediate damage or losses (data and equipment)
– Establish management succession and emergency powers
– Facilitate effective coordination of recovery tasks
– Reduce the complexity in recovery
– Identify critical lines of business and supporting functions
Business Continuity Planning (BCP)
Eight Phases of Developing a BCP
i. Pre-planning activities
ii. Vulnerability assessment
iii. Business impact analysis
iv. Definitions of requirements
v. Plan development
vi. Testing program
vii. Maintenance program
viii. Plan testing and implementation
Enterprise Resource Planning (ERP)
An ERP system is a fully integrated business management system covering different functional areas of an enterprise.
ERP systems can be general or industry specific. The components integrated within an ERP system can vary depending on the organization's needs and priorities.
Examples of ERP systems: SAP, Oracle EBS, Dynamics AX, IFS, Glovia, Infor, Sage, etc.
Enterprise Resource Planning (ERP)
Benefits of an ERP System
– Integrated Financial Systems
– Standardized Processes
– Shared, Real-time Information
Implementation of ERP Systems
– Corporate culture
– Process change
– Management support
– Project Manager competence
– The ERP Team
– Project Methodology
– Training
– Commit to the change
ERP Example: SAP
World’s most used tier one ERP system, developed by SAP AG, a German company.
SAP R/3 System Architecture:
– Presentation layer
– Application layer
– Database layer
Can run on many different O/S and Database platforms.
Can be distributed into multiple systems for load management and other objectives.
Common SAP R/3 Functional Modules
Exam Questions
– What is control? What are the purposes of internal control?
– Explain the five key components required for effective internal control.
– What is Audit Trail? Explain its objectives.
– Describe Post Implementation Review (PIR).
– Why is information system security important?
– Explain “vulnerability management” and “threat management” in management of IT security.
– What is disaster recovery plan? Describe major areas of a disaster recovery planning document.
– What is ERP? Explain SAP as an ERP system.
Thank You