IT GENERAL CONTROLS &

THE PREVENTION OF FRAUD

Ed Tobias, CISA, CIA, CFEMay 11, 2011

AGEN

DA

What are IT General Controls?

5 Areas for Review

Case Study

What are IT General Controls (ITGC)?

What is a “control”?•Process developed by management •Provides reasonable assurance:•Operations – effective & efficient•Reliable financial reporting•Compliance – laws & regulations

What are IT General Controls (ITGC)?

•Used to manage risks“control someone’s behavior”

•Examples: •Policies & procedures •Approvals•Reconciliations •SoD (Segregation of Duties)

What are IT General Controls (ITGC)?

What are IT General Controls (ITGC)?•Process developed by management •Provides reasonable assurance that:•Operations – effective & efficient•Reliable financial reporting•Compliance – laws & regulations

•Used to manage technology risks

What are IT General Controls (ITGC)?

What’s the difference???

What are IT General Controls (ITGC)?

•ITGC affect everything based on technology• Passwords• Program Changes / System updates• Roles / SoD• Backups / Recovery• 3rd-party providers

What are IT General Controls (ITGC)?

•ITGC are part of the entire system of internal control

What are IT General Controls (ITGC)?

3 main technology areas:1. System (servers)2. Network3. Applications

What are IT General Controls (ITGC)?

•ITGC provide assurance that information systems are working as intended•Rely on the information •Legal / regulatory compliance•Effective / efficient operations

What are IT General Controls (ITGC)?

Center for Internet Security•Applying ITGC consistently•Protects against 85%+ of top vulnerabilities reported by:•NIST•FBI•SANS Institute•Computer Security Institute

What are IT General Controls (ITGC)?

Without effective ITGC, where is the fraud …• Financial statements schemes• Asset misappropriation schemes• Fraudulent disbursements• Theft of assets/inventory

• Bribery / Conflicts of interest

What are IT General Controls (ITGC)?

Without effective ITGC, where is the fraud …• Theft of Intellectual Property • Financial Institution Fraud• Check & Credit Card Fraud• Insurance Fraud• Health Care Fraud• Securities Fraud

What are IT General Controls (ITGC)?

Without effective ITGC, where is the fraud …• Consumer Fraud – Identity Theft• Computer / Internet Fraud• Public Sector Fraud

What are IT General Controls (ITGC)?

Without effective ITGC, where is the fraud …

Almost everywhere since we use technology• Store information• Make decisions

5 Areas for Review

1. IT Entity-Level2. Change Management3. Information Security4. Backup and Recovery5. 3rd-party IT Providers

5 Areas for Review

Normally done by IT Auditors• Technology skills/background• Can be performed by• Operational/financial auditors• IT Security / Compliance

5 Areas for Review

Need to determine the “key information technology risks”• Framework (NIST, COBIT)• IT Management

5 Areas for Review

What 3-5 things keep them awake at night?

5 Areas for Review

1. IT Entity-Level• Need to understand IT

involvement

• Assess IT complexity• Low – COTS, 1 server, 1-15 users• High – ERP and/or customized,

4+ servers, 30+ users

5 Areas for Review

1. IT Entity-Level• Impact to the system?

• Mitigating controls?

5 Areas for Review

1. IT Entity-Level• Policies & procedures • Acceptable Use• Found in Employee Manual

5 Areas for Review

What about …• USB Thumb Drives

Your data has legs!

5 Areas for Review

What about …• Smartphones

Your data has legs!

5 Areas for Review

What about …• Rogue wireless access points

Your network is

OPEN!

5 Areas for Review

• Acceptable Use• Information Security

responsibilities

YOU are responsible for your company’s data!

5 Areas for Review

1. IT Entity-Level• Annual Technology Plan• Annual Budget• Prioritization of IT projects

5 Areas for Review

2. Change Management• All changes to system• Properly authorized• Securely implemented• SoD is important!

5 Areas for Review

2. Change Management• Vendor does changes• Access always on?• Logging access times?• Review key reports

before/after changes?

5 Areas for Review

2. Change Management• Key Spreadsheets• Locked down?• Protected formulas?• Restricted access?

5 Areas for Review

Impact of Spreadsheet Errors• Data entry error of $118,000• $11M severance error• $30M spreadsheet error• $644M misstatement

Statistics from 2006 ACL White Paper – Spreadsheets

5 Areas for Review

3. Information Security• Physical Security• Passwords• User IDs• Roles in the system• Administrators / Super Users• Logging• Encryption

5 Areas for Review

3. Information Security• Wireless Access

5 Areas for Review

3. Information Security• Physical Security

5 Areas for Review

3. Information Security• Password best practices (NIST)• Password length - 8• Complex passwords – 2/4• Upper / lower case• Numeric (0-9)• Special (!,@,#,$)

5 Areas for Review

3. Information Security• Password best practices (NIST)• Password history – 90 days• Suspended after 3 tries• Change initial password • Password history – 8

5 Areas for Review

3. Information Security• Password best practices (NIST)• Mitigating controls• No dictionary words• Regular training /

awareness

5 Areas for Review

3. Information Security• User IDs• No sharing• No generic IDs (i.e. Clerk1)• No default IDs/passwords• CIRT.net – 444 vendors,

1800+ passwords

5 Areas for Review

3. Information Security• Roles in the system• Simplify security

administration• Regularly reviewed?

5 Areas for Review

3. Information Security• Administrators / Super Users

“Keys to the Kingdom”

5 Areas for Review

3. Information Security• Administrators / Super Users• Limited number• Required for job duties• Audit trail / logging• Use only when necessary• Periodic review

5 Areas for Review

3. Information Security• Logging• Slows down system• Critical changes/info

• Protected from Admins• Regularly reviewed

5 Areas for Review

3. Information Security• Encryption• Data at rest

WHY? • Hacked• Internal theft• Backups are compromised

5 Areas for Review

3. Information Security• Encryption• Data in transit

WHY? • Packet sniffing - Wire theft• War driving

5 Areas for Review

3. Information Security• Wireless Access• Wireless Access Policy• Encryption • MAC Address filtering

5 Areas for Review

4. Backup and Recovery• Encrypted?• Limited access

5 Areas for Review

5. 3rd-party IT Providers

“Data in the Cloud”

5 Areas for Review

5. 3rd-party IT Providers• Outsource anything• Servers (Data Center)• Virtual Servers on demand• Applications• Virus scanning

5 Areas for Review

5. 3rd-party IT Providers• SAS70 • Replaced by SSAE16 Type 2• Effective June 15, 2011• Financial Reporting

5 Areas for Review

5. 3rd-party IT Providers• SOC 2• Security• Availability• Processing integrity• Confidentiality• Privacy

• Risk-based control framework

Case Study

Profiled in Nov/Dec 2010 and Jan/Feb 2011 issues Fraud mag.

• Deputy treasurer/controller issued $236,000 in checks through authorized maker scheme

• Detected through manual reconciliation & computer exception report

Case Study

• $7,148 check cleared the bank but not an outstanding check

• Uncashed check of $7,148 to a vendor was found in his office

• Clerk noticed missing exception reports

• Looked at IT system changes for days w/missing reports

Case Study

• Staff cuts left him as the authorized person for changes

• IT discovered 2 inactive, unauthorized program changes• $215,846• $13,930

Case Study

What went wrong?

Case Study

• Weak IT Entity-Level controls• Improper SoD• Poor change management

• Weak controls in payment dept

Questions

Contact Information

ed.tobias@hillsclerk.com

http://www.linkedin.com/in/ed3200