IT general controls: The Eurosystem approach

Transcript of the slide deck "IT general controls: The Eurosystem approach" (13 slides)

Page 1

IT general controls: The Eurosystem approach

Visit to the Central Bank of Armenia
Yerevan, 25-27 Sept 2013

Page 2

IT general controls

Increased focus on IT general controls

(Diagram of nested scopes: Sarbanes-Oxley Act (SOX) > Internal controls > IT controls > IT general controls)

IT general controls are needed to support the reliability of application controls.

For example, ensuring database security is often considered a requirement for reliable financial reporting.

Page 3

Integrated audit in the ESCB

• A business process audit is scheduled
• The business process is supported by an application system
• The effectiveness of application controls depends on the effectiveness of IT general controls (ITGC)
• What IT general controls should be included in the audit scope?

Page 4

Possible approaches

IT general controls: controls that apply to the overall functioning of the organisation’s IT systems and to a broad set of applications.

Application controls: a set of controls embedded within automated solutions (applications).

Page 5

Possible approaches

(Diagram: the four approaches below are drawn against the two layers "IT general controls" and "Application controls")

[a] Application approach
[b] Limited vertical approach
[c] Deep vertical approach
[d] Horizontal approach (ITGC review)

Page 6

Application approach

Audit scope explicitly limited to application controls.

PROs:
• More time to focus on the specific application
• More efficient

CONs:
• Partial assurance
• Needs to be complemented with the horizontal approach

Page 7

Limited vertical approach

Auditors identify which IT general controls should be reviewed.

PROs:
• Possibility of expanding or reducing the scope depending on the actual situation

CONs:
• Lack of transparency on the audit scope
• No assurance that the most relevant ITGC are reviewed

Page 8

Deep vertical approach

Audit scope includes a selection of IT general controls.

PROs:
• Higher value to the business management
• Comparable results between audit reports
• Reusability of results

CONs:
• Difficulty in identifying the relevant ITGCs during the preparation
• Need for specific skills
• Audit effort

Page 9

Horizontal approach

IT general controls covered by ad-hoc audit engagements.

PROs:
• Full analysis of a specific problem
• Reusability of results

CONs:
• Difficulty in representing the business impact of findings

Page 10

Deep vertical approach

• The task force identifies the most relevant IT general controls
  – For example:
    • Change management
    • Security
    • Computer operations
• The auditors evaluate those controls
• Full coverage of ITGCs is obtained over time, through multiple business audits and dedicated IT horizontal audits

Page 11

The IT general control catalogue

IT general controls are selected from a "catalogue" (the IT General Control Catalogue):

1. IT Governance
   1.1 – IT Organisation, Roles and Responsibilities (PO4) and IT Human Resources (PO7)
   1.2 – Operating policies, procedures and supporting documentation (DS13, AI1/2)
   1.3 – IT Risk Management (PO9)

2. Security
   2.1 – Network Security (DS5.10)
   2.2 – Logical Access Management (DS5.3/4)
   2.3 – Data integrity and confidentiality (DS5.8/10/11; DS11)
   2.4 – Malicious Code Monitoring (DS5.9)
   2.5 – Logging and Security Monitoring (DS5.5; DS13.3)
   2.6 – Physical Security (DS12)

3. Change Management
   3.1 – Change and Release Management (AI6/7)
   3.2 – Infrastructure and Configuration Management (and Protection) (DS9 and DS5)

4. Operations (Service Delivery/Support/Management)
   4.1 – Availability, Capacity, Performance and IT Service Continuity Management (DS3/4)
   4.2 – Incident/Problem Management (DS8/10, 5.6)
   4.3 – Service Level Management (DS1)

5. End User Computing
   5.1 – End User Computing (ITCO SOX)

6. Third party management
   6.1 – Third party management (DS2)

Page 12

The IT general control catalogue (example entry)

ITGC - 6 - Third party management
6.1 - Third party management (DS2)

High level control objective: Third party services used to operate/support systems meet business requirements, are defined appropriately in contracts, and the risks associated with third party service providers are monitored and managed. Third parties comply with all security requirements and policies for the protection of data as specified in the underlying contracts.

CIA Rating: MMM

Inherent risk: Inadequate control over third party services and/or inappropriate access to sensitive/critical data may lead to i) system unavailability; ii) inadequate protection of information assets, which could result in security breaches and/or financial or reputational loss. RiskIT: 16, 31, 32, 33, 34

Control practice 6.1.1: Third party service delivery (DS2.4)
Third party services meet business requirements and are secure, accurate and available; support processing integrity; and are defined clearly in contracts. Risks associated with third party contracts are monitored and managed in accordance with established performance criteria. RiskIT: 16, 32, 33, 34

Most common issues (control weaknesses):
• Ineffective control is exercised over the delivery of services by the third party.
• Deliverables fail to meet requirements.
• Delays and cost overruns arise.

Possible tests of control practices. For the relevant system(s) and underlying IT components & infrastructure [in scope], check that:
• A relevant service contract(s) is in place which includes adequate definitions of the services to be performed and the obligations which the third party should abide by.
• Business requirements, policies and procedures exist from which appropriate controls can be derived.
• Controls to support security and data integrity are defined and communicated to all parties.
• Third parties have no undue access to sensitive data.
• Contracts have been reviewed and are duly approved and signed prior to the commencement of work.
• The third party reports on the attainment of agreed-upon performance criteria (in line with defined SLAs and the supplier contract).

COBIT 4.1 references and ESCB IT policies:
• ITCO SOX: 21 - Manage Third-party Services
• COBIT: DS2.4 Supplier Performance Monitoring
• ESCB: ITC/09/237 Annex 4 (10.2.3)

Page 13

Selection of ITGCs

• Drivers for selecting the ITGCs to assess:
  – Business audit objective and scope (and relevant risks)
  – Criticality assessment
  – IT environment
  – Resource constraints (time, skills)
  – Global coverage of ITGCs