IT Audit & Assurance

Information Technology General Controls (ITGC)

General controls over IT activities are integral to IT processes and services. An ITGC review assesses the adequacy and reasonableness of the controls within the IT environment and infrastructure that govern the development, maintenance and secure operation of automated application systems. The IT controls in scope cover the IT organization and infrastructure, systems development and maintenance, change management, security, and the continuous service of computer operations. These controls support the appropriate and efficient development and implementation of application systems, the integrity of program and data files, and efficient computer operations.

Benefits of ITGC:
  • IT controls protect data integrity and are a significant component of an organization's internal control.
  • IT systems are increasingly relied upon as tools to provide efficient processing and reporting for decision-making purposes.
  • Reliable IT controls reduce the extent of testing of, and reliance on, manual transaction-level controls.
  • IT controls increase the effectiveness and efficiency of internal controls, and reduce their cost, by establishing a sound information system foundation and leveraging systems across the organization.

Application Controls Review

Information is critical to an agency/enterprise for financial reporting and decision-making. The timeliness, accuracy and reliability of information depend on the underlying application systems used to generate, process, store and report it. Application controls are the controls over the processing and data within an application system, and they are specific to each application. They help assure timely, accurate and reliable information. At the business process level, controls are applied to specific business activities. Business processes are usually automated and integrated with IT application systems, so many of these application controls are automated. Some controls remain manual, however, such as separation of duties, transaction authorization and manual reconciliations. Poor IT general controls, or breakdowns in such controls, can impair the reliability of application controls. Application controls include:

  • Source data preparation, authorization, collection and entry
  • Accuracy, completeness and authenticity checks
  • Processing, integrity and validity
  • Output review, reconciliation and error handling
  • Transaction authentication and integrity

Sufficient application controls should exist to mitigate significant risks. The reliability of these controls can affect the nature, timing and extent of the substantive procedures that financial examiners perform. Accordingly, we assist in this process by identifying the application controls that mitigate significant financial reporting risks and certain non-financial reporting risks. The application controls are evaluated against the specific risk they are intended to mitigate, with the goal of reducing inherent risk to an acceptably low level of residual risk.

We can help
  • Evaluate the most effective SSAE 16/SOC report
  • Identify needs of report users
  • SSAE 16/SOC readiness assessment
  • Assess the design of controls
  • Remediate the control gaps
  • Transition from SAS 70 to SSAE 16

Rigorous and efficient control testing

FISMA Review

The Federal Information Security Management Act (FISMA) is a federal law designed to increase the security posture of government agency federal systems, bureaus, departments and their supporting entities such as vendors and their subcontractors. Since its establishment, an increasing number of federal information systems and databases have been integrated into non-federal agencies, including municipalities, law enforcement, and contractors.

Our Approach:

To complete our review we follow various guidelines and standards, such as GAO’s Federal Information System Controls Audit Manual (FISCAM), which outlines audit procedures for conducting IT audit work in support of financial statement audits. We also conduct our general controls reviews using the newest versions of COBIT, the relevant ISO/IEC standards, and National Institute of Standards and Technology (NIST) guidance. To execute our review we perform the following:

  • Develop Work Program
  • Execute the testing program
  • Monitor progress
  • Review findings
  • Hold meetings with Company/Agency individuals responsible for the respective sections to confirm our understanding of control weaknesses noted and obtain Company concurrence with our findings
  • Make an overall information technology control risk assessment, and
  • Issue our report to the respective Department on the overall information technology control risk assessment

We execute tests of the IT controls, document our test results and identify the cause of any problem areas noted in our review. We also make recommendations that the Company/Agency could implement to mitigate the identified control risks. The assessment of the overall IT control structure is designed to assist management in evaluating part of the Agency/Company’s internal environment. It also helps determine whether management can rely on the more specific process and application controls over the processing of transactions and information included in the Agency/Company’s Annual Statement, and thus reduce the nature and extent of substantive examination procedures.

SSAE 16/SOC Reporting

An SSAE 16 or service organization control (SOC) report distinguishes you in the marketplace and shows your commitment to quality and internal control. We can help you design the controls needed to securely host and process confidential information.

  • Increasing demand for an SSAE 16 (Statement on Standards for Attestation Engagements No. 16) or SOC report
  • Proving your commitment to internal control
  • Complying with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404)
  • Protecting against a network penetration breach
  • Safeguarding customer information

A unique approach

InteliPath professionals have experience and intimate knowledge to help you merge internal control and security measures with business goals and objectives. From initial readiness and gap assessment to final control testing, our professionals will collaborate with your team leaders to dramatically impact your culture of control and security.

InteliPath has experience with the enterprise data processing systems, operating systems, and network protocols that are the lifeblood of your business. Our team includes professionals with accounting, auditing, information technology (IT), and information security credentials. By combining our business acumen with IT auditing experience, you can implement the critical controls needed to support SSAE 16/SOC reporting.

While FISMA outlines valuable controls for protecting federal information systems, compliance with the law is complex. The requirements are time-consuming to meet, yet the resulting protection is often insufficient.

InteliPath’s team of FISMA experts can help prepare your organization for FISMA audits, system certification and accreditation (C&A), asset classification, risk assessments and ongoing security authorization to obtain or maintain an Agency Authority to Operate (ATO). Our processes, tools, and methodologies are based on the core components identified by FISMA and established by NIST – as outlined by the NIST visual model of cloud computing – such as Special Publications 800-53 Rev. 3 (Recommended Security Controls for Federal Information Systems), 800-30 (Risk Management Guide for Information Technology Systems), and FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems).

© Copyright 2015-2018 Intelipath Group. All Rights Reserved. Developed by Web Space IT.