Alineando Cobit Itil Iso 4.1


  • 8/10/2019 Alineando Cobit Itil Iso 4.1

    1/17

COBIT and Application Controls

Appendix E: Tools for Designing and Implementing Application Controls

Defining Application Control Requirements/Identifying Relevant Application Control Objectives

Chapter 4 discusses management's responsibilities for identifying relevant application control objectives as part of defining the business requirements for new automated solutions. COBIT Online can be used by management as a tool for determining relevant application control objectives. Figure 24 is a screen image showing how COBIT Online can be used to identify and assess the importance of the application control objectives for a given automated solution.

Figure 24: MyCOBIT Control Objectives Assessment Form (screen image; the form's fields and the visible entries are listed below)

Filter criteria: Filter1; Component: [values not legible]; Process: AC Application Controls

Rating fields recorded for each control objective:
- Importance to the Enterprise: Unimportant / Somewhat Important / Important / Very Important / Critical
- Relevance: Not Relevant / Somewhat Relevant / Very Relevant / Critical
- Compliance State (C=Current, P=Planned): Covered by other objective / Management is not aware / Management is aware / Management is committed to resolve / Implementation is getting started / Implementation is well under way / Solution is implemented / Solution is sustainable
- Evidence

Control Objective: AC1 Source Data Preparation and Authorisation
Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Minimise errors and omissions through good input form design. Detect errors and irregularities so they can be reported and corrected.
Effectiveness: High. Contribution: Very High. Effort: Very High.

Control Objective: AC2 Source Data Collection and Entry

2008 ISACA. All rights reserved.

Control Objective: AC3 Accuracy, Completeness and Authenticity Checks
Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.
Effectiveness: High. Contribution: Very High. Effort: Very High.

Control Objective: AC4 Processing Integrity and Validity

Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.
Effectiveness: High. Contribution: Very High. Effort: Very High.

Control Objective: AC5 Output Review, Reconciliation and Error Handling

Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient and protected during transmission; that verification, detection and correction of the accuracy of output occur; and that information provided in the output is used.
Effectiveness: High. Contribution: High. Effort: High.

Control Objective: AC6 Transaction Authentication and Integrity
Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
Effectiveness: High. Contribution: High. Effort: High.

Template for Design of Application Controls

Figure 25 is an example of a template that may be useful for members of the application solution design team to assist in the design of application controls. This template can be used to capture key elements of designed controls, including their respective attributes, and provides for a conclusion as to whether the controls achieve the respective control objectives. Control information is presented in a way to facilitate management review and approval as part of its responsibilities to ensure the adequacy of design of application controls, as discussed in chapter 4. Control practices in this table have been provided from the IT Assurance Guide: Using COBIT and will need to be updated to meet specific requirements of each application solution.

Figure 25: Template for Assisting in the Design of Application Controls
Process/Application Name:    Application Control Design    Business Process Owner:    Date:

Template columns (one row per control practice):
- Ref
- Control Objective and Control Practices Description
- Information Objective: Completeness, Accuracy, Validity, Authorisation, Segregation of Duties
- Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- Control Activity
- Attributes:
  Type: Manual / Automated / Hybrid / Configurable
  Nature: Preventive / Detective
  Frequency: Transaction / Daily / Weekly / Monthly / Annually
  Proximity: Point of risk / After risk event / Management review
  Performed by: (insert role)
- Design Effectiveness Conclusion

AC1 Source Data Preparation and Authorisation
Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Minimise errors and omissions through good input form design. Detect errors and irregularities so they can be reported and corrected.
1. Design source documents in a way that they increase accuracy with which data can be recorded, control the workflow and facilitate subsequent reference checking. Where appropriate, include completeness controls in the design of the source documents.
2. Create and document procedures for preparing source data entry, and ensure that they are effectively and properly communicated to appropriate and qualified personnel. These procedures should establish and communicate required authorisation levels (input, editing, authorising, accepting and rejecting source documents). The procedures should also identify the acceptable source media for each type of transaction.
3. Ensure that the function responsible for data entry maintains a list of authorised personnel, including their signatures.
4. Ensure that all source documents include standard components and contain proper documentation (e.g., timeliness, predetermined input codes, default values) and are authorised by management.
5. Automatically assign a unique and sequential identifier (e.g., index, date and time) to every transaction.
6. Return documents that are not properly authorised or are incomplete to the submitting originators for correction, and log the fact that they have been returned. Review logs periodically to verify that corrected documents are returned by originators in a timely fashion, and to enable pattern analysis and root cause review.

AC2 Source Data Collection and Entry
Ensure that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
1. Define and communicate criteria for timeliness, completeness and accuracy of source documents. Establish mechanisms to ensure that data input is performed in accordance with the timeliness, accuracy and completeness criteria.
2. Generate error messages in a timely manner as close to the point of origin as possible. The transactions should not be processed unless errors are corrected or appropriately overridden or bypassed. Errors that cannot be corrected immediately should be logged in an automated suspense log, and valid transaction processing should continue. Error logs should be reviewed and acted upon within a specified and reasonable period of time.
6. Ensure that errors and out-of-balance reports are reviewed by appropriate personnel, followed up and corrected within a reasonable period of time, and that, where necessary, incidents are raised for more senior attention. Automated monitoring tools should be used to identify, monitor and manage errors.
7. Ensure that source documents are safe-stored (either by the business or by IT) for a sufficient period of time in line with legal, regulatory or business requirements.

AC3 Accuracy, Completeness and Authenticity Checks
Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.
1. Ensure that transaction data are verified as close to the data entry point as possible and interactively during online sessions. Ensure that transaction data, whether people-generated,

system-generated or interfaced inputs, are subject to a variety of controls to check for accuracy, completeness and validity. Wherever possible, do not stop transaction validation after the first error is found. Provide understandable error messages immediately such that they enable efficient remediation.
2. Implement controls to ensure accuracy, completeness, validity and compliancy to regulatory requirements of data input. Controls may include sequence, limit, range, validity, reasonableness, table look-ups, existence, key verification, check digit, completeness (e.g., total monetary amount, total items, total documents, hash totals), duplicate and logical relationship checks, and time edits. Validation criteria and parameters should be subject to periodic reviews and confirmation.
3. Establish access control and role and responsibility mechanisms so that only authorised persons input, modify and authorise data.
4. Define requirements for segregation of duties for entry, modification and authorisation of transaction data as well as for validation rules. Implement automated controls and role and responsibility requirements.
5. Report transactions failing validation and post them to a suspense file. Report all errors in a timely fashion, and do not delay processing of valid transactions.
6. Ensure that transactions failing edit and validation routines are subject to appropriate follow-up until errors are remediated. Ensure that information on processing failures is maintained to allow for root cause analysis and help adjust procedures and automated controls.
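AC3 practices 1, 2 and 5 describe the mechanics of input validation: a set of field-level controls (range and limit, table look-up, check digit, duplicate detection) plus batch completeness controls (record count, hash total), every error collected rather than stopping at the first, and failed transactions posted to a suspense file while valid ones continue. The Python script below is an added illustration written for this edit; it is not from the ISACA document or from any COBIT tool. The record layout, the cost-centre table, the amount limit, the use of the Luhn algorithm as the check-digit scheme and the batch itself are all constructed assumptions for the example.

```python
"""Input validation controls in the spirit of COBIT AC3 (added example, not
from the ISACA document).  Record layout, cost-centre table, amount limit and
the choice of Luhn as the check-digit scheme are assumptions for this example."""
from decimal import Decimal, InvalidOperation

# Constructed reference data for a table look-up control (hypothetical codes).
VALID_COST_CENTRES = {"CC100", "CC200", "CC300"}
# Constructed limit for the limit/range control.
AMOUNT_LIMIT = Decimal("10000.00")


def luhn_ok(number: str) -> bool:
    """Check-digit control: True if the digit string passes the Luhn check."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict, seen_ids: set) -> list:
    """Return every validation error found for one record (empty list = valid).
    Validation deliberately continues after the first error (AC3 practice 1)."""
    errors = []
    # Existence/completeness control: all mandatory fields present
    for key in ("txn_id", "account", "cost_centre", "amount"):
        if rec.get(key) in ("", None):
            errors.append(f"missing {key}")
    if errors:
        return errors
    # Duplicate control
    if rec["txn_id"] in seen_ids:
        errors.append("duplicate txn_id")
    # Check-digit control on the account number
    if not luhn_ok(rec["account"]):
        errors.append("account fails check digit")
    # Table look-up control
    if rec["cost_centre"] not in VALID_COST_CENTRES:
        errors.append("unknown cost_centre")
    # Validity, range and limit controls on the amount
    try:
        amount = Decimal(rec["amount"])
    except (InvalidOperation, TypeError, ValueError):
        errors.append("amount not numeric")
    else:
        if amount <= 0:
            errors.append("amount must be positive")
        elif amount > AMOUNT_LIMIT:
            errors.append("amount exceeds limit")
    return errors


def process_batch(records: list, control_count: int, control_hash_total: int) -> tuple:
    """Apply batch completeness controls (record count, hash total of account
    numbers) and per-record validation.  Returns (accepted, suspense, batch_errors):
    valid records are accepted and processing continues; failed records are
    posted to the suspense list with their errors (AC3 practice 5)."""
    batch_errors = []
    if len(records) != control_count:
        batch_errors.append(f"record count {len(records)} != control count {control_count}")
    # Hash total: arithmetically meaningless sum used only to detect lost or altered records
    hash_total = sum(int(r["account"]) for r in records if str(r.get("account", "")).isdigit())
    if hash_total != control_hash_total:
        batch_errors.append(f"hash total {hash_total} != control hash total {control_hash_total}")
    accepted, suspense, seen = [], [], set()
    for rec in records:
        errs = validate_record(rec, seen)
        seen.add(rec.get("txn_id"))
        if errs:
            suspense.append({"record": rec, "errors": errs})
        else:
            accepted.append(rec)
    return accepted, suspense, batch_errors


# Constructed sample batch; 79927398713 is the standard Luhn test number.
SAMPLE_BATCH = [
    {"txn_id": "T1", "account": "79927398713", "cost_centre": "CC100", "amount": "100.00"},
    {"txn_id": "T2", "account": "79927398714", "cost_centre": "CC100", "amount": "50.00"},
    {"txn_id": "T2", "account": "79927398713", "cost_centre": "CC999", "amount": "20000.00"},
    {"txn_id": "T3", "account": "79927398713", "cost_centre": "CC200", "amount": "-5"},
]
# Control totals as the data-entry system would have recorded them for this batch (constructed).
SAMPLE_CONTROL_COUNT = 4
SAMPLE_CONTROL_HASH_TOTAL = 4 * 79927398713 + 1   # three identical valid accounts plus one off by one

if __name__ == "__main__":
    accepted, suspense, batch_errors = process_batch(
        SAMPLE_BATCH, SAMPLE_CONTROL_COUNT, SAMPLE_CONTROL_HASH_TOTAL)
    print("accepted:", [r["txn_id"] for r in accepted])
    for item in suspense:
        print("suspense:", item["record"]["txn_id"], item["errors"])
    print("batch errors:", batch_errors)
```

Two design points carry the weight of the practice text: validate_record keeps going after the first failure so the originator gets the full list in one round trip, and process_batch never blocks the valid records on the failed ones. The batch-level count and hash total are checked against values captured independently at data entry, which is what makes them a control rather than a self-check.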

AC4 Processing Integrity and Validity
Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.
1. Establish and implement mechanisms to authorise the initiation of transaction processing and to enforce that only appropriate and authorised applications and tools are used.
2. Routinely verify that processing is completely and accurately performed with automated controls, where appropriate. Controls may include checking for sequence and duplication errors, transaction/record counts, referential integrity checks, control and hash totals, range checks, and buffer overflow.
3. Ensure that transactions failing validation routines are reported and posted to a suspense file. Where a file contains valid and invalid transactions, ensure that the processing of valid transactions is not delayed and that all errors are reported in a timely fashion. Ensure that information on processing failures is kept to allow for root cause analysis and help adjust procedures and automated controls, to ensure early detection or to prevent errors.
4. Ensure that transactions failing validation routines are subject to appropriate follow-up until errors are remediated or the transaction is cancelled.
5. Ensure that the correct sequence of jobs has been documented and communicated to IT operations. Job output should include sufficient information regarding subsequent jobs to ensure that data are not inappropriately added, changed or lost during processing.
6. Verify the unique and sequential identifier to every transaction (e.g., index, date and time).
7. Maintain the audit trail of transactions processed. Include date and time of input and user identification for each online or batch transaction. For sensitive data, the listing should contain before and after images and should be checked by the business owner for accuracy and authorisation of changes made.
8. Maintain the integrity of data during unexpected interruptions in data processing with system and database utilities. Ensure that controls are in place to confirm data integrity after processing failures or after use of system or database utilities to resolve operational problems. Any changes made should be reported and approved by the business owner before they are processed.
9. Ensure that adjustments, overrides and high-value transactions are reviewed promptly in detail for appropriateness by a supervisor who does not perform data entry.
10. Reconcile file totals. For example, a parallel control file that records transaction counts or monetary value as data should be processed and then compared to master file data once transactions are posted. Identify, report and act upon out-of-balance conditions.

AC5 Output Review, Reconciliation and Error Handling
Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient and protected during transmission; that verification, detection and correction of the accuracy of output occur; and that information provided in the output is used.
1. When handling and retaining output from IT applications, follow defined procedures and consider privacy and security requirements. Define, communicate and follow procedures for the distribution of output.
2. At appropriate intervals, take a physical inventory of all sensitive output, such as negotiable instruments, and compare it with inventory records. Create procedures with audit trails to account for all exceptions and rejections of sensitive output documents.
3. Match control totals in the header and/or trailer records of the output to balance with the control totals produced by the system at data entry to ensure completeness and accuracy of processing. If out-of-balance control totals exist, report them to the appropriate level of management.
4. Validate completeness and accuracy of processing before other operations are performed. If electronic output is reused, ensure that validation has occurred prior to subsequent uses.
5. Define and implement procedures to ensure that the business owners review the final output for reasonableness, accuracy and completeness, and that output is handled in line with the applicable confidentiality classification. Report potential errors, log them in an automated, centralised logging facility, and address errors in a timely manner.
6. If the application produces sensitive output, define who can receive it, label the output so it is recognisable by people and machines, and implement distribution accordingly. Where necessary, send it to special access-controlled output devices.
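AC4 practice 10 (a parallel control file compared with posted data) and AC5 practice 3 (header/trailer control totals balanced against the totals produced at data entry) describe the same reconciliation from two ends. The Python script below is an added example for both practices, written for this edit and not taken from the ISACA document. The pipe-delimited header/detail/trailer layout, the batch file and the data-entry control record are constructed assumptions; the check itself (recompute the totals from the detail records actually present, then compare with the trailer and with the independently captured control record) is the general form of the control.

```python
"""Reconciling batch control totals (COBIT AC4 practice 10 and AC5 practice 3).
Added example, not from the ISACA document.  The pipe-delimited header/detail/
trailer layout and the parallel control file are assumptions for this example."""
from decimal import Decimal

# Constructed sample output file.  Hypothetical layout:
#   H|batch_id|business_date
#   D|txn_id|account|amount
#   T|record_count|amount_total|hash_total   (hash total = sum of account numbers)
SAMPLE_OUTPUT = """\
H|B-0001|2024-01-01
D|T1|1001|250.00
D|T2|1002|75.50
D|T3|1003|1200.00
T|3|1525.50|3006
"""

# Constructed parallel control file: totals recorded by the data-entry system
# as the batch was captured, keyed by batch id.
DATA_ENTRY_CONTROLS = {
    "B-0001": {"count": 3, "amount": Decimal("1525.50"), "hash": 3006},
}


def parse_batch(text: str) -> tuple:
    """Split the file into (header, details, trailer); missing records are None/empty."""
    header, details, trailer = None, [], None
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] == "H" and len(fields) == 3:
            header = {"batch_id": fields[1], "business_date": fields[2]}
        elif fields[0] == "D" and len(fields) == 4:
            details.append({"txn_id": fields[1], "account": fields[2], "amount": fields[3]})
        elif fields[0] == "T" and len(fields) == 4:
            trailer = {"count": int(fields[1]), "amount": Decimal(fields[2]), "hash": int(fields[3])}
    return header, details, trailer


def compute_totals(details: list) -> dict:
    """Recompute the control totals from the detail records actually present."""
    return {
        "count": len(details),
        "amount": sum((Decimal(d["amount"]) for d in details), Decimal("0")),
        "hash": sum(int(d["account"]) for d in details),
    }


def reconcile(text: str, control_file: dict) -> list:
    """Return out-of-balance findings (empty list means the batch balances).
    Checks the trailer against recomputed totals, then the recomputed totals
    against the data-entry control record for the batch."""
    header, details, trailer = parse_batch(text)
    findings = []
    if header is None or trailer is None:
        findings.append("missing header or trailer record")
        return findings
    computed = compute_totals(details)
    for key in ("count", "amount", "hash"):
        if computed[key] != trailer[key]:
            findings.append(f"trailer {key} {trailer[key]} != computed {computed[key]}")
    control = control_file.get(header["batch_id"])
    if control is None:
        findings.append(f"no data-entry control record for batch {header['batch_id']}")
        return findings
    for key in ("count", "amount", "hash"):
        if computed[key] != control[key]:
            findings.append(f"data-entry {key} {control[key]} != computed {computed[key]}")
    return findings


if __name__ == "__main__":
    print("clean batch:", reconcile(SAMPLE_OUTPUT, DATA_ENTRY_CONTROLS))
    lost_record = SAMPLE_OUTPUT.replace("D|T2|1002|75.50\n", "")
    print("lost record:", reconcile(lost_record, DATA_ENTRY_CONTROLS))
    altered = SAMPLE_OUTPUT.replace("1200.00", "1300.00")
    print("altered amount:", reconcile(altered, DATA_ENTRY_CONTROLS))
```

The trailer alone is not a control: a process that drops a record and rewrites its own trailer balances with itself. The comparison against the data-entry control record, produced by a different system at a different time, is what turns the totals into evidence that nothing was added, changed or lost between entry and output.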

AC6 Transaction Authentication and Integrity
Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
1. Where transactions are exchanged electronically, establish an agreed-upon standard of communication and mechanisms necessary for mutual authentication, including how transactions will be represented, the responsibilities of both parties and how exception conditions will be handled.
2. Tag output from transaction processing applications in accordance with industry standards to facilitate counterparty authentication, provide evidence of non-repudiation, and allow for content integrity verification upon receipt by the downstream application.
3. Analyse input received from other transaction processing applications to determine authenticity of origin and the maintenance of the integrity of content during transmission.
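AC6 practices 2 and 3 are the two sides of one exchange: the sending application tags each transaction so that the downstream application can verify origin, addressing and content integrity on receipt. The Python script below is an added example written for this edit; it is not from the ISACA document and the key registry, application ids and message layout are constructed assumptions. It uses an HMAC-SHA256 tag over a canonical encoding of the sender, addressee, sequence number and body, which gives origin authentication and integrity between the two holders of the shared key. It does not give non-repudiation: either key holder could have produced the tag, so where the practice's "evidence of non-repudiation" is required, a digital signature under a key only the sender holds is the appropriate tagging standard.

```python
"""Tagging and verifying transaction messages exchanged between applications
(COBIT AC6 practices 2 and 3).  Added example, not from the ISACA document.
Assumes a pre-shared HMAC key per counterparty (hypothetical key registry)."""
import hashlib
import hmac
import json

# Constructed key registry: counterparty application id -> shared secret.
# A real deployment would load these from a secrets store, never from source.
KEYS = {
    "payroll-app": b"constructed-demo-key-payroll",
    "gl-app": b"constructed-demo-key-gl",
}


def canonical(message: dict) -> bytes:
    """Canonical encoding so sender and receiver MAC exactly the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_message(sender: str, recipient: str, seq: int, body: dict, key: bytes) -> dict:
    """Build an outbound message carrying sender, addressee, sequence number and
    an HMAC-SHA256 tag over all of those fields plus the body."""
    message = {"sender": sender, "recipient": recipient, "seq": seq, "body": body}
    message["mac"] = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return message


class Receiver:
    """Downstream application verifying origin, addressing, integrity and
    sequence of inbound messages before processing them."""

    def __init__(self, app_id: str, keys: dict):
        self.app_id = app_id
        self.keys = keys
        self.last_seq = {}          # highest sequence number accepted per sender

    def verify(self, message: dict) -> tuple:
        """Return (accepted, reason).  A message is accepted only if every check passes."""
        sender = message.get("sender")
        key = self.keys.get(sender)
        if key is None:
            return False, "unknown sender"
        # Content integrity and origin: recompute the tag over everything except the tag itself
        unsigned = {k: v for k, v in message.items() if k != "mac"}
        expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(message.get("mac", ""))):
            return False, "MAC mismatch: content altered or wrong key"
        # Proper addressing: the tag covers the recipient field, so this check is authenticated
        if message.get("recipient") != self.app_id:
            return False, "not addressed to this application"
        # Sequence check: rejects replayed or out-of-order messages from a known sender
        seq = message.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(sender, 0):
            return False, "replayed or out-of-sequence message"
        self.last_seq[sender] = seq
        return True, "ok"


if __name__ == "__main__":
    gl = Receiver("gl-app", KEYS)
    msg = tag_message("payroll-app", "gl-app", 1, {"txn_id": "T1", "amount": "250.00"}, KEYS["payroll-app"])
    print("genuine:", gl.verify(msg))
    tampered = dict(msg, body={"txn_id": "T1", "amount": "2500.00"})
    print("tampered body:", gl.verify(tampered))
    print("replayed:", gl.verify(msg))
```

The order of checks matters: the tag is verified before the recipient and sequence fields are trusted, because those fields are themselves covered by the tag. The per-sender sequence number is the receiver's record for the exception handling that practice 1 asks both parties to agree on; a rejected message should be logged with its reason rather than silently dropped, so that a burst of MAC failures from one counterparty is visible to operations.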
