AO General Computer Controls - Coggle Diagram
Access Controls

Possible weaknesses in access controls and recommendations for improvements:

1.) Lack of password complexity requirements.
  Weaknesses:
  - Lack of length: short passwords offer less protection against automated password-cracking tools.
  - Insufficient variety: in the absence of guidelines specifying the inclusion of diverse character types, weak passwords that are easily guessable result.
  - Lack of password policy enforcement: without enforcement, there is no incentive for employees to adhere to strong password practices.
  - Lack of periodic updates: if passwords are not regularly changed, the chances of unauthorized access increase.
  - Lack of education: employees may not be aware of the importance of using strong passwords or may not understand the potential risks associated with weak passwords.
  Recommendation:
  Implement stronger password complexity requirements, such as including a combination of uppercase and lowercase letters, numbers and special characters. Additionally, encourage employees to choose unique and non-guessable passwords.
2.) Lack of user IDs.
  Weaknesses:
  Recommendation:
  Implement unique user IDs for all employees.
1.) System development & implementation controls

1.) Project Authorisation and Management
  Weaknesses and recommendations in the authorisation of the development of the new system:
  1.) Lack of comprehensive stakeholder involvement: include representatives from all relevant departments, including the user department and internal/external auditors, to gather diverse perspectives and ensure a comprehensive understanding of system requirements.
  2.) Insufficient evaluation of technical soundness and compatibility: conduct a thorough assessment of technical soundness and compatibility with existing systems to identify and address any integration challenges or potential failures.
  3.) Inadequate emphasis on a detailed feasibility study: perform a comprehensive feasibility study, considering financial, technical, operational and organisational aspects, to assess viability, benefits, costs and risks before authorising the project.
  4.) Lack of a defined project management structure: establish a structured project management framework with a steering committee responsible for oversight, authorisation, adherence to timelines and budgets, and monitoring of quality requirements.
  5.) Immediate conversion without a transition plan: develop a comprehensive transition plan to ensure a smooth conversion process, including data migration, user training, testing and post-conversion support.

2.) System specification and user needs

3.) System design and programming standards

4.) Testing of new system
  Testing of a self-developed system should be carried out in 3 stages:
  - Program testing: checking the logic of the programs against their specifications.
  - System testing: ensure the logic of the various individual programs links together to form a system in line with the detailed system description.
  - Live testing:
    - Parallel running: run the new system in parallel with the old system. Problem: cost of double processing, difficulty of comparison (e.g. additional information in the new system).
    - Pilot running: introduce the system for only a small portion of the operation.

5.) Conversion to new system
  Weaknesses and recommendations in the conversion of the computer system:
  1.) Lack of proper planning and preparation: develop a detailed plan with timetables, methods and preparations for data files. Ensure constant power and air conditioning in the premises.
  2.) Insufficient control over data conversion: establish a data control group and involve senior management and auditors to supervise and ensure data integrity.
  3.) Inadequate testing: conduct comprehensive testing, including balancing files, third-party confirmations, exception report follow-up, parallel testing and user approval.
  4.) Lack of a backup system: invest in a reliable backup device or system for regular data backup and quick recovery in case of system failures or data loss.
2.) Systems maintenance

Systems maintenance weaknesses and recommendations:
  - Inconsistent review of outstanding change requests by senior officials: implement a regular review of outstanding change requests by senior officials.
  - Insufficient documentation of change requests and approvals: establish a comprehensive documentation process for change requests and approvals.
  - Failure to ensure that all changes are made in accordance with user needs: ensure that all changes are made in accordance with user needs through regular communication with the data processing department.
  - Lack of clear guidelines for the testing process: develop and document clear guidelines for testing changes.
3.) Organisational and management controls

Organisational and management controls weaknesses and recommendations:
  1.) Lack of segregation of duties: insufficient separation of responsibilities among system analysts, programmers and operators, and limited segregation in transaction initiation, authorization, processing and safeguarding.
  2.) Inadequate organizational controls
  3.) Weak staff practices and processing
  4.) Employment practices
  5.) Insufficient controls against computer viruses
  6.) Lack of supervision and review
Computer operating controls
System software controls
Business continuity

Business continuity weaknesses and recommendations:
  1.) Lack of a comprehensive disaster recovery plan: :star: establish an emergency plan and disaster recovery procedures, including assigning responsibilities, compiling a list of files and data to be recovered, arranging alternative processing facilities, documenting and testing the recovery plan, and ensuring adequate insurance coverage for all equipment.
  2.) Inconsistent backups for critical files and programs: :star: regular backups are performed on a rotational basis with online/real-time functionality, storing backup files offsite, utilizing hardware backup facilities, keeping them in a fireproof safe, and retaining files/records for the necessary duration.
  3.) Inadequate off-site storage for backups: implement secure off-site storage, such as cloud storage or off-site data centers, to protect backups from physical damage.
  4.) Lack of testing and validation of backup procedures: conduct periodic tests and drills to validate the effectiveness of backup and recovery procedures.
  5.) Failure to maintain updated lists for key personnel: establish and update contact lists regularly to ensure effective communication during emergencies.
  6.) Lack of redundancy in critical systems and infrastructure: implement redundancy measures in critical systems to minimize single points of failure.
  7.) Failure to conduct regular risk assessments: conduct periodic risk assessments to identify threats and weaknesses, and implement appropriate controls and mitigation strategies.
  8.) Lack of regular review and updates to the business continuity plan: regularly review and update the plan to reflect changes in technology, personnel and business operations.
  9.) Physical security: :star: the physical environment should provide protection against the elements, such as rain, thunder and lightning, with functioning fire extinguishers available and tested for effectiveness, while keeping water sources, including flower vases, away from water pipes.