5. ECONOMIC DATA
5.1. INCOME
5.1.1. b. ANNUAL INCOME FROM PUBLIC FUNDS
Technology general controls include control activities over the technology infrastructure, security management, and technology acquisition, development, and maintenance. They apply to all technology—from information technology applications on a mainframe computer; to client/server, desktop, end-user computing, portable computer, and mobile device environments; to operational technology, such as plant control systems or manufacturing robotics. The extent and rigor of control activities will vary for each of these technologies depending on various factors, such as the complexity of the technology and risk of the underlying business process being supported. Similar to business transaction controls, technology general controls may include both manual and automated control activities.
Technology Infrastructure
Technology requires an infrastructure in which to operate, ranging from communication networks for linking technologies to each other and the rest of the entity, to the computing resources for applications to operate, to the electricity to power the technology. The technology infrastructure can be complex. It may be shared by different business units within the entity (e.g., a shared service center) or outsourced either to third-party service organizations or to location-independent technology services (e.g., cloud computing). These complexities present risks that need to be understood and addressed. Given the broad range of possible changes in the use of technology likely to continue into the future, the organization needs to track these changes and assess and respond to the new risks.
Control activities support the completeness, accuracy, and availability of technology processing. Whether the infrastructure is batch scheduling for a mainframe computer, real-time processing in a client/server environment, mobile wireless devices, or a sophisticated communications network, the technology is actively checked for problems and corrective action taken when needed. Maintaining technology often includes backup and recovery procedures, as well as disaster recovery plans, depending on the risks and consequences of a full or partial outage.
Security Management Processes
Security management includes sub-processes and control activities over who and what has access to an entity’s technology, including who has the ability to execute transactions. They generally cover access rights at the data, operating system (system software), network, application, and physical layers. Security controls over access protect an entity from inappropriate access and unauthorized use of the system and support segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or a simple error (e.g., a well-intentioned employee using a vacationing colleague’s account to get work done, and executing a transaction erroneously or deleting a file because he or she is not properly trained in the work).
Security threats can come from both internal and external sources. The external threat is particularly important for entities that depend on telecommunications networks and the Internet. Technology users, customers, and malicious parties may be halfway around the world or down the hall. The many potential uses of technology and points of entry underscore the importance of security management. External threats have become prevalent in today’s highly interconnected business environments, and continual effort is required to address these risks.
Internal threats may come from former or disgruntled employees who pose unique risks because they may be both motivated to work against the entity and better equipped to succeed in carrying out a malicious act because they have greater access and knowledge of the entity’s security management systems and processes.
User access to technology is generally controlled through authentication control activities where a unique user identification or token is authenticated against an approved list. Technology general controls are designed to allow only authorized users on an approved list. These control activities generally employ a policy of restricting authorized users to the applications or functions commensurate with their job responsibilities and supporting an appropriate segregation of duties. Control activities are used to check requests for access against the approved list. Other control activities are in place to update access when employees change job functions or leave the entity. A periodic review of access rights against the policy is often used to check if access remains appropriate. Access also needs to be controlled when different technology elements are connected to each other.
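The periodic review described above can be automated as a comparison of each account's entitlements against the approved list for its job function. The following is an added example, not part of the original text; the role names, entitlement names, conflict pair, and sample accounts are all constructed assumptions.

```python
# Added example: periodic user-access review. All names and data are constructed.
from dataclasses import dataclass

# Approved list: entitlements each job function may hold (assumed policy).
ROLE_POLICY = {
    "ap_clerk": {"invoice.create", "invoice.view"},
    "ap_manager": {"invoice.view", "payment.approve"},
    "dba": {"db.admin"},
}
# Pairs that one person must not hold together (segregation of duties).
SOD_CONFLICTS = [("invoice.create", "payment.approve")]

@dataclass
class Account:
    user: str
    job: str            # current job function per HR record
    employed: bool      # False once the person has left the entity
    entitlements: frozenset

def review(accounts):
    """Return sorted (user, finding, detail) tuples for access that violates policy."""
    findings = []
    for a in accounts:
        if not a.employed:
            # Leavers should hold no access at all.
            if a.entitlements:
                findings.append((a.user, "leaver_active", ",".join(sorted(a.entitlements))))
            continue
        allowed = ROLE_POLICY.get(a.job)
        if allowed is None:
            findings.append((a.user, "job_not_in_policy", a.job))
            continue
        # Access left over from a previous job function shows up here.
        for e in sorted(a.entitlements - allowed):
            findings.append((a.user, "excess_entitlement", e))
        for x, y in SOD_CONFLICTS:
            if x in a.entitlements and y in a.entitlements:
                findings.append((a.user, "sod_conflict", f"{x}+{y}"))
    return sorted(findings)

# Constructed sample: one clean account, one job changer, one leaver.
SAMPLE = [
    Account("alice", "ap_clerk", True, frozenset({"invoice.create", "invoice.view"})),
    Account("bob", "ap_manager", True, frozenset({"invoice.create", "payment.approve"})),
    Account("carol", "dba", False, frozenset({"db.admin"})),
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(*row, sep="\t")
```

Here the job changer keeps an entitlement from the earlier function, which produces both an excess-entitlement finding and a segregation-of-duties conflict, and the leaver's account is flagged because it still holds access.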
Technology Acquisition, Development, and Maintenance Processes
Technology general controls support the acquisition, development, and maintenance of technology. For example, a technology development methodology provides a structure for system design and implementation, outlining specific phases, documentation requirements, approvals, and checkpoints with controls over the acquisition, development, and maintenance of technology. The methodology provides appropriate controls over changes to technology, which may involve requiring authorization of change requests, verifying the entity’s legal right to use the technology in the manner in which it is being employed, reviewing the changes, approvals, and testing results, and implementing protocols to determine whether changes are made properly. In some companies the development methodology covers the continuum from large development projects to the smallest changes. In other companies there is one distinct process for developing new technology and a separate process for change management. In either case, a change management process will be in place to track changes from initiation to final disposition. Changes may arise as a result of a problem in the technology that needs to be fixed or a request from the user community.
The technology general controls included in a development methodology will vary depending on the risks of the technology initiative. A large or complex development initiative will generally have greater risks than a small or simple initiative. The extent and rigor of the controls over the initiative should be sized accordingly.
One alternative to in-house development is the use of packaged software. Technology vendors provide flexible, integrated systems allowing customization through the use of built-in options. Many technology development methodologies address the acquisition of vendor packages as a development alternative and include the necessary steps to provide control over their selection and implementation. Once selected and implemented, technology general controls outlined above would also apply to the ongoing development and maintenance of technology.
Another alternative is outsourcing. While in principle the same considerations apply whether controls are performed internally or by an outsourced service provider, outsourcing presents unique risks and often requires selecting and developing additional controls over the completeness, accuracy, and validity of information submitted to and received from the outsourced service provider.