Page 246 - COSO Guidance Book
For example, a medical practice may have heightened concerns about patient data maintained by a
third-party service organization compared with maintaining that sensitive information in-house.
Like transaction-processing system controls, technology general controls may include both manual
and automated control activities.
Point of focus — Establishes relevant technology infrastructure control activities
Management selects and develops control activities over the technology infrastructure, which are
designed and implemented to help ensure the completeness, accuracy, and availability of technology
processing.
The framework states that technology requires an infrastructure in which to operate, ranging from
communication networks for connecting technologies with each other and the rest of the entity, to
various computing resources (servers, laptops, and so forth) for applications to operate.
Point of focus — Establishes relevant security management process control activities
Management selects and develops control activities that are designed and implemented to restrict
technology access rights to authorized users commensurate with their job responsibilities and to
protect the entity’s assets from external threats.
The framework notes that security management includes subprocesses and control activities over
who and what has access to an entity’s technology, including who has the ability to execute
transactions. Security management generally addresses access rights at the data, operating system
(system software), network, application, and physical layers, and includes administrative rights at
each of them. Access controls safeguard an entity from inappropriate access to and unauthorized use
of the system, and they also support appropriate segregation of duties. Security threats can
originate from internal or external sources. By preventing unauthorized use of, and changes to, the
system, data and program integrity are protected both from malevolent intent (for example, an
external attacker) and from error (for example, an employee is not granted certain access rights,
such as the ability to make changes to a database, until having received the training and
experience needed to reduce the likelihood of mistakes).
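As an added illustration, not part of the COSO guidance itself, the following Python example shows how the three ideas in the paragraph above can be enforced in code: access rights granted per role (commensurate with job responsibilities), segregation-of-duties conflict pairs that no single person may hold, and a training gate that keeps a permission such as database changes dormant until the required training is complete. The roles, permissions, conflict pairs, training names and users are hypothetical and constructed for this example.

```python
"""Role-based access check with segregation-of-duties (SoD) and training gates.

Added example, not from the COSO guidance. All roles, permissions, conflict
pairs, training names and users are hypothetical and constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Permissions are "<layer>:<resource>:<action>" across the layers the
# framework names (data, os, network, application, physical).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk":      {"application:ap:create_invoice", "data:ap:read"},
    "ap_approver":   {"application:ap:approve_invoice", "data:ap:read"},
    "dba":           {"data:gl:write", "data:ap:write", "os:dbhost:login"},
    "dba_trainee":   {"data:gl:read", "data:ap:read"},
    "network_admin": {"network:core:config", "os:fw01:login"},
    "facilities":    {"physical:server_room:enter"},
}

# Segregation of duties: no single person may hold both halves of a pair.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("application:ap:create_invoice", "application:ap:approve_invoice"),
    ("data:gl:write", "application:ap:approve_invoice"),
]

# Permissions that stay dormant until the named training is completed,
# mirroring the database-change example in the text (hypothetical names).
TRAINING_GATES: Dict[str, str] = {
    "data:gl:write": "db_change_management",
    "network:core:config": "network_change_management",
}


@dataclass
class User:
    name: str
    roles: Set[str]
    trained: Set[str] = field(default_factory=set)


def effective_permissions(user: User) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(user: User) -> List[Tuple[str, str]]:
    """Conflict pairs for which the user holds both permissions."""
    perms = effective_permissions(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def authorize(user: User, permission: str) -> Tuple[bool, str]:
    """Decide one access request; returns (allowed, reason).

    A permission not granted by any role is refused first; only granted
    permissions are then checked against SoD pairs and training gates.
    """
    perms = effective_permissions(user)
    if permission not in perms:
        return False, "not granted by any assigned role"
    for a, b in SOD_CONFLICTS:
        if permission in (a, b):
            other = b if permission == a else a
            if other in perms:
                return False, f"segregation-of-duties conflict with {other}"
    required = TRAINING_GATES.get(permission)
    if required and required not in user.trained:
        return False, f"requires completed training: {required}"
    return True, "allowed"


def access_review(users: List[User]) -> Dict[str, List[Tuple[str, str]]]:
    """Periodic access review: users whose role combination violates SoD."""
    return {u.name: sod_violations(u) for u in users if sod_violations(u)}


# Constructed sample population for the review.
SAMPLE_USERS: List[User] = [
    User("alice", {"ap_clerk"}),
    User("bob", {"ap_clerk", "ap_approver"}),            # SoD conflict
    User("carol", {"dba"}),                              # not yet trained
    User("dave", {"dba"}, trained={"db_change_management"}),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u.name, authorize(u, "application:ap:approve_invoice"))
    print(access_review(SAMPLE_USERS))
```

The request-time check in `authorize` stops a conflicting action even if roles were mis-assigned, while `access_review` gives the detective control: a periodic listing of users whose combined roles violate a conflict pair, which is what an auditor would ask to see.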
An example of an adverse financial consequence of a security breach by external attackers is the 2013
breach at the major retailer Target. The breach is cited as a major factor in Target’s fourth-quarter
earnings dropping 46%. Over 40 million customer debit and credit cards were compromised, and personal
information was stolen from over 70 million individuals.[5]
Point of focus — Establishes relevant technology acquisition, development, and maintenance process control activities
Management selects and develops control activities over the acquisition, development, and
maintenance of technology and its infrastructure to achieve management’s objectives.
The framework states that technology general controls support the acquisition, development, and
maintenance of technology.
[5] http://online.wsj.com/news/articles/SB10001424052702304255604579406694182132568?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702304255604579406694182132568.html
© 2020 Association of International Certified Professional Accountants. All rights reserved. 5-12