update SOX

Dennis Eichhorn 2022-11-30 23:54:25 +01:00
parent b9e539946d
commit 564fd774af
3 changed files with 90 additions and 75 deletions

View File

@ -2,43 +2,40 @@
| No. | Component | Control Area | Question | Answer | Evidences |
| ---- | ----------------------------- | ------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 1 | Control Environment | Principle of financial reporting | Do you have basic financial reporting policies? | Yes, the organization follows the German law regarding financial reporting and internal reporting guidelines. | Financial laws (i.e. HGB, AO, Ustg, ...)<br />Policies: Reporting<br />Process: Finance |
| 2 | Control Environment | Understanding accounting policies | Are the selected accounting principles approved? | Yes, employees are required to act according to the the German law and follow the accounting policies. | Financial laws (i.e. HGB, AO, Ustg, ...)<br />Policies: Accounting |
| 3 | Control Environment | Management philosophy and application | Does management determine the management philosophy, operating style and code of ethics and manifest them to employees? | Yes, all are described in the organization guidelines | [Code of Conduct](../../Policies%20%26%20Guidelines/Code%20of%20Conduct.md)<br />Organization Guidelines<br />Conflict of Interest Policy<br />Confidentiality Policy |
| 4 | Control Environment | Management philosophy and application | Do you have any procedures or processes to re-mediate detected behaviors deviating from the management philosophy, operating style and code of ethics | Yes, public email to submit deviating behavior, public discussion and issue tracker to bring forward deviating behavior | [Code of Conduct](../../Policies%20%26%20Guidelines/Code%20of%20Conduct.md)<br />[Discussions](https://github.com/orgs/Karaka-Management/discussions)<br />[Issues](https://github.com/Karaka-Management/Karaka/issues) |
| 5 | Control Environment | Management philosophy and application | In case you find deviations from the principles, do you deal with them according to the predetermined procedures or processes? | Yes, so far no such case occurred | Code of Conduct<br />Organization Guidelines<br />Conflict of Interest Policy<br />Confidentiality Policy |
| 6 | Control Environment | Director | Do you have any company rules to clearly specify that the board of directors or a director in charge have responsibilities for appropriately supervising and monitoring the management in regard to the financial reporting and relevant internal controls? | Yes, legal obligations and the finance process must be followed. | Process: Finance |
| 7 | Control Environment | Director | Does the board of directors or corporate auditors supervise the performance of management regard the financial reporting and relevant internal controls? | Yes, financial controls are audited by independent auditors | Annual year end audit |
| 8 | Control Environment | Organization | Does the management appropriately improve organizational structures or practices to resolve existing problems considering the size, content of the operations and business objectives of the company? | Yes, during the budget process and if necessary based on information provided during meetings such as the executive committee meeting. | Budget<br />Executive Committee Meeting Minutes |
| 9 | Control Environment | Organization | Does the management assign roles in regard to each function and activity unit in the company? | Yes. This can be seen in the organigram. | Organigram<br />Processes<br />Checklists |
| 10 | Control Environment | Organization | Do you have any rules to clarify segregation of duties and appropriately delegate authority and responsibilities to personnel in charge of each function and activity unit in the company? | Yes. This can be seen in the organigram and in the processes. | Organigram<br />Processes<br />Checklists |
| 11 | Control Environment | Organization | Does the management assign a person in charge for each role? | Yes. This can be seen in the organigram. | Organigram<br />Processes<br />Checklists |
| 12 | Control Environment | Power | Are the assignment of responsibilities and delegation of authority made clear to all employees? | Yes. This can be seen in the organigram and processes. | Organigram<br />Processes<br />Checklists |
| 13 | Control Environment | Power | Is the delegation of responsibilities and authority to employees, etc. kept at appropriate levels, not without limitation? | Yes. This can be seen in the organigram and processes. | Organigram<br />Processes<br />Checklists |
| 14 | Control Environment | Power | Are the delegation of responsibilities and authority to employees, etc. updated on a timely basis in case organizational structures or other fundamentals of the company are changed? | Yes. This can be seen in the organigram and processes. | Organigram<br />Processes<br />Checklists |
| 15 | Control Activities | Business procedure | Are policies and procedures or operating manuals established to ensure the performance of control activities that sufficiently mitigate and address the risks in business operations, especially in regard to the reliability of the financial reporting? | Yes. This is done in the risk control matrix of every process, risk management, CLC and ITGC. | Process Risk Control Matrix<br />Risk Management<br />Risk Review<br />CLC<br />ITGC |
| 16 | Control Activities | Business procedure | How do you confirm if employees perform their operations in compliance with policies and procedures or operating manuals? | This is done through the implemented controls and annual risk review. | Process Risk Control Matrix<br />Risk Review |
| 17 | Control Environment | Personnel deployment and training | Does the management identify the competencies necessary for the company and procure/dispatch qualified personnel | Yes, this is done during the HR search and the employee evaluation. | Job description<br />Employee Evaluation Form |
| 18 | Control Environment | Personnel deployment and training | Are the competencies necessary reviewed regularly and maintained appropriately? | Yes, this is done during the HR search and the annual employee evaluation. | Job description<br />Employee Evaluation Form |
| 19 | Control Environment | Personnel deployment and training | Does the management provide employees, etc. with the means, training etc. necessary to fulfill their duties and support them in the improvement of their abilities? | Yes, this is done during the training period and checked in the employee evaluation. | Training Form<br />Employee Evaluation Form |
| 20 | Control Environment | Personnel evaluation | Do you have personnel evaluation standards? | Yes, all employee evaluations must be performed based on the standard evaluation form. | Employee Evaluation Form |
| 21 | Control Environment | Personnel evaluation | Are the personnel evaluation standards regularly reviewed and updated appropriately? | Yes, during the annual quality management audit. | Quality Management Audit Checklist |
| 22 | Risk Assessment and Response | Risk assessment structure | Is there an effective risk assessment system that involves appropriate levels of the management and managers? | Yes. | Risk Management<br />Risk Review<br />Risk Register<br />Processes<br />Process Risk Control Matrix |
| 23 | Risk Assessment and Response | Risk assessment structure | Does the management asses the risk considering not only superficial facts but also backgrounds, incidents and other substantial elements? | Yes. | Risk Management<br />Risk Review<br />Risk Register<br />Processes<br />Process Risk Control Matrix |
| 24 | Risk Assessment and Response | Risk assessment structure | Does the management appropriately assess and address fraud risks based on not only superficial facts regarding fraud, but also incentives, causes, backgrounds and other factors that may result in fraud? | Yes. | Risk Management<br />Risk Review<br />Risk Register<br />Processes<br />Process Risk Control Matrix |
| 25 | Risk Assessment and Response | Risk assessment structure | Does the management reassess the risk and take appropriate measures whenever changes occur that may have a significant impact on the company? | Yes, this is done at least annually during the risk review. | Risk Review |
| 26 | Communication and information | Communicating information | Are the management's or supervisor's instruction communicated to all employees? | Yes, this is done by providing the processes, policies and guidelines to all employees. | Processes<br />Policies |
| 28 | Communication and information | Internal reporting | Do you have the Whistleblower System or other internal reporting program? | Yes, there is a email address which sends the incident to all executive committee members. | compliance@karaka.app |
| 29 | Communication and information | Internal reporting | Is the system or program in operation according to its original design? | Yes, according to the annual check. | Quality Management Audit Checklist |
| 30 | Communication and information | Financial information | How does the management acquire or access the accounting and financial information of the company? | Financial information are provided during the budgeting process, monthly reporting and executive committee meeting. | Budget<br />Monthly Reporting<br />Executive Committee Meeting |
| 31 | Communication and information | Financial information | How are the accounting and financial information or data from relevant business processes input to your accounting system or application? | Partly automatic (e.g. invoice scanning, customer invoices, online orders) and partly manually (e.g. accruals, manual bookings) | |
| 32 | Communication and information | Information sharing with managements | Do you have any internal rules documents which stipulate that the managements should share business an other information with each other? | Yes, this is defined in the management process and organization guidelines. | Process: Management<br />Organization Guidelines |
| 33 | Communication and information | Information sharing with managements | Does your management share information with each other in actual business? | Yes. During executive committee meetings, monthly reporting and budgeting process. | Executive Committee Meeting Minutes<br />Monthly Reporting<br />Annual Budget |
| 34 | Monitoring | Ongoing monitoring | Are ongoing monitoring activities appropriately embedded within the company's overall business operations? | Yes, this is done during the monthly reporting, annual budget, executive committee meeting and risk review. | Monthly Reporting<br />Budget<br />Executive Committee Meeting Minutes<br />Risk Review |
| 35 | Monitoring | Ongoing monitoring | Are the ongoing monitoring activities operated appropriately according to the original designs and purposes? | Yes. | Quality Management Audit Checklist |
| 36 | Monitoring | Independent monitoring | Do you have any independent monitoring system other than ongoing monitoring activities embedded within the company's business operations, such as internal audits? | Yes, internal audits are performed. | Internal Quality Management Audit |
| 37 | Monitoring | Independent monitoring | Are the ongoing monitoring activities operated appropriately according to the original designs and purposes | Yes. | Quality Management Audit Checklist |
| 38 | Monitoring | Response to results of monitoring | Are errors, material weakness of internal controls, etc. detected through the performance of control activities or noticed from outside the company timely reported to the management or senior managers and appropriately investigated and properly addressed? | Yes, this is ensured through the executive committee meeting, risk review, internal audit and Whistleblower system. | Executive Committee Meeting Minutes<br />Risk Review<br />Internal Quality Management Audit |
| 1 | Control Environment | Management philosophy and application | Does management determine the management philosophy, operating style and code of ethics and how are they communicated to the employees? | Yes, all are described in the organization guidelines which are available to every employee. | [Code of Conduct](../../Policies%20%26%20Guidelines/Code%20of%20Conduct.md)<br />Organization Guidelines<br />Conflict of Interest Policy<br />Confidentiality Policy |
| 2 | Control Environment | Management philosophy and application | Which procedures or processes do you have to re-mediate detected behaviors deviating from the management philosophy, operating style and code of ethics. | Employees can submit deviations to a public email and employees can openly mention such deviations. | [Code of Conduct](../../Policies%20%26%20Guidelines/Code%20of%20Conduct.md)<br />[Discussions](https://github.com/orgs/Karaka-Management/discussions)<br />[Issues](https://github.com/Karaka-Management/Karaka/issues) |
| 3 | Control Environment | Management philosophy and application | In case you find deviations from the principles, how do you deal with them? | So far no such case occurred but the company deals with them according to the German law and as described in the policies. | Code of Conduct<br />Organization Guidelines<br />Conflict of Interest Policy<br />Confidentiality Policy |
| 4 | Control Environment | Director | How do you define the responsibilities of the management in regard to the financial reporting and relevant internal controls? | They are defined by the legal obligations and the processes. | Processes |
| 5 | Control Environment | Director | How does the board of directors or corporate auditors supervise the performance of management regard the financial reporting and relevant internal controls? | The financial statement and controls are audited annualy by independent auditors. | Annual year end audit |
| 6 | Control Environment | Organization | How does the management appropriately improve organizational structures or practices to resolve existing problems considering the size, content of the operations and business objectives of the company? | During the budget process and if necessary based on information provided during meetings such as the executive committee meeting. | Budget<br />Executive Committee Meeting Minutes |
| 7 | Control Environment | Organization | How does the management assign roles in regard to each function and activity unit in the company? | This is handled in the organigram. | Organigram<br />Processes<br />Checklists |
| 8 | Control Environment | Organization | How do you clarify segregation of duties and appropriately delegate authority and responsibilities to personnel in charge of each function and activity unit in the company? | This is implemented in the organigram and in the processes. | Organigram<br />Processes<br />Checklists |
| 9 | Control Environment | Organization | Does the management assign a person in charge for each role? | Yes. This can be seen in the organigram. | Organigram<br />Processes<br />Checklists |
| 10 | Control Environment | Power | How are the assignment of responsibilities and delegation of authority made clear to all employees? | This can be seen in the organigram and processes available to all employees. | Organigram<br />Processes<br />Checklists |
| 11 | Control Environment | Power | How are the delegation of responsibilities and authority to employees, etc. updated in case organizational structures or other fundamentals of the company are changed? | Updates are implemented immediately on organizational structure changes or in case of changes in employees. | Organigram<br />Processes<br />Checklists |
| 12 | Control Activities | Business procedure | Which policies and procedures or operating manuals established to ensure the performance of control activities that sufficiently mitigate and address the risks in business operations, especially in regard to the reliability of the financial reporting exist? | The company implemented the process descriptions, risk control matrices of every process, risk management, CLC and ITGC. | Process Risk Control Matrix<br />Risk Management<br />Risk Review<br />CLC<br />ITGC |
| 13 | Control Activities | Business procedure | How do you confirm if employees perform their operations in compliance with policies and procedures or operating manuals? | This is done through the implemented controls and annual risk review. | Process Risk Control Matrix<br />Risk Review |
| 14 | Control Environment | Personnel deployment and training | How does the management identify the competencies necessary for the company and procure/dispatch qualified personnel | This is done during the HR search and the employee evaluation. | Job description<br />Employee Evaluation Form |
| 15 | Control Environment | Personnel deployment and training | How are the competencies necessary reviewed regularly and maintained appropriately? | This is done during the HR search and the annual employee evaluation. | Job description<br />Employee Evaluation Form |
| 16 | Control Environment | Personnel deployment and training | Does the management provide employees, etc. with the means, training etc. necessary to fulfill their duties and support them in the improvement of their abilities and how is this implemented? | This is done during the training period and checked in the employee evaluation. If additional training or competencies are identified they are trained internally or through external seminars. | Training Form<br />Employee Evaluation Form |
| 17 | Control Environment | Personnel evaluation | What are your personnel evaluation standards? | All employee evaluations must be performed based on the standard evaluation form once a year. | Employee Evaluation Form |
| 18 | Control Environment | Personnel evaluation | How are the personnel evaluation standards regularly reviewed and updated appropriately? | During the annual quality management audit the evaluation form is reviewed. | Quality Management Audit Checklist |
| 19 | Risk Assessment and Response | Risk assessment structure | Is there an effective risk assessment system that involves appropriate levels of the management and managers? | Yes. | Risk Management<br />Risk Review<br />Risk Register<br />Processes<br />Process Risk Control Matrix |
| 20 | Risk Assessment and Response | Risk assessment structure | Does the management asses the risk considering not only superficial facts but also backgrounds, incidents and other substantial elements? | Yes. | Risk Management<br />Risk Review<br />Risk Register<br />Processes<br />Process Risk Control Matrix |
| 21 | Risk Assessment and Response | Risk assessment structure | Does the management appropriately assess and address fraud risks based on not only superficial facts regarding fraud, but also incentives, causes, backgrounds and other factors that may result in fraud? | Yes. | Risk Management<br />Risk Review<br />Risk Register<br />Processes<br />Process Risk Control Matrix |
| 22 | Risk Assessment and Response | Risk assessment structure | How does the management reassess the risk and take appropriate measures whenever changes occur that may have a significant impact on the company? | This is done at least annually during the risk review. | Risk Review |
| 23 | Communication and information | Communicating information | How are the management's or supervisor's instruction communicated to all employees? | This is done by providing the processes, policies and guidelines to all employees. | Processes<br />Policies |
| 24 | Communication and information | Internal reporting | Do you have the Whistleblower System or other internal reporting program? | Yes, there is a whistleblower system in place. | Whistleblower System |
| 25 | Communication and information | Internal reporting | Is the system or program in operation according to its original design? | Yes, according to the annual check. | Quality Management Audit Checklist |
| 26 | Communication and information | Financial information | How does the management acquire or access the accounting and financial information of the company? | Financial information are provided during the budgeting process, monthly reporting and executive committee meeting. | Budget<br />Monthly Reporting<br />Executive Committee Meeting |
| 27 | Communication and information | Financial information | How are the accounting and financial information or data from relevant business processes input to your accounting system or application? | Partly automatic (e.g. invoice scanning, customer invoices, online orders) and partly manually (e.g. accruals, manual bookings) | |
| 28 | Communication and information | Information sharing with managements | What are your internal rules regarding information sharing for the management? | This is defined in the management process and organization guidelines. | Process: Management<br />Organization Guidelines |
| 29 | Communication and information | Information sharing with managements | How does your management share information with each other in actual business? | During executive committee meetings, monthly reporting and budgeting process. | Executive Committee Meeting Minutes<br />Monthly Reporting<br />Annual Budget |
| 30 | Monitoring | Ongoing monitoring | How are ongoing monitoring activities appropriately embedded within the company's overall business operations? | This is done during the monthly reporting, annual budget, executive committee meeting and risk review. | Monthly Reporting<br />Budget<br />Executive Committee Meeting Minutes<br />Risk Review |
| 31 | Monitoring | Ongoing monitoring | Are the ongoing monitoring activities operated appropriately according to the original designs and purposes? | Yes. | Quality Management Audit Checklist |
| 32 | Monitoring | Independent monitoring | Do you have any independent monitoring system other than ongoing monitoring activities embedded within the company's business operations, such as internal audits and how are they implemented? | Yes, internal audits are performed. | Internal Quality Management Audit |
| 33 | Monitoring | Independent monitoring | Are the ongoing monitoring activities operated appropriately according to the original designs and purposes | Yes. | Quality Management Audit Checklist |
| 34 | Monitoring | Response to results of monitoring | How are errors, material weakness of internal controls, etc. detected through the performance of control activities or noticed from outside the company timely reported to the management or senior managers and appropriately investigated and properly addressed? | This is ensured through the executive committee meeting, risk review, internal audit and Whistleblower system. | Executive Committee Meeting Minutes<br />Risk Review<br />Internal Quality Management Audit |
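Review bot: rows 31 and 33 now ask the identical question ("Are the ongoing monitoring activities operated appropriately according to the original designs and purposes"), so the Independent monitoring row never asks whether the internal audits themselves run as designed; this was carried over from old rows 35 and 37, and row 33 still lacks its question mark. Row 32 was extended with "and how are they implemented?" but its answer stayed "Yes, internal audits are performed.", so the how is not answered. Row 24's evidence was changed from the concrete channel in the old row 28 (`compliance@karaka.app`, which sends the incident to all executive committee members) to the generic "Whistleblower System"; keep the concrete reference, since that is what an auditor will ask to see. Minor: "asses" (row 20), "annualy" and "regard the financial reporting" (row 5), row 2 ends with a period instead of a question mark, row 14 has none. The contiguous renumbering 1 to 34 correctly closes the old 26 to 28 gap.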

View File

@ -0,0 +1,18 @@
# Financial Statement Closing Process (FSCP)
| No. | Component | Control Area | Question | Answer | Evidences |
| ---- | -------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 1 | General closing | Principle of financial reporting | Which basic financial reporting policies do you have? | The organization follows the German law regarding financial reporting and has various internal reporting policies and guidelines. | Financial laws (i.e. HGB, AO, Ustg, ...)<br />Policies: Accounting<br />Process: Finance |
| 2 | General closing | Understanding accounting policies | Who approves the accounting policies and how are changes implemented? | The company follows the German laws. Internal accounting policies are approved by the CFO. Changes can be implemented by any accounting employee but must be approved by the CFO. | Financial laws (i.e. HGB, AO, Ustg, ...)<br />Policies: Accounting |
| 3 | General closing | Accounting manual | Which accounting manuals and related documents exist? | Policies: Accounting<br />Process: Finance | |
| 4 | General closing | Seggregation of duties | How are the duties of posting financial data, collecting financial data and approving financial data for the reporting seggregated? | Financial data is posted by accountants, the collection of financial data is handled by controllers and the approval of the reporting data is performed by the CFO. | |
| 5 | General closing | Management of accounting system | What are the accounting systems access control mechanisms and how are they implemented? | The accounting system is username and password protected with access restrictions according to the position and function of every person. | |
| 6 | General closing | Management of accounting system | How is the financial data stored and maintained in the accounting system to prevent them from being altered unauthorized? | Accounting data are stored digitally and can only be accessed and modified based on individual user permissions. | |
| 7 | General closing | Management of accounting system | What are the accounting systems functions to prevent alterations or modifications after the settlement of the accounts? | Accounting periods can be locked preventing further alterations in the accounting system. | |
| 8 | General closing | Closing schedule | What is your closing schedule and how do you ensure the completion of the closing in time? | | |
| 9 | None-consolidation closing | Information and evidence | Do you keep references for financial statements including evidences such as contracts and invoices of significant transactions and how do you store them? | References are stored digitally for at least 10 years according to the German law. | |
| 10 | None-consolidation closing | Preparation and approval of non-consolidated financial information | How do you prepare figures of accounts, such as allowances, which need accounting estimates? | Estimates are performed based on historic experiences and risk avoidance. | |
| 11 | None-consolidation closing | Preparation and approval of non-consolidated financial information | How do you ensure the completeness and correctness of the journal entries? | Completeness is ensured by comparison to historic and budget figures as well as open orders. Correctness is ensured through comparison with historic and budget figures. | |
| 12 | None-consolidation closing | Preparation and approval of non-consolidated financial information | Which financial analysis do you perform (e.g. comparison of actuals and budget/previous year, KPI analysis, ...)? | Actual vs. budget, actual vs. previous year and KPI figures are analysed. | |
| 13 | Reporting package | Preparation and approval of reporting package | How do you ensure the necessary competencies for the employees involved in the creation of the financial closing and financial reporting? | This is done during the HR search and the employee evaluation. | |
| 14 | Reporting package | Preparation and approval of reporting package | Who approves the reporting package or revisions thereof? | CFO | |
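Review bot: row 8 (closing schedule) has empty Answer and Evidences cells, and row 3 carries its evidence references ("Policies: Accounting<br />Process: Finance") in the Answer column with Evidences empty; fill row 8 or mark it as open, and move row 3's references into the Evidences column. Rows 4 to 14 cite no evidence at all although the answers name artifacts that exist elsewhere in this commit (the Permission List from the ITGC access-control table for rows 5 and 6, the period-lock function for row 7, the Employee Evaluation Form for row 13). Row 11 answers completeness and correctness with the same check (comparison with historic and budget figures), so the distinction the question asks for is lost. Spelling: "Seggregation"/"seggregated" in row 4, and "None-consolidation" should read "Non-consolidation" to match "non-consolidated" in the Control Area column.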

View File

@ -30,11 +30,11 @@
| No. | Question | Component | Situation | Evidences |
| ---- | ------------------------------------------------------------ | --------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 1 | Policies and procedures for development and maintenance are described in a formal way | A, OS, DB, N, O | Documentations are prepared by the IT team and authorized by the head of IT | Process: Development<br />Process: Support & Service<br />Policies: IT |
| 2 | Roles and responsibilities concerning development and maintenance are clearly defined | A, OS, DB, N, O | IT personnel incl. service vendors perform changes | Process: Development<br />Process: Support & Service<br />Organigram |
| 3 | Changes are tested and their results are approved | A, OS, DB, N, O | Before updates for third party software are performed on the servers they are tested in a testing environment. Self-developed software changes are tested according the development process. | Third party: Software validation<br />Process: Development<br />Internal: Test protocols |
| 4 | Changes are approved for their migration to the production environment | A, OS, DB, N, O | The change in the production environment is approved by the head of IT for third party software and for self-developed changes according the development process. | Third party: Software validation<br />Process: Development<br />Internal: Merge protocol |
| 5 | Procedures are in place for preventing/detecting unauthorized changes to the production environment | A, OS, DB, N, O | Only the head of IT can install updates on the servers. Only the head of IT has the necessary IT authentication and IT permission. For self-developed changes all changes, merges can only be performed from authorized personnel and all merges are logged in merging protocols. | Permission List |
| 1 | How are policies and procedures for development and maintenance prepared? | A, OS, DB, N, O | Policies and procedures for development and maintenance are described in a formal way. Documentations are prepared by the IT team and authorized by the head of IT | Process: Development<br />Process: Support & Service<br />Policies: IT |
| 2 | How are roles and responsibilities concerning development and maintenance defined? | A, OS, DB, N, O | Roles and responsibilities concerning development and maintenance are clearly defined in the IT process and policies. IT personnel incl. service vendors perform changes | Process: Development<br />Process: Support & Service<br />Organigram |
| 3 | How are changes tested and their results approved? | A, OS, DB, N, O | Before updates for third party software are performed on the servers they are tested in a testing environment. Self-developed software changes are tested according the development process. | Third party: Software validation<br />Process: Development<br />Internal: Test protocols |
| 4 | How are changes approved for their migration to the production environment? | A, OS, DB, N, O | The change in the production environment is approved by the head of IT for third party software and for self-developed changes according the development process. | Third party: Software validation<br />Process: Development<br />Internal: Merge protocol |
| 5 | What procedures are in place for preventing/detecting unauthorized changes to the production environment? | A, OS, DB, N, O | Only the head of IT can install updates on the servers. Only the head of IT has the necessary IT authentication and IT permission. For self-developed changes all changes, merges can only be performed from authorized personnel and all merges are logged in merging protocols. | Permission List |
## System Security (Access Control)
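Review bot: row 5 answers the preventing/detecting question only on the preventive side for the servers (only the head of IT holds the credentials to install updates), while a detective record (merge protocols) exists only for self-developed changes; state how server updates are logged and reviewed, otherwise the detection half of the control is undocumented for the OS, DB and N components, and the table names no deputy for the single person holding those rights. Rows 1 and 2 now repeat the old statement inside the Situation cell ("Policies and procedures for development and maintenance are described in a formal way."), which only restates the question; keep the actual situation. Minor: rows 1 and 2 lack terminal periods, and "according the development process" (rows 3 and 4) should be "according to".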
@ -42,28 +42,28 @@
| Question | Component | Situation | Evidences |
| ------------------------------------------------------------ | ------------ | ------------------------------------------------------------ | ------------------------------- |
| Number of users | A | Large number of users in large number of user locations/departments | Organigram<br />Permission List |
| Number of users | OS, DB, N, O | Number of users and user locations/departments is limited | Organigram<br />Permission List |
| What is the number of user? | A | Large number of users in large number of user locations/departments | Organigram<br />Permission List |
| What is the number of user? | OS, DB, N, O | Number of users and user locations/departments is limited | Organigram<br />Permission List |
| Frequency of "direct data change"<br /><br />(*"direct data change" means to change data with the utilities such as SQL software*) | N | No direct change to data has been required since its implementation, as the system has been in stable operation | |
### Assessment of Design Effectiveness
| No. | Question | Component | Situation | Evidences |
| ---- | ------------------------------------------------------------ | --------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 1 | User authentication is required | A, OS, DB, N, O | User-ID and password are assigned on an individual basis | Application login screen<br />OS login screen<br />DB login screen<br />Server login screen |
| 2 | User and access rights granted to each user are documented | A | A list of users is prepared with the rights granted to each user. This list is generated from the system | Application permission List |
| 2 | User and access rights granted to each user are documented | OS, DB, N, O | A list of users is prepared with the rights granted to each user | Permission List |
| 3 | Policies and procedures for user-ID administration (add, change, remove, and periodic user validation) are described in an authorized documentation | A, OS, DB, N, O | The documentation is prepared and authorized by the head of IT | |
| 4 | Periodic user validation is performed, this means each user's access rights are reviewed on a periodic basis | A, OS, DB, N, O | Performed both in terms of existence of user and the detailed access rights granted to each user-ID on an annual basis by the head of IT | |
| 5 | User-ID administration requests are approved by managers in user dpt. and/or IT dpt, as appropriate | A, OS, DB, N, O | Records are maintained in the change management | |
| 6 | Access to privileged IT functions is restricted to appropriate personnel | A, OS, DB, N, O | These functions are restricted to IT personnel. Logs of the use of such privileged user-IDs are reviewed annually | |
| 7 | The level of complexity in password settings are appropriate | A, OS, DB, N, O | Password complexity is configured based on a minimum length of 8, at least one upper case letter, at least one lower case letter, at least one special character and at least one numeric value. Password changes must happen every 3 months | |
| 8 | Policies and procedures for direct change to data are described in a documentation | DB | Only the head of IT may perform and authorize direct changes to the data | |
| 9 | Direct change to data are authorized | DB | No direct changes to data where made | |
| 10 | Direct change to data are tested | DB | No direct changes to data where made | |
| 11 | Access to DB and/or utilities for direct change to data is restricted to appropriate personnel | DB | Only the head of IT has write/change permissions to the DB | |
| 12 | Physical access to computer hardware is restricted to appropriate personnel | A, OS | Data and programs are in a stand-alone PC in control of the user. User permissions for Applications and OS are restricted appropriately | |
| 12 | Physical access to computer hardware is restricted to appropriate personnel | DB | Server(s) are located in a machine room with appropriate physical access control | |
| 1 | Describe the user authentication process. | A, OS, DB, N, O | User-ID and password are assigned on an individual basis and necessary for accessing digital data. | Application login screen<br />OS login screen<br />DB login screen<br />Server login screen |
| 2 | How are user and access rights granted to each user documented? | A | A list of users is prepared with the rights granted to each user. This list is generated from the system | Application permission List |
| 2 | How are user and access rights granted to each user documented? | OS, DB, N, O | A list of users is prepared with the rights granted to each user | Permission List |
| 3 | Do you have policies and procedures for user-ID administration? | A, OS, DB, N, O | Policies and procedures for user-ID administration (add, change, remove, and periodic user validation) are described in an authorized documentation. The documentation is prepared and authorized by the head of IT | |
| 4 | How do you perform user validation? | A, OS, DB, N, O | Periodic user validation is performed, this means each user's access rights are reviewed on a periodic basis. Performed both in terms of existence of user and the detailed access rights granted to each user-ID on an annual basis by the head of IT | |
| 5 | How are user-ID administration requests approved? | A, OS, DB, N, O | User-ID administration requests are approved by managers in user dpt. and/or IT dpt, as appropriate. Records are maintained in the change management | |
| 6 | How do you handle access to IT functions? | A, OS, DB, N, O | Access to privileged IT functions is restricted to appropriate personnel. Logs of the use of such privileged user-IDs are reviewed annually | |
| 7 | Describe the password/authentication complexity. | A, OS, DB, N, O | Password complexity is configured based on a minimum length of 8, at least one upper case letter, at least one lower case letter, at least one special character and at least one numeric value. Password changes must happen every 3 months | |
| 8 | Which policies and procedures for direct change to data do you have? | DB | Only the head of IT may perform and authorize direct changes to the data | |
| 9 | How do you handle direct data changes? | DB | Direct changes to data must be authorized by the head of IT. No direct changes to data where made | |
| 10 | Do you test data after direct changes? | DB | Direct change to data are tested and documented. No direct changes to data where made | |
| 11 | How do you restrict direct data changes? | DB | Only the head of IT has write/change permissions to the DB | |
| 12 | How do you restrict access to applications and OS? | A, OS | Data and programs on a stand-alone PC are in control of the user. User permissions for applications, data on the server and OS are restricted appropriately. | |
| 12 | How do you restrict access to server hardware and databases? | DB | Server(s) are located in a machine room with appropriate physical access control. | |
## System Operation and Administration
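Review bot: the "Frequency of direct data change" row still carries component N, yet its own note defines direct data change as changes made with SQL utilities, which is a DB-level control (rows 8 to 11 below are all tagged DB); it is also the only row in that table not rewritten in question form. In the design-effectiveness table the new rows 3 to 12 leave Evidences empty even though the answers name concrete artifacts (the authorized user-ID documentation in row 3, the annual review in row 4, change-management records in row 5, privileged-use logs in row 6); cite them, otherwise the rows cannot be tested. Row numbers 2 and 12 are each used twice, and rows 8, 9 and 11 together place authorizing, performing and holding the only write permission for direct DB changes with the head of IT, so requester, approver and executor are one person; say who independently reviews those changes. Typos in the new lines: "number of user" in the first table and "where made" in rows 9 and 10 should be "number of users" and "were made".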
@ -79,32 +79,32 @@
| No. | Question | Situation | Evidences |
| ---- | ------------------------------------------------------------ | ----------------------------------------------------------- | --------- |
| 1 | Policies and procedures for backups | Exists | |
| 2 | Completion of backup is ensured | All backup job records are reviewed by monitoring personnel | |
| 3 | Backup and recovery are periodically tested | Every backup is automatically tested | |
| 4 | Policies and procedures for job operation are described in a documentation | | |
| 5 | Job schedule changes are approved | | |
| 6 | Procedures are in place for preventing/detecting unauthorized changes to job schedules | | |
| 7 | Completion of job execution is ensured | | |
| 1 | Do you have policies and procedures for backups? | Exists | |
| 2 | How do you ensure the completion of backups? | All backup job records are reviewed by monitoring personnel | |
| 3 | How do you test backups? | Every backup is automatically tested | |
| 4 | Which policies and procedures for job operation do you have? | | |
| 5 | How are job schedule changes approved? | | |
| 6 | How do you prevent/detect unauthorized changes to job schedules? | | |
| 7 | How is the completion of job execution ensured? | | |
| 8 | Requests for non-scheduled job execution are authorized | | |
| 9 | Policies and procedures for identifying, resolving, reviewing, and analyzing IT operations problems or incidents are described in a documentation | | |
| 10 | IT operations problems or incidents are identified, resolved, reviewed, analyzed, and follow-ups are evidenced in a timely manner | | |
| 9 | Which policies and procedures for identifying, resolving, reviewing, and analyzing IT operations problems or incidents exist? | | |
| 10 | How are IT operations problems or incidents identified, resolved, reviewed, analyzed, and follow-ups evidenced? | | |
## Outsourcing Contract Management
### Points to consider
| Question | Situation | Evidences |
| ---------------------------- | ------------------------------------------------------------ | ------------------------- |
| What services are outsourced | Some of the services are outsourced concerning development/maintenance related to ITGCs | Software vendor contracts |
| Question | Situation | Evidences |
| ----------------------------- | ------------------------------------------------------------ | ------------------------- |
| What services are outsourced? | Some of the services are outsourced concerning development/maintenance related to ITGCs | Software vendor contracts |
### Assessment of Design Effectiveness
| No. | Question | Situation | Evidences |
| ---- | ------------------------------------------------------------ | --------- | --------- |
| 1 | Outsourced service are clearly defined and agreed with the service vendor in writing e.g. in contract and/or SLA | | |
| 2 | Service vendor's compliance to the service level is periodically reviewed | | |
| 3 | Regular review of service vendors is conducted in terms of appropriateness of the services defined, service vendor's ability to render the required service level, etc. | | |
| No. | Question | Situation | Evidences |
| ---- | ------------------------------------------------------------ | ------------------------------------------------------------ | --------- |
| 1 | Which outsourced IT services exist and how are they documented? | Outsourced service are clearly defined and agreed with the service vendor in writing e.g. in contract and/or SLA | |
| 2 | How do you ensure the compliance of vendors? | Service vendor's compliance to the service level is periodically reviewed | |
| 3 | How do you ensure the quality of the service vendors? | Regular review of service vendors is conducted in terms of appropriateness of the services defined, service vendor's ability to render the required service level, etc. | |
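Review bot: rows 4 to 10 of the operation table were rewritten as questions but their Situation and Evidences cells remain empty, and row 8 ("Requests for non-scheduled job execution are authorized") was left as a statement while its neighbours became questions; either answer them or mark them not applicable so the blank cells are not read as missing controls. Row 3 dropped the recovery half of the old question ("Backup and recovery are periodically tested"), and the answer "Every backup is automatically tested" does not say whether the test is a restore or only an integrity check, nor where the result is recorded; state both. In the outsourcing table the new Situation cells merely restate the old control statements ("Outsourced service are clearly defined ...", "Service vendor's compliance ... is periodically reviewed") without describing the actual arrangement, and the "Software vendor contracts" evidence named in the points-to-consider table is not cited in any of rows 1 to 3; also "Outsourced service are" should read "Outsourced services are".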