KY EXHIBIT C:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 20:14, 25 June 2006 by Mdpeters (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

EXHIBIT C


EVALUATION OF CONTROLS IN INFORMATION SYSTEMS (IS) QUESTIONNAIRE

INSTRUCTION NOTE 1:
In order to expedite the IS controls evaluation process, this questionnaire is designed to be completed by the insurance company's information systems management before the IS specialist(s) assigned to the examination begin(s) fieldwork. Accordingly, the tone of the questionnaire is directed to the insurance company's IS managers. The examiners recognize the wide variation in the size (e.g., large mainframe vs. small network) and structure (e.g., centralized vs. decentralized) of the many processing environments in place at company’s throughout the insurance industry. Therefore, several sections of the questionnaire contain a “Scoping Note,” which is designed to be answered by the insurance company’s IS managers and evaluated by the examiner to determine whether or not the particular section of the questionnaire needs to be completed by the company and tested by the examiner. For those sections that will be completed, the answers to each question should be made in a manner that reflects an understanding of the company’s particular control environment, as well as an understanding of the audit intent of each question. This can generally be achieved if the company involves an internal information systems auditor in the question answering process. Specific “Guidance Points” have also been included in the more technical areas of the questionnaire to help facilitate its completion by the company’s IS managers.

INSTRUCTION NOTE 2:
Every question includes a description of particular test documentation that should be provided by the insurance company. In those cases where documentation does not exist or is not otherwise available, the insurance company should provide examples of processes that can be observed and/or the individuals who can be interviewed to corroborate the presence of controls that are not formally documented.

INSTRUCTION NOTE 3:
Due to the inherently high degree of change in information technology, the period under review for this questionnaire should generally range from the latest 12 to 18 months of the overall financial condition examination time period. The period under review should generally encompass the last year of the examination period and the period of time up to and including the actual examination fieldwork. The period under review for this information systems evaluation is ____________________ through ____________________.

INSTRUCTION NOTE 4:
The questions must only be answered for all financially significant information systems. For the purposes of this questionnaire, financially significant information systems are defined as the computer hardware and software, including system programs and application programs, which are used to perform automated processing of a financially significant account balance or set of transactions. This includes financially significant e-business systems. Financially significant information systems are normally identified as "critical" in the insurance company's business continuity plan.

INSTRUCTION NOTE 5:
After the examiners have reviewed the company’s narrative response to each question within each relevant section, along with the appropriate sample test documentation gathered by the company and available on the company premises, the examiners may determine that information systems controls appear to be in place at the company. If this is the case, it may be efficient for the examiners to test the information systems controls to determine whether the controls are operating effectively, thereby allowing the examiners to rely on the results of the control tests to reduce the level of substantive testing. Specific “test procedures” have been included throughout the questionnaire to help facilitate the nature and extent of the test procedures to be performed. (“Test procedures” have been removed from this version of exhibit, which is for distribution to the company.) In accordance with the control testing guidance contained in Part 3 of the Financial Condition Examiners Handbook, the control tests will consist of either judgmental sampling or attribute sampling. Some controls, such as information systems management controls, will be more subject to judgmental sampling, whereby the examiner inspects a judgmental number of information systems management reports issued during the period under review. Other controls, such as programming controls, will be more subject to attribute sampling, whereby the examiner would select as few as 11 program change documents, if the level of risk initially identified from the responses to the questionnaire was determined to be low and the level of intended reliance on the controls is low, or as many as 76 program change documents, if the level of risk initially identified from the responses to the questionnaire was determined to be high and the level of intended reliance on the controls is high.

INSTRUCTION NOTE 6:
IS testing should be performed across all financially significant applications. Only one IS questionnaire may typically be completed by a company because many companies implement common controls across all applications. However, a company may not consistently apply and enforce the common controls across all applications. Some controls, such as inspection of the data center, are conducive to observation and are not subject to sampling. Other controls, such as programming and security authorization, are conducive to audit trail inspection and are subject to sampling. For those controls subject to sampling, the examiner should determine the appropriate sample size to be used based upon the level of inherent risk and the intended level of control risk applied against the compliance sample size table contained in Part 3 of the Financial Condition Examiners Handbook. For example, if the sample size is determined to be 70 and the company operates 7 financially significant applications within a common control infrastructure whereby only one IS questionnaire has been completed, the examiner should test 10 program changes for each application.

SUMMARY OF SCOPING NOTES:

  • Section A – No scoping note included, as completion of this section is required for all companies.
  • Section B – No scoping note included, as completion of this section is required for all companies.
  • Section C – This scoping note considers the conditions under which computer programs may undergo change.
  • Section D – This scoping note considers the conditions under which new computer systems may be developed and/or implemented.
  • Section E – No scoping note included, as completion of this section is required for all companies.
  • Section F and G – This scoping note considers the conditions under which the company would make changes to end of day, end of month, or end of year processes within financially significant computer systems.
  • Section H – This scoping note considers whether the company has ever used or currently intends to use an outside computer processing service organization.
  • Section I – No scoping note included, as completion of this section is required for all companies.
  • Section J – No scoping note included, as completion of this section is required for all companies.
  • Section K – This scoping note considers the status of current or planned e-business initiatives.
  • Section L – This scoping note considers whether the company has ever used or currently intends to use the public Internet or any WANs.


--Mdpeters 15:11, 23 June 2006 (EDT)