Friday, December 31, 2021

General IT Controls - ITGC & GTAG

General IT Controls (GITC or ITGC)

Information Technology General Controls (ITGC) are a type of internal control: a set of policies and procedures over the IT environment that ensure the controls built into an organization's applications and data are implemented and operate effectively. ITGCs are also known as General Computer Controls (GCC).

Companies, auditors, business partners, and shareholders rely on ITGCs as a key component of the integrity of financial statements, business processes and information systems.

GITCs are a critical component of business operations and financial information controls. They provide the foundation for confidence in data, reports, automated controls, and other system functionality underlying business processes. The security, integrity, and reliability of financial information rely on proper access controls, physical security of facilities, logical security, backup and recovery, computing infrastructure, change management, and operational controls.

The information within IT systems is critical for meeting many requirements in an organization, for example:

  • Financial information relied upon by decision makers is maintained within IT systems.
  • User credentials and business data are stored on servers as well as in cloud infrastructure.

In the absence of ITGCs, employees cannot rely on the data and reports that IT systems provide.

Of the critical control areas mentioned above, let us look at one control in detail.

User Access Management 

User Access provisioning

Granting access to a new user is the first step in maintaining a controlled environment in an IT application. Inappropriately granted access could result in the posting of unauthorized financial transactions.

User Access De-provisioning

When employees are separated from the organization or leave, their user credentials can be misused to process financial transactions or similar operations. Such transactions would not only be unauthorized but would also lack accountability. Similarly, if an employee is transferred to another division or department and the access previously provisioned is not revoked, that old access remains available to be used later.

Excessive access

Access to a business application needs to be granted based on the roles and responsibilities of its users. Provisioning access that is not in line with a user's job responsibilities could lead to the posting of unauthorized financial transactions.

Generic and Privilege access

Generic User IDs (accounts shared by several people or not tied to a named individual) lead to accountability issues for transactions processed using such IDs, because the activity cannot be traced back to one person. Further, if privileged or administrative access is granted to Generic User IDs, such access can be misused for posting transactions that could have a pervasive impact on the financial statements.

User Access Review

While user access provisioning is key to controlling access to an IT application, periodic user access review keeps that access aligned with business requirements. In the absence of periodic user access review, excessive access may remain with a user or within the system. User access review also detects anomalies in access that was provisioned or de-provisioned, as well as any privileged or excessive access.
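As an added example (not code from the original post), the script below performs a minimal periodic user access review of the kind described above. It reconciles an application's user export against the HR roster and a department-to-role matrix and flags the issues from the earlier subsections: accounts with no approved provisioning request, leavers whose accounts were never de-provisioned, transferred users holding roles outside their current department (excessive access), and Generic User IDs, especially ones holding privileged roles. All employee IDs, user names, roles and ticket numbers are constructed for the example and are hypothetical.

```python
"""Periodic user access review: reconcile an application user list against
HR data and a role matrix, producing findings per ITGC control area.
All data here is constructed for illustration (hypothetical names/roles)."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employee id -> employment status and current department.
HR_ROSTER = {
    "E100": {"status": "active", "dept": "AP"},
    "E101": {"status": "terminated", "dept": "AP", "term_date": date(2021, 11, 30)},
    "E102": {"status": "active", "dept": "Treasury"},   # transferred out of AP
    "E103": {"status": "active", "dept": "IT"},
}

# Constructed role matrix: application roles each department is permitted to hold.
ROLE_MATRIX = {
    "AP": {"AP_CLERK", "AP_VIEW"},
    "Treasury": {"TREASURY_PAY"},
    "IT": {"SYS_ADMIN"},
}
PRIVILEGED_ROLES = {"SYS_ADMIN", "SECURITY_ADMIN"}

# Constructed application user export. "emp" is None for generic (unowned) IDs;
# "ticket" is the provisioning request that approved the account, if any.
APP_USERS = [
    {"user": "jdoe", "emp": "E100", "roles": {"AP_CLERK"}, "ticket": "CHG-101"},
    {"user": "asmith", "emp": "E101", "roles": {"AP_CLERK"}, "ticket": "CHG-102"},
    {"user": "bkhan", "emp": "E102", "roles": {"TREASURY_PAY", "AP_CLERK"}, "ticket": "CHG-103"},
    {"user": "admin", "emp": None, "roles": {"SYS_ADMIN"}, "ticket": None},
    {"user": "itops", "emp": "E103", "roles": {"SYS_ADMIN"}, "ticket": None},
]


@dataclass
class Finding:
    user: str
    category: str
    detail: str


def review_access(app_users, hr_roster, role_matrix, privileged_roles):
    """Return a list of Findings; one account can raise several."""
    findings = []
    for acct in app_users:
        user, emp, roles, ticket = acct["user"], acct["emp"], acct["roles"], acct["ticket"]

        # Provisioning control: every account must trace to an approved request.
        if not ticket:
            findings.append(Finding(user, "no_approval", "no provisioning ticket on record"))

        # Generic IDs: no named owner means no accountability; worse if privileged.
        if emp is None:
            findings.append(Finding(user, "generic_id", "account not tied to a named individual"))
            held = roles & privileged_roles
            if held:
                findings.append(Finding(user, "generic_privileged",
                                        f"generic ID holds privileged roles {sorted(held)}"))
            continue

        # De-provisioning control: leavers (or unknown employees) must have no account.
        person = hr_roster.get(emp)
        if person is None or person["status"] != "active":
            findings.append(Finding(user, "orphaned", f"employee {emp} is not an active employee"))
            continue

        # Excessive access: roles outside what the current department may hold
        # (catches transfers whose old access was never removed).
        allowed = role_matrix.get(person["dept"], set())
        excess = roles - allowed
        if excess:
            findings.append(Finding(user, "excessive",
                                    f"roles {sorted(excess)} not permitted for dept {person['dept']}"))
    return findings


def summarize(findings):
    """Count findings per category for the review sign-off."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(APP_USERS, HR_ROSTER, ROLE_MATRIX, PRIVILEGED_ROLES)
    for f in results:
        print(f"{f.category:20} {f.user:8} {f.detail}")
    print(summarize(results))
```

In a real review the HR roster and user export would be pulled from the HR system and the application itself, and each finding would be assigned to the business owner for confirmation or revocation; the reconciliation logic stays the same.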

Global Technology Audit Guide (GTAG)

The GTAG series, published by The Institute of Internal Auditors (IIA), provides business executives and internal auditors with an overview of IT-related risks and controls, so that the internal audit activity can provide assurance over the important risks identified. It describes how to identify and assess the risks, and the standardized and system-specific controls, relevant to business applications.

The GTAG guides released so far are listed below:

GTAG 1: Information Technology Controls

GTAG 2: Change and Patch Management Controls: Critical for Organizational Success

GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment

GTAG 4: Management of IT Auditing

GTAG 5: Managing and Auditing Privacy Risks

GTAG 6: Managing and Auditing IT Vulnerabilities

GTAG 7: Information Technology Outsourcing

GTAG 8: Auditing Application Controls

GTAG 9: Identity and Access Management

GTAG 10: Business Continuity Management

GTAG 11: Developing the IT Audit Plan

GTAG 12: Auditing IT Projects

GTAG 13: Fraud Prevention and Detection in the Automated World

GTAG 14: Auditing User-developed Applications

GTAG 15: Information Security Governance (withdrawn and combined with GTAG 17)

GTAG 16: Data Analysis Technologies

GTAG 17: Auditing IT Governance

While conducting an ITGC audit, a common set of questions should be asked for each control area and the answers analyzed.

For example

For Change Management, questions such as the following can be asked:

  • How is change management planned?
  • How is the change plan tested before the change is made?
  • Are changes appropriately documented and approved by authorized personnel?
  • Were necessary maintenance changes tested?
  • Is appropriate segregation of duties in place between approving changes and making them in the production environment?
  • How are changes approved and tracked?
  • What processes are in place to identify the required control gates throughout the system development life cycle (e.g. peer review of code, software security scanning, third-party approval)?
  • How are impacts analyzed after a change has occurred?

For further suggestions, please use the comment section.

-DR
