SlideShare a Scribd company logo

ITGCs.pdf

S
ssuser918e9d1

The document provides an overview of an internal audit webinar on IT general controls (ITGCs). It discusses why ITGCs are important for achieving financial and operational objectives. It outlines the types of controls and reviews the audit process for assessing ITGCs. Key areas covered include access to programs and data, program changes and development, and computer operations. For each area, example existing controls, risks, objectives, and methods for testing controls are described. The purpose is to help attendees understand what ITGCs are, why they are important, and how auditors review them.

Business
1 of 16
Downloaded 17 times
1
2
3
Most read
4
5
6
7
8
9
10
Most read
11
12
13
14
Most read
15
16
Presented by – Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Information Technology General Controls (ITGCs) 101 Internal Audit Webinar Series
 Introduction  Why are IT General Controls Important?  Types of Controls  IT General Controls Review - Audit Process  IT General Controls Review - Overview and Examples  Access to Programs and Data  Program Changes and Development  Computer Operations  Q&A Webinar Agenda
 IT systems support many of the University’s business processes, such as these below:  Finance  Purchasing  Research  Patient care  Inventory  Payroll Why are IT General Controls Important? We cannot rely on IT systems or data therein without effective IT General Controls
Why are IT General Controls Important? Financial Objectives, such as: - Completeness - Accuracy - Validity - Authorization Operational & IT Objectives, such as: - Confidentiality - Integrity - Availability - Effectiveness and Efficiently Ineffective ITGCs = No achievement of business objectives
How are controls implemented?  Automated Controls  Manual Controls  Partially Automated Controls What are controls for?  Preventive Controls  Detective Controls  Corrective Controls Types of Controls
IT General Controls Review - Audit Process 1. Understand and identify the IT Environment and systems to be reviewed 2. Perform interviews, walkthroughs, and documentation reviews to gain an understanding on processes 3. Assess appropriateness of existing control environment (control design) 4. Validate existing controls to assess control operating effectiveness
IT General Controls Review - Overview Access to Program and Data  Risk: Unauthorized access to program and data may result in improper changes to data or destruction of data.  Objectives: Access to program and data is properly restricted to authorized individuals only. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data
 Access to programs and data components to be considered:  Policies and procedures  User access provisioning and de-provisioning  Periodic access reviews  Password requirements  Privileged user accounts  Physical access  Appropriateness of access/segregation of duties  Encryption  System authentication  Audit logs  Network security IT General Controls Review - Overview Access to Programs and Data
Area Existing Control Design How to Test/Validate User access provisioning A formal process for granting or modifying system access (based on appropriate level of approval) is in place. Review an evidence of approval User access de-provisioning A formal process for disabling access for users that are transferred or separated is in place. Compare existing user accounts with a list of users that are transferred or separated Periodic access reviews Periodic access reviews of users, administrators, and third-party vendors are performed. Review an evidence of periodic reviews Password requirements Unique (to individual) and strong passwords are used. Assess password rules enforced Privileged user accounts Accounts having privileged system access rights (e.g. servers, databases, applications, and infrastructure) are limited to authorized personnel. Review accounts with privileged access rights Physical access Only authorized personnel are allowed to access secured areas and computer facilities. Walkthrough of areas (e.g. data center, backup storage etc.) IT General Controls Review - Example Access to Programs and Data
IT General Controls Review - Overview Program Changes and Development  Risk: Inappropriate changes to systems or programs may result in inaccurate data.  Objectives: All changes to existing systems are properly authorized, tested, approved, implemented and documented. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data  Risk: Inappropriate system or program development or implementation may result in inaccurate data.  Objectives: New systems/applications being developed or implemented are properly authorized, tested, approved, implemented and documented.
 Program changes and development components to be considered:  Change management procedures and system development methodology  Authorization, development, implementation, testing, approval, and documentation  Migration to the production environment (Separation of Duties (SOD))  Configuration changes  Emergency changes  Data migration and version controls  Post change/implementation testing and reviews IT General Controls Review - Overview Program Changes and Development
Area Existing Control Design How to Test/Validate Change management controls A formal process for proper change management is in place. Review/assess change management procedures and validate that procedures are followed Change documentation All changed made to systems (e.g. servers, databases, applications, batch jobs and infrastructure) are documented and tracked. Review change logs Testing Appropriate level of testing is performed. Review an evidence of test plans and results Approval Appropriate approval prior to migration to production is required. Review an evidence of approval Migration Access to migrate changes into production is appropriately restricted. Verify that a separation of duties (SOD) between developers and operators (= making changes) exists IT General Controls Review - Example Program Changes and Development
IT General Controls Review - Overview Computer Operations  Risk: Systems or programs may not be available for users or may not be processing accurately.  Objectives: Systems and programs are available and processing accurately. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data
 Computer operations components to be considered:  Batch job processing  Monitoring of jobs (success/failure)  Backup and recovery procedures  Incident handling and problem management  Changes to the batch job schedules  Environmental controls  Disaster Recovery Plan (DRP) and Business Continuity Plan (DRP)  Patch management IT General Controls Review - Overview Computer Operations
Area Existing Control Design How to Test/Validate Batch job processing Batch jobs are appropriately scheduled, processed, monitored, and tracked. Review/assess procedures for batch job processing and monitoring and validate that procedures are followed Monitoring of jobs Failed jobs are followed-up and documented (including successful resolutions and explanations) Validate that failed jobs are followed-up and documented Backup and recovery Backups for critical data and programs are available in the event of an emergency. Review/assess procedures for backup and recovery and validate that procedures are followed Problem/issue management A formal process for problem/issue handling is in place in order to ensure timely identification, escalation , resolution and documentation of problem. Review/assess procedures for problem/issue management and validate that procedures are followed IT General Controls Review - Example Computer Operations
Conclusion/Q&A

More Related Content

PDF
audit_it_250759.pdf
mabkhoutaliwi1
 
PDF
Auditing application controls
CenapSerdarolu
 
PPTX
03.1 general control
Mulyadi Yusuf
 
PDF
IT-Audit-Manual-2017-1st-Edition.pdf
JacobYeboa1
 
PPTX
Auditing SOX ITGC Compliance
seanpizzy
 
PDF
Information Technology Control and Audit.pdf
Maicolcastellanos2
 
PPTX
CISA Training - Chapter 3 - 2016
Hafiz Sheikh Adnan Ahmed
 
PDF
Segregation of Duties Solutions
Ahmed Abdul Hamed
 
audit_it_250759.pdf
mabkhoutaliwi1
 
Auditing application controls
CenapSerdarolu
 
03.1 general control
Mulyadi Yusuf
 
IT-Audit-Manual-2017-1st-Edition.pdf
JacobYeboa1
 
Auditing SOX ITGC Compliance
seanpizzy
 
Information Technology Control and Audit.pdf
Maicolcastellanos2
 
CISA Training - Chapter 3 - 2016
Hafiz Sheikh Adnan Ahmed
 
Segregation of Duties Solutions
Ahmed Abdul Hamed
 

What's hot (20)

PPTX
IT General Controls
Cicero Ray Rufino
 
PPT
IT System & Security Audit
Mufaddal Nullwala
 
PDF
IT General Controls Presentation at IIA Vadodara Audit Club
Kaushal Trivedi
 
PDF
Steps in it audit
kinjalmkothari92
 
PDF
Basics in IT Audit and Application Control Testing
Dinesh O Bareja
 
PPTX
IT Audit For Non-IT Auditors
Ed Tobias
 
PPT
Introduction to it auditing
Damilola Mosaku
 
PDF
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
ShivamSharma909
 
PDF
Control and audit of information System (hendri eka saputra)
Hendri Eka Saputra
 
PDF
Cisa domain 1
Ismail aboulezz
 
PPTX
CISA Training - Chapter 5 - 2016
Hafiz Sheikh Adnan Ahmed
 
PDF
CISA DOMAIN 2 Governance & Management of IT
ShivamSharma909
 
PDF
What is ISO 27001 ISMS
Business Beam
 
PPTX
Information System Architecture and Audit Control Lecture 1
Yasir Khan
 
PPTX
CISA Training - Chapter 2 - 2016
Hafiz Sheikh Adnan Ahmed
 
PPS
ISO 27001 2013 isms final overview
Naresh Rao
 
PPT
Security audit
Rosaria Dee
 
PPTX
Data Protection Officer Dashboard | GDPR
Corporater
 
DOCX
Computer Assisted Audit Techniques (CAATS) - IS AUDIT
Shahzeb Pirzada
 
PPTX
03.2 application control
Mulyadi Yusuf
 
IT General Controls
Cicero Ray Rufino
 
IT System & Security Audit
Mufaddal Nullwala
 
IT General Controls Presentation at IIA Vadodara Audit Club
Kaushal Trivedi
 
Steps in it audit
kinjalmkothari92
 
Basics in IT Audit and Application Control Testing
Dinesh O Bareja
 
IT Audit For Non-IT Auditors
Ed Tobias
 
Introduction to it auditing
Damilola Mosaku
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
ShivamSharma909
 
Control and audit of information System (hendri eka saputra)
Hendri Eka Saputra
 
Cisa domain 1
Ismail aboulezz
 
CISA Training - Chapter 5 - 2016
Hafiz Sheikh Adnan Ahmed
 
CISA DOMAIN 2 Governance & Management of IT
ShivamSharma909
 
What is ISO 27001 ISMS
Business Beam
 
Information System Architecture and Audit Control Lecture 1
Yasir Khan
 
CISA Training - Chapter 2 - 2016
Hafiz Sheikh Adnan Ahmed
 
ISO 27001 2013 isms final overview
Naresh Rao
 
Security audit
Rosaria Dee
 
Data Protection Officer Dashboard | GDPR
Corporater
 
Computer Assisted Audit Techniques (CAATS) - IS AUDIT
Shahzeb Pirzada
 
03.2 application control
Mulyadi Yusuf
 
Ad

Similar to ITGCs.pdf (20)

PDF
IT & the Auditor
Linda Forbes
 
PDF
Internal Controls Over Information Systems
Jeffrey Paulette
 
PDF
Fundamentals of Information Systems Security
dmjldssgz284
 
DOCX
Effects of IT on internal controls
Lou Foja
 
PPTX
Controls in Audit.pptx
HardikKundra
 
PPTX
CISA Training - Chapter 4 - 2016
Hafiz Sheikh Adnan Ahmed
 
PPTX
Chapter 15-Accounting Information System
RejiePantinople
 
PDF
The Information Office
Mahesh Patwardhan
 
PPTX
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
hamzaalkhairi802
 
PPT
8. operations security
7wounders
 
PPTX
CISM_WK_3.pptx
dotco
 
PPTX
Security Baselines and Risk Assessments
Priyank Hada
 
PPT
It Audit And Forensics
JED Consulting Services LLC
 
PPT
Testing
lorenceman
 
ODP
CISSP Week 12
jemtallon
 
PPT
The Importance of Security within the Computer Environment
Adetula Bunmi
 
PPTX
Infosec policies to appsec standards ed final
eadams2330
 
PPT
Introduction to Information Security CSE
BurhanKhan774154
 
PPT
Intro.ppt
RamaNingaiah
 
PPT
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
rasanjakavindu54
 
IT & the Auditor
Linda Forbes
 
Internal Controls Over Information Systems
Jeffrey Paulette
 
Fundamentals of Information Systems Security
dmjldssgz284
 
Effects of IT on internal controls
Lou Foja
 
Controls in Audit.pptx
HardikKundra
 
CISA Training - Chapter 4 - 2016
Hafiz Sheikh Adnan Ahmed
 
Chapter 15-Accounting Information System
RejiePantinople
 
The Information Office
Mahesh Patwardhan
 
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
hamzaalkhairi802
 
8. operations security
7wounders
 
CISM_WK_3.pptx
dotco
 
Security Baselines and Risk Assessments
Priyank Hada
 
It Audit And Forensics
JED Consulting Services LLC
 
Testing
lorenceman
 
CISSP Week 12
jemtallon
 
The Importance of Security within the Computer Environment
Adetula Bunmi
 
Infosec policies to appsec standards ed final
eadams2330
 
Introduction to Information Security CSE
BurhanKhan774154
 
Intro.ppt
RamaNingaiah
 
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
rasanjakavindu54
 
Ad

Recently uploaded (20)

PPTX
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
PPTX
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
DOCX
Business Management - unit 1 and 2
anithak410
 
PPTX
5 Stages of group development guide.pptx
keerthanashanmugam201
 
PDF
Business model innovation report 2022.pdf
pradvapal
 
PDF
Training And Development of Employee .pdf
nivethavm864
 
PDF
Power and position in leadershipDOC-20250808-WA0011..pdf
meghavinikumar2006
 
PDF
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
PDF
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 
PDF
Chapter 5_Foreign Exchange Market in .pdf
sophatphoniu
 
PDF
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
PPT
Chapter four Project-Preparation material
argachewbochena1
 
PPTX
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
PDF
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
PDF
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 
PDF
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
FINNOMENAMarketing
 
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
PDF
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
Business Management - unit 1 and 2
anithak410
 
5 Stages of group development guide.pptx
keerthanashanmugam201
 
Business model innovation report 2022.pdf
pradvapal
 
Training And Development of Employee .pdf
nivethavm864
 
Power and position in leadershipDOC-20250808-WA0011..pdf
meghavinikumar2006
 
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 
Chapter 5_Foreign Exchange Market in .pdf
sophatphoniu
 
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
Chapter four Project-Preparation material
argachewbochena1
 
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
FINNOMENAMarketing
 
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 

ITGCs.pdf

  • 1. Presented by – Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Information Technology General Controls (ITGCs) 101 Internal Audit Webinar Series
  • 2.  Introduction  Why are IT General Controls Important?  Types of Controls  IT General Controls Review - Audit Process  IT General Controls Review - Overview and Examples  Access to Programs and Data  Program Changes and Development  Computer Operations  Q&A Webinar Agenda
  • 3.  IT systems support many of the University’s business processes, such as these below:  Finance  Purchasing  Research  Patient care  Inventory  Payroll Why are IT General Controls Important? We cannot rely on IT systems or data therein without effective IT General Controls
  • 4. Why are IT General Controls Important? Financial Objectives, such as: - Completeness - Accuracy - Validity - Authorization Operational & IT Objectives, such as: - Confidentiality - Integrity - Availability - Effectiveness and Efficiently Ineffective ITGCs = No achievement of business objectives
  • 5. How are controls implemented?  Automated Controls  Manual Controls  Partially Automated Controls What are controls for?  Preventive Controls  Detective Controls  Corrective Controls Types of Controls
  • 6. IT General Controls Review - Audit Process 1. Understand and identify the IT Environment and systems to be reviewed 2. Perform interviews, walkthroughs, and documentation reviews to gain an understanding on processes 3. Assess appropriateness of existing control environment (control design) 4. Validate existing controls to assess control operating effectiveness
  • 7. IT General Controls Review - Overview Access to Program and Data  Risk: Unauthorized access to program and data may result in improper changes to data or destruction of data.  Objectives: Access to program and data is properly restricted to authorized individuals only. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data
  • 8.  Access to programs and data components to be considered:  Policies and procedures  User access provisioning and de-provisioning  Periodic access reviews  Password requirements  Privileged user accounts  Physical access  Appropriateness of access/segregation of duties  Encryption  System authentication  Audit logs  Network security IT General Controls Review - Overview Access to Programs and Data
  • 9. Area Existing Control Design How to Test/Validate User access provisioning A formal process for granting or modifying system access (based on appropriate level of approval) is in place. Review an evidence of approval User access de-provisioning A formal process for disabling access for users that are transferred or separated is in place. Compare existing user accounts with a list of users that are transferred or separated Periodic access reviews Periodic access reviews of users, administrators, and third-party vendors are performed. Review an evidence of periodic reviews Password requirements Unique (to individual) and strong passwords are used. Assess password rules enforced Privileged user accounts Accounts having privileged system access rights (e.g. servers, databases, applications, and infrastructure) are limited to authorized personnel. Review accounts with privileged access rights Physical access Only authorized personnel are allowed to access secured areas and computer facilities. Walkthrough of areas (e.g. data center, backup storage etc.) IT General Controls Review - Example Access to Programs and Data
  • 10. IT General Controls Review - Overview Program Changes and Development  Risk: Inappropriate changes to systems or programs may result in inaccurate data.  Objectives: All changes to existing systems are properly authorized, tested, approved, implemented and documented. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data  Risk: Inappropriate system or program development or implementation may result in inaccurate data.  Objectives: New systems/applications being developed or implemented are properly authorized, tested, approved, implemented and documented.
  • 11.  Program changes and development components to be considered:  Change management procedures and system development methodology  Authorization, development, implementation, testing, approval, and documentation  Migration to the production environment (Separation of Duties (SOD))  Configuration changes  Emergency changes  Data migration and version controls  Post change/implementation testing and reviews IT General Controls Review - Overview Program Changes and Development
  • 12. Area Existing Control Design How to Test/Validate Change management controls A formal process for proper change management is in place. Review/assess change management procedures and validate that procedures are followed Change documentation All changed made to systems (e.g. servers, databases, applications, batch jobs and infrastructure) are documented and tracked. Review change logs Testing Appropriate level of testing is performed. Review an evidence of test plans and results Approval Appropriate approval prior to migration to production is required. Review an evidence of approval Migration Access to migrate changes into production is appropriately restricted. Verify that a separation of duties (SOD) between developers and operators (= making changes) exists IT General Controls Review - Example Program Changes and Development
  • 13. IT General Controls Review - Overview Computer Operations  Risk: Systems or programs may not be available for users or may not be processing accurately.  Objectives: Systems and programs are available and processing accurately. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data
  • 14.  Computer operations components to be considered:  Batch job processing  Monitoring of jobs (success/failure)  Backup and recovery procedures  Incident handling and problem management  Changes to the batch job schedules  Environmental controls  Disaster Recovery Plan (DRP) and Business Continuity Plan (DRP)  Patch management IT General Controls Review - Overview Computer Operations
  • 15. Area Existing Control Design How to Test/Validate Batch job processing Batch jobs are appropriately scheduled, processed, monitored, and tracked. Review/assess procedures for batch job processing and monitoring and validate that procedures are followed Monitoring of jobs Failed jobs are followed-up and documented (including successful resolutions and explanations) Validate that failed jobs are followed-up and documented Backup and recovery Backups for critical data and programs are available in the event of an emergency. Review/assess procedures for backup and recovery and validate that procedures are followed Problem/issue management A formal process for problem/issue handling is in place in order to ensure timely identification, escalation , resolution and documentation of problem. Review/assess procedures for problem/issue management and validate that procedures are followed IT General Controls Review - Example Computer Operations