SlideShare a Scribd company logo

ITGCs.pdf

S
ssuser918e9d1

IT General Controls

Business
1 of 16
Download to read offline
Presented by – Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Information Technology General Controls (ITGCs) 101 Internal Audit Webinar Series
 Introduction  Why are IT General Controls Important?  Types of Controls  IT General Controls Review - Audit Process  IT General Controls Review - Overview and Examples  Access to Programs and Data  Program Changes and Development  Computer Operations  Q&A Webinar Agenda
 IT systems support many of the University’s business processes, such as these below:  Finance  Purchasing  Research  Patient care  Inventory  Payroll Why are IT General Controls Important? We cannot rely on IT systems or data therein without effective IT General Controls
Why are IT General Controls Important? Financial Objectives, such as: - Completeness - Accuracy - Validity - Authorization Operational & IT Objectives, such as: - Confidentiality - Integrity - Availability - Effectiveness and Efficiently Ineffective ITGCs = No achievement of business objectives
How are controls implemented?  Automated Controls  Manual Controls  Partially Automated Controls What are controls for?  Preventive Controls  Detective Controls  Corrective Controls Types of Controls
IT General Controls Review - Audit Process 1. Understand and identify the IT Environment and systems to be reviewed 2. Perform interviews, walkthroughs, and documentation reviews to gain an understanding on processes 3. Assess appropriateness of existing control environment (control design) 4. Validate existing controls to assess control operating effectiveness
IT General Controls Review - Overview Access to Program and Data  Risk: Unauthorized access to program and data may result in improper changes to data or destruction of data.  Objectives: Access to program and data is properly restricted to authorized individuals only. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data
 Access to programs and data components to be considered:  Policies and procedures  User access provisioning and de-provisioning  Periodic access reviews  Password requirements  Privileged user accounts  Physical access  Appropriateness of access/segregation of duties  Encryption  System authentication  Audit logs  Network security IT General Controls Review - Overview Access to Programs and Data
Area Existing Control Design How to Test/Validate User access provisioning A formal process for granting or modifying system access (based on appropriate level of approval) is in place. Review an evidence of approval User access de-provisioning A formal process for disabling access for users that are transferred or separated is in place. Compare existing user accounts with a list of users that are transferred or separated Periodic access reviews Periodic access reviews of users, administrators, and third-party vendors are performed. Review an evidence of periodic reviews Password requirements Unique (to individual) and strong passwords are used. Assess password rules enforced Privileged user accounts Accounts having privileged system access rights (e.g. servers, databases, applications, and infrastructure) are limited to authorized personnel. Review accounts with privileged access rights Physical access Only authorized personnel are allowed to access secured areas and computer facilities. Walkthrough of areas (e.g. data center, backup storage etc.) IT General Controls Review - Example Access to Programs and Data
IT General Controls Review - Overview Program Changes and Development  Risk: Inappropriate changes to systems or programs may result in inaccurate data.  Objectives: All changes to existing systems are properly authorized, tested, approved, implemented and documented. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data  Risk: Inappropriate system or program development or implementation may result in inaccurate data.  Objectives: New systems/applications being developed or implemented are properly authorized, tested, approved, implemented and documented.
 Program changes and development components to be considered:  Change management procedures and system development methodology  Authorization, development, implementation, testing, approval, and documentation  Migration to the production environment (Separation of Duties (SOD))  Configuration changes  Emergency changes  Data migration and version controls  Post change/implementation testing and reviews IT General Controls Review - Overview Program Changes and Development
Area Existing Control Design How to Test/Validate Change management controls A formal process for proper change management is in place. Review/assess change management procedures and validate that procedures are followed Change documentation All changed made to systems (e.g. servers, databases, applications, batch jobs and infrastructure) are documented and tracked. Review change logs Testing Appropriate level of testing is performed. Review an evidence of test plans and results Approval Appropriate approval prior to migration to production is required. Review an evidence of approval Migration Access to migrate changes into production is appropriately restricted. Verify that a separation of duties (SOD) between developers and operators (= making changes) exists IT General Controls Review - Example Program Changes and Development
IT General Controls Review - Overview Computer Operations  Risk: Systems or programs may not be available for users or may not be processing accurately.  Objectives: Systems and programs are available and processing accurately. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data
 Computer operations components to be considered:  Batch job processing  Monitoring of jobs (success/failure)  Backup and recovery procedures  Incident handling and problem management  Changes to the batch job schedules  Environmental controls  Disaster Recovery Plan (DRP) and Business Continuity Plan (DRP)  Patch management IT General Controls Review - Overview Computer Operations
Area Existing Control Design How to Test/Validate Batch job processing Batch jobs are appropriately scheduled, processed, monitored, and tracked. Review/assess procedures for batch job processing and monitoring and validate that procedures are followed Monitoring of jobs Failed jobs are followed-up and documented (including successful resolutions and explanations) Validate that failed jobs are followed-up and documented Backup and recovery Backups for critical data and programs are available in the event of an emergency. Review/assess procedures for backup and recovery and validate that procedures are followed Problem/issue management A formal process for problem/issue handling is in place in order to ensure timely identification, escalation , resolution and documentation of problem. Review/assess procedures for problem/issue management and validate that procedures are followed IT General Controls Review - Example Computer Operations
Conclusion/Q&A

Recommended

Steps in it audit
Steps in it auditSteps in it audit
Steps in it auditkinjalmkothari92
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPsJayesh Daga
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security AuditMufaddal Nullwala
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Complianceseanpizzy
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 

Recommended

Steps in it audit
Steps in it auditSteps in it audit
Steps in it auditkinjalmkothari92
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPsJayesh Daga
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security AuditMufaddal Nullwala
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Complianceseanpizzy
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
Security audit
Security auditSecurity audit
Security auditRosaria Dee
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
IT General Controls
IT General ControlsIT General Controls
IT General ControlsCicero Ray Rufino
 
03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructurepramod_kmr73
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
Audit Sample Report
Audit Sample ReportAudit Sample Report
Audit Sample ReportRandy James
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOXMahesh Patwardhan
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Yasir Khan
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
 
Ch2 2009 cisa
Ch2 2009 cisaCh2 2009 cisa
Ch2 2009 cisaasrulsani09
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical SecurityJorge Sebastiao
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-PracticesMarco Raposo
 
Challenges of Vulnerability Management
Challenges of Vulnerability Management Challenges of Vulnerability Management
Challenges of Vulnerability ManagementRahul Neel Mani
 
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Sreekanth Narendran
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and controlKashif Rana ACCA
 
5.4 it security audit (mauritius)
5.4 it security audit (mauritius)5.4 it security audit (mauritius)
5.4 it security audit (mauritius)Corporate Registers Forum
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber ResiliencePeter Wood
 
The information security audit
The information security auditThe information security audit
The information security auditDhani Ahmad
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 
13 configuration management
13 configuration management13 configuration management
13 configuration managementrandhirlpu
 
Different Approaches To Sys Bldg
Different Approaches To Sys BldgDifferent Approaches To Sys Bldg
Different Approaches To Sys BldgUSeP
 

More Related Content

What's hot

Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructurepramod_kmr73
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
Audit Sample Report
Audit Sample ReportAudit Sample Report
Audit Sample ReportRandy James
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOXMahesh Patwardhan
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Yasir Khan
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical SecurityJorge Sebastiao
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-PracticesMarco Raposo
 
Challenges of Vulnerability Management
Challenges of Vulnerability Management Challenges of Vulnerability Management
Challenges of Vulnerability ManagementRahul Neel Mani
 
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Sreekanth Narendran
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and controlKashif Rana ACCA
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber ResiliencePeter Wood
 
The information security audit
The information security auditThe information security audit
The information security auditDhani Ahmad
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 

What's hot (20)

Security audit
Security auditSecurity audit
Security audit
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
 
IT General Controls
IT General ControlsIT General Controls
IT General Controls
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructure
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologies
 
Audit Sample Report
Audit Sample ReportAudit Sample Report
Audit Sample Report
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOX
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
 
Ch2 2009 cisa
Ch2 2009 cisaCh2 2009 cisa
Ch2 2009 cisa
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical Security
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
 
Challenges of Vulnerability Management
Challenges of Vulnerability Management Challenges of Vulnerability Management
Challenges of Vulnerability Management
 
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and control
 
5.4 it security audit (mauritius)
5.4 it security audit (mauritius)5.4 it security audit (mauritius)
5.4 it security audit (mauritius)
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
The information security audit
The information security auditThe information security audit
The information security audit
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologies
 

Similar to ITGCs.pdf

13 configuration management
13 configuration management13 configuration management
13 configuration managementrandhirlpu
 
Different Approaches To Sys Bldg
Different Approaches To Sys BldgDifferent Approaches To Sys Bldg
Different Approaches To Sys BldgUSeP
 
Software testing and introduction to quality
Software testing and introduction to qualitySoftware testing and introduction to quality
Software testing and introduction to qualityDhanashriAmbre
 
ICAB - ITK Chapter 3 class 6-7 - Management of IT
ICAB - ITK Chapter 3 class 6-7 - Management of ITICAB - ITK Chapter 3 class 6-7 - Management of IT
ICAB - ITK Chapter 3 class 6-7 - Management of ITMohammad Abdul Matin Emon
 
System development life_cycle
System development life_cycleSystem development life_cycle
System development life_cycleSwapnil Walde
 
Information system implementation, change management and control
Information system implementation, change management and controlInformation system implementation, change management and control
Information system implementation, change management and controlShruti Pendharkar
 
SDLC Control
SDLC ControlSDLC Control
SDLC Controlbenji00
 
Software Development Life Cycle (SDLC).pptx
Software Development Life Cycle (SDLC).pptxSoftware Development Life Cycle (SDLC).pptx
Software Development Life Cycle (SDLC).pptxsandhyakiran10
 
Chap12 Developing Business It Solutions[1]
Chap12 Developing Business It Solutions[1]Chap12 Developing Business It Solutions[1]
Chap12 Developing Business It Solutions[1]sihamy
 
Change Management - ITIL
Change Management - ITILChange Management - ITIL
Change Management - ITILconnorsmaureen
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docxLynellBull52
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.gueste080564
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computingguestc1bca2
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.renetta
 
ERP SYSTEM POST IMPLEMENTATION AUDIT_TRNG_May,2023 - Part-3.pptx
ERP SYSTEM POST IMPLEMENTATION AUDIT_TRNG_May,2023 - Part-3.pptxERP SYSTEM POST IMPLEMENTATION AUDIT_TRNG_May,2023 - Part-3.pptx
ERP SYSTEM POST IMPLEMENTATION AUDIT_TRNG_May,2023 - Part-3.pptxRamanaBulusu1
 

Similar to ITGCs.pdf (20)

13 configuration management
13 configuration management13 configuration management
13 configuration management
 
Different Approaches To Sys Bldg
Different Approaches To Sys BldgDifferent Approaches To Sys Bldg
Different Approaches To Sys Bldg
 
Software testing and introduction to quality
Software testing and introduction to qualitySoftware testing and introduction to quality
Software testing and introduction to quality
 
ICAB - ITK Chapter 3 class 6-7 - Management of IT
ICAB - ITK Chapter 3 class 6-7 - Management of ITICAB - ITK Chapter 3 class 6-7 - Management of IT
ICAB - ITK Chapter 3 class 6-7 - Management of IT
 
System development life_cycle
System development life_cycleSystem development life_cycle
System development life_cycle
 
Information system implementation, change management and control
Information system implementation, change management and controlInformation system implementation, change management and control
Information system implementation, change management and control
 
audit_it_250759.pdf
audit_it_250759.pdfaudit_it_250759.pdf
audit_it_250759.pdf
 
Sdlc1
Sdlc1Sdlc1
Sdlc1
 
SDLC Control
SDLC ControlSDLC Control
SDLC Control
 
Software Development Life Cycle (SDLC).pptx
Software Development Life Cycle (SDLC).pptxSoftware Development Life Cycle (SDLC).pptx
Software Development Life Cycle (SDLC).pptx
 
Chap12 Developing Business It Solutions[1]
Chap12 Developing Business It Solutions[1]Chap12 Developing Business It Solutions[1]
Chap12 Developing Business It Solutions[1]
 
Mis unit iii by arnav
Mis unit iii by arnavMis unit iii by arnav
Mis unit iii by arnav
 
Change Management - ITIL
Change Management - ITILChange Management - ITIL
Change Management - ITIL
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
BIS Ch 4.ppt
BIS Ch 4.pptBIS Ch 4.ppt
BIS Ch 4.ppt
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computing
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
ERP SYSTEM POST IMPLEMENTATION AUDIT_TRNG_May,2023 - Part-3.pptx
ERP SYSTEM POST IMPLEMENTATION AUDIT_TRNG_May,2023 - Part-3.pptxERP SYSTEM POST IMPLEMENTATION AUDIT_TRNG_May,2023 - Part-3.pptx
ERP SYSTEM POST IMPLEMENTATION AUDIT_TRNG_May,2023 - Part-3.pptx
 
Software testing kn husainy
Software testing kn husainySoftware testing kn husainy
Software testing kn husainy
 

Recently uploaded

The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024christinemoorman
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...lizamodels9
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creationsnakalysalcedo61
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailAriel592675
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechNewman George Leech
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Timedelhimodelshub1
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfCatalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfOrient Homes
 
Progress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitProgress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitHolger Mueller
 
Investment analysis and portfolio management
Investment analysis and portfolio managementInvestment analysis and portfolio management
Investment analysis and portfolio managementJunaidKhan750825
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingShawn Pang
 
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...Khaled Al Awadi
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCRsoniya singh
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Roomdivyansh0kumar0
 
rishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfrishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfmuskan1121w
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,noida100girls
 
Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...
Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...
Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...lizamodels9
 
Non Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptxNon Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptxAbhayThakur200703
 

Recently uploaded (20)

The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creations
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman Leech
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Time
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfCatalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdf
 
Progress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitProgress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst Summit
 
Investment analysis and portfolio management
Investment analysis and portfolio managementInvestment analysis and portfolio management
Investment analysis and portfolio management
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
rishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfrishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdf
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...
Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...
Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...
 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
Non Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptxNon Text Magic Studio Magic Design for Presentations L&P.pptx
Non Text Magic Studio Magic Design for Presentations L&P.pptx
 

ITGCs.pdf

  • 1. Presented by – Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Information Technology General Controls (ITGCs) 101 Internal Audit Webinar Series
  • 2.  Introduction  Why are IT General Controls Important?  Types of Controls  IT General Controls Review - Audit Process  IT General Controls Review - Overview and Examples  Access to Programs and Data  Program Changes and Development  Computer Operations  Q&A Webinar Agenda
  • 3.  IT systems support many of the University’s business processes, such as these below:  Finance  Purchasing  Research  Patient care  Inventory  Payroll Why are IT General Controls Important? We cannot rely on IT systems or data therein without effective IT General Controls
  • 4. Why are IT General Controls Important? Financial Objectives, such as: - Completeness - Accuracy - Validity - Authorization Operational & IT Objectives, such as: - Confidentiality - Integrity - Availability - Effectiveness and Efficiently Ineffective ITGCs = No achievement of business objectives
  • 5. How are controls implemented?  Automated Controls  Manual Controls  Partially Automated Controls What are controls for?  Preventive Controls  Detective Controls  Corrective Controls Types of Controls
  • 6. IT General Controls Review - Audit Process 1. Understand and identify the IT Environment and systems to be reviewed 2. Perform interviews, walkthroughs, and documentation reviews to gain an understanding on processes 3. Assess appropriateness of existing control environment (control design) 4. Validate existing controls to assess control operating effectiveness
  • 7. IT General Controls Review - Overview Access to Program and Data  Risk: Unauthorized access to program and data may result in improper changes to data or destruction of data.  Objectives: Access to program and data is properly restricted to authorized individuals only. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data
  • 8.  Access to programs and data components to be considered:  Policies and procedures  User access provisioning and de-provisioning  Periodic access reviews  Password requirements  Privileged user accounts  Physical access  Appropriateness of access/segregation of duties  Encryption  System authentication  Audit logs  Network security IT General Controls Review - Overview Access to Programs and Data
  • 9. Area Existing Control Design How to Test/Validate User access provisioning A formal process for granting or modifying system access (based on appropriate level of approval) is in place. Review an evidence of approval User access de-provisioning A formal process for disabling access for users that are transferred or separated is in place. Compare existing user accounts with a list of users that are transferred or separated Periodic access reviews Periodic access reviews of users, administrators, and third-party vendors are performed. Review an evidence of periodic reviews Password requirements Unique (to individual) and strong passwords are used. Assess password rules enforced Privileged user accounts Accounts having privileged system access rights (e.g. servers, databases, applications, and infrastructure) are limited to authorized personnel. Review accounts with privileged access rights Physical access Only authorized personnel are allowed to access secured areas and computer facilities. Walkthrough of areas (e.g. data center, backup storage etc.) IT General Controls Review - Example Access to Programs and Data
  • 10. IT General Controls Review - Overview Program Changes and Development  Risk: Inappropriate changes to systems or programs may result in inaccurate data.  Objectives: All changes to existing systems are properly authorized, tested, approved, implemented and documented. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data  Risk: Inappropriate system or program development or implementation may result in inaccurate data.  Objectives: New systems/applications being developed or implemented are properly authorized, tested, approved, implemented and documented.
  • 11.  Program changes and development components to be considered:  Change management procedures and system development methodology  Authorization, development, implementation, testing, approval, and documentation  Migration to the production environment (Separation of Duties (SOD))  Configuration changes  Emergency changes  Data migration and version controls  Post change/implementation testing and reviews IT General Controls Review - Overview Program Changes and Development
  • 12. Area Existing Control Design How to Test/Validate Change management controls A formal process for proper change management is in place. Review/assess change management procedures and validate that procedures are followed Change documentation All changed made to systems (e.g. servers, databases, applications, batch jobs and infrastructure) are documented and tracked. Review change logs Testing Appropriate level of testing is performed. Review an evidence of test plans and results Approval Appropriate approval prior to migration to production is required. Review an evidence of approval Migration Access to migrate changes into production is appropriately restricted. Verify that a separation of duties (SOD) between developers and operators (= making changes) exists IT General Controls Review - Example Program Changes and Development
  • 13. IT General Controls Review - Overview Computer Operations  Risk: Systems or programs may not be available for users or may not be processing accurately.  Objectives: Systems and programs are available and processing accurately. IT General Controls Program Changes Program Development Computer Operations Access to Program and Data
  • 14.  Computer operations components to be considered:  Batch job processing  Monitoring of jobs (success/failure)  Backup and recovery procedures  Incident handling and problem management  Changes to the batch job schedules  Environmental controls  Disaster Recovery Plan (DRP) and Business Continuity Plan (DRP)  Patch management IT General Controls Review - Overview Computer Operations
  • 15. Area Existing Control Design How to Test/Validate Batch job processing Batch jobs are appropriately scheduled, processed, monitored, and tracked. Review/assess procedures for batch job processing and monitoring and validate that procedures are followed Monitoring of jobs Failed jobs are followed-up and documented (including successful resolutions and explanations) Validate that failed jobs are followed-up and documented Backup and recovery Backups for critical data and programs are available in the event of an emergency. Review/assess procedures for backup and recovery and validate that procedures are followed Problem/issue management A formal process for problem/issue handling is in place in order to ensure timely identification, escalation , resolution and documentation of problem. Review/assess procedures for problem/issue management and validate that procedures are followed IT General Controls Review - Example Computer Operations