Logical access and business applications 1318



  • Can someone offer some advice ?
    As well as automated controls, automated processes, reports and interfaces we have identified some specific LAS controls within our business processes.
    An example is control over the level of loans staff may be able to authorise e.g. Grade 1 _and_lt;100k, Grade 2_and_lt;200k etc.
    Do we treat this as a Busines Automated Control (BAC’s) or General Computing Controls (ITGC’s).
    I am happy classing it as a BAC but what level of testing would we carry out on this one control ?
    I have come up with a general set of tests which cover most of the COBIT headings, but surely this must be GCC testing ?
    Or would we do a combination of both ?



  • I see this as 2 controls
    a) The fact that you have an authorization level set is a control over loan approvals.
    b) Having this programmed into the system enhances the reliance on this control.
    To me, (a) is an ELC that is either in effect or not while (b) should be tested to ensure that the programmed control is working and cannot be overridden. Since it is a system control, a sample size of one should suffice.


Log in to reply