Logical access and business applications
popesmeade:
Can someone offer some advice?
As well as automated controls, automated processes, reports and interfaces we have identified some specific LAS controls within our business processes.
An example is control over the level of loans staff may be able to authorise, e.g. Grade 1 <100k, Grade 2 <200k, etc.
Do we treat this as a Business Automated Control (BAC) or a General Computing Control (ITGC)?
I am happy classing it as a BAC, but what level of testing would we carry out on this one control?
I have come up with a general set of tests which cover most of the COBIT headings, but surely this must be GCC testing ?
Or would we do a combination of both ?
kymike:
I see this as two controls:
a) The fact that you have an authorization level set is a control over loan approvals.
b) Having this programmed into the system enhances the reliance on this control.
To me, (a) is an ELC that is either in effect or not while (b) should be tested to ensure that the programmed control is working and cannot be overridden. Since it is a system control, a sample size of one should suffice.
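As an added illustration of point (b), not code from the thread or from any poster: a programmed authorisation-limit control in Python, with the grade limits taken from the question ("Grade 1 <100k, Grade 2 <200k") and a one-sample-per-case test of the kind kymike describes. The approver records, audit log and amounts are constructed for the example; the function exposes no override path, so an attempt to force approval above the limit can only fail.

```python
# Added example: a programmed loan-authorisation limit and the single-sample
# control test kymike describes. Grades, limits and amounts are constructed
# from the question's figures for illustration only.
from dataclasses import dataclass, field

# Exclusive upper bound per approval grade (the question's "<100k", "<200k").
# Kept in a constant the approval function reads but never writes.
AUTHORISATION_LIMITS = {1: 100_000, 2: 200_000}


@dataclass(frozen=True)
class Approver:
    user_id: str
    grade: int


@dataclass
class AuditLog:
    """Evidence trail an auditor can inspect after the control test."""
    entries: list = field(default_factory=list)

    def record(self, approver: Approver, amount: int, allowed: bool, reason: str) -> None:
        self.entries.append({
            "user": approver.user_id, "grade": approver.grade,
            "amount": amount, "allowed": allowed, "reason": reason,
        })


def authorise_loan(approver: Approver, amount: int, log: AuditLog) -> bool:
    """The programmed control: allow only if amount is strictly below the grade limit.

    There is deliberately no 'override' parameter; the only way past the limit
    is to change AUTHORISATION_LIMITS, which is an ITGC (change management) concern.
    """
    limit = AUTHORISATION_LIMITS.get(approver.grade)
    if limit is None:
        log.record(approver, amount, False, "unknown authorisation grade")
        return False
    if amount <= 0:
        log.record(approver, amount, False, "non-positive amount")
        return False
    if amount >= limit:
        log.record(approver, amount, False, f"amount not below grade limit {limit}")
        return False
    log.record(approver, amount, True, "within grade limit")
    return True


def run_control_test() -> dict:
    """Sample size of one per condition: in-limit, boundary, over-limit, no grade."""
    log = AuditLog()
    g1 = Approver("alice", 1)
    g2 = Approver("bob", 2)
    nobody = Approver("mallory", 9)  # grade with no configured limit
    results = {
        "g1_within": authorise_loan(g1, 99_999, log),
        "g1_boundary": authorise_loan(g1, 100_000, log),   # '<100k' means 100k is refused
        "g2_within": authorise_loan(g2, 150_000, log),
        "g2_over": authorise_loan(g2, 250_000, log),
        "unknown_grade": authorise_loan(nobody, 1, log),
    }
    # "Cannot be overridden": the function accepts no override flag at all.
    try:
        authorise_loan(g1, 500_000, log, override=True)  # type: ignore[call-arg]
        results["override_rejected"] = False
    except TypeError:
        results["override_rejected"] = True
    results["audit_entries"] = len(log.entries)
    return results


if __name__ == "__main__":
    for case, outcome in run_control_test().items():
        print(f"{case}: {outcome}")
```

The test function is the control test itself: one transaction at each boundary is enough to show the programmed limit behaves as configured, and the audit log gives the evidence that each refusal was recorded rather than silently dropped.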