ITGC Controls



  • Hello Everybody,
    Hope you all are doing well.
    I’m a new external auditor and have to conduct an audit which will involve auditing ITGC controls. I’ve listed a few controls which I think come under ITGC. We will be testing for Control design and Operating effectiveness. Please let me know some more controls that could be included for this audit.
    Looking forward to responses from the experienced.
    I’ve broadly covered the below areas:

    1. Access to programs and data
    2. Program changes, including maintenance to existing operating systems and IT Applications
    3. Program development for new, acquired or developed operating systems and IT Application
    4. Computer operations
      Control 1
      The entity has established a formalized security policy that provides guidance for information security within the entity and includes within its scope all aspects of the IT environment relevant to financial reporting applications and data (e.g., networks, perimeter security, operation system security, application security, acceptable systems use).
      Control 2
      There exists a formal procedure to communicate the policy throughout the organization.
      Control 3
      Physical access to computer facilities that house the financial applications is restricted to appropriate personnel.
      Control 4
      Roles (A role is a group of application functions) are created within the business application by way of a defined process. Users are given access to roles and their accesses are reviewed periodically.
      Control 5
      Controls exist to ensure access revocation due to termination is performed immediately after the user is terminated to minimize the likelihood of system abuse or sabotage.
      Control 6
      Passwords or stronger authentication methods help determine the authenticity of the user.
      Control 7
      Roles are reviewed periodically to verify grouping of non-conflicting functions/menu options.
      Control 8
      Access to powerful system level ID’s (i.e., root, administrator, security administration ids, batch processing ids) for in-scope systems is restricted to a defined set of system administration personnel users and their activities are monitored.
      Control 9
      The entity has established a formal change management process that outlines the requirements for making changes to systems and applications providing control over financial reporting.
      Control 10
      Only appropriate personnel should have access to migrate changes to the production environment.
      Control 11
      The entity has established a formal configuration change management process that outlines the requirements for making changes to systems and applications providing control over financial reporting.
      Control 12
      The organization has established a formal backup and recovery procedure, specifying procedure to be followed for backup and offsite backup site.
      Control 13
      A helpdesk function and system to allow logging and tracking of calls, incidents, service requests, and information needs has been established.


  • Hi and welcome to the forums 🙂
    As COBIT 4 provides an excellent framework for IT controls, I’ve already shared this link a few times today and this 200 guide might provide more ideas on ITGC controls you may want to look at, even though it is more tailored toward SOX 404 compliance measurements:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1920



  • Hi Sandeep,
    I have found the below control in your ITGC; if it is possible, could you please advise how system administration activities are monitored?
    Control 8
    Access to powerful system level ID’s (i.e., root, administrator, security administration ids, batch processing ids) for in-scope systems is restricted to a defined set of system administration personnel users and their activities are monitored.
    Thanks in advance for any advice or suggestions.
    Universal



  • Hi Universal,
    As per my limited experience in this line of work:
    Firstly, we are required to check for users who have access to powerful IDs in a particular application. Is the user’s access as per their job responsibility, and are appropriate approvals available?
    Secondly, the Audit logs enabled on the application will help ensure accountability.
    The logs should essentially contain the transaction the user has performed on the system (Read data, updated data etc).
    The user will be a generic ID (e.g. admin) in this case, as we are referring to powerful IDs.
    Hence, we generally ensure accountability with the help of the IP addresses of the users’ systems.
    Hopefully this helps.
    Sandeep



  • Hi Sandeep - What you’ve shared are good controls for these special system accounts 🙂
    The only additional practice I’ve seen often used is to change passwords annually on some of these to better protect these privileged accounts. It’s a painful process and entails lots of extra work, but represents a good control (esp. when folks leave the company).



  • Hi Sandeep,
    Thank you for your reply. It helped a lot.
    I’m also in the process of learning SOX (J-SOX) and ITGC.
    Firstly, the powerful users are classified for different levels; for example OS level, Application level, Database level etc., and accordingly their roles/responsibilities and administrative powers are decided/approved by a proper application process.
    Your idea is excellent: to have an audit log of the actions performed by the admins on the system (read or update data etc.), controlled by an IP address mechanism.
    Q1. What I would like to ask is: are you using any tool (software), or has your company developed special programs to serve as audit tools? What is the cost of this tool?
    Q2. Moreover, I am also interested in knowing what kind of information is stored in the audit logs.
    Example:
    A. Server/OS Administrator: installs new patches or files on the server.
    - In this case, to what extent are the activities of the Server/OS Administrator logged?
    LOG: time;date:IP address, admin id, admin role, changed file name
    B. Application Administrator: installs new programs/modules of an application.
    - Only has the power to install programs/modules for the application systems they are responsible for.
    LOG: time;date:IP address, admin id, admin role, application name; changed file name
    Q3. How does the IP address mechanism work?
    What I suppose is: the IP is associated with the administrator ID, and there is a set of rules that instruct to trace the activities performed by them?
    Thank you in advance.
    Universal
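The review Sandeep describes (checking powerful generic IDs against approved users and attributing their logged actions by source IP) can be automated as a simple exception report. The script below is an added example, not code from anyone in this thread: it parses constructed log lines in the layout Universal sketches above and checks each record against a constructed register of approved admin IDs, their registered source IPs and their approved role.

```python
import re

# Constructed sample audit log lines in the layout sketched in the thread:
# "time;date:IP address, admin id, admin role, changed file name"
SAMPLE_LOG = """\
09:14:02;2010-03-01:10.1.20.11, admin, os-admin, /etc/ssh/sshd_config
09:30:45;2010-03-01:10.1.20.12, appadmin, app-admin, /opt/erp/modules/gl.jar
22:05:10;2010-03-01:192.168.99.7, admin, os-admin, /etc/passwd
10:02:00;2010-03-02:10.1.20.11, admin, app-admin, /opt/erp/modules/ap.jar
"""

# Constructed register of approved administrators (hypothetical values):
# generic admin id -> registered source IPs and the role approved for that id.
APPROVED = {
    "admin": {"ips": {"10.1.20.11"}, "role": "os-admin"},
    "appadmin": {"ips": {"10.1.20.12"}, "role": "app-admin"},
}

# time runs up to ';', date up to ':', then comma-separated fields.
LINE_RE = re.compile(
    r"^(?P<time>[^;]+);(?P<date>[^:]+):(?P<ip>[^,]+),\s*"
    r"(?P<admin>[^,]+),\s*(?P<role>[^,]+),\s*(?P<target>.+)$"
)


def parse_line(line):
    """Split one log line into its named fields; reject malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit log line: {line!r}")
    return {k: v.strip() for k, v in m.groupdict().items()}


def review_log(text, approved=APPROVED):
    """Return (record, reason) pairs an auditor should follow up on."""
    exceptions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = approved.get(rec["admin"])
        if entry is None:
            exceptions.append((rec, "admin id not in approved register"))
        elif rec["ip"] not in entry["ips"]:
            exceptions.append((rec, "source IP not registered for this admin id"))
        elif rec["role"] != entry["role"]:
            exceptions.append((rec, "role does not match approved role"))
    return exceptions
```

On the constructed sample this reports two exceptions: the `admin` login from an unregistered IP and the `admin` ID acting under a role it was not approved for; both are the kind of item the control's periodic review would need explanations or approvals for.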



  • Hello Universal
    Nice, well-thought-out set of IT control objectives you have established.
    But just wondering, are these objectives purely IT General Controls?
    Would some of them actually relate to IT Application Controls?
    Otherwise, would you have any suggestions on IT Application Controls? I am cracking my brain out here trying to conjure some…
    Also, I do understand Application Controls may largely depend on the IT applications, which could differ from company to company. However, would there be any generic IT Application Control objectives for reference?
    thanks all…

