IT General Controls (ITGC) control relating to the general computing environment in which applications are developed, maintained and operated. Controls over IT processes and activities that affect all the applications that reside on the computer system. Not application specific controls.
The key objectives are to ensure the confidentiality, integrity, and availability of
information systems resources:
- Confidentiality: application systems and data files are protected against unauthorized access.
- Integrity: application systems are effectively developed and maintained to meet business needs.
- Availability: system services are protected against disruptions.
The control areas can be derived from established information security and control frameworks like ISO27001 and COBIT. The key focus areas are:
- IT Organisation and Management
- Physical and Environmental Security
- Access Control
- Computer and Network Operations
- Systems Development and Maintenance
- Business Continuity Planning
The Audit Approach
1. Understand the Computing Environment
Gain an understanding of the organization’s use of computers. Identify the computing environment used to support the business operations (i.e. hardware/servers, applications, database, operating system, networks, and physical infrastructure), any new system implementations and the IT organizational structure.
2. Identify the Main Systems & Applications
For each application consider the business purpose, importance and the materiality (i.e. the value of transactions and information processed by the application). Identify the main systems and applications.
3. Assess the Control Environment
A preliminary assessment is performed using an IT General Controls Questionnaire to document the type of controls in place and identify any potential risks or weaknesses. Detailed tests of controls or technical review of the control areas is then carried out with a focus on those areas identified as weak in the preliminary assessment.
3.1 IT Organisation and Management
Organizational policies and management procedures are in place to control IT activities.
- IT steering committee to oversee IT activities and projects.
- Strategic IT plan/budgets for the short and long term.
- IT plan is aligned with business objectives and needs.
- Information security policy and procedures.
- Formal IT organizational structure.
- Segregation of duties (e.g. security, operations, development).
3.2 Physical and Environmental Security
Computing facilities and computer equipment are protected against unauthorized entry, theft, damage, and environmental hazards.
- Data center and server rooms secured by card/keypad door access systems.
- Access and actively monitored by CCTV system.
- Visitor log maintained and access supervised.
- Fire detection and suppression systems (e.g. smoke detector/alarm, CO2 extinguishers).
- Temperature and air-conditioning (backup air-con unit).
- Alternate power supply (e.g. UPS and standby generator).
- Power surge and lightning protection.
3.3 Access Control
Programs and data files are protected against unauthorized access, modification or deletion.
- Login and password security (e.g. system security settings).
- Assignment of user access rights (e.g. procedures and user access matrix).
- Powerful user-IDs/passwords are limited to authorized personnel.
- Access permissions to sensitive programs and data files.
- Security and audit event logging and review.
- Segregation of domains and networks.
- Firewall and intrusion detection for external network connections.
- Internet-facing servers placed in a DMZ.
3.4 Computer and Network Operations
Computer and network operations are efficient, effective and reliable.
- Documented computer and network operational procedures.
- Processing schedule and requirements (daily, weekly, month-end).
- Capacity planning and performance monitoring.
- Regular preventive maintenance and service.
- Data backup, retention and offsite storage.
- Anti-virus and malware protection software installed and updated.
3.5 System Development and Maintenance
System development and program changes are authorized, tested and documented.
- Formal systems development (SDLC) methodology.
- User requirements and user acceptance testing.
- Package/3rd party software support and maintenance.
- Program change request, testing, and migration to production.
- Separate development, test and production environments.
3.6 Business Continuity Planning
Plans and procedures are in place to initiate an effective recovery of computer operations in the event of a disaster.
- Documented business continuity plan (BCP) for critical systems/applications.
- Backup/disaster recovery site (a safe distance away from the main site).
- Business continuity plan tested and updated.
- Insurance coverage for computer equipment and data.
4. Conclude & Report
On completion of the review, a draft audit report is prepared to detail the:
- findings and root cause;
- risk exposure (likelihood and impact)
- risk rating (low, medium, high);
- recommendations for improvement; and
- overall rating and conclusion
A clearance meeting is held with IT management to discuss the draft report and verify that the findings are valid, recommendations are appropriate and to obtain the management responsibility for each finding.
The finalized audit report shall be issued and communicated to management and the audit committee on a timely basis to ensure corrective action is promptly taken.