IT Audit: The Role of IT General Controls (ITGC) in Financial Audit

23-02-19


Introduction

Many organizations rely on information systems, such as ERP, for business operations and financial reporting. Information systems are complex and require proper internal controls to operate efficiently and effectively. This is where IT general controls (ITGC) play an important role in the audit process. In this post, we'll discuss the importance of ITGC, how they are used in audits, and the various topics that are tested.

What are IT general controls (ITGC)?

ITGC can be defined as the framework used to manage an organization's IT environment. 
It includes a set of policies and procedures that ensure the confidentiality, integrity, and availability of data, and assesses whether IT systems are operating effectively and efficiently and aligning with business objectives.

ITGC's role in audits

The primary role of ITGC in an audit is to review the design and implementation of internal controls over IT systems to assess whether they are operating effectively. 

Topics tested by ITGC

ITGC testing covers a number of topics at the application, database, operating system, and network tiers, including:

Access Control: Evaluate controls related to user access to IT systems, such as provisioning, de-provisioning, access review, segregation of duties (SOD) monitoring, and password parameters.
The key is to ensure that controls prevent unauthorized users from gaining access.

Change Management: Evaluate controls related to changes to information assets, such as upgrades, conversions, changes to data, and patches.
The key is to ensure there are no unauthorized changes.

Task scheduling/monitoring: Evaluate controls related to automated task scheduling and monitoring of IT systems.
The key is to assess authorization for task scheduling and controls to ensure that the results of task scheduling are monitored and that failures are acted upon in a timely manner.

Network security: Evaluate network-level protection against access from outside, such as firewalls and VPNs.
The key is to ensure that critical data is managed so that outside access is prevented.

Backup and recovery: Evaluate controls related to backup and recovery of IT systems, such as backup procedures and data recovery processes.
The key is to ensure that controls are in place to prepare for the risk of business interruption, such as natural disasters.

Information security: Evaluate controls that ensure industry-recommended levels of protection are in place for the confidentiality, integrity, and availability of data, such as security policies and procedures, encryption, and firewalls.

Physical security: Assess controls that ensure physical security for key assets, such as data centers.
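
One way to test the de-provisioning and SOD monitoring items listed under Access Control, as an added example that is not part of the original post. The account list, role names, SoD rule pairs, and the one-day grace period are constructed assumptions, not values from any real system or standard.

```python
from datetime import date

# Constructed sample data (not from any real system).
HR_TERMINATIONS = {"jkim": date(2023, 1, 10), "mlee": date(2023, 1, 20)}
ACCOUNTS = [  # (user, disabled_on or None, roles)
    ("jkim", date(2023, 1, 10), {"AP_CLERK"}),
    ("mlee", None, {"GL_POST"}),                      # leaver, still active
    ("spark", None, {"VENDOR_MAINT", "AP_PAYMENT"}),  # holds a conflicting pair
    ("hchoi", None, {"AP_PAYMENT"}),
    ("ylim", date(2023, 2, 1), {"VENDOR_MAINT", "AP_PAYMENT"}),  # disabled
]
# Hypothetical SoD rule set: role pairs one user should not hold together.
SOD_RULES = [("VENDOR_MAINT", "AP_PAYMENT"), ("GL_POST", "GL_APPROVE")]


def deprovisioning_exceptions(terminations, accounts, as_of, grace_days=1):
    """Leavers whose account stayed enabled beyond the grace period."""
    disabled = {user: off for user, off, _ in accounts}
    findings = []
    for user, left in sorted(terminations.items()):
        if user not in disabled:
            continue  # leaver has no account in this system
        off = disabled[user]
        # Still-enabled accounts are measured up to the audit date.
        days_open = ((off or as_of) - left).days
        if days_open > grace_days:
            findings.append((user, days_open, off is None))
    return findings


def sod_conflicts(accounts, rules):
    """Active accounts holding both roles of any conflicting pair."""
    return [
        (user, pair)
        for user, off, roles in accounts
        if off is None
        for pair in rules
        if set(pair) <= roles
    ]


if __name__ == "__main__":
    print(deprovisioning_exceptions(HR_TERMINATIONS, ACCOUNTS, date(2023, 2, 19)))
    print(sod_conflicts(ACCOUNTS, SOD_RULES))
```

Each finding carries the number of days the account stayed open and whether it is still enabled, which is the evidence an auditor would follow up on with the system owner.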

Conclusion

In conclusion, ITGC plays an important role in the audit process by providing assurance that an organization's IT systems are operating effectively and efficiently. It provides a framework for managing the IT environment and ensures that the organization's IT systems are aligned with business objectives. The topics tested in an ITGC review cover a wide range of areas, including access control, change management, backup and recovery, information security, and physical security. Understanding these topics is essential for auditors to assess the effectiveness of an organization's IT controls and provide recommendations.