IT General Controls
Audit Approach
[Diagram. Labels: Audit of Financial Statements; Significant FS Accounts; Business Processes; Application Systems; Information Technology Infrastructure and Control Procedures; Substantive Procedures; Test-of-Controls Procedures; IT General Controls; Application Controls; IT-Dependent Manual Controls; Manual Controls]
What are IT General Controls?
IT General Controls (ITGCs)
▷ Controls designed to ensure that information processing takes place in a reasonably controlled and consistent environment.
▷ These controls ensure the integrity of data, programs, and processing.
▷ Controls that apply to more than one computerized application system.
Types of ITGCs
▷ Organization and management controls
▷ Segregation of duties
▷ Physical and environmental controls
▷ Logical access controls
▷ System development and program change controls
▷ IT operations controls (e.g., back-up and recovery)
▷ Business continuity planning
▷ End user computing controls
Logical Access Controls
▷ Formal procedures for creation of new users and deletion of terminated users must exist
▷ Application access must be controlled with individual user names and passwords. Furthermore, these must be updated or changed periodically
▷ Users must be restricted to application menus in accordance with their specific business functions
Logical Access Controls
▷ Super-user accounts must be limited, and their credentials must be known only by appropriate and authorized personnel
▷ Use of super-user accounts is limited to performing actions requiring those rights. Issuance and use of these user accounts must be properly authorized, documented, reviewed and monitored
Program Change Controls
▷ Development and production of programs and applications, and their subsequent changes, must exist in separate environments
▷ Program change requests, authorizations and approvals must be documented
▷ Program changes must be tested and accepted by users
Program Change Controls
▷ Business owner or functional manager must formally authorize migration to production of program changes
▷ A distinct person other than the systems programmer must move the program change into the production environment
Test of Controls vs Test of Transactions
Test of Controls (Application Controls)
▷ Application control design is effective
▷ IT general controls are operating effectively
Test of Transactions
▷ Performed to obtain inferential evidence that an application control is operating effectively
▷ Samples are taken throughout the period of reliance
When to perform test of transactions?
▷ IT general controls are ineffective, and
▷ No compensating control identified or compensating control is ineffective
Or
▷ Application control could not be directly tested (i.e., embedded or hard-coded routines).
[Flowchart. Starting condition: Application Control is Effective; IT General Control is Ineffective. Steps: Identify Compensating Controls; Test Compensating Controls; Test control through inferential evidence. Decisions (Yes/No branches): With compensating control?; Compensating control effective?; With exceptions? Outcomes: Control Effective; Control Ineffective]
Thank you
