4. IT General Controls (ITGCs)
▷ Controls designed to ensure that information processing takes place in a reasonably controlled and consistent environment.
▷ These controls ensure the integrity of data, programs, and processing.
▷ Controls that apply to more than one computerized application system.
5. Types of ITGCs
▷ Organization and management controls
▷ Segregation of duties
▷ Physical and environmental controls
▷ Logical access controls
▷ System development and program change controls
▷ IT operations controls (e.g., back-up and recovery)
▷ Business continuity planning
▷ End user computing controls
6. Logical Access Controls
▷ Formal procedures for the creation of new users and the deletion of terminated users must exist.
▷ Application access must be controlled with individual user names and passwords, and the passwords must be updated or changed periodically.
▷ Users must be restricted to the application menus that correspond to their specific business functions.
7. Logical Access Controls
▷ Super-user accounts must be limited in number, and their credentials must be known only to appropriate, authorized personnel.
▷ Use of super-user accounts is limited to performing actions that require those rights. Issuance and use of these accounts must be properly authorized, documented, reviewed and monitored.
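The three logical access controls above can be tested against a user-list export. The following is an added example (not part of the slides) that flags the exceptions an auditor would look for: active accounts belonging to terminated users, super-user accounts not on the authorized list, and passwords older than the rotation period. The account records, termination list and 90-day rotation period are constructed assumptions.

```python
from datetime import date

# Constructed sample data: an application user-list export ...
USERS = [
    {"user": "asmith",   "active": True,  "superuser": False, "pw_changed": date(2024, 1, 10)},
    {"user": "bjones",   "active": True,  "superuser": False, "pw_changed": date(2024, 5, 2)},
    {"user": "root_ops", "active": True,  "superuser": True,  "pw_changed": date(2024, 4, 20)},
    {"user": "cwu",      "active": True,  "superuser": True,  "pw_changed": date(2024, 5, 30)},
    {"user": "dlee",     "active": False, "superuser": False, "pw_changed": date(2023, 12, 1)},
]
# ... an HR termination list (user -> termination date) ...
TERMINATED = {"bjones": date(2024, 4, 15), "dlee": date(2023, 11, 30)}
# ... and the documented list of personnel authorized to hold super-user rights.
AUTHORIZED_SUPERUSERS = {"root_ops"}
# Review date and password rotation period (assumed policy value).
AS_OF = date(2024, 6, 1)
MAX_PW_AGE_DAYS = 90


def review_logical_access(users, terminated, authorized_superusers, as_of, max_pw_age_days):
    """Return (user, exception) pairs for every control deviation found.

    Each exception maps to one of the logical access controls:
    - terminated_user_still_active: deletion procedure for leavers not followed
    - unauthorized_superuser: super-user rights held by someone not on the authorized list
    - password_not_rotated: periodic password change not enforced
    """
    findings = []
    for u in users:
        name = u["user"]
        if u["active"] and name in terminated:
            findings.append((name, "terminated_user_still_active"))
        if u["superuser"] and name not in authorized_superusers:
            findings.append((name, "unauthorized_superuser"))
        if u["active"] and (as_of - u["pw_changed"]).days > max_pw_age_days:
            findings.append((name, "password_not_rotated"))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_logical_access(USERS, TERMINATED, AUTHORIZED_SUPERUSERS, AS_OF, MAX_PW_AGE_DAYS)


if __name__ == "__main__":
    for user, exception in run_review():
        print(f"{user}: {exception}")
```

An empty result supports a conclusion that the controls are operating effectively; any finding is an exception to be followed up, as the test-of-controls flow later in the deck describes.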
8. Program Change Controls
▷ Development and production of programs and applications, and their subsequent changes, must take place in separate environments.
▷ Program change requests, authorizations and approvals must be documented.
▷ Program changes must be tested and accepted by users.
9. Program Change Controls
▷ The business owner or functional manager must formally authorize the migration of program changes to production.
▷ A distinct person, other than the systems programmer, must move the program change into the production environment.
11. Test of Controls vs Test of Transactions
Test of Controls (Application Controls)
▷ Application control design is effective
▷ IT general controls are operating effectively
Test of Transactions
▷ Performed to obtain inferential evidence that an application control is operating effectively
▷ Samples are taken throughout the period of reliance
12. When to perform test of transactions?
▷ IT general controls are ineffective, and
▷ No compensating control identified, or compensating control is ineffective
Or
▷ Application control could not be directly tested (i.e., embedded or hard-coded routines).
13. Flowchart
• Application Control is Effective
• IT General Control is Ineffective
Identify Compensating Controls
With compensating control?
  Yes: Test Compensating Controls
    Compensating control effective?
      Yes: Control Effective
      No: Test control through inferential evidence
  No: Test control through inferential evidence
Test control through inferential evidence
  With exceptions?
    Yes: Control Ineffective
    No: Control Effective