IT General Controls

ACCA UK's Internal Audit Network held a series of seven webinars on de-mystifying
IT audit for business auditors in 2017. The series started in May and concluded in
November with a webinar about the General Data Protection Regulation (GDPR). It
featured three main presenters - Vincent Mulligan FCCA (IT Audit Consultant at
Eisteoir Consulting Ltd), Mike Hughes CISA, SGEIT, CRISC and Steve Connors
CISM, FIPA, FFA (both partners at Haines Watts). To register to watch any of the
webinars in this completed series, click here.

This article provides a few brief highlights of the second webinar in the series on IT
general controls. In this session, the speakers considered the nature of ITGC, the
challenges internal auditors face reviewing them and the approaches that you can
use to audit them.

What are IT General Controls?

IT General Controls (ITGC) or General Computer Controls (GCC) are controls which
relate to the environment that supports IT Applications. The appropriateness and
effectiveness of ITGC’s therefore impacts on all the organisation’s IT applications.

IT general controls are policies and procedures that:

▪ Support application controls and IT components of manual controls
▪ Have a pervasive impact on controls at the application level
▪ Can relate to multiple applications
▪ Operate centrally or in multiple locations
▪ Support automated controls within applications

There are four main groupings of ITGC:

• Access to programs and data
• Program change
• Program development
• Computer operations

Why are ITGC important?

Organisations are increasingly dependent on IT and have increasingly complex
operational and financial IT systems. IT General Controls have an impact on the
controls over all financial IT systems:
o Effectiveness and efficiency of information management
o Reliability of information assets
o Compliance with applicable legal, regulatory and business requirements
o IT controls can have implications over manual as well as automated controls.

“Auditors cannot rely on automated controls if ITGC are not effective – if the
foundations are not there then you cannot rely on what you have built upon those
foundations.”
When should we audit IT General Controls?

Any weakness in IT general controls will have an impact on the application controls
audit so it is important that you look at IT general controls at an early stage so that
you can wrap that into your planning of application audits. Timing will also be
influenced by annual audit planning, changes in the IT environment, and events and
emerging risks.

You will need to consider what skills and experience is required to effectively audit
ITGC the timing of work (before or after implementation of any IT projects), and
specific risks to your environment.

How do we audit IT General Controls?

When auditing IT General Controls, you can audit them as separate control audits or
you can incorporate some IT General Controls work into IT functional audits.
Integrated audits can build on work that has already been done in relation to general
computer controls. However we are not just relying on auditors – these are controlled
environments so there are other business assurance processes such as continuous
monitoring, vendor audits, etc which will also provide assurance. When you are
thinking about getting assurance over IT General Controls, in addition to audits you
should consider the other mechanisms we use to get assurance – such as taking
part or observe at steering committees, and also ensuring you have access to
metrics and dash boards that will give you a view as to what is currently happening
in the IT environment. This can inform your view on the annual planning process and
what they may need to change.

A standardised vision of what an IT General Controls audit looks like this:

Understand the Identify In-Scope Review Existing

IT Environment Systems Documentation

Conduct Document Review Process

Interviews Processes Flows

Identify and Test Controls and

Finalise ITGC
Communicate Evaluate
Flows & Risks
Gaps Vulnerabilities
Access to Programs and Data

The risk is that unauthorised access to data may result in the destruction or change
of data, either malicious or accidental. This could include the recording of inaccurate
or fraudulent transaction. The objective is to implement access controls to restrict
access to specific programs and data to only those who are authorised to do so.

When we are auditing access controls, we are not talking about one process – we
are talking about multiple processes that layered together give us the layers of
defence that create the secure environment. Some of the layers that we would
expect to see in an IT General Controls framework:

Policies &
Procedures

Segregation User Access

of Duties Requests

Access
Periodic Controls
Password
Access
Requirements
Reviews

Physical Privileged
Access Users

A walkthrough of IT General Controls provides the opportunity to understand what

controls are in place and how they are operating. With testing, we want to know what
actual access has been granted - we know what the system owner has approved
because we have seen that during the walkthrough but now we want to validate what
is actually happening. Without testing, we cannot get the level of assurance that we
want that the controls are working and that there aren’t any weaknesses or failures
to implement the policies throughout the period. Examples of walkthrough and
testing are summarised in this table:

Walkthrough Testing
• Logical access controls at the operating • Existence of security policy and
system/database level communication Sample of users – incl
• Security logs/review password resets, matching of access to job
• Process for starters/leavers/changes role, super user, review of violation logs
• Periodic review of user access • Sample of starters/leavers/changes –
• How is SoD achieved – consider access to appropriately authorised and timely
• Periodic review of user access – evidence
development, testing and live
• Sample of users with access to
environments as well as multiple user development/test/live – consider
accounts appropriateness of SoD, evidence of conflict
• Environmental controls – visit data • Evidence of testing environmental controls
centre/server room • Data centre access:
• What is the process for setting • Compare to staff list
up/terminating access to the server • Test to ensure unauthorised users can’t
room/data centre access
Program Change and Development

This relates to the development of applications and after they have been running live
for some time, how changes are made. The risk is that unauthorised amendments to
systems or programs may result in attacks (eg. denial of service) or fraudulent
activities. The objective is to have robust program change management controls to
ensure all changes to systems and applications are authorised, tested, documented
and approved. Further, programme development should follow a similar system of
authorisation, testing, approval and implementation.

Key areas to be considered in change and development audits:

Methodology

Authorisation
Post-Impl
Testing
Reviews
Approval

Change
& Dev Migration to
Data
the Live
Migration
Environment

Emergency Configuration
Changes Changes

Walkthrough and testing for program changes:

Walkthrough Testing
End to end processing of a change Existence of change procedures
request

• Consider planned/unplanned and

• Sample of change requests:
emergency changes • Approval
• Logging of request • Testing/UAT/sign-off
• Testing • Retention of documents (e.g.
• Move to production (‘live’)
environment
testing requests/sign off)
• Documentation update • Existence of separate
• Change scheduling environments for
• How would an unauthorised change testing/QA/staging
be identified
• Documentation update
• Review of change logs against change
requests
• Users who can promote changes to live
Walkthrough and testing for program development:

Walkthrough Testing
End to end processing of a development Existence of systems development lifecycle
project
Sample of developments:
Development lifecycle
• Confirm to development
Project management lifecycle/methodology
Procurement of IT equipment • Appropriate approvals
(software/hardware/infrastructure) • Testing/UAT/sign-offs
• Migration process – including data migration
Implementation of the project • Testing of interfaces
• Document retention
• Training
• Documentation is produced/updated
• Governance (risk
assessment/reporting/management)
• Post go live review

Computer operations

This is fundamentally about service management and service delivery – is the

service that is being provided what the business requires. For example, IT support
hours should mirror business requirements. Another example is whether patch
management is up to date to prevent malware attacks.

The risk is that systems and applications are inaccurately processing data and/or
processing inaccurate data. The objective is to have controls to ensure that system
and application processing operations are authorised, and any deviations from
normal behaviour are identified, investigated and ultimately resolved.

Key areas to be considered:

Job
Processing &
Monitoring

Comp
Ops
Incident & Back-up and
Problem Recovery
Resolution Procedures
Walkthrough and testing for computer operations:

Walkthrough Testing
• Backup and recovery procedures • Sample of backup logs to ensure no
• Periodic testing – file recovery/restore exceptions/errors.
• Back up storage • Sample of failed backups – what action was
• End to end process for incident taken?
management (incl escalation) • Evidence of recovery testing and results of
• Incident/problem tracking – helpdesk last test
facilities and software • Sample of requests for file restores
• Monitoring of live environment to identify • Physical & environmental controls over
failures access to and storage of back up tapes etc. or
• Job processing – including how going forward, the cloud
exceptions are actioned (e.g. if an • Sample of incidents/failures – confirm acted
interface fails to load) upon appropriately
• Sample of job processes to ensure completed
• Sample of scheduling failures to ensure
appropriate action taken

These have been very brief highlights of the webinar - to register to watch the
whole webinar, and any of the other webinars in this completed series, click
here.