Four General Domains of ITGC and how to audit each domain:

1. Access to Program and Data

Risk: Unauthorized access to program and data may result in improper
changes to data or destruction of data.
Objectives: Access to program and data is properly restricted to
authorized individuals only.
Some of the access to programs and data components to be considered:
 Policies and procedures
 User access provisioning and de-provisioning
 Periodic access reviews
 Password requirements
 Privileged user accounts
 Physical access
 Appropriateness of access/segregation of duties
 Encryption
 System authentication
 Audit logs
 Network security

Example on how Areas in Access to program and Data are audited:

Area Existing Control Design How to test/validate

User access A formal process for granting or Review an evidence of approval
provisioning modifying system access (based
on appropriate level of
approval) is in place
User access A formal process for disabling Compare existing user accounts
deprovisioning access for users that are with a list of users that are
transferred or separated is in transferred or separated
place.
Periodic access Periodic access reviews of Review an evidence of periodic
reviews users, administrators, and reviews
third-party
vendors are performed.
Password Unique (to individual) and Assess password rules enforced
requirements strong passwords are used.
Privileged account Accounts having privileged Review accounts with privileged
users system access rights (e.g. access rights
servers, databases,
applications, and
infrastructure) are limited to
authorized personnel.
Physical access Only authorized personnel are Walkthrough of areas to check the
allowed to access secured security (e.g. data center, backup
areas and computer facilities. storage etc.)
2. Program Changes
Risk: Inappropriate changes to systems or programs may result in inaccurate data.
Objectives: All changes to existing systems are properly authorized, tested, approved,
implemented and documented.
3. Program Development
Risk: Inappropriate system or program development or implementation may result in inaccurate
data.
Objectives: New systems/applications being developed or implemented are properly
authorized, tested, approved, implemented and documented.
Program Changes and Program Development are mainly linked together for some reasons.
Primarily both of their process uses the same components to be observed (i.e. development,
implementation, testing, approval, and documentation etc.).
Some program changes and development components to be considered:
 Policies and procedures
 User access provisioning and de-provisioning
 Periodic access reviews
 Password requirements
 Privileged user accounts
 Physical access
 Appropriateness of access/segregation of duties
 Encryption
 System authentication
 Audit logs
 Network security

Example on how Program Changes and Program Development are audited:

Area Existing Control Design How to Test/Validate

Change management A formal process for proper
controls change management is in
place.
Change documentation All changed made to
systems (e.g. servers,
databases, applications) are
documented and tracked.
Review/assess change
management procedures and
validate that procedures are
followed
Review change logs

Testing Appropriate level of testing Review an evidence of test plans

is performed.
Approval Appropriate approval prior
to migration to production
is required.
Migration Access to migrate changes
into production is
appropriately restricted.
and results
Review an evidence of approval
Verify that a separation of duties
between developers and
operators (making changes)
exists
4. Computer Operations
Risk: Systems or programs may not be available for users or may not be processing accurately.
Objectives: Systems and programs are available and processing accurately.
Some of the Computer operations components to be considered:
 Batch job processing
 Monitoring of jobs (success/failure)
 Backup and recovery procedures
 Incident handling and problem management
 Changes to the batch job schedules
 Environmental controls
 Disaster Recovery Plan (DRP) and Business Continuity Plan (DRP)
 Patch management

Example on how Computer Operations are audited:

Area Existing Control Design How to Text/Validate

Batch job processing Batch jobs are appropriately
scheduled, processed, monitored,
and tracked.
Monitoring of jobs Failed jobs are followed-up and
documented (including successful
resolutions and explanations)
Backup and recovery Backups for critical data and
programs are available in the
event of an emergency.
Problem/issue A formal process for
management problem/issue handling is in place
in order to ensure timely
identification, escalation,
resolution and documentation of
problem.
Review/assess procedures
for batch job processing and
monitoring and validate that
procedures are followed
Validate that failed jobs are
followed-up and
documented
Review/assess procedures
for backup and recovery and
validate that procedures are
followed
Review/assess procedures
for problem/issue
management and validate
that procedures are
followed
IT Disaster Recovery Planning

Information technology systems require hardware, software, data and connectivity. Without one
component of the “system,” the system may not run.

-Computer room environment (secure computer room with climate control, conditioned and backup
power supply, etc.)

-Hardware (networks, servers, desktop and laptop computers, wireless devices and peripherals)

-Connectivity to a service provider (fiber, cable, wireless, etc.)

-Software applications (electronic data interchange, electronic mail, enterprise resource management,
office productivity, etc.)

-Data and restoration