
IT Knowledge Topic

Utility tools that support GITCs


May 2023

For Internal Use Only

Disclaimer
This document is for reference information only. The use of this material is optional. It does not modify the audit
methodology or guidance set out in the relevant KPMG Audit Execution Guide (KAEG).
If there is a mandatory/specified approach (or document) for your local member firm, please use that. If you are unsure
of your member firm’s policy for use of this document, it is recommended you contact your relevant Risk or
Methodology team, including DPP resources.
This document may not cover all risks or considerations related to the specified topic. These materials are provided for
consideration and should be assessed for use, if appropriate, on an engagement-specific basis.
Audit work should be documented directly in KPMG Clara workflow. This document should not be put on file.

This document is a resource for engagement teams to use as they plan their information technology (IT) audit work in
relation to utility tools at the entity they are auditing. This document should not be retained in the audit workpapers.

Contents
1. Overview of utility tools that support GITCs,
2. General considerations when obtaining an understanding of the risks arising from the use of utility tools that
support GITCs, and
3. Example controls testing considerations.

Overview of utility tools that support GITCs


What are utility tools that support GITCs?
Utility tools are a specific type of application (i.e., a layer in an IT system) that helps optimize, automate, configure,
analyze or maintain IT systems. These utility tools may be used by entities to support their GITCs (i.e., access to
programs and data, program changes, program acquisition and development, computer operations).
Utility tools can also be used by entities to produce information that we use as audit evidence or to select items to test.

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. KPMG refers to the 1
global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity. KPMG International
Limited is a private English company limited by guarantee and does not provide services to clients. For more detail about our structure please visit home. KPMG/governance
NDP439920-1L
What are example utility tools that support GITCs?
There are many different types of utility tools that may be used in an IT environment. See below for example tools
categorized by IT process:

Access to programs and data
• Access management tools: Centrify, Okta, Azure Active Directory, SailPoint
• Password vaults: CyberArk, Passwordstate, Keypass, Keeper

Program Changes
• Change management workflow tools: ServiceNow
• Deployment tools: Jenkins
• Code version control: Subversion, GitHub

Program acquisition and development
• Deployment: Jenkins, AWS CodeDeploy
• Service management/workflow tools: Service Now, JIRA, ZenDesk

Computer Operations
• Logging tools: Splunk
• Workflow tools: ServiceNow
• Batch scheduled jobs: TWS, IWS, ActiveBatch

How do we identify utility tools used to support a GITC?


We identify utility tools used to support a GITC when we obtain an understanding of the IT processes and/or when we
evaluate the design and implementation of GITCs. Below are some questions we may ask to determine if a utility tool is
used to support a GITC:
Access to Programs and Data
• What tools are used to support the process to manage access to programs and data? For example,
- For authentication/authorization, are there any identity and access management (IAM) tools used?
- For provisioning access, are the requests automatically routed for approval? If so, what tool is used to route the
requests?
- For de-provisioning, are user/system accounts automatically de-provisioned? If so, what tool is used to automatically
de-provision access?
- For privileged access (i.e., “Firefighter” and/or other shared account(s)), are there any password vaults used to
manage shared passwords?
- For user access reviews, are there any tools used to support the process?
- For physical access, are there any tools used to manage physical access?

Program Changes
• What tools are used to support the process to manage program changes/changes to IT systems? For example,
- For authorization, are there any workflow tools used to track requests and approval of changes?
- Are changes in the IT system configuration managed through a utility tool?
- How is source code managed? Are program release/migration tools used?

Program Acquisition and Development
• What tools are used to support the process to manage program acquisition and development? For example,
- For approval, are there any workflow tools used to track requests and approval of development?
- For data migration, are any tools used to support the data migration process?
- How is source code managed? Are program release/migration tools used? Are there different tools used other than
what is used for program changes?
Computer Operations
• What tools are used to support the process to manage computer operations? For example,
- Are there any tools used to manage job scheduling activities?
- Are there any tools used to support monitoring batch jobs/interfaces?
- Are there any tools used to support backup and recovery of data relevant to financial systems?
- Are there any tools used to manage incident/problem management?
When may a utility tool that supports a GITC be relevant to the audit?
A utility tool may be relevant to the audit if:
• It is used by the entity to support the execution of one or more relevant GITCs (e.g., password vault tool used to support
privileged access GITCs) and;
• There is one or more relevant RAFITs within the utility tool and/or;
• We rely on the information in the utility tool to test the operating effectiveness of GITCs (e.g., program change listing
used to select items to test program change GITCs).
Is a utility tool always relevant to the audit?
No. It depends on how the utility tool is used and the planned audit approach.
Why do we consider RAFITs and GITCs over utility tools that support GITCs?
Risks arising from the use of utility tools may impact the design or operating effectiveness of automated GITCs we intend
to rely on and/or information used in the audit. If we do not consider RAFITs and GITCs over utility tools, we may place
inadvertent reliance on them when relying on automated GITCs. If the utility tool impacts GITCs and/or information we
rely upon, then we identify the relevant RAFITs and the GITCs that address those RAFITs using the same framework as
identifying relevant RAFITs and layers of technology.
Refer to the Q&A in KAEG ‘How do we identify relevant layers of technology and RAFITs?’ ISA 315 [ISA | 1354.1500], AS
2110 [PCAOB | 1354.1500], AU-C 315 [AICPA | 1354.1500].
When do we test GITCs over utility tools that support GITCs?
Once we’ve determined the utility tool is relevant to the audit because it contains relevant RAFITs, we identify the tool as
a relevant layer, the relevant RAFITs in the layer and the GITC that address those RAFITs. We use the same framework we
use when determining relevant RAFITs (and the GITCs that address them) to automated process control activities.
Refer to the Illustrative automated GITCs, RAFITs, and testing considerations section for examples.
Where do we add utility tools in KPMG Clara workflow?
Utility tools are generally added as an IT layer in the GITC D&I activity screen for automated GITCs within KCw. The
example below illustrates the linear relationship between RMMs, PRPs, automated controls, IT layers, RAFITs, and GITCs.
When we identify relevant automated control activities, we identify the IT layer the automated control operates on, the
relevant RAFITs, and the GITCs that address those RAFITs. For those GITCs that are automated, we also identify the
relevant IT layers and RAFITs as well (refer to red box highlighted in the graphic below).

Activity layers, RAFITs, and GITC

RMM: The presentation and disclosures for the balance sheet are incomplete, inaccurate or not fairly presented.
PRP1: All requisite manual journal entries are not subject to approval.
Automated Control: 1 – Access to open/close GL periods is restricted to authorized personnel.
Layer(s): Oracle
RAFIT(s): PC 2.2, APD 1.4, APD 1.3
GITC(s): APD3-2 – IAM Tool (addresses RAFIT APD 1.3)

Note: Other layers, RAFITs, GITCs may be identified for this automated control. For the purposes of this example, only an
excerpt was included.

Automated GITC: APD3-2 – IAM Tool: Every day, user accounts of terminated/resigned users are disabled via an automated
process, based on system updates from the relevant HR systems.
Layer(s): IAM Tool
RAFIT(s) >> GITC(s):
• 2.1 PC >> 2.1 PC-1
• 2.2 PC >> 2.2 PC-1
• 2.3 PC >> 2.3 PC-1

In the example shown above, we identified an automated GITC APD3-2 that addresses RAFIT APD 1.3. In this scenario,
this automated GITC operates in an identity and access management tool. As such, the identity and access management
tool is an additional IT layer that is added in the GITC D&I activity screen for GITC APD3-2.
Note: Utility tools may have additional relevant IT layers just as any other IT system (e.g., application, database, and/or
operating system). We identify the relevant RAFITs and GITCs on each relevant IT layer that affects the operation of the
GITC in the utility tool.
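As an added illustration (not KPMG tooling or guidance), the check below reperforms an automated de-provisioning GITC like APD3-2 above by reconciling an HR termination feed with an IAM account export; the feed and export layouts, the sample rows, and the one-day "timely" threshold are assumptions.

```python
"""Reperformance of an automated de-provisioning GITC (APD3-2 style):
every HR termination should have its IAM account(s) disabled within the
daily job's window. HR feed and IAM export layouts are assumed."""
from datetime import date, timedelta

# Constructed sample HR termination feed for the period (assumed layout).
HR_TERMINATIONS = [
    {"employee_id": "E100", "termination_date": date(2023, 3, 1)},
    {"employee_id": "E101", "termination_date": date(2023, 3, 5)},
    {"employee_id": "E102", "termination_date": date(2023, 3, 7)},
    {"employee_id": "E103", "termination_date": date(2023, 3, 8)},
    {"employee_id": "E104", "termination_date": date(2023, 3, 9)},
]

# Constructed sample export of IAM-managed accounts (assumed layout).
# E200 is an active employee with no termination and must not be flagged.
IAM_ACCOUNTS = [
    {"employee_id": "E100", "username": "a.smith", "status": "disabled", "disabled_on": date(2023, 3, 1)},
    {"employee_id": "E101", "username": "b.jones", "status": "disabled", "disabled_on": date(2023, 3, 10)},
    {"employee_id": "E102", "username": "c.wong", "status": "enabled", "disabled_on": None},
    {"employee_id": "E104", "username": "d.lee", "status": "disabled", "disabled_on": date(2023, 3, 9)},
    {"employee_id": "E104", "username": "d.lee-adm", "status": "enabled", "disabled_on": None},
    {"employee_id": "E200", "username": "e.kim", "status": "enabled", "disabled_on": None},
]


def find_deprovisioning_exceptions(hr_terminations, iam_accounts, sla_days=1):
    """Compare every HR termination with the IAM account export.

    Returns a list of (employee_id, username, reason) tuples. sla_days is
    the assumed number of days after termination by which the daily job
    must have disabled each of the leaver's accounts.
    """
    accounts_by_employee = {}
    for account in iam_accounts:
        accounts_by_employee.setdefault(account["employee_id"], []).append(account)

    exceptions = []
    for termination in hr_terminations:
        emp = termination["employee_id"]
        deadline = termination["termination_date"] + timedelta(days=sla_days)
        accounts = accounts_by_employee.get(emp)
        if not accounts:
            # HR leaver with no linked IAM account: the HR-to-IAM interface
            # may be incomplete, so the control could not act on this leaver.
            exceptions.append((emp, None, "no IAM account linked to HR record"))
            continue
        for account in accounts:
            if account["status"] != "disabled":
                exceptions.append((emp, account["username"], "still enabled"))
            elif account["disabled_on"] is None or account["disabled_on"] > deadline:
                exceptions.append((emp, account["username"], "disabled after SLA"))
    return exceptions


def exception_summary(exceptions):
    """Count exceptions by reason, for the workpaper summary."""
    summary = {}
    for _, _, reason in exceptions:
        summary[reason] = summary.get(reason, 0) + 1
    return summary


if __name__ == "__main__":
    found = find_deprovisioning_exceptions(HR_TERMINATIONS, IAM_ACCOUNTS)
    for emp, user, reason in found:
        print(f"{emp} {user or '-'}: {reason}")
    print(exception_summary(found))
```

Secondary accounts (such as d.lee-adm above) are checked individually, since a leaver whose primary account is disabled but whose privileged account is not remains an exception.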

Questions for obtaining an understanding of the entity’s utility tools supporting GITCs

General utility tools questions to consider
• Were the tools developed in-house or purchased from a third party?
• What are the layers of technology that support the utility tool?
• How do users authenticate to the utility tool?
• How is access to the utility tool provisioned and de-provisioned?
• Who has “superuser” access to the utility tool?
• Who has access to add/remove/modify user access within the utility tool?
• How are changes to the utility tool managed?
• How is access to implement changes to the utility tool’s production environment restricted?
• Is there a separate database? If so,
- How is access to the utility tool’s database managed?
- How are changes to the utility tool’s database managed?

IAM (Identity and Access Management) tool specific questions to consider
Provision & de-provision access
• What is the source of the master data for new employees and contractors? How is the master data interfaced with IAM
tools?
• How are transfers in job roles information interfaced to the IAM tool?
• How is termination information interfaced to the IAM tool?
• Which target systems are configured to use the IAM tool?
• How are automated workflows configured? What triggers/actions were configured (i.e., setup or changes to roles and
their associated approvals)?
• Who has access to modify the configuration of a given workflow?
User access reviews
• How is the user access data fed into the IAM tool?
• What are the controls in place around the completeness and accuracy of the data?
• Is management reviewing access at the appropriate level (i.e., roles, profiles, entitlements)?
• Are the privileges of each user being reviewed?
Code repository tool specific questions to consider
• Who can make changes to production?
• How is segregation of duties managed between users who can make changes and users who can develop them?
• What privileges allow for administrative access?
• What privileges allow for the approval of the change to be implemented?
• What privileges allow for the code to be applied to the production environment?
• Which application/systems are configured to use the code repository tool?
Also refer to the Q&A in KAEG ‘How do we obtain an understanding of the IT systems used by the entity?’ ISA 315 [ISA |
7589.10383], AS 2110, [PCAOB | 7589.10383], AU-C 315 [AICPA | 7589.10383] as the process to obtain an understanding
of a utility tool used to support a GITC is the same process to obtain an understanding of IT systems used by the entity.

Illustrative automated GITCs, RAFITs, and testing considerations


To help illustrate how to identify layers, RAFITs and GITCs for tools, consider the illustrative examples below:
Examples of utility tools that are used by the entity to support GITCs
Fact pattern 1:
Consider the following:
• An engagement team plans to rely on the operating effectiveness of an automated process control activity that operates
on the PeopleSoft application IT layer.
• Relevant RAFITs have been identified and GITCs tested for the PeopleSoft application IT layer.
• During evaluation of the design and implementation of the GITC related to PeopleSoft program changes, the
engagement team identified the use of the JIRA ticketing tool that supports the initiation, tracking, and approvals for
PeopleSoft program changes.
• The JIRA ticketing tool only routes change requests for approval based on the established business rules configured in
the tool. It does not automatically migrate changes in the PeopleSoft system to production once approved. This is a
manual process that occurs after all approvals have been obtained.
• The engagement team plans to rely on the automated configuration within the JIRA ticketing tool to route program
change requests for the PeopleSoft system to the appropriate business owners for approval.

The table below illustrates the PRP, automated process control activity that addresses the PRP, RAFITs relevant to the
automated process control activity, identification of an automated GITC, and the subsequent identification of the IT layer
for the JIRA tool, RAFITs relevant to the automated GITC and GITCs that address those RAFITs.
*Note: The full example from PRP to the tools that address the automated GITC table is only included in fact pattern 1 to
demonstrate the relationship between the tool and the automated process control activity.
All other fact pattern examples include a table that starts with the automated GITC and the RAFITs relevant to that
automated GITC and the GITCs that address those RAFITs.

Table 1 Fact pattern 1

PRP: Unauthorized users can modify their own HR records in the PeopleSoft HR system.
Automated process control activity: PeopleSoft is configured to prevent users from modifying their own HR records.
IT Layer: PeopleSoft
RAFIT: 2.1 PC – Changes to IT programs were inappropriate (i.e., unapproved or do not function as intended).
GITCs that address 2.1 PC on the PeopleSoft layer:
• 2.1 PC-3: The JIRA ticketing tool automatically routes program change requests for the PeopleSoft system to the
appropriate system business owners for approval to implement the program change. (Automated)
• 2.1 PC-4: The control operator implements/migrates changes into the PeopleSoft production environment after final
approvals are obtained within JIRA ticketing tool (Manual)*. Further IT Layer / RAFIT / GITC: N/A.

IT Layer for automated GITC 2.1 PC-3: JIRA ticketing tool
RAFIT >> GITC on the JIRA ticketing tool layer:
• 1.1 APD – Identification and authentication mechanisms are not implemented to restrict logical access to IT systems and
data. >> 1.1 APD-1: Access is authenticated through the use of passwords as a mechanism for validating that users are
authorized to gain access to JIRA.
• 1.2 APD – Logical access permissions are granted (new or modified) to users and accounts (including shared or generic
accounts) that are inappropriate (i.e., unauthorized or not commensurate with job responsibilities). >> 1.2 APD-1:
Management approves the nature and extent of user access privileges for new and modified user access, including
standard application profiles/roles, and critical financial reporting transactions.
• 1.3 APD – Logical access permissions are not revoked in a timely manner. >> 1.3 APD-1: Access for terminated/resigned
or transferred users is removed or modified in a timely manner.
• 1.4 APD – Logical access to users and accounts (including shared or generic accounts) that can perform privileged tasks
and functions within IT systems is inappropriate (i.e., unauthorized or not commensurate with job responsibilities). >>
1.4 APD-1: Privileged-level access (e.g., configuration, data and security administrators) in JIRA is restricted to the
Security Administration team commensurate with job responsibilities and segregation of duties considerations.
• 2.1 PC – Changes to IT programs were inappropriate (i.e., unapproved or do not function as intended). >> 2.1 PC-1:
Changes to JIRA ticketing tool programs are approved by the business/IT prior to implementation into the production
environment.
• 2.2 PC – Changes to IT configurations were inappropriate (i.e., unapproved or do not function as intended). >> 2.2 PC-1:
Changes to JIRA ticketing tool configurations are approved by the business/IT prior to implementation into the
production environment.
• 2.3 PC – Logical access to implement changes to IT system program or configurations into the production environment
is inappropriate (i.e., unauthorized or not commensurate with job responsibilities). >> 2.3 PC-1: Access to implement
changes into the production environment for JIRA ticketing tool, including configuration changes, is restricted.

In the example above, the engagement team relies on the operating effectiveness of the JIRA ticketing tool workflow
approval configuration to enforce program change requests for the PeopleSoft system to the appropriate system
business owners for approval. In addition to the PeopleSoft application IT layer, the JIRA ticketing tool is also considered
a relevant IT layer. RAFITs 1.1 APD – 1.4 APD and 2.1 PC, 2.2 PC, and 2.3 PC are deemed relevant on the JIRA utility tool
application layer since this is the layer where the automated GITC operates, and these are the relevant RAFITs that
would impact the operating effectiveness of the automated GITC.
Fact pattern 2
Consider the following:
• An engagement team plans to rely on the operating effectiveness of an automated process control activity that operates
on the Oracle database IT layer.
• Relevant RAFITs have been identified and GITCs tested for the Oracle database IT layer.
• Engagement team also identified the use of CyberArk utility tool to manage passwords to the shared Oracle database
accounts. The engagement team uses the standard delivered functionality of CyberArk. Changes to CyberArk are limited
to patches, updates, and fixes.
• The engagement team plans to rely on the automated configuration within CyberArk to manage passwords to the
shared Oracle database IT layer.

GITC: CyberArk is configured to restrict access to privileged shared Oracle database administrative passwords to
authorized database administrators commensurate with job responsibilities. (Automated)

Relevant layer: Application (CyberArk)

Relevant RAFITs >> Relevant GITCs:
• 1.1 APD – Identification and authentication mechanisms are not implemented to restrict logical access to IT systems and
data. >> 1.1 APD-1: Access is authenticated through the use of passwords as a mechanism for validating that users are
authorized to gain access to CyberArk.
• 1.2 APD – Logical access permissions are granted (new or modified) to users and accounts (including shared or generic
accounts) that are inappropriate (i.e., unauthorized or not commensurate with job responsibilities); and
1.3 APD – Logical access permissions are not revoked in a timely manner. >> 1.3 APD-5: Every quarter,
business/functional managers periodically review user access of their direct reports to determine whether user access
to CyberArk is appropriately restricted.
• 1.4 APD – Logical access to users and accounts (including shared or generic accounts) that can perform privileged tasks
and functions within IT systems is inappropriate (i.e., unauthorized or not commensurate with job responsibilities). >>
1.4 APD-1: Privileged-level access (e.g., configuration, data and security administrators) in CyberArk is restricted to the
Security Administration team commensurate with job responsibilities and segregation of duties considerations.
• 2.3 PC – Logical access to implement changes to IT system program or configurations into the production environment
is inappropriate (i.e., unauthorized or not commensurate with job responsibilities). >> 2.3 PC-1: Access to implement
changes into the production environment for CyberArk, including configuration changes, is restricted.

Refer to the CyberArk Audit Program Guide for additional illustrative GITCs and test procedures related to
CyberArk.

In the example above, the engagement team relies on the operating effectiveness of CyberArk to store passwords used
to authenticate to the Oracle database shared privileged account. In addition to the Oracle database IT layer, the
CyberArk utility tool is also considered a relevant IT layer. RAFITs 1.1 APD – 1.4 APD and RAFIT 2.3 PC are deemed
relevant on the CyberArk utility tool application layer since this is the layer where the automated GITC operates and
these are the relevant RAFITs that would impact the operating effectiveness of the automated GITC. RAFITs 2.1 PC and
2.2 PC are not deemed relevant in this example as the engagement team uses the delivered functionality of CyberArk
and functionality changes are limited to patches, updates, and fixes.
*Note: If teams customize CyberArk and make functionality/code changes, then RAFIT PC 2.1 and PC 2.3 may be
relevant.
Fact pattern 3:
Consider the following:
• An entity has multiple relevant financial reporting IT systems.
• The engagement team plans to rely on the operating effectiveness of various automated process control activities
across the multiple financial reporting systems.
• During evaluation of the design and implementation of the access to programs and data GITCs, the engagement team
identified the SailPoint utility tool used for identity and access management across the multiple relevant financial
reporting systems.

GITC: For connected applications, SailPoint is configured to automatically provision system access based on pre-defined
required approvals. (Automated)

Relevant layer(s): Application (SailPoint)

Relevant RAFITs >> Relevant GITCs:
• 2.2 PC – Changes to IT configurations were inappropriate (i.e., unapproved or do not function as intended). >>
2.2 PC-1: Changes to SailPoint are approved by appropriate IT and/or Business management prior to migration into
production.
2.2 PC-2: Changes to SailPoint configurations and changes to system code are appropriately tested prior to migration.
• 1.4 APD – Logical access to users and accounts (including shared or generic accounts) that can perform privileged tasks
and functions within IT systems is inappropriate (i.e., unauthorized or not commensurate with job responsibilities). >>
1.4 APD-1: Privileged access (i.e., configuration, data and security administrators) in SailPoint is configured to restrict
access to authorized system administrators commensurate with job responsibilities.
• 2.3 PC – Logical access to implement changes to IT system program or configurations into the production environment
is inappropriate (i.e., unauthorized or not commensurate with job responsibilities). >> 2.3 PC-1: Access capabilities to
make changes to SailPoint configurations are limited to non-development IT personnel with change management
responsibilities.
• 4.1 CO – System jobs, processes, and/or programs do not function as intended, resulting in incomplete, inaccurate,
untimely or unauthorized processing of data. >> 4.1 CO-1: System jobs, processes, and programs are executed according
to an established schedule and frequency and are monitored.
• 4.2 CO – Logical access to make changes to system jobs, processes, and/or programs is unauthorized or not
commensurate with job responsibilities. >> 4.2 CO-1: Only authorized users have access to update batch jobs, including
interface jobs, relevant to SailPoint in the job scheduling software.
Refer to the SailPoint Audit Program Guide for a listing of illustrative GITCs and test procedures related to SailPoint.

Example of tools that provide information relied on to test the operating effectiveness of a GITC
Fact pattern 4:
Consider an entity that uses JD Edwards. As part of obtaining an understanding of the financial reporting process, we
identify PRPs and automated process control activities related to JD Edwards. We identify RAFIT 2.1 PC as relevant and
GITC 2.1 PC-1 that addresses this RAFIT, as noted below:
RAFIT 2.1 PC: Changes to IT programs were inappropriate (i.e., unapproved or do not function as intended).
GITC 2.1 PC-1: Changes to IT programs are approved by the business/IT prior to implementation into the production
environment
In evaluating the design and implementation of GITC 2.1 PC-1, we noted that the entity uses ServiceNow tool to track
requests and approvals for program changes.
We plan to use a listing from ServiceNow of all program changes in JD Edwards during the period under audit to select
samples to test GITC 2.1 PC-1.

Internal information used to test the GITC: List of program changes to JD Edwards from ServiceNow during the period
under audit.

Relevant layer(s): Database (ServiceNow)

Relevant RAFITs >> Relevant GITCs:
• 1.4 APD – Logical access to users and accounts (including shared or generic accounts) that can perform privileged tasks
and functions within IT systems is inappropriate (i.e., unauthorized or not commensurate with job responsibilities). >>
1.4 APD-1: Privileged-level access (e.g., configuration, data and security administrators) in ServiceNow database is
restricted to authorized personnel commensurate with job responsibilities and segregation of duties considerations.

The example above is an example of a controls approach to evaluating period-of-time information used solely by KPMG
to select items to test the operating effectiveness of GITCs. We use the ServiceNow listing of JD Edwards program
changes to select samples to test GITC 2.1 PC-1. The engagement team tests this ‘period-of-time’ information by testing
the GITC (1.4 APD-1) that addresses data integrity (RAFITs 1.4 APD) at the ServiceNow database layer.
Data input risk is addressed by control GITC 2.1 PC-1 (Changes to IT programs are approved by the business/IT prior to
implementation into the production environment), specifically the attributes noted below:
• Attribute 1: The business/IT authorized user commensurate with the entity’s IT delegation of authority, provides the
final approval to implement the program change.
• Attribute 2: Control operator implements/migrates the program change after final approval was provided by the
business/IT.
Data extraction and manipulation risk* is addressed by the following procedures:
• Inspect the query parameters in ServiceNow to extract the list of JD Edwards program changes where the status of the
ticket is ‘complete’, the ‘completion date’ is within the period under audit, there are no other exclusions, and obtain
system evidence of the query; and
• Observe entity management run the query to extract the data and send to the auditor without manipulation along with
excerpt of the query parameters.

*Note: Engagement teams may also identify automated system configuration controls within ServiceNow to address
data extraction and manipulation risks.
Based on how each information risk is addressed above, the only IT layer relevant is the ServiceNow database. There are
no other relevant RAFITs on the ServiceNow application or operating system IT layers.
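As an added illustration of fact pattern 4 (not KPMG tooling or guidance), the script below first confirms a constructed ServiceNow-style change extract matches the inspected query parameters (status ‘complete’, completion date in the period, no other exclusions) and then tests attributes 1 and 2 of GITC 2.1 PC-1 on each in-scope item; the row layout, the period dates and the delegation-of-authority approver list are assumptions.

```python
"""Check a program-change extract against its query parameters, then test
the two data input attributes of GITC 2.1 PC-1 per item. Row layout,
period dates and the authorized approver list are assumptions."""
from datetime import date

PERIOD_START = date(2023, 1, 1)   # assumed period under audit
PERIOD_END = date(2023, 6, 30)

# Assumed delegation-of-authority list: business/IT users who may give final approval.
AUTHORIZED_APPROVERS = {"alice.b", "raj.p"}

# Constructed sample rows as a ticketing tool might export them (assumed layout).
CHANGE_LISTING = [
    {"ticket": "CHG001", "status": "complete", "completion_date": date(2023, 2, 15),
     "final_approver": "alice.b", "final_approval_date": date(2023, 2, 10),
     "implemented_on": date(2023, 2, 14)},
    {"ticket": "CHG002", "status": "complete", "completion_date": date(2023, 2, 20),
     "final_approver": "mallory.x", "final_approval_date": date(2023, 2, 18),
     "implemented_on": date(2023, 2, 19)},
    {"ticket": "CHG003", "status": "complete", "completion_date": date(2023, 3, 1),
     "final_approver": "raj.p", "final_approval_date": date(2023, 3, 2),
     "implemented_on": date(2023, 3, 1)},
    {"ticket": "CHG004", "status": "in progress", "completion_date": None,
     "final_approver": None, "final_approval_date": None, "implemented_on": None},
    {"ticket": "CHG005", "status": "complete", "completion_date": date(2022, 12, 20),
     "final_approver": "alice.b", "final_approval_date": date(2022, 12, 18),
     "implemented_on": date(2022, 12, 19)},
]


def extraction_exceptions(rows, period_start=PERIOD_START, period_end=PERIOD_END):
    """Rows that contradict the inspected query parameters (status 'complete'
    and completion date inside the period). Any hit means the extract was
    not produced with the parameters that were inspected."""
    problems = []
    for row in rows:
        if row["status"] != "complete":
            problems.append((row["ticket"], "status is not 'complete'"))
        elif row["completion_date"] is None or not (period_start <= row["completion_date"] <= period_end):
            problems.append((row["ticket"], "completion date outside period"))
    return problems


def in_scope(rows, period_start=PERIOD_START, period_end=PERIOD_END):
    """The population to sample from: rows satisfying the query parameters."""
    flagged = {ticket for ticket, _ in extraction_exceptions(rows, period_start, period_end)}
    return [row for row in rows if row["ticket"] not in flagged]


def attribute_exceptions(rows, authorized=AUTHORIZED_APPROVERS):
    """Test attributes 1 and 2 of GITC 2.1 PC-1 on each item.
    Returns {ticket: [failed attribute descriptions]} for failures only."""
    failures = {}
    for row in rows:
        failed = []
        # Attribute 1: final approval given by a business/IT user on the DoA list.
        if row["final_approver"] not in authorized or row["final_approval_date"] is None:
            failed.append("attr1: no final approval by an authorized approver")
        # Attribute 2: migration happened only after the final approval.
        if (row["implemented_on"] is None or row["final_approval_date"] is None
                or row["implemented_on"] < row["final_approval_date"]):
            failed.append("attr2: implemented before final approval")
        if failed:
            failures[row["ticket"]] = failed
    return failures


if __name__ == "__main__":
    print("extract parameter exceptions:", extraction_exceptions(CHANGE_LISTING))
    population = in_scope(CHANGE_LISTING)
    print("population size:", len(population))
    print("attribute exceptions:", attribute_exceptions(population))
```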
Direct test approach to information
Instead of using a controls-based approach, we may also direct-test the accuracy and completeness of the relevant data
elements by attribute sampling. For additional guidance on evaluating the reliability of information, refer to the Q&A in
KAEG ‘How may we test information that is used solely by KPMG to select items to test the operating effectiveness of
GITCs?’, ISA 500 [ISA | 2694.8566], AS 1105 [PCAOB | 2694.8566], and AU-C 500 [AICPA | 2694.8566].

