
IT Infrastructure

• IT infrastructure refers to the collection of hardware, software, networks, and facilities that are used to
develop, test, deliver, monitor, control, or support information technology services.
• It includes everything from physical devices such as servers, computers, and networking equipment to
virtual resources like software and data storage solutions.
• IT infrastructure is the backbone of any organization's IT system, providing the foundation for its digital
operations.
• In summary, IT infrastructure is the broader framework that encompasses all the elements supporting an
organization's IT operations.
IT Assets
• IT assets, on the other hand, are the individual components or resources within the IT infrastructure that
have a specific value to the organization.
• These can include hardware assets (such as servers, computers, and mobile devices), software assets
(including applications and operating systems), network assets (routers, switches, etc.), and data assets
(databases, files, etc.).
• Proper management of IT assets is crucial for organizations to optimize their IT investments, ensure
security, and maintain operational efficiency.
• In summary, IT assets are the specific components within that infrastructure that have individual value
and need to be managed effectively.

Description of IT Controls
• IT audit controls, often referred to as IT controls, are measures put in place to ensure the effectiveness,
security, and reliability of an organization's information technology systems and processes.
• The primary purpose of IT audit controls is to safeguard information assets, maintain data integrity,
ensure confidentiality, and promote the efficient and lawful use of IT resources.
• IT audit controls are essential for maintaining the integrity, availability, and confidentiality of an
organization's information assets.

Categories of IT Controls:
a. IT General Controls (ITGC) b. IT Application Controls (ITAC)
1. IT General Controls (ITGC)
• IT General Controls (ITGC) are a set of foundational controls that are essential for the effective
functioning of an organization's overall information technology environment.
• These controls are not specific to any particular application or system but are instead designed to
provide a general framework for IT governance, risk management, and compliance.
• ITGC are crucial for ensuring the reliability, integrity, and security of an organization's IT
infrastructure.
Access Controls
• User Access Management: Ensures that access to systems and data is appropriately authorized
and regularly reviewed.
• Authentication: Verifying the identity of users before granting access to IT systems.
• Authorization: Assigning appropriate permissions to users based on their roles and responsibilities.
• Segregation of Duties (SoD): Prevents conflicts of interest by separating key duties among
different individuals, so that no single individual has control over all aspects of a critical
process. This reduces the risk of fraud or errors.
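An added example, not part of the original notes: one way an access review can test segregation of duties against a role listing. The role names, duty names, conflict pairs and users are all constructed for illustration.

```python
from itertools import combinations

# Assumed policy: pairs of duties that one person must not hold together.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_change", "deploy_to_production"}),
    frozenset({"grant_access", "review_access"}),
}

# Authorization by role: role -> duties the role permits (constructed).
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "developer": {"develop_change"},
    "release_engineer": {"deploy_to_production"},
    "iam_admin": {"grant_access"},
}

# Constructed access listing: user -> roles currently assigned.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"developer", "release_engineer"},
    "dave": {"iam_admin"},
}


def duties_for(user):
    """Union of all duties a user holds through every assigned role."""
    duties = set()
    for role in USER_ROLES.get(user, ()):
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_violations():
    """Return (user, duty_a, duty_b) for every conflicting pair held by one user."""
    findings = []
    for user in sorted(USER_ROLES):
        for a, b in combinations(sorted(duties_for(user)), 2):
            if frozenset({a, b}) in CONFLICTS:
                findings.append((user, a, b))
    return findings


if __name__ == "__main__":
    for finding in sod_violations():
        print("SoD conflict:", finding)
```

The check works on effective duties rather than role names, so a conflict created by combining two individually harmless roles is still reported.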
Change Management Controls
• Change Approval: Ensures that changes to hardware, software, or configurations are properly
authorized and documented.
• Version Control: Manages and tracks changes to software versions and configurations.
IT Operations Controls
• Job Scheduling: Ensures that batch jobs and processes are scheduled, executed, and monitored
effectively.
• Backup and Recovery: Ensures that data is regularly backed up and that there are procedures in
place to recover it in case of data loss or system failures.

Physical and Environmental Controls
• Data Center Security: Implementing measures to ensure that physical access to data centers,
server rooms and other critical IT infrastructure is restricted and monitored.
• Environmental Controls: Manages environmental factors such as temperature and humidity to
protect IT equipment. This means implementing measures to protect IT equipment from environmental
hazards such as wind, rainfall, temperature and humidity.
Incident Response and Monitoring Controls
• Incident Detection and Reporting: Establishing mechanisms to identify and report security
incidents promptly.
• Incident Response Plan: Having a documented plan outlining the steps to be taken in response to
a security incident.
• Security Incident Monitoring: Monitors for security incidents and alerts, with a documented
incident response plan in place.
• Logging and Auditing: Maintains logs of system activities for audit purposes and reviews them
regularly.
IT Governance Controls
• Policies and Procedures: Measures that establish and enforce IT policies and procedures to guide
IT activities.
• Risk Management: Implementing measures that identify and assess IT-related risks and
implement controls to mitigate them.
Compliance Controls
• Regulatory Compliance: Implementing measures that ensure that IT systems and processes
comply with relevant laws, regulations, and industry standards.
2. IT Application Controls (ITAC)
• IT Application Controls, often simply referred to as application controls, are specific controls within the
IT environment that are designed to ensure the integrity, accuracy, completeness, and confidentiality of
data processed by application systems.
• IT application controls are specific to individual applications and the processes they support, unlike IT
General Controls (ITGC), which are more general and focus on the overall IT environment.
• Application controls play a crucial role in preventing and detecting errors or fraud related to data
processing at the application level.
Two main categories of IT Application Controls (ITAC):

Input Controls:
• Data Validation: Ensures that data entered into the system is accurate, complete, and valid. This may
involve checks for data types, ranges, and formats.
• Field Check: Verifies that the data entered into specific fields conforms to predefined criteria.
• Reasonableness Check: Examines the validity of data based on its relationship to other data within the
application.
• Limit Check: Validates that the values entered fall within predetermined limits.
• Validation Rules: Implements rules to validate the accuracy and integrity of data.
Processing Controls:
• Data Transformation Controls: Ensures that data is transformed accurately during processing, such as
calculations, translations, or other data manipulations.
• Concurrency Controls: Manages simultaneous access to data to prevent conflicts and ensure data
consistency.
• Transaction Controls: Verifies the accuracy and completeness of individual transactions processed by
the application.
• Batch Controls: Ensures the accuracy and completeness of data processed in batch mode.
• Error Handling and Logging: Implements mechanisms to detect and handle errors, with appropriate
logging for review and analysis.
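An added example, not part of the original notes: the input controls (field, limit and reasonableness checks) and two processing controls (batch control totals, error logging) applied to a small batch of payment records. The field names, account-code format, limit and records are assumptions constructed for illustration.

```python
import re
from datetime import date

ACCOUNT_RE = re.compile(r"\d{4}-\d{3}")  # assumed account-code format
MAX_CENTS = 5_000_000                    # assumed per-transaction limit (50,000.00)

def validate(txn):
    """Input controls: return the checks a record fails (empty list = accepted)."""
    errors = []
    account, cents = txn.get("account"), txn.get("amount_cents")
    # Field check: each field has the expected type and format.
    if not (isinstance(account, str) and ACCOUNT_RE.fullmatch(account)):
        errors.append("field_check:account")
    if not isinstance(cents, int) or isinstance(cents, bool):
        return errors + ["field_check:amount_cents"]
    # Limit check: the value falls within predetermined limits.
    if not 0 < cents <= MAX_CENTS:
        errors.append("limit_check:amount_cents")
    # Reasonableness check: a payment cannot be dated before its invoice.
    if txn["paid_on"] < txn["invoiced_on"]:
        errors.append("reasonableness_check:paid_on")
    return errors

def process_batch(records, header_count, header_total_cents):
    """Processing controls: batch totals plus an error log of rejected records."""
    accepted, error_log = [], []
    for index, txn in enumerate(records):
        failed = validate(txn)
        if failed:
            error_log.append((index, failed))
        else:
            accepted.append(txn)
    total = sum(t["amount_cents"] for t in records
                if isinstance(t.get("amount_cents"), int))
    # Batch control: record count and control total must match the batch header.
    batch_ok = len(records) == header_count and total == header_total_cents
    return accepted, error_log, batch_ok

# Constructed sample batch; its header declares 4 records totalling 7,691,075 cents.
BATCH = [
    {"account": "4000-101", "amount_cents": 120050, "invoiced_on": date(2024, 3, 1), "paid_on": date(2024, 3, 15)},
    {"account": "40A0-101", "amount_cents": 30000, "invoiced_on": date(2024, 3, 1), "paid_on": date(2024, 3, 9)},
    {"account": "4000-102", "amount_cents": 7500000, "invoiced_on": date(2024, 3, 4), "paid_on": date(2024, 3, 20)},
    {"account": "4000-103", "amount_cents": 41025, "invoiced_on": date(2024, 3, 10), "paid_on": date(2024, 3, 2)},
]
```

Calling `process_batch(BATCH, 4, 7691075)` accepts only the first record and logs one failed check for each of the other three; dropping a record from the batch makes the count and control total disagree with the header.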

Here is the comparison of ITGC and ITAC:


a. Scope:
• ITGC: Broad in scope, covering the overall IT environment and infrastructure.
• ITAC: Focused on specific applications and the processes they support.
b. Objective:
• ITGC: Ensure the general integrity, confidentiality, and availability of the entire IT environment.
• ITAC: Ensure the accuracy, completeness, and security of data processed by individual
applications.
c. Examples:
• ITGC: Access controls, change management, physical and environmental controls, backup and
recovery procedures, and network security.
• ITAC: Input validation, processing controls, data transformation controls, transaction controls, and
error handling.
d. Applicability:
• ITGC: Relevant to the overall IT infrastructure and affects multiple applications.
• ITAC: Specific to individual applications and their associated processes.
e. Implementation:
• ITGC: Typically managed at an organizational level and are often established and enforced by IT
governance frameworks.
• ITAC: Developed and implemented by application developers and administrators during the design
and configuration of specific applications.
f. Focus:
• ITGC: Focus on the general controls that apply to the entire IT environment.
• ITAC: Focus specifically on controls within individual applications.
g. Customization:
• ITGC: Are generally standardized and apply to various systems and processes.
• ITAC: Are highly customized and tailored to the specific functionalities and processes of individual
applications.
h. Examples:
• ITGC: Network security policies, user access management, and change control procedures.
• ITAC: Input validation checks, transaction controls, and data transformation controls within
accounting software.
i. Independence:
• ITGC: Are often independent of specific applications and can impact multiple systems.
• ITAC: Are inherently tied to the specific application they are designed for.
j. Integration:
• ITGC: Form the foundation on which IT applications operate.
• ITAC: Rely on the presence of effective ITGC for their overall effectiveness.

Key IT Indicators of Effective IT Controls


• IT indicators are simply management tools for assessing the effectiveness of the
Information Technology team's actions vis-à-vis the company's IT infrastructure.
• Employee Response Time: This has to do with the speed of service delivery by employees.
This indicator directly assesses the level of employee commitment to company services.
• First Call Resolution (FCR): FCR is solving a problem on the first call. This KPI measures
the average number of tickets (calls) resolved once the user/customer contacts the support agent.
This IT indicator is important because it contributes to improving end-customer satisfaction and
reducing the average cost of service.
• System Availability: This is a measure of the normal operation of the system whenever the
system services are required by the users or consumers. A log of both successful and unsuccessful
activities of the system is kept over time to establish the system availability in any given period.
• ROI (Return on Investment): ROI calculates how much each amount of money invested is
returning, and it is very important for a clear understanding of IT's benefits for the entire
company.
• Mean Time between Failures and Mean Time to Repair: This indicator measures the time
invested in considering the functioning of the system.
Mean Time between Failures = Uptime - Downtime / Number of failures.
Mean Time to Repair indicates the time the team needs to invest to resolve a failure call.
• Net Promoter Score (NPS): NPS determines how loyal customers are to a brand and how
likely they are to recommend it to others. IT, being a service provider industry, requires a high
NPS. Many businesses utilize Net Promoter Score (NPS) as a metric.
• Support Tickets Closed per Employee: This KPI measures how many support tickets were
closed by each employee on the system. This IT indicator is critical for identifying issues such
as employee performance gaps, ineffective training and lack of call script standards. The
higher the average number of tickets closed, the better the productivity index and deliveries of
each employee.
• Number of Projects with Proven Benefits: This metric is used to establish which projects were
completed in a manner that is consistent with the company's goals and genuinely assist the
organization. Evaluating the number of projects is not enough; it is also important to determine
whether they genuinely assist the organization.
• Quality of Services (QoS): This IT indicator gauges the quality of services. It is a weighted
average of the other key indicators stated so far and it can include an assessment from the user
who made the call. Constantly monitoring the quality of services allows a company to identify flaws
and make suggestions for improvement, resulting in increased team efficiency and better results.
• Service Level Agreement (SLA) Compliance: A Service Level Agreement (SLA) establishes the
quality of service levels. The SLA metric evaluates the number of incidents, proposed
resolutions, and overall effectiveness. The SLA system keeps track of expectations and overall
satisfaction while also recognizing failures and other difficulties. The SLA compliance indicator
determines if the IT resources are being properly utilized, ensuring process improvement.
