
ID No. 200338
Student Name: De Vera, Ettore John U.
ITGC Assessment
Lorete Hardware Corporation
[For Calendar / Fiscal Year ending: December 31, 2022]

Risk Arising from Use of IT: LAS-RISK-01. [Lack of or Improper User Access Management] Users may have access privileges beyond those necessary to perform their assigned duties which may create improper segregation of duties
Control Objective(s): A User Access Management (UAM) process is in place whereby the granting or modification of access rights are documented, reviewed and properly approved
Actual IT General Control: Creation, modification and deletion of user accounts are requested through the use of a User Account Request Form which is processed by the System Administrator and requires it to be signed completely by both the requestor and approver.
Assessment of Design: EFFECTIVE
ITGC Testing Worksteps: Obtain the UARF of new users in SAP B1 and check for a.) check approval; b.) proper access rights granting
Result: Found no exceptions
Assessment of Operating Effectiveness: Effective

Risk Arising from Use of IT: LAS-RISK-01. [Lack of or Improper User Access Management] Users may have access privileges beyond those necessary to perform their assigned duties which may create improper segregation of duties
Control Objective(s): Access rights are granted based on the principle of least privilege
Actual IT General Control: The access rights are granted by the System Administrator in accordance with the function of the employee.
Assessment of Design: Effective
ITGC Testing Worksteps: Obtain the UARF sample of new users in SAP B1 and check for a.) check approval; b.) proper access rights granting
Result: Found no exceptions
Assessment of Operating Effectiveness: Effective

Risk Arising from Use of IT: LAS-RISK-01. [Lack of or Improper User Access Management] Users may have access privileges beyond those necessary to perform their assigned duties which may create improper segregation of duties.
Control Objective(s): Access for terminated or transferred users is removed or modified in a timely manner
Actual IT General Control: Per company policy, user accounts of separated employees are deleted from the system within 3 working days from the employee’s last day at work
Assessment of Design: EFFECTIVE
ITGC Testing Worksteps: Obtain list of all users in SAP B1 and check if the accounts of the resigned employees still exist
Result: No exceptions
Assessment of Operating Effectiveness: EFFECTIVE
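
The reconciliation behind the workstep above (user list checked against separated employees, with the 3-working-day deletion rule), shown as an added example that is not part of the original worksheet. The field names, the sample accounts and the Monday-to-Friday working week without a holiday calendar are assumptions.

```python
from datetime import date, timedelta

GRACE_WORKING_DAYS = 3  # from the control: deletion within 3 working days


def add_working_days(start, days):
    """Return the date `days` working days after `start` (Mon-Fri, no holidays: assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0-4 are Monday to Friday
            days -= 1
    return current


def find_exceptions(active_users, separations, as_of):
    """Flag separated employees whose account still exists after the deletion deadline."""
    # User IDs are compared case-insensitively so "MSANTOS" matches "msantos".
    active = {u.strip().lower() for u in active_users}
    exceptions = []
    for emp in separations:
        deadline = add_working_days(emp["last_day"], GRACE_WORKING_DAYS)
        still_exists = emp["user_id"].strip().lower() in active
        if still_exists and as_of > deadline:
            exceptions.append({
                "user_id": emp["user_id"],
                "deadline": deadline,
                "days_overdue": (as_of - deadline).days,  # calendar days
            })
    return exceptions


# Constructed sample data (hypothetical accounts, not taken from the worksheet).
ACTIVE_USERS = ["jcruz", "MSANTOS", "rreyes", "manager"]
SEPARATIONS = [
    {"user_id": "msantos", "last_day": date(2022, 11, 30)},  # still active, past deadline
    {"user_id": "rreyes", "last_day": date(2022, 12, 29)},   # still active, within grace period
    {"user_id": "atan", "last_day": date(2022, 10, 14)},     # account already deleted
]
AS_OF = date(2022, 12, 31)  # date the user list was extracted

if __name__ == "__main__":
    for exc in find_exceptions(ACTIVE_USERS, SEPARATIONS, AS_OF):
        print(f"{exc['user_id']}: due {exc['deadline']}, {exc['days_overdue']} days overdue")
```

An account that still exists but is inside the grace period on the extraction date is not an exception; it should be re-checked after its deadline.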

Risk Arising from Use of IT: LAS-RISK-01. [Lack of or Improper User Access Management] Users may have access privileges beyond those necessary to perform their assigned duties which may create improper segregation of duties.
Control Objective(s): Super-user accounts are limited and properly restricted
Actual IT General Control: The system administrator is the only privileged user in the production environment. The programmer on the other hand is a super user in the DEV and QAS environment
Assessment of Design: Effective
ITGC Testing Worksteps: Obtain list of all users with corresponding access and scan for privileged access rights.
Result: No exceptions
Assessment of Operating Effectiveness: Effective

Risk Arising from Use of IT: LAS-RISK-02. [Risk of Direct Database Access] Inappropriate changes may be made directly to financial data through a direct database access
Control Objective(s): Access to database tables is limited to authorized personnel, based on their job responsibilities and assigned role, and such access is approved by Management
Actual IT General Control: Direct database access is limited to the DB Administrator.
Assessment of Design: EFFECTIVE
ITGC Testing Worksteps: Obtain list of users and check for incompatible access rights.
Result: 1 exception found.
Assessment of Operating Effectiveness: Effective

Risk Arising from Use of IT: LAS-RISK-03. [Risk of Improper or Weak Authentication Mechanisms] Systems may not be adequately configured to prevent unauthorized access.
Control Objective(s): Access is authenticated through unique user IDs and passwords or other methods.
Actual IT General Control: Users log on to the system using a combination of username and password
Assessment of Design: Effective
ITGC Testing Worksteps: Use a single sample for logon using account credentials
Result: No exceptions
Assessment of Operating Effectiveness: Effective

Risk Arising from Use of IT: LAS-RISK-03. [Risk of Improper or Weak Authentication Mechanisms] Systems may not be adequately configured to prevent unauthorized access.
Control Objective(s): Password parameters meet company or industry standards (e.g., password minimum length, complexity, expiration, account lockout)
Assessment of Design: Effective
ITGC Testing Worksteps: Obtain evidence by generating password parameters from the system.
Result: No exceptions.
Assessment of Operating Effectiveness: Effective
Actual IT General Control: Password parameters enforced are as follows:
1. Min. number of characters: 10
2. With letters: Mandatory
3. Combination of upper case and lower case: Mandatory
4. With numbers: Mandatory
5. With special characters: Mandatory
6. Expiration: 90 days
7. Lock out: 10 attempts
8. With OTP to
