ITGC and ITAC
• Termination
– Does proper documentation of the termination exist? (Yes/No; comment)
– Has the user's access been appropriately removed? (Yes/No; comment)
Form a checklist for:
1) Fire hazard, water damage, air conditioning, power supply
2) Access controls
3) Backup procedures
4) Internet usage
5) Anti-virus
6) Passwords
Backup
• Perform Regular Backups
– The principle for regular data backups is to back up data daily.
– The backup may be written to media (e.g., tape or an external hard drive), or
– to a remote location via the cloud (i.e., over the Internet).
– End-of-week and end-of-month backups should be written to different media from the daily backups, so that several independent restore points exist.
• Test Backup Process Reliability
– The IT auditor should still validate what is actually being backed up (which systems, files and databases), not just that the backup job ran.
– Because there is a risk of corruption during the backup process, the IT auditor should ensure that a health check of the backup (e.g., verifying the media or archive checksums) is performed periodically.
• Use Secure Storage
– Use a storage location that is at a safe distance from the entity's premises, so that a single event (fire, flood) cannot destroy both the live data and the backup. Cloud storage provides this geographic separation by default, but the auditor should still confirm that the cloud copy is encrypted, access-controlled and not deletable with the same credentials that administer production.
• Perform Test Restores
– Restore from backup to a test environment at least once a year and compare the restored data with the source; a backup that has never been restored is unproven.
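The validation, periodic health check and test restore described above, as an added worked example (not part of the original notes): it backs up a constructed directory to a tar archive with a manifest of SHA-256 digests, verifies that the archive is unchanged and still lists every file, restores it to a scratch directory and compares every digest with the source, then simulates media corruption to show the health check catching it. The directory contents, the backup label and the function names are assumptions made for the example.

```python
"""Backup health check and test restore (added example, not from the original notes).

The sample directory, file names and backup label are constructed so that the
script runs offline; helper names are assumptions, not a real backup product.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dir: Path, label: str) -> tuple:
    """Write a tar.gz of src plus a JSON manifest recording what was backed up."""
    archive = dest_dir / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    manifest = {"archive_sha256": sha256_file(archive), "files": build_manifest(src)}
    manifest_path = dest_dir / f"{label}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def health_check(archive: Path, manifest_path: Path) -> bool:
    """Periodic health check: archive unchanged since written and still readable."""
    manifest = json.loads(manifest_path.read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            names = {os.path.normpath(m.name) for m in tar.getmembers() if m.isfile()}
    except (tarfile.TarError, OSError):
        return False
    return names == set(manifest["files"])


def _safe_members(tar: tarfile.TarFile, dest: Path):
    """Refuse members that would escape dest (path traversal) or that are links."""
    dest = dest.resolve()
    for m in tar.getmembers():
        target = (dest / m.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"unsafe path in archive: {m.name}")
        if m.issym() or m.islnk():
            raise ValueError(f"link in archive: {m.name}")
        yield m


def trial_restore(archive: Path, manifest_path: Path) -> bool:
    """Restore into a scratch directory and compare every digest with the manifest."""
    manifest = json.loads(manifest_path.read_text())
    # Use the stdlib 'data' extraction filter where this Python version has it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(tmp, members=_safe_members(tar, Path(tmp)), **extra)
        return build_manifest(Path(tmp)) == manifest["files"]


def run_demo() -> dict:
    """Back up a constructed directory, verify it, then corrupt the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "data", Path(tmp) / "backups"
        (src / "ledger").mkdir(parents=True)
        dest.mkdir()
        (src / "accounts.csv").write_text("id,balance\n1,100\n2,250\n")  # constructed
        (src / "ledger" / "2024-01.txt").write_text("opening balance 350\n")
        archive, manifest = create_backup(src, dest, "daily-2024-01-15")
        results = {"files_backed_up": len(json.loads(manifest.read_text())["files"]),
                   "health_ok": health_check(archive, manifest),
                   "restore_ok": trial_restore(archive, manifest)}
        with open(archive, "ab") as f:   # simulate media corruption after the backup
            f.write(b"\x00")
        results["health_after_corruption"] = health_check(archive, manifest)
        return results


if __name__ == "__main__":
    print(run_demo())
```

The digest manifest is what turns "restored correctly" from a judgement into a check the auditor can repeat; a restore that completes but yields different digests is exactly the case the annual test restore exists to find. The restore also refuses archive members with absolute or parent-relative paths and links, because a tampered backup must not be able to write outside the restore directory.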
IT Operations Control
• The roles of IT operations include the following:
– Capacity planning
– Performance monitoring
– Initial program loading (IPL)
– Media management
– Job scheduling
– Help desk and problem management
– Maintenance of both hardware and software
– Network monitoring and administration
Application Control Review
Application controls
• Application controls pertain to specific computer applications. They include controls that help to ensure the proper authorization, completeness, accuracy, and validity of transactions, of maintenance, and of other types of data input. Examples include:
– system edit checks on the format of entered data, to reject invalid input before it is processed;
– system-enforced transaction controls that prevent users from performing transactions that are not part of their normal duties (segregation of duties enforced by the application); and
– detailed reports and control totals used to confirm that all transactions have been posted completely and accurately.
• Application controls include:
– Controls over the input of transactions.
– Controls over processing.
– Controls over output.
– Controls over standing data and master files.
• An application system is a set of interrelated components designed to perform a particular business process or a group of business processes.
• Not every step has to be automated: all the activities of the business process may be carried out on the computer, or the output of a computer system may be used as input to a manual step, whose output is in turn keyed back into a computer system to produce the final result. Each manual hand-off is a point where data is re-entered, and therefore a point where input controls are needed.
Types of application system
• Single-user application
– Runs stand-alone on one machine for one user.
• Multi-user application
– Works in a networked environment.
– Needs file-level and record-level locking so that concurrent users do not overwrite each other's updates.
• Client-server application
– Client and server interact in a request-response way.
• Web-based application
– Thin clients:
• Browser-based solutions where the server is a web server and the clients are browsers.
• A thin client communicates with a central processing server, so little hardware and software is installed on the user's machine; application controls can be enforced centrally on the server.
– Thick clients:
• A system designed to have the application software loaded on the user's PC.
• Processing is done locally on the user's system, and the server is accessed primarily for storage; because validation runs on the client, the server should not rely on the client alone for input control.
Subsystem Factoring
• Boundary control: the controls at the interface between the user and the system that establish who the user is and what the user may access (detailed under the boundary subsystem below).
• Input control: these controls are used mainly to check the integrity of data entered into a business application, whether the data is entered directly by staff, remotely by a business partner, or through a web-enabled application interface. Data input is checked to ensure that it remains within specified parameters.
• Processing control: these controls provide an automated means to ensure that processing is complete, accurate and authorized.
• Output control: these controls address what is done with the data and should compare the output results with the intended result by reconciling the output against the input.
Boundary Subsystem and Controls
• Objectives of the boundary subsystem
– The system is used only by authentic (authenticated) users.
– The user gets authentic resources (the user is connected to the genuine system, not an impostor).
– Users are allowed to employ resources only in restricted ways.
• Access control
– Logon IDs and passwords
– Interrogation system
• Terminal restriction
– Access to the application is restricted to designated terminals.
• Temporal restriction
– Access to the application is restricted on the basis of time, e.g. cash payments in a bank are permitted only during customer hours.
• Usage control
– Access to menu options on a "need to know" basis.
– Based on the user's profile, e.g. librarian versus member.
Audit trail control for boundary system
• Audit trails are the primary source for building a profile of the past behaviour of any system or subsystem.
– Operational audit trail: maintains a record of resource consumption within the system.
– Accounting audit trail: maintains a record of each event within the system (identification, authentication details, resource requested, action privileges, terminal identifier, start and finish time, number of logon attempts, resource provided or denied, etc.).
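The boundary controls listed above and the accounting audit trail that records them, as an added worked example (not from the original notes). It is a small Python model in which every access request passes identification, authentication against a salted password hash, terminal restriction, temporal restriction and usage control by profile, and every outcome, granted or denied, is written to an accounting audit trail carrying the fields the notes list. The librarian/member profiles, terminal IDs, office hours, lockout threshold and sample accounts are constructed assumptions.

```python
"""Boundary subsystem model with an accounting audit trail (added example).

Accounts, profiles, terminals and time windows below are constructed sample
data; the class and method names are assumptions for this illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, time

# Usage control: menu options each profile may use, on a need-to-know basis.
PROFILES = {
    "librarian": {"issue_book", "return_book", "add_member"},
    "member": {"search_catalogue", "view_loans"},
}
# Constructed timestamps used by the demo: inside and outside office hours.
OFFICE_HOURS = datetime(2024, 1, 15, 10, 30)
AFTER_HOURS = datetime(2024, 1, 15, 18, 0)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2, so the stored credential is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    profile: str
    terminals: set      # terminal restriction: where this user may log on
    window: tuple       # temporal restriction: (earliest, latest) time of day
    failed_attempts: int = 0
    locked: bool = False


def make_account(user_id, password, profile, terminals, window) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt), profile,
                   set(terminals), window)


class BoundarySubsystem:
    MAX_ATTEMPTS = 3   # lock the logon ID after this many bad passwords

    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.audit_trail = []   # accounting audit trail: one event per attempt

    def _record(self, user_id, terminal, resource, now, result, attempts=0) -> str:
        self.audit_trail.append({
            "user": user_id, "terminal": terminal, "resource": resource,
            "time": now.isoformat(timespec="minutes"),
            "login_attempts": attempts, "result": result,
        })
        return result

    def request(self, user_id, password, terminal, resource, now: datetime) -> str:
        """Return 'granted' or 'denied:<reason>'; every outcome is logged."""
        acct = self.accounts.get(user_id)
        if acct is None:                                          # identification
            return self._record(user_id, terminal, resource, now, "denied:unknown_user")
        if acct.locked:
            return self._record(user_id, terminal, resource, now, "denied:locked",
                                acct.failed_attempts)
        supplied = hash_password(password, acct.salt)            # authentication
        if not hmac.compare_digest(supplied, acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.MAX_ATTEMPTS:
                acct.locked = True
            return self._record(user_id, terminal, resource, now, "denied:bad_password",
                                acct.failed_attempts)
        acct.failed_attempts = 0
        if terminal not in acct.terminals:                        # terminal restriction
            return self._record(user_id, terminal, resource, now, "denied:terminal")
        if not acct.window[0] <= now.time() <= acct.window[1]:    # temporal restriction
            return self._record(user_id, terminal, resource, now, "denied:time")
        if resource not in PROFILES.get(acct.profile, set()):     # usage control
            return self._record(user_id, terminal, resource, now, "denied:privilege")
        return self._record(user_id, terminal, resource, now, "granted")


def build_demo() -> BoundarySubsystem:
    """Constructed accounts: a librarian bound to T01 in office hours, and a member."""
    return BoundarySubsystem([
        make_account("lib01", "correct horse", "librarian", {"T01"}, (time(9), time(17))),
        make_account("mem42", "member pass", "member", {"T01", "T02"}, (time(8), time(20))),
    ])


if __name__ == "__main__":
    b = build_demo()
    print(b.request("lib01", "correct horse", "T01", "issue_book", OFFICE_HOURS))
    print(b.request("mem42", "member pass", "T02", "issue_book", OFFICE_HOURS))
    for event in b.audit_trail:
        print(event)
```

Denied attempts are logged with the same fields as granted ones, which is what lets an auditor later reconstruct who tried what, from which terminal, at what time and how many times; an audit trail that records only successes cannot support that profile of past behaviour.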
Input Subsystem
• Validation of input
• Field-level input controls
– Sequence check: records must arrive in the expected order with no gaps, e.g. invoice numbers.
– Limit check: a value must not exceed a predetermined amount, e.g. a payment limit.
– Range check: a value must lie between a lower and an upper bound, e.g. product codes, exam marks.
– Set mapping / validity check: a value must be one of a fixed set of permitted values, e.g. gender, marital status.
– Master reference: a code must exist in a master list, e.g. states, either hard-coded or looked up from the database.
– Completeness check: mandatory fields contain data rather than zeros or blanks (no null values).
– Duplicate check: new transactions are matched to those previously input to ensure that they have not already been entered, e.g. the vendor invoice number is compared with previously recorded invoices to ensure that the current invoice is not a duplicate and the vendor is not paid twice.
– Logical relationship check: if one condition is true, then one or more additional conditions or data relationships must also be true for the input to be considered valid.
• File-level input controls: when input comes from other files, or from files produced by another application, the input validation program checks that the correct file is being processed, e.g. by verifying the file's generation or version number and its retention date in the file label before accepting its contents.
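The field-level and file-level checks above, as an added worked example (not from the original notes): a Python validator that applies the sequence, limit, range, set-mapping, master-reference, completeness, duplicate and logical-relationship checks to a constructed batch of vendor invoices, checks the input file's label for the expected generation number and retention date, and reconciles a batch control total as the processing control. The field names, limits, master data and the deliberate defects in the sample batch are constructed assumptions.

```python
"""Input subsystem checks over a constructed invoice batch (added example).

Limits, master data, field names and the sample batch are assumptions made for
this illustration, not values from any real system.
"""
from datetime import date

PAY_LIMIT = 100_000                              # limit check
QUANTITY_RANGE = (1, 999)                        # range check
PAYMENT_MODES = {"NEFT", "CHEQUE", "CASH"}       # set mapping / validity check
MASTER_STATES = {"KA", "MH", "TN"}               # master reference (constructed list)
REQUIRED = ("voucher_no", "invoice_no", "vendor", "amount", "state", "payment_mode")


def field_checks(rec: dict, seen_invoices: set) -> list:
    """Return the field-level failures for one record (empty list = valid)."""
    errors = []
    for f in REQUIRED:                                           # completeness
        if rec.get(f) in (None, "", 0):
            errors.append(f"completeness:{f}")
    if rec.get("amount", 0) > PAY_LIMIT:                         # limit
        errors.append("limit:amount")
    lo, hi = QUANTITY_RANGE                                      # range
    if not lo <= rec.get("quantity", 0) <= hi:
        errors.append("range:quantity")
    if rec.get("payment_mode") not in PAYMENT_MODES:             # set mapping
        errors.append("validity:payment_mode")
    if rec.get("state") not in MASTER_STATES:                    # master reference
        errors.append("master:state")
    if rec.get("invoice_no") in seen_invoices:                   # duplicate
        errors.append("duplicate:invoice_no")
    if rec.get("payment_mode") == "CHEQUE" and not rec.get("cheque_no"):  # logical
        errors.append("logical:cheque_no_required")
    return errors


def file_label_check(label: dict, expected_generation: int, today: date) -> list:
    """File-level control: correct generation of the file and not past retention."""
    errors = []
    if label.get("generation") != expected_generation:
        errors.append(f"generation:expected {expected_generation} got {label.get('generation')}")
    if label.get("retention_date") is None or label["retention_date"] < today:
        errors.append("retention:expired")
    return errors


def validate_batch(batch: dict, previously_recorded: set, last_voucher: int,
                   today: date) -> dict:
    """Run file, field, sequence and batch-total checks; return every finding."""
    findings = {"file": file_label_check(batch["label"], batch["expected_generation"], today),
                "records": {}, "batch": []}
    seen = set(previously_recorded)
    expected_next = last_voucher + 1
    for idx, rec in enumerate(batch["records"]):
        errors = field_checks(rec, seen)
        vno = rec.get("voucher_no")
        if vno != expected_next:                                 # sequence
            errors.append(f"sequence:voucher_no expected {expected_next} got {vno}")
        if isinstance(vno, int):
            expected_next = vno + 1
        seen.add(rec.get("invoice_no"))
        if errors:
            findings["records"][idx] = errors
    total = sum(r.get("amount", 0) for r in batch["records"])   # processing control
    if total != batch["control_total"]:
        findings["batch"].append(f"control_total:expected {batch['control_total']} got {total}")
    if len(batch["records"]) != batch["record_count"]:
        findings["batch"].append("record_count:mismatch")
    return findings


# Constructed sample batch; records 1, 2 and 3 carry deliberate defects.
SAMPLE_BATCH = {
    "label": {"file": "PAYABLES", "generation": 42, "retention_date": date(2030, 1, 1)},
    "expected_generation": 42,
    "record_count": 4,
    "control_total": 155_200,   # true sum is 155_500: keyed wrongly on purpose
    "records": [
        {"voucher_no": 101, "invoice_no": "INV-7001", "vendor": "ACME", "amount": 5_000,
         "quantity": 10, "state": "KA", "payment_mode": "NEFT"},
        {"voucher_no": 102, "invoice_no": "INV-7002", "vendor": "ACME", "amount": 150_000,
         "quantity": 0, "state": "XX", "payment_mode": "CHEQUE"},
        {"voucher_no": 104, "invoice_no": "INV-7001", "vendor": "", "amount": 200,
         "quantity": 5, "state": "MH", "payment_mode": "CASH"},
        {"voucher_no": 105, "invoice_no": "INV-6999", "vendor": "Globex", "amount": 300,
         "quantity": 2, "state": "TN", "payment_mode": "UPI"},
    ],
}
PREVIOUSLY_RECORDED = {"INV-6999"}   # invoices already posted in earlier batches


def run_demo() -> dict:
    return validate_batch(SAMPLE_BATCH, PREVIOUSLY_RECORDED, last_voucher=100,
                          today=date(2024, 1, 15))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The duplicate check is seeded with invoices already posted in earlier batches, not just the current batch, because the double-payment the notes warn about usually arrives in a later batch than the original; and the control total is checked independently of the per-record checks, so a batch whose records are all individually valid can still be rejected if one was dropped or keyed twice.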