ken-co

A Boutique Governance, Risk, and Technology Consulting Firm
Digitization | Analytics | Risk  | GRC | SOX | ISO | SOC | Forensic Audit | Privacy Law


Auditing Automated Environment – Auditing IT General Controls

Introduction

In my last article, we covered the basics of auditing an automated environment and the difference between IT General Controls and IT Application Controls. As discussed there, IT General Controls (ITGC) are controls that apply to all systems, components, processes, and data in a given organization or information technology (IT) environment. ITGCs aim to ensure the proper development and implementation of applications, the integrity of programs, data files, and computer operations, and that access is restricted to only those who need it.

In this article, we shall discuss the different ITGCs and their objectives:

a. User Access Management

In the digital world, it is important to ensure that access to IT resources and applications is restricted to appropriate and authorized personnel, and that segregation of duties is in place. User Access Management controls provide reasonable assurance that access management procedures are documented, approved, and adhered to. They ensure that access to IT systems is granted based on job requirements and on a need-to-know basis, that access privileges are reviewed periodically, and that access creation and termination are carried out only after appropriate approvals have been obtained.

The typical areas of review include access provisioning, periodic access review, privileged access review, and joiner-mover-leaver (JML) access changes.
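The tests an auditor actually runs for this area are reconciliations: the application's user export against the HR roster (leavers still enabled, logins after the exit date, accounts with no HR owner), an idle-time check for dormant accounts, and a segregation-of-duties check against a list of entitlement pairs that must not be combined. The following is an added example written for this article, not the author's or firm's own tooling; the user export, HR roster, field names, 90-day dormancy threshold and SoD rule are all constructed for illustration and will differ in a real engagement.

```python
"""User access review reconciliation (added example, not the article's own code).

Tests an ITGC auditor typically performs on an application's user export:
leavers still enabled, logins after the HR termination date, accounts with
no HR owner, dormant accounts, and segregation-of-duties (SoD) conflicts.
Data and field names are constructed for this example; real exports differ.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2024, 5, 31)   # as-of date of the review period (assumed)
DORMANT_DAYS = 90                 # idle threshold from the assumed access policy

# Constructed application user export (assumed column layout).
APP_USERS = [
    {"user_id": "alice", "enabled": True, "last_login": date(2024, 5, 20),
     "entitlements": {"vendor_master_edit"}},
    {"user_id": "bob", "enabled": True, "last_login": date(2024, 5, 18),
     "entitlements": {"vendor_master_edit", "payment_release"}},
    {"user_id": "carol", "enabled": True, "last_login": date(2024, 1, 3),
     "entitlements": {"report_view"}},
    {"user_id": "dave", "enabled": True, "last_login": date(2024, 5, 1),
     "entitlements": {"payment_release"}},
    {"user_id": "svc_batch", "enabled": True, "last_login": None,
     "entitlements": {"job_scheduler"}},
]

# Constructed HR roster (assumed layout); dave left on 2024-04-15.
HR_ROSTER = {
    "alice": {"status": "active", "termination_date": None},
    "bob": {"status": "active", "termination_date": None},
    "carol": {"status": "active", "termination_date": None},
    "dave": {"status": "terminated", "termination_date": date(2024, 4, 15)},
}

# Entitlement pairs one person must not hold together (assumed SoD rule set).
SOD_RULES = [("vendor_master_edit", "payment_release")]


def leavers_still_enabled(users, roster):
    """Leaver test: HR says terminated but the account is still enabled."""
    return sorted(u["user_id"] for u in users
                  if u["enabled"]
                  and roster.get(u["user_id"], {}).get("status") == "terminated")


def logins_after_termination(users, roster):
    """Stronger leaver test: the account was actually used after the exit date."""
    hits = []
    for u in users:
        term = roster.get(u["user_id"], {}).get("termination_date")
        if term and u["last_login"] and u["last_login"] > term:
            hits.append(u["user_id"])
    return sorted(hits)


def accounts_without_hr_record(users, roster):
    """Accounts with no HR owner: service accounts or unknown users to be justified."""
    return sorted(u["user_id"] for u in users if u["user_id"] not in roster)


def dormant_accounts(users, as_of=REVIEW_DATE, max_idle_days=DORMANT_DAYS):
    """Enabled accounts not used within the idle threshold (never-used ones excluded)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u["user_id"] for u in users
                  if u["enabled"] and u["last_login"] is not None
                  and u["last_login"] < cutoff)


def sod_conflicts(users, rules=SOD_RULES):
    """Users holding both halves of a conflicting entitlement pair."""
    return sorted((u["user_id"], a, b) for u in users for a, b in rules
                  if {a, b} <= u["entitlements"])


def access_review(users=APP_USERS, roster=HR_ROSTER, rules=SOD_RULES, as_of=REVIEW_DATE):
    """Run all tests; each non-empty list is an exception for the auditor to follow up."""
    return {
        "leavers_still_enabled": leavers_still_enabled(users, roster),
        "logins_after_termination": logins_after_termination(users, roster),
        "no_hr_record": accounts_without_hr_record(users, roster),
        "dormant": dormant_accounts(users, as_of),
        "sod_conflicts": sod_conflicts(users, rules),
    }


if __name__ == "__main__":
    for test, exceptions in access_review().items():
        print(f"{test}: {exceptions or 'no exceptions'}")
```

Each non-empty list is an exception to be traced back to an approved ticket or a documented justification; a login after the termination date is the strongest finding, because it shows the leaver process failed in a way that was actually exploited, not just left open. Never-used accounts are deliberately kept out of the dormancy test and surface instead through the HR reconciliation, so that service accounts are reviewed for ownership rather than silently disabled.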

b. Change Management

All applications and IT infrastructure require periodic changes and updates, whether to meet new business requirements or to fix bugs and technical vulnerabilities. The focus of change management controls is to provide reasonable assurance that changes to IT systems are authorized and implemented only after following documented change management procedures. They ensure that the appropriate authority approves each change, so that unauthorized changes to the system are prevented.

The areas of review include who has access to make direct changes in production and the process for doing so, emergency changes and their approval sequence, user acceptance testing, etc.

c. System / Program Development

This could be treated as a sub-set of Change Management, where specific programs or new features are developed. It can also be treated as an independent check when new systems are developed, to confirm that a thorough system development life cycle has been followed. This control ensures that new systems and programs, whether under development or already implemented, are properly authorized, evaluated, approved, implemented, and documented.

The areas of review include program development life cycle, Secure SDLC, data migration etc.

d. Patch Management

Patches are fixes released by the product vendor / Original Equipment Manufacturer (OEM). These controls ensure that patch management procedures are documented, approved and adhered to. They also ensure that all systems are updated with the latest patches, and that the previous version is retained in case a rollback is needed.

The areas of review include OS patches, network and application patches, and the process in place to review and apply them.


e. Physical & Environmental Control

These controls ensure that physical IT assets, and the information stored on them, are physically secured and safeguarded. They provide reasonable assurance that physical access to computers and other resources is restricted to authorized and appropriate personnel, and that data and applications are protected against environmental threats.

The areas of review include physical security and the response to environmental risks such as fire, earthquake, etc.

f. Security Policy

These are controls that operate across the organization and are pervasive throughout the enterprise. They provide reasonable assurance that security policies and procedures are documented and approved by authorized personnel. The policies are also reviewed on a regular basis to ensure their continued relevance and applicability to the organization in the light of ongoing developments. These policies provide stability and form a base for all departments / users to adhere to.

The areas of review include the implementation of, and user awareness of, each of these policies, such as the password policy, access control policy, IT asset policy, etc.

g. Incident Management

Incidents are issues, bugs, attacks, or breaches that the organization has faced. It is essential that a process for handling them is developed and tracked, which gives management visibility from the top. Each incident is tracked to closure and its root cause identified. Further, lessons learnt and areas of improvement are defined to prevent recurrence. These controls provide reasonable assurance that reported IT incidents and related problems are analyzed and resolved, and that a Root Cause Analysis (RCA) has been documented.

The areas of review include reporting process and responses to the incident.

h. Backup Management

Backing up data is a very important requirement from a business resilience perspective. These controls provide reasonable assurance that procedures for data backup, restoration and disposal are documented, approved and adhered to. They ensure that backups are taken at regular intervals during off-peak hours, and that logs of both successful and unsuccessful backups are maintained.

The areas of review include the type of backup, the frequency and restoration drills.
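The evidence for this area is the backup job log itself, and the audit tests are mechanical: was a run attempted every scheduled day, which runs failed, did runs stay inside the agreed off-peak window, and when was the last successful restoration drill. The following is an added example written for this article, not the author's or firm's own tooling; the log format, job name, off-peak window, audit period and 90-day restore-drill limit are all constructed assumptions, and a real backup product's log will look different.

```python
"""Backup log checks (added example, not the article's own code).

Over a constructed log excerpt it tests what a backup-management audit
usually evidences: every scheduled run logged (gaps), failed runs, runs
outside the agreed off-peak window, and a recent successful restore drill.
The line format, job name, window and thresholds are assumptions.
"""
import re
from datetime import date, datetime, time, timedelta

# Constructed log excerpt for one nightly job: one failure (May 2), one night
# with no run logged at all (May 3), one run outside the window (May 5),
# and one successful restore drill (May 5).
BACKUP_LOG = """\
2024-05-01 01:05:12 job=db_nightly event=backup status=SUCCESS bytes=13000000000
2024-05-02 01:04:50 job=db_nightly event=backup status=FAILED error=disk_full
2024-05-04 01:06:01 job=db_nightly event=backup status=SUCCESS bytes=13100000000
2024-05-05 09:30:07 job=db_nightly event=backup status=SUCCESS bytes=13200000000
2024-05-05 14:00:00 job=db_nightly event=restore_test status=SUCCESS
2024-05-06 01:05:33 job=db_nightly event=backup status=SUCCESS bytes=13200000000
"""

PERIOD_START = date(2024, 5, 1)      # audit period (assumed)
PERIOD_END = date(2024, 5, 6)
OFF_PEAK = (time(0, 0), time(5, 0))  # agreed backup window (assumed)
RESTORE_DRILL_MAX_AGE = 90           # days between restore drills (assumed policy)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Parse 'timestamp key=value ...' lines; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        fields["ts"] = datetime.strptime(m.group(1), FMT)
        entries.append(fields)
    return entries


def backups(entries):
    return [e for e in entries if e.get("event") == "backup"]


def failed_runs(entries):
    return [e["ts"] for e in backups(entries) if e.get("status") != "SUCCESS"]


def missing_days(entries, start, end):
    """Calendar days in [start, end] with no backup attempt logged at all.
    A failed attempt still counts as attempted: it is a failure, not a gap."""
    seen = {e["ts"].date() for e in backups(entries)}
    missing, d = [], start
    while d <= end:
        if d not in seen:
            missing.append(d)
        d += timedelta(days=1)
    return missing


def outside_window(entries, window=OFF_PEAK):
    lo, hi = window
    return [e["ts"] for e in backups(entries) if not (lo <= e["ts"].time() <= hi)]


def last_restore_test(entries):
    tests = [e["ts"] for e in entries
             if e.get("event") == "restore_test" and e.get("status") == "SUCCESS"]
    return max(tests) if tests else None


def audit_backup_log(text=BACKUP_LOG, start=PERIOD_START, end=PERIOD_END):
    """Summarise exceptions as strings so the report is easy to read or diff."""
    entries = parse_log(text)
    last_test = last_restore_test(entries)
    as_of = datetime.combine(end, time(23, 59, 59))
    return {
        "failed_runs": [t.strftime(FMT) for t in failed_runs(entries)],
        "missing_days": [d.isoformat() for d in missing_days(entries, start, end)],
        "outside_window": [t.strftime(FMT) for t in outside_window(entries)],
        "last_restore_test": last_test.strftime(FMT) if last_test else None,
        "restore_drill_overdue": (last_test is None
                                  or (as_of - last_test).days > RESTORE_DRILL_MAX_AGE),
    }


if __name__ == "__main__":
    for check, result in audit_backup_log().items():
        print(f"{check}: {result}")
```

A day with a logged failure and a day with no log entry at all are reported separately on purpose: the first shows the control detected the problem (the question is then whether anyone acted on it), while the second means either the job never ran or the log is incomplete, which undermines the log as audit evidence. The restore-drill check is there because a backup that has never been restored is untested; the existence of backup files alone does not evidence recoverability.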

i. Off-Site / External Storage

Often, data is stored at external locations. This includes storing backups at external sites, or even storing primary data in the cloud or at other co-hosted data centers. These controls ensure that procedures are in place at the offsite / external storage, including physical and environmental controls there. Where tape backups are kept at an offsite facility, there is also a need to track their movement, along with the other access restrictions. It should also be ensured that the backup is encrypted and safeguarded, since unauthorized access to it could reveal confidential information.

The areas of review include the processes and procedures in place for storing data at the offsite location, and the controls in place at the off-site facility / cloud service provider, including physical and environmental controls.


j. Disaster Recovery and Business Continuity Plan (BCP)

There is a need to demonstrate and periodically test business resiliency, and Disaster Recovery and BCP controls ensure that this is done. These controls ensure that systems and processes are in place so that business disruption is kept to a minimum despite a disaster or high-risk incident.

The areas of review include business impact analysis, testing of the BC and DR plans, evacuation / fire drills, etc.

Concluding Thoughts

The importance of ITGCs as a baseline control is increasing by the day, to ensure the completeness, integrity and availability of IT systems and data. The audit of these controls provides assurance to the organization, as well as to external stakeholders, that IT systems process data appropriately and accurately, and that the output of the systems can be trusted.

Author

The author, CA Narasimhan Elangovan, is a practising Chartered Accountant and a partner at KEN & Co. He is a GRC professional, a digital transformation catalyst and an author. He believes in the power of technology to solve everyday problems. He can be reached at narasimhan@ken-co.in
