Chapter 10
IT General Controls Audit
Overview
In this chapter, we will take a different approach in terms of presentation. We will use
questions that you would normally find in an IT general controls audit questionnaire. Each
question is followed by an answer that focuses on helping you develop evidence-gathering
skills, which are critical for an IS auditor to perform successful IS audits. It has been
observed that many IS auditors do not pay much attention to the evidence-gathering process,
so that when it comes to analysing the evidence collected during an audit, they find it
difficult to report findings and conclusions which are well supported by evidence.
To make it easy to review the various types of evidence which can be collected during
an ITGC audit, the questions have been grouped into five sections. In each of the five
sections, we will review five or more questions, starting with IT governance. It is normally
easy to use a questionnaire to collect evidence during an audit. An IS auditor can use
questionnaires to conduct interviews with management. Preparing a set of questions in advance
is good practice, as it will guide the auditor and help to cover all the necessary areas
during an interview.
The IT general controls (ITGC) audit is performed in order to assess the level and
effectiveness of controls existing in the IT environment. This is a high-level audit designed
to give management a general understanding of the level and effectiveness of IT controls in
the enterprise. The ITGC audit is usually the first audit conducted, before other detailed
investigations are performed. Where controls are determined to be appropriate, the IS audit
team can recommend that further specialised audits be conducted. If the lack of controls is
determined to be significant and material, the IS audit team may recommend that controls be
improved before further investigations are done. A typical example would be a finding that
all users are in the administrator group on an enterprise application system. This means that
all the users have the same access rights and can perform any function, such as reconfiguring
the system, posting and reversing transactions, and making changes to data. This is definitely
a material weakness, and access controls need to be enhanced if the system is to be relied upon.
The ITGC audit can also be conducted as an independent audit to assess IT controls and the
security of data and IT systems. An ITGC audit gives management a general overview of IT
controls and an assurance that data and IT systems are protected.