Table of Contents

ITGCs System Change Risks

Examples of Control Goals around System Change

Examples of ITGC controls

Information Technology (IT), now ingrained in all business functions, is replacing outdated and cumbersome analog processes. Large-scale IT infrastructure has produced significant cost savings and improved operational efficiency, and IT applications have encouraged innovation and helped to create competitive advantages.

IT has ushered in what is called the “Information Age”, in which all organizations must adopt IT to remain competitive. Although IT has many advantages, it has also brought new, complex risks, with significant implications for audit professionals. Three areas present new IT-related risks: security, regulatory compliance, and governance. Information Technology General Controls (ITGCs) can help mitigate these risks. ITGCs are critical in ensuring that processes function as intended; their non-financial targets include the confidentiality, integrity, availability, effectiveness, and efficiency of processes (Amasaki, 2015). With sound ITGCs, users can have confidence in their IT systems, auditors can verify the quality of the controls, and investors can be confident that the resulting information is accurate (Miron, 2008). Effective ITGCs reduce regulatory issues, so the organization can achieve its business goals (GTAG 1). Ineffective ITGCs have the reverse effect: the organization does not achieve its goals and does not work towards its long-term vision and mission. ITGCs are closely linked to the organization’s business, because IT is integrated into every function and process and IT risks are therefore present in each of them.

ITGCs can help reduce or eliminate risks in these processes, which directly affects their output and thus the performance of the organization. ITGCs may also be a key part of Sarbanes-Oxley (SOX) audits: Section 404 requires that IT-related risks be considered as part of the overall evaluation of internal controls over financial reporting (Protiviti, 2012). ITGCs need to create an environment that protects data integrity, and controls that stop data from being compromised by malicious or unauthorized users are a key component of this.

ITGCs: Risks Associated with System Change

Systems must adapt to business needs. A “patch”, or smaller change, is sometimes necessary to address minor system issues. To ensure that changes are successful, it is important to manage the risks associated with making them. Without a structured process for managing change, a lot of things can go wrong (Miron, 2008). Just as a solid project management approach improves project quality and speeds up delivery, a structured change management process helps to keep the organization in control and increases success rates.

This process is essential to avoid increased downtime and rising costs. Miron (2008) also warns of the danger of not testing changes before implementation. Poor integration can result if integration testing is not done properly or is done in the wrong environment, and if user acceptance testing is not part of the testing phase, the changes may be poorly accepted by users. These issues can be mitigated by testing.

System changes are also a risk if they are not properly logged or authorized (GTAG 2). IT personnel are often unable to manage the change process properly, which can give rise to both of these risks. Changes must reflect the system’s overall philosophy and purpose. Unauthorized changes can result in lower quality deliverables because they have not been approved and verified by the formal processes that authorize changes. Poor logging of changes leads to problems in auditing changes, training new personnel, and making further changes. A reference record is essential for any change, and not having one does not bode well. These risks can lead to the change not going as planned, or create uncertainty, so it is important to minimize risk during system changes.

It is also important to pay attention to how duties are segregated during system changes, because this establishes accountability (GTAG 2). Complex system changes require coordination and communication, which segregation of duties facilitates: it provides clear reporting lines and supervisory responsibilities and defines domains of accountability. This reduces fraud and helps prevent errors, and supervisors rectify mistakes and make sure that procedures and policy are being followed. Separating the personnel responsible for designing changes from those who test them is one example of segregation of duties, and GTAG 2 uses it to illustrate the principle: a design team may be reluctant to report inadequacies in its own work, which is a conflict of interest.

Effective ITGCs can help to reduce all of the risks above. They should also be continuously improved.

Examples of Control Objectives in Relation to System Change

A system that prevents unauthorized changes can reduce service disruptions. For system change control to work in an organization, management must establish and maintain a culture of managing change within the company. This could require that changes to services or products be approved before they can be implemented, which reduces the likelihood of anyone unauthorized making changes to critical IT systems. To avoid disruptions of service, ensure that the right policies and procedures for testing are in place. System change can also be made easier by ensuring that regular system backups are taken.

A company must be able to revert to an earlier working version in case of a production problem. A system that logs and tracks all changes to the system is another critical control: it allows an organization to trace back and pinpoint the root causes of any errors found in the system. Management must ensure that all control objectives are enforced and followed by the entire organization in order to achieve them. GTAG 2 states that a centralized approach to decision making is vital, and that departments must communicate with each other so as not to create silos.

Examples of ITGC Controls

ITGCs cover operating systems, applications and the supporting IT infrastructure (Li et al. 180). These controls fall into one of two groupings. The first is by nature of implementation: controls can be classified as manual, automated, or partially automated (Mirza et al. 46). The second is by nature of use: controls are preventive, detective, or corrective. Preventive controls, as their name suggests, are meant to stop errors and irregularities from occurring; they are proactive (Mirza et al. 46). Segregation of duties, in which different persons carry out different tasks to reduce the possibility of mistakes and other inappropriate actions, is an example of one of these controls (Li et al. 182); accounting, approval and custody are among the responsibilities that are shared. A security plan is also in place to protect assets where access to cash, inventory, and equipment is restricted. Assets are periodically inspected in order to find out whether there has been an error (Mirza et al. 46). Detective controls find and correct errors or irregularities after they have occurred. They include reconciliation, in which employees compare different data sets, search for errors, and make corrections as necessary, and auditing to find mistakes and review performance (Mirza et al. 46). Corrective controls help to minimize the damage from an error once it has happened (Mirza et al. 46); they include correcting the problem and putting the right processes in place, and insurance programs, which compensate losses and return the insured to their prior financial position (Li et al. 197).

Control Tests Performed

An incident is any unplanned disruption of, or degradation to, a service.

Many of these incidents are caused by changes. Typical causes are poor documentation, failure to follow work instructions, human error, and insufficient change windows. Following the appropriate change protocols provides reasonable assurance against them.

Reasonable assurance is added by testing a change in an environment separate from production. These tests are a good way to identify any potential problems with a change. Peer review should take place after the tests have passed. The change management group then reviews the change and seeks approvals. It is important to obtain approval from the owners of any services or products that may be affected by the change.

After all tests have been completed and approvals obtained, pre- and post-checks are conducted during a dry run to verify that services are operating as planned before the change is implemented. A robust and well-written rollback procedure should be in effect in case the change causes service disruptions or fails. Governance, development and operations all review any change that fails, and problem management helps to identify the root causes of the failure. Development then rewrites the change, which goes through the change management process again. With these steps in place, a change can be tested and then implemented according to plan.
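The controls described above (segregation of duties between the designer and the tester of a change, testing outside production, user acceptance sign-off, approval by affected service owners, a documented rollback procedure, and a log of every change decision) can be enforced mechanically at the point where a change is released. The following is an added example, not code from the original article or from any of the cited sources; the `ChangeRequest` fields, the environment names and the two sample requests are constructed for illustration.

```python
"""Change-control gate: evaluates a change request against the ITGC controls
discussed in the text and records the decision in an audit log.
All field names, environment names and sample requests are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Environments in which testing is acceptable; "production" is deliberately absent.
NON_PRODUCTION_ENVS = {"dev", "test", "staging", "uat"}


@dataclass
class ChangeRequest:
    change_id: str
    designer: str                     # person who built the change
    tester: str                       # person who tested it (must differ from designer)
    test_environment: str             # where integration testing was run
    tests_passed: bool
    uat_signed_off: bool              # user acceptance testing completed
    approvers: list[str]              # people who approved the change
    affected_service_owners: list[str]
    rollback_plan: str                # documented procedure to revert the change
    emergency: bool = False


def evaluate_change(req: ChangeRequest) -> list[str]:
    """Return the list of control violations; an empty list means the change may proceed."""
    violations = []
    # Segregation of duties: the designer may neither test nor approve their own work.
    if req.designer == req.tester:
        violations.append("segregation of duties: designer also acted as tester")
    if req.designer in req.approvers:
        violations.append("segregation of duties: designer approved own change")
    # Testing must happen in a non-production environment and must have passed.
    if req.test_environment.lower() not in NON_PRODUCTION_ENVS:
        violations.append(f"testing must occur outside production (got {req.test_environment!r})")
    if not req.tests_passed:
        violations.append("integration tests did not pass")
    if not req.uat_signed_off:
        violations.append("user acceptance testing not signed off")
    # Every owner of an affected service must be among the approvers.
    missing = [o for o in req.affected_service_owners if o not in req.approvers]
    if missing:
        violations.append("missing approval from service owner(s): " + ", ".join(missing))
    # A rollback procedure must be documented before implementation.
    if not req.rollback_plan.strip():
        violations.append("no rollback procedure documented")
    return violations


def log_decision(audit_log: list[dict], req: ChangeRequest, violations: list[str]) -> dict:
    """Append an immutable-style record of the gate decision to the audit log."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "change_id": req.change_id,
        "designer": req.designer,
        "tester": req.tester,
        "approvers": list(req.approvers),
        "decision": "approved" if not violations else "rejected",
        "violations": list(violations),
    }
    audit_log.append(entry)
    return entry


def run_gate(requests: list[ChangeRequest], audit_log: list[dict]) -> dict[str, str]:
    """Evaluate each request, log the decision, and map change_id -> decision."""
    return {r.change_id: log_decision(audit_log, r, evaluate_change(r))["decision"] for r in requests}


# Constructed sample requests: one that satisfies every control, one that breaks most of them.
SAMPLE_GOOD = ChangeRequest(
    change_id="CHG-0001", designer="alice", tester="bob", test_environment="staging",
    tests_passed=True, uat_signed_off=True, approvers=["carol", "dave"],
    affected_service_owners=["carol"], rollback_plan="Redeploy previous release tag; restore DB snapshot.",
)
SAMPLE_BAD = ChangeRequest(
    change_id="CHG-0002", designer="alice", tester="alice", test_environment="production",
    tests_passed=True, uat_signed_off=False, approvers=["alice"],
    affected_service_owners=["carol"], rollback_plan="",
)

if __name__ == "__main__":
    log: list[dict] = []
    for change_id, decision in run_gate([SAMPLE_GOOD, SAMPLE_BAD], log).items():
        print(change_id, decision)
    for entry in log:
        for v in entry["violations"]:
            print(f"  {entry['change_id']}: {v}")
```

The gate is deliberately a pure function over the request record, so an auditor can re-run it over the historical audit log to confirm that every approved change actually satisfied the controls at the time, which is the kind of evidence a SOX Section 404 review of change management asks for.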

Author

  • evelynnrobertson

    Evelynn Robertson is a 27-year-old blogger and volunteer. She is also a student. Evelynn is originally from the United States but is currently living in the United Kingdom. She is a graduate of the University of Alabama. Evelynn is passionate about education and is always looking for new ways to help others learn. She is also a big fan of travel and enjoys exploring new places.