How ITGC Are Conducted


HOW ITGC ARE CONDUCTED…

1) ITGC audits are conducted by setting the scope of the audit and determining the reliability required
from each control to complete the tasks at hand. The scope of the ITGC commonly includes access control
to physical facilities, computing infrastructure, applications, and data; security and compliance aspects of
the system development life cycle, change management controls, backup and recovery, and operational
controls over computing systems.

2) Consistency in control audits is essential for ensuring the reliability and effectiveness of internal
controls. By using the same or similar test processes for all control audits, organizations can maintain a
standardized approach and facilitate change management. This consistency also enables auditors to verify
the operating effectiveness of controls and provide sufficient appropriate audit evidence.

3) When an audit reveals defective controls, it is important to prioritize which ones are most
critical to the business operations and remediate them first. This prioritization ensures that the
most significant risks are addressed promptly. The auditor should obtain more persuasive audit evidence
from tests of controls the greater the reliance placed on the effectiveness of a control. Prioritizing
the testing of controls is a best practice, especially in large organizations with numerous documented
controls.

4) Creating a baseline for controls is an essential step in understanding when they are not working as they
should. This baseline helps organizations reduce the need for audits by providing a standard for measuring
control effectiveness. The baseline should include the control objectives, the nature of the control,
and the expected results.

5) Continuously testing controls is crucial for maintaining a proactive approach to cybersecurity and IT
management. By regularly testing controls, organizations can identify potential issues and address them
promptly, reducing the risk of cyberattacks and other operational disruptions. Some key aspects of
continuous controls testing include:

Automated controls testing: Automating the processes used for testing internal controls helps ensure
their reliability and allows for continuous improvement and updating of controls.

Prioritizing testing: Large organizations with numerous documented controls should prioritize testing to
focus on the most critical controls and minimize the risk of operational disruptions.

Documenting and tracking identified problems: When issues are encountered during testing, it is essential
to quickly remediate them and verify the effectiveness of the remediation by rerunning the test program.

Revising control risk assessments: If ineffective controls are identified, the auditor should revise the
control risk assessment and modify the planned substantive procedures as necessary.

By following these best practices, organizations can maintain a consistent approach to controls testing,
ensuring the reliability and effectiveness of their internal controls and minimizing the risk of
operational disruptions.
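The baseline from step 4 and the test, prioritize, remediate and rerun loop from step 5 can be sketched as follows. This is an added example, not part of the original document; the control identifiers, the 90-day threshold and the evidence extract are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class Control:
    control_id: str               # hypothetical identifier
    objective: str                # control objective recorded in the baseline
    nature: str                   # nature of the control, e.g. preventive or detective
    expected: Any                 # expected result recorded in the baseline
    criticality: int              # 1 = most critical, tested and remediated first
    test: Callable[[dict], Any]   # derives the observed result from evidence

BASELINE = [
    Control("BR-01", "Backups can be restored", "detective", True, 3,
            lambda e: e["days_since_restore_test"] <= 90),  # 90 days is assumed
    Control("AC-01", "Leavers have no active accounts", "detective", [], 1,
            lambda e: sorted(e["active_accounts"] & e["leavers"])),
    Control("CM-01", "Production changes are approved", "preventive", [], 2,
            lambda e: [c["id"] for c in e["changes"] if not c["approved_by"]]),
]

def run_tests(baseline, evidence):
    """Apply the same test process to every control, most critical first,
    and return each deviation from the baseline's expected result."""
    findings = []
    for c in sorted(baseline, key=lambda c: c.criticality):
        observed = c.test(evidence)
        if observed != c.expected:
            findings.append({"control": c.control_id, "criticality": c.criticality,
                             "expected": c.expected, "observed": observed})
    return findings

# Constructed evidence extract (not real data).
EVIDENCE = {
    "active_accounts": {"alice", "bob", "carol"},
    "leavers": {"bob"},
    "changes": [{"id": "CHG-1", "approved_by": "dave"},
                {"id": "CHG-2", "approved_by": None}],
    "days_since_restore_test": 30,
}

if __name__ == "__main__":
    for finding in run_tests(BASELINE, EVIDENCE):
        print(finding)
    # Rerun the same program after remediating the most critical finding.
    fixed = {**EVIDENCE, "active_accounts": EVIDENCE["active_accounts"] - {"bob"}}
    print(run_tests(BASELINE, fixed))
```
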
