Minor Project Report on "General IT Control - RCM"


MINOR PROJECT REPORT

ON
“GENERAL IT CONTROL - RCM”

Submitted To

National Forensic Sciences University

MASTER OF SCIENCE
In
CYBER SECURITY
Submitted By
Sejal Umesh Sawratkar
(032300300008002025)

Under the Supervision of


Dr. Raj Jaiswal

National Forensic Sciences University,


Goa Campus, Ponda, Goa - 403401.
July, 2024
DECLARATION

I, Sejal Umesh Sawratkar, certify that - General IT Control - RCM

a. The work contained in the dissertation is original and has been done by
myself under the supervision of Dr. Raj Jaiswal.

b. The work has not been submitted to any other Institute for any degree or
diploma.

c. I have conformed to the norms and guidelines given in the Ethical Code of
Conduct of the Institute.

d. Whenever I have used materials (data, theoretical analysis, and text) from
other sources, I have given due credit to them by citing them in the text of the
dissertation and giving their details in the references.

e. Whenever I have quoted written materials from other sources, due credit
is given to the sources by citing them.

f. From the plagiarism test, it is found that the similarity index of the whole
dissertation is 15% and of a single paper is less than 10%, as per the university
guidelines.

Date: 24th July ‘24


Place: Goa

Sejal Umesh Sawratkar


Enrollment No.: 032300300008002025

CERTIFICATE

This is to certify that the work contained in the dissertation entitled
“General IT Control - RCM”, submitted by Sejal Umesh Sawratkar
(Enrollment No.: 032300300008002025) for the award of the degree of Master
of Science in Cyber Security to the National Forensic Sciences University,
Goa Campus, is a record of bonafide research work carried out by him under
Dr. Raj Jaiswal’s direct supervision and guidance.
Date: 24th July’24
Place: Goa

Dr. Raj Jaiswal


Lecture,
National Forensic Sciences University,
Goa Campus, Ponda, Goa, India.

ACKNOWLEDGEMENTS

I would like to take this opportunity to convey my heartfelt thanks to all those
who have helped me make this project a success.
Special thanks to Dr. Raj Jaiswal for his valuable guidance during the course of
the project.
Finally, I thank my family members and friends who have helped me complete
this project successfully.
Last but not least, I would be thankful to the university for giving me an
opportunity.
With Sincere Regards,

Sejal Umesh Sawratkar


Msc. Cyber Security
National Forensic Sciences University,
Goa Campus, Ponda, Goa, India

ABSTRACT

Fabtech Technologies Private Limited's General IT Controls are thoroughly
examined in this project report, which places special emphasis on the Risk
Control Matrix (RCM). By outlining vital processes, related risks, and
controls to reduce these risks, the RCM is an essential tool for identifying,
evaluating, and managing IT-related risks. The purpose of this study is to
provide a thorough analysis of the IT control environment at Fabtech
Technologies, evaluate the controls' efficacy, and make improvement
recommendations as needed.

To keep its information systems safe, intact, and accessible, Fabtech
Technologies uses strong IT controls. Data center and network operations,
backup management, access security, system software acquisition, change and
maintenance, backup policies, and the company's IT control architecture are all
thoroughly examined in the report. Processes and activities are broken down
into sections of the report that assess the controls put in place to deal with
identified risks.

The assessment of IT controls comprises a study of both automated and manual
controls, their applicability, efficacy, and the techniques used to test them.
Design, implementation, and operational performance are the three main
metrics used to determine a control's efficacy. In addition to outlining key areas
for control enhancement, the report offers practical suggestions to fortify the IT
control environment.

The purpose of this research is to shed light on Fabtech Technologies' IT control
mechanisms by doing an in-depth investigation of them to determine whether or
not they comply with regulations and industry standards. The results and
recommendations offered in this report are designed to help the continual
improvement of the company's IT governance and risk management framework,
eventually safeguarding the organization's information assets and supporting its
business objectives.

LIST OF ABBREVIATIONS

Abbreviation Description

CFO Chief Financial Officer

ERP Enterprise Resource Planning

GIC General IT Control

HOD Head Of The Department

RCM Risk Control Matrix

VPN Virtual Private Network

LIST OF FIGURES

Fig. No Figure Description
Figure 1 Use Case

Figure 2 Use Case

Figure 3 Use Case

Figure 4 Activity Diagram

TABLE OF CONTENTS
Acknowledgement
Abstract
Abbreviations
List of Figures
List of screenshots
Chapter 1. Introduction
1.1 Introduction and Problem Summary
1.2 Aim and Objectives of the Project
1.3 Scope of the Project
Chapter 2. Literature Survey
2.1 Current/Existing System
2.1.1 Study of Current System
2.1.2 Problem & Weakness of Current System
2.3 Feasibility Study
2.3.1 Technical Feasibility
2.3.2 Operational Feasibility
2.4 Tools/Technology Required
Chapter 3. Design: Analysis, Design Methodology and Implementation Strategy
3.1 Function of System
3.1.1 Use Case Diagram
3.1.2 Activity Diagram
Chapter 4. Implementation
4.1 Implementation
4.1.1 IT Policy
4.2 Screenshots/Snapshots
Chapter 5. Summary of Results and Future Scope
5.1 Advantages/Unique Features
5.2 Results and Discussions
5.3 Future Scope of Work
Chapter 6. Conclusion
Bibliography- List of references

Chapter 1: Introduction

1.1 Introduction and Problem Summary

In an era where digital transformation is altering business operations, organizations are more
dependent on information technology (IT) to deliver efficiency, innovation, and competitive
advantage. However, growing reliance on IT also exposes firms to many risks, including data
breaches, system breakdowns, and regulatory concerns. As a result, the adoption of efficient
General IT Controls (GITCs) has become important for securing sensitive information and
assuring the stability of IT systems.

This project focuses on the General IT Controls framework within Fabtech Technologies
Private Limited, intending to analyse the existing status of IT controls and their efficacy in
mitigating risks. GITCs contain a set of policies, procedures, and practices that govern the
administration of IT resources, including access controls, change management, data backup
and recovery, and incident response. By reviewing these controls, the project tries to identify
risks and opportunities for improvement, ensuring that the business adheres to industry best
practices and regulatory standards.

Problem Summary:

Despite the crucial relevance of GITCs, many firms, including Fabtech Technologies, face
difficulty in properly carrying out and sustaining these controls. Typical challenges include
inadequate documentation of IT policies, insufficient training for personnel on security
processes, and a lack of regular evaluations and upgrades of existing controls. These
deficiencies can lead to unauthorized access, data loss, and non-compliance with regulatory
standards, ultimately harming the organization's operational integrity and reputation.

The main obstacle addressed in this project is the requirement for an exhaustive evaluation of
the existing General IT Controls at Fabtech Technologies. By identifying gaps and
vulnerabilities in the current control environment, the project intends to give practical
recommendations that will enhance the organization's IT security framework, decrease risks,
and build a culture of compliance and accountability.

1.2 Aims and Objectives of the Project

Aims of the Project

● Evaluate Current IT Controls: To assess the effectiveness of existing General IT
Controls at Fabtech Technologies Private Ltd.
● Identify Vulnerabilities: To identify vulnerabilities and gaps in the current IT
management system that may expose the organization to threats.
● Enhance IT Security: To make recommendations for strengthening the overall
security posture of the company.
● Ensure Compliance: To ensure that the organization adheres to relevant laws and
regulations and industry best practices.
● Promote Awareness: To create a culture of IT security awareness among employees
through training and communication.

Objectives of the Project

● Conduct a Risk Assessment: To carry out a comprehensive risk assessment to identify
potential threats and weaknesses in the IT environment.
● Review IT Policies and Procedures: To analyze existing IT policies and procedures
for appropriateness and effectiveness for handling risks.
● Evaluate Access Controls: To assess the effectiveness of user access controls and
permissions management.
● Analyse Change Management Processes: To review the processes for managing
changes to IT systems and applications to ensure they have been handled and
documented.
● Examine Data Backup and Recovery: To review the data backup and recovery
processes to ensure data integrity and availability in case of incidents.
● Develop Recommendations: To formulate actionable recommendations based on the
findings of the assessment for improving the IT control environment.
● Create an Implementation Plan: To define a clear plan for implementing the
recommended improvements, including dates and accountable parties.

● Monitor and Review: To establish a framework for ongoing monitoring and periodic
review of IT controls to ensure continuous improvement.

1.3 Scope of the Project

The scope of the project on General IT Controls at Fabtech Technologies Private Limited
defines the boundaries of the work to be performed. It sets out what is included in and
excluded from the project, ensuring clarity and focus. The project scope is described in
detail below:

o Project Assessment of General IT Controls:
● Evaluate the existing General IT Controls (GITCs) implemented inside the
organization, including policies, procedures, and practices relating to IT
governance.
o Key Areas of Focus:
● Access Control: Review user access management processes, including
role-based access control, user permissions, and authentication systems.
● Change Management: Analyze the processes for managing changes to IT
systems, including documentation, approval workflows, and testing
procedures.
● Data Backup and Recovery: Assess the effectiveness of data backup
procedures and recovery plans to assure data integrity and availability.
● Incident Response: Evaluate the incident response protocols in place for
recognizing, addressing, and mitigating IT security incidents.
o Risk Assessment:
● Conduct a comprehensive risk assessment to identify potential threats and
weaknesses within the IT infrastructure, including both internal and external
risks.
o Documentation Review:
● Review existing IT policies and procedures to ensure they are up-to-date,
thorough, and aligned with industry best practices and regulatory
requirements.
o Employee Training and Awareness:

● Assess the existing level of employee awareness of IT security rules and
procedures, and identify training gaps to promote understanding and
compliance.
o Recommendations for Improvement:
● Develop actionable recommendations based on the evaluation findings to
enhance the effectiveness of GITCs and fix identified weaknesses.
o Implementation Planning:
● Create a clear implementation plan for the identified improvements, including
dates, resource allocation, and accountable parties.
o Monitoring and Review Framework:
● Establish a structure for constant monitoring and periodic evaluation of IT
controls to ensure continuous improvement and adaptation to evolving risks.

Chapter 2
Literature Survey

2.1 Current/Existing System

2.1.1 Study of Current System

The assessment of the current system includes a complete investigation of the existing
General IT Controls (GITCs). The study aims to understand how the current controls
are implemented, how effective they are, and any gaps that may exist. The following
components indicate the important areas to be considered in the examination of the
current system:
o IT Policies and Procedures
● Documentation Review: Evaluate the existing IT rules and processes to verify
they are well-documented, up-to-date, and aligned with industry standards.
● Policy Coverage: Assess whether the policies cover critical areas such as data
security, access control, incident response, and change management.
o Access Control Mechanisms
● User Access Management: Analyze the processes for granting, changing, and
revoking user access to systems and data.
● Role-Based Access Control (RBAC): Review the implementation of RBAC to
ensure that users have access only to the information essential for their jobs.
● Authentication mechanisms: Evaluate the effectiveness of authentication
mechanisms employed, such as passwords, multi-factor authentication, and
biometric systems.
o Change Management Processes

● Change Request Procedures: Examine the procedures for submitting,
reviewing, and approving change requests relating to IT systems and
applications.
● Documentation and Testing: Assess how modifications are documented and
whether enough testing is undertaken before implementation to avoid
interruptions.
o Data Backup and Recovery
● Backup Procedures: Review the data backup processes, including frequency,
storage techniques, and retention policies.
● Disaster Recovery Plans: Evaluate the effectiveness of disaster recovery plans
to ensure that vital data can be restored in the case of a breakdown or incident.
o Incident Response and Management
● Incident Reporting: Analyze the procedures for reporting and responding to IT
security issues, including roles and responsibilities.
● Post-Incident Review: Assess whether there is a mechanism for conducting
post-incident evaluations to identify lessons learned and enhance future
responses.
o Employee Training and Awareness
● Training Programs: Evaluate the effectiveness of training programs on IT
security policies and procedures for employees.
● Awareness Campaigns: Assess the activities in place to enhance awareness of
IT security threats and best practices among staff.
o Monitoring and Auditing
● Control Monitoring: Review the systems in place for monitoring the
effectiveness of IT controls and identifying potential issues.
● Audit Trails: Assess the availability and integrity of audit trails for essential
systems to ensure accountability and traceability.
o Compliance with Regulations
● Regulatory Requirements: Identify important regulatory obligations (e.g.,
GDPR, HIPAA) and examine the organization’s compliance status.
● Internal Compliance Audits: Review the frequency and findings of internal
compliance audits related to IT controls.

2.1.2 Problems & Weaknesses of Current System

o Inadequate Documentation of IT Policies
● Lack of Clarity: Some IT policies may not be clearly documented or easily
available to staff, leading to misunderstanding regarding compliance and
duties.
● Outdated Policies: Certain policies may not have been reviewed or updated
regularly, resulting in misalignment with current best practices and regulatory
obligations.
o Weak Access Control Mechanisms
● Insufficient Role-Based Access Control: The implementation of role-based
access control may be incomplete, allowing unauthorized users to access critical
information.
● Inconsistent User Access Reviews: Periodic reviews of user access rights
may not be completed, increasing the risk of lingering access for
former employees or people who have changed positions.
o Ineffective Change Management Processes
● Lack of Formal Change Requests: Changes to IT systems may be made
without formal requests or approvals, leading to unauthorized modifications and
consequent disruptions.
● Inadequate Testing of Changes: Changes may not be fully tested before
implementation, raising the risk of system failures or security vulnerabilities.
o Insufficient Data Backup and Recovery Procedures
● Infrequent Backups: Data backups may not be conducted routinely, risking
data loss in the event of a system breakdown or cyber incident.
● Unverified Recovery Plans: Disaster recovery plans may not be evaluated
regularly, leading to uncertainty about their usefulness during an actual crisis.
o Limited Incident Response Capabilities
● Delayed Incident Reporting: Employees may not be aware of the necessary
procedures for reporting IT security problems, leading to delays in response
and mitigation.
● Lack of Post-Incident Analysis: There may be no formal mechanism for
performing post-incident reviews, preventing the organization from learning
from past incidents and improving future responses.
o Insufficient Employee Training and Awareness

● Lack of Regular Training: Employees may not receive regular training on IT
security policies and best practices, leading to a lack of awareness of potential
risks.
● Limited Awareness Campaigns: There may be insufficient measures to
establish a culture of security awareness within the organization.
o Weak Monitoring and Auditing Practices
● Inadequate Monitoring of Controls: There may be insufficient mechanisms in
place to monitor the effectiveness of IT controls, leading to undetected
vulnerabilities.
● Lack of Audit Trails: Critical systems might not maintain audit trails,
making it impossible to trace actions and hold individuals accountable.
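
The access-control weaknesses listed above (lingering access for former workers, access kept after a change of position) are what a periodic user access review is meant to catch. The following is an added example, not part of the original report: it reconciles an application's account list against an HR roster. The column names, role names, department-to-role baseline and all records are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed HR roster export; column names are assumptions.
HR_ROSTER = """emp_id,name,department,status,last_day
E101,Asha,Finance,active,
E102,Rohit,IT,active,
E103,Meera,Finance,terminated,2024-05-31
E104,Vikram,Stores,active,
"""

# Constructed account listing from a business application (assumed columns).
ACCOUNTS = """account,emp_id,role,enabled,last_login
asha.f,E101,FIN_POSTING,yes,2024-07-10
rohit.it,E102,SYS_ADMIN,yes,2024-07-19
meera.f,E103,FIN_POSTING,yes,2024-06-14
vikram.s,E104,FIN_POSTING,yes,2024-07-01
svc_backup,,SYS_ADMIN,yes,2024-07-20
old.temp,E199,STORES_ENTRY,no,2023-11-02
"""

# Assumed RBAC baseline: the roles each department is allowed to hold.
ALLOWED_ROLES = {
    "Finance": {"FIN_POSTING", "FIN_VIEW"},
    "IT": {"SYS_ADMIN"},
    "Stores": {"STORES_ENTRY"},
}


def _rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_csv, accounts_csv, allowed_roles):
    """Return (account, finding, detail) tuples for every access exception."""
    staff = {row["emp_id"]: row for row in _rows(hr_csv)}
    findings = []
    for acct in _rows(accounts_csv):
        name = acct["account"]
        if acct["enabled"].strip().lower() != "yes":
            continue  # disabled accounts cannot log in, so they are not exceptions
        owner = staff.get(acct["emp_id"])
        if not acct["emp_id"]:
            findings.append((name, "NO_OWNER", "enabled account has no named owner"))
        elif owner is None:
            findings.append((name, "UNKNOWN_EMPLOYEE", f"{acct['emp_id']} not in HR roster"))
        elif owner["status"] == "terminated":
            detail = f"owner left on {owner['last_day']}"
            if acct["last_login"] and owner["last_day"]:
                used = date.fromisoformat(acct["last_login"])
                if used > date.fromisoformat(owner["last_day"]):
                    detail += f", last login {used} is after the leaving date"
            findings.append((name, "LEAVER_ACTIVE", detail))
        elif acct["role"] not in allowed_roles.get(owner["department"], set()):
            # Typical after a transfer: the old department's role was never removed.
            findings.append((name, "ROLE_MISMATCH",
                             f"{owner['department']} staff holds {acct['role']}"))
    return findings


if __name__ == "__main__":
    for account, finding, detail in review_access(HR_ROSTER, ACCOUNTS, ALLOWED_ROLES):
        print(f"{account:12} {finding:17} {detail}")
```

Each finding is an exception for the reviewer to follow up with the account owner's manager; an enabled leaver account with a login after the leaving date is the one to escalate first.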

2.3 Feasibility Study

2.3.1 Technical Feasibility

Technical feasibility examines whether the technology required for implementing the
suggested changes is available, reliable, and compatible with existing systems. Key
considerations include:

o Existing Infrastructure: Evaluate whether the current IT infrastructure (hardware,
software, and network capabilities) can accommodate the proposed changes.
For example, if new security software is needed, assess whether the current servers
and network can handle it.

o Integration with Current Systems: Determine whether new technologies or processes
can be integrated with current systems without significant disruption.
Compatibility with current applications and databases is key.

o Availability of Resources: Assess whether the necessary technical resources (e.g.,
skilled people, tools, and technologies) are available to implement and
maintain the modifications. This includes evaluating the expertise of the IT
staff and the availability of external vendors if needed.

o Scalability: Consider whether the proposed solutions can scale as the
organization grows. This includes investigating whether the technology can
handle greater data loads or user access in the future.

o Security and Compliance: Ensure that any new technology complies with
relevant security standards and regulations. This includes studying the security
features of new software or hardware.

2.3.2 Operational Feasibility

o Alignment with Business Processes: Evaluate whether the proposed changes align
with existing business processes and workflows. Changes should increase
efficiency rather than disrupt operations.

o Impact on Staff: Consider how the changes will affect staff, including the
need for training and changes to their roles. Assess whether
workers are willing and able to adapt to new processes or technologies.

o Resource Availability: Determine whether the organization has the necessary
human and financial resources to implement and maintain the improvements.
This includes budgeting for new technologies, training, and continuous
support.

o Change Management: Assess the organization’s capacity for change
management. This includes examining the mechanisms in place for managing
transitions, communicating changes, and addressing employee concerns.

o Support from Management: Ensure that there is buy-in from management and
key stakeholders for the planned enhancements. Leadership support is
necessary for successful implementation and sustainability.

Chapter 3
Design: Analysis, Design Methodology, and Implementation
Strategy

3.1 Function of System


3.1.1 Use Case Diagram

A use case diagram is a graphical representation of the interactions between a system
and its users, highlighting the ways the system may be used. Here is a simple
example of a use case diagram for General IT Controls:

Actors:
- Employee: the use cases for the Employee are access control management, incident
management, and training and awareness
- IT Manager: the use cases for the IT Manager are change management and monitoring and
auditing
- ERP team: the use cases for the ERP team are access control management and

Figure 1
Figure 1 explains that Employee looks after Access Control Management, Incident
Management and Training and Awareness.

Figure 2
Figure 2 explains that IT Manager looks after Change Management, Monitoring and Auditing.

Figure 3
Figure 3 explains that Employee looks after Access Control Management and Change
Management

3.1.2 Activity Diagram

Activity diagrams are used to illustrate the flow of control in a system and refer to the steps
involved in the execution of a use case. We can depict both sequential processing and
concurrent processing of activities using an activity diagram, i.e., an activity diagram focuses
on the condition of flow and the sequence in which it happens.

Figure 4

Chapter 4
Implementation

4.1 IT Policy
1. Acceptable Use Policy (AUP)

● Communicate the AUP to employees and make sure they comply with it.
● Check for regular updates and acknowledgement from users.
● Evaluate the effectiveness of communication and enforcement strategies.

2. Security Awareness and Training Policy

● Verify the existence and consistency of training programs.
● Examine the relevance and quality of training materials.
● Ensure records of training attendance and completion are stored.

3. Change Management Policy

● Review the change management process, including documentation and approval
guidelines.
● Examine change logs and verify that changes were authorized and tested.
● Assess the process for handling emergency changes and ensuring they are documented
retrospectively.

4. Incident Response Policy

● Evaluate the incident response plan and procedures.
● Verify the existence of an incident response team and their training.
● Review incident logs and post-incident reviews to ensure proper documentation and follow-up.

5. Remote Access Policy

● Check for secure remote access methods (e.g., VPN, MFA).
● Verify user access controls and authentication measures.
● Review logs of remote access sessions to detect any unusual behavior or
unauthorized access.

6. Vendor Management Policy

● Assess the vendor selection and onboarding process.
● Verify the existence of security clauses in vendor contracts.
● Ensure ongoing monitoring and regular security reviews of vendors.

7. Password Creation and Management Policy

● Verify password policies for complexity, length, and expiration.

● Assess the enforcement of password policies across the enterprise.
● Check for the implementation of secure password storage and handling methods.

8. Network Security Policy

● Review network architecture and security controls (e.g., firewalls, intrusion detection
systems).
● Assess network monitoring and logging structures.
● Verify the setup and effectiveness of network segmentation and access controls.
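
The change-log test described under item 3 (Change Management Policy), written out as an added example that is not part of the original report: it checks that normal changes were approved and tested before implementation and that emergency changes were documented retrospectively. The field names, the three-day retrospective window and all records are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed change-log extract; field names and values are assumptions.
CHANGE_LOG = [
    {"id": "CHG-001", "type": "normal", "approved": "2024-06-01",
     "tested": "2024-06-02", "implemented": "2024-06-03"},
    {"id": "CHG-002", "type": "normal", "approved": None,
     "tested": "2024-06-05", "implemented": "2024-06-06"},
    {"id": "CHG-003", "type": "normal", "approved": "2024-06-12",
     "tested": None, "implemented": "2024-06-10"},
    {"id": "CHG-004", "type": "emergency", "approved": "2024-06-16",
     "tested": None, "implemented": "2024-06-15"},
    {"id": "CHG-005", "type": "emergency", "approved": None,
     "tested": None, "implemented": "2024-06-20"},
    {"id": "CHG-006", "type": "emergency", "approved": "2024-07-05",
     "tested": None, "implemented": "2024-06-20"},
]


def _d(value):
    """Convert an ISO date string to a date, keeping missing values as None."""
    return date.fromisoformat(value) if value else None


def audit_change_log(changes, retro_days=3):
    """Return {change_id: [exception codes]} for changes that fail the test.

    Normal changes need approval and testing dated on or before implementation.
    Emergency changes may go in first, but the approval record must follow
    within `retro_days` days (assumed policy window).
    """
    exceptions = {}
    for chg in changes:
        approved = _d(chg["approved"])
        tested = _d(chg["tested"])
        implemented = _d(chg["implemented"])
        if implemented is None:
            continue  # not yet in production, nothing to test
        issues = []
        if chg["type"] == "emergency":
            if approved is None:
                issues.append("EMERGENCY_NOT_DOCUMENTED")
            elif approved > implemented + timedelta(days=retro_days):
                issues.append("EMERGENCY_DOCUMENTED_LATE")
        else:
            if approved is None:
                issues.append("NOT_APPROVED")
            elif approved > implemented:
                issues.append("APPROVED_AFTER_IMPLEMENTATION")
            if tested is None:
                issues.append("NOT_TESTED")
            elif tested > implemented:
                issues.append("TESTED_AFTER_IMPLEMENTATION")
        if issues:
            exceptions[chg["id"]] = issues
    return exceptions


if __name__ == "__main__":
    for change_id, issues in audit_change_log(CHANGE_LOG).items():
        print(change_id, ", ".join(issues))
```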

4.2 Screenshot

(This screenshot covers the Area, process, Risk description, level of risk and control
description of IT policy and access security)

Chapter 5
Summary of Results and Future Scope

5.1 Advantages
1. Enhanced Security Posture

● Risk Mitigation: By identifying and addressing flaws in IT controls, the investigation
helps decrease risks associated with data breaches, unauthorized access, and other
security threats.
● Preventative Measures: Implementing recommended measures can prevent potential
malpractice and increase overall security.

2. Compliance with Regulations

● Regulatory Adherence: The report makes sure that a company complies with crucial
rules and regulations, reducing the risk of legal penalties and enhancing corporate
governance.
● Audit Preparedness: Regular audits and compliance checks as suggested in the report
prepare the organization for external audits.

3. Employee Awareness and Training

● Increased Awareness: The study points out the need for training employees on IT
security policies, leading to a more security-conscious workforce.
● Reduction in Human Error: Training can significantly reduce the likelihood of human
errors that could lead to security issues.

4. Continuous Improvement

● Feedback Mechanism: The report encourages a culture of continuous improvement by
regularly reviewing and updating IT controls based on new threats and business demands.
● Adaptability: Organizations can cope with new technologies and threats more
effectively with a strong foundation in place.

5.2 Unique Features:

Risk Control Matrix (RCM): The report includes a complete RCM that maps risks to
specific controls, offering a clear perspective of the organization's risk landscape.

Periodic Review Recommendations: It points out the importance of regular reviews of IT
policies and controls, ensuring they stay effective and relevant over time.

Employee Training Focus: The research highlights the significance of initial and
ongoing IT training for employees, fostering a culture of security awareness.

Integration of Detective and Corrective Controls: It outlines both detective and corrective
controls, ensuring a comprehensive approach to risk management.

Management Involvement: The report highlights the need for management oversight and
approval in implementing IT controls, promoting accountability at all levels.

Documentation Standards: It encourages full documentation of policies and procedures,
improving transparency and facilitating audits.

Adaptability to Change: The report supports a framework which allows for changes based
on new dangers and improvements in technology.

5.3 Results and Discussions

1. Study of Current IT Controls

● Findings: The study showed significant deficiencies in existing IT controls, including
inadequate documentation, lack of staff training, and insufficient management
oversight.
● Discussion: These gaps represent major risks to the firm, including potential data
breaches and regulatory difficulties. Addressing these gaps is critical for boosting the
overall security posture.

2. Implementation of Recommended Controls

● Findings: Following the suggestions, essential controls were implemented, including
revised IT policies, strengthened access restrictions, and frequent training sessions for
workers.
● Discussion: The adoption of these controls has led to increased compliance with
industry norms and regulations. Initial feedback from employees reveals a better grasp
of security norms.

3. Monitoring and Auditing

● Findings: A framework for ongoing monitoring and periodic audits was built,
enabling real-time assessment of control effectiveness.
● Discussion: Early results from the monitoring activities reveal that most controls are
performing as planned, but some areas require further refinement. Regular audits will
help uncover these areas for improvement.

4. Risk Mitigation Outcomes

● Findings: The introduction of the risk control matrix has allowed for better identification
and management of IT risks.
● Discussion: By aligning controls with identified risks, the organization has drastically
reduced its exposure to possible threats, increasing overall resilience.

5.4 Future Scope of Work

Include a short executive summary at the beginning of the report that discusses key results,
ideas, and the overall significance of the IT controls evaluation.

Clearly define the objectives and scope of the report, describing which components of IT
controls were examined and what the expected results are.

Provide a full description of the method used for the assessment, including tools, frameworks,
and criteria for evaluating IT controls.

Use charts, graphs, and tables to visually communicate data and findings, making complex
material more digestible.

Create a section dedicated to feedback mechanisms and continuous improvement projects,
enabling regular review of IT controls.

Chapter 6:

CONCLUSION

The inspection of IT controls revealed many strengths and challenges within the current
framework. Key areas of concern included inadequate documentation of security strategy,
insufficient training for employees, and a lack of regular assessments of IT security
procedures. Additionally, the study showed specific vulnerabilities related to unauthorized
access and data management practices.

The findings indicate the importance of comprehensive IT controls in preserving sensitive data and
maintaining operational integrity. The identified deficiencies represent potential hazards that
could lead to data breaches, regulatory non-compliance, and reputational damage. Therefore,
resolving these issues is not only a matter of compliance but also crucial for the
organization's entire risk management strategy.

To boost the effectiveness of IT controls, the report recommends establishing a continuous
improvement framework that includes regular training programs, updated documentation,
and a planned risk assessment schedule. Additionally, leveraging technology for automation
and having a clear incident response plan would further improve the organization’s security
posture.

Looking ahead, the company should stay careful and adaptable to the evolving landscape of IT
security. Continuous monitoring, testing of control performance, and staying current with
new technologies will all be key in continuing effective IT leadership. By adopting a
proactive approach to IT security, the organization will not only protect its assets but also
position itself as a leader in compliance and risk management.

