ITGC

Question 1

SDLC

Answer 1

Relates to the development and implementation of new systems. It’s the process from initation to retirement phase of systems. Regular change or configuration management controls are tested, especially at the maintenance phase of the system. The authorization to inquire new systems is provided by the IT steering committee to upper level management. Post implementation review done shortly after the implementation of the revised/new system. I test regular change or configuration management controls to ensure they are designed appropriately and operating effectively.

Question 2

Walkthrough

Answer 2

I will obtain an understanding of the controls being tested from the walkthrough meeting with the IT audit department, observe from the evidence provided, reference the evidence provided and make an opinion whether exception is noted or not. For how to perform detailed testing, I will obtain population, validate the population by observing the pulling of the population, and then select a sample (usually 10%) and requesting the evidence similar to those from walkthrough for each of the sample, and then test the controls/testing attributes with the evidence provided.

Question 3

Backup and Recovery

Answer 3

• Review company’s backup process
• Back-up period
• Back-up failure (how they follow up/who’s responsible)
• Back-up tape security and if they send tapes offsite to secure location
• Samples of failed backup and how it was fixed

Question 4

Logical Access Audit

Access control

Answer 4

• Ensure there is written approval before user accounts are created.
• Ensure audit trail/audit log enabled in the system.
• Ensure audit have unique usernames and passwords that are periodically forced to retire.
• Verify user accounts are properly created.
• Access request and approval process (walkthrough)

Question 5

Physical Access Audit

Answer 5

• Authorized approvers list maintained.
• Ensure Access is granted after proper approval.
• Ensure physical Access to computer equipment and storage media limited to authorized personnel.
• Facility armed/monitored CCTV

Question 6

IT Operations

Answer 6

• Test back-up recovery

- Test job scheduling (scheduled job and batch job)

Question 7

Change Management/Change Control

Answer 7

• Firstly, we understand the company’s change methodology.
• I ensure there is a change request and approval process in place by management.
• Ensure there is a separate development, test and production environment.
• I ensure that production changes are developed and implemented after proper approval.

Question 8

Change Management Control

Answer 8

• Change are authorizes
• Changes are tested
• Changes are approved before migrating over to the production environment.
• SOD

Question 9

Access Control

Answer 9

• Password settings appropriation
  •minimum password length of 8 characters
  •idle session timeout
  •frequently forced password changes
  •ability of users to set their own passwords
• Test User Access Authorized and appropriately established
  •New users,
  •Terminated users
  •Transferred users
• Physical Access to computer hardware is limited to appropriate individuals
  •Obtain a list of employees with access to data center, determine if it is complete and review appropriateness.
  •Confirm controls are in place to restrict access to only those individuals.
  •Confirm the existence of physical access review
• Test that Logical Access is granted
  •Review of logs,
  •violation attempts reporting
  •review access for continued appropriateness
• Segregation of incompatible duties
  •Denotes that any individual that requests access to be set up is not the same person approving, authorizing, or establishing the same access.
  •Performed rights of a “privileged user and monitoring use of a “privileged” user account.