ITGC SOX
duties (SoD) reviews for Sarbanes-Oxley, PeopleSoft. Mehta has in-depth knowledge and understanding of enterprise risk management; IT security; and governance, risk and compliance (GRC) domains. With more than eight years of experience, he has worked with industry leaders in the food and beverage, staffing, insurance and banking, and health care industries.

Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca.org/journal), find the article, and choose the Comments tab to share your thoughts.

It is also important to identify the extent to which a specific system should be tested. What should companies do to identify the exact scope for ITGC? For example, an auditor would definitely perform detailed testing for the financial system of record (SAP or PeopleSoft), but would not spend the same time or cost performing that level of testing on a system that falls into scope but has only a handful of system administrators managing it.

The most appropriate and effective way to define the right scope and the extent of testing for each Sarbanes-Oxley in-scope system is to perform a risk assessment focusing on the risks associated with Sarbanes-Oxley requirements and specific to ITGC. Risk assessment is not a new buzzword; everyone in today's world talks about it. For ITGC, the assessment should concentrate on the risks that are associated with each general control process area, such as change management, logical access, computer operations, job scheduling, and third parties/service organizations that manage applications or data centers.

IDENTIFY RISK CRITERIA/PARAMETERS
The organization's approach to Sarbanes-Oxley risk assessment should identify the key risk parameters that help to quantify the risks for ITGC. Risk is rated per control area rather than once per application: an application might be considered high risk from a change management perspective because it undergoes hundreds of changes every month, but low risk from a logical access perspective because it has only four to five administrators and no end users accessing the application. To identify the appropriate risk parameters for a Sarbanes-Oxley ITGC risk assessment, the focus should be on integrity and access risks.
App 1, a commercial application, has a Structured Query Language (SQL) database that is maintained by two administrators, and no end users have direct access to the database, because of security designed within the application. App 1 has its own authentication mechanism. Since App 1 is a commercial application, not many changes are performed; historical data show about two changes annually. Because it is a commercial application, the vendor has built several application controls (approximately 25) that govern the environment to produce accurate financial reports and results.

App 2 is a homegrown application maintained by 20 developers, and about 100 end users access it. It has a database that is maintained by 10 system administrators. Users can access the database directly by opening an Open Database Connectivity (ODBC) connection outside of the application, which bypasses whatever restrictions the application itself enforces. The application has integrated authentication with the underlying Windows operating system. Since it was developed in house, the number of changes is on the higher side, close to 300 annually according to historical data. No application controls are built into this homegrown application.

The results of the risk assessment for these two applications show that App 2 is rated high risk from a Sarbanes-Oxley ITGC perspective and needs controls to be established to gain reasonable assurance about the integrity of financial data. Since the number of changes made to the application is high, an auditor should test all aspects of change management, including predevelopment approvals; testing (unit, stress and integration, as applicable); verification of test plans and test results; quality assurance testing; separation of environments (development, test, quality assurance, training, production); segregation of duties (no developer access to production); premigration approval; verification that migration is done by authorized individuals; and postimplementation control to ensure that the change is working as expected and that nothing broke. Similarly, for logical access, both preventive and detective controls (such as user provisioning/deprovisioning, monitoring of security logs, user access reviews and appropriate password controls) should be established.

App 1 is rated low risk because of the low number of changes made to the application and the lack of development effort done internally. For a low-risk application, the organization can consider testing only critical preventive controls instead of performing full-blown ITGC testing. For example, for change management, a preproduction approval alone should be sufficient, since all development and testing is performed by the external vendor; for all other change management controls the organization can rely on the vendor's Statement on Auditing Standards No. 70 (SAS 70) report or an equivalent (SAS 70 has since been superseded by SSAE 16 and then SSAE 18 SOC 1 reports). Similarly, for logical access, controls such as system administrator reviews can be eliminated because there are only two administrators and direct access to the database is not allowed. For low-risk applications, preventive controls such as appropriate password configurations and provisioning/deprovisioning provide enough assurance that the applications are secure, and the detective controls can be dropped. This approach results in fewer controls and a reduction in the overall cost of compliance.

Once an organization has identified the high-risk and low-risk applications and the controls are established and tested for appropriateness, the internal audit department should analyze the trend of failures and effective controls to evaluate whether more controls should be implemented for certain applications and whether some controls can be eliminated for others. For example, if changes to password configuration controls are very rare and the controls have been effective for a period of
time (App 1 in the previous example), those controls can be tested by inquiry instead of a full-blown test: confirm whether any changes were made to the application, and perform further testing only if changes were made. Inquiry should still be corroborated with a quick inspection of the current configuration, because inquiry alone is not accepted as sufficient evidence of operating effectiveness under the audit standards the external auditor applies. If the trend analysis shows that the controls are effective year on year and, most important, there is no feedback or issue raised by the external auditor, the existing controls are sufficient to ensure that all financial transactions are secure and reliable.

Performing risk assessments periodically, with the right parameters in place, can be used by audit management as a basis to gain comfort that all systems are being validated and tested as Sarbanes-Oxley ITGC requires. This will reduce the probability of any significant deficiency and increase the external auditor's confidence in management's testing. If the scope of the ITGC audit is appropriate, the extent of manual procedures that an external auditor will typically perform will be reduced, which will further reduce the overall cost of compliance.

Focusing on the parameters that are critical from the Sarbanes-Oxley ITGC perspective can save a lot of time, effort and money and also reduce the load on the IT department.
Editor's Note
Collaborate with ISACA members and access additional
resources on this topic in the ISACA Knowledge Center
located at www.isaca.org/knowledgecenter.
Virtual Seminar and Tradeshow: Managing IT Enterprise Risk, 19 October 2010