
Information Technology General Controls (ITGC) Audit Program

A. Introduction

This audit program is by no means complete; it is a high-level starting point for building your
own ITGC audit program, aligned to your organization's IT operations. If you are a new IT
auditor, I advise you to work with an IT specialist to review your audit results so that you
don't miss anything "technical". The audit tests in this document are limited to 4 per audit
area.

Contact us to purchase the full audit program with over 10 audit tests per audit area.
We also provide suggested audit results and/or audit program review services on request.

B. Audit Objective

The objective of this audit is to provide reasonable assurance that the general IT controls
within the IT environment are operating effectively. This will be confirmed by reviewing the IT
policies, procedures, practices and organizational structure, so as to provide reasonable
assurance that the business objectives will be achieved and that undesired events will be
prevented or detected, and corrected.

The audit program is divided into the following sections:

- IT Governance
- Change Management
- Logical and Physical Access Controls
- Backup and Recovery
- Third Party Providers

C. Audit Procedures/ Tests

1. IT Governance

Objective:
To ensure that adequate and well-structured IT governance is in place, of reasonable maturity
(i.e. documented and repeatable), to prevent or mitigate risks such as untimely or inaccurate
data processing and downtime of critical IT systems and IT processes.

1. Obtain the following documents to give you some background information on the
operations of the IT environment:
a) IT risk register
b) IT strategic plan
c) IT projects planned for the year and IT projects completed the previous year
d) Policies and procedures
e) Previous IT audit reports
f) Organisational structure
g) Job descriptions
h) KPIs

2. Interview senior management and understand their issues and concerns.

3. Confirm that the IT strategic plan is documented and approved by senior management.

4. Confirm whether a planning or steering committee is in place to oversee IT
investments and IT projects. This IT steering committee should consist of senior
management and key business leads. Review the agenda and minutes of past meetings.

2. Change Management

Objective:
To ensure there are structured processes for software and hardware acquisition,
development and implementation, to provide assurance that automated business processes
and application controls are not disrupted by changes to the IT environment.

1. Determine how IT equipment, software and supplies are procured, and whether there is a
formal procurement process.

2. Through interview, determine the change control process followed and obtain an
evidential copy of the change request form, including supporting policies and procedures.

3. Confirm that the change request forms are serially numbered and contain provisions for
approval by supervisors from both IS and user departments.

4. Confirm that the change request form makes provision for the reason for the change, the
effective date, the person requesting, the person who approved, the person who made the
change, the person who verified that the change was implemented correctly and, in most
cases, the person who tested the change.
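An auditor can run tests 3 and 4 above over an exported list of change requests rather than sampling forms by hand. The script below is an added example, not part of the original audit program; the field names, the "IS"/"User" approval keys and the sample records are assumptions about what such an export might look like.

```python
# Audit test over an export of change-request records (constructed sample data).
# Flags gaps or duplicates in serial numbering, missing form provisions, and
# records lacking approval from both the IS and the user department.

# Field names and department keys are assumptions about the export format.
REQUIRED_FIELDS = ("serial", "reason", "effective_date", "requested_by",
                   "approved_by", "implemented_by", "reviewed_by", "tested_by")
REQUIRED_APPROVAL_DEPTS = {"IS", "User"}

# Constructed sample export: 1002 lacks user-department approval, 1004 has no
# tester recorded, and serial 1003 is absent (a numbering gap).
SAMPLE_RECORDS = [
    {"serial": 1001, "reason": "Patch DB server", "effective_date": "2024-03-02",
     "requested_by": "a.smith", "approved_by": {"IS": "j.doe", "User": "m.lee"},
     "implemented_by": "r.kim", "reviewed_by": "t.ng", "tested_by": "m.lee"},
    {"serial": 1002, "reason": "Firewall rule", "effective_date": "2024-03-05",
     "requested_by": "b.jones", "approved_by": {"IS": "j.doe"},
     "implemented_by": "r.kim", "reviewed_by": "t.ng", "tested_by": "b.jones"},
    {"serial": 1004, "reason": "ERP config", "effective_date": "2024-03-09",
     "requested_by": "c.wu", "approved_by": {"IS": "j.doe", "User": "c.wu"},
     "implemented_by": "r.kim", "reviewed_by": "t.ng", "tested_by": ""},
]

def audit_change_requests(records):
    """Return a list of (serial, finding) exceptions for the audit workpaper."""
    findings = []
    serials = sorted(r["serial"] for r in records if r.get("serial") is not None)
    # Test 3: serial numbering must be unique and contiguous.
    for prev, cur in zip(serials, serials[1:]):
        if cur == prev:
            findings.append((cur, "duplicate serial number"))
        elif cur != prev + 1:
            findings.append((cur, f"gap in serial numbering after {prev}"))
    for r in records:
        serial = r.get("serial")
        # Test 4: every provision on the form must be filled in.
        missing = [f for f in REQUIRED_FIELDS if not r.get(f)]
        if missing:
            findings.append((serial, "missing fields: " + ", ".join(missing)))
        # Test 3: approvals from both IS and the user department.
        lacking = REQUIRED_APPROVAL_DEPTS - set(r.get("approved_by") or {})
        if lacking:
            findings.append((serial, "no approval from: " + ", ".join(sorted(lacking))))
    return findings

if __name__ == "__main__":
    for serial, finding in audit_change_requests(SAMPLE_RECORDS):
        print(f"CR {serial}: {finding}")
```

Each finding is an exception to record in the workpaper; an empty list means the sampled records pass both tests.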

3. Logical and Physical Access Controls

Objective:
To restrict access to company data and programs by preventing unauthorized access or
changes, including the prevention of unintentional errors and of fraud by employees and/or
intruders.

Logical:
1. Determine if there is a written policy/ procedure to manage access controls.

2. Obtain a copy of the access request form and confirm that it provides for written approval
by the appropriate level of management.

Physical:
1. Determine physical location of the following:
a. Operator consoles
b. Computer storage rooms
c. UPS/Generator
d. All communications equipment
e. All servers
f. Tape library
2. Through interview and observation, determine how the above IT assets are protected, i.e.
whether they are located in a secure area with restricted access.

4. Backups and Recovery

Objective:
To ensure normal business operations can continue following a disaster or a complete
system failure, by determining that the Disaster Recovery and Contingency plans are in place,
regularly reviewed and tested. There should be procedures in place to provide for the
recovery of files, address disaster recovery, and identify critical processing (data). The plan
should allow for periodic testing (at least annually) to ensure personnel understand their
respective roles during a disaster and to validate the plan. There should be provisions for the
backup of critical information and materials both on-site and off-site.

1. Confirm that backups are being performed and review the policies and procedures for
alignment.

2. Determine who performs the backups, ask whether they are done on a regular basis, and
confirm this via a logbook.

3. Evaluate whether the servers and employee PCs are protected from viruses by anti-virus
software.

4. Confirm that system files and operating software are backed up, especially before a
change to the system settings.

5. Third Party Providers

Objective:
The objective of this section is to ensure that IT services (specifically the business-critical
ones) are being provided by reliable IT suppliers.

1. Obtain the IT supplier/vendor register and confirm that it is up to date and complete, and
that there is a process to keep it up to date (details confirmed annually and meetings held
with all suppliers).

2. Confirm that there are agreements with all parties that provide third party services.

3. Have the business-critical services been identified? Evaluate whether any third parties
provide services for critical business services/processes.

4. Obtain the Service Level Agreements (SLAs) with the above vendors and confirm that the
third parties have adequate controls to ensure business continuity.
