
IA 1-4 IT General and Application Controls Table

The document outlines key IT general controls and application controls. It lists 7 categories of IT general controls including access controls, change management, and IT operations. It also lists 5 types of application controls including completeness checks, data input checks, calculation checks, interface checks, and authorization checks. Controls marked with an asterisk require more detailed testing with sample test attributes. The document provides a high-level overview of important IT and application control categories and considerations for audit testing.

Uploaded by AdeyinkaAjagbe

IT General and Application Controls Table

IT General Controls (ITGC)


Access Controls
AC.1 - Password settings are appropriate
(Test Password settings or configurations)
AC.2* - User access is authorized and appropriately established
(User Access Authorization: New Users, Terminated Users, and Transferred Users)
AC.3* - Physical access to computer hardware is limited to appropriate individuals
(Physical Security, including periodic physical access review)
AC.4 - Access to privileged IT functions is limited to appropriate individuals
(Administrators access)
AC.5* - Logical access process is monitored
(Periodic logical access review*, violation attempts review, privileged users' activity log review)
AC.6 - General system security settings are appropriate (IT Infrastructure controls)
AC.7 - Segregation of incompatible duties exists within the access control environment.
(SOD within requesting access, approving access, setting up access, and monitoring access)
Change Management
CM.1* - Changes are authorized.
CM.2* - Changes are tested.
CM.3* - Changes are approved before being migrated to the production environment.
CM.4* - Segregation of incompatible duties exists within the change management environment.
(SOD within requesting change, developing change, and moving change into production)
IT Operations
OP.1* - Financial data has been backed-up and is recoverable
(Backup and periodic recovery)
OP.2* - Deviations from scheduled processing are identified and resolved in a timely manner
(Job scheduling*, including appropriate/limited access to scheduled jobs and tools)

Application Controls
AP.1 - Completeness Check –
(Test that controls exist to ensure all records are processed from initiation to completion)
AP.2 - Data Input Edit Check/Validity Check –
(Controls that ensure only valid data is input or processed. Most common, but N/A if there is no manual data entry)
(Examples: Error messages from input amount outside the acceptable range, or a date in an invalid format)
AP.3 - Calculation Check –
(Controls that ensure that accurate computation is occurring on processed transactions)
AP.4 - Interface Check –
(Controls that limit the risk of incomplete transfer of data among different systems)
AP.5 - Authorization Check –
(Controls that ensure that approvals and overrides are performed by only the authorized users)

* These controls require Test of Controls (or detailed testing) with multiple samples, creating testing attributes (another name for control in Test of Controls) from the above controls or from the Audit Program section of the IT Audit Introduction document.
