Channel: isriskacademy.com

IT General Controls (ITGC) – Computer Operations


In our series of articles covering IT General Controls (ITGC) we are looking at the information an IT Auditor should obtain and the type of questions that could be asked of management/control owners whilst performing an ITGC audit.

We have split the articles into the following sections:

In the fifth part of our series we are focusing on the controls around Computer Operations.

Computer Operations

Job Processing

Does the organisation perform any systems jobs / batch job processing?  Are roles and responsibilities defined and clearly communicated?  Are there controls in place to ensure computer operations personnel have appropriate skills to perform their functions?  Is there an appropriate job schedule documented for processing cycles?

Inspect completion checklists for a sample of systems jobs to ensure the jobs completed successfully and were monitored.

Backup & Recovery Procedures

Is there a documented procedure for performing backups?  What is the procedure?  What are the daily, weekly, and monthly schedules?

Is any restore testing performed to ensure the data stored on the backup media is re-usable? Where is the backup media stored when off-site and on-site? Is the off-site location sufficiently distant from the on-site location? Is there a contract/SLA in place with any third party for storing backup media off-site? Does the off-site storage facility have appropriate environmental and security controls? What controls are in place to ensure the safety of the backup media whilst in transit?

Obtain checklists for backups and verify that they have been completed as scheduled. Review any SLA between the organisation and third parties for off-site storage.

Incidents & Problem Management

How do you define the difference between a problem and an incident?  Is there an SLA in place between IT and Business Units?  Is the production environment monitored to identify incidents and failures?  Are all incidents and failures logged and tracked through to resolution?  Are escalation procedures established and followed?

Inspect a sample of incidents for prioritisation, appropriate authorisation and assignment.

Conclusion

Although our articles are not exhaustive, they should provide a good starting point for IT Auditors in terms of the type of questions to be asked and the information to be reviewed whilst conducting an IT General Controls audit. It is always best to adopt a risk-based approach during an ITGC audit: focus particular attention on controls which are considered higher risk and adjust sample sizes accordingly.


IT General Controls (ITGC) – Computer Operations is a post from: isriskacademy.com

