An IT General Controls audit examines how well IT systems and applications are performing. If an audit indicates that certain controls are not being done correctly, those issues are considered risks to the IT department and its ability to function.
Nearly every one of the 18 items in six controls listed below is designed to prevent situations that threaten data center operations. Results of the ITGC audit also provide an effective assessment of the risk level to the infrastructure. They identify areas where improvement is needed, which can help reduce risk.
Let’s go over the details of six controls that are often part of an ITGC audit:
Control 1: Physical and environmental security
- Server room is locked with a card access system.
- A limited number of employees have card access to the server room.
- The data center has raised floors and water detectors under the floors.
- A heating, ventilation and air conditioning (HVAC) system alarm sends emails and launches audible signals if there is a system failure.
- Server room fire extinguishers are checked quarterly.
Control 2: Logical security
- New employees are provided access to system resources after being approved by HR.
- Terminated employees have their access credentials deleted within 15 minutes of notification by HR.
- Windows Active Directory is used to authenticate users requesting system resources.
Control 3: Change management
- Test and production environments are segregated from each other.
- Production changes and patches are tested, documented and approved before being placed into service.
Control 4: Backup and recovery
- Data is backed up daily according to a documented process and schedule.
- Disaster recovery plans are in place for critical systems and are tested annually.
Control 5: Incident management
- Daily activity reports are generated for review by IT management.
- An incident response process is documented and used regularly when responding to abnormal situations.
Control 6: Information security
- Firewalls are used to protect the network perimeter from suspicious activities.
- Antivirus software is used to prevent damage from viruses.
- Incoming and outgoing data traffic is monitored 24/7 to identify potential phishing attacks, distributed denial-of-service attacks and other attempts to penetrate the network perimeter.
- Penetration testing is performed twice annually to check for vulnerabilities.
Performing the ITGC audit
When performing the ITGC audit, examine each of the controls using a combination of techniques:
- Interviews with employees (and their managers) responsible for them.
- Examination of documentation (such as written procedures, policies and technical manuals).
- Personal observations (for example, watching how an individual performs tasks relating to the control).
When writing up the findings from your interviews and examinations, you’ll be in a better position to rationalize if a control is being performed properly.