IT General Controls Assessment Report

The IT General Control Assessment Report evaluates Company A's information technology general control (ITGC) framework, revealing an unsatisfactory audit rating due to critical and major issues related to IT security, access controls, and change management. The report outlines the audit objectives, scope of work, and significant findings, highlighting the need for comprehensive policies and procedures to enhance the control environment. Recommendations include formalizing access request procedures, enforcing password controls, and conducting regular reviews of user access to mitigate risks associated with unauthorized access and data security.


IT GENERAL CONTROL ASSESSMENT REPORT

1 Source: www.knowledgeleader.com
Table of Contents
EXECUTIVE SUMMARY ... 3
  Background ... 3
  Audit Objectives ... 3
  Scope of Work ... 3
  Significant Findings/Conclusion ... 3
  Capability Maturity Model* ... 3
RATING SCALE ... 4
OBSERVATIONS SUMMARY ... 5
DETAILED REPORT OBSERVATIONS ... 6
REPORT DISTRIBUTION LIST ... 12
  Report Addressed To ... 12
  Report Copies To ... 13
APPENDIX A: PROCESS IMPROVEMENTS ... 14

EXECUTIVE SUMMARY

Background
Founded in (Insert Year) by (Insert Name), (Insert Location)-based Company A has become one of the leaders
and innovators in direct sales and marketing. Company A provides home cookware systems, air purification and
water filtration systems, vacuum cleaning systems, juice extraction systems, dinnerware, cutlery and other related
household products designed to enhance the lifestyle of consumers. Products are delivered through a network of
independent distributors and salespeople with Company A facilitating sales through a dedicated consumer
financing program that provides credit to the company’s customers. With primary markets in the (Insert Location)
and (Insert Location), Company A has achieved significant growth and has recently expanded into the markets of
(Insert Location) and (Insert Location).

In (Insert Year), the (Insert Location) department of financial services issued a report regarding concerns related
to consumer lending operations. In response to the report, Company A has committed to strengthening its
operating environment and compliance functions. Further, Company A has dedicated resources to implementing a
robust internal audit function, developing comprehensive policies and procedures, and enhancing its control
environment.

Audit Objectives
Internal audit performed an assessment of the current information technology general control (ITGC) framework at
Company A. The objectives of the engagement were to:
• Obtain an understanding of specific IT processes and controls.
• Assist in developing the process flows, narratives and control matrices and gaining verifications from process
owners.
• Recommend internal control environment improvements, where applicable.

Scope of Work
The scope of the assessment included the logical access, operations management, change management, and
system development lifecycle (SDLC) control areas for the System B and System C applications, as well as
supporting infrastructure.

Significant Findings/Conclusion
Based on the scope of this review and current ITGCs, this audit resulted in an unsatisfactory audit rating. We
identified one critical and several major issues.

Detailed explanations of the observations and action plans are included in the Detailed Report Observations
section of this report.

Capability Maturity Model*

Overall Rating: Unsatisfactory

Company A’s current ITGC environment shows elements of the initial maturity stage as formalized procedures
and policies are not in place companywide, monitoring of activity is lacking, and formal controls are not in place
for several control areas. The ITGC processes also show elements of the repeatable maturity stage as some
processes are established and being followed despite the lack of documentation noted above.

Capability Level (Capability Maturity, highest to lowest): Capability Description

Optimizing (Continuous Improvement): Controls are continuously improved enterprisewide.

Managed (Quantitative): Risks are managed quantitatively enterprisewide; “Chain of accountability”.

Defined (Qualitative/Quantitative): Policies, processes and standards are defined and institutionalized – “Chain of certification”.

Repeatable (Intuitive): Processes are established and repeating. Reliance on people continues, and controls documentation is lacking.

Initial (Ad hoc/Chaotic): Control is not a priority. An unstable environment leads to dependency on heroics.

RATING SCALE

Overall Rating: Definition

Satisfactory: Although audit observations were noted and require attention by management, controls and processes are reasonably designed and operating. Action plans will be tracked and reported during the standard reporting timelines.

Unsatisfactory: An area will be rated “unsatisfactory” if:
• A critical observation is noted.
• Two or more major observations are noted.
• Auditees are unresponsive or uncooperative.
Unsatisfactory ratings will result in a follow-up audit no later than 12 months from the report date.

Observation Ratings

Significance: Description

Critical: This rating represents a significant risk to the business, either a financial reporting error/exposure or a materially significant risk in financial reporting, compliance, fraud or reputation. This includes financial reporting errors or exposures greater than 5% of annual earnings before interest, taxes, depreciation and amortization (EBITDA).

Major: This rating represents a significant risk to the business or to the achievement of one or more business objectives, or has an impact on the corporate reputation or values of Company A. If quantifiable, this rating represents an error/exposure greater than 2% of annual EBITDA. This rating warrants executive management attention. Examples include major accounts that have not been reconciled in more than six months, and inconsistent measurement of key operating or financial metrics or policies.

Moderate: This rating represents an elevated risk to the business or has an impact on achieving business objectives. If quantifiable, this rating represents an error/exposure equal to or less than 2% of annual EBITDA. This rating warrants executive management attention. Examples include monthly reconciliations being performed, but reconciling items not being addressed in a timely manner.

Minor: This rating represents some risk to the business and may improve internal control or efficiency. This rating warrants functional or control owner attention. It cannot have resulted in a financial reporting error.

OBSERVATIONS SUMMARY

Control Area / Issue / Impact marks (Operational, Financial, Compliance) / Significance

A. Entity-Level
• Formal policies for IT security, operations management and change management are lacking. Impact: X X. Significance: Moderate.
• Third-party control environments are not reviewed. Impact: X X. Significance: Moderate.

B. Logical Access
• Password controls are inadequate. Impact: X. Significance: Moderate.
• Internal controls related to logical access are poor. Impact: X X X. Significance: Major.
• User access is not periodically reviewed. Impact: X X X. Significance: Major.

C. Manage Operations
• Internal controls related to data center access are poor. Impact: X X. Significance: Moderate.
• Controls over changes to scheduled jobs are lacking. Impact: X X. Significance: Moderate.
• Backup media storage is inadequate. Impact: X X. Significance: Moderate.

D. Change Management
• Internal controls related to change management are poor. Impact: X X. Significance: Major.
• Access to develop and migrate code is inappropriate. Impact: X X. Significance: Critical.

E. SDLC
• Post-implementation reviews are lacking. Impact: X. Significance: Minor.

DETAILED REPORT OBSERVATIONS

Observations and Agreed-Upon Action Plans

A. Entity Level Controls

1. Formal policies for IT security, operations management and change management are lacking.
Significance: Moderate

Internal audit noted that procedures related to IT security and operations management are not documented in a formal policy. Company A does have a change management policy to govern SDLC changes. However, this policy is not adhered to for all planned/normal changes, nor for infrastructure changes. There is no consistent, formal way by which the company documents the informal process/policy that is currently being followed. The lack of a comprehensive and detailed policy covering all of these major IT control areas increases the risk that processes are not performed consistently across Company A’s IT department and that key controls are not performed or documented on a routine basis.

Gap Reference(s): IT.LA.01, IT.CM.01, IT.MO.01

Recommendation(s):
We recommend that Company A develop a comprehensive set of policies and procedures for IT governance. These policies and procedures should address the following areas: IT security, operations management and change management. The policies should be reviewed and approved on an annual basis and updated as necessary to reflect changes in the technology environment. The policies should contain procedures related to:
• User access, including new access requests, modification of access and removal of user access
• Designating “privileged/administrative users” and their corresponding access rights, along with the approval process
• User access reviews (including frequency), specific identification of responsible parties and the role of business unit management in determining proper access
• Password parameters – required password configurations for the network/domain, as well as applications (If applications cannot support the password requirements, exceptions should be documented.)
• Application and infrastructure change procedures, including required documentation, testing and approvals
• Backup scheduling and monitoring, including required backup schedules for critical systems
• Job scheduling and monitoring, including request/approval procedures for job scheduling modifications
• Physical access restrictions and monitoring
Additionally, we recommend that Company A adopt an IT control framework, such as COBIT or ISO, to assist in developing and implementing an ITGC framework.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –

2. Third-party control environments are not reviewed.
Significance: Minor

Company A uses a third-party provider, Company B, and the hosting services for the System B and System C applications are collocated in the same data center. The System B database is stored on the SQL01-USHYC server and the System C database is stored on the SQL02-USHYC server. Both the SQL02-USHYC and SQL01-USHYC servers are hosted by Company B in a (Insert Location)-based data center. Company B issues an SSAE 16/SOC 1 report. To date, Company A has not obtained or reviewed Company B’s SOC 1 report to identify any control issues that may impact Company A’s IT security and data center operations. Issues identified within Company B’s SOC 1 report could require Company A to design and implement compensating controls to mitigate the identified risks, or could affect Company A’s ongoing reliance on Company B for hosting services.

Gap Reference(s): IT.MO.03

Recommendation(s):
Internal audit suggests that management obtain and review the SSAE 16 (SOC 1) results for all key IT third-party providers annually to confirm the adequacy of the service provider's control environment. As part of this process, management should determine whether all relevant user control considerations are designed and operating effectively. Evidence of this review should be documented and retained.
For smaller third-party providers that do not issue an SSAE 16 (SOC 1) report, internal audit suggests that Company A management meet with management of the IT third-party provider to understand what controls they have in place. Company A management should determine whether they are comfortable with the controls in place at the IT third-party provider and document their findings.
Internal audit also recommends that this process be incorporated into the broader vendor/third-party management efforts and policies.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –

B. Logical Access

3. Inadequate password controls.
Significance: Moderate

System B authenticates users via single sign-on, so its password requirements are those of Windows Active Directory. Active Directory password and lockout policies are set in accordance with best practices, and passwords are set to expire every 90 days. However, some user accounts have their passwords configured to override the AD password policy, so password expiration is not enforced for several system and user accounts. We identified 18 Active Directory user accounts that are currently set to not require password expiration. Fourteen of these users have not changed their passwords in a year or longer, including some members of Company A’s senior management team. Inconsistent enforcement of required password changes increases the risk of password information being stolen and/or hacked, which could lead to sensitive and proprietary company and customer information being stolen or manipulated.

Gap Reference(s): IT.LA.02

Recommendation(s):
Internal audit suggests that management systematically enforce password expiration for all Active Directory user accounts to ensure that passwords are changed every 90 days.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –

4. Internal controls related to requesting logical access to System B and System C are poor.
Significance: Major

Internal audit observed several procedures for provisioning access to the network, applications and supporting databases that do not align with industry best practices. Specifically:
• User access requests can be made verbally over the phone.
− Verbal requests are documented by the help desk personnel receiving the request, and the requester is not required to submit a ticket.
• Access requests that are submitted by a manager do not require a separate approval from the user's supervisor.
− If a manager requests access for themselves, additional approval is not required.
• Requests submitted by personnel other than the user's manager/supervisor (e.g., human resources) do not require additional manager approval.
• Requests for administrator-level access to the domain and databases are made verbally, and approval is not required to receive this access.
• Existing roles are not removed when a user transfers roles within the organization, potentially creating segregation of duties (SOD) conflicts.
The lack of adequately designed controls related to requesting logical access increases the risk of unauthorized use, disclosure, modification, damage or loss of data within critical systems.

Gap Reference(s): IT.LA.03, IT.LA.04, IT.LA.05, IT.LA.06, IT.LA.07

Recommendation(s):
Internal audit suggests that management formalize procedures for provisioning access to the network, applications and supporting databases. IT help desk personnel should be trained to no longer accept verbal access requests, including administrator-level access requests. Access requests should be approved by either the manager/supervisor of the user or the business application owner before access is granted. As noted during the SOD audit performed by internal audit earlier in (Insert Year), role-based security access will be implemented for the System B and System C applications. Once role-based security access is implemented for the applications, an approval matrix should be defined to assign authorized approvers to specific application roles. When a user requires access to a role, the role approver would approve the access request. Additionally, internal audit suggests that management implement a process to review and remove access that may create SOD conflicts.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –

5. Periodic reviews of user access do not exist.
Significance: Major

Company A does not currently have a formal and documented process to review user access, including administrator access, to the network, System B, System C and supporting databases. This increases the risk of unauthorized access to critical Company A systems by both current and terminated employees. Implementation of the new role-based security structure should manage the risk of unauthorized/inappropriate access by current Company A employees.

Gap Reference(s): IT.LA.08, IT.LA.09

Recommendation(s):
Internal audit suggests that management implement an annual review of user access, including administrator access, to the network, in-scope applications and supporting databases. This analysis should also include a review of terminated employees’ and contractors’ access to Company A systems. Additionally, users and user roles should be reviewed to determine whether all access is appropriate based on job responsibilities. Company A is currently designing and implementing a companywide role-based security structure. The final quality assurance (QA) of this new design should include a review to ensure that administrator access is appropriately limited to a small number of individuals and that the administrator role limits the ability of these users to perform other incompatible duties.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –
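The following is an added example, not part of this report, of the access review described in observations 3 and 5: it takes an exported list of Active Directory user attributes and reports accounts exempt from password expiration, passwords older than the 90-day policy or a year, enabled accounts with no matching HR record (leavers and contractors), and admin-group membership for review. The record fields, the HR roster, the service-account list, the admin group names and the review date are all constructed assumptions; in practice the export would come from Get-ADUser with the PasswordNeverExpires and PasswordLastSet properties.

```python
"""User-access review over a constructed AD export (added example, not report code)."""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90    # policy stated in the report: passwords expire every 90 days
STALE_PASSWORD_DAYS = 365     # the report flagged passwords unchanged for a year or longer
ADMIN_GROUPS = {"Domain Admins", "SQL Admins"}   # assumed privileged groups
SERVICE_ACCOUNTS = {"svc_backup"}                # non-person accounts, reviewed separately (assumed)
AS_OF = date(2024, 6, 30)                        # constructed review date

# Constructed stand-in for an AD export: sAMAccountName, Enabled, PasswordNeverExpires,
# PasswordLastSet and group memberships.
SAMPLE_USERS = [
    {"sam": "jdoe",        "enabled": True,  "never_expires": False, "pwd_last_set": date(2024, 5, 1),  "groups": ["Domain Users"]},
    {"sam": "ceo",         "enabled": True,  "never_expires": True,  "pwd_last_set": date(2022, 1, 15), "groups": ["Domain Users"]},
    {"sam": "svc_backup",  "enabled": True,  "never_expires": True,  "pwd_last_set": date(2024, 3, 1),  "groups": ["Domain Users"]},
    {"sam": "bsmith",      "enabled": True,  "never_expires": False, "pwd_last_set": date(2023, 11, 1), "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "former01",    "enabled": True,  "never_expires": False, "pwd_last_set": date(2024, 2, 2),  "groups": ["Domain Users", "SQL Admins"]},
    {"sam": "former02",    "enabled": False, "never_expires": False, "pwd_last_set": date(2023, 6, 1),  "groups": ["Domain Users"]},
    {"sam": "contractor7", "enabled": True,  "never_expires": False, "pwd_last_set": date(2024, 6, 1),  "groups": ["Domain Users"]},
]
# Constructed HR roster of current employees; former01 and contractor7 are not on it.
HR_ROSTER = {"jdoe", "ceo", "bsmith"}


def password_age_days(user, as_of=AS_OF):
    """Days since the password was last set."""
    return (as_of - user["pwd_last_set"]).days


def password_exceptions(users, as_of=AS_OF):
    """Enabled accounts that are exempt from expiry or whose password is older than policy.

    An exempt account is reported even if its password is fresh: the control failure
    is the override itself, not only the current age.
    """
    findings = []
    for u in users:
        if not u["enabled"]:
            continue
        age = password_age_days(u, as_of)
        if u["never_expires"] or age > MAX_PASSWORD_AGE_DAYS:
            findings.append({"sam": u["sam"], "age_days": age,
                             "exempt": u["never_expires"],
                             "stale_over_year": age >= STALE_PASSWORD_DAYS})
    return findings


def orphaned_accounts(users, roster):
    """Enabled person accounts with no active HR record: terminated staff or contractors."""
    return sorted(u["sam"] for u in users
                  if u["enabled"] and u["sam"] not in roster
                  and u["sam"] not in SERVICE_ACCOUNTS)


def privileged_members(users):
    """(account, group) pairs for enabled members of admin groups, for the admin review."""
    return sorted((u["sam"], g) for u in users if u["enabled"]
                  for g in u["groups"] if g in ADMIN_GROUPS)


def access_review(users, roster, as_of=AS_OF):
    """Assemble the review output the observations above call for."""
    pw = password_exceptions(users, as_of)
    return {
        "exempt_from_expiry": sorted(f["sam"] for f in pw if f["exempt"]),
        "stale_over_year": sorted(f["sam"] for f in pw if f["stale_over_year"]),
        "over_max_age": sorted(f["sam"] for f in pw if f["age_days"] > MAX_PASSWORD_AGE_DAYS),
        "orphaned": orphaned_accounts(users, roster),
        "privileged": privileged_members(users),
    }


if __name__ == "__main__":
    for section, items in access_review(SAMPLE_USERS, HR_ROSTER).items():
        print(f"{section}: {items}")
```

On the sample data the orphaned account former01 also appears in the privileged list, which is the combination (terminated user with admin rights) the annual review is meant to catch.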

C. Manage Operations

6. Internal controls related to physical access are poor.
Significance: Moderate

Company B data center access is controlled by badge access. Physical access to the data center is managed and granted through the Company B portal, and administrative users within the Company B portal have the ability to grant personnel physical access to the data center. Personnel, including vendors, that require access to the data center are not required to submit a request or obtain approval for access. Additionally, a review of physical access to the data centers/server rooms housing in-scope applications and supporting databases is not performed by IT management.
Physical access to the server room is controlled by a physical key. Copies of the physical key are not tracked to identify whether a terminated employee still possesses access to the server room. Additionally, during work hours, the suite where the server room is located is unlocked. The rear suite door is always locked and access is restricted.
Poor internal controls related to physical access increase the risk of inappropriate or unauthorized access to the organization's computer facilities and information system (IS) assets, which could compromise processing capabilities and system availability. Additionally, access to the data center and servers hosting critical financial applications may not be adequately restricted.

Gap Reference(s): IT.MO.06, IT.MO.07, IT.MO.08

Recommendation(s):
Internal audit suggests that management implement formal procedures for provisioning access to the Company B data center. All access requests should be documented and approved before personnel or vendors gain access to the data center. A review of administrative portal access should be performed by management on an annual basis to validate that the users with the ability to provision physical access to the data center are appropriate.
Internal audit suggests that management implement badge access to the server room or transfer the servers to a secure area. If neither of these options is feasible, access to the server room should be tracked to determine whether access is appropriate for all personnel who possess copies of the key. Because access to the server room has not been monitored, management should change the lock, redistribute keys for the server room and then begin tracking.

7. Controls over changes to scheduled jobs are lacking.
Significance: Moderate

Scheduled jobs are managed through a custom tool, the Company A job scheduler. Anyone with access to the executable files can run the tool; however, the directory containing the executable file is limited to members of the development and infrastructure teams, which management determined to be appropriate. Changes to these scheduled jobs do not follow a formal change process in which changes to the job schedules are documented and approved before the change is completed. Additionally, there are no secondary controls in place to monitor and detect unauthorized changes to scheduled jobs. Failure to follow a formal change process for scheduled jobs, or to monitor changes to scheduled jobs, increases the risk of batch processing not being performed in a timely manner or not being performed correctly, which could impact the data integrity, reliability and availability of critical data.

Gap Reference(s): IT.MO.04, IT.MO.05

Recommendation(s):
Internal audit suggests that management implement a formal procedure for scheduled job changes, including a documented request through a ticket and documented approvals before the change is implemented. In lieu of such procedures, management should implement a monitoring control to review changes to the job schedules for appropriateness.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –
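An added example, not part of this report, of the monitoring control recommended above: a baseline snapshot of scheduled-job definitions is compared with the current definitions, every added, removed or modified job is reconciled against approved change tickets, and anything without a ticket is reported. The job definitions, the ticket records and the field names are constructed assumptions; the report does not describe the job scheduler's storage format.

```python
"""Detective control for scheduled-job changes (added example, not report code)."""
import hashlib
import json

# Constructed baseline taken at the last approved state of the job scheduler.
BASELINE = {
    "nightly_ar_batch": {"schedule": "0 2 * * *",  "command": r"C:\jobs\ar_batch.exe", "owner": "finance"},
    "hourly_sync":      {"schedule": "0 * * * *",  "command": r"C:\jobs\sync.exe",     "owner": "infra"},
    "weekly_purge":     {"schedule": "0 3 * * 0",  "command": r"C:\jobs\purge.exe",    "owner": "infra"},
}
# Constructed current state: one ticketed addition, one silent command edit, one silent removal.
CURRENT = {
    "nightly_ar_batch": {"schedule": "0 2 * * *",  "command": r"C:\jobs\ar_batch.exe /skipvalidation", "owner": "finance"},
    "hourly_sync":      {"schedule": "0 * * * *",  "command": r"C:\jobs\sync.exe",     "owner": "infra"},
    "export_to_vendor": {"schedule": "30 1 * * *", "command": r"C:\jobs\export.exe",   "owner": "dev"},
}
# Constructed approved change tickets: ticket id -> job and the approved action.
APPROVED_TICKETS = {"CHG-1042": {"job": "export_to_vendor", "action": "added"}}


def fingerprint(jobs):
    """Tamper-evident digest of a job snapshot; store beside the baseline so the
    baseline itself cannot be quietly edited to match the current state."""
    canonical = json.dumps(jobs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def diff_jobs(baseline, current):
    """List every added, removed or modified job with the fields that changed."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            changes.append({"job": name, "action": "removed", "fields": []})
        elif name not in baseline:
            changes.append({"job": name, "action": "added", "fields": []})
        else:
            old, new = baseline[name], current[name]
            fields = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            if fields:
                changes.append({"job": name, "action": "modified", "fields": fields})
    return changes


def reconcile(changes, tickets):
    """Attach the matching ticket to each change; return the changes that have none."""
    for change in changes:
        change["ticket"] = next(
            (tid for tid, t in tickets.items()
             if (t["job"], t["action"]) == (change["job"], change["action"])),
            None)
    return [c for c in changes if c["ticket"] is None]


def unauthorized_job_changes(baseline, current, tickets):
    """Full monitoring pass: diff, then reconcile against approved tickets."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    return reconcile(diff_jobs(baseline, current), tickets)


if __name__ == "__main__":
    for c in unauthorized_job_changes(BASELINE, CURRENT, APPROVED_TICKETS):
        print(f"UNAUTHORIZED: {c['action']} {c['job']} fields={c['fields']}")
```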

8. Backup media storage is inadequate.
Significance: Moderate

Backup disks are stored within the (Insert Location) data center, as well as in the (Insert Location) server room. Additionally, backups are encrypted and copied to tapes, which are also stored in the (Insert Location) server room. Although backups are stored in a secure location, an inventory of tapes is not maintained, and tapes are not sent to an off-site location. This increases the risk of critical and current application data not being recoverable in the event of a business interruption.

Gap Reference(s): IT.MO.02

Recommendation(s):
Internal audit suggests that management designate the personnel responsible for keeping track of all backup tapes, and that documentation of this inventory be maintained.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –

D. Change Management

9. Internal controls related to change management are poor.
Significance: Major

Changes related to Company A infrastructure do not follow a formal change process. Documentation of change requests, testing and approval is not required before implementation of an infrastructure change.
Approval of planned application changes is provided to the project team and the IT manager before development of the change; however, planned application changes do not require a formal approval before implementation of the change. Additionally, out-of-band (emergency) changes receive only verbal approval before implementation, and this approval is not documented after the change has been implemented. This increases the risk of changes to critical systems and applications not being thoroughly and adequately tested, validated and approved before being implemented into production, potentially adversely impacting Company A’s day-to-day business or data.

Gap Reference(s): IT.CM.02, IT.CM.03, IT.CM.04

Recommendation(s):
Internal audit suggests that management develop and implement formal policies and procedures for changes to infrastructure. All infrastructure changes should require documented evidence of the change, including testing and approvals, before the implementation of the change. Planned application changes should be approved after the change has been developed and testing has occurred, and before the change is moved to production. Changes should be categorized before development to determine whether the change should follow the planned, out-of-band or SDLC procedures.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –

10. Access to develop and migrate code is inappropriate.
Significance: Critical

A fundamental element of internal control is the adequate segregation of duties within a business process. Adequate segregation of duties reduces the likelihood that errors (intentional or unintentional) will remain undetected, helps prevent unauthorized changes from being initiated or completed, and helps ensure that access to information is restricted to only those who need it. Currently there is no segregation of duties at Company A between the IT users who develop changes and those who migrate changes into the production environment for System B and System C. All 18 users who can develop changes to applications and infrastructure also have the ability to migrate these changes into production.
Additionally, access to make direct changes to the code of the custom applications, which interface with and provide data back to the System B application, is not appropriately restricted to only those users who require this type of access for their specific job responsibilities. At the time of testing, 692 users had access to make direct changes to the custom applications. Confirm that no logging or tracking is performed of any changes made to the custom applications, other than the updated release code included in the change ticket.
This increases the risk of changes not following the formal change management process, which could impact the data integrity, reliability and availability of critical data and in-scope systems.

Gap Reference(s): IT.CM.05, IT.CM.06, IT.CM.07

Recommendation(s):
Internal audit suggests that management implement segregation of duties between access to develop and access to migrate changes for the System B and System C applications. To mitigate the risk of inappropriate and/or inadequately tested changes being developed and migrated to production, management should also implement a monitoring control to review migrated changes for appropriateness. Access to custom application code should be reviewed and restricted to only those users who require access for their job responsibilities. All other users should have their access removed.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –
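An added example, not part of this report, of the three checks the recommendation above calls for: users holding the toxic develop-plus-migrate combination, users with direct custom-code access who are not on the approved list, and a review of the production migration log for migrations with no change ticket or where the migrator developed the change. The entitlement names, the approved-editor list, the ticket records and the migration log are constructed assumptions.

```python
"""Segregation-of-duties checks for develop/migrate access (added example, not report code)."""
DEVELOP, MIGRATE, EDIT_CODE = "develop", "migrate", "edit_custom_code"

# Constructed user -> entitlement mapping, standing in for an export of role/group membership.
ENTITLEMENTS = {
    "dev_ann":   {DEVELOP, EDIT_CODE},
    "dev_bob":   {DEVELOP, MIGRATE, EDIT_CODE},   # conflict: can develop and migrate
    "ops_cara":  {MIGRATE},
    "ops_dan":   {MIGRATE, DEVELOP},              # conflict
    "sales_eve": {EDIT_CODE},                     # excess: no job need for code access
}
# Constructed list of users whose job responsibilities justify direct code access.
APPROVED_CODE_EDITORS = {"dev_ann", "dev_bob"}

# Constructed change tickets: who developed each change.
TICKETS = {"CHG-201": {"developer": "dev_ann"}, "CHG-202": {"developer": "dev_bob"}}

# Constructed production migration log.
MIGRATION_LOG = [
    {"ticket": "CHG-201", "migrated_by": "ops_cara"},   # fine: developer and migrator differ
    {"ticket": "CHG-202", "migrated_by": "dev_bob"},    # migrator is the developer
    {"ticket": None,      "migrated_by": "ops_dan"},    # no change ticket at all
]

# Entitlement combinations one person must not hold at the same time.
TOXIC_COMBINATIONS = [
    (frozenset({DEVELOP, MIGRATE}), "can develop and migrate changes to production"),
]


def sod_conflicts(entitlements):
    """(user, reason) for every user holding all entitlements of a toxic combination."""
    return sorted((user, reason)
                  for user, ents in entitlements.items()
                  for combo, reason in TOXIC_COMBINATIONS
                  if combo <= ents)


def excess_code_access(entitlements, approved):
    """Users with direct custom-code access who are not on the approved list."""
    return sorted(user for user, ents in entitlements.items()
                  if EDIT_CODE in ents and user not in approved)


def review_migrations(log, tickets):
    """Flag migrations without an approved ticket, or where the migrator developed the change.

    This is the event-level check: even after entitlements are split, a migration
    performed by the change's own developer defeats the control.
    """
    flagged = []
    for entry in log:
        ticket = entry["ticket"]
        if ticket is None or ticket not in tickets:
            flagged.append((entry["migrated_by"], ticket, "no approved change ticket"))
        elif tickets[ticket]["developer"] == entry["migrated_by"]:
            flagged.append((entry["migrated_by"], ticket, "migrated own development"))
    return flagged


def sod_report(entitlements, approved, log, tickets):
    """Assemble the findings the recommendation asks management to review."""
    return {
        "conflicts": sod_conflicts(entitlements),
        "excess_code_access": excess_code_access(entitlements, approved),
        "flagged_migrations": review_migrations(log, tickets),
    }


if __name__ == "__main__":
    for section, items in sod_report(ENTITLEMENTS, APPROVED_CODE_EDITORS, MIGRATION_LOG, TICKETS).items():
        print(f"{section}: {items}")
```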

E. SDLC

11. Post-implementation reviews are lacking.
Significance: Minor

Post-implementation reviews are not performed to ensure that the system/change functions as expected and to analyze the successes and failures of the project in order to improve future SDLC projects. Not performing post-implementation reviews increases the risk that a project will not meet its objectives, deliver the planned level of benefit, or address the specific requirements as originally defined when scoping the SDLC change.

Gap Reference(s): IT.SDLC.01

Recommendation(s):
Internal audit suggests that management implement a process to perform post-implementation reviews following SDLC projects. Only large-scale system implementations, installations and data conversions should require a post-implementation review to be performed.

Agreed-Upon Action Plan –
Action Plan Owner –
Target Date –

For each finding, internal audit will identify a custodian and target date to facilitate resolution. It is management’s
responsibility to ensure that all action plans are carried out and all findings are adequately addressed.
Management will provide internal audit with a status update on or before the target date and be prepared to
support satisfaction of the action steps upon their completion.

REPORT DISTRIBUTION LIST

Report Addressed To
(Insert Name), IT/Operations and Infrastructure Manager

(Insert Name), Information Security Engineer

(Insert Name), Information Systems Manager

(Insert Name), Chief Information Officer

Report Copies To
(Insert Name), General Counsel and Chief Compliance Officer

(Insert Name), Chief Financial Officer

(Insert Name), Sales Administration – Financial Solutions Architect

APPENDIX A: PROCESS IMPROVEMENTS

Logical Access

PI.LA.01 Profiles for Active Directory, System B and System C are mirrored based on existing users, which
may result in users inadvertently being assigned excessive access. Access requests should specify
which roles are requested.

PI.LA.02 A time frame for access removal should be defined.

PI.LA.03 When access is removed due to a termination or a transfer, the help desk should document which access has been removed within the help desk ticket.

Manage Operations

PI.MO.01 Documentation related to the root cause and resolution of backup/job failures should be retained.

PI.MO.02 A formal process to test backup media on an annual basis should be implemented. Backup
restores are currently performed on an as-needed basis.
