IT Internal Control System - ICS-Matrix

This document provides an inventory of risks and controls related to an IT internal control system. It describes 5 key risks if controls are not followed: inappropriate user access, violation of segregation of duties, informal access requests, lack of unique user identification, and failure to promptly suspend user accounts. For each risk, it lists 1-2 corresponding controls that should be in place, examples of required evidence from clients, and testing procedures that can be used by auditors to validate the controls.

IT Internal Control System - ICS-Matrix

Risks Inventory

Columns of the matrix: Process / Sub-process; Risks; No.; Control description (input; activity; output including evidence that the control has been performed); Required evidence from client; Testing procedures by PwC.

Sub-process: User Authentication

Risks if the controls are not being followed:
- Inappropriate user and IT access to system resources, incl. violation of segregation of duties
- Informal or unapproved requests for access to system resources

UA.01
Control: An approved procedure must be in place for granting access to all systems / applications of the business and infrastructure IT organisation (password principle settings).
Required evidence from client: IT Access Control Policy
Testing procedures by PwC: Review whether the policy is complete and accurate and whether the client's processes are in line with the policy.

UA.02
Control: Approved role and authorisation concepts must exist and be followed. Creation and changes of roles and authorisations should be approved.
Required evidence from client:
- User and authorisation requests for employees joining or moving (within) the organisation
- Change log showing changes to user authorisations
Testing procedures by PwC:
- Approval by supervisor?
- Approval by role owner?
- Form available?
- Roles assigned as requested in the form?
- Old roles deleted in case of a move?

UA.03
Control: Approved procedures must exist and must be followed to ensure the unique identification of a user and the effectiveness of the access mechanisms.
Required evidence from client: RSPARAM (table of password settings)
Testing procedures by PwC: Reconciliation of user-defined values / system default values with the password policy of the client.

UA.04
Control: Periodic reviews should be performed, at least annually, to ensure the validity of access rights for all current users / IT personnel.
Required evidence from client: Documentation of periodic review procedures
Testing procedures by PwC:
- Timely review?
- Appropriate persons involved?
- Follow-up activities executed (e.g. removal of a user)?

UA.05
Control: Approved procedures must exist and be followed to ensure immediate action relating to suspending and closing user accounts.
Required evidence from client:
- User termination: user and authorisation requests for leavers
- Change log showing changes to user authorisations
Testing procedures by PwC:
- Form available?
- Timely deactivation of the user accounts?
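As an added example, not part of the ICS matrix and not PwC's or the client's tooling, the following Python script automates two of the testing procedures listed above: the UA.03 reconciliation of effective password parameters with the client's password policy, and the UA.05 check that leavers' accounts were deactivated in time. The export layout, the policy thresholds, the SAP-style parameter names, the user ids and the dates are all constructed sample data; a real test would read the client's RSPARAM export, HR leaver list and authorisation change log instead.

```python
"""Two access-control audit tests over constructed evidence exports (added example).

UA.03: reconcile the password parameters actually in force with the client's policy.
UA.05: check that every leaver's account was deactivated within the allowed delay.
"""
from datetime import date

# --- UA.03: effective password parameters vs. client policy -------------------------

# Constructed RSPARAM-style export: parameter, user-defined value, system default.
# An empty user-defined value means the system default is the value in force.
PARAMETER_EXPORT = [
    {"name": "login/min_password_lng", "user_value": "", "default": "6"},
    {"name": "login/password_expiration_time", "user_value": "90", "default": "0"},
    {"name": "login/fails_to_user_lock", "user_value": "10", "default": "5"},
]

# Constructed client password policy: parameter -> (check, required value).
# "min": effective value must be >= required; "max": effective value must be <= required.
PASSWORD_POLICY = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("max", 90),
    "login/fails_to_user_lock": ("max", 5),
    "login/min_password_letters": ("min", 1),   # deliberately absent from the export
}


def effective_value(row):
    """The value actually in force: the user-defined value if set, else the system default."""
    return int(row["user_value"] if row["user_value"] != "" else row["default"])


def reconcile_password_parameters(export, policy):
    """Return one finding per parameter whose effective value breaches the policy,
    plus a finding for every policy parameter that the export does not evidence."""
    findings = []
    seen = set()
    for row in export:
        name = row["name"]
        if name not in policy:
            continue            # parameter not governed by the policy: nothing to test
        seen.add(name)
        check, required = policy[name]
        value = effective_value(row)
        source = "user-defined" if row["user_value"] != "" else "system default"
        if check == "min" and value < required:
            findings.append(f"{name}: {value} ({source}) below policy minimum {required}")
        elif check == "max" and value > required:
            findings.append(f"{name}: {value} ({source}) exceeds policy maximum {required}")
    for name in policy:
        if name not in seen:
            findings.append(f"{name}: not present in export, policy cannot be evidenced")
    return findings


# --- UA.05: timely deactivation of leavers' accounts --------------------------------

# Constructed HR leaver list: user id -> last working day.
LEAVERS = {
    "JDOE": date(2023, 3, 31),
    "ASMITH": date(2023, 4, 14),
    "BLEE": date(2023, 4, 28),
}

# Constructed change-log entries: (user id, action, date of the change).
CHANGE_LOG = [
    ("JDOE", "LOCK", date(2023, 4, 1)),
    ("ASMITH", "ROLE_CHANGE", date(2023, 4, 10)),   # a role change is not a deactivation
    ("ASMITH", "LOCK", date(2023, 4, 28)),
    ("CWU", "LOCK", date(2023, 4, 3)),              # not a leaver: ignored by this test
]

DEACTIVATION_ACTIONS = {"LOCK", "DELETE"}


def check_leaver_deactivation(leavers, change_log, max_days=1):
    """Return (user, reason) findings for leavers never deactivated, or deactivated
    more than max_days after their last working day. Only LOCK/DELETE entries count,
    and the earliest such entry per user is the deactivation date."""
    first_deactivation = {}
    for user, action, when in change_log:
        if action in DEACTIVATION_ACTIONS:
            if user not in first_deactivation or when < first_deactivation[user]:
                first_deactivation[user] = when
    findings = []
    for user, last_day in sorted(leavers.items()):
        when = first_deactivation.get(user)
        if when is None:
            findings.append((user, "no deactivation recorded"))
            continue
        delay = (when - last_day).days
        if delay > max_days:
            findings.append((user, f"deactivated {delay} days after last working day"))
    return findings


if __name__ == "__main__":
    for finding in reconcile_password_parameters(PARAMETER_EXPORT, PASSWORD_POLICY):
        print("UA.03:", finding)
    for user, reason in check_leaver_deactivation(LEAVERS, CHANGE_LOG):
        print("UA.05:", user, reason)
```

Both checks treat the absence of evidence as a finding rather than as a pass: a policy parameter missing from the export, or a leaver with no lock or delete entry in the change log, cannot be evidenced and therefore cannot be counted as an effective control.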
