
AUDIT PROGRAM FOR ITGC ENVIRONMENT

CONTENTS

1 INTRODUCTION............................................................................................................ 2
2 AUDITING IN AN IT ENVIRONMENT...............................................................................3
3 IT AUDIT APPROACH..................................................................................................... 6
3.1 PLANNING PHASE.............................................................................................................................................7
Step 1. Obtain background information..........................................................................7
Step 2. Identify IT systems of relevance to financial management.................................7
Step 3. Assess the complexity of the IT systems..............................................................7
Step 4. Preliminary risk assessment................................................................................8
3.2 EXECUTION PHASE...........................................................................................................................................9
Step 5. Review of general controls................................................................................10
Step 6. Review of application controls...........................................................................12
3.3 REPORTING PHASE........................................................................................................................................12
Step 7. Document findings............................................................................................13
Step 8. Overall assessment............................................................................................13
4 RELATED PROCEDURES...............................................................................................14
5 ANNEXES.................................................................................................................... 15
5.1 CHECKLIST FOR GENERAL CONTROLS............................................................................................................15
5.2 LIST OF APPLICATION CONTROLS..................................................................................................................31
5.3 IT AUDIT GLOSSARY.....................................................................................................................................38

LRWC ITGC - 2022


1 INTRODUCTION

Information technology

1. The resources used in information technology (IT) are infrastructure, applications, information and people. An IT system designed for use in financial and management reporting will have procedures and databases for initiating, recording, processing and reporting transactions (as well as events and conditions) and maintaining accountability for the corresponding assets, liabilities and equity.

2. Increasingly, the use of IT systems is having an impact on audit. The risks associated with IT must be taken into account when evaluating the reliability of accounts, the legality and regularity of underlying transactions and the effectiveness of internal control systems.

Scope of this ITGC Audit

3. The methodology for auditing in an IT environment varies according to whether the objective is a financial, performance or IT audit. For illustrative purposes, this guideline focuses on the audit of the IT General Control environment in accordance with Control Objectives for Information and Related Technologies (COBIT), which provides the general framework for the assessment and is augmented as necessary with applicable regulations, legislation, standards, policies, agreements, and related guidance.

4. Section 2 of the guideline presents the risks introduced by computerized information systems and the interconnections between financial audit and the IT environment.

5. Section 3 provides step-by-step guidance for ITGC audit work. It defines eight steps, broken down into planning, execution and reporting phases.

6. Lastly, Section 4 addresses the related procedures arising in the overall context of the LRWC’s ITGC audit work.

7. The guideline concludes with annexes: a "Checklist for IT General Controls" and a "List of application controls" to help auditors perform IT audit tasks, and an “IT audit glossary”.

LRWC ITGC – 2022 IAD Guideline for Audit of IT p2
2 AUDITING IN AN IT ENVIRONMENT

IT risks and controls in the internal control framework

8. Most financial transactions and statements are now processed or produced using IT systems. The procedures for initiating, recording, processing and reporting transactions and recording the corresponding assets and liabilities are usually implemented within IT systems. Given, therefore, that financial data are now predominantly electronic data, financial and administrative controls are also increasingly electronic in nature.

9. The storage and processing of information in IT systems introduces new risks and possible control weaknesses, owing mostly to the ease with which data and the IT systems themselves can be modified.

10. IT systems are one of the five components of the internal control framework,
and key IT controls should be in place to mitigate the IT-related risks and thus
ensure the confidentiality, availability and integrity of data and the efficiency and
effectiveness of business processes. The following table gives examples of risks
and their IT sources:

Risk | IT-related risk source
Individual errors become systematic | Automation replacing manual operations
Failure to identify the performer of the transaction | Electronic transactions not logged
Unauthorised access and changes to data | Electronic data not properly secured
Loss (destruction) of data | Electronic data not protected (backups and archiving)
Disclosure of confidential information | Electronic data not properly secured
Control weaknesses undetected | IT risks and controls not (adequately) considered in audit

Table 1: Risks with an IT origin

11. The use of IT systems in business processes changes the nature of audit
evidence, the audit trail and the internal control environment. It also creates new
vulnerabilities to irregularities and fraud, and new audit procedures are therefore
necessary in order to deal with these challenges.

12. Where accounting or other information systems are computerized, the auditor determines whether internal controls are functioning properly to ensure the integrity, reliability and completeness of the data.

Audit objectives

13. The audit of controls on IT systems should have specific objectives, including verification of the accounts or other data produced by the system (e.g. data extracted for sampling purposes). The evaluation of internal controls should vary according to the type of audit and the degree of reliance the auditor wishes to place on them.

Reliability of data

14. When IT systems data are an important part of the audit and data reliability is crucial to accomplishing the audit objective, auditors need to satisfy themselves that the data are reliable and relevant.

15. Data produced, stored or provided to the auditor by means of IT should not be
treated as reliable until the auditor has convincing evidence that this is so. The
components of reliability are accuracy, completeness and validity.
The quality of the data received from the auditee may significantly influence
whether or not the audit objectives are achieved.

16. Evidence for the reliability of the computerized data provided by an auditee
may come, depending on the nature of the data, from assurance that internal
controls on IT are functioning securely and correctly, from cross-checking of
the data (e.g. by reconciling them with data from other sources), or from a
combination of the two.

17. The absence of appropriate IT controls may give rise to conditions and events
indicating a risk of material misstatement. This in turn would influence the
nature, timing and extent of subsequent IT-related audit
procedures.

Use of IT audit in financial audit

18. The objectives of IT audit in the context of a financial audit include:
a) Understanding the overall impact of IT on key business processes;
b) Assessing management controls on IT processes;
c) Understanding how the use of IT for processing, storing and communicating information affects internal control systems, inherent risk and control risk;
d) Evaluating the effectiveness of controls on IT processes which affect the processing of information.

Use of IT audit in performance audit

19. IT audit may be used in the context of a performance audit when:
a) The audit focuses on the performance of IT systems;
b) The audit examines the efficiency and effectiveness of a business process and/or programme where IT is a critical tool for the organization managing these processes or programmes;
c) Data reliability is to be assessed.

Typical IT audit work in LRWC

20. IT audit work in LRWC occurs mainly in the context of:
a) Financial audits: reviewing key general controls and related application controls on information systems;
b) Compliance audits: reviewing whether IT controls comply with rules and regulations, usually the DPA of 2012, PAGCOR and AMLA;
c) Specific IT audits: when the main audit objective is linked to the effectiveness and efficiency of IT.

3 IT AUDIT APPROACH

IT audit tasks

21. The following IT audit tasks are necessary so that audits can be planned and implemented fully in accordance with the Control Objectives for Information and Related Technologies (COBIT).

22. IT audit work consists of the following steps (the original flowchart names the supporting annex beside each phase):

PLANNING
1. Obtain background information
2. Identify IT systems of relevance to financial management
3. Assess complexity of IT systems
4. Preliminary risk assessment
Supporting annex: checklist for general controls

EXECUTION
5. Review of general controls
Supporting annex: refined checklist for general controls
Are general controls effective? YES: continue with step 6. NO: go directly to reporting.
6. Review of application controls
Supporting annex: list of application controls

REPORTING
7. Document findings
8. Overall assessment

3.1 Planning phase

23. The objective of the planning phase is to identify risks that are relevant to the audit goals and determine which controls will be assessed during the execution phase:
a) General controls (as for the IT control environment);
b) Application controls (in IT applications of relevance to financial management).

Step 1. Obtain background information

24. During the planning phase it is important for the auditor to obtain an understanding of the auditee's IT systems, an inventory of the auditee’s IT systems and resources (IT budget and staffing, IT organization, software and hardware) and a statement of the concerns arising from previous internal or external audits of IT systems.

Step 2. Identify IT systems of relevance to financial management

25. IT systems for accounting and financial reporting comprise procedures and databases for initiating, recording, processing and reporting transactions and recording the auditee's corresponding assets and liabilities.

26. The auditor must identify which IT applications are important in the context of financial reporting and business management and obtain sufficient information and understanding in their regard.

27. In order to facilitate the evaluation of risks and the planning of IT audit
tasks, the auditor should document:
a) which IT applications feed into the financial statements;
b) which transactions are processed through these IT applications;
c) which areas of accounts (such as administrative expenditure) are
covered by these IT applications.

Step 3. Assess the complexity of the IT systems

28. The purpose of assessing the complexity of IT systems is to:
a) Identify risks - complex systems are more risky than simple ones;
b) Decide whether there is a need for external assistance. In principle, auditors are competent to carry out IT audit tasks in relation to simple systems, with the IT audit team providing support in the audit of more complex systems.

29. The following factors will influence this assessment:
a) Hardware and network complexity;
b) IT applications and data entry methods;
c) IT organization;
d) The presence of systems under development or recently subject to change;
e) The sensitivity of the processed data;
f) Any specific difficulties affecting the audit trail;
g) The auditor’s technical knowledge and skills.

Step 4. Preliminary risk assessment

30. Using all the information obtained in the previous steps, the auditor will then make a preliminary risk assessment.

31. Just as in the more general audit context, internal control in IT comprises two elements:
a) the internal control environment, i.e. the overall attitude, awareness and actions of management;
b) internal control procedures, i.e. procedures complementary to the control environment which contribute to the entity’s achievement of its objectives.

32. Please note that the overall assessment of control risk should not be better than the assessment of the internal control environment, since even excellent control procedures can be undermined by a poor control environment.

Identifying the risk of material misstatement

33. The auditor should be aware of conditions or events that may indicate a risk of material misstatement consequent upon the use of IT. The following is a non-exhaustive list of factors that should be considered, when performing the preliminary risk assessment, as contributing to the risk of material misstatement:
a) Changes in the IT environment;
b) Installation of significant new IT systems;
c) Insufficient controls on the transfer of data between IT systems;
d) Inconsistency between the entity’s IT and business strategies.

Output of the risk assessment

34. The auditor should:
a) Refine the checklist for general controls (see annexes), which summarizes the risks that are customarily encountered at the LRWC’s IT auditee. Such risks relate mostly to the integrity and confidentiality of data;

b) Decide whether or not to include application controls during the
execution phase.
35. Application controls on robust IT systems should be reviewed when auditing
the owner of the system rather than other users.

Planning of IT audit work

36. The results of the planning phase (steps 1-4) should be stated in the corresponding IT Audit Procedures and Engagement.

3.2 Execution phase

What are general controls?

37. General controls relate to the environment within which automated application systems are developed, maintained and operated. They are concerned with IT-related policies, procedures and working practices.

38. They are used to ensure the proper development, implementation and
maintenance of all automated applications and the integrity of data files. They
therefore minimize risks to the functioning of the organization’s IT
systems and infrastructure and specific risks to applications.

39. General controls include:

a) IT governance and management controls: These are high-level controls designed to provide a formal IT governance framework aligned with the business strategy. IT strategic planning and monitoring, IT policies and procedures, IT roles and responsibilities, the segregation of duties, IT risk, project and investment management, and legal and regulatory compliance can all be considered IT governance and management controls;

b) Data management controls ensure that data are properly stored, archived and disposed of. They also help ensure the reliable production of financial and management information;

c) Business continuity planning addresses the scenario of a computer systems breakdown and concerns the organization’s arrangements for protecting data and continuing or restarting operations in that situation;

d) Information security controls help organizations establish and maintain IT security roles, responsibilities, policies, standards and procedures. They include logical access controls aimed at ensuring that data can only be seen or altered by authorized persons, inside or outside the organization, and in accordance with data privacy requirements. Information security controls are also concerned with preventing unauthorized access to and interference with IT systems;

e) Change management controls provide assurance that systems and controls continue to function as designed;

f) Outsourcing controls: Given that more and more organizations now prefer to outsource IT services, it has become crucial to manage service-level agreements. Depending on the scope of outsourcing, inappropriate management could be detrimental to the IT areas subject to control.

Step 5. Review of general controls

40. The most important criterion for the information when reviewing general controls in financial audit is integrity (reliability), which relates to audit assurance that the information is valid, accurate and complete. In a performance audit, the most important aspects may be efficiency and effectiveness.

41. The effectiveness of IT controls will depend on the strength of the general
controls. If the auditor concludes that the general controls are effective, he should
then assess the effectiveness of application controls. However, ineffective general
controls will render application controls ineffective (or severely limit their
effectiveness) since they act as a foundation on which specific application controls
are built. Application controls are to be considered ineffective when, for instance,
the necessary logical or physical access controls are not functioning adequately.

42. A full audit of general controls can require substantial technical resources. However, adequate assurance can usually be obtained from a more limited examination in the light of the risk assessment performed during the planning phase, and by drawing on other sources of information.

43. The checklist for general controls (see annexes) provides guidance for
reviewing general controls through a set of close-ended questions that are mainly
concerned with the most significant control objectives in relation to data
reliability and the IT control environment. The checklist will help auditors check
the main IT control objectives, which are based on the COBIT framework in
reference to the related information criteria.

44. Auditors should conduct their examination using the refined checklist for
general controls that was obtained at the end of the planning phase (see
paragraph 34).

45. If the auditor concludes that the general controls are not functioning effectively,
the application controls will generally also be ineffective. The auditor should
review the application controls only if the general controls are effective (see
paragraph 41).

What are application controls?

46. Application controls, which may be manual (performed by users) or automated (performed by computer software), are procedures that apply to the processing of transactions by individual applications and are designed to ensure the integrity and confidentiality of data.

47. Application controls relate to procedures that are used to initiate, record,
process or report transactions or other financial data. They help ensure that
transactions were duly authorized and completely and accurately recorded and
processed.

48. The main objectives of application controls are:
a) Completeness – the application processes all transactions, and the resulting information is complete;
b) Accuracy – all transactions are processed accurately and as intended, and the resulting information is accurate;
c) Validity – only valid transactions are processed, and the resulting information is valid;
d) Authorisation – only duly authorized transactions are processed;
e) Segregation of duties – the application provides for and supports appropriate segregation of duties and responsibilities as defined by management.

49. These objectives are targeted using six main types of application control
(COBIT):
a) System documentation controls;
b) Input controls;
c) Processing controls;
d) Output controls;
e) Data transmission controls;
f) Standing data and master file controls.

Step 6. Review of application controls

50. Application controls on systems should be audited in accordance with the risk assessment performed during the planning phase, focusing on systems which have a direct impact on financial data and are more material to the audit objective. For instance, compared with an accounting application, a document management system may have only an indirect impact on financial data.

Manual and automated application controls

51. Automated application controls which are embedded in an application reduce the risk of human error or manipulation of information and are therefore more reliable than manual controls. Once properly established, automated application controls are reliable until the next change to the program takes place. Efficient general controls will lead to more reliance on automated rather than manual application controls.

52. Where manual application controls are in place, the auditor should assess
arrangements for user cross-checking in the form of a manual comparison of
computer-processed data with the source documents.

53. When checking application controls on the systems identified during the
planning phase, the auditor may make use of the general framework in the annexed
list of application controls.

54. In the case of robust IT systems, the auditor should identify other application
controls in accordance with the financial regulatory framework after evaluating the
complexity of the application and the related IT risks.

55. Remember that application controls on robust IT systems should be reviewed when auditing the owner of the system rather than other users.

Evidence

56. The auditor may obtain audit evidence by observation, inspection, inquiry and confirmation, reperformance, recalculation, computation, analytical procedures, or other generally accepted methods.

3.3 Reporting phase

57. Following the assessment of IT controls the findings should be documented, with a general conclusion on the effectiveness of IT controls, in accordance with LRWC’s IAD IT audit methodology.

Step 7. Document findings

58. The auditor should document each significant finding, with a statement of the regulatory framework, facts, conclusion and IT risks.

59. Auditors should explain each control weakness in relation to the IT risks. They
should also determine which areas of the accounts could be negatively affected by a
control weakness.

Step 8. Overall assessment

60. In addition to the individual findings, the auditors should reach an overall conclusion about IT controls.

61. The assessment may lead to three possible conclusions in the context of the financial audit:
a) IT controls functioned effectively, consistently and continuously during the period under review;
b) weaknesses are noted in the effectiveness and continuity of IT controls, but the overall system is considered reliable;
c) IT controls are unreliable, i.e. they did not function as expected and/or they did not function continuously during the period under review and/or they could not be tested.

Documentation

62. In the same way as any other audit work, IT audit should be executed, documented, supervised, and subject to quality control in accordance with the LRWC’s IAD IT audit methodology.

4 RELATED PROCEDURES

Need for technical resources

63. The auditor must consider whether the cost of obtaining audit evidence is reasonable. As already stated, adequate assurance can often be obtained from a more limited examination of general controls and by drawing upon other sources of information.

64. The audit of application controls is not necessarily highly technical. Many
applications are designed to give definite assurance to management that data and
processing are in order, without the need for IT experts. In such cases, the checks
and procedures (including manual procedures) routinely carried out by regular
users may give satisfactory assurance that data and output are reliable. This level
of assurance will also be adequate for auditors – except in the case of specific IT
audits.

Need for further technical expertise

65. When technical expertise is necessary for specific IT audit testing tasks (network performance, penetration tests, security issues, user rights, change management, technical documentation, etc.) and the necessary skills and resources are not available in-house, external expertise should be organized to collect the required audit evidence. This assistance should be planned at the preliminary stage of the audit.

5 ANNEXES

5.1 Checklist for general controls

It is necessary to assess the IT general control environment as a basis for deciding how much audit reliance to place on data produced by computerized IT systems. Weaknesses
in the IT general control environment have a pervasive impact on all applications and data maintained in that environment.
The following checklist is a set of close-ended questions for use in a limited review of the IT general control environment at the audited entity. It will help auditors check the
main IT general control objectives, which are based on the COBIT framework in reference to the related information criteria, in the following areas:

A. IT governance and management
B. Data management
C. Business continuity planning
D. Information security
E. Change management
F. Outsourcing of IT infrastructure

Activity/entity audited:
Period/financial year audited:
Number of IT staff:
Document prepared by (name[s]): Date:
Document reviewed by (name[s]): Date:

A. IT GOVERNANCE AND MANAGEMENT CONTROLS

Checklist columns: Control objectives | COBIT ref. | Tests of controls | Evaluation | Documents required. The Evaluation column is blank in the template and is shown below only where the source fills it in.

1. Control objective: IT strategy is aligned with and supports the overall business strategy.
COBIT ref.: PO1.4, PO1.5
Related information criteria: Effectiveness
Tests of controls:
1. Is there a multiannual IT strategy or IT plan (3-5 years) that is formally approved at an appropriate level?
2. Does the IT strategy have adequate and relevant objectives, budget and performance indicators?
3. Are there IT annual work programmes in line with the IT strategy?
Documents required:
- IT strategy or IT plan
- IT annual work programmes

2. Control objective: Make effective and efficient IT investments and set and track IT budgets in line with IT strategy and investment decisions.
COBIT ref.: PO5.3, PO5.4, DS6.3
Related information criteria: Effectiveness and efficiency
Tests of controls:
1. Is IT expenditure planned, managed and monitored within an annual budget which is aligned with the IT strategy and detailed enough to reflect the organization’s priorities?
Documents required:
- IT annual budget (separate or a section of the general budget of the organization)
- Any documents for follow-up of IT annual budget


3. Control objective: Provide accurate, understandable and approved policies, procedures and guidelines, embedded in an IT control framework.
COBIT ref.: PO6.3, PO6.4, PO6.5
Related information criteria: Effectiveness
Tests of controls:
1. Are there written and formally approved policies and/or procedures covering most key aspects of IT management:
a. Data management and classification?
b. Business continuity?
c. Information security?
d. Risks and controls?
e. Change management?
Documents required:
- Policies, procedures, guidelines and manuals


4. Control objective: Establish transparent, flexible and responsive IT organizational structures and define and implement IT processes equipped with owners, roles and responsibilities.
COBIT ref.: PO4.1, PO4.3, PO4.4, PO4.5, PO4.6, PO4.8, PO4.11, PO7.1, PO7.4, PO7.8, ME3.1
Related information criteria: Effectiveness and efficiency
Tests of controls:
1. Is the IT department appropriately placed within the organization, given the organization’s size and mission?
2. Is there an IT steering committee composed of executive, business and IT management and charged with ensuring business alignment (with supervision of IT plans and policies) and monitoring IT services and projects?
3. Are IT processes and IT-specific roles and responsibilities properly defined, exercised and monitored?
4. Has an information security officer been appointed?
5. Are there policies and procedures for managing staff recruitment and job termination?
6. Are the following roles segregated:
a. Security: information security officer – system owner – security administrator?
b. Changes: development – testing – quality assurance – production?
Documents required:
- IT process framework, documented roles and responsibilities
- IT job descriptions
- IT human resources policy and procedures
- Decision or other document relating to the establishment of an IT steering committee
- Sample minutes of IT steering committee meetings


5. Control objective: Identify, prioritize, contain or accept relevant risks arising in the IT area and associated functions.
COBIT ref.: PO9.1, PO9.2, PO9.3, PO9.4, PO9.5
Related information criteria: Confidentiality, integrity and availability
Tests of controls:
   1. Are IT risks managed in accordance with the organization's risk management framework?
   2. Is there an IT-specific risk management framework?
   3. Are IT risks defined and monitored regularly in an IT risk record (separately or within the organization's general risk record)?
Documents required:
   - Risk management framework and/or policy
   - IT risk record/map

6. Control objective: Identify, implement and monitor an internal control process for IT-related activities.
COBIT ref.: ME2.1, ME2.2, ME2.7, ME3.1
Related information criteria: Effectiveness and efficiency
Tests of controls:
   1. Has a set of IT controls aligned with the organization's internal control framework been established?
   2. Has a set of IT controls designed to mitigate IT risks been identified?
   3. Is there regular monitoring of and reporting on the effectiveness of IT controls?
   4. Does the organization of IT conform to the applicable rules and regulations in areas such as data protection and intellectual property rights?
   5. Have any internal or external audit reports been produced on IT topics?
Documents required:
   - Documentation of internal IT controls or the organization's internal control standards
   - Audit reports in the field of IT (last 3 years)

7. Control objective: Define a programme and project management approach that is applicable to all IT projects, enables stakeholder participation and monitors project risks and progress.
COBIT ref.: PO10.2, PO10.3, AI2.2, AI4.3, AI4.4
Related information criteria: Effectiveness and efficiency
Tests of controls:
   1. Is there an IT project management methodology?
   2. Are IT projects managed in line with the project management methodology?
   3. Are new IT systems developed in line with a software development methodology?
Documents required:
   - Project management guideline/documentation
   - Software development methodology

8. Control objective: Monitor and report process metrics and identify and implement performance improvement actions.
COBIT ref.: ME.1.1, ME.1.4, ME.1.5, ME.4.1, ME.4.2
References to regulatory framework: IR Art. 22a(1)(e); ICS9 and ICS15
Related information criteria: Effectiveness and efficiency
Tests of controls:
   1. Are senior management (or the steering committee) given regular progress reports on the overall contribution made by IT to the business so that they can monitor the extent to which the planned objectives have been achieved, budgeted resources have been used, performance targets have been met and identified risks have been mitigated?
Documents required:
   - Regular progress reports

B. DATA MANAGEMENT CONTROLS

Control objectives | COBIT ref. | Tests of controls | Evaluation | Documents required

1. Control objective: Ensure that data are properly stored, archived and disposed of.
COBIT ref.: DS11.2, DS11.4, DS11.5, DS11.6
Related information criteria: Integrity
Tests of controls:
   1. Are there policies established to store documents, data and source programmes in accordance with the organization's activities, size and mission?
   2. Do adequate policies and procedures exist for the backup of systems, applications, data and documentation:
      a. Do backup procedures provide guarantees of data recovery (with frequencies, copies, verifications, etc.) and correspond to the business continuity plan?
      b. Are all relevant data backed up (e.g. by means of audit logs, documents, spreadsheets)?
      c. Is there well-defined logical and physical security for data sources and backup copies?
      d. Has responsibility been assigned for the making and monitoring of backups?
   3. Are systems, applications, data and documentation maintained or processed by third parties adequately backed up and/or secured?
   4. Does the organization have policies to ensure the protection of sensitive data and software when data and hardware are disposed of or transferred?
   5. Are the retention periods for data in line with contractual, legal and regulatory requirements?
Documents required:
   - Data management policy
   - Backup procedures
   - Procedures for disposal of media
   - Contracts with third parties or service-level agreements (data management clauses)

2. Control objective: Establish an enterprise data model incorporating a data classification scheme to ensure the integrity and consistency of all data.
COBIT ref.: PO2.3, PO2.4, DS5.11, DS11.1
Related information criteria: Confidentiality and integrity
Tests of controls:
   1. Has a data dictionary been defined so that data redundancy/incompatibility can be identified and data elements can be shared among applications and systems?
   2. Is the data dictionary applied to existing systems, application development projects and major changes to IT applications?
   3. Are owners identified for each data element (files, folders, applications, etc.)?
   4. Are data classified by information criterion:
      a. confidentiality (public, limited, etc.);
      b. integrity (moderate, sensitive, etc.);
      c. availability (moderate, critical, etc.)?
   5. Is there a document showing the classification of each data element in accordance with the data classification scheme?
Documents required:
   - Data management policy
   - Data classification scheme
   - Assigned data classifications
   - Data dictionary

3. Control objective (non-COBIT): Ensure reliable production of financial and management information.
COBIT ref.: AC2, AC5
Related information criteria: Confidentiality and integrity
Tests of controls:
   1. Have controls been designed to ensure the reliability of computerized data, including controls over source documents?
   2. Have controls been designed to ensure the integrity and security of documents or files (such as spreadsheets) which are kept on personal computers or shared drives and are relied on by the organization in its financial workflow where:
      a. those files are used to gather financial data or make calculations and serve as a basis for manual entries in financial systems instead of source documents?
      b. the files are used for financial reporting?

C. BUSINESS CONTINUITY CONTROLS

Control objectives | COBIT ref. | Tests of controls | Evaluation | Documents required

1. Control objective: Build the capabilities to carry out day-to-day automated business activities with minimal, acceptable interruption.
COBIT ref.: DS2.5, DS4.2, DS4.3, DS4.4, DS4.5
Related information criteria: Availability and effectiveness
Tests of controls:
   1. Are there a written and formally approved business continuity plan (BCP) and disaster recovery plan (DRP)?
   2. Does the BCP cover:
      a. Business impact analysis (BIA)?
      b. All key business functions and processes?
      c. Roles, responsibilities and communication processes?
   3. Are BCP tests scheduled and completed on a regular basis?
   4. Is the BCP kept updated so that it continually reflects actual business requirements?
   5. Are all critical backup media, documentation, data and other IT resources necessary for IT recovery stored offsite?
   6. Do the BCP and DRP define recovery point objectives (RPOs) and recovery time objectives (RTOs)?
   7. Are backup policies defined in accordance with RPOs and RTOs?
Documents required:
   - BCP and DRP
   - Test reports

NB: in the absence of a suitable BCP the audited entity should be advised of the risk without delay.

D. INFORMATION SECURITY CONTROLS

Control objectives | COBIT ref. | Tests of controls | Evaluation | Documents required

1. Control objective: Establish and maintain IT security roles, responsibilities, policies, standards and procedures.
COBIT ref.: PO6.3, DS5.1, DS5.2
Related information criteria: Confidentiality, integrity and effectiveness
Tests of controls:
   1. Has an IT security policy and/or plan been drawn up and approved at the appropriate level?
   2. Does the IT security plan include/cover the following:
      a. A complete set of security policies and standards in line with the established IT security policy framework?
      b. Procedures for implementing and enforcing those policies and standards?
      c. Roles and responsibilities?
      d. Staffing requirements?
      e. Security awareness and training?
      f. Enforcement procedures?
      g. Investment in the necessary security resources?
Documents required:
   - IT security policy and/or plan
   - Relevant security policies and procedures

2. Control objective: Implement procedures for controlling access based on the individual's need to view, add, change or delete data.
COBIT ref.: DS5.3, DS5.4
Related information criteria: Confidentiality and integrity
Tests of controls:
   1. Are there procedures for defining access rights (view/add/change/delete) to financial/operational systems and data/documents?
Documents required:
   - User access rights policy/user management policy
   - Access control lists (for financial/operational systems and data)

3. Control objective: Ensure that all users (internal, external and temporary) and their activity on IT systems are uniquely identifiable.
COBIT ref.: DS5.3, AC6
Related information criteria: Confidentiality and integrity
Tests of controls:
   1. Are there authentication and authorisation mechanisms, such as passwords, tokens or digital signatures, for enforcing access rights according to the sensitivity and criticality of information?
   2. Are IDs unique and individual and passwords known only to the persons concerned?

4. Control objective: Controls on the appropriate segregation of duties for requesting and granting access to systems and data exist and are followed.
COBIT ref.: DS5.3, DS5.4, PO4.11
Related information criteria: Confidentiality and integrity
Tests of controls:
   1. Are user access rights requested by user management, approved by system/data owners and implemented by the security administrator?
   2. Are the following roles segregated:
      a. Infrastructure: security officer – system owner – security administrator?
      b. Applications: system owner (authorisation and monitoring) – security administrator?
Documents required:
   - Access control lists (for financial systems and data)
   - Job descriptions

5. Control objective: Make sure one person (security administrator) is responsible for managing all user accounts and security tokens (passwords, cards, devices, etc.) and that appropriate emergency procedures are defined. Periodically review/confirm his/her actions and authority.
COBIT ref.: DS5.4, DS13.4
Related information criteria: Confidentiality and integrity
Tests of controls:
   1. Is there a security officer in charge of the organization's IT security who obtains his/her authority from the senior management?
   2. Is only the security officer able to manage user accounts and passwords?
   3. Are the actions of the security administrator periodically reviewed, attention being given to the segregation of duties?
Documents required:
   - Job descriptions of security officer and security administrator

6. Control objective: Provide and maintain a suitable physical environment to protect IT assets from access, damage or theft.
COBIT ref.: DS12.2, DS12.3, DS12.5
Related information criteria: Confidentiality and integrity
Tests of controls:
   1. Has a policy been defined, and is it implemented, concerning the physical security and access control measures that are to be followed to prevent fire, water damage, power outages, theft, etc. at IT premises?
   2. Is access to IT premises (IT rooms and facilities) granted, limited and revoked in accordance with physical security policies?
   3. Is there a procedure for logging and monitoring all access to IT premises (including by contractors and vendors)?
Documents required:
   - Policies relating to physical security

E. CHANGE MANAGEMENT CONTROLS

Control objectives | COBIT ref. | Tests of controls | Evaluation | Documents required

1. Control objective: Control the impact assessment, authorisation and implementation of all changes to IT infrastructure, applications and technical solutions; minimize errors due to incomplete request specifications; and halt implementation of unauthorized changes.
COBIT ref.: AI6.1, AI6.2, AI6.3, AI6.4, AI6.5, AI6.6
Related information criteria: Integrity, availability, effectiveness and efficiency
Tests of controls:
   1. Is there a formally approved, implemented and monitored framework/procedures for managing changes to IT applications, programs and databases?
   2. Does the change management framework include/cover:
      a. Roles and responsibilities?
      b. Change request procedures?
      c. The assessment of risks and the impacts of changes?
      d. Management authorisation for change requests?
      e. Approval by the key stakeholders, such as users and system owners, before changes move into production?
      f. Management review and approval of changes before they move into production?
      g. The classification of changes (major, minor, emergency changes, etc.)?
      h. The tracking of changes?
      i. Version control mechanisms?
      j. The definition of rollback procedures?
      k. The use of emergency change procedures?
      l. Audit trails?
   3. Are the following criteria for the segregation of duties respected in the context of program changes:
      a. Is the segregation of duties for development, testing, quality assurance and production tasks clearly established?
      b. Do program developers and testers conduct activities on "test" data only?
   4. Do end users or system operators have direct access to program source codes?
Documents required:
   - Change management framework/procedures
   - All records of a sample of changes (from change request log to move into production)

2. Control objective: Test that applications and infrastructure solutions are fit for the intended purpose and free from errors, and that adequate data conversion has occurred.
COBIT ref.: AI7.2, AI7.6
Related information criteria: Effectiveness
Tests of controls:
   1. Are all major changes tested against functional and operational requirements to ensure that original business goals are achieved?
   2. Are all major changes executed in accordance with a test plan which covers:
      a. Organizational standards, roles and responsibilities?
      b. Test preparation, including site preparation?
      c. Training requirements, if needed?
      d. Installation or update of a defined test environment?
      e. Planning/performance/documentation/retention of test cases?
      f. Error and problem handling?
      g. Correction and escalation?
      h. Formal approval?
   3. Are tests implemented on the live production system or in a test environment?
Documents required:
   - Test plans and other documents relevant to the testing of a major change to an IT application/program

F. CONTROLS ON OUTSOURCING IT INFRASTRUCTURE

Control objectives | COBIT ref. | Tests of controls | Evaluation | Documents required

1. Control objective: Identify services delivered by IT. Define, agree upon and regularly review service-level agreements, which should cover service support requirements, related costs, roles and responsibilities, etc., and be expressed in business terms.
COBIT ref.: DS1.1, AI4.1, AI5.2, DS1.3, DS1.6, DS2.4
Related information criteria: Confidentiality, integrity, efficiency and effectiveness
Tests of controls:
   1. Are there clearly-defined benefits and business objectives in support of the decision to outsource?
   2. Are management requirements and expectations clearly defined in the contract/SLA?
   3. Were the risks assessed when deciding to outsource and taken into account when specifying the necessary controls?
   4. Was the IT project carried out in accordance with existing project management standards?
   5. Does the contract/SLA clearly define security requirements:
      a. Network security?
      b. Physical security?
      c. Anti-virus protection?
      d. Logical access controls?
   6. Are the data backup requirements clearly defined?
   7. Are provisions included for business continuity procedures?
   8. Is there a clause on compliance with personal data protection regulations?
   9. Does the contract/SLA give a detailed description of the service to be provided:
      a. Hardware and software requirements?
      b. Service support (help desk, incident management, problem management)?
      c. Maintenance and change management?
      d. IT staffing needs?
   10. Does the contract/SLA include/cover the following:
      a. Formal management and legal approval?
      b. Costs, with specifications for payment (including frequency)?
      c. The principal roles and responsibilities?
      d. User/provider communications procedure and frequency?
      e. Contract duration?
      f. Problem resolution procedures?
      g. Non-performance penalties?
      h. The contract dissolution procedure?
      i. The contract modification procedure?
      j. Non-disclosure guarantees?
      k. Right to access and right to audit?
Documents required:
   - Contract(s)
   - SLA(s)

2. Control objective: Continuously monitor specified service-level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to stakeholders.
COBIT ref.: DS1.5, ME1.4, ME1.5, ME1.6
Related information criteria: Efficiency and effectiveness
Tests of controls:
   1. Does the contract/SLA define reporting procedures as regards the type, content, frequency and distribution of reports?
   2. Is a procedure in place for continuous monitoring and regular reporting on the achievement of objectives?
   3. Have formal performance criteria been established to facilitate and measure the achievement of the SLA objectives?
Documents required:
   - Monitoring report(s)

5.2 List of application controls

Note: The following is a general outline of application controls (source: “IT Assurance Guide Using COBIT”6 and “COBIT and Application Controls”7). In the case of robust IT applications,
the auditor should identify other application controls in accordance with the financial regulatory framework after evaluating the complexity of the application and the related IT risks.

A. SOURCE DATA PREPARATION AND AUTHORISATION

Control Objectives | Application control requirements

Control Objective: Ensure that source documents are prepared by authorized and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimized through good input form design. Detect errors and irregularities so they can be reported and corrected.
Related information criteria: Integrity and efficiency.
Application control requirements:
   1. Design source documents in a way that increases the accuracy with which data can be recorded, controls the workflow and facilitates subsequent reference checking. Where appropriate, include completeness controls in the design of the source documents.
   2. Create and document procedures for preparing source data entry, and ensure that they are effectively and properly communicated to appropriate and qualified personnel. These procedures should establish and communicate required authorisation levels (input, editing, authorizing, accepting and rejecting source documents). The procedures should also identify the acceptable source media for each type of transaction.
   3. Ensure that the function responsible for data entry maintains a list of authorized personnel, including their signatures.
   4. Ensure that all source documents include standard components, contain proper documentation (e.g., timeliness, predetermined input codes, default values) and are authorized by management.
   5. Automatically assign a unique and sequential identifier (e.g., index, date and time) to every transaction.
   6. Return documents that are not properly authorized or are incomplete to the submitting originators for correction, and log the fact that they have been returned. Review logs periodically to verify that corrected documents are returned by originators in a timely fashion, and to enable pattern analysis and root cause review.

B. SOURCE DATA COLLECTION AND ENTRY

Control Objectives | Application control requirements

Control Objective: Ensure that data input is performed in a timely manner by authorized and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
Related information criteria: Integrity
Application control requirements:
   1. Define and communicate criteria for timeliness, completeness and accuracy of source documents. Establish mechanisms to ensure that data input is performed in accordance with the timeliness, accuracy and completeness criteria.
   2. Use only pre-numbered source documents for critical transactions. If proper sequence is a transaction requirement, identify and correct out-of-sequence source documents. If completeness is an application requirement, identify and account for missing source documents.
   3. Define and communicate who can input, edit, authorize, accept and reject transactions, and override errors. Implement access controls and record supporting evidence to establish accountability in line with role and responsibility definitions.
   4. Define procedures to correct errors, override errors and handle out-of-balance conditions, as well as to follow up, correct, approve and resubmit source documents and transactions in a timely manner. These procedures should consider things such as error message descriptions, override mechanisms and escalation levels.
   5. Generate error messages in a timely manner as close to the point of origin as possible. The transactions should not be processed unless errors are corrected or appropriately overridden or bypassed. Errors that cannot be corrected immediately should be logged in an automated suspense log, and valid transaction processing should continue. Error logs should be reviewed and acted upon within a specified and reasonable period of time.
   6. Ensure that errors and out-of-balance reports are reviewed by appropriate personnel, followed up and corrected within a reasonable period of time, and, where necessary, incidents are raised for more senior-level attention. Automated monitoring tools should be used to identify, monitor and manage errors.
   7. Ensure that source documents are safe-stored (either by the business or by IT) for a sufficient period of time in line with legal, regulatory or business requirements.

C. ACCURACY, COMPLETENESS AND AUTHENTICITY CHECKS

Control Objectives | Application control requirements

Control Objective: Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.
Related information criteria: Integrity and efficiency.
Application control requirements:
   1. Ensure that transaction data are verified as close to the data entry point as possible and interactively during online sessions. Ensure that transaction data, whether people-generated, system-generated or interfaced inputs, are subject to a variety of controls to check for accuracy, completeness and validity. Wherever possible, do not stop transaction validation after the first error is found. Provide understandable error messages immediately to enable efficient remediation.
   2. Implement controls to ensure accuracy, completeness, validity and compliance to regulatory requirements of data input. Controls may include sequence, limit, range, validity, reasonableness, table look-ups, existence, key verification, check digit, completeness (e.g., total monetary amount, total items, total documents, hash totals), duplicate and logical relationship checks, and time edits. Validation criteria and parameters should be subject to periodic reviews and confirmation.
   3. Establish access control and role and responsibility mechanisms so that only authorized persons input, modify and authorize data.
   4. Define requirements for segregation of duties for entry, modification and authorisation of transaction data as well as for validation rules. Implement automated controls and role and responsibility requirements.
   5. Report transactions failing validation and post them to a suspense file. Report all errors in a timely fashion and do not delay processing of valid transactions.
   6. Ensure that transactions failing edit and validation routines are subject to appropriate follow-up until errors are remediated. Ensure that information on processing failures is maintained to allow for root cause analysis and help adjust procedures and automated controls.

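The following is an added example, not part of the guideline, showing how the record-level controls listed under section C (requirements 1, 2 and 5) look in code: each record is run through limit/range, table look-up, check digit, logical-relationship, sequence and duplicate checks, every failure is reported rather than only the first, and failing records go to a suspense list while valid ones continue. The Luhn (mod 10) check-digit scheme, the cost-centre table, the amount limit and the sample batch are all assumptions constructed for the example.

```python
"""Record-level input validation controls: an added example, not from the guideline.

Implements the checks named in section C requirement 2 over a constructed batch
of payment records: limit/range, table look-up (existence), check digit, logical
relationship, sequence and duplicate checks. As requirement 1 asks, validation
does not stop at the first error: every failing check on a record is reported,
and as requirement 5 asks, failing records go to a suspense list while the
valid ones continue. The Luhn (mod 10) check digit and the policy limit are
assumptions: the guideline prescribes neither.
"""
from dataclasses import dataclass, field
from datetime import date

VALID_COST_CENTRES = {"CC100", "CC200", "CC300"}   # constructed look-up table
MAX_AMOUNT = 50_000.00                              # assumed limit-check threshold


@dataclass
class Txn:
    seq: int
    account: str        # digits; the last one is a Luhn check digit (assumed scheme)
    cost_centre: str
    amount: float
    value_date: date
    entry_date: date


@dataclass
class ValidationResult:
    accepted: list = field(default_factory=list)
    suspense: list = field(default_factory=list)    # (record, [error messages])


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit verification over a digit string."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(t: Txn) -> list:
    """Run every record-level control and return all failures, not just the first."""
    errors = []
    if t.amount <= 0:
        errors.append("range: amount must be positive")
    elif t.amount > MAX_AMOUNT:
        errors.append(f"limit: amount {t.amount:.2f} exceeds {MAX_AMOUNT:.2f}")
    if t.cost_centre not in VALID_COST_CENTRES:
        errors.append(f"look-up: unknown cost centre {t.cost_centre}")
    if not luhn_valid(t.account):
        errors.append(f"check digit: account {t.account} fails mod-10 check")
    if t.value_date < t.entry_date:
        errors.append("logical relationship: value date precedes entry date")
    return errors


def validate_batch(batch: list) -> ValidationResult:
    """Batch-level controls (sequence, duplicate) on top of the record-level ones."""
    result = ValidationResult()
    seen = set()
    expected_seq = batch[0].seq if batch else 0
    for t in batch:
        errors = validate_record(t)
        if t.seq != expected_seq:
            errors.append(f"sequence: expected {expected_seq}, got {t.seq}")
        expected_seq = t.seq + 1
        key = (t.account, t.amount, t.value_date)
        if key in seen:
            errors.append("duplicate: same account, amount and value date already in batch")
        seen.add(key)
        if errors:
            result.suspense.append((t, errors))     # reported; processing continues
        else:
            result.accepted.append(t)
    return result


# Constructed batch: record 3 has a bad check digit and an unknown cost centre,
# record 4 duplicates record 2, and the last record breaks the limit, the
# value-date rule and the sequence (5 is missing).
SAMPLE_BATCH = [
    Txn(1, "79927398713", "CC100", 1200.00, date(2022, 3, 1), date(2022, 3, 1)),
    Txn(2, "79927398713", "CC200", 750.50, date(2022, 3, 2), date(2022, 3, 1)),
    Txn(3, "79927398710", "CC999", 99.00, date(2022, 3, 1), date(2022, 3, 1)),
    Txn(4, "79927398713", "CC200", 750.50, date(2022, 3, 2), date(2022, 3, 1)),
    Txn(6, "79927398713", "CC300", 60000.00, date(2022, 2, 28), date(2022, 3, 1)),
]

if __name__ == "__main__":
    r = validate_batch(SAMPLE_BATCH)
    print(f"accepted {len(r.accepted)}, posted to suspense {len(r.suspense)}")
    for t, errs in r.suspense:
        print(f"seq {t.seq}: " + "; ".join(errs))
```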
D. PROCESSING INTEGRITY AND VALIDITY

Control Objectives | Application control requirements

Control Objective: Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.
Related information criteria: Integrity, confidentiality, and availability.
Application control requirements:
   1. Establish and implement mechanisms to authorize the initiation of transaction processing and to ensure that only appropriate and authorized applications and tools are used.
   2. Routinely verify that processing is completely and accurately performed with automated controls, where appropriate. Controls may include checking for sequence and duplication errors, transaction/record counts, referential integrity checks, control and hash totals, range checks and buffer overflow.
   3. Ensure that transactions failing validation routines are reported and posted to a suspense file. Where a file contains valid and invalid transactions, ensure that the processing of valid transactions is not delayed and all errors are reported in a timely fashion. Ensure that information on processing failures is kept to allow for root cause analysis and help adjust procedures and automated controls, to ensure early detection or prevent errors.
   4. Ensure that transactions failing validation routines are subject to appropriate follow-up until errors are remediated or the transaction is cancelled.
   5. Ensure that the correct sequence of jobs has been documented and communicated to IT operations. Job output should include sufficient information regarding subsequent jobs to ensure that data are not inappropriately added, changed or lost during processing.
   6. Verify the unique and sequential identifier assigned to every transaction (e.g., index, date and time).
   7. Maintain the audit trail of transactions processed. Include date and time of input and user identification for each online or batch transaction. For sensitive data, the listing should contain before and after images and should be checked by the business owner for accuracy and authorisation of changes made.
   8. Maintain the integrity of data during unexpected interruptions in data processing with system and database utilities. Ensure that controls are in place to confirm data integrity after processing failures or after use of system or database utilities to resolve operational problems. Any changes made should be reported and approved by the business owner before they are processed.
   9. Ensure that adjustments, overrides and high-value transactions are reviewed promptly in detail for appropriateness by a supervisor who does not perform data entry.
   10. Reconcile file totals. For example, a parallel control file that records transaction counts or monetary value as data should be processed and then compared to master file data once transactions are posted. Identify, report and act upon out-of-balance conditions.

E. OUTPUT REVIEW, RECONCILIATION AND ERROR HANDLING

Control Objectives | Application control requirements

Control Objective: Establish procedures and associated responsibilities to ensure that output is handled in an authorized manner, delivered to the appropriate recipient and protected during transmission; verification, detection and correction of the accuracy of output occur; and information provided in the output is used.
Related information criteria: Integrity, confidentiality, availability and effectiveness.
Application control requirements:
   1. When handling and retaining output from IT applications, follow defined procedures and consider privacy and security requirements. Define, communicate and follow procedures for the distribution of output.
   2. At appropriate intervals, take a physical inventory of all sensitive output, such as negotiable instruments, and compare it with inventory records. Create procedures with audit trails to account for all exceptions and rejections of sensitive output documents.
   3. Match control totals in the header and/or trailer records of the output to balance with the control totals produced by the system at data entry to ensure completeness and accuracy of processing. If out-of-balance control totals exist, report them to the appropriate level of management.
   4. Validate completeness and accuracy of processing before other operations are performed. If electronic output is reused, ensure that validation has occurred prior to subsequent uses.
   5. Define and implement procedures to ensure that the business owners review the final output for reasonableness, accuracy and completeness, and output is handled in line with the applicable confidentiality classification. Report potential errors; log them in an automated, centralized logging facility; and address errors in a timely manner.
   6. If the application produces sensitive output, define who can receive it, label the output so it is recognizable by people and machines, and implement distribution accordingly. Where necessary, send it to special access-controlled output devices.

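The following is an added example, not part of the guideline, that works through the control-total checks of section D (requirement 2: record counts, control and hash totals; requirement 10: a parallel control file reconciled against the master file after posting) and section E (requirement 3: header/trailer totals of the output matched against the totals produced at data entry). The pipe-delimited batch layout, the hash-total definition and the master-file snapshots are constructed for the example.

```python
"""Batch control totals and out-of-balance reporting: an added example, not from
the guideline. It covers section D requirement 2 (record counts, control and hash
totals), section D requirement 10 (a parallel control file compared with the
master file after posting) and section E requirement 3 (matching header/trailer
control totals of output against those produced at data entry).

The batch layout is constructed for the example: a header 'H|batch_id|count',
detail lines 'D|seq|account|amount' and a trailer 'T|count|amount_total|hash_total'.
The hash total is the plain sum of the account numbers; it has no business meaning
and exists only to detect lost, altered or substituted records.
"""
from decimal import Decimal


def compute_totals(details: list) -> tuple:
    """Return (record count, monetary total, hash total) over the detail records."""
    count = len(details)
    amount_total = sum((d["amount"] for d in details), Decimal("0"))
    hash_total = sum(int(d["account"]) for d in details)
    return count, amount_total, hash_total


def parse_batch(text: str) -> dict:
    """Parse the constructed pipe-delimited batch into header, details and trailer."""
    header = trailer = None
    details = []
    for raw in text.strip().splitlines():
        f = raw.split("|")
        if f[0] == "H":
            header = {"batch_id": f[1], "count": int(f[2])}
        elif f[0] == "D":
            details.append({"seq": int(f[1]), "account": f[2], "amount": Decimal(f[3])})
        elif f[0] == "T":
            trailer = {"count": int(f[1]), "amount_total": Decimal(f[2]),
                       "hash_total": int(f[3])}
    if header is None or trailer is None:
        raise ValueError("batch is missing its header or trailer record")
    return {"header": header, "details": details, "trailer": trailer}


def reconcile(batch: dict) -> list:
    """Recompute totals over the details and list every out-of-balance condition."""
    count, amount_total, hash_total = compute_totals(batch["details"])
    head, tail = batch["header"], batch["trailer"]
    exceptions = []
    if count != head["count"]:
        exceptions.append(f"header count {head['count']} != {count} records read")
    if count != tail["count"]:
        exceptions.append(f"trailer count {tail['count']} != {count} records read")
    if amount_total != tail["amount_total"]:
        exceptions.append(f"monetary total {tail['amount_total']} != {amount_total}")
    if hash_total != tail["hash_total"]:
        exceptions.append(f"hash total {tail['hash_total']} != {hash_total}")
    return exceptions


def reconcile_posting(control_totals: tuple, master_before: dict, master_after: dict) -> list:
    """Section D requirement 10: the master file must have moved by exactly the
    batch's control totals (number of postings and monetary value)."""
    count, amount_total, _ = control_totals
    exceptions = []
    if master_after["postings"] - master_before["postings"] != count:
        exceptions.append("posting count does not match the control file")
    if master_after["balance"] - master_before["balance"] != amount_total:
        exceptions.append("posted value does not match the control file")
    return exceptions


# Constructed batch exactly as produced at data entry (totals are in balance).
BATCH_OK = """
H|B2022-031|3
D|1|1001|250.00
D|2|1002|99.50
D|3|1003|1200.25
T|3|1549.75|3006
"""
# The same batch with one account number altered in transit: count and monetary
# total still agree, so only the hash total reveals the substitution.
BATCH_ALTERED = BATCH_OK.replace("D|2|1002|99.50", "D|2|1007|99.50")

# Constructed master-file snapshots before and after posting BATCH_OK.
MASTER_BEFORE = {"postings": 10, "balance": Decimal("5000.00")}
MASTER_AFTER = {"postings": 13, "balance": Decimal("6549.75")}

if __name__ == "__main__":
    for name, text in (("original", BATCH_OK), ("altered", BATCH_ALTERED)):
        print(name, reconcile(parse_batch(text)) or "in balance")
    totals = compute_totals(parse_batch(BATCH_OK)["details"])
    print("posting", reconcile_posting(totals, MASTER_BEFORE, MASTER_AFTER) or "in balance")
```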
F. TRANSACTION AUTHENTICATION AND INTEGRITY

Control Objectives | Application control requirements

Control Objective: Before passing transaction data between internal applications and business/operational functions (within or outside the enterprise), check the data for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
Related information criteria: Integrity and confidentiality.
Application control requirements:
   1. Where transactions are exchanged electronically, establish an agreed-upon standard of communication and mechanisms necessary for mutual authentication, including how transactions will be represented, the responsibilities of both parties and how exception conditions will be handled.
   2. Tag output from transaction processing applications in accordance with industry standards to facilitate counterparty authentication, provide evidence of non-repudiation and allow for content integrity verification upon receipt by the downstream application.
   3. Analyze input received from other transaction processing applications to determine authenticity of origin and the maintenance of the integrity of content during transmission.

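The following is an added example, not part of the guideline, showing one way the sender-side tagging of requirement 2 and the receiver-side analysis of requirement 3 under section F fit together: an HMAC-SHA256 tag over a canonical serialisation of sender, sequence number and transaction, checked on receipt together with the expected origin and a replay check. The shared key, application names, envelope layout and sample transactions are assumptions constructed for the example; a shared-key MAC demonstrates origin and integrity between the two parties but does not by itself give the non-repudiation that requirement 2 also mentions, which would require a signature scheme under the agreed standard of requirement 1.

```python
"""Tagging exchanged transactions for authenticity of origin and content integrity:
an added example, not from the guideline. Requirement 2 asks that output be tagged
so the counterparty can authenticate it and verify its content on receipt, and
requirement 3 asks the receiving application to check exactly that on input.

The tag here is an HMAC-SHA256 over a canonical serialisation of sender, sequence
number and transaction; the shared key, application names and envelope layout are
assumptions for the example. A shared-key MAC proves origin and integrity to the
two parties but not non-repudiation to a third party; where requirement 2 needs
that, the agreed standard (requirement 1) would have to specify a signature scheme.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"example-shared-key-not-for-production"   # constructed; provisioned out of band


def canonical(obj: dict) -> bytes:
    """Deterministic serialisation so that both sides tag identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tag_transaction(txn: dict, sender: str, seq: int, key: bytes = SHARED_KEY) -> dict:
    """Sender side: wrap the transaction in an envelope carrying origin, sequence and tag."""
    body = {"sender": sender, "seq": seq, "txn": txn}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class Receiver:
    """Receiving application: verifies origin and integrity and rejects replays."""

    def __init__(self, expected_sender: str, key: bytes = SHARED_KEY):
        self.expected_sender = expected_sender
        self.key = key
        self.last_seq = 0
        self.rejected = []      # (seq, reason), kept for follow-up and root-cause analysis

    def accept(self, envelope: dict):
        """Return the transaction if the envelope passes every check, else None."""
        body = {k: envelope.get(k) for k in ("sender", "seq", "txn")}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
            self.rejected.append((body["seq"], "integrity/authenticity: tag mismatch"))
            return None
        if body["sender"] != self.expected_sender:
            self.rejected.append((body["seq"], "origin: unexpected sender"))
            return None
        if not isinstance(body["seq"], int) or body["seq"] <= self.last_seq:
            self.rejected.append((body["seq"], "replay or out of sequence"))
            return None
        self.last_seq = body["seq"]
        return body["txn"]


def demo() -> tuple:
    """Constructed exchange: one valid envelope, one altered in transit, one replayed."""
    rx = Receiver(expected_sender="GL-APP")
    env1 = tag_transaction({"account": "1001", "amount": "250.00", "currency": "EUR"}, "GL-APP", 1)
    env2 = tag_transaction({"account": "1002", "amount": "99.50", "currency": "EUR"}, "GL-APP", 2)
    env2["txn"]["amount"] = "9950.00"        # content changed after tagging
    results = [rx.accept(env1), rx.accept(env2), rx.accept(env1)]   # third is a replay of env1
    return results, rx.rejected


if __name__ == "__main__":
    results, rejected = demo()
    print("accepted:", [r for r in results if r is not None])
    print("rejected:", rejected)
```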
5.3 IT Audit Glossary

Access control list (ACL). An internal computerized table of access rules regarding the levels of
computer access permitted to logon IDs and computer terminals.
Access rights. The permission or privileges granted to users, programs or workstations to create, change,
delete or view data and files within a system, as defined by rules established by data owners and the
information security policy.
Application. A set of programs, data and clerical procedures which together form an information system
designed to handle a specific administrative or business function (e.g. accounting, payment of grants,
recording of inventory). Most applications can usefully be viewed as processes with input, processing,
stored data, and output.
Audit trail. A visible trail of evidence enabling one to trace information contained in statements or reports
back to the original input source.
Availability. The accessibility of a system, resource or file, where and when required. The time that a
system is not available is called downtime. Availability is determined by reliability, maintainability,
serviceability, performance, and security.
Backup. A duplicate copy (e.g. of a document or of an entire disc) made either for archiving purposes or for
safeguarding valuable files from loss should the active copy be damaged or destroyed. A backup is an
"insurance" copy.
Batch. A set of computer data or jobs to be processed in a single program run.
Buffer overflow. Occurs when a program or process tries to store more data in a buffer (a temporary data
storage area) than it was intended to hold. Although it may occur accidentally through a programming error,
buffer overflow is an increasingly common type of security attack on data integrity.
Business continuity plan (BCP). A logistical plan to recover and restore the critical business operations
within a predetermined time after a disaster or extended disruption. Some of the critical business operations
need IT services to continue: these are the critical IT services. A part of the BCP is the Disaster Recovery
Plan that addresses the restoration of the critical IT services.
Change management. The process responsible for controlling the lifecycle of all changes. The primary
objective of change management is to enable beneficial changes to be made, with minimum disruption to IT
Services.
Check digit. A numeric value, calculated mathematically from the other digits of a data item (such as an
account or reference number) and appended to it. On input the check digit is recomputed and compared with the
digit present; a mismatch shows that the data has been altered or mis-keyed, including the common case of an
incorrect but otherwise valid-looking number.
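The following is an added example, not part of the original guideline, showing how a check digit is computed, appended and later verified. The guideline does not prescribe a particular algorithm; the Luhn (mod 10) scheme is used here for illustration, and the sample reference numbers are constructed.

```python
"""Check-digit computation and verification using the Luhn (mod 10) scheme.

Added example, not part of the original guideline: the guideline does not
prescribe a check-digit algorithm, Luhn is used here for illustration.
"""


def luhn_check_digit(payload: str) -> int:
    """Return the mod-10 check digit to append to a string of decimal digits."""
    if not payload.isdigit():
        raise ValueError("payload must contain only decimal digits")
    total = 0
    # Walk the payload right to left. The digit nearest the (future) check
    # digit is doubled, then every second digit after it; a doubled digit
    # above 9 has 9 subtracted (equivalent to summing its two digits).
    for pos, ch in enumerate(reversed(payload)):
        d = int(ch)
        if pos % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def append_check_digit(payload: str) -> str:
    """Produce the full reference number: payload followed by its check digit."""
    return payload + str(luhn_check_digit(payload))


def is_valid(number: str) -> bool:
    """Recompute the check digit from the payload and compare it with the
    digit actually present; a mismatch means the number was altered or mis-keyed."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


if __name__ == "__main__":
    ref = append_check_digit("7992739871")                 # constructed payload -> 79927398713
    print(ref, is_valid(ref))                              # valid as issued
    print(is_valid("79927398613"))                         # one digit mis-keyed
    print(is_valid("79927398173"))                         # two adjacent digits transposed
    print(luhn_check_digit("09"), luhn_check_digit("90"))  # a transposition Luhn cannot see
```

A practitioner should note the last line: a mod-10 check digit detects every single-digit error and most adjacent transpositions, but not the 09/90 swap, so it limits rather than eliminates mis-keying and is no substitute for authorisation and matching controls.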
Control objective. A statement of the desired result or purpose to be achieved by implementing control
procedures in a particular process.
Data dictionary. A database that contains the name, type, source and authorization for access for each data
element in the organization's files and databases. It also indicates which application programmes use that
data, so that when a change to a data structure is contemplated, a list of the affected programmes can be generated.
Disaster recovery plan (DRP). A plan used to restore the critical IT services in case of a disaster
affecting IT infrastructure. A DRP is not valid unless tested at least once a year. The DRP is a part of the
BCP.
Hash total. A total computed over a field that has no meaning as a sum (for example, account numbers) for all
items in a batch, and recorded purely for control purposes. Recalculating the hash total and comparing it with the
previously computed value provides a check that no item has been lost, added or altered, even where the record
count and the financial totals still agree.
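As an added example (not code from the guideline), the batch below carries the three usual control figures in its header: record count, financial total and a hash total over the account-number field. The payment layout, the records and the two corrupted variants are constructed for illustration.

```python
"""Batch control totals: record count, financial total and hash total.

Added example, not part of the original guideline. The payment layout,
the records and the corrupted variants are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    account_no: str   # hashed field: its sum has no business meaning, only control value
    amount: Decimal   # financial field: its sum is a meaningful total


@dataclass(frozen=True)
class ControlRecord:
    record_count: int
    financial_total: Decimal
    hash_total: int


def compute_controls(batch: list[Payment]) -> ControlRecord:
    """Compute the three control figures the sender writes into the batch header."""
    return ControlRecord(
        record_count=len(batch),
        financial_total=sum((p.amount for p in batch), Decimal("0")),
        hash_total=sum(int(p.account_no) for p in batch),
    )


def reconcile(expected: ControlRecord, received: list[Payment]) -> list[str]:
    """Recompute the controls over the received batch; one exception line per mismatch."""
    actual = compute_controls(received)
    exceptions = []
    if actual.record_count != expected.record_count:
        exceptions.append(f"record count {actual.record_count} != {expected.record_count}")
    if actual.financial_total != expected.financial_total:
        exceptions.append(f"financial total {actual.financial_total} != {expected.financial_total}")
    if actual.hash_total != expected.hash_total:
        exceptions.append(f"hash total {actual.hash_total} != {expected.hash_total}")
    return exceptions


# Constructed batch as sent, with the header the sender computed over it.
SENT_BATCH = [
    Payment("1001", Decimal("250.00")),
    Payment("2002", Decimal("100.00")),
    Payment("3003", Decimal("75.50")),
]
SENT_CONTROLS = compute_controls(SENT_BATCH)

# Constructed corruptions of the same batch on the receiving side.
DROPPED_RECORD = SENT_BATCH[:2]                                          # last record lost in transit
ALTERED_ACCOUNT = SENT_BATCH[:2] + [Payment("3030", Decimal("75.50"))]  # amount intact, account changed


if __name__ == "__main__":
    print(SENT_CONTROLS)
    print("intact: ", reconcile(SENT_CONTROLS, SENT_BATCH))
    print("dropped:", reconcile(SENT_CONTROLS, DROPPED_RECORD))
    print("altered:", reconcile(SENT_CONTROLS, ALTERED_ACCOUNT))
```

The altered-account case is the one that justifies the hash total: the record count and the financial total both still agree, and only the hash total exposes that a payment has been redirected to a different account. Batch totals cannot detect two records whose fields were swapped with each other, so they complement rather than replace record-level checks.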
Input. Information/data received by the computer system either from an external source or from another
area within the computer environment.
Integrity. One of the information criteria: that information is valid, complete and accurate.

IT governance. The responsibility of executives and the board of directors; it consists of the leadership,
organizational structures and processes that ensure that the enterprise's IT sustains and extends the
organization's strategies and objectives.
IT risk. The business risk associated with the use, ownership, operation, involvement, influence and
adoption of IT within an enterprise.
IT risk map. A tool for ranking and displaying IT risks by defined ranges for frequency and magnitude.
IT steering committee. A committee comprising user representatives from all areas of the business together
with IT, responsible for the overall direction of IT. Management involvement in this committee is indispensable
to assure business alignment in IT governance. The IT steering committee assists the executive in delivering the
IT strategy, oversees the management of IT service delivery and IT projects, and focuses on implementation.
IT strategic plan. A long term plan, i.e., three to five-year horizon, in which business and IT management
cooperatively describe how IT resources will contribute to the enterprise’s strategic objectives (goals).
Job description. A document which defines the roles and responsibilities of a particular position and the
skills and knowledge required of the person holding it.
Log. A record of details of information or events, kept in an organized record-keeping system, usually
sequenced in the order in which they occurred.
Logical access controls. The use of software to prevent unauthorized access to IT resources
(including files, data, and programs) and the associated administrative procedures.
Output. Information/data produced by computer processing, such as graphic display on a terminal and hard
copy.
Outsourcing. A formal agreement with a third party to perform a function for an organization.
Owner. The individual (or unit) responsible for particular (IS or IT) assets.
Recovery point objective (RPO). The point in time, before a disruption of operations, to which data must be
restored; data created after that point may be lost. The RPO is determined by the amount of data loss the
business finds acceptable.
Recovery time objective (RTO). The amount of time allowed for the recovery of a business function or
resource after a disaster occurs.
Production environment. A controlled environment containing live configuration items used to deliver IT
services to customers.
Segregation of duties. A control which aims to ensure that transactions are properly authorised and
recorded, and that assets are safeguarded. It has two dimensions: separation of the responsibility for the
custody of assets from the responsibility for maintaining the related accounting records; and separation of
functions within the IT environment (for example, development from deployment to production).
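The following is an added example, not the guideline's own procedure, of the test an auditor runs over an extracted access matrix to find segregation-of-duties violations. Conflicts are evaluated at the level of functions rather than roles, because a violation usually arises from two individually harmless roles assigned to the same person. The role names, conflict rules and user assignments are constructed for illustration.

```python
"""Segregation-of-duties test over an access matrix.

Added example, not part of the original guideline. The function names,
the conflict rules and the user assignments are constructed for illustration.
"""
from __future__ import annotations

# Pairs of functions a single individual should not hold together:
# custody/recording conflicts on the accounting side, develop/deploy on the IT side.
CONFLICTING_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"develop_code", "deploy_to_production"}),
    frozenset({"administer_security", "approve_payment"}),
}

# Constructed role-to-function map: what each role actually lets a holder do.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"enter_invoice", "create_vendor"},
    "AP_MANAGER": {"approve_payment"},
    "DEVELOPER": {"develop_code"},
    "RELEASE_MANAGER": {"deploy_to_production"},
    "SECURITY_ADMIN": {"administer_security"},
}

# Constructed user-to-role assignments as extracted from the system.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "carol": {"AP_CLERK", "AP_MANAGER"},       # can create a vendor and approve its payment
    "dave": {"DEVELOPER", "RELEASE_MANAGER"},  # can write code and push it to production
    "erin": {"SECURITY_ADMIN"},
}


def effective_functions(roles: set[str], role_functions: dict[str, set[str]] = ROLE_FUNCTIONS) -> set[str]:
    """Union of the functions granted by all of a user's roles."""
    funcs: set[str] = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTING_PAIRS):
    """Return {user: sorted list of conflicting function pairs that user holds}.

    A pair is a violation when both of its functions are in the user's
    effective function set, whichever roles contributed them."""
    report: dict[str, list[tuple[str, str]]] = {}
    for user, roles in sorted(user_roles.items()):
        funcs = effective_functions(roles, role_functions)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= funcs]
        if hits:
            report[user] = sorted(hits)
    return report


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        for a, b in pairs:
            print(f"{user}: holds both '{a}' and '{b}'")
```

In practice the extract also needs to include shared and service accounts, and emergency or "firefighter" access, which are where most real conflicts hide; a compensating control (such as independent review of the transactions those users enter) should be evidenced for every violation that cannot be removed.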
Sequence check. A verification that the control number follows sequentially and any control numbers out
of sequence are rejected or noted on an exception report for further research.
Service level agreement (SLA). A written agreement between the provider of a service and its users. An
SLA contains "service level objectives" such as uptime (when an application must be available) and the
acceptable response time. SLAs should exist between IT and the users for each service and application, and
must also form part of the contract with external providers.
Source code. The text written in a computer programming language. The source code consists of the
programming statements that are created by a programmer with a text editor or a visual programming tool
and then saved in a file.
Source documents. The forms used to record data that have been captured. A source document may be a
piece of paper, a turnaround document or an image displayed for online data input.
Token. A device that is used to authenticate a user, typically as a second factor in addition to a username and password.

User. Individual or unit that makes use of information systems. Specifically, in business and administration,
a managed organisational unit which uses information systems to carry out the functions for which it is
responsible in the organization, and is thus the customer for a service provided by the IT department.
Validity check. A software control over the input of data to a computer system. Each input field is compared
with the type of data it may properly contain, e.g. only letters in a name field, and non-conforming records are
rejected or reported.
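As an added example serving both the Sequence check and the Validity check entries above (it is not code from the guideline), the routine below runs the two edit checks over a small input batch and produces the exception report the definitions describe. The record layout, the field rules and the sample records are constructed for illustration.

```python
"""Input edit checks: validity check on each field, sequence check on control numbers.

Added example, not part of the original guideline. The record layout, the
field rules and the sample batch are constructed for illustration.
"""
from __future__ import annotations

import re

# Validity rules: the kind of data each input field may properly contain.
FIELD_RULES = {
    "control_no": re.compile(r"\d{6}"),
    "customer_name": re.compile(r"[A-Za-z][A-Za-z' -]*"),  # letters only in a name field
    "amount": re.compile(r"\d{1,9}\.\d{2}"),               # fixed two-decimal amount
    "currency": re.compile(r"EUR|USD|GBP"),                # closed list of codes
}


def validity_check(record: dict[str, str]) -> list[str]:
    """Compare each field against the data it may contain; one line per failing field."""
    errors = []
    for field, rule in FIELD_RULES.items():
        value = record.get(field, "")
        if not rule.fullmatch(value):
            errors.append(f"{field}: invalid value {value!r}")
    return errors


def sequence_check(records: list[dict[str, str]], first_expected: int) -> list[str]:
    """Verify control numbers run consecutively from first_expected.
    Gaps, duplicates and out-of-sequence numbers go on the exception report."""
    exceptions: list[str] = []
    seen: set[int] = set()
    expected = first_expected
    for rec in records:
        raw = rec.get("control_no", "")
        if not raw.isdigit():
            continue          # malformed number: already reported by the validity check
        n = int(raw)
        if n in seen:
            exceptions.append(f"control_no {n:06d}: duplicate")
        elif n > expected:
            missing = ", ".join(f"{m:06d}" for m in range(expected, n))
            exceptions.append(f"control_no {n:06d}: gap, missing {missing}")
        elif n < expected:
            exceptions.append(f"control_no {n:06d}: out of sequence")
        seen.add(n)
        expected = max(expected, n + 1)
    return exceptions


def edit_check_report(records: list[dict[str, str]], first_expected: int) -> dict:
    """Run both checks over a batch. Validity failures are keyed by 1-based record number."""
    validity = {}
    for idx, rec in enumerate(records, start=1):
        errs = validity_check(rec)
        if errs:
            validity[idx] = errs
    return {"validity": validity, "sequence": sequence_check(records, first_expected)}


# Constructed input batch: two clean records followed by three defective ones.
SAMPLE_BATCH = [
    {"control_no": "000101", "customer_name": "Acme Ltd",     "amount": "120.00", "currency": "EUR"},
    {"control_no": "000102", "customer_name": "Jones",        "amount": "80.00",  "currency": "USD"},
    {"control_no": "000104", "customer_name": "Smith & Sons", "amount": "75.5",   "currency": "EUR"},  # gap; bad name and amount
    {"control_no": "000102", "customer_name": "O'Brien",      "amount": "15.00",  "currency": "GBP"},  # duplicate number
    {"control_no": "00A105", "customer_name": "Jones",        "amount": "10.00",  "currency": "XXX"},  # bad number and currency
]


if __name__ == "__main__":
    report = edit_check_report(SAMPLE_BATCH, first_expected=101)
    for idx, errs in report["validity"].items():
        for e in errs:
            print(f"record {idx}: {e}")
    for e in report["sequence"]:
        print(e)
```

The sequence check deliberately skips a control number the validity check has already rejected, so each defect appears once on the report; an auditor reviewing such a report should confirm that every exception was followed up and cleared, not merely listed.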
