ITGC Program changes
Program changes is one category of ITGC. Because ITGCs are general computer controls, implementing them is a regulatory obligation for large companies. External auditors therefore verify their implementation and effectiveness as part of the annual audit of the accounts.
The objective of this category is to ensure that all changes to existing systems are properly authorized, tested, approved, implemented and documented, because changes to existing systems may be inappropriate and may result in data corruption (for example, an unauthorized change to a financial application represents a risk of fraud).
To limit this risk, the category includes the 3 controls below, applied across 4 layers (applications, operating system configuration, databases, network):
- Changes to applications are tested and approved before they are released for production.
- Changes to the applications are reviewed periodically.
- The development, testing and production environments are separate and follow an approval process.
To test these controls and verify that they are implemented correctly, the auditors work by sampling and request evidence for the selected changes (for example, an acceptance test report or a validation email for the production release).
For the second control, the auditors check that a change review is carried out periodically, that it is exhaustive and that it is validated by an authorized person.
The third control consists of ensuring that the environments are properly separated and that only authorized persons have access to them; this control includes a segregation of duties control.