ITGC Program changes

Program changes are one category of ITGC. Because ITGC is a general computer control, its implementation is a regulatory obligation for large companies. External auditors therefore verify its implementation and effectiveness as part of the annual audit of the accounts.

The objective of the category is to ensure that all changes to existing systems are properly authorized, tested, approved, implemented and documented. This matters because changes to existing systems may be inappropriate and may result in data corruption; an unauthorized change to a financial application, for example, represents a risk of fraud.

To limit this risk, the category includes the 3 controls below, applied across 4 layers (applications, operating system configuration, databases, network):

  • Changes to applications are tested and approved before they are released for production.
  • Changes to the applications are reviewed periodically.
  • The development, testing and production environments are separate and follow an approval process.

To test these controls and confirm that they are implemented correctly, the auditors proceed by sampling and request evidence for the selected changes (an acceptance test report or a validation email for the production launch, for example).

For the second control, the point is to verify that a change review is carried out periodically, that it is exhaustive and that it is validated by an authorized person.

The third control consists of ensuring that the environments are properly separated and that only authorized persons have access to them; this control includes a segregation of duties control.

“Sean has 9 years of experience in delivering diverse IT projects and managing IT audits as both auditee and auditor. Sean is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), (CDPSE) Certified Data Protection Security Engineer, (PMP) Project Management Professional and has completed other related certified trainings. He has experience in implementing ISO27001 standards, executing ITGCs, PCI DSS and good knowledge of Information Systems in line with COSO & COBIT frameworks. He has managed several security tools, Access Management Review Cycle, Policies & Procedures, Audit & other integrated projects. Sean is a member of the Information Systems Audit and Control Association and has completed his Bachelor’s in Management Sciences from Nigeria and is currently embarking on his Master’s program at LSU. At work, his great passion is to drive process improvement, and off work he enjoys playing chess, comedy shows and spending quality time with family and friends.”