Mubaraq Adepoju
7 min read · Aug 18, 2023

IT CONTROL TERMINATED USER TESTING (ITGC CONTROL TESTING)

TERMINATED USER TESTING

In this project I took the role of Senior Auditor on the IT audit team, focusing on testing the IT access-management control for terminated users. The engagement involved defining the scope of the test, setting the schedule, assembling the team and allocating the budget.

In line with the UOT audit methodology, the IT audit team will perform the following procedures for the Burco company:

  1. Understanding the Business Environment: understand the company's IT landscape and note any significant changes to the IT environment during the period.
  2. Determining IT Engagement: assess whether IT audit involvement is needed and how far the business entity has to be engaged.
  3. Identifying Relevant IT Applications: identify the classes of transactions, the disclosure process and the IT applications that support them, and document the applications that are relevant to the audit.
  4. IT General Controls Assessment: identify the IT general controls (ITGCs), perform walkthroughs, test them and evaluate the results.
  5. Risk Evaluation: contribute to the overall risk assessment by documenting the combined ITGC evaluation for each application alongside the manual controls.

The subsequent controls are encompassed within the scope of this audit and will undergo testing:

  • Access Control: new user authentication and provisioning, privileged user access, backup and recovery procedures, logical security measures and log review. The terminated-user test described in this post falls under this area.
  • Change Management (CM 1–4): the four change-management controls will also be tested.

The first phase of the audit is planning. After risk assessment and scoping, the audit team lays out the step-by-step plan for the engagement: the audit plan and audit program, the objectives, the risk and control matrix, and any updates to the risk assessment.

During planning the audit team drafts an engagement letter, which formally opens the audit. It records the planning approach, the budget and a breakdown of the audit procedures to be performed.

Risk Control Matrix (General Workbook).

The next phase is fieldwork. Here the IT audit team works top-down from the business process to the controls: each business process is mapped to its objectives, to the risks that threaten those objectives, and then to the controls meant to address them. The core of this phase is examining the design and operating effectiveness of each control to determine whether it actually mitigates the risk it was put in place for.

Central to the evaluation is the risk control matrix (RCM), which is the roadmap for the controls under test. Each row of the matrix records the control reference number, a description of the control, its objective, the risk it addresses and, most importantly, the test procedures we intend to perform. Working from the matrix keeps the testing systematic and ties every result back to the predefined criteria and objectives.

Testing Matrix.

The testing matrix records several attributes that guide the assessment. First, the type of control: the page treats this control as preventive, and the removal of an account within 24 hours of termination is indeed the preventive step, while the semi-annual verification that all terminated users were removed operates as a detective check over it. Second, the control owner, the person responsible for operating and maintaining the control. Third, the nature of the control: whether it is manual or automated and how often it operates.

The application in scope for this evaluation is the SAP ERP system. The testing matrix is the cornerstone of the test strategy and keeps the work coordinated and aligned with the audit objectives.

Control description: Semi-annually, the access control team verifies that all terminated employees have been removed from Active Directory within 24 hours of termination. When an employee leaves, the manager sends a ticket to the IT help desk with the information needed to remove the user from Active Directory. Any fault found during the review is reported to management and remediated where applicable.

Risk: a terminated employee whose account remains active in Active Directory still holds valid credentials and can authenticate to any system joined to the directory. This exposes the company to data loss and theft, unauthorised access to systems and financial loss. Management's objective is to remove every terminated employee from Active Directory promptly, to comply with company standards and to strengthen security around access management.

Test steps:

  1. Validate that, semi-annually, the access control team verifies that all terminated employees were removed from Active Directory within 24 hours of termination. Evidence: the review record for each half-year, and for each sampled employee the HR termination date compared with the date the account was disabled or deleted in Active Directory.
  2. Validate that, when an employee leaves, the manager sends a ticket to the IT help desk with the information needed to remove the user from Active Directory. Evidence: the help-desk ticket for each sampled employee, dated on or before the removal.
  3. Validate that any fault found during the review is reported to management and remediated where applicable. Evidence: the reported exceptions and the remediation taken for each.

Population randomizer.

To test the control, two employees are selected from the population of terminated employees using a randomizer, so that the selection is unbiased and can be re-performed. These two individuals are the test subjects for evaluating whether the control operated as described. A sample this small gives limited assurance on its own; where the full HR termination list and the Active Directory export for the period are available, the same attributes can be tested over the whole population.

Samples 2 & 3.

Once the two employees have been drawn from the population, the test steps are applied to each of them to validate the specific attributes. The test steps are designed to give a complete evaluation of the control, and the samples are worked against the termination records provided by the human resources department, so that the conclusions rest on documented evidence rather than on enquiry alone.

Samples with evidence.

After the attributes have been validated for the selected samples, the focus shifts to the supporting evidence behind each conclusion. This is where the test is determined to have passed or failed: each attribute is traced to evidence (the HR termination record, the Active Directory account status and timestamp, the help-desk ticket) that shows whether the control met its objective or fell short.

Sample 2
Sample 3

With the evidence in hand, each attribute is examined against the control as described. Matching the observed evidence to the control's intended outcome is what allows us to conclude that the control operated as intended for the sample, and gives the assessment its confidence.

Final Testing Matrix

Having examined every test attribute against the supporting evidence, we reach a conclusion. All test attributes were met for both samples, so the control test passed without exceptions. For the sample tested, the control operated as described.

With fieldwork complete and the control found to have passed, the audit moves to the reporting phase. This is followed by Follow-up and Remediation, where we work with the client on any remedial actions arising from the test results.

The final step is the conclusion, where we determine whether the control can be considered effective and whether it satisfies every attribute. The purpose of the testing is to support the audit findings and to judge the overall effectiveness of the control. The findings are documented and communicated according to the established protocols.

The aim of the audit is to give management reliable insight into the control environment, support informed decisions and strengthen the organisation's risk management. Reporting, collaboration with the client and a well-supported conclusion are how the audit contributes to that.

#Consulting #Audit #ITGC #Controls #Governance #Cybersecurity #RiskManagement #Soc2 #Compliance #SOX #ComplianceTesting


Written by Mubaraq Adepoju

Cloud Engineer with focus on Cloud Security, Clouds & DevOps | AWS | Microsoft Azure | Google Cloud | Oracle Cloud
