Page 119 - ITGC_Audit Guides
Other Relevant Control Types
Other control types that are relevant to, embedded in, or built on business application control processes include but are not limited to those described below.
Records and Information Management
The organization’s records and information management (RIM) program should recognize the following items as official records and establish requirements for their retention:
• Application architecture diagrams.
• Data flow diagrams.
• Quality assurance and user acceptance testing routines and results.
• Source code for approved versions.
• Baseline configurations.
• System roles and user account and permissions authorizations.
• Event logs.
A business application engagement should verify whether requirements for retaining the listed document types are established and whether the necessary documentation for the application(s) under review is retained properly.
Controls over record retention are mainly described in:
• COBIT 2019 Framework: Governance and Management Objectives in practices:
o BAI08.01 Identify and Classify Sources of Information for Governance and Management of I&T.
o DSS06.05 Ensure Traceability and Accountability for Information Events.
• NIST SP 800-53r5 in controls:
o SI-12 Information Management and Retention.
o SA-5 System Documentation.
• The CIS Controls cover similar guidance in safeguards:
o 3.4 Enforce Data Retention.
o 12.4 Establish and Maintain Architecture Diagram(s).
Vendor Management
Wherever external personnel or entities help develop or support business applications, contracts and related documents should explain security and performance requirements sufficiently. A business application engagement should verify whether contracts include service level agreements and whether ongoing oversight, communication, and remediation processes have been exercised, as appropriate. The GTAG “Information Technology Outsourcing” describes controls over vendors in detail.
19 — theiia.org