Page 90 - CITP Review

Exhibit 3-2 — ITAF – 3630/IT general controls

1. Introduction to ITGCs
2. Information resource planning
3. IT service delivery
4. Information systems operations
5. IT human resources
6. Outsourcing or third-party IT
7. Information security management
8. SDLC
9. BCP/DRP
10. Database management and controls
11. Network management and controls
12. Systems software support
13. Hardware support
14. O/S management and controls
15. Physical and environment control
16. Enterprise portals
17. Identification and authentication



One of the primary goals of an effective control environment is to ensure that the data processing that takes place in systems and technologies occurs in a controlled environment, supporting data integrity and security. This element of ITGC is essentially equivalent to COSO's control environment and COBIT's plan and organize (PO) domain (see exhibit 3-3).


Policies and procedures
The control environment would include not only the strategic IT plan, but also a body of policies and procedures (P&P) related to the IT function. Normally, the entity should have a separate P&P document for the IT function describing how the IT function will be managed for effectiveness and efficiency, and to meet management's expectations. The P&P should include the role, structure, and processes of IT governance and project management, when relevant, and standards for developing, deploying, and managing IT resources.


IT P&P
The CITP will want to review the IT P&P as part of examining the control environment. The IT P&P should be congruent with the entity's P&P, and they should include items that demonstrate the intent to align IT with enterprise goals, objectives, and strategies.

P&P should cover the following:

- Professional development of staff (training, seminars, certification, and so on)
- Support services for users
- Management of IT projects (especially development procedures, testing procedures, and deployment practices)


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-6