IT Audit - ITGC
1. Planning and Preparation
Define the scope of the IT audit.
Identify relevant stakeholders and schedule meetings.
Review previous audit findings and recommendations.
Gather necessary documentation (policies, procedures, and architecture diagrams).
2. Risk Assessment
Identify critical IT systems and applications.
Assess the risk associated with each system/application.
Determine the control environment and existing controls in place.
Document potential risks and their impact on the organization.
3. Control Environment
Evaluate the organizational structure and IT governance.
Review the IT policies and procedures for effectiveness.
Assess the overall IT culture and awareness among employees.
Verify the alignment of IT objectives with business objectives.
4. Access Controls
Review user access management processes (user provisioning and deprovisioning).
Check for role-based access controls and segregation of duties.
Evaluate password management policies and practices.
Test access controls by reviewing user access logs and permissions.
5. Change Management
Assess the change management process for IT systems.
Review documentation for approved changes and their implementation.
Verify the testing and approval of changes before deployment.
Evaluate emergency change procedures and their effectiveness.
6. Incident Management
Review the incident management process and response procedures.
Assess the tracking and resolution of IT incidents.
Evaluate communication protocols during incidents.
Analyze incident trends for recurring issues.
7. Backup and Recovery
Review the backup policies and procedures.
Test the effectiveness of backup processes and restoration capabilities.
Assess the physical and logical security of backup media.
Evaluate the disaster recovery plan and its testing frequency.
8. Compliance and Monitoring
Verify compliance with relevant laws and regulations (e.g., GDPR, HIPAA).
Review monitoring tools and processes for IT systems.
Assess the frequency and effectiveness of internal audits and assessments.
Document any compliance gaps and recommend corrective actions.
9. Reporting and Follow-up
Compile findings and observations from the audit.
Prepare an audit report with actionable recommendations.
Schedule a meeting with stakeholders to present findings.
Follow up on the implementation of audit recommendations.
This checklist provides a structured approach to conducting an IT audit focusing on IT General Controls, ensuring comprehensive coverage of essential areas.