ITGC Testing Audit Checklist

1. Planning and Preparation

Define the scope of the ITGC audit.

Identify key stakeholders and their roles.

Gather relevant documentation (policies, procedures, system descriptions).

Review prior audit findings and management responses.

2. Control Environment Assessment

Evaluate the overall IT control environment.

Assess the competence and resources of the IT team.

Review organizational structure and reporting lines.

Analyze the effectiveness of communication regarding IT controls.

3. Access Controls

Verify user access provisioning processes.

Review user access rights for critical systems.

Test for timely removal of access for terminated employees.

Assess multi-factor authentication implementation.

4. Change Management

Review change management policies and procedures.

Test the approval process for changes to IT systems.

Verify documentation and testing of changes before implementation.

Assess the monitoring of changes post-implementation.

5. Data Backup and Recovery

Evaluate data backup policies and procedures.

Test the frequency and completeness of backups.

Review the restoration process and conduct a test restore.

Assess the security of backup storage (on-site and off-site).

6. Incident Management

Review incident management policies and procedures.

Assess the logging and tracking of incidents.

Verify the escalation process for critical incidents.

Evaluate response times and resolution effectiveness.

7. System Development and Maintenance

Review SDLC (Software Development Life Cycle) practices.

Assess testing procedures for new and modified applications.

Verify documentation and approval for system changes.

Evaluate post-implementation reviews and lessons learned.

8. Monitoring and Reporting

Assess monitoring controls for IT systems and applications.

Review the reporting process for control deficiencies.

Evaluate the frequency and content of IT control reports.

Verify follow-up actions on identified issues.

9. Documentation and Evidence Gathering

Ensure all control procedures are documented.

Collect evidence for each control tested.

Document findings and recommendations.

Prepare a summary report for stakeholders.

10. Follow-up and Continuous Improvement

Schedule follow-up reviews for remediation of findings.

Evaluate the effectiveness of implemented changes.

Foster a culture of continuous improvement in IT controls.

Update the ITGC audit checklist based on lessons learned.