This week I attended my first ITGC walkthrough. During a walkthrough our goal is to understand the company’s processes so that we can later advise on risk. We can take samples and use them as evidence, or we can note that we observed a process. We want to walk away understanding the applications that have, or could have, a financial impact. Other applications the company uses would not be audited if they are not material in this way, because they are out of scope.
One aspect of the walkthrough is to document changes within the application. This portion is documented under managing changes and includes source code changes, updates, security patches, etc. These audits are done yearly because the prior year and the current year will contain different information. We use the prior year’s information only as a guide, because software applications can change and companies can change how they use software.
Another area we document is managing access. This describes who has access to the application as well as the approval process for both granting and terminating access. This section also covers access modifications, such as elevated privileges. It is in the company’s interest to keep logs so that it can prove access isn’t modified without approval. We can’t depend on word alone, so we challenge SOPs and ask for evidence that the applications do not have access issues. Internally, for example, the CFO could periodically review user lists, on top of keeping a log, and then provide us with evidence that this has been done.
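As an added illustration of the evidence being asked for here (example code, not from the post or from any audited company), the script below reconciles a constructed access-change log against a constructed approval register and flags every grant, revocation or elevation that lacks a matching prior approval. The field names, ticket ids, users and dates are all assumptions.

```python
from datetime import date

# Constructed sample access-change log (not from the post). Each entry is one
# change an application admin applied to a user's access.
ACCESS_LOG = [
    {"user": "jdoe",   "action": "grant",   "role": "AP_CLERK",  "on": date(2024, 3, 4),  "ticket": "CHG-101"},
    {"user": "asmith", "action": "elevate", "role": "GL_ADMIN",  "on": date(2024, 3, 6),  "ticket": "CHG-102"},
    {"user": "bkim",   "action": "revoke",  "role": "AP_CLERK",  "on": date(2024, 3, 9),  "ticket": None},
    {"user": "clee",   "action": "grant",   "role": "AP_CLERK",  "on": date(2024, 3, 10), "ticket": "CHG-103"},
    {"user": "asmith", "action": "elevate", "role": "SYS_ADMIN", "on": date(2024, 3, 12), "ticket": "CHG-102"},
]

# Constructed approval register: what the approver actually signed off on.
APPROVALS = {
    "CHG-101": {"user": "jdoe",   "action": "grant",   "role": "AP_CLERK", "approver": "cfo", "on": date(2024, 3, 1)},
    "CHG-102": {"user": "asmith", "action": "elevate", "role": "GL_ADMIN", "approver": "cfo", "on": date(2024, 3, 5)},
    "CHG-103": {"user": "clee",   "action": "grant",   "role": "AP_CLERK", "approver": "cfo", "on": date(2024, 3, 11)},
}


def check_change(entry, approvals):
    """Return None if the change is backed by a matching, earlier approval, else the exception reason."""
    ticket = entry["ticket"]
    if ticket is None:
        return "no approval ticket recorded"
    approval = approvals.get(ticket)
    if approval is None:
        return f"ticket {ticket} not found in approval register"
    # The approval must cover the same user, the same kind of change and the same role;
    # a ticket approving one role does not cover a later elevation to a different one.
    for field in ("user", "action", "role"):
        if approval[field] != entry[field]:
            return f"ticket {ticket} approved {field}={approval[field]!r}, change applied {field}={entry[field]!r}"
    # Approval dated after the change means the change went in first and was papered over later.
    if approval["on"] > entry["on"]:
        return f"ticket {ticket} approved on {approval['on']}, after the change on {entry['on']}"
    return None


def find_exceptions(log, approvals):
    """Reconcile every logged change; the returned list is what a periodic reviewer would sign off on."""
    return [(e["user"], e["action"], e["role"], reason)
            for e in log if (reason := check_change(e, approvals))]


if __name__ == "__main__":
    for user, action, role, reason in find_exceptions(ACCESS_LOG, APPROVALS):
        print(f"EXCEPTION {user} {action} {role}: {reason}")
```

An empty exception list, together with the log and register it was produced from, is the kind of artefact that answers the auditor's request for evidence rather than a verbal assurance.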
Another component involves IT operations, in which we review how software/applications are being backed up. This means that we review not only how and when the applications are backed up but also what software the company uses to do so. Other factors we note are the media used for the backup, whether the applications are backed up remotely, and whether the process is manual or automated. Then we document how the backups are monitored: are there reports or email alerts? Does the IT admin have access to view the server, or is the backup completed by a third-party vendor? This area, like the rest, can get confusing because what is suitable for a small company could put a larger company at risk. I began taking notes and then documented my understanding of the processes based on what was disclosed in the meeting.
I would give myself a 10 for this week. I could tell that my interest was high, as I wanted to ask many clarifying questions during the meeting, but I understood that I was tasked solely with taking notes.