ITGC and System Change: A Brief Overview

Table of Contents
  • Risks Associated with ITGC System Change
  • Examples of Control Objectives Surrounding System Change
  • Examples of Controls for ITGC

Information Technology (IT) has become prevalent in organizations and is integrated into business processes across all functional areas, replacing cumbersome and aging analog procedures. Large-scale IT infrastructure has helped drive significant savings and improve operational efficiencies, while IT applications have helped drive innovation and generate competitive advantages. The advent of computing has led to our times being referred to as the "information age", and every organization has had to adopt it or risk becoming uncompetitive and irrelevant. Although the use of IT within an organization has many benefits, it has also given rise to new and complex risks and has significant implications for the auditing profession, so much so that it has led to the creation of an entirely new audit role, that is, the IT auditor. Emerging IT risks include, but are not limited to, three areas: security concerns, regulatory compliance requirements, and effective governance. These risks are mitigated through the use of information technology general controls (ITGCs). ITGCs play a crucial role in ensuring processes operate as intended. Specific benefits of ITGC include financial measures such as completeness, accuracy, and validity. Non-financial objectives include confidentiality, integrity and availability as well as process effectiveness and efficiency (Amasaki, 2015). There are many benefits to using effective ITGCs, the most important of which are that users can rely to a reasonable extent on their IT systems, auditors will attest to the quality of readily available controls, and investors can reasonably rely on the information provided to them (Miron, 2008).
Additionally, effective ITGCs will ensure that there are fewer regulatory issues, improving the organization's reputation and enabling it to achieve its business objectives (GTAG 1). Ineffective ITGCs will have the opposite effect: the organization will fail to achieve its goals and will fail to work towards its long-term mission and vision. ITGCs are closely linked to the "activities" carried out by the organization. As IT is integrated into virtually every process and function, IT risks are integrated as well. The use of ITGCs in these processes can reduce or even eliminate these risks, directly impacting the outcome of these processes and therefore affecting the performance of the organization. ITGCs can also play a critical role in Sarbanes-Oxley (SOX) audits. SOX Section 404 specifically requires that IT-related risks and controls be considered in the overall assessment of internal controls over financial reporting (Protiviti, 2012). Essentially, ITGCs must support an environment in which data integrity can be maintained. A key part of this is ensuring controls are in place to prevent unauthorized or malicious users from compromising data integrity.

Risks Associated with ITGC System Change

As IT continually evolves, capabilities must be upgraded to maintain a competitive advantage. Business needs change, and systems must evolve to meet these changing needs. In some cases, a minor change called a "fix" is necessary to resolve or upgrade minor issues with the system. Making changes to the system can create risks that must be carefully managed to ensure the change is successful. A major risk that can derail change is the absence of a structured change management process (Miron, 2008).
Just as a robust project management methodology improves the quality of a project and contributes to its on-time delivery, a change management process improves the success rate of change and helps the organization maintain control of the process. Lack of such a process leads to increased downtime of key systems and increased costs, among other issues. Another major risk is inadequate testing of changes before implementation (Miron, 2008). This opens the door to poor integration of the change if integration testing is not performed, a high failure rate if the change is tested inappropriately or in the wrong environment, and poor acceptance of the change by users if user acceptance testing is not part of the testing phase. Testing is crucial to mitigating these issues. Unauthorized and improperly recorded changes are also risks that arise during system modifications (GTAG 2). Both of these risks result from IT staff circumventing the change management process. Changes must fit within the overall system change philosophy and the overall system goal. Unauthorized changes risk creating a lower-quality deliverable because they have not been reviewed by the formalized procedures that authorize changes and verify their quality. Poor change logging creates problems when changes need to be audited, new staff need to be trained, or additional changes need to be made. It is crucial for every change to have reference material, because a change without enough of it does not bode well. These risks can cause the goal of the change to deviate from what was initially intended and lead to uncertainty, which must be minimized during system changes. Particular attention should also be paid to the segregation of duties during changes, as it establishes a framework of accountability (GTAG 2). System changes can be complex undertakings that require effective coordination and constant communication.
Segregation of duties helps here: it establishes clear reporting lines and supervisory roles and specifies areas of responsibility. This helps reduce errors and fraud during the process because reasonable oversight of the process is ensured. Staff in supervisory roles correct errors and verify that stipulated policies and procedures are followed. A key example of segregation of duties is separating the staff who design changes from those who test them (GTAG 2), as design teams will be reluctant to point out inadequacies and errors in their own work, i.e. a conflict of interest. All the risks mentioned above can be mitigated by implementing effective ITGCs and continuously improving them.

Examples of Control Objectives Surrounding System Change

To reduce the level of business risk related to the maintenance of IT systems, it is essential to have appropriate change controls in place. Having appropriate controls in place to prevent unauthorized changes will result in reduced service interruptions. For system change controls to be effective in an organization, management must create and enforce a culture of change management throughout the organization. This could mean making it mandatory that changes impacting a service go through the approval of the manager or product/service owners before implementation. By requiring administrator rights to make changes, the risk of unauthorized personnel making changes to critical IT systems can be significantly reduced. Proper testing policies and procedures, such as testing an application in a sandbox environment before releasing it to production, should be in place to avoid service interruptions. Enforcing policies on frequent system backups is another crucial element of system change. If a production change fails and impacts a critical business application, the organization should have the ability to revert to the previous working version of the application.
Having automated software that tracks and records system changes at any time is another important control to have in place. This gives an organization the ability to go back and identify the root causes of any errors detected in the system. For control objectives to be effective throughout an organization, management must emphasize, apply, and monitor all control objectives it has in place. A centralized decision-making approach and active communication between different departments in an organization are extremely important to avoid the creation of silos within the company (GTAG 2).

Examples of Controls for ITGC

ITGCs are controls covering operating systems, applications, supporting IT infrastructure and databases (Li et al. 180). These controls are classified into two groups. The first group is based on the nature of the implementation: controls are classified as automated, manual and partially automated (Mirza et al. 46). The second group is based on the nature of the use of controls and includes preventive, detective and corrective controls. Preventive controls, as the name suggests, are designed to prevent irregularities or errors from occurring. These controls are proactive, and their role is to ensure that the department's objectives are achieved (Mirza et al. 46). Examples of these controls include the separation of tasks, distributed among different people in an attempt to reduce the risk of errors or inappropriate actions (Li et al. 182). Distributed responsibilities include accounting, approval and custody. Another example is asset security, where access to inventory, equipment, cash and other types of assets is restricted. Assets are periodically inspected and the results are compared to control records to determine if there is an error (Mirza et al. 46). Detective controls are controls that detect irregularities or errors after they have already occurred.
Examples of detective controls include reconciliation in which employees exchange different sets of data with each other, find and investigate errors, and, if necessary, take corrective action. Another example is the audit aimed at..
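As an added example (not part of the essay or any cited source), the following Python script applies the reconciliation detective control described above to a constructed production change log and change register. It encodes the controls the essay lists for system change: management approval before implementation, testing in a sandbox, logging each change with reference material, and separating design from test and approval. All names, ticket ids, field names and log entries are constructed for illustration.

```python
# Detective control over system changes (added example, not from the essay):
# reconcile a constructed production change log against a constructed change
# register and report the exceptions an IT auditor would raise.
from dataclasses import dataclass

@dataclass
class ChangeRecord:
    """One approved change from the register (all field names are assumed)."""
    change_id: str
    designer: str
    tester: str
    approver: str
    tested_in: str        # environment in which the change was tested
    reference: str = ""   # link to design/test documentation for the change

# Constructed sample data: the register kept by the change management process.
REGISTER = {
    "CHG-101": ChangeRecord("CHG-101", "alice", "bob", "carol", "sandbox", "wiki/CHG-101"),
    "CHG-102": ChangeRecord("CHG-102", "dave", "dave", "erin", "production", ""),
    "CHG-103": ChangeRecord("CHG-103", "frank", "grace", "frank", "sandbox", "wiki/CHG-103"),
}

# Constructed sample data: what the automated change-tracking tool recorded in
# production (who deployed, and which approved change the deployment cites).
PRODUCTION_LOG = [
    {"ts": "2024-03-01T09:12Z", "deployer": "heidi", "change_id": "CHG-101"},
    {"ts": "2024-03-02T14:40Z", "deployer": "dave", "change_id": "CHG-102"},
    {"ts": "2024-03-03T08:05Z", "deployer": "frank", "change_id": "CHG-103"},
    {"ts": "2024-03-03T22:30Z", "deployer": "ivan", "change_id": None},
]

def reconcile(log, register):
    """Return (change_id, finding) pairs; an empty list means no exceptions."""
    findings = []
    for entry in log:
        cid = entry["change_id"]
        rec = register.get(cid) if cid else None
        if rec is None:  # deployment with no approved change behind it
            findings.append((cid, f"unauthorized: no approved change for deployment by {entry['deployer']}"))
            continue
        if rec.designer == rec.tester:
            findings.append((cid, "segregation of duties: designer also tested the change"))
        if rec.approver in (rec.designer, entry["deployer"]):
            findings.append((cid, "segregation of duties: approver designed or deployed the change"))
        if rec.tested_in != "sandbox":
            findings.append((cid, f"testing policy: tested in '{rec.tested_in}', not a sandbox"))
        if not rec.reference:
            findings.append((cid, "poor logging: no reference material recorded"))
    return findings
```

Running `reconcile(PRODUCTION_LOG, REGISTER)` reports nothing for CHG-101 and five findings for the other entries, which is the exception list a reviewer would investigate and, where needed, correct.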