Questions and Answers
Within IT change management, what is the primary risk associated with inadequately tested changes to existing IT application programs?
- Unauthorized developers moving untested changes into production.
- Changes not functioning as described or requested. (correct)
- Configuration changes being made by unauthorized personnel.
- Multiple instances of the same IT application not remaining identical.
Why is it important to validate changes immediately after installation within IT change management?
- To permit developers to move unauthorized changes.
- To identify and rectify any discrepancies or failures promptly. (correct)
- To ensure changes are approved by business management.
- To avoid reviewing and updating the SDLC process periodically.
What is the purpose of restricting programs in the test environment to a limited number of authorized personnel?
- To prevent inappropriate or unauthorized changes to configurations.
- To ensure developers can move unauthorized changes into the production environment.
- To prevent unauthorized access and modifications by individuals without development responsibilities. (correct)
- To allow changes to be pushed to all instances at the same time.
What control should be implemented to ensure configuration changes are appropriate and authorized?
Why is it vital to ensure that multiple instances of the same IT application remain identical?
Which ITGC is MOST directly related to ensuring that changes to IT systems do not adversely affect financial reporting?
What is the primary purpose of IT access controls?
Why is segregation of duties a critical concern in IT access management?
Why are authentication and validation important concepts in IT access controls?
What type of control requires passwords to be reset every 90 days?
What is the purpose of periodically reviewing user access rights?
Which common ITGC deficiency relates to inconsistent enforcement of IT policies and standards across the organization?
What does Identity Management primarily define?
Which of the following is a common example of outsourcing?
Which of the following is a benefit of outsourcing for an organization?
Which of the following is a key risk associated with outsourcing?
What is Infrastructure as a Service (IaaS)?
What is the primary focus of a SOC 2 report?
What does CUEC stand for and what is its significance in the context of SOC reports?
What are CSOCs in the context of SOC reports?
Flashcards
IT Change Management
Ensures changes to IT systems are properly tested, approved, and implemented to avoid disruptions or errors.
Risk: Insecure Programs
Programs aren't safe, allowing unauthorized or untested changes to be moved into the production environment.
IT Access Management
Ensures that access to IT systems and data is limited to authorized individuals, preventing unauthorized access or data breaches.
Risk: Inadequate Authentication
Segregation of Duties
Authentication/Validation
Password Reset Control
IDM System
Outsourcing
Examples of Outsourcing
Benefit of Outsourcing: Costs
Benefit of Outsourcing: Reliability
Risks of Outsourcing: Costs
Risks of Outsourcing: Vendor Exploitation
Public Cloud
Hybrid Cloud
Private Cloud
IaaS
PaaS
SaaS
Study Notes
ITGCs - IT Manage Change
- New IT applications or changes may fail due to inadequate testing
- Control: Changes should be validated directly after installation
- Test: Obtain a list of changes
- New IT applications or changes may be unsuitable for the business or IT environment
- Control: Changes need approval and testing by business management before implementation
- Test: Inspect evidence and lists of changes
- Programs in production may be unsecured, leading to unauthorized or untested changes
- Control: Access to programs in the test environment is limited to authorized personnel without development duties
- Test: Review lists of user IDs
- Configuration changes by IT staff may be inappropriate or unauthorized
- Control: Configurations are logged and reviewed
- Test: Check configuration settings
- Multiple instances of an IT application should be identical
- Control: Changes get pushed to every instance simultaneously; instances should be compared periodically
- Test: Inspect settings
- Implementation failures of new systems, upgrades, or key integrations can impact financial reporting controls
- Control: The SDLC process is reviewed/updated periodically
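The "compare instances periodically" control above is something an auditor or engineer can script rather than inspect by hand. The following is an added example (not from the original study notes) that detects configuration drift between several instances of one application: it flattens each instance's settings to dotted keys and reports every setting whose value differs from a chosen baseline instance, including settings present on one instance but missing on another. The instance names, settings and JSON format are constructed for the example.

```python
"""Added example: detect configuration drift between instances of one IT application."""
import json
from typing import Any, Dict

# Sentinel used when a setting exists on some instances but not on others.
MISSING = "<missing>"

# Constructed sample: three instances of the same application, exported as JSON.
# app-01 and app-02 are identical; app-03 has drifted (debug left on, weaker
# password policy, and the password max-age setting is absent altogether).
SAMPLE_CONFIGS: Dict[str, str] = {
    "app-01": json.dumps({
        "version": "4.2.1", "debug": False,
        "session": {"timeout_min": 15},
        "password": {"min_length": 12, "max_age_days": 90},
        "tls": {"min_version": "1.2"},
    }),
    "app-02": json.dumps({
        "version": "4.2.1", "debug": False,
        "session": {"timeout_min": 15},
        "password": {"min_length": 12, "max_age_days": 90},
        "tls": {"min_version": "1.2"},
    }),
    "app-03": json.dumps({
        "version": "4.2.1", "debug": True,
        "session": {"timeout_min": 15},
        "password": {"min_length": 8},
        "tls": {"min_version": "1.2"},
    }),
}


def flatten(settings: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested settings into dotted keys (e.g. "password.min_length")
    so that every leaf value can be compared individually."""
    flat: Dict[str, Any] = {}
    for key, value in settings.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat


def compare_instances(configs: Dict[str, str], baseline: str) -> Dict[str, Dict[str, Any]]:
    """Return {setting: {instance: value}} for every setting on which at least one
    instance differs from the baseline instance. An empty dict means no drift."""
    parsed = {name: flatten(json.loads(raw)) for name, raw in configs.items()}
    base = parsed[baseline]
    all_keys = set().union(*(p.keys() for p in parsed.values()))
    drift: Dict[str, Dict[str, Any]] = {}
    for key in sorted(all_keys):
        values = {name: p.get(key, MISSING) for name, p in parsed.items()}
        if any(v != base.get(key, MISSING) for v in values.values()):
            drift[key] = values
    return drift


if __name__ == "__main__":
    report = compare_instances(SAMPLE_CONFIGS, baseline="app-01")
    if not report:
        print("no drift detected")
    for setting, values in report.items():
        print(setting)
        for instance, value in values.items():
            print(f"  {instance}: {value}")
```

In practice the JSON strings would come from each instance's configuration export; the comparison is the same. Treating a missing setting as a difference matters, because a setting that was never pushed to one instance (here the password max-age) is exactly the kind of gap a periodic comparison is meant to catch.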
ITGCs - IT Access (aka Manage Access or Logical Access)
- Typical risks include unintended users gaining access to the IT environment because of inadequate authentication and security
- Access granted might not match the approved access levels, or the users themselves may be inappropriate
- Concerns arise in segregation of duties due to IT user access
- Combining IT application functions into roles can cause segregation of duties issues, risking misstatements
- Direct data changes are made without authorization
- Authentication and validation concepts are in place for authorized users
- Validated users are restricted to authorized actions aligned with their roles (authorization/access rights)
- Controls, such as password resets every 90 days and annual user access reviews, need evaluation
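The access review and segregation-of-duties points above reduce to a few mechanical checks over an access export. The following is an added example (not from the original study notes) of a periodic user access review: it compares each account's actual roles against the approved access record, flags segregation-of-duties conflicts, flags developers who also hold production roles (one of the common deficiency themes listed later on this page), and flags passwords older than the 90-day reset period. The user names, role names and conflict pairs are constructed for the example.

```python
"""Added example: periodic user access review against approved access."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data (not from any real system).
# Approved access, e.g. from access request / HR records.
APPROVED: Dict[str, Set[str]] = {
    "alice": {"AP_INVOICE_ENTRY"},
    "bob": {"AP_PAYMENT_RELEASE"},
    "carol": {"DEV_APP_CODE"},
    "dave": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},  # approved, but still an SoD conflict
}
# Actual access, e.g. an export of user IDs and roles from the application.
ACTUAL: Dict[str, Set[str]] = {
    "alice": {"AP_INVOICE_ENTRY"},
    "bob": {"AP_PAYMENT_RELEASE", "AP_INVOICE_ENTRY"},   # more than approved
    "carol": {"DEV_APP_CODE", "PROD_DB_ADMIN"},           # developer holding production access
    "dave": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "erin": {"PROD_DB_ADMIN"},                            # no approval record at all
}
# Days since each account's password was last changed.
PASSWORD_AGE_DAYS: Dict[str, int] = {"alice": 30, "bob": 120, "carol": 45, "dave": 10, "erin": 200}

# Role combinations that one person must not hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"})}
PRODUCTION_ROLES: Set[str] = {"PROD_DB_ADMIN", "PROD_DEPLOY"}
DEVELOPER_ROLES: Set[str] = {"DEV_APP_CODE"}
PASSWORD_MAX_AGE_DAYS = 90

Finding = Tuple[str, str, List[str]]  # (user, issue, roles involved)


def review_access(
    approved: Dict[str, Set[str]],
    actual: Dict[str, Set[str]],
    password_age_days: Dict[str, int],
    sod_conflicts: Set[FrozenSet[str]] = SOD_CONFLICTS,
    production_roles: Set[str] = PRODUCTION_ROLES,
    developer_roles: Set[str] = DEVELOPER_ROLES,
    max_password_age: int = PASSWORD_MAX_AGE_DAYS,
) -> List[Finding]:
    """Return one finding per issue found in the actual access export."""
    findings: List[Finding] = []
    for user, roles in sorted(actual.items()):
        granted = approved.get(user)
        if granted is None:
            # Account exists without any approval record (e.g. a leaver or an orphan ID).
            findings.append((user, "no approval record", sorted(roles)))
        else:
            extra = roles - granted
            if extra:
                findings.append((user, "access exceeds approval", sorted(extra)))
        # SoD is checked on actual roles, regardless of whether they were approved.
        for pair in sod_conflicts:
            if pair <= roles:
                findings.append((user, "segregation of duties conflict", sorted(pair)))
        if roles & developer_roles and roles & production_roles:
            findings.append((user, "developer with production access", sorted(roles & production_roles)))
        if password_age_days.get(user, max_password_age + 1) > max_password_age:
            findings.append((user, f"password older than {max_password_age} days", []))
    return findings


if __name__ == "__main__":
    for user, issue, roles in review_access(APPROVED, ACTUAL, PASSWORD_AGE_DAYS):
        print(f"{user:6} {issue:35} {' '.join(roles)}")
```

Note that dave is flagged even though his access matches the approval record: an approved combination of conflicting roles is still a segregation-of-duties issue, and the review should surface it so that management can either split the roles or document a compensating control.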
Deloitte Review Slides - Considerations for Acceptable Deviation Levels
- Risk associated with the control
- Complexity
- Extent of reliance on the control
- Testing approach
- Nature of the control
Common GITC (ITGC) Deficiency Themes
- Lack of consistent IT governance
- Cybersecurity breach leading to compromise of financial systems
- Management of end-user segregation of duties
- Highly privileged access management
- Developer access to production environments
- SDLC failures due to major system implementation issues
Identity Management
- Defines who, what, where, and how of an identity within an organization
- It defines what an identity is, what it can do, and how to track and report on the entity
- IDM systems include info systems used for enterprise or cross-network identity management
Third-Party Risk
- Outsourcing includes IT services, HR functions, and bookkeeping
- Benefits include lower capital expenditures on hardware, software, and data centers
- Global scale provides the right amount of IT resources and capacity
- Regularly updated cloud services improve performance
- Updated security via a broad set of policies and technologies
- Speed provides vast computing resources on demand
- Productivity enables focus on core business goals by removing the need to "rack and stack" additional resources
- Reliability with built-in data backup, disaster recovery, and business continuity
- Risks include costs exceeding benefits and failure to perform
- Vendor exploitation and reduced security can occur
- A loss of strategic advantage and reduced ability to reestablish outsourced function is a possibility
- Lower employee loyalty, quality, consistency, and oversight issues are risks
Cloud Computing/Service Types
- Public clouds are owned and operated by a third-party cloud provider
- Hybrid clouds combine public and private clouds, sharing data via technology
- Private clouds are exclusively for a single business or organization
- IaaS is the most basic, involving renting IT infrastructure
- PaaS supplies an on-demand environment for developing, testing, delivering, and managing applications
- SaaS is a method for delivering software applications over the internet
SOC Reports
- SOC reports are included under the SOC Suite of Service Offerings
- Organizations may need SOC reports for various reasons
- SOC 1 reports are used by customers and auditors to conduct audits of financial statements
- SOC 1 includes ICFR, Type 1 (as of a specific date), and Type 2 (throughout a period)
- SOC 2 reports on controls related to security, availability, processing integrity, confidentiality, or privacy
- SOC 2 includes Type 1 (design of controls) and Type 2 (design and operating effectiveness)
- Customers utilize these reports to understand processing controls
- SOC 2+ includes the criteria of SOC 2 alongside additional criteria
- SOC 3 reports provide confidence to stakeholders regarding a service organization's systems
- SOC 3 reports are intended for general use
- Trust Services Criteria are used in SOC 2 and 3 engagements
- SOC 1 and SOC 2 reports have 5 sections
- CUECs are complementary user entity controls: controls the service organization assumes will be implemented by user entities
- CUECs Example: User access and sign-on credentialing, such as passwords and multifactor authentication
- CSOCs are complementary subservice organization controls: controls the service organization assumes will be implemented by the subservice organization
- CSOCs Example: Physical security, data backup and recovery