IT Change Management

Questions and Answers

Within IT change management, what is the primary risk associated with inadequately tested changes to existing IT application programs?

• Unauthorized developers moving untested changes into production.
• Changes not functioning as described or requested. (correct)
• Configuration changes being made by unauthorized personnel.
• Multiple instances of the same IT application not remaining identical.

Why is it important to validate changes immediately after installation within IT change management?

• To permit developers to move unauthorized changes.
• To identify and rectify any discrepancies or failures promptly. (correct)
• To ensure changes are approved by business management.
• To avoid reviewing and updating the SDLC process periodically.

What is the purpose of restricting programs in the test environment to a limited number of authorized personnel?

• To prevent inappropriate or unauthorized changes to configurations.
• To ensure developers can move unauthorized changes into the production environment.
• To prevent unauthorized access and modifications by individuals without development responsibilities. (correct)
• To allow changes to be pushed to all instances at the same time.

What control should be implemented to ensure configuration changes are appropriate and authorized?

Logging and reviewing configurations regularly. (C)

Why is it vital to ensure that multiple instances of the same IT application remain identical?

To ensure consistent functionality and data integrity across the organization. (A)

Which ITGC is MOST directly related to ensuring that changes to IT systems do not adversely affect financial reporting?

Change Management (B)

What is the primary purpose of IT access controls?

To ensure that only authorized users have appropriate access to IT resources. (D)

Why is segregation of duties a critical concern in IT access management?

To prevent any single individual from having excessive control over critical processes. (C)

Why are authentication and validation important concepts in IT access controls?

To restrict authorized users to performing appropriate actions aligned with their roles. (B)

What type of control requires passwords to be reset every 90 days?

Access control. (C)

What is the purpose of periodically reviewing user access rights?

To validate that access levels still align with current job responsibilities. (B)

Which common ITGC deficiency relates to inconsistent enforcement of IT policies and standards across the organization?

Lack of consistent IT governance (A)

What does Identity Management primarily define?

The who, what, where, and how of an identity within an organization (D)

Which of the following is a common example of outsourcing?

IT services such as data storage and network support (B)

Which of the following is a benefit of outsourcing for an organization?

Elimination of the need for capital expenditures on hardware and software (C)

Which of the following is a key risk associated with outsourcing?

Vendor exploitation (B)

What is Infrastructure as a Service (IaaS)?

Renting the IT infrastructure, such as servers and storage (D)

What is the primary focus of a SOC 2 report?

Controls relevant to security, availability, processing integrity, confidentiality, or privacy (A)

What does CUEC stand for and what is its significance in the context of SOC reports?

Complimentary User Entity Controls; outlines controls that user entities must implement (C)

What are CSOCs in the context of SOC reports?

Controls assumed to be implemented by the subservice organization. (B)

Flashcards

IT Change Management

Ensures changes to IT systems are properly tested, approved, and implemented to avoid disruptions or errors.

Risk: Insecure Programs

Programs aren't safe, allowing unauthorized or untested changes to be moved into the production environment.

IT Access Management

Ensures that access to IT systems and data is limited to authorized individuals, preventing unauthorized access or data breaches.

Risk: Inadequate Authentication

Risks that people who don't belong in the IT environment are there because security settings or authentication is bad.

Segregation of Duties

Ensures duties are divided so no single person can compromise a critical process.

Authentication/Validation

Confirms IT access is restricted to appropriate users.

Password Reset Control

A control requires users to reset passwords periodically, (e.g., every 90 days).

IDM System

An information system used for identity management across an enterprise or network.

Outsourcing

Using external resources for specific business functions or processes.

Examples of Outsourcing

IT services, HR, or bookkeeping

Benefit of Outsourcing: Costs

The business doesn't need capital expenditures such as: hardware, software, site data centers, etc.

Benefit of Outsourcing: Reliability

Data backup, disaster recovery, and business continuity is easier and less expensive.

Risks of Outsourcing: Costs

Your costs could exceed benefits.

Risks of Outsourcing: Vendor Exploitation

The vendor is exploited due to reduced security

Public Cloud

A cloud computing service provided by a third party

Hybrid Cloud

Combine public and private cloud deployments together.

Private Cloud

Cloud computing recourses used exclusively by a single business

IaaS

Rent the IT infrastructure

PaaS

Supply an on-demand environment for developing, testing, delivering, and managing software applications

SaaS

A method for delivering software applications over the internet

Study Notes

ITGCs - IT Manage Change

• New IT applications or changes may fail due to inadequate testing
• Control: Changes should be validated directly after installation
• Test: Obtain a list of changes
• New IT applications or changes may be unsuitable for the business or IT environment
• Control: Changes need approval and testing by business management before implementation
• Test: Inspect evidence and lists of changes
• Programs in production may be unsecured, leading to unauthorized or untested changes
• Control: Test environment programs needs limited access to authorized personnel without development duties
• Test: Review lists of user IDs
• Configuration changes by IT staff may be inappropriate or unauthorized
• Control: Configurations are logged and reviewed
• Test: Check configuration settings
• Multiple instances of an IT application should be identical
• Control: Changes gets pushed to every instance simultaneously; comparisons should occur periodically
• Test: Inspect settings
• Implementation failures of new systems, upgrades, or key integrations can impact financial reporting controls
• Control: The SDLC process is reviewed/updated periodically

ITGCs - IT Access (aka Manage Access or Logical Access)

• Typical risks include users of the IT environment being unintended due to inadequate authentication and security
• Access granted might not match approved access levels, or users may be generally inappropriate
• Concerns arise in segregation of duties due to IT user access
• Combining IT application functions into roles can cause segregation of duties issues, risking misstatements
• Direct data changes are made without authorization
• Authentication and validation concepts are in place for authorized users
• Validated users are restricted to authorized actions aligned with their roles (authorization/access rights)
• Controls, such as password resets every 90 days and annual user access reviews, need evaluation

Deloitte Review Slides - Considerations for Acceptable Deviation Levels

• Risk associated with the control
• Complexity
• Extent of reliance on the control
• Testing approach
• Nature of the control

Common GITC (ITGC) Deficiency Themes

• Lack of consistent IT governance
• Cybersecurity breach leading to compromise of financial systems
• Management of end-user segregation of duties
• Highly privileged access management
• Developer access to production environments
• SDLC failures due to major system implementation issues

Identity Management

• Defines who, what, where, and how of an identity within an organization
• It defines what an identity is, what it can do, and how to track and report on the entity
• IDM systems include info systems used for enterprise or cross-network identity management

Third-Party Risk

• Outsourcing includes IT services, HR functions, and bookkeeping
• Benefits include lower capital expenditures on hardware, software, and data centers
• Global scale provides the right amount of IT resources and capacity
• Regularly updated cloud services improves performance
• Updated security via a broad set of policies and technologies
• Speed provides vast computing resources on demand
• Productivity enables focus on core business goals by removing the need to "rack and stack" additional resources
• Reliability with built-in data backup, disaster recovery, and business continuity
• Risks include costs exceeding benefits and failure to perform
• Vendor exploitation and reduced security can occur
• A loss of strategic advantage and reduced ability to reestablish outsourced function is a possibility
• Lower employee loyalty, quality, consistency, and oversight issues are risks

Cloud Computing/Service Types

• Public clouds are owned and operated by a third-party cloud provider
• Hybrid clouds combine public and private clouds, sharing data via technology
• Private clouds are exclusively for a single business or organization
• IaaS is the most basic, involving renting IT infrastructure
• PaaS supplies an on-demand environment for developing, testing, delivering, and managing applications
• SaaS is a method for delivering software applications over the internet

SOC Reports

• SOC reports are included under the SOC Suite of Service Offerings
• Organizations may need SOC reports for various reasons
• SOC 1 reports are used by customers and auditors to conduct audits of financial statements
• SOC 1 includes ICFR, Type 1 (as of a specific date), and Type 2 (throughout a period)
• SOC 2 reports on controls related to security, availability, processing integrity, confidentiality, or privacy
• SOC 2 includes Type 1 (design of controls) and Type 2 (design and operating effectiveness)
• Customers utilize these reports to understand processing controls
• SOC 2+ includes the criteria of SOC 2 alongside additional criteria
• SOC 3 reports provide confidence to stakeholders regarding a service organization's systems
• SOC 3 reports are intended for general use
• Trust Services Criteria are used in SOC 2 and 3 engagements
• SOC 1 and SOC 2 reports have 5 sections
• CUECs are complimentary user entity controls, where the service organization assumes controls will be implemented by user entities
• CUECs Example: User Access, Sign-on credentialing such as PWs and multifactor authentication
• CSOCs are supplementary subservice organization controls, where the service organization assumes controls will be implemented by the subservice organization
• CSOCs Example: Physical Security, Data Backup and Recovery