IT Risks and Audit Procedures

16 Terms

1

Suppose a user was granted administrative access rights in a system without documented approval and no review was done to validate their access. Identify the IT Risk.

Access risk: unauthorized access can lead to data breaches or inappropriate changes.

2

Suppose a user was granted administrative access rights in a system without documented approval and no review was done to validate their access. Identify the recommended ITGC.

New access rights must be approved by appropriate management before being granted. Periodic access reviews should be performed.

3

Suppose a user was granted administrative access rights in a system without documented approval and no review was done to validate their access. Explain the audit procedure.

Obtain a list of users granted access during the audit period. Select a sample and check documentation showing management approval. Verify that access is appropriate based on job role.

4

Suppose a company has daily backups but there is no formal monitoring or verification process to ensure backups are successfully completed and stored securely. Identify the risk.

Operations risk: failure to complete backups could lead to data loss and the inability to recover systems after a failure.

5

Suppose a company has daily backups but there is no formal monitoring or verification process to ensure backups are successfully completed and stored securely. Recommend an ITGC.

Backup jobs should be monitored with regular reviews of backup logs. Failed backups should be explained.

6

Suppose a company has daily backups but there is no formal monitoring or verification process to ensure backups are successfully completed and stored securely. Describe the audit procedure.

Review backup logs for a sample period. Verify that backups completed correctly. Review documentation of any failures. Interview IT about verification procedures.

7

A terminated employee’s Active Directory account remained active for three weeks after separation. During that time, the user still had access to the ERP system, including customer master data. Identify the risk.

Access risk: unauthorized access to sensitive data by former employees, leading to potential data manipulation or fraud.

8

A terminated employee’s Active Directory account remained active for three weeks after separation. During that time, the user still had access to the ERP system, including customer master data. Recommend an ITGC.

Create offboarding procedures to ensure terminated employees lose access to all systems immediately upon termination. Ensure segregation of duties: HR notifies IT of the user's termination, and IT removes the user's access.

9

A terminated employee’s Active Directory account remained active for three weeks after separation. During that time, the user still had access to the ERP system, including customer master data. Describe the audit procedure.

Obtain a list of terminated employees and compare with system access logs to identify accounts still active post-termination.

10

A new feature was added to the sales module of the ERP system. The feature was pushed to production by a developer who also coded the change. No record of user acceptance testing or approval from business management was found. Identify the risk.

Operational risk: lack of proper testing and approval could lead to undetected issues in the new feature, impacting business operations.

11

A new feature was added to the sales module of the ERP system. The feature was pushed to production by a developer who also coded the change. No record of user acceptance testing or approval from business management was found. Identify the ITGC.

Implement change management procedures to ensure that all modifications are tested and approved before deployment. Enforce segregation of duties so that the developer cannot deploy their own code. Require:

  • Documented business approval

  • A controlled migration process

  • User Acceptance Testing (UAT), also called application testing, which is the final stage of any software development or change request lifecycle before go-live

12

A new feature was added to the sales module of the ERP system. The feature was pushed to production by a developer who also coded the change. No record of user acceptance testing or approval from business management was found. Describe the audit practices.

  • Review a sample of changes made to production (e.g., from Jira or a change log system).

  • Check for:

    • Business approval signatures or tickets

    • UAT evidence (test results or sign-offs)

    • Whether the same person coded and deployed the change

  • Confirm access controls that restrict developers from pushing to production.

13

The company discovered that its automated data backup system had not successfully run for over a week. In the event of a system failure, this could have resulted in significant data loss, as there was no recent recovery point. Identify the risk.

Operational risk: leads to potential data loss. It threatens the availability of data, and so affects compliance with regulatory requirements for data protection and integrity.

14

The company discovered that its automated data backup system had not successfully run for over a week. In the event of a system failure, this could have resulted in significant data loss, as there was no recent recovery point. Recommend an ITGC.

Implement automated backup monitoring with alert notifications for failures. Perform regular backup verification and restore tests. Ensure routine testing of backups and establish a recovery plan.

15

The company discovered that its automated data backup system had not successfully run for over a week. In the event of a system failure, this could have resulted in significant data loss, as there was no recent recovery point. Describe the audit procedure.

Conduct a review of the backup system's logs to verify the schedule and success of backup operations. Ensure that documented recovery procedures are tested and validated regularly to minimize the impact of data loss.

16