
IT Risks | ITGC Risk Management | IT General Controls | Information Technology Risks

By Auditing Tricks

Summary

Key takeaways

  • IT Asset Management Risks: Risks in IT asset management include inadequate control over asset records, unauthorized modifications, and failure to recover assets from departing employees, leading to potential financial loss. [01:47], [02:58]
  • Antivirus Management Risks: Antivirus management risks involve potential data loss or leakage from hacking/virus attacks and legal action from using pirated software. Unauthorized downloads or browsing inappropriate websites also pose threats. [04:29], [05:13]
  • Backup and Restoration Risks: Risks in backup and restoration include data loss due to incomplete backups or corrupted media, and theft of data from unauthorized movement of backups. Loss of financial data is also a high-rated risk. [05:58], [06:37]
  • User Access Management Risks: User access management risks encompass unauthorized user ID creation, incorrect access rights, segregation of duty conflicts, and failure to revoke access for departing employees, all contributing to potential data loss and fraud. [07:22], [08:13]
  • Password Management Risks: Password management risks include not implementing strong password policies, leaving laptops and desktops unprotected, and failing to secure highly sensitive systems physically. Sharing super user IDs is also a significant fraud risk. [12:27], [13:15]

Topics Covered

  • IT asset risks: Unauthorized procurement and returns lead to financial loss.
  • Antivirus management risks: Pirated software and unauthorized downloads lead to data loss.
  • Backup and restoration risks: Corrupted media and unauthorized movement endanger data.
  • User access risks: Unauthorized creation, segregation of duty, and delayed deactivation.
  • Password management risks: Weak policies and lack of physical security compromise data.

Full Transcript

Hello friends and welcome back to my channel, Auditing Tricks, which is a one-stop solution for all your audit-related queries.

In this video we will see and learn what are the risks related to IT general controls.

audit professional or working in an MNC or a Big Four firm, then you can buy our resources, which will be useful for your internal audit professional journey. We have internal audit checklists, internal audit reports, risk registers, RCMs and SOPs. We also have templates, with 40 types of templates. We are offering more than 800 slides in PPT format which you can buy. So you can mail us for the rate list at auditingtricks@gmail.com.

In this video, we will cover the risks of ITGC related to the following subprocesses, including IT asset management, antivirus management, backup and restoration, user access management, incident reporting management, user ID maintenance and password maintenance.

Before starting the video, do subscribe to my YouTube channel. Hit the like button on this video, and you can post your comments in the comment section with your queries or your appreciation. Also, you can share this video link with your friends and family members who are interested in auditing.

So, let's start learning the risks of the ITGC controls. The first subprocess which we'll be covering is related to IT asset management.

The first risk is inadequate control over IT asset records and their movements. Here the control objective is to ensure that a detailed list is maintained to track all the IT assets. It is not a fraud risk and it can be classified as a medium risk.

The next one is unauthorized modifications in IT asset records. Here we need controls to ensure that access to the IT asset tracker is restricted. Yes, it can be a fraud risk and it can be a high-rated risk as well.

The next one is unauthorized procurement of IT assets. This is required to ensure that all the IT assets are procured based on the required approvals. This is not a fraud risk and can be rated as a medium risk.

The next one is IT assets not returned by the leavers or separators, leading to financial loss to the company. Here we need a control to ensure that assets given to the employees and other users are returned at the time of their separation or termination. This is a fraud risk and can be classified as a high-rated risk.

The next risk in IT asset management is periodic verification of unused IT assets not done. This is required to ensure that the stock is available and reconciled with the books. This is not a fraud risk and can be rated as a low risk.

The next risk is IT assets not purchased at a competitive price. This control is required to procure quality products at a competitive price. This is not a fraud risk and can be rated as a high risk.

The next one is all IT assets not labeled or serially numbered. This control is required to ensure the correctness of the IT stock. This is a medium-rated risk. And the next one is unauthorized issuance of IT assets to individuals. Here the control is required to ensure that the assets are transferred only to authorized people. This can be a fraud risk and can be rated as a high-rated risk. I hope you're liking the video. Do subscribe to my channel and hit the bell icon so that you receive all the notifications, and hit like on the video if you like the content.

The next subprocess which we will be covering is related to the antivirus management of the ITGC controls. Here the first risk is hacking or virus attacks which may lead to leakage of information or loss of data. Here the control is required to ensure that controls are put in place for protection of data from any hacking or any kind of virus attack possibilities. This is not a fraud risk and can be classified as a medium-rated risk.

The next one is loss of sensitive information due to virus attack, or legal action in case of usage of pirated software. Here the control is required to ensure that controls are in place for protection of data and information from theft or leakage of any software, hardware or any user account. Yes, it can be rated as a fraud risk and can be classified as a high-rated risk.

The next one in this category is the possibility of loss of data or information due to unauthorized software download or any inappropriate website browsing. Here we need the control to ensure that the company has a firewall policy to protect systems from inappropriate content, or to ensure that the antivirus blocks the websites which are not allowed as per the company norms. It is not a fraud risk and can be rated as a medium-rated risk.

The next subprocess is related to backup and restoration management. Here the first risk is the possibility of data loss or incomplete data backup. Here we need to ensure that the data is adequately backed up as per defined processes. This is not a fraud risk and can be rated as a high-rated risk.

The next risk is the possibility of data loss due to corrupted backup media. Here we need a control to ensure that the backup media is regularly checked and verified to confirm readability of the data. This is not a fraud risk and can be rated as a medium risk.

The next risk is the possibility of loss or theft of data due to unauthorized movement of data backups. Here we need to ensure that there is no unauthorized movement of data, and data movement should be safe and monitored by someone. Yes, it can be classified as a fraud risk and is a high-rated risk.

The next one is the possibility of loss of financial data. Here we need to ensure that the data backup is kept at a place which is safe, outside the premises or the office. It is a fraud risk and can be rated as a high-rated risk.

The next subprocess which we will cover in ITGC controls is user access management. The first risk is unauthorized user ID creation or access rights allowed, leading to the possibility of loss of data. Here we need the control to ensure that no unauthorized user ID is created and no unauthorized access rights are allowed, like any kind of T-code or something. Yes, it can be a fraud risk and it's a high-rated risk.

The next one is segregation of duty conflict due to wrong allocation of T-code access to a user. Here we need the control to ensure that segregation of duty conflicts are avoided while allocating any kind of roles or T-code access to the users. It can be a fraud risk and can be rated as a high-rated risk.

The next one is unauthorized use of the systems beyond his employment tenure, which may lead to leakage of sensitive information. Here we need to ensure that the access rights of employees leaving the organization are revoked or blocked on time, that is, from the last working day of the employee. It can be a fraud risk and can be classified as a high-rated risk.

The next one is super user ID and password shared with multiple users. So here we need the control to ensure that super user ID access is restricted only to IT personnel and to restricted people only. Yes, it can be classified in the fraud risk category and can be rated as a high risk.

The next subprocess which we will cover in the ITGC risks is incident management. So the first risk is absence of resolution for IT-related queries. Here we need a control to ensure that the company has installed an incident management system. It is not a fraud risk and can be rated as a low risk. The next is delay in resolving IT issues of the users. Here we need the control to ensure that IT-related issues of any user are resolved within the defined timelines and to their satisfaction. It is not a fraud risk and can be classified as a low risk.

The next is IT issues closed without providing any satisfactory resolution to the users, or user dissatisfaction and delay in operations of the company. Here we need the control to ensure that the users are informed after the resolution of issues raised by them is done. It is not a fraud risk and can be classified as a medium risk.

The next one is IT issue tickets remaining open, which may impact the working operations of the business. Here we need the control to ensure that open ticket status is reviewed on a periodic basis and tickets are closed on a timely basis. It is not a fraud risk and can be classified as a medium-rated risk.

I hope you're liking the video. Do subscribe to my channel and hit the like button. So the next risk category is related to user ID maintenance.

Here the first risk is users given access to services or any applications which they are not specifically authorized to use. Here we need to ensure as a control that only authorized users are given access rights to the applications. It is a fraud risk and can be classified under a high-rated category.

The next one is related to the user ID being created without approval from the competent authority as per the chart of authority. Here we need to ensure that an ID is created only after due approval from the competent authority defined by the management under the chart of authority. It can be a fraud risk and can be rated as a high-rated risk.

The next risk under this category is multiple active user IDs being created for a single employee. Here we need to ensure that each user is assigned only one user ID and cannot be issued more than one. It is not a fraud risk and can be rated as a medium risk.

The next one is that there is no security awareness for new employees before they are allowed access to the network or any kind of applications. Here we need to establish controls to ensure that the employees are aware of the consequences of wrong usage of any kind of system or any applications. It is not a fraud risk and can be classified as a low risk.

The next subsection which we'll cover in ITGC risks is password management. So the first risk is strong password policy not implemented to ensure that all passwords are changed from their defaults and are not easy to guess. Here we need the control to ensure the safety of passwords and protection of data. It is not a fraud risk and can be rated as a medium-rated risk.

The next is laptops and desktops not password protected. Here anyone, curious or intending to access the information on that laptop or desktop within the premises, can access it. Here we need the control to ensure that there is safety of passwords and privacy of data. It can be a fraud risk and can be rated as a high risk.

The next one is that highly sensitive systems are not kept under physical lock and key in addition to password protection. Here we are talking about physical security. So the control is required to ensure the safety and protection of the system assets and data in physical form. It is not a fraud risk and can be rated as a medium risk.

The next one is password management system: enforcing various password controls such as accountability, enforcing password change at regular intervals, storing passwords in encrypted form or not displaying the password on the screen, etc., is not implemented. So here we need to ensure the safety of passwords and protection of data. It is a fraud risk and can be rated as a high risk.

So congratulations, you now know all the risks related to IT general controls and you can do an audit in your organization related to the ITGC controls.

I hope you like the video and the content. So do subscribe to my channel for more audit-related content. Do share this video link with your friends and family who are interested in audit and its related topics. Do hit like on the video and keep following me for more content. If you want to buy our resources, you can email us at auditingtricks@gmail.com.

I will see you in the next video. Bye-bye.
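The user access management and user ID maintenance risks covered in the video (leavers whose IDs stay active past their last working day, segregation of duty conflicts from wrongly allocated roles or T-codes, IDs created without approval, multiple active IDs for one employee, and shared super user IDs) are exactly what an auditor tests in a periodic user access review. The following Python script is an added example, not part of the video or of Auditing Tricks' resources: it reconciles a constructed HR roster against a constructed application user list and reports each of those conditions. The role names, the SoD rule pairs, the `SAP_ALL`-style privileged profile and the approval references are assumptions made up for the illustration.

```python
"""Added example: periodic user access review against an HR roster.

Findings are returned as (finding_type, subject, detail) tuples so they can be
dropped straight into a working paper; nothing here talks to a real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    last_working_day: Optional[date] = None  # None means still employed


@dataclass(frozen=True)
class AppUser:
    user_id: str
    emp_id: Optional[str]          # None for generic accounts not tied to one person
    active: bool
    roles: FrozenSet[str]
    approval_ref: Optional[str]    # ticket reference from the chart-of-authority workflow


# Hypothetical SoD rule set: each pair of roles must never sit with one user.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}): "create a vendor and pay it",
    frozenset({"PO_CREATE", "PO_APPROVE"}): "raise and approve own purchase order",
}

# Hypothetical name for an all-powerful (super user) profile.
SUPERUSER_ROLES = frozenset({"SAP_ALL"})

Finding = Tuple[str, str, str]


def review_access(employees: Iterable[Employee], users: Iterable[AppUser],
                  review_date: date,
                  sod_rules: Dict[FrozenSet[str], str] = SOD_RULES,
                  superuser_roles: FrozenSet[str] = SUPERUSER_ROLES) -> List[Finding]:
    by_emp = {e.emp_id: e for e in employees}
    active = [u for u in users if u.active]
    findings: List[Finding] = []

    for u in active:
        emp = by_emp.get(u.emp_id) if u.emp_id else None
        # Leaver still active after the last working day (access not revoked on time).
        if emp and emp.last_working_day and emp.last_working_day < review_date:
            findings.append(("leaver_active", u.user_id, f"{u.emp_id} left {emp.last_working_day}"))
        # ID mapped to an employee HR does not know about.
        if u.emp_id and emp is None:
            findings.append(("unknown_employee", u.user_id, f"{u.emp_id} not in HR roster"))
        # ID created without an approval reference from the competent authority.
        if not u.approval_ref:
            findings.append(("unapproved_id", u.user_id, "no approval reference"))
        # SoD conflict: the user holds every role of a forbidden pair.
        for pair, description in sod_rules.items():
            if pair <= u.roles:
                findings.append(("sod_conflict", u.user_id, description))
        # Privileged profile on a generic ID that cannot be tied to one person.
        if u.roles & superuser_roles and u.emp_id is None:
            findings.append(("shared_superuser", u.user_id, "privileged generic ID not tied to one person"))

    # More than one active ID for the same employee.
    ids_per_emp: Dict[str, List[str]] = {}
    for u in active:
        if u.emp_id:
            ids_per_emp.setdefault(u.emp_id, []).append(u.user_id)
    for emp_id, ids in ids_per_emp.items():
        if len(ids) > 1:
            findings.append(("multiple_ids", emp_id, ",".join(sorted(ids))))

    return sorted(findings)


def run_sample() -> List[Finding]:
    """Constructed roster and user list exercising every finding type once."""
    employees = [
        Employee("E001"),
        Employee("E002", last_working_day=date(2024, 3, 31)),
        Employee("E003"),
    ]
    users = [
        AppUser("jdoe", "E001", True, frozenset({"PO_CREATE"}), "CHG-101"),
        AppUser("jdoe2", "E001", True, frozenset({"PO_APPROVE"}), "CHG-150"),
        AppUser("asmith", "E002", True, frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}), "CHG-090"),
        AppUser("bwong", "E003", True, frozenset({"PO_CREATE"}), None),
        AppUser("FIREFIGHTER", None, True, frozenset({"SAP_ALL"}), "CHG-001"),
        AppUser("oldacct", "E002", False, frozenset({"PO_CREATE"}), "CHG-010"),
    ]
    return review_access(employees, users, review_date=date(2024, 5, 1))


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding, sep=" | ")
```

Note that the two IDs held by E001 are each individually clean (one can create purchase orders, the other approve them), so the SoD check has to be run per person as well as per ID once the `multiple_ids` finding is raised; the script flags the duplicate, and a reviewer would then union the roles across both IDs.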
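For the backup and restoration risks (incomplete backups and corrupted backup media), the control the video asks for is that the media is regularly checked and verified for readability. One concrete way to do that is to record a hash manifest when the backup is taken and re-hash the media at each periodic check, so that a truncated file, a missing file or a stray file on the media is reported rather than discovered during a real restore. The Python script below is an added example, not code from the video; it builds a throwaway backup in a temporary directory with constructed sample files, damages it, and shows what the verification reports. The manifest file name and the sample file names are assumptions.

```python
"""Added example: hash-manifest verification of backup media readability."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the manifest stored with the backup


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> Dict[str, str]:
    """Map every file under the backup root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(backup_dir: Path, manifest: Dict[str, str]) -> None:
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_backup(backup_dir: Path) -> Dict[str, List[str]]:
    """Re-read every file named in the manifest and classify the outcome."""
    expected = json.loads((backup_dir / MANIFEST_NAME).read_text())
    result: Dict[str, List[str]] = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        path = backup_dir / rel
        if not path.exists():
            result["missing"].append(rel)          # incomplete backup or lost file
        elif sha256_file(path) != digest:
            result["corrupted"].append(rel)        # media degradation or truncation
        else:
            result["ok"].append(rel)
    # Files on the media that the manifest never recorded deserve a look too.
    for rel in build_manifest(backup_dir):
        if rel not in expected:
            result["unexpected"].append(rel)
    return result


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed backup set: verify it clean, then after simulated media damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "gl").mkdir()
        (root / "gl" / "ledger_2024Q1.csv").write_text("account,amount\n1000,250.00\n")
        (root / "payroll.csv").write_text("emp,net\nE001,4200\n")
        write_manifest(root, build_manifest(root))
        clean = verify_backup(root)

        # Simulate a truncated file, a lost file and a stray file on the media.
        (root / "payroll.csv").write_bytes(b"emp,net\nE001,42")
        (root / "gl" / "ledger_2024Q1.csv").unlink()
        (root / "stray.tmp").write_text("not part of the backup")
        damaged = verify_backup(root)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for phase, outcome in demo().items():
        print(phase, json.dumps(outcome))
```

The manifest itself should be kept with the off-site copy and, ideally, signed or stored separately as well, since a manifest that sits only on the same media it describes is lost or corrupted together with it.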
