ITGC and System Change: A Brief Overview

Information technology (IT) has become prevalent in organizations and is embedded in business processes in all functional areas, replacing cumbersome and obsolete analogue procedures. Large-scale IT infrastructure has helped create significant cost savings and improve operational efficiency, while IT applications have helped spur innovation and generate competitive advantages. The advent of IT has led to our time being labeled the "information age" and every organization has had to adopt IT or risk becoming uncompetitive and irrelevant.

While there are numerous benefits that can be gained from the use of IT within an organisation, it has also given rise to new and complex risks and has significant implications for the audit profession, leading to the creation of a new type of audit role overall, i.e. the IT auditor. New IT-related risks include, but are not limited to, three areas: security issues, regulatory compliance requirements, and effective governance. These risks are mitigated by the use of ITGCs (Information Technology General Controls). ITGCs play a crucial role in ensuring that processes work according to their purpose. Specific benefits of ITGCs include financial measures such as completeness, accuracy, and validity. Non-financial objectives include confidentiality, integrity, and availability, as well as process effectiveness and efficiency (Amasaki, 2015). The use of effective ITGCs produces many benefits, the most important of which are that users can reasonably rely on their IT systems, auditors will attest to the quality of readily available controls, and investors can reasonably rely on the information they receive (Miron, 2008).
Furthermore, effective ITGCs will ensure that there are fewer regulatory issues to deal with, so the organisation's reputation will be improved and it can achieve its business objectives (GTAG 1). Ineffective ITGCs will have the opposite effect. Fundamentally, the organization will fail to achieve its goals and will fail to work towards achieving its long-term mission and vision.

ITGCs are closely related to the “business” carried out by the organization. Since IT is embedded in virtually every process and function, IT-related risks are embedded in them as well. The use of ITGCs in these processes can reduce or even eliminate these risks, directly impacting the output of these processes and therefore influencing the performance of the organization. ITGCs can also play a critical role in Sarbanes-Oxley (SOX) audits. Section 404 of SOX specifically requires that IT-related risks and controls be considered in the overall evaluation of internal controls over financial reporting (Protiviti, 2012). In essence, ITGCs must support an environment in which data integrity can be maintained. A key part of this process is ensuring that controls are in place to help prevent unauthorized or malicious users from compromising the integrity of the data.

Risks Associated with ITGC System Changes

Because IT is constantly evolving, capabilities must be updated to maintain a competitive advantage. Business needs evolve and systems must evolve to meet these changing needs. In some cases, a minor modification known as a “patch” is required to fix/update minor system issues. Making changes to the system can give rise to risks that must be carefully managed to ensure the change is successful. A major risk that can derail change is the absence of a structured change management process (Miron, 2008).
Just as a solid project management methodology improves the quality of a project and helps it stay on schedule, a change management process improves the success rate of the change and helps the organization maintain control of the process. The absence of this process leads to increased downtime of key systems and escalating costs, among a host of other problems.

Another key risk is the inadequacy of testing changes before they are implemented (Miron, 2008). This opens the door to poor integration of the change if integration testing is not performed, a high failure rate if it is tested inadequately and in the wrong environment, and poor user acceptance of the change if user acceptance testing is not part of the testing phase. Testing is key to mitigating these issues.

Unauthorized and inadequately recorded changes are also risks that arise during system changes (GTAG 2). Both of these risks arise from IT staff circumventing the change management process. Changes must fit the overall philosophy of system change and the purpose of the system overall. Unauthorized changes risk creating a lower-quality deliverable because they have not been vetted through the formalized procedures that authorize changes and verify their quality. Inadequate recording of changes creates problems when you need to verify changes, train new staff, or make additional changes. It is essential for any change to have reference material; not having enough does not bode well. These risks can cause the scope of the change to deviate from what was originally planned and lead to uncertainty, something that must be minimized during system changes.

Special attention must also be paid to the separation of duties during changes, as this establishes a framework of responsibility (GTAG 2). System changes can be complex undertakings that require effective coordination and constant communication.
Segregation of duties helps in this regard, as it establishes clear reporting lines and supervisory roles and specifies areas of responsibility. This helps reduce errors and fraud during the process, as reasonable oversight of the process is ensured. Supervisory personnel correct errors and verify that established policies and procedures are followed. A key example of separation of duties involves separating the staff who design changes from those who test them (GTAG 2), as design teams will be hesitant to report inadequacies and errors in their work, a conflict of interest. All the risks mentioned above can be mitigated by putting effective ITGCs in place and continuously improving them.

Examples of Control Objectives Related to System Change

To reduce the level of business risk arising from the maintenance of IT systems, it is critical to have adequate change controls in place. Having adequate controls to prevent unauthorized changes will result in reduced service disruptions. For system change controls to be effective in an organization, management must create and enforce a change management culture throughout the organization. That is, it could mean that it is mandatory for changes affecting services to go through manager or product/service owner approval before implementation. By requiring administrator-only rights, the chances of unauthorized personnel making changes to critical IT systems can be significantly reduced. Appropriate testing policies/procedures, such as testing an application in a sandbox environment before launching into production, should be in place to prevent service disruptions.

Enforcing policies regarding frequent system backups is another crucial element of system change. In the event that a production change fails and impacts a critical business application, an organization must have the ability to revert to the previous working version of the application.
Having automated software that tracks and records system changes at all times is another important control to have. This would give an organization the ability to go back and identify the root causes of any errors found in the system. For control objectives to be effective as a whole, management must emphasize, apply, and follow up on all control objectives it has put in place. A centralized decision-making approach and active communication between different departments within an organization are extremely important to avoid the creation of silos within the company (GTAG 2).

Examples of Controls for ITGC

ITGCs are controls that include operating systems, applications, supporting IT infrastructure, and databases (Li et al. 180). These controls are classified into two groups. The first group is based on the nature of the implementation. In this group, controls are classified as automated, manual, and partially automated controls (Mirza et al. 46). The second group is based on the nature of using controls. Controls in this group include preventive, investigative and corrective controls.

Preventive controls, as the name suggests, are designed to prevent irregularities or errors from occurring. These controls are proactive and their role is to ensure that departmental objectives are achieved (Mirza et al. 46). Examples of these controls include the separation of tasks, which are divided between different people with the aim of reducing the risk of errors or inappropriate actions (Li et al. 182). Distributed responsibilities include accounting, approval and custody. Another example is asset security, where there is limited access to inventories, equipment, cash and other types of assets. Resources are periodically inspected and the results are compared to audit records to determine if there are errors (Mirza et al. 46).

Investigative controls are controls that detect irregularities or errors after they have already occurred.
Examples of investigative controls include reconciliation, where employees exchange different data sets with each other, look for and investigate errors, and, when necessary, take corrective action. Another example is auditing to determine errors and review performance (Mirza et al. 46).

Corrective controls are controls that help mitigate damage once an error has occurred (Mirza et al. 46). Examples of corrective controls include resolving the current problem to get the processes correct. Another example is insurance programs that compensate for losses and return the insured to the original financial position (Li et al. 197).

Control Tests Performed

Any unplanned interruption or degradation of service is defined as an incident. A considerable number of these incidents can be caused by changes. Some of these are,.