This tool contains four sample work programs that provide best-practice steps an organization should consider when evaluating its IT general controls environment. Sample 1 of this tool focuses on evaluating the design of the IT general controls (ITGC) environment within your organization. The objective is to assess how well the infrastructure, applications, policies and procedures support the organization’s operations. This evaluation involves identifying ITGCs through discussions with key IT personnel and reviewing relevant policies and documents. The design assessment compares current practices against leading IT frameworks such as COBIT and ITGI, allowing for a thorough understanding of the organization's adherence to best practices. 

According to this tool, a limited sample of transactions is analyzed to confirm the operational effectiveness of the identified controls. The audit aims to identify control gaps where existing practices diverge from established standards or internal policies, providing recommendations for improvement based on these observations. The scope of the assessment includes critical applications deemed essential for business operations, ensuring that all aspects of security, configuration management, change management and operational processes are adequately addressed to enhance reliability and integrity in the organization's IT systems and data management.

Work steps include: 

• Obtaining a copy of the information security policy
• Confirming that the policy addresses user authentication, password complexity and system security
• Confirming that the policy has been reviewed and approved by senior management
• Confirming that access to the in-scope applications requires the use of a password