The purpose of this memo is to outline minimum IT controls process teams should be assessing when performing their reviews. Specifically, it covers minimum controls process owners should have in place around user access, change control, backup, privacy, licenses and document retention for the primary accounting and informational systems that are within the scope of the review.

Implementing these minimum IT control standards into each work program creates consistency across reviews and verifies that internal auditors are assessing key areas of IT risk within the client’s key informational and accounting systems.