ITGC controls testing Project

Logical Access Security

Logical access security is a control area that aims to ensure that personnel access to the company’s systems is limited to those who have authorization, and that the tasks they perform are limited to those that are authorized (Amasaki, 2015). There are several control points, including procedural, configuration and policy controls. This paper discusses two of these controls, namely user access through authentication and physical access, within Maverick Investment Company.

Furthermore, the paper identifies the risk these controls are meant to mitigate, the test plan based on frequency and sample size, and finally exceptions and failures. The risk facing Maverick Investment Company is unauthorized access to data and programs, resulting in alteration or damage of crucial data. These control mechanisms aim to ensure that access to applications and the company’s data is limited to authorized personnel only.

User access control

User authentication is one of the control measures that limit access to the company’s crucial information. Access is controlled by adopting standards such as password requirements, periodic access review, provisioning and de-provisioning of users, and the use of privileged user accounts. These steps are to be tested every three months. The items to be used in testing throughout the 10 data centers include personal profiles, computer systems, employees within the various departments, dates of employment and termination, and vendors, among others. The sample size to be tested is 400 Maverick employees. These steps are discussed below.

User access provisioning

There is a formal procedure used to grant and modify system access; that is, access is limited to current employees who are in managerial positions in the available departments. The validation is conducted by reviewing the list of approved personnel within the company. For de-provisioning, on the other hand, there should be a formal procedure for discontinuing an individual user’s access in cases such as transfer, termination or resignation. In this case, the 380 employees who left Maverick should have their access privileges terminated. The effectiveness of this process can be tested by checking the existing user accounts and cross-checking them against the names of those who have exited the company.
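The de-provisioning cross-check described above can be scripted. The following is an added example, not part of the original paper; it assumes accounts and leavers can be matched on a user ID, and the field names, system names and sample records are constructed for illustration.

```python
from datetime import date

def normalize(user_id: str) -> str:
    """Case/whitespace-insensitive key so 'JDoe ' and 'jdoe' match."""
    return user_id.strip().lower()

def deprovisioning_exceptions(accounts, leavers, as_of):
    """Return accounts still enabled for users who have already left.

    accounts: dicts with user_id, system, enabled, last_login (date or None)
    leavers:  dicts with user_id, exit_date (date)
    """
    exit_dates = {normalize(l["user_id"]): l["exit_date"] for l in leavers}
    findings = []
    for acct in accounts:
        exit_date = exit_dates.get(normalize(acct["user_id"]))
        # Skip current staff, disabled accounts, and exits after the test date.
        if exit_date is None or not acct["enabled"] or exit_date > as_of:
            continue
        last_login = acct["last_login"]
        findings.append({
            "user_id": normalize(acct["user_id"]),
            "system": acct["system"],
            "days_open": (as_of - exit_date).days,
            # A login after the exit date means the stale access was used.
            "used_after_exit": last_login is not None and last_login > exit_date,
        })
    # Longest-open exceptions first for the test report.
    return sorted(findings, key=lambda f: f["days_open"], reverse=True)

# Constructed sample data (hypothetical users and systems, not Maverick records).
ACCOUNTS = [
    {"user_id": "JDoe ", "system": "app-a", "enabled": True, "last_login": date(2024, 3, 20)},
    {"user_id": "asmith", "system": "app-b", "enabled": False, "last_login": date(2024, 1, 5)},
    {"user_id": "bkhan", "system": "db-a", "enabled": True, "last_login": None},
    {"user_id": "cwong", "system": "app-b", "enabled": True, "last_login": date(2024, 3, 30)},
]
LEAVERS = [
    {"user_id": "jdoe", "exit_date": date(2024, 3, 1)},
    {"user_id": "asmith", "exit_date": date(2024, 1, 10)},
    {"user_id": "bkhan", "exit_date": date(2024, 2, 15)},
]

if __name__ == "__main__":
    for finding in deprovisioning_exceptions(ACCOUNTS, LEAVERS, date(2024, 3, 31)):
        print(finding)
```

Each returned record is a test exception: an enabled account belonging to someone on the leavers list, with a flag showing whether it was used after the exit date.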

Another step in user access control is the periodic review of access among administrators, users and third-party individuals. Evidence of periodic reviews should be checked and analyzed. For instance, Option Trax and Equity Edge are the available vendors. Furthermore, password usage should be enforced, and passwords should be strong and unique to ensure effectiveness. For example, enforced passwords are Maverick_10*&.

Additionally, accounts should have a vested right of access that is limited to authorized personnel. Such systems include servers, applications, and databases, among others. The team should check those accounts that have unrestricted access rights.

Physical Access

The control measure operates by controlling physical access to certain places. This type of control prevents unauthorized personnel from accessing areas and computer facilities that are beyond their authorized boundary. The team should conduct a walk-through of these areas to ascertain the effectiveness of the control measure. Such areas include the data backup center, the data center, and the command center, among others (Miron, 2008).

Exceptions and way forward

An exception occurs when the test team finds that the controls that were tested did not operate as expected. For instance, if the team finds that there is no password protection in place, such a failure may result in unauthorized access to the company’s data, putting it at risk of theft or compromise. Therefore, the team should ensure that a strong password is set in place and continuously reviewed.


Works Cited

Amasaki, S. (2015, December 3). Information Technology General Controls (ITGCs) 101. Internal Audit Webinar Series.

Miron, B. (2008, September 9). Understanding IT General Control. Climbing New Heights.