Internal controls - ITGC basics Exorcise 1 - Identliy the ITCC process that addresses the ITCC process risk Complete the following table, indicating which ITCC process (manage change process, manage access process or manage IT operations process) will address the stated risk, using the example underlying cause provided. Exercise 2 - Identily the ITGC to address the ITGC process risk For each risk, use the list on the following page to identify the ITGCs (by letter) that would address the ITCC process risk, using the example underlying cause provided. ITecs A. There is a defined process to change the access rights within the roles that includes approval by appropriate business management personnel. (Applicable to IT application when access rights are aggregated into roles.) B. IT personnel monitor the execution of the job schedule and take actions appropriate for the issues that arise. (Applicable to IT environments when processing relies on job schedules and those job schedules are controlled by IT personnel.) C. New or additional access rights are approved by an appropriate management person in advance of access being granted. (Applicable in all IT environments.) D. Changes to the IT application are tested by business and (or) IT users, as appropriate, prior to the move into production. (Applies to most IT environments.) E. Changes to the data made by users other than the IT application or IT application users are logged and compared with the requests and approvals for those changes by people without the access to make such changes. (Applicable to IT environments when there is routine use of direct data changes In the processing of transactions relevant to the financial statements.) F. The production environment (including tools to move the programs into the test environment) is accessible only by a limited number of authorized, appropriate people who do not have development responsibillies. (Applies to most environments of more than minimal size that have developers.) G. Programs and data are written to backup medla at least weekly and stored in a physical location separate from the production equipment. (Applicable to environments whose backup function uses backup software.) H. The programs in the test environment (including tools to move the programs into the test environment) are accessible only by a limited number of authorized, appropriate people who do not have development responsibilities. (Appilcable in IT environments when there are many developers and the programs are moved from the development environment into the test environment and into the production environment by a more limited number of authorized personnel.) 1. Access rights no longer needed by users who are leaving the entity's employ or who have changed Job responsibilities are ended timely based on notification from HR or the user's supervisor or manager. (Generally, applicable to all environments, though testing may not be necessary if the periodic validation control operates effectively.)