You would need to consider the frequency of the activity itself to decide on the frequency of testing the control. If the activity happens many times, you would typically test quarterly. If an activity happens twice per year, test once in the first half of the year and once in the second half of the year. Treat testing of IT controls the same way that the business controls are tested; that would give you an opportunity to fix any issues that arise through testing.

Scanning is left to departmental decisions; controls are usually tested annually, at a 1/3 test, to be compliant. But if a control is compliant, you may not need to test it again unless something in the configuration or process has changed.

Business impact and business risk are the major drivers in determining the frequency of testing an IT control. Testing costs money, but failures can cost a lot more. Not all controls are created equal. In very high-risk situations you might need to test weekly or monthly (although that would suggest that the controls aren't adequate); in others, annual testing will be sufficient.
Apart from the annual timelines, one of the other important points to be considered for ITGC testing will depend on the level an organisation is at.
For example, for an organisation which does not have a well-organised IT division, it would be advisable to have the review / testing / audit of the IT controls on a 6-month basis. For a mature organisation, a one-year time frame is suitable.
To make it short, in a mature organisation the IT controls get tested at regular intervals depending on the certification and level a company has. In a year it can undergo a SOX audit, SAS Attestation and IT audit. All of these touch base on a few of the very important controls, which do overlap. So the IT controls do get tested.