I am curious if other companies have taken a risk-based approach to categorizing applications by the function they play in the control environment, and then applying certain controls based on that risk category. For example, all ITGCs are applied to financial applications that directly impact financial reporting, and a subset of key controls are applied to tools supporting ITGCs (identity and access services, change management records tool, tool used for code development and deployment, etc.) on those financial applications. Or do companies apply all standard ITGCs to all in-scope financial applications and supporting tools? Thanks!
Thank you, Nick, for putting this out there – much more succinct than my post and I am curious as well, having scoured forums for something to adopt (rather than start from ground zero). Unfortunately, we are pressured by the audit teams towards the latter and the work-intensive, more-than-reasonable assurance it entails. Documenting, executing, and maintaining evidence of a full suite of ITGCs for tools, not only supporting ITGCs as you state, but also supporting the execution of review or application controls (i.e., user access reviews, API-based interface of revenue data) is burdensome. Admittedly, the struggle to bring all stakeholders together to assess, define, and deploy such a framework/approach delays progress towards maturity. If anyone is willing to share a starting point towards categorization and an appropriate subset, it would be welcomed and appreciated.