For each risk, use the list on the following page to identify the ITGCs (by letter) that would address the ITGC process risk, using the example underlying cause provided.

ITGC process risk	ITGCs
1. Reliance on systems or programs that are inaccurately processing data, processing inaccurate data or both. (Example underlying cause: new IT application programs, or changes to existing programs, do not function as described or requested because they were not adequately tested.)
2. Unauthorized access to data that may result in destruction of data, or improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions. (Example underlying cause: users of the IT environment are not authorized because of requests for the removal of unneeded access, e.g., employee job changes of IT personnel within an entity, are not made timely, access action requests are fulfilled inaccurately or untimely.)
3. The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down the segregation of duties. (Example underlying cause: the access of IT users to the IT environment creates segregation-of-duties conflicts.)
4. Unauthorized changes to data in master files. (Example underlying cause: direct changes to data are made by IT personnel without authorization.)
5. Unauthorized changes to systems or programs. (Example underlying cause: unauthorized changes to systems or programs, including interfaces, configurations and report logic, are controlled by IT personnel.)
6. Inappropriate manual intervention. (Example underlying cause: issues with programs that cannot process through to completion are not addressed, or are not appropriately addressed.)
7. Potential loss of data, or inability to access data as required. (Example underlying cause: hardware or software issues result in loss of data or the loss of the ability to access data as needed.)

ITGCs

A. There is a defined process to change the access rights within the roles that includes approval by appropriate business management personnel. (Applicable to IT application when access rights are aggregated into roles.)

B. IT personnel monitor the execution of the job schedule and take actions appropriate for the issues that arise. (Applicable to IT environments when processing relies on job schedules and those job schedules are controlled by IT personnel.)

C. New or additional access rights are approved by an appropriate management person in advance of access being granted. (Applicable in all IT environments.)

D. Changes to the IT application are tested by business and (or) IT users, as appropriate, prior to the move into production. (Applies to most IT environments.)

E. Changes to the data made by users other than the IT application or IT application users are logged and compared with the requests and approvals for those changes by people without the access to make such changes. (Applicable to IT environments when there is routine use of direct data changes in the processing of transactions relevant to the financial statements.)

F. The production environment (including tools to move the programs into the test environment) is accessible only by a limited number of authorized, appropriate people who do not have development responsibilities. (Applies to most environments of more than minimal size that have developers.)

G. Programs and data are written to backup media at least weekly and stored in a physical location separate from the production equipment. (Applicable to environments whose backup function uses backup software.)

H. The programs in the test environment (including tools to move the programs into the test environment) are accessible only by a limited number of authorized, appropriate people who do not have development responsibilities. (Applicable in IT environments when there are many developers and the programs are moved from the development environment into the test environment and into the production environment by a more limited number of authorized personnel.)

I. Access rights no longer needed by users who are leaving the entitys employ or who have changed job responsibilities are ended timely based on notification from HR or the users supervisor or manager. (Generally, applicable to all environments, though testing may not be necessary if the periodic validation control operates effectively.)