For years, most businesses have tied their operations to technology, and the pandemic accelerated this digital shift. Because technology is now so central to business functions, organizations need robust and efficient Information Technology General Controls (ITGCs).
ITGCs and their related methodologies need to be established, executed, and overseen by the organization to ensure the controls are working as intended. Furthermore, ITGCs play a pivotal role in the effective cybersecurity and data integrity strategies of the organization. As the digital transformation of business operations continues, the relevance of ITGCs will only continue to grow.
What is the Significance of ITGC and How Does it Relate to Information Technology?
ITGCs encompass the policies and measures governing your organization's utilization of information technology and the safeguarding of its data assets. These controls dictate the implementation of access and security measures for IT systems and the general procedures for software development and deployment across the organization.
ITGCs hold particular significance for publicly traded companies subject to compliance with the Sarbanes-Oxley Act (SOX). As part of the annual review required by SOX, companies must affirm the effectiveness of their internal controls over financial reporting, which includes an evaluation of ITGCs. Larger publicly traded corporations must also undergo external audits of their internal controls, where auditors will assess the adequacy of ITGCs.
The Four Areas of General Controls
ITGCs typically fall into four key categories, closely mirroring the other internal controls in information technology that are designed to safeguard sensitive data.
- Information Technology Security: Enforcing a robust internal password policy to restrict access to the IT processes your company uses routinely. ITGCs also dictate how software patches are managed to maintain Enterprise Resource Planning (ERP) systems, and require segregation of duties in software development so that no single individual or team holds excessive power to both write and deploy company software.
- Physical Security: Controlling access to the physical environments where critical business processes occur and sensitive data is housed. For instance, not all staff members require entry to the server room; locks and keys play a pivotal role in preventing unauthorized access to such areas.
- Incident Response Security: Recognizing that cyber breaches are an eventuality, businesses should establish incident response plans well in advance of any breach. These plans provide guidance on how to respond to such attacks and include the allocation of roles and responsibilities for various response stages. Additionally, they define policies governing third-party management of data or systems during a crisis.
- Recovery Security: Focusing on disaster recovery planning, which outlines how the company will sustain business continuity in the face of major breakdowns or security breaches. Effective ITGCs serve to safeguard the sensitive data you manage and ensure seamless business operations even in the wake of significant security incidents.
The primary goal of robust ITGCs is to administer your information technology in a careful and effective manner, ensuring the continuity of operations and safeguarding valuable data. By dedicating the effort to establish well-defined control objectives, strong ITGCs simultaneously enhance business performance and promote adherence to regulatory standards.
High-level Categories of Internal Controls in Information Technology
- Access Controls: Access controls encompass measures like auto-generated passwords and two-factor authentication for end-users, regulating who can access IT systems and sensitive data.
- System Operation Controls: These controls, primarily managed by individuals, involve activities like server monitoring and oversight of data access and flow. Hardware monitoring, such as temperature control in server rooms, is often automated.
- Backup Controls: Backup controls pertain to both data and IT system backups. A solid backup plan is essential for disaster recovery preparedness. Routine audits of the IT environment are also part of backup controls.
- Change Management: With the evolution of your business, systems undergo changes. Robust IT general controls oversee the individuals responsible for making alterations to IT systems and applications, such as upgrades or software patches. This helps prevent unauthorized modifications to software code and ensures smooth transitions.
- Third-party Provider Controls: These controls dictate the procedures for third-party access to your IT systems, such as vendors automatically transmitting payment or invoice information to your finance department.
Understanding, establishing, executing, and overseeing ITGCs can be highly complex. Controls need to be adapted as the organization's technology landscape evolves to address emerging risks, including the risks unique to artificial intelligence and other emerging technologies. By identifying the necessary IT general controls or addressing areas of weakness, we can assist in rectifying those vulnerabilities and ensuring the sustained effectiveness of ITGCs in the long run.