
What are IT General Controls? ITGC
IT General Controls, ITGC for short, are the IT controls in place to ensure the
proper development and implementation of applications, as well as the integrity
of programs, data files and computer operations. ITGC is also sometimes
referred to as GITC (General IT Controls), and we will use the two terms
interchangeably. ITGC audits are usually done in support of a financial
statements audit, where the purpose of the ITGC audit is to review the controls in
place for the IT systems that have a direct effect on the financial statements. So
what are IT General Controls (ITGC)?
There are typically 3 main control elements, namely:
Access to Programs and Data
Computer Operations
Program Changes
Program Development

Let us look at each of these ITGC elements and the specific control areas
under each of them in detail.
Access to Programs and Data
This element groups the controls that deal with how access, both logical and
physical, to systems and data is managed. The objective of these controls is to
reduce the risk of unauthorized or inappropriate access to information systems
and to prevent people from committing and concealing an error or irregularity. The
control areas relevant to this element include:
IT Policy
A formalized security policy has been adopted, which is reviewed and approved
by management. The policy must be communicated throughout the organization.
Data Center
Physical access to the Data Center is restricted to appropriate personnel.

Password Parameters
Password parameters to the network are appropriately configured.
Password parameters for relevant systems and underlying infrastructure (such as
the databases and operating systems) are appropriately configured.
Powerful Accounts
Access to powerful/privileged user accounts for the network, relevant systems,
operating systems and databases is restricted to a defined set of system
administration personnel.
User Provisioning/Modification of Access
There are procedures in place for the provisioning of access and access rights to
users for relevant systems. Procedures require formal approvals for granting or
modifying access.
User De-Provisioning
There are procedures in place for the termination of access and access rights to
users for the relevant systems. Revocation of access occurs in a timely manner.
Periodic User Access Reviews
Periodic reviews are performed of active users and user access rights to identify
and remove inappropriate access to relevant systems and their underlying
infrastructure (databases and operating systems).
The organization performs a periodic review of active users and user access
rights to identify and remove inappropriate access to the network.
Computer Operations
This element groups the controls that deal with operational matters like backups
and batch jobs. The objective of these controls is to ensure that system or
application processing is appropriately authorized and scheduled, and that
deviations from scheduled processing are identified and resolved. The control
areas relevant to this element include:
Batch Job Processing/Monitoring
Monitoring procedures are designed to provide reasonable assurance around
completeness and timeliness of system and data processing.
Incident Management
The organization has established incident management processes to address
any high or medium priority incidents within a defined timeline.
System Backups
Management has implemented appropriate backup and recovery procedures to
ensure that data, transactions and programs that are necessary for financial
reporting can be recovered.
The backup and recovery procedures for relevant systems are tested
periodically.
Off-Site Storage
Procedures are in place to rotate backup tapes to an offsite facility on a periodic
basis. Management restricts access to the offsite tapes to authorized
personnel based on job responsibility.
Program Change
This element is relevant to the controls for changes made to existing systems or
applications. The objective of these controls is to ensure that changes made are
authorized, tested, approved, properly implemented and documented.
Program Change Management
Changes made to systems follow the change management policy and
procedures established by management (including emergency and configuration
changes). Changes are logged, approved, and tested prior to being promoted
into production.
Segregation of Duties
Segregation of Duties exists between personnel developing changes and
personnel moving changes into production.
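A tester of the Program Change Management and Segregation of Duties controls above typically takes the change-ticket register for the period and reconciles it against the production deployment log. The script below is an added example, not code from the original article; the tickets, deployment log and artifact names are constructed, hypothetical data. It checks that each promoted change was approved and tested before it reached production, that the person who developed the change did not also promote it, and that nothing in the deployment log reached production without a ticket.

```python
from datetime import date

# Constructed sample data (hypothetical, not from the article): a change-ticket
# register and the production deployment log covering the same period.
TICKETS = {
    "CHG-101": {"developer": "alice", "approver": "mgr", "approved_on": date(2024, 3, 1),
                "tested_on": date(2024, 3, 2), "deployer": "ops1", "deployed_on": date(2024, 3, 3)},
    "CHG-102": {"developer": "carol", "approver": "mgr", "approved_on": date(2024, 3, 4),
                "tested_on": None, "deployer": "carol", "deployed_on": date(2024, 3, 4)},
    "CHG-103": {"developer": "dave", "approver": "mgr", "approved_on": date(2024, 3, 6),
                "tested_on": date(2024, 3, 4), "deployer": "ops1", "deployed_on": date(2024, 3, 5)},
    "CHG-104": {"developer": "alice", "approver": None, "approved_on": None,
                "tested_on": date(2024, 3, 5), "deployer": "ops1", "deployed_on": date(2024, 3, 6)},
}

DEPLOY_LOG = [
    {"ticket": "CHG-101", "deployer": "ops1",  "deployed_on": date(2024, 3, 3), "artifact": "ap_invoice.war"},
    {"ticket": "CHG-102", "deployer": "carol", "deployed_on": date(2024, 3, 4), "artifact": "gl_report.jar"},
    {"ticket": "CHG-103", "deployer": "ops1",  "deployed_on": date(2024, 3, 5), "artifact": "fx_rates.sql"},
    {"ticket": "CHG-104", "deployer": "ops1",  "deployed_on": date(2024, 3, 6), "artifact": "payroll.war"},
    {"ticket": None,      "deployer": "ops2",  "deployed_on": date(2024, 3, 5), "artifact": "gl_posting.jar"},
]


def check_change_controls(tickets, deploy_log):
    """Return {ticket or deploy entry: [finding, ...]} for every exception."""
    findings = {}

    def flag(key, reason):
        findings.setdefault(key, []).append(reason)

    for cid, t in tickets.items():
        deployed = t["deployed_on"]
        # Approval must exist and precede promotion to production
        if t["approver"] is None or t["approved_on"] is None:
            flag(cid, "no documented approval")
        elif t["approved_on"] > deployed:
            flag(cid, "approved after promotion to production")
        # Test evidence must exist and precede promotion to production
        if t["tested_on"] is None:
            flag(cid, "no test evidence")
        elif t["tested_on"] > deployed:
            flag(cid, "tested after promotion to production")
        # Segregation of duties: developer and deployer must differ
        if t["developer"] == t["deployer"]:
            flag(cid, "segregation of duties: developer also promoted the change")

    # Reconcile the other way: every production deployment needs a known ticket
    for entry in deploy_log:
        ref = entry["ticket"]
        if ref is None or ref not in tickets:
            flag(f"deploy:{entry['artifact']}", "production change with no change ticket")

    return findings


def sample_change_review():
    """Run the checks over the constructed register and deployment log."""
    return check_change_controls(TICKETS, DEPLOY_LOG)


if __name__ == "__main__":
    for key, reasons in sample_change_review().items():
        for reason in reasons:
            print(f"{key}: {reason}")
```

The reverse reconciliation (deployment log back to tickets) is the part most often skipped and the one that catches changes made outside the process entirely; it only works if the deployment log itself is complete and cannot be edited by the people who deploy, which is why the log's own access restrictions are usually examined alongside this test.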
Program Development
This element is relevant to the controls for developing new systems or
applications. The objective of these controls is to ensure that new systems that are
developed or acquired are authorized, tested, approved, properly implemented
and documented.
Methodology
The System Development Life Cycle (SDLC) follows a methodology for the
acquisition or development of new systems or applications.
Similar to the Program Change Management element, any new developments or
acquisitions implemented are approved, tested and documented.
What do you think?
IT General Controls (ITGC) are the foundation controls needed to ensure the
completeness, integrity and availability of IT systems and data. The controls
provide assurance to the organization as well as to outsiders that IT systems process
data appropriately and accurately, and that the output of the systems can be
trusted. We recommend you check out our article on what to consider when
testing IT General Controls, as it highlights some important points that need to
be considered for such controls.
What is your experience of ITGC or what questions might you have about them?
Post a comment below and share with the rest of us!
