Information Technology General Controls (ITGC)
Information Technology General Controls (ITGC) are critical controls that support the reliability of systems and information within an organization. They typically encompass a range of policies and procedures that ensure the effective and secure operation of an organization’s IT systems and safeguard data integrity.
Definition and purpose
The primary purpose of ITGC is to ensure the proper development and implementation of applications, as well as the integrity of program and data files and computer operations. ITGCs are typically categorized into various areas such as change management, access controls, backup and recovery, and network security. They are fundamental for achieving financial, operational, and compliance objectives.
While ITGCs are not governed by a single body, they are often aligned with standards and frameworks established by organizations like the International Organization for Standardization (ISO), the Information Systems Audit and Control Association (ISACA), and aligned with regulations such as Sarbanes-Oxley Act (SOX).
ITGC practices and requirements evolve continuously due to changes in technology and regulatory environments.
ITGCs apply to all organizations that use information systems to support their business processes. This includes a wide range of industries such as finance, healthcare, manufacturing, and technology. They are especially critical for publicly traded companies due to regulatory requirements.
Controls and requirements
Typical ITGC areas and their associated controls include:
- Change Management Controls: Ensuring changes to systems and applications are authorized, tested, approved, and properly implemented.
- Access Controls: Restrictions on who can view and alter specific data or system configurations.
- Network and Systems Security Controls: Measures to protect against unauthorized access to systems and data.
- Backup and Recovery Controls: Ensuring data is regularly backed up and can be restored in case of loss or damage.
- Data Processing Controls: Ensuring data processing operations are accurate, complete, and authorized.
- Physical Security Controls: Protecting physical IT assets and infrastructure.
Audit type, frequency, and duration
ITGC audits are typically conducted internally or by external auditors, focusing on compliance with internal policies and external regulations. Regular audits are recommended, often on an annual basis, especially for organizations subject to regulations like SOX.
The duration of an ITGC audit depends on the organization's size, the complexity of its IT environment, and the scope of the audit.