ITGC: How did it begin?

The Enron scandal broke in October 2001. Enron, a company specialized in energy brokerage, was at the time one of the largest market capitalizations in the world. At the heart of the scandal was a recurring falsification of the accounts, carried out with the collaboration of one of the largest audit firms of the era, Arthur Andersen.
As a result of this scandal, Enron was declared bankrupt and Arthur Andersen was liquidated.

This event led to the creation of a regulation in the United States, the Sarbanes-Oxley Act (SOX), aimed at protecting investors by improving the accuracy and reliability of the information provided by companies.

IT General Controls (ITGC) are in part a response to this problem. Implementing these controls is a regulatory obligation for large companies, and the controls are audited annually as part of the statutory auditors' audit of the financial statements.

As part of this engagement, the auditors ensure, among other things, that the ITGC are operating effectively. Validating that these controls are implemented and effective is a prerequisite for the certification of the accounts.
The stakes are therefore high for the audited companies.

ITGC Categories

The ITGC are composed of 4 categories:

– access to programs and data.
– program changes.
– computer operations.
– program development.

They include controls to cover major risks related to information systems.

As part of an audit assignment, IT auditors are responsible for ensuring the operational effectiveness of these controls. They will conduct their investigations on applications identified as having a significant impact on the audited company’s financial statements.
Let’s learn what these controls are by looking at each ITGC category.

ITGC Access to programs and data

Access to programs and data is one of the ITGC categories. Since ITGC are general IT controls, their implementation is a regulatory obligation for large companies, and the external auditors verify their implementation and effectiveness as part of the annual audit of the accounts.

The purpose of this category is to ensure that access to programs and data is properly limited to authorized persons. A common example is a person who has left the company but still has an active account with access to sensitive data. Unauthorized access to programs and data may result in data corruption, deletion, or leakage.

To limit these risks, the category includes 5 controls applied across 3 layers: applications, operating systems and databases.

  • Access creations are monitored, validated by an authorized manager, and properly implemented.
  • The access rights of users who have left, or who are no longer legitimate (following a change of position, for example), are deactivated in a timely manner.
  • The activity of high-privilege accounts, administrators and sensitive generic accounts is regularly monitored.
  • Access rights are subject to periodic review.
  • Password policies are correctly configured.

ITGC Program changes

Program changes is one of the ITGC categories. Since ITGC are general IT controls, their implementation is a regulatory obligation for large companies, and the external auditors verify their implementation and effectiveness as part of the annual audit of the accounts.

The objective of this category is to ensure that all changes to existing systems are properly authorized, tested, approved, implemented and documented. Inappropriate changes to existing systems may result in data corruption, and an unauthorized change to a financial application, for example, represents a risk of fraud.

To limit this risk, the category includes the 3 controls below, applied across 4 layers (applications, operating system configuration, databases, network):

  • Changes to applications are tested and approved before they are released for production.
  • Changes to the applications are reviewed periodically.
  • The development, testing and production environments are separate and follow an approval process.

To test these controls and confirm that they are correctly applied, the auditors proceed by sampling and request evidence for the selected changes (an acceptance test report or a validation email for the production release, for example).

For the second control, the point is to verify that a change review is carried out periodically, that it is exhaustive and that it is validated by an authorized person.

The third control consists in ensuring that the environments are properly separated and that only authorized persons have access to them; it includes a segregation of duties control.
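The three program-change controls translate directly into checks an IT auditor runs over a change log and an entitlement extract. The script below is an added example, not code from the article or from Brainwave GRC; it uses constructed environment entitlements and change records (all names and identifiers are hypothetical) to flag production changes lacking test evidence or approval, self-approved changes, changes deployed by their own developer, and the segregation of duties conflict behind them: a user who can both write code in development and deploy to production.

```python
"""Program change review and segregation of duties check (added example).

Constructed inputs:
  ENTITLEMENTS  who holds which rights in each environment (dev / test / prod)
  CHANGES       the change log sampled by the auditor
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Change:
    change_id: str
    developer: str               # who wrote the change
    test_report: Optional[str]   # reference to acceptance test evidence, None if absent
    approved_by: Optional[str]   # who authorized the production release, None if absent
    deployed_by: str             # who performed the release
    target_env: str              # "dev", "test" or "prod"


# Hypothetical entitlement extract: environment -> user -> set of rights
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "dev":  {"ann": {"developer"}, "ben": {"developer"}, "cid": {"developer"}},
    "test": {"ann": {"tester"}, "dora": {"tester"}},
    "prod": {"ops1": {"deploy"}, "ben": {"deploy"}, "cid": {"read"}},
}

# Hypothetical change log sampled for the review
CHANGES: List[Change] = [
    Change("CHG-001", "ann", "TR-001", "mgr", "ops1", "prod"),  # fully evidenced
    Change("CHG-002", "ben", None, "mgr", "ben", "prod"),       # no test report, self-deployed
    Change("CHG-003", "cid", "TR-003", "cid", "ops1", "prod"),  # approved by its own developer
    Change("CHG-004", "ann", None, None, "ann", "test"),        # test environment, out of scope
]


def sod_conflicts(entitlements: Dict[str, Dict[str, Set[str]]]) -> Set[str]:
    """Users who can both develop in dev and deploy to prod (environment separation broken)."""
    developers = {u for u, rights in entitlements["dev"].items() if "developer" in rights}
    deployers = {u for u, rights in entitlements["prod"].items() if "deploy" in rights}
    return developers & deployers


def review_changes(changes: List[Change],
                   entitlements: Dict[str, Dict[str, Set[str]]]) -> Dict[str, List[str]]:
    """Return {change_id: [finding codes]} for production changes that fail a control."""
    findings: Dict[str, List[str]] = {}
    for c in changes:
        if c.target_env != "prod":
            continue  # only production releases are in scope for the control
        issues: List[str] = []

        # Control 1: tested and approved before release
        if c.test_report is None:
            issues.append("no-test-evidence")
        if c.approved_by is None:
            issues.append("no-approval")
        elif c.approved_by == c.developer:
            issues.append("self-approval")

        # Control 3: separation of environments and duties
        if c.deployed_by == c.developer:
            issues.append("developer-deployed")
        prod_rights = entitlements["prod"].get(c.deployed_by, set())
        if "deploy" not in prod_rights:
            issues.append("deployer-not-entitled")

        if issues:
            findings[c.change_id] = issues
    return findings


if __name__ == "__main__":
    print("SoD conflicts:", sorted(sod_conflicts(ENTITLEMENTS)))
    for change_id, issues in review_changes(CHANGES, ENTITLEMENTS).items():
        print(f"{change_id}: {', '.join(issues)}")
```

On the constructed data the entitlement check surfaces `ben` as the single developer who also holds a production deploy right, and the change review shows how that conflict materializes in the log (`CHG-002` released by its own developer without a test report) alongside a change that was correctly tested but approved by the person who wrote it (`CHG-003`). The periodic change review called for by the second control is simply this report produced at a fixed cadence and signed off by an authorized person.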

ITGC Computer Operations

Computer operations is one of the ITGC categories. Since ITGC are general IT controls, their implementation is a regulatory obligation for large companies, and the external auditors verify their implementation and effectiveness as part of the annual audit of the accounts.

The objective of this category is to ensure the availability of the information system and the correctness of its operation. Weaknesses here create a risk of the information system malfunctioning, for example if an unauthorized person gains access to the server room.

To limit this risk, the category includes the following 4 controls:

  • The data is properly backed up and retrievable.
  • Only approved and tested changes are made to the batch scheduler.
  • Production errors are identified and resolved.
  • Physical security measures are in place.

ITGC Program Development

Program development is one of the ITGC categories. Since ITGC are general IT controls, their implementation is a regulatory obligation for large companies, and the external auditors verify their implementation and effectiveness as part of the annual audit of the accounts.

The purpose of this category is to ensure that new systems and programs, whether under development or already implemented, are properly authorized, tested, approved, implemented and documented. Deploying new systems or programs that are inappropriate or inadequately tested can lead to data corruption.

To limit this risk, the category includes the following 4 controls:

  • Major improvements to ERP systems are properly tested and approved before migration to production.
  • The data is correctly migrated.
  • Problems encountered during the development of the program are monitored and resolved.
  • Appropriate training is provided.

Conclusion

The implementation and proper functioning of these controls are essential for companies to protect themselves from the following risks:

  • Reputational (example: a data leak).
  • Operational (example: information system unavailable).
  • Financial (example: fraud).
  • Compliance (example: in the event of control failures, the accounts may not be certified).

To meet these control requirements, companies rely on measures such as periodic access reviews, monitoring of high-privilege accounts and segregation of duties controls.

Brainwave GRC provides an efficient and innovative solution for the implementation and regular operation of these controls. Brainwave GRC automates and simplifies the periodic review of accounts, optimizes the process and ensures compliance.

The benefits are numerous:

  • tangible results, thanks to an approach adapted to the context, processes and level of maturity.
  • reviews that are less painful and more effective.
  • stakeholders brought together and adoption promoted by contextualizing interfaces and results.
  • effective responses to auditors and reduced costs.

To learn more, sign up for our new ITGC webinar and get a demonstration.