ITGCs: When did they start and why?
In October 2001 the Enron scandal broke. Enron, an energy trading company, was at the time one of the largest companies in the world by market capitalization. The scandal centred on years of falsified accounts, produced with the complicity of its auditor, Arthur Andersen, then one of the largest audit firms. As a result, Enron was declared bankrupt and Arthur Andersen was dissolved.
This event led to the passage in the United States of the Sarbanes-Oxley Act (SOX) of 2002, which aims to protect investors by improving the accuracy and reliability of the financial information that companies disclose.
The proliferation of IT General Controls, or ITGCs, is in part a response to this problem. Implementing these controls is a regulatory obligation for the companies subject to SOX, notably publicly traded companies, whose financial statements are now audited annually.
As part of this audit, the auditors assess, among other things, the operating effectiveness of the ITGCs. Validating that these controls are implemented and effective is a prerequisite for the certification of the accounts.
The stakes are high for audited companies. Executing and optimizing IT general controls is crucial not only to demonstrate compliance with regulatory standards but also to protect their assets. Control failures expose companies to significant regulatory, financial and security risk.
ITGC: Definition and Categories
ITGCs are IT general controls designed to protect an organization's data from unauthorized use, disclosure or compromise. They apply to applications, databases, logical access rights and infrastructure within the information system (IS). Their implementation is mandated by regulators for many companies, and they help to counter the risk of data theft or fraud.
IT general controls fall into 4 categories:
- Access to programs and data.
- Program changes.
- Computer operations.
- Program development.
Together these categories cover the major risks linked to the information systems that support financial reporting.
As part of an assignment, IT auditors are responsible for ensuring the operational effectiveness of these controls. They will conduct their investigations on applications identified as having a significant impact on the audited company’s financial statements.
Because ITGCs are general computer controls, their implementation is mandatory under the regulations imposed on large companies; external auditors verify their implementation and effectiveness as part of the annual audit of the accounts.
Let’s learn what these controls are by looking at each ITGC category.
ITGC: Access to Programs and Data
This category covers access to programs and data. Its purpose is to ensure that accounts and their permissions are restricted to authorized personnel. A common example is an employee who has left the company, or changed role, but still has an active account with access to sensitive data. Unauthorized access to programs and data may result in data corruption, deletion or leakage.
To limit these risks, the category includes five controls on three layers: applications, operating systems and databases.
- Access provisioning is monitored, validated by an authorized manager, and properly implemented.
- The access rights of users who have left the company or which are no longer legitimate (due to change of job function, for example) are deactivated in a timely manner.
- The activity of highly privileged, administrative and sensitive generic (shared) accounts is regularly monitored.
- Access rights are subject to periodic review.
- Password policies (minimum length, complexity, expiry, account lockout) are correctly configured and enforced.
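The second, third and fourth controls above (timely deprovisioning of leavers, monitoring of privileged and generic accounts, periodic access review) are usually tested by reconciling an export of the accounts in each layer against the HR roster. The script below is an added example, not part of the original article and not Brainwave GRC's product code: it takes a constructed, hypothetical HR list and account export and produces the findings an access review would raise. The field names, the two-day deprovisioning SLA and the 90-day dormancy threshold are assumptions for the example; real reviews take them from the company's policy.

```python
"""Reconcile an IAM account export against the HR roster and produce
access-review findings. All data below is constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Employee:
    emp_id: str
    status: str                     # "active" or "terminated"
    termination: Optional[date]     # set when status == "terminated"


@dataclass
class Account:
    account: str
    owner: Optional[str]            # employee id; None for a shared/generic account
    enabled: bool
    privileged: bool                # admin / DBA / superuser style rights
    last_login: Optional[date]
    kind: str                       # "personal" or "generic"


# Constructed sample data (hypothetical), as of the review date below.
REVIEW_DATE = date(2024, 3, 1)
HR = [
    Employee("E100", "active", None),
    Employee("E101", "terminated", date(2024, 1, 15)),
    Employee("E102", "terminated", date(2024, 2, 28)),   # left two days ago: inside SLA
]
ACCOUNTS = [
    Account("alice", "E100", True, False, date(2024, 2, 27), "personal"),
    Account("bob", "E101", True, True, date(2024, 1, 10), "personal"),       # leaver, still enabled
    Account("carol", "E102", True, False, date(2024, 2, 27), "personal"),    # leaver within SLA
    Account("dave", "E999", True, False, None, "personal"),                  # no HR record at all
    Account("sap_batch", None, True, True, date(2023, 10, 1), "generic"),    # unowned, dormant admin
    Account("dba_admin", "E100", True, True, date(2023, 11, 1), "personal"), # dormant privileged
]


def review(hr: List[Employee], accounts: List[Account], today: date,
           leaver_sla_days: int = 2, dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (finding_type, account) pairs for every enabled account that
    breaks one of the access controls. Disabled accounts are out of scope."""
    by_id = {e.emp_id: e for e in hr}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        # Generic accounts must have a named owner who answers for their use.
        if a.kind == "generic" and a.owner is None:
            findings.append(("UNOWNED_GENERIC", a.account))
        emp = by_id.get(a.owner) if a.owner else None
        if a.owner and emp is None:
            # Owner id unknown to HR: nobody is accountable for this account.
            findings.append(("ORPHAN", a.account))
        elif emp and emp.status == "terminated":
            # Leaver: the account must be disabled within the deprovisioning SLA.
            if today - emp.termination > timedelta(days=leaver_sla_days):
                findings.append(("LEAVER_STILL_ENABLED", a.account))
        if a.privileged:
            # Privileged rights that are never used should be removed, not kept "just in case".
            if a.last_login is None or today - a.last_login > timedelta(days=dormant_days):
                findings.append(("DORMANT_PRIVILEGED", a.account))
    return findings


if __name__ == "__main__":
    for finding, account in review(HR, ACCOUNTS, REVIEW_DATE):
        print(f"{finding:<22} {account}")
```

Run as-is, the script reports bob (leaver still enabled), dave (orphan), sap_batch (unowned generic and dormant privileged) and dba_admin (dormant privileged); carol is not reported because her account is still inside the deprovisioning SLA, which is the kind of edge case an auditor checks when sampling leavers.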
ITGC: Program Changes
The objective of this category is to demonstrate that all changes to existing systems are properly authorized, tested, approved, implemented and documented. Inappropriate changes to existing systems may corrupt data; an unauthorized change to a financial application, for example, represents a fraud risk.
To limit this risk, the category includes the three controls below, applied on four layers (operating system configuration, applications, databases and networks):
- Changes to applications are tested and approved before they are released into production.
- Changes to the applications are reviewed periodically.
- The development, testing and production environments are separate and must follow approval processes.
To test these controls and confirm they are operating as designed, auditors select a sample of changes and request evidence for each (an acceptance or test report, or the validation email authorizing the production release, for example).
For the second control, the auditor checks that a change review is carried out periodically, that it is exhaustive and that it is validated by an authorized person.
The third control consists of confirming that the environments are properly separated and that only authorized people have access to each of them. This control includes segregation of duties (SoD): the person who develops a change should not be the one who approves it or deploys it to production.
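The evidence an auditor asks for when sampling changes (approval before release, test evidence, and segregation of duties between developer, approver and deployer) can be checked mechanically from the change records. The script below is an added example, not part of the original article and not Brainwave GRC's product code; it runs over constructed, hypothetical change tickets with assumed field names and reports, per change, which of those requirements fail. The seeded sampling helper mirrors the auditor's practice of testing a sample rather than the full population, but the sample size and seed are assumptions.

```python
"""Check sampled change records for the program-change ITGC evidence:
approval before deployment, test evidence, and segregation of duties.
All change records below are constructed for the example."""
import random
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Change:
    change_id: str
    developer: str
    approver: Optional[str]          # None if the ticket was never approved
    deployer: str
    approved_at: Optional[datetime]
    deployed_at: datetime
    test_evidence: bool              # a test report / UAT sign-off is attached


def check_change(c: Change) -> List[str]:
    """Return the list of control exceptions for one change (empty if clean)."""
    issues = []
    if c.approver is None or c.approved_at is None:
        issues.append("NO_APPROVAL")
    elif c.approved_at > c.deployed_at:
        # A retroactive approval does not satisfy "approved before release".
        issues.append("APPROVED_AFTER_DEPLOYMENT")
    if not c.test_evidence:
        issues.append("NO_TEST_EVIDENCE")
    # Segregation of duties: the developer must not approve or deploy their own change.
    if c.approver is not None and c.approver == c.developer:
        issues.append("SOD_DEVELOPER_IS_APPROVER")
    if c.deployer == c.developer:
        issues.append("SOD_DEVELOPER_IS_DEPLOYER")
    return issues


def select_sample(changes: List[Change], size: int, seed: int) -> List[Change]:
    """Deterministic random sample so the selection can be reproduced for the auditor."""
    rng = random.Random(seed)
    return rng.sample(changes, min(size, len(changes)))


def audit_changes(changes: List[Change]) -> Dict[str, List[str]]:
    """Map change id -> exceptions for every change in the (sampled) population."""
    return {c.change_id: check_change(c) for c in changes}


# Constructed sample population (hypothetical).
CHANGES = [
    Change("CHG-1", "alice", "carol", "dave", datetime(2024, 2, 10, 9), datetime(2024, 2, 11, 18), True),
    Change("CHG-2", "alice", "alice", "alice", datetime(2024, 2, 12, 9), datetime(2024, 2, 12, 10), True),
    Change("CHG-3", "bob", None, "dave", None, datetime(2024, 2, 14, 20), False),
    Change("CHG-4", "bob", "carol", "dave", datetime(2024, 2, 16, 8), datetime(2024, 2, 15, 22), True),
]


if __name__ == "__main__":
    for change_id, issues in audit_changes(select_sample(CHANGES, 4, seed=2024)).items():
        print(change_id, "OK" if not issues else ", ".join(issues))
```

In the sample population only CHG-1 is clean: CHG-2 was approved and deployed by its own developer (two SoD exceptions), CHG-3 has neither approval nor test evidence, and CHG-4 was approved the morning after it went live, which is the retroactive-approval pattern auditors specifically look for.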
ITGC: Computer Operations
This category deals with the availability of the information system and its correct operation. Without controls, the information system may malfunction or become unavailable; an example would be an unauthorized person gaining access to the server room.
To limit this risk, the category includes the following four controls:
- The data is properly backed up and retrievable.
- Only approved and tested changes are made to the batch scheduler.
- Production errors are identified and resolved.
- Physical security measures are in place.
ITGC: Program Development
The purpose of this category is to ensure that new systems and programs, whether under development or already implemented, are properly authorized, tested, approved, implemented and documented. An inappropriately developed program, once deployed, can corrupt data.
To limit this risk, the category includes the following four controls:
- Major improvements to ERP systems are properly tested and approved before migration to production.
- The data is correctly migrated.
- Problems encountered during the development of the program are monitored and resolved.
- Appropriate training is provided.
The implementation and proper functioning of these controls are essential to protect companies from the following risks:
- Reputational (data leak).
- Operational (the information system is unavailable).
- Financial (fraud).
- Compliance (if controls fail, the accounts may not be certified).
To meet these control requirements, companies rely on processes such as periodic access review, monitoring of high-privilege accounts and segregation of duties controls, and on tools that support them.
Brainwave GRC provides an efficient and innovative solution for implementing and regularly operating these controls: we automate and simplify the periodic review of accounts, optimize the process and help ensure compliance.
There are many advantages to this:
- Tangible results are provided due to an approach that is adapted to the context, processes and level of maturity.
- Reviews are less painful and more effective.
- Stakeholders are united and controls are more easily adopted by contextualizing interfaces and results.
- Responding to auditors is more effective and less costly.
Contact us to learn more about how ITGCs can help your organization maintain compliance and reduce security risk.