Optimize Your IT General Controls
Information Technology General Controls (ITGCs) help organizations guard their systems and operations against IT-related risks in critical business areas like finance, purchasing, and payroll. ITGCs are the foundation for the overall IT control environment as they provide the assurance that systems operate as intended and that output is reliable. (For public companies, these controls support financial auditing, as they collectively uphold Sarbanes-Oxley (SOX) compliance requirements.)
Five Main Categories:
AAFCPAs groups ITGCs into five major categories: Access to Programs and Data, Change Management, Program Development, IT Operations, and Network and Systems Security.
1. Access to Programs and Data
AAFCPAs provides guidance to clients related to risks associated with system access. Only the most appropriate and authorized users should have permissions to access applications and sensitive data. Further, these users should be made aware of their responsibilities to maintain the security of these applications and sensitive data.
To address these risks, AAFCPAs assesses controls related to five objectives:
- We determine if information security is managed in a way that guides consistent implementation of security practices, and that users are aware of the organization’s position on information security as it pertains to financial or sensitive data.
- We determine if logical access to applications and data is appropriately restricted by the implementation of identification, authentication, and authorization mechanisms to reduce the risk of unauthorized/inappropriate access to the organization’s relevant systems.
- We determine if procedures have been established so user accounts are added, modified, and deleted in a timely manner to reduce the risk of unauthorized/inappropriate access to the organization’s relevant financial reporting or sensitive data.
- We determine if effective controls are in place to monitor the maintenance of access rights to the organization’s relevant financial applications or sensitive data.
- We determine if controls are used to provide appropriate segregation of duties within key processes and that they are followed.
AAFCPAs advises clients to implement a least-permissive, resource-appropriate approach to program and data access for employees, based on best practices and mandated regulations.
2. Program Changes
AAFCPAs provides guidance to clients on identifying and addressing risks related to program changes, including ensuring that changes are authorized, tested, and approved, and that the ability to apply changes is restricted to properly authorized and appropriate staff who are independent of those who developed the changes.
To address these risks, AAFCPAs assesses controls related to three objectives:
- We determine if controls are in place to ensure that any changes to the systems/applications providing control over financial reporting or sensitive data have been properly authorized by an appropriate level of management.
- We determine if controls are in place to ensure that changes to applications and systems used during the financial reporting process—or which process or store sensitive data—are tested, validated, and approved prior to being placed into production.
- We determine if controls are in place to restrict access for migrating changes into the production environment for systems and applications used during the financial reporting process—or which process or store sensitive data.
3. Program Development
AAFCPAs provides guidance to clients on addressing risks related to program development initiatives to ensure they are authorized, tested and approved, and that migrated data has maintained its integrity.
To address these risks, AAFCPAs assesses controls related to four objectives:
- We determine if management has controls in place to ensure that new program and infrastructure development projects and acquisitions have been approved by an appropriate level of both IT and business management.
- We determine if management has controls in place to ensure that an adequate program development methodology is in place and is followed for the development or acquisition of systems/applications used during the financial reporting process.
- We determine if management has controls in place to ensure there is adequate testing for the development or acquisition of systems/applications used during the financial reporting process, and that testing is signed off by users at an appropriate level of both IT and business management.
- We determine if management has controls in place to ensure that data migrated to the new application or system used during the financial reporting process retains its integrity.
4. Computer Operations
AAFCPAs provides guidance to clients related to risks associated with computer operations. This includes ensuring that batch jobs are controlled, that data is available when needed, and that end-user computing tools such as Excel spreadsheets or report-writing tools are governed by the same level of IT general controls as the application itself.
To address these risks, AAFCPAs assesses controls related to five objectives:
- We determine if management has implemented procedures to ensure accuracy, completeness, and timely processing of system jobs, including batch jobs and interfaces, for relevant financial reporting applications or data.
- We determine if management has implemented appropriate backup and recovery procedures so that data, transactions, and programs that are necessary for financial reporting can be recovered.
- We determine if effective procedures exist and are followed to periodically test the effectiveness of the restoration process and the quality of backup media relevant to systems and applications used during the financial reporting process.
- We determine if appropriate controls are in place over the backup media for systems and applications used during the financial reporting process. This includes ensuring that only authorized people have access to backup tapes and tape storage, or to electronic storage systems containing backups.
- We determine if management has implemented appropriate policies and procedures to ensure ITGCs are properly applied to the end-user computing environment.
5. Network Security
AAFCPAs provides guidance to clients to ensure IT systems are not vulnerable to attack or penetration.
To address these risks, AAFCPAs determines if management has implemented safeguards to prevent access to systems and data by unauthorized parties. Such safeguards could include firewalls and firewall patch management, network segmentation, intrusion prevention and detection, minimum requirements for connecting to the network, vulnerability assessments or penetration tests, wireless encryption, and network monitoring.
Your best line of defense in protecting your organization from risks associated with the failure of ITGCs (and failure of a SOX audit) is to annually test the design, implementation, and operating effectiveness of your controls.
AAFCPAs evaluates clients’ ITGCs in order to provide assurance over the security, confidentiality, processing integrity, and availability of data. Our evaluations identify each control, document it where needed, test its design, and, where desired, assess its operating effectiveness. AAFCPAs provides management reporting on all findings, the associated risks, and recommendations to improve controls and implement changes.
If you have any questions, please contact James Jumes, MBA, M.Ed. at 774.512.4062, jjumes@nullaafcpa.com; Vassilis Kontoglis at 774.512.4069, vkontoglis@nullaafcpa.com; or your AAFCPAs Partner.