Many businesses have relied on technology to run mission-critical business processes for years, and the pandemic only accelerated that digital evolution. And the more important technology becomes to business operations, the more management must also rely on strong, effective I.T. general controls.
In this post we review “ITGCs” and the processes that companies can use to develop, implement, and monitor ITGCs. We also explore how ITGCs are crucial for effective cybersecurity and data integrity – and how that fact will only become more important in the future, as digital transformation of business processes continues.
What Does ITGC Mean and How Does it Apply to Information Technology?
I.T. General Controls (ITGCs) are the set of policies and controls that guide how your organization uses I.T. and protects the data in its possession. For example, ITGCs spell out how the company implements access and security controls for its I.T. systems, and how software is developed and deployed generally across the enterprise.
ITGCs are especially important if you work at a publicly traded company subject to compliance with the Sarbanes-Oxley Act. To comply with SOX, companies must declare every year whether they have effective internal control over financial reporting, and an assessment of ITGCs is part of that annual review. Larger public companies must also have an external audit of their internal controls, and auditors will assess ITGCs as well.
The Four Areas of General Controls
ITGCs are often divided into four categories, which closely resemble the categories of other I.T. internal controls used to safeguard sensitive data. The categories are:
- Physical Security. This is about controlling who has access to the physical environment where business processes take place and sensitive information is stored. For example, not everyone on your staff needs access to the server room. Locks and keys go a long way toward preventing unauthorized access to these areas.
- Information Technology Security. This is where a strong internal password policy helps restrict access to the various I.T. processes your company uses every day. ITGCs also govern the software patches that maintain ERP systems, and segregation of duties in software development, so that no single person or team has too much power to both write and deploy the software your company uses.
- Recovery Security. You probably already have a disaster recovery plan, to address how the company will maintain business continuity amid major breakdowns or security failures. Strong ITGCs will help protect the sensitive data you handle, and assure that your business operations can continue as usual even after a major security incident.
- Incident Response Security. Cyber breaches will happen sooner or later, so businesses must have incident response plans (written in advance of any breach) to guide how they respond to those attacks. The plans should assign roles and responsibilities for the various response steps, including policies about which third parties may manage data or systems on your behalf during a crisis.
The main objective of strong ITGCs is to govern your I.T. wisely and efficiently, to keep operations running and data protected. If you take the time to develop clear control objectives, strong ITGCs will drive better business performance and regulatory compliance at the same time.
The General Areas of Information Technology Internal Controls
- Change Management. Systems change as your business grows. Strong I.T. general controls will govern who makes changes to your I.T. systems and applications (such as upgrades or software patches), so unauthorized people don’t tinker with the software code and so the changes happen as smoothly as possible.
- Access Controls. These are controls such as requiring auto-generated passwords and two-factor authentication of end-users, to govern who accesses I.T. systems and sensitive data.
- System Operation Controls. These are information technology security controls that most often are operated by people (checking on your servers, monitoring access and data flow). Hardware monitoring such as temperature control in server rooms is most often automatic.
- Backup Controls. Think of two kinds of backup: a backup of your data and also a backup for your I.T. systems. Without strong backup plans, any disaster recovery is shot before it even gets started. Backups also include routine audits of your I.T. environment.
- Third-party Provider Controls. These controls govern how third parties access your I.T. systems (say, a vendor sending payment or invoice information automatically to your finance department).
Make ZenGRC Part of Your Control Process
I.T. general controls can be complicated to understand, develop, implement, and monitor. They should evolve over time as the company’s technology changes, to keep pace with whatever new risks come along.
The good news is that ZenGRC can help, by establishing which I.T. general controls you need or identifying ones that are failing, and then helping you to remediate those weak spots and monitor ITGCs’ performance over the long term. ZenGRC uses artificial intelligence to provide 24-7 I.T. risk monitoring while you focus on running your business.
Peace of mind: it’s the ZenGRC way. Worry-free control management is the Zen way. For more information on ZenGRC, contact us for a free demo today.