The Value of IT General Controls within an Organization

by Flavio Gerbino

The concept of IT General Controls (ITGC) is becoming more and more important in companies and organizations. Increasing IT regulation and the need for effective and efficient IT governance mean that an organization must know very well, and have full control of, the maturity of the controls implemented across the whole organization.

With the help of well-established ITGCs, an organization can address many complex topics, such as information and IT security, internal and external audit, IT compliance, risk management and IT governance management.

Because the ITGCs consist of procedures or policies that provide a reasonable assurance that:

This article is an attempt to give a brief overview of what is important when dealing with the concept of ITGCs, their organizational aspects, as well as structure and handling.

Introduction and definition

An overall IT General Control Manual (ITGCM) as a kind of Policy should define the standards for the implementation of an effective and efficient Control System across an organization.

The ITGCM provides the reference for an organization implementing control procedures and Policies in their respective area of responsibility:

The scope of the ITGCM includes many organizational activities related to the management of IT Systems or other Information Assets as well as non-IT Assets:

Therefore the implementation of the ITGCM should be mandatory across the whole Organization.

Deviations should be subject to exception request and approval in accordance with an established standard process.

The ITGCM consists of elements including:

All this means that an ITGCM defines the standards for an effective and efficient IT Governance Management Control System.

Management is, of course, accountable for ensuring that the ITGCs are implemented, documented, tested and evidenced according to an overall ITGCM.

ITGC Controls Matrix

The ITGC Controls Matrix as the key element defines all applicable controls as well as additional information that may be used for the implementation, testing and assessment of the controls. Its purpose is to:

An ITGC Controls Matrix should integrate at least these 3 types of information:

The ITGCs can be structured in many different ways. The following table illustrates a typical individual set of activity domains and the set recommended by the Institute of Internal Auditors:

| Typical Set | Global Technology Audit Guide * |
| --- | --- |
| IT Business Continuity | GTAG 1: Information Technology Controls |
| Backup Management | GTAG 2: Change and Patch Management Controls: Critical for Organizational Success |
| Change Management | GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment |
| Configuration Management | GTAG 4: Management of IT Auditing |
| Information Management Organization and Processes | GTAG 5: Managing and Auditing Privacy Risks |
| Incident / Problem Management | GTAG 6: Managing and Auditing IT Vulnerabilities |
| IT Organization | GTAG 7: Information Technology Outsourcing |
| IT Operations | GTAG 8: Auditing Application Controls |
| Project Management | GTAG 9: Identity and Access Management |
| Physical Security | GTAG 10: Business Continuity Management |
| Risk Management | GTAG 11: Developing the IT Audit Plan |
| Service Provider Management | GTAG 12: Auditing IT Projects |
| System and Information Security | GTAG 13: Fraud Prevention and Detection in the Automated World |
| | GTAG 14: Auditing User-developed Applications |
| | GTAG 15: Information Security Governance |
| | GTAG 16: Data Analysis Technologies |
| | GTAG 17: Auditing IT Governance |

* The Global Technology Audit Guide (GTAG) is released by the Institute of Internal Auditors.

An IT Governance team should be responsible for defining the Controls by providing objectives and requirements for each Control. They will be used for reviews by Internal Audit as part of the audit criteria.

The implementation of the IT general controls matrix is mandatory for the whole Organization.

These procedures and policies should be designed to provide reasonable assurance regarding the achievement of control objectives set for:

Updates of the IT general Controls Matrix are subject to formal change management and deviations are subject to formal exception request approval in accordance with established Standards.

The following parameters of the IT general Controls Matrix, with their possible values or similar ones, can be used to classify and categorize information assets and to identify the list of applicable Controls for these assets:

Information Asset Categories:

* IT Unit
* Information/Record
* IT Application
* Platform/Service
* Server/Database/Storage
* Network/Communication Service
* End-User Device
* Data Center
* Service Provider

Information Asset Classes:

* No Classification
* Group Policies
* SOX, PCI-DSS or NFCM or any other applicable regulation
* Confidentiality
* Integrity
* Availability
* Accountability
* Non-repudiation
* Data Privacy
* Records Management
* Other classification

Each ITGC can then be mapped to one or more pre-defined asset categories and classification with an indicator (Applicable or Not Applicable).

ITGC objectives and the related requirements for the implementation of controls (i.e. the control activities, including possible validation steps and recommended evidence) are defined for each Control of the IT general Controls Matrix.

The Assessment of the Controls should then use the following standard maturity parameters

These standard parameters of the IT General Controls Matrix must be used to document the results of the controls assessment, to track the results of the controls testing, and may be used to track the progress of the Control Gap remediation (included in the Risk Management process).

Roles and Responsibilities

| Who is responsible? | What do they take care of? |
| --- | --- |
| Governance | Ownership of the IT Policy Framework, incl. policies, directives, standards, and procedures, and in particular the IT general control manual, which establishes the information management internal control standards |
| | Obtaining agreement with the various audit, governance and policy-making groups within the organization regarding the contents and use of the IT general control manual |
| | Supporting implementations of the IT general control manual |
| | Providing IT general control manual training material where required |
| | Performing spot checks on asset classifications, controls assessments, controls testing, risk assessments, and risk mitigation plans to ensure a balanced approach across the Organization |
| | Reviewing and approving exception requests |
| | Consolidating and reporting of Controls Status |
| Internal Audit | Assessment of design and effectiveness of Controls |
| | Reporting to relevant management |
| | Reporting to the Audit and Compliance Committee of the Board |
| | Review of effectiveness, efficiency and appropriateness of information management processes and controls, focusing on: reliability of information management processes; adherence to group policies and requirements; protection of information assets |

The IT general control manual provides a baseline for Internal Audit to audit against in respect of IT activities. However, the scope of an Internal Audit is not limited to this baseline and may include other non-IT and non-governance activities.

| Who is responsible? | What do they take care of? |
| --- | --- |
| External Audit | Opinion on the Controls |
| | Review of the IT general control manual documentation in support of their assessment of the Organization |
| | A review of the documentary evidence of Control Procedures and Policies to support compliance |
| | Advice on controls and system weaknesses |
| | An Audit and Compliance Committee of the Board may review issues raised by the external auditors |

IT general control Assessment procedures

An IT general Controls Assessment Process is built on the three major process steps:

  1. Initial Risk Assessment: The information assets of an Organizational Entity are identified, categorized and classified, and analyzed to determine the risks related to the usage of this asset. This step forms the basis for the identification of Information Assets and their classification and categorization.
  2. Controls Assessment: Based on the results of step 1 and for each Information Asset of the Organizational Entity, all applicable Controls are identified, and their implementation assessed and tested. The current control environment is compared against the Control Objectives to determine the maturity of the control.
  3. Remediation Management: Remediation actions are defined where necessary and implemented after evaluation of the risk associated with the Control Gaps identified. This process would normally be contained within the Risk Management Process.

The Controls Assessment process is triggered either through the annual re-assessment cycle of the Controls, or by changes affecting the Organization or information assets, for example:

The Controls Assessment process is executed for individual Information Assets. Its purpose is to:

The key Output of the Assessment includes

Reporting and monitoring is a continuous process that should occur during the whole risk treatment process.

Divisions must ensure that risk reporting is in place to keep track of the progress of the remediation plans and the degree of risk to which the organization is exposed.

Conclusion

By establishing a life cycle with well-selected Controls, it is possible to continuously improve the quality and maturity of multiple critical domains of an organization. It can be a crucial instrument for assuring compliance with the increasing number of mandatory and complex regulations. It is absolutely worthwhile to establish an organization and concept around this governance topic, which generates many synergies with other important areas such as internal audit, information security, risk management and quality assurance.

About the Author

Flavio Gerbino

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.
