The concept of IT General Controls (ITGC) is getting more and more important in companies and organizations. The increasing IT regulations and the need for an effective and efficient IT Governance implies that an organization knows very well and has full control of the maturity of implemented controls across the whole organization.

With the help of well-established ITGCs an organization can leverage many complex topics, such as Information- and IT- Security, Internal- and external Audit, IT-Compliance, Risk Management and IT-Governance Management etc.

Because the ITGCs consist of procedures or policies that provide a reasonable assurance that:

• The information technology within an organization operates as intended
• Data is reliable
• The organization is in compliance with applicable laws and regulations

This article is an attempt to give a brief overview of what is important when dealing with the concept of ITGCs, their organizational aspects, as well as structure and handling.

Introduction and definition

An overall IT General Control Manual (ITGCM) as a kind of Policy should define the standards for the implementation of an effective and efficient Control System across an organization.

The ITGCM provides the reference for an organization implementing control procedures and Policies in their respective area of responsibility:

• Internal Audit perform reviews
• Compliance and monitoring functions can evaluate and report on ITGC Effectiveness

The scope of the ITGCM includes many organizational activities related to the management of IT Systems or other Information Assets as well non-IT Assets:

• Logical access controls over infrastructure, applications, and data
• System development life cycle controls
• Program change management controls
• Data center physical security controls
• System and data backup and recovery controls
• Computer operation controls

Therefore the implementation of the ITGCM should be mandatory across the whole Organization.

Deviations should be subject to exception request and approval in accordance with an established standard process.

The ITGCM consists of elements including:

• A matrix or List with ITGC Controls defining all mandatory Controls (this represents the main instrument and will be discussed below)
• ITGC Controls Assessment Process
• ITGC Control Roles and Responsibilities

This all means that an ITGCM is defining the standards for an effective and efficient IT Governance Management Control System.

And management is of course accountable to make sure that the ITGCs are implemented, documented, tested and evidenced according to an overall ITGCM.

ITGC Controls Matrix

The ITGC Controls Matrix as the key element defines all applicable controls as well as additional information that may be used for the implementation, testing and assessment of the controls. Its purpose is to:

• Define the Control Objectives and Requirements
• Provide guidance for the implementation of Control Procedures and Policies
• Provide guidance for the assessment of these procedures and policies

An ITGC Controls Matrix should integrate at least these 3 types of information:

• Asset Classification and Categorization information
• Controls Objectives and Requirements
• Controls Assessment Criteria

The ITGCs can be structured in many different ways the following table illustrates a typical individual set of activity domains and the set recommended by Institute of Internal Auditors:

* The Global Technology Audit Guide (GTAG) is released by the Institute of Internal Auditors.

An IT Governance team should be responsible for defining the Controls by providing objectives and requirements for each Control. They will be used for reviews by Internal Audit as part of the audit criteria.

The implementation of the IT general controls matrix is mandatory for the whole Organization.

These procedures and policies should be designed to provide reasonable assurance regarding the achievement of control objectives set for:

• Effectiveness and efficiency of information management operations
• Reliability of information assets
• Compliance with applicable legislations,regulations and business requirements

Updates of the IT general Controls Matrix are subject to formal change management and deviations are subject to formal exception request approval in accordance with established Standards.

The following parameters of the IT general Controls Matrix, with their possible values, or similar can be used to classify and categorize information assets and to identify the list of applicable Controls for these assets:

Each ITGC can then be mapped to one or more pre-defined asset categories and classification with an indicator (Applicable or Not Applicable).

ITGC objectives and the related requirements for the implementation of controls (i.e. the control activities, including possible validation steps and recommended evidence) are defined for each Control of the IT general Controls Matrix.

The Assessment of the Controls should then use the following standard maturity parameters

• Maturity Level
  1. Optimized
  2. Monitored
  3. Standardized
  4. Informal
  5. Unreliable
• Detailed description of the actual local control procedures and policies relevant to the control objectives
• Remediation (may be included as part of a Risk Management process):
  • Action Plan, or Justification (based on risk assessment)
  • Name of responsible person; Due date,
  • Current Status

These standard parameters of the IT General Controls Matrix must be used to document the results of the controls assessment, to track the results of the controls testing, and may be used to track the progress of the Control Gap remediation (included in the Risk Management process).

Roles and Responsibilities

The IT general control manual provides a baseline for Internal Audit to audit against in respect of IT activities. However the scope of an Internal Audit is not limited to this baseline and may include other non-It and non-governance activities.

An Audit and Compliance Committee of the Board may review issues raised by the external auditors.

IT general control Assessment procedures

An IT general Controls Assessment Process is built on the three major process steps:

1. Initial Risk Assessment: The information assets of an Organizational Entity are identified, categorized and classified, and analyzed to determine the risks related to the usage of this asset. This step forms the basis for the identification of Information Assets and their classification and categorization.
2. Controls Assessment: Based on the results of step 1 and for each Information Asset of the Organizational Entity, all applicable Controls are identified, and their implementation assessed and tested. The current control environment is compared against the Control Objectives to determine the maturity of the control.
3. Remediation Management: Remediation actions are defined where necessary and implemented after evaluation of the risk associated with the Control Gaps identified. This process would normally be contained within the Risk Management Process.

The Controls Assessment process is triggered either through the annual re-assessment cycle of the Controls, or by changes affecting the Organization or information assets, for example:

• For Organization: a major change in internal organization, people, processes, roles and responsibilities, off-shoring of activities, new outsourcing vendors, acquisition, etc.
• For IT assets: a new implementation, or a major release change, significant operational or infrastructure changes, major incident, unsatisfactory quality assurance review, new shared services, etc.
• In general after:
  • Changes in legislation or external regulations
  • Failed testing of Controls
  • Identification of Control Gaps or deficiencies
  • Re-classification of assets according to the policy and classification process
  • Unsatisfactory audit results
  • Completion of remediation actions

The Controls Assessment process is executed for individual Information Assets. Its purpose is to:

• Identify the applicable controls from the IT general Controls Matrix
• Document the actual local Control Procedures and Policies
• Assess the maturity level of the Controls
• Identify the Controls Gaps where the maturity level does not meet the target value

The key Output of the Assessment includes

• Risk Status reports
• Approved risk treatment plans

Reporting and monitoring is a continuous process that should occur during the whole risk treatment process.

Divisions must ensure that risk reporting is in place to keep track of the progress of the remediation plans and the degree of risk to which the organization is exposed.

Conclusion

By establishing a life-cycle with well selected Controls it is possible to continuously improve the quality and maturity of multiple critical domains of an organization. It can be a crucial instrument to assure compliance to the increasing amount of mandatory and complex regulations. It is absolutely worthwhile to establish an organization and concept around this governance topic generating many synergies to other important areas, as internal audit, information security, risk management, quality assurance etc.

About the Author

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

• https://na.theiia.org/Pages/IIAHome.aspx