ITGC Controls: Getting it Right
Nick Sorenson
June 10, 2021

What are ITGC Controls?

Information Technology General Controls (ITGC), a type of internal controls, are a set of policies that ensure effective implementation of control systems across an organization. ITGC audits help an organization verify that the ITGC are in place and functioning correctly, so risk is properly managed in the organization.

The scope of the ITGC commonly includes access control to physical facilities, computing infrastructure, applications and data; security and compliance aspects of the system development life cycle, change management controls, backup and recovery, and operational controls over computing systems.

There are several accepted standards for ITGC audits, including the Control Objectives for Information Technologies framework (COBIT, developed by ISACA), SP 800-34 Contingency Planning Guide for Information Technology Systems (by NIST), and the Information Technology Infrastructure Library (ITIL) framework.

ITGC audits can involve monitoring the ITGC on an ongoing basis, identifying issues and responding to them, as well as proactive internal audits of ITGC components, and adjustment of policies and controls according to audit results.

IT General Controls vs Application Controls

IT General Controls are relevant for all areas of the organization, including IT infrastructure and support services. Examples of common controls are accounting controls, administrative controls, security policies, operational controls, procedures for documenting sensitive processes, and physical security for IT resources. 

Application Controls are responsible for protecting the transactions and data associated with a specific software application. They are unique to each application, and focus on input, processing and output (IPO) functions. Application controls ensure the completeness and accuracy of records created by the application, the validity of data entered into those records, and the integrity of data throughout the lifecycle.

5 Types of ITGC Controls

Here are the main categories of ITGC controls.

Physical and Environmental Security

Data centers must be protected from unplanned environmental events and unauthorized access that could potentially compromise normal operations. Access to data centers is usually controlled by keypad access, biometric access technologies, or proximity cards. These techniques enable single-factor and or multi-factor authentication. 

Organizations often add more layers of protection against unauthorized access. For example, closed-circuit video cameras are deployed as part of the overall physical security monitoring system. Additionally, data centers need technologies that control temperature within the facility, to ensure it is suitable for human staff as well as machinery. These systems often trigger alarms when the temperature changes or an emergency occurs.

Logical Security

All company employees require access to digital assets, but they do not require the same type of privileges. When providing stakeholders with access to company assets, administrators should apply the least privileges principle, and supply exactly the level of access needed to perform the responsibilities of a certain role. 

To establish access levels, IT can work with HR to determine what assets each employee requires to perform their job. Additionally, organizations should protect credentials using several mechanisms, such as encryption, strong passwords, password rotation, multi-factor authentication, and biometric authentication.

Backup and Recovery

To maintain normal operations, organizations must establish backup and recovery strategies and practices. It is critical to protect resources, including data, business processes, databases, virtual machines (VMs), and applications. There is a wide range of backup and recovery options available, including cloud-based services, on-premises systems, and hybrid solutions. 

Incident Management

IT infrastructure is constantly targeted by attackers. Organizations should establish continuous incident management practices and tooling that enables them to constantly monitor the environment, receive alerts on anomalous events, and rapidly respond to threats. However, since systems tend to send many false positive alerts, it is critical to set up automated processes that prioritize and validate incidents before notifying human teams. 

Information Security

The term “information security” refers to all practices, processes, and tools used to protect a company’s information assets and systems. It is critical to implement standardized forms of information security, to ensure that information remains secure and protected. 

This typically involves processes that prevent data loss of all types, including data theft, exfiltration, and corruption, and accidental modification, as well as processes that protect against known cyber threats and techniques, and strategies for dealing with unknown and zero day attacks.

How to Implement ITGC Successfully in Your Organization

There are three main components of ITGC implementation: people, process, and technology.

People

A critical part of an ITGC project is people. Due to the complexity of ITGC, it is necessary to build a deep level of understanding of the control framework with all relevant peers. This includes training end users on the basic knowledge and goals of the organization’s ITGC.

In addition, you must determine the roles and responsibilities of all employees involved in the project. Authorization is critical to ITGC. Therefore, you need to set up access control and change management to prevent improper access and unauthorized changes to IT systems.

Process

Before you start implementing ITGC, you need to decide on your control strategy and processes. Engage your IT manager and business technology (BT) team to get direct feedback. As IT and business systems become more integrated, ITGC processes must meet the needs of the entire organization, not just the IT department. This requires designing control processes that work together with the organization’s operating models and does not disrupt business operations.

IGBC requires the implementation of policies and procedures across multiple departments, and must be carefully documented to ensure consistency. Documentation is also important to help new employees follow the process, and will make auditing and financial reporting easier.

Technology 

Automation can significantly improve the ITGC process and reduce human error. You can use workflows to automate existing controls such as:

  • Creating user accounts
  • Reviewing logs for anomalous activity
  • Authorization workflows
  • Identifying configuration errors

In a large organization, it is very important to automate monitoring of your IT General Controls. Instead of checking controls manually, implement an automatic monitoring solution that can alert teams when a control is missing, and can provide ongoing data about controls across the organization.

ITGC Auditing with PathLock

Reporting on ITGC is typically a manual, time consuming process which happens once a year during audit season. It doesn’t have to be. Pathlock allows companies to transform into a continuous compliance mindset by monitoring ITGC in real time, and reporting on compliance year round. This way, there are no surprises when it comes time to audit season and any potential risks are captured before they become material.

Pathlock has integrations to all of your key financial applications to which ITGC apply – SAP, Oracle, Workday Financials, NetSuite, and many more. With Pathlock, simply deploy the out-of-the-box integration to your application and choose which of the 100’s of predefined rules you want to deploy. Pathlock has all of the key ITGCs covered, so you can focus your attention on value added activities instead of painstaking manual reviews.

Financial Impact Prioritization

Pathlock automatically prioritizes your most critical violations by quantifying access risk by tying violations to real dollar amounts of the out-of-policy transactions

Comprehensive Rulebook

Pathlock’s catalog of over 500+ rules, Pathlock can provide out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks. 

Real-time Access Mitigation

Pathlock allows user to quickly investigate and respond to potential risky transactions by reviewing access, deprovisioning users, forcing 2FA, or even allowing Pathlock to respond intelligently in real-time, terminating suspicious sessions and blocking transactions in real time

Out-of-the-Box Integrations

Pathlock’s out of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more

Lateral SOD Correlation

All entitlements and roles are correlated across a user’s behavior, consolidating activities and showing cross application SOD’s between financially relevant applications

Continuous Control Monitoring

Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real-time, surfacing violations for remediation and investigation