The Information Technology (IT) environment within a company has changed significantly with advances in information systems (systems and software) and in the hardware they run on. Under these circumstances, understanding IT General Controls (ITGC), also known as General IT Controls, has become crucial. At the same time, the information security frameworks and standards published by international organizations (COSO, ISACA, ISO) have improved substantially.
Significant and continuous changes in the IT environment can increase access risks and can affect financial reporting. Financial data (the source of financial reporting) is stored in systems such as databases, and system functionality determines how that data can be accessed and processed. The access granted to or obtained by users therefore affects data protection, and SPAP 315, A64 identifies the following controls over it:
- Authentication controls: Ensuring that users accessing applications or other aspects within the IT environment have the appropriate credentials.
- Authorization controls: Allowing users to access required information according to their job responsibilities and proper segregation of duties.
- Control over provisioning, revoking, and modifying access: Authorizing new users and making changes to existing user access rights, including removing user access after termination (resignation).
- Control over privileged access: Allowing administrative access (super admin) or users with elevated or special access to system or application administration.
- User access review controls: Recertifying or evaluating user access for ongoing authorization.
- Control over security configuration: Most technologies have key configuration settings that help restrict access and potential data loss or the inability to access data when needed.
- Control over physical access: Physical access to data centers, hardware, or the physical assets of other IT assets.
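As an added illustration (not part of the original article, and not a tool belonging to any firm named on this page), the following Python script shows how several of the access controls listed above can be tested mechanically rather than by inspection alone. It reconciles a constructed application account export against a constructed HR roster and flags: accounts still enabled for terminated employees (provisioning/revocation control), accounts with no HR record (orphan accounts), role combinations that violate segregation of duties (authorization control), privileged accounts whose last recertification is overdue (privileged access and user access review controls), and dormant accounts. The field names, role names, the conflicting-role pair and the 90-day thresholds are assumptions chosen for the example; a real review would take them from the client's access policy.

```python
from collections import Counter
from datetime import date

# Constructed HR roster (assumed export format): employee id -> (status, termination date or None).
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2024, 3, 15)),
    "E102": ("active", None),
    "E103": ("active", None),
}

# Constructed application account export, as an auditor would request it from the system owner.
# Field names are assumptions for this example.
ACCOUNTS = [
    {"user": "alice",   "employee_id": "E100", "roles": {"ap_clerk"},
     "privileged": False, "last_login": date(2024, 5, 30), "last_review": date(2024, 4, 1)},
    {"user": "bob",     "employee_id": "E101", "roles": {"ap_clerk"},
     "privileged": False, "last_login": date(2024, 3, 20), "last_review": date(2024, 1, 10)},
    {"user": "carol",   "employee_id": "E102", "roles": {"vendor_maint", "payment_approve"},
     "privileged": False, "last_login": date(2024, 6, 1),  "last_review": date(2024, 4, 1)},
    {"user": "dba01",   "employee_id": "E103", "roles": {"sysadmin"},
     "privileged": True,  "last_login": date(2024, 6, 1),  "last_review": date(2023, 12, 1)},
    {"user": "svc_old", "employee_id": None,   "roles": {"report_viewer"},
     "privileged": False, "last_login": date(2023, 11, 2), "last_review": None},
]

# Assumed segregation-of-duties rule: one person must not both maintain vendor master data
# and approve payments. A real matrix would come from the client's authorization policy.
SOD_CONFLICTS = [
    ({"vendor_maint", "payment_approve"}, "vendor master maintenance + payment approval"),
]


def review_access(accounts, hr_roster, as_of, review_days=90, dormant_days=90):
    """Return a list of findings, one dict per control exception found."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        emp = hr_roster.get(acct["employee_id"]) if acct["employee_id"] else None

        # Provisioning/revocation control: every account must map to a current employee.
        if emp is None:
            findings.append({"user": user, "check": "orphan",
                             "detail": "no matching HR record"})
        elif emp[0] == "terminated":
            detail = f"employee terminated {emp[1].isoformat()}, account still enabled"
            if acct["last_login"] > emp[1]:
                # Evidence the account was actually used after the leaving date.
                detail += f"; last login {acct['last_login'].isoformat()} is after termination"
            findings.append({"user": user, "check": "terminated_active", "detail": detail})

        # Authorization control: flag role sets that contain a conflicting combination.
        for roles, label in SOD_CONFLICTS:
            if roles <= acct["roles"]:
                findings.append({"user": user, "check": "sod_conflict", "detail": label})

        # Privileged access / user access review control: elevated accounts need recent recertification.
        if acct["privileged"]:
            last = acct["last_review"]
            if last is None or (as_of - last).days > review_days:
                findings.append({"user": user, "check": "privileged_review_overdue",
                                 "detail": f"last review {last.isoformat() if last else 'never'}"})

        # Dormant accounts are a common sign of incomplete deprovisioning.
        if (as_of - acct["last_login"]).days > dormant_days:
            findings.append({"user": user, "check": "dormant",
                             "detail": f"no login since {acct['last_login'].isoformat()}"})
    return findings


def summarize(findings):
    """Count findings per check type, the figure an ITGC report would tabulate."""
    return dict(Counter(f["check"] for f in findings))


if __name__ == "__main__":
    results = review_access(ACCOUNTS, HR_ROSTER, as_of=date(2024, 6, 30))
    for f in results:
        print(f"{f['user']:<8} {f['check']:<26} {f['detail']}")
    print(summarize(results))
```

Each finding maps back to one of the control categories above, which is what makes the output usable as audit evidence: the reviewer can show which control the exception belongs to, what population was tested, and the cut-off date used.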
Auditors are required to understand the client's IT environment by identifying the recommended ITGC frameworks, as set out in the guidelines published by the International Auditing and Assurance Standards Board (IAASB) in International Standards on Auditing (ISA) 315 (2019 revision), with a focus on data security. Auditors assess risks and use professional judgment to determine the risk factors in the IT environment and the appropriate controls to mitigate them.
What is ITGC?
ITGC comprises policies and procedures that govern (control) an organization’s IT system operations, ensuring data confidentiality, integrity, and availability. ITGC encompasses all aspects of IT, including software implementation, user account creation, and data management.
ITGC can be divided into several categories, including:
- General IT administration controls, related to IT system management and oversight, long-term IT strategic planning, and IT risk assessment. These controls also encompass IT security.
- Access controls, covering various methods to prevent unauthorized access and data manipulation. Access controls also include user authentication, data encryption, account locking, and audit trails.
- System Development Life Cycle (SDLC) controls, related to the development, testing, implementation, and maintenance of a system. SDLC controls also include documentation, approvals, change tracking, and performance evaluation.
- Program change controls, governing program and system configuration changes. Program change controls also involve impact analysis, regression testing, segregation of duties, and activity logging.
- Physical hardware and data center security controls, covering security measures against external and internal threats to the physical environment (hardware), including damage, power disruptions, and natural disasters. Data center physical security controls include door and window locks, alarm and CCTV systems, smoke and fire detection, and air conditioning systems.
- Backup and system/data recovery controls, related to periodic copying and backup of data (backup and restore) that can be quickly restored in case of loss or damage. Backup and system/data recovery controls also include backup scheduling, secure storage of backup media, routine recovery testing, and disaster recovery planning.
- Computer operations controls, related to the efficient and effective operation of IT systems. Computer operations controls also involve system performance monitoring, technical issue resolution, capacity and availability management, and incident reporting (helpdesk).
Why is ITGC important?
ITGC is important because it helps companies ensure the effectiveness and compliance of information systems used in business processes and financial reporting. ITGC also enhances the security and integrity of data, programs, and outputs produced by information systems. ITGC helps prevent unauthorized access, data breaches, and operational disruptions. It can reduce the risk of errors, manipulation, or misuse of information technology that could negatively impact a company’s performance and reputation. Effective ITGC can improve the reliability and accuracy of financial reporting and help mitigate fraud risk. ITGC is also a requirement to meet applicable audit standards and regulations.
Who, When, and What Are the Benefits of ITGC Review?
A review or assessment of ITGC should ideally be conducted periodically by an independent external party, at least once a year (recommended before the general audit), or as needed based on the risks the company faces. Having ITGC reviewed and assessed by an independent external party benefits the company in several ways:
- Building trust and credibility among stakeholders, regulators, auditors, and customers regarding the quality and compliance of the information systems used by the company.
- Receiving objective and professional input and advice from external parties with competence and experience in IT auditing.
- Identifying weaknesses, risks, and improvement opportunities in the implementation of ITGC and recommending appropriate corrective and preventive actions.
- Meeting applicable audit standards and regulations, such as SOX compliance, which requires companies to conduct periodic assessments of ITGC effectiveness.
How Is an ITGC Assessment Conducted by an External Independent Party?
Planning

Fieldwork

Reporting and Recommendations

SW Digital Transformation and Cybertrust are often chosen as the independent party to assess their clients' ITGC for the following reasons:
- Deep expertise helps us understand the complexity of control systems and risks.
- Relevance and up-to-date knowledge ensure that our services align with the latest international standards in technology and auditing.
- Measurable results: data and facts on how successfully ITGC has been implemented are an integral part of our services, so that the assessment has a real impact.
- Support for improvement focuses not only on assessing ITGC but also on recommending improvements and enhancements to client control systems.