Why IT General Controls Are Important for Compliance and Cybersecurity

IT general controls are among the most important elements of effective compliance and IT security. So it’s a bit strange that many businesses — and compliance professionals, for that matter — struggle to understand exactly how “ITGCs” support compliance and the many ways they can fail. 

So today let’s take a deep dive into IT general controls, and how organizations should govern their ITGCs to prevent those failures.

What are IT general controls? 

ITGCs are controls that govern how technology is designed, implemented, and used in your organization. ITGCs shape everything from configuration management to password policy, the adoption of artificial intelligence to user account creation. They govern issues such as how technology is acquired and developed, or how security protocols are rolled out across the enterprise.

Without ITGCs, employees can’t rely on the data and reports that IT systems provide; you’ll never know whether the information you’re reading is in fact correct. That can cause any number of compliance disasters, such as privacy breaches, theft of company assets, regulatory non-compliance, and more — plus the operational disruption visited upon business units that can’t trust how their IT systems are performing.

Hence the need for a clear understanding of ITGCs, and how to maintain effective ITGCs in your business. Without them, you’re sunk.

What exactly do ITGCs do? 

ITGCs govern the technology that other parts of the enterprise use to do their jobs. For example, a large business might have applications that support finance, procurement, inventory, research, sales & marketing, and human resources. All of those teams use their own IT applications, and depend on those applications operating in certain ways. At most large businesses, each of those applications will be part of one enterprise resource planning (ERP) system, such as Oracle or SAP.

The ITGCs govern how that ERP system operates. They would control tasks such as:

• The creation of administrator accounts or “super-users,” who could then create other user accounts for each IT application.
• Software lifecycle management, which dictates how a new application is developed, tested, and implemented in your enterprise.
• Patch management, to ensure that security or software upgrades are rolled out promptly to all systems that need the upgrade.
• Password management and other identity authentication, to assure that each application has appropriate access controls.
• Audit logs, so that all transactions or changes to the IT systems are recorded and available for audits or other reviews at a later time.

You can see why ITGCs are so important to cybersecurity and regulatory compliance. For example, if every employee has the power to create new user accounts, anyone could create a “stealth user” to peek at confidential data or to wire company funds to an offshore account. With sloppy patch management, you might leave a system connected to the Internet with outdated security; then attackers can use an exploit they found on the dark web to infiltrate your ERP system and abscond with data or erase valuable intellectual property.

ITGCs will become even more important as the corporate world adopts artificial intelligence. Given the host of risks that careless adoption of AI could introduce — regulatory enforcement over privacy violations or discriminatory AI behavior; litigation risks from untrustworthy AI results; security risks from flawed AI software someone implements without telling the IT team — strong governance of AI will be crucial. That starts with thoughtful, effective, battle-tested ITGCs.

Walking the tightrope of using AI in cybersecurity? You are not alone. Our data underscores this nuanced reality. Learn more in our annual IT benchmark report.

A more immediate problem with ITGCs is that external audit firms routinely examine ITCGs as part of their audits over financial reporting or security controls (SOX audits) — so if you have poor ITGCs, you flunk the audit. That can lead to awkward disclosures to investors if the ITGCs are cited in a financial audit; or lost business if poor ITGCs spook would-be customers concerned about security risks. It will lead to costly remediation either way.

So wise companies will take ITGCs seriously from the start, and build a strong, well-governed set of ITGCs to avoid those headaches.

What does strong ITGC management entail?

First, start with a compliance framework that includes all the “standard” ITGC risks and potential controls. The COSO framework for internal controls is one example; the COBIT framework specifically for IT controls is another. NIST, the National Institute for Standards and Technology, has developed an AI-specific risk framework. This allows the CISO (or the IT auditor or internal auditor) to conduct a basic risk assessment and identify weaknesses in your ITGCs. Some common weaknesses include:

• Failure to govern user-account creation, so somebody might create a user account without proper permissions or leave a user account active even after the associated employee has left.
• Poor patch and configuration management, either of which could leave your ERP system vulnerable to exploits from attackers. 
• Inadequate audit logs, so that if something does go awry and you want to investigate exactly what happened, you can’t. 
• Poor software development controls, which could allow someone to alter how an application works or what transactional data is recorded.
• Weak IT acquisition policies, which allow employees to implement open-source software or to sign up for cloud-based technology without first alerting the IT team.

Those weaknesses turn up time and again in data breaches and other security incidents. For example, poor patch management leaves businesses exposed to the RECON vulnerability if you use SAP, or the BigDebIT vulnerability if you use Oracle. Both allow attackers to evade standard access controls to manipulate your data directly — including stealing your data (privacy breach) or altering financial records (fraud, theft, and bribery risk). 

Remediating weaknesses can often be the tricky part. Some remediation steps are straightforward and can be done by the CISO alone, such as configuring the ERP system to generate audit logs or scanning the IT system at regular intervals to catalog all the technology assets the firm has. Implementing those steps, testing their success, documenting that they’ve happened — that can be tedious, and you’d do well to rely on a technology tool to assure that it all happens correctly. But they’re still straightforward steps a CISO can take without controversy.

Other remediation steps, such as controls governing the implementation of AI or other new technology, will be more complicated becase they touch on how employees go about their jobs. The CISO would do well to have a compliance or IT risk committee that meets regularly to talk about internal control, where executives across the enterprise can collectively agree on a strategy for ITGC implementation.

For example, policies about password complexity or multi-factor authentication are important IT general controls. They can also exasperate employees or customers. So the CISO and other executives need to decide on an appropriate amount of control given the risk — “Do we really need 19-character passwords updated monthly? Is the data we’re protecting that important?” — and then follow up with suitable messaging and training so employees understand the need for whatever ITGCs you implement.

Related article: Defining and Building Your In-House Compliance Committee 

Moreover, your organization will need some governance process that keeps your ITGCs tied to the regulatory and operational risks you face. This is another job for the in-house compliance or risk committee. Meet regularly to see how business operations or regulatory requirements have changed, and map those changes to your existing ITGCs. 

Mastering IT general controls essential for security, compliance, and competitive edge

ITGCs work out of sight from most employees, but they’re incredibly important for security, compliance, and operational success. 

Compliance officers, therefore, need a keen appreciation of how ITGCs support a strong compliance program. They need tools to assess the performance of ITGCs and to mitigate any weaknesses that might endanger your ERP system or other technology your business units use. And as always, compliance officers also need to understand how their internal control actions will affect the people within your organization, or else your work won’t go very far.

The one overriding fact, however, is that the modern business enterprise will only rely more on technology as we move into the future. The stronger your grasp over the ITGCs that support your business, the better your business will be able to compete in our highly regulated, highly risky world.

Strengthen your compliance program with Hyperproof

It is essential to consider the impact of internal control actions on your workforce and the overall organization to drive meaningful results. Don’t miss out on the opportunity to enhance your compliance program. Request your free demo of Hyperproof now.