IT general controls are among the most important elements of effective compliance and IT security. So it’s a bit strange that many businesses — and compliance professionals, for that matter — struggle to understand exactly how “ITGCs” support compliance and the many ways they can fail.
So today let’s take a deep dive into IT general controls, and how organizations should govern their ITGCs to prevent those failures.
What Are IT General Controls?
In the simplest definition, ITGCs are controls that govern how technology is designed, implemented, and used in your organization. ITGCs shape everything from configuration management to password policy, application development to user account creation. They govern issues such as how technology is acquired and developed, or how security protocols are rolled out across the enterprise.
Without ITGCs, employees can’t rely on the data and reports that IT systems provide.
That can cause any number of compliance disasters, such as privacy breaches, theft of company assets, regulatory non-compliance, and more — plus the operational disruption visited upon business units that can’t trust how their IT systems are performing.
Hence the need for a clear understanding of ITGCs, and how to maintain effective ITGCs in your business. Without them, you’re sunk.
Exactly What Do ITGCs Do?
ITGCs govern the technology that other parts of the enterprise use to do their jobs. For example, a large business might have applications that support finance, procurement, inventory, research, sales & marketing, and human resources. All of those teams use their own IT applications, and depend on those applications operating in certain ways. At most large businesses, each of those applications will be part of one enterprise resource planning (ERP) system, such as Oracle or SAP.
The ITGCs govern how that ERP system operates. They would control tasks such as:
- The creation of administrator accounts or “super-users,” who could then create other user accounts for each IT application.
- Software lifecycle management, which dictates how a new application is developed, tested, and implemented in your enterprise.
- Patch management, to ensure that security or software upgrades are rolled out promptly to all systems that need the upgrade.
- Password management and other identity authentication, to assure that each application has appropriate access controls.
- Audit logs, so that all transactions or changes to the IT systems are recorded and available for audits or other reviews at a later time.
You can see why ITGCs are so important to cybersecurity and regulatory compliance. For example, if every employee has the power to create new user accounts, anyone could create a “stealth user” to peek at confidential data or to wire company funds to an offshore account. With sloppy patch management, you might leave a system connected to the Internet with outdated security; then attackers can use an exploit they found on the dark web to infiltrate your ERP system and abscond with data or erase valuable intellectual property.
A more immediate problem with ITGCs is that external audit firms routinely examine ITGCs as part of their audits over financial reporting or security controls (SOX audits) — so if you have poor ITGCs, you flunk the audit. That can lead to awkward disclosures to investors if the ITGCs are cited in a financial audit, or lost business if poor ITGCs spook would-be customers concerned about security risks. It will also lead to costly remediation either way.
So wise companies will take ITGCs seriously from the start, and build a strong, well-governed set of ITGCs to avoid those headaches.
What Does Strong ITGC Management Entail?
First, start with a compliance framework that includes all the “standard” ITGC risks and potential controls. (The COSO framework for internal controls is one example; the COBIT framework specifically for IT controls is another.) This allows the CISO (or the IT auditor or internal auditor) to conduct a basic risk assessment and identify weaknesses in your ITGCs. Some common weaknesses include:
- Failure to govern user-account creation, so somebody might create a user account without proper permissions or leave a user account active even after the associated employee has left.
- Poor patch and configuration management, either of which could leave your ERP system vulnerable to exploits from attackers.
- Inadequate audit logs, so that if something does go awry and you want to investigate exactly what happened, you can’t.
- Poor software development controls, which could allow someone to alter how an application works or what transactional data is recorded.
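As an added example (not code from the article), here is a small control test an IT auditor might run to surface the first weakness listed above, user-account governance: accounts with no approved access request, accounts still active after the employee has left, and super-user accounts created by someone outside the provisioning team. The HR roster, ticket IDs, user names and ERP account list are all constructed sample data.

```python
"""Added example: an ITGC user-access test over constructed sample data.
It flags accounts without an approved request, accounts still active after
termination, and super-user accounts created by a non-provisioning admin."""
from datetime import date

# Constructed HR roster: user id -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2023, 3, 31),
    "carol": None,
    "dave": None,
}

# Constructed access-request tickets that approved each account's creation.
APPROVED_TICKETS = {"alice": "REQ-0001", "bob": "REQ-0002", "carol": "REQ-0003"}

# Constructed ERP user list: role, who created the account, and status.
ERP_ACCOUNTS = [
    {"user": "alice", "role": "user", "created_by": "sysadmin", "active": True},
    {"user": "bob", "role": "user", "created_by": "sysadmin", "active": True},
    {"user": "carol", "role": "super-user", "created_by": "alice", "active": True},
    {"user": "dave", "role": "user", "created_by": "sysadmin", "active": True},
    {"user": "eve", "role": "user", "created_by": "sysadmin", "active": True},
]

# Only these identities are allowed to create super-user accounts (assumption).
PROVISIONING_ADMINS = {"sysadmin"}


def check_user_access_controls(accounts, roster, tickets, admins, as_of):
    """Return (user, finding) pairs; an empty list means the control passed."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            findings.append((user, "no matching HR record"))
        elif roster[user] is not None and roster[user] < as_of and acct["active"]:
            findings.append((user, "active after termination"))
        if user not in tickets:
            findings.append((user, "no approved access request"))
        if acct["role"] == "super-user" and acct["created_by"] not in admins:
            findings.append((user, "super-user created by non-admin"))
    return findings


def run_sample_check():
    """Run the test against the constructed data as of 2024-01-01."""
    return check_user_access_controls(
        ERP_ACCOUNTS, HR_ROSTER, APPROVED_TICKETS, PROVISIONING_ADMINS, date(2024, 1, 1))


if __name__ == "__main__":
    for user, finding in run_sample_check():
        print(f"{user}: {finding}")
```

Each finding maps back to a control that an auditor would expect evidence for: a joiner/leaver process tied to HR, an approval ticket per account, and a restricted list of identities allowed to create administrator accounts.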
Those weaknesses turn up time and again in data breaches and other security incidents. For example, poor patch management leaves businesses exposed to the RECON vulnerability if you use SAP, or the BigDebIT vulnerability if you use Oracle. Both allow attackers to evade standard access controls to manipulate your data directly — including stealing your data (privacy breach!) or altering financial records (fraud, theft, and bribery risk).
Remediating weaknesses can often be the tricky part. Some remediation steps are straightforward and can be done by the CISO alone, such as configuring the ERP system to generate audit logs or scanning the IT system at regular intervals to catalog all the technology assets the firm has. Implementing those steps, testing their success, documenting that they’ve happened — that can be tedious, and you’d do well to rely on a technology tool to assure that it all happens correctly. But they’re still straightforward steps a CISO can take without controversy.
Other remediation steps will touch on how employees go about their jobs. The CISO would do well to have a compliance or IT risk committee that meets regularly to talk about internal control, where executives across the enterprise can collectively agree on a strategy for ITGC implementation.
For example, policies about password complexity or multi-factor authentication are important IT general controls. They can also exasperate employees or customers. So the CISO and other executives need to decide on an appropriate amount of control given the risk — “Do we really need 19-character passwords updated monthly? Is the data we’re protecting that important?” — and then follow up with suitable messaging and training so employees understand the need for whatever ITGCs you implement.
Moreover, your organization will need some governance process that keeps your ITGCs tied to the regulatory and operational risks you face. This is another job for the in-house compliance or risk committee. Meet regularly to see how business operations or regulatory requirements have changed, and map those changes to your existing ITGCs.
IT General Controls: Final Thoughts
ITGCs work out of sight from most employees, but they’re incredibly important for security, compliance, and operational success.
Compliance officers, therefore, need a keen appreciation of how ITGCs support a strong compliance program. They need tools to assess the performance of ITGCs and to mitigate any weaknesses that might endanger your ERP system or other technology your business units use. And as always, compliance officers also need to understand how their internal control actions will affect the people within your organization, or else your work won’t go very far.
The one overriding fact, however, is that the modern business enterprise will only rely more on technology as we move into the future. The stronger your grasp over the ITGCs that support your business, the better your business will be able to compete in our highly regulated, highly risky world.