
Set the Groundwork for Success Through IT General Controls

Information technology general controls (ITGCs) are integral to business processes, shaping everything from the creation of user accounts to security protocols to technology application development and beyond. ITGCs impact how organizations design, implement, and use technology, and their purpose is to automate business controls and govern all technology-enabled operations and infrastructure. Without proper ITGCs in place, an organization’s data might be unreliable or unusable, hindering business activities and strategies. In addition, ITGCs can directly prevent adverse events such as privacy breaches, theft of company assets, failure to comply with regulations, and other undesirable issues, further underscoring the need to implement and maintain strong controls.

While integral to an organization’s overall success, ITGCs can be complex to implement. Organizations and compliance professionals should understand how ITGCs can support business strategies and internal controls compliance while preventing future breakdowns and weaknesses.

To unravel the mystery of ITGCs, here are five key elements that business and IT leaders can use to set the groundwork for success:

  1. IT governance that serves as a platform, ensuring that IT can support the current business needs.
  2. Logical security controls comprehensively applied to data and IT assets based on internal and industry requirements.
  3. Cybersecurity controls for addressing cyberattacks and other digital threats.
  4. Software development lifecycle controls (SDLCs) for all technology solutions, whether developed in-house or by a third party.
  5. Technology operations controls including administrator-level access, change controls, incident management, and any regulatory compliance considerations.

  1. IT governance – An IT organization’s strategies and capabilities are intimately woven together with established goals. For example, an IT organization’s top management could periodically meet with other business functions to understand their needs and execute timely changes. One of the benefits of this practice is to increase transparency and avoid any miscommunication or misunderstandings between all parties. Creating an IT governance framework ensures that IT functions have the resources needed to support the organization’s goals and establish a culture of transparency, risk consciousness, and increased control awareness. IT governance considerations include:
  • Establish policies and procedures mandated for all areas of the organization (such as HR, finance, operations, IT, and risk compliance management) to create consistency and standards. By contrast, non-compliance with IT policies could lead to control breakdowns and open the door for unwanted risk.
  • Continuously monitor IT processes and information technology infrastructure. This helps to ensure data integrity and reliability, which is important for valid decision-making, accurate financial reporting, and other desirable business outcomes.
  • Drive ongoing communication between business leaders and IT leaders to achieve success. Communication and cooperation feed off each other, and regular discussions keep everyone aligned on current events as well as proactively prepare for emergent risks.
  2. Logical security controls protect data at the application and database level and prevent unauthorized transactions through a process of access rights administration and technical controls. A critical first step is to evaluate which information is currently accessible and whether it should be available to each user—but before any logical security controls can be applied effectively, all regulatory matters and business policies should be scrutinized. This scrutiny must be translated into thorough system access documentation, well-designed access profiles, user access provisioning processes, and periodic user access reviews. More importantly, system administrators and users need ongoing training to understand how each role contributes to the security and integrity of the information systems. For example, to safeguard system access, an organization will require all employees to pass multifactor authentication before gaining access to its systems, or in-place processes will automatically validate that employees create strong passwords. When designing and implementing logical security controls, some key considerations are:
  • Review the existing corporate information security policy and information security program, making sure that it clearly establishes the role and responsibilities of application administrators.
  • Align the existing information security program with applicable regulations, standards, and requirements (such as protecting health-related information per HIPAA guidelines, ensuring compliance with Sarbanes-Oxley, or meeting other industry-specific regulations).
  • Provide training to all system owners, application administrators, and users about their responsibilities, information security risks, and IT controls in the context of the organization. This training will also help IT management receive feedback from trainees, which will allow them to modify policy language or instructions that are confusing.
  3. Cybersecurity controls can prevent, detect, correct, and help respond to known cyberattacks and digital threats. These controls support the confidentiality, integrity, availability, and privacy of the IT assets and users. Examples of cybersecurity controls are: IT risk management, vulnerability assessments, penetration testing, anti-malware or anti-virus software, patch management, event logging and monitoring, data loss prevention controls, and data classification controls, among others. Cybersecurity professionals must understand the business processes, how the data flows through the organization, and the impacts of key regulatory and compliance matters. Here, the most important pillars are:
  • Business and IT management should continually assess the IT program and the controls to ensure relevance within the current environment.
  • Implement a data classification program; this will help to establish how different types of data should be protected, retained, accessed, stored, transmitted, and decommissioned.
  • Create corrective action plans for any findings discovered through risk assessments, vulnerability scans, or penetration tests.
  • Address unique and evolving threats by creating cybersecurity-focused controls such as patch management, vulnerability management, endpoint detection and response programs, and anti-malware software.
  4. Software development lifecycle controls (SDLCs) focus on the methodologies for designing and building software with acceptable quality and accuracy, and SDLCs remain necessary whether or not companies develop software in-house.

For companies developing software in-house, an SDLC framework is necessary to establish all system design practices, implementation or integration standards, software development methodologies, and software maintenance standards. A robust SDLC framework can prevent security and data integrity issues that arise during the design stages of a system and throughout the life of the software.

Beyond in-house software development practices, most companies today must consider and manage software controls. In the era of the software-as-a-service (SaaS), not all companies have developed or maintained an SDLC program because the software development and supporting infrastructure is made available from the SaaS provider responsible for its own SDLC framework. That said, any organization acquiring software from these service providers must oversee the provider’s SDLC practices (prior to and during the time of the relationship), making sure the SaaS provider is aligned with the organization’s standards and regulatory requirements. Some SaaS solutions (such as Oracle NetSuite, Microsoft Dynamics 365, and several other favored business technology platforms) are complex and typically call for an organized strategy to integrate and maintain the solution throughout its life. Ultimately, this means any SaaS acquisition, integration, or implementation requires careful planning.

Whether managing the software development lifecycle through in-house teams or SaaS providers, key controls considerations include:

  • Ensure the SDLC framework is up to date and evaluated by competent IT experts to ensure compliance with all regulatory and information security requirements.
  • Perform information security due diligence prior to any SaaS implementation to ensure the service provider’s SDLC practices satisfy the organization’s requirements.
  • Review and test the controls in the initial stages, from pre-deployment to live production, to confirm compliance, involving subject matter experts (SMEs) and business management and consulting with auditors. Involving these parties during review and testing of controls will reduce last-minute scope changes, speed up implementations or acquisitions, and minimize problematic audit findings or observations.
  • Require a service organization controls (SOC) report from all SaaS providers. A review of the SOC report will help a company identify the relevant control activities performed by the SaaS provider and in turn identify those complementary user entity controls (CUECs) necessary within the company’s control environment to ensure completeness of coverage.
  5. Technology operations controls monitor the health of the IT infrastructure that supports the applications and services used by the organization. These controls address the most vulnerable area, which is constantly influenced by the policies and procedures dictated through related mechanisms of IT governance, logical security, cybersecurity, and SDLCs. Technology operations controls focus on complex functions such as computer operations (batch job processing controls, incident management, and data backup procedures), network infrastructure management, server management, device management, and the IT service desk. Related risks include inaccurate data processing, telecommunication issues, lack of physical security, and lack of system availability due to internal or external factors. Technology operations controls require special attention from IT management as the IT environment is constantly evolving and is highly regulated in most industries, and failures in any of these activities would have an enormous impact on any business and its clients. Related considerations include:
  • Align all emergency access protocols, change management controls, and incident management procedures with the SDLC framework.
  • Keep appropriate segregation of duties between IT infrastructure, information security, and development teams.
  • Avoid granting “super user” access to development team members, although management might find it appealing to do this to fix production issues as soon as they appear. Restricting such access could reduce the number of production incidents (because restricted access can help cut out human error, malpractice, or abuse as the main causes of IT incidents) and could help shift focus toward projects that add value and improve IT performance.
  • Train IT administrators and users to properly identify, report, assess, prioritize, and fix production issues. A strong incident and problem management program can help IT management diagnose the root of problems and reduce future incidents.
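The periodic user access review called for under logical security controls, and the segregation-of-duties and “super user” points in the technology operations list, can both be implemented as one reconciliation between the HR roster and an application's account export. The script below is an added example, not code from the original article or from any product it names; the roster, the account list, the role names, the department-to-profile mapping, and the 90-day staleness threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (assumption): an HR roster keyed by employee id.
HR_ROSTER = {
    "E100": {"name": "Ada",  "dept": "finance",     "status": "active"},
    "E101": {"name": "Ben",  "dept": "development", "status": "active"},
    "E102": {"name": "Cleo", "dept": "it_infra",    "status": "active"},
    "E103": {"name": "Dev",  "dept": "finance",     "status": "terminated"},
}

# Constructed sample data (assumption): an account export as a review would receive it.
ACCOUNTS = [
    {"user": "ada",   "employee_id": "E100", "roles": {"ap_clerk"},              "last_login": date(2024, 5, 20)},
    {"user": "ben",   "employee_id": "E101", "roles": {"developer", "sysadmin"}, "last_login": date(2024, 5, 18)},
    {"user": "cleo",  "employee_id": "E102", "roles": {"sysadmin"},              "last_login": date(2024, 5, 21)},
    {"user": "dev",   "employee_id": "E103", "roles": {"ap_clerk"},              "last_login": date(2024, 1, 3)},
    {"user": "svc_x", "employee_id": None,   "roles": {"ap_clerk"},              "last_login": date(2023, 11, 1)},
]

# Assumed policy inputs: the documented access profile per department, which roles
# count as administrator-level, which departments are development teams, and how long
# an account may sit unused before the review flags it.
ACCESS_PROFILES = {
    "finance": {"ap_clerk", "ap_approver"},
    "development": {"developer"},
    "it_infra": {"sysadmin", "dba"},
}
ADMIN_ROLES = {"sysadmin", "dba"}
DEV_DEPARTMENTS = {"development"}
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Finding:
    user: str
    check: str   # orphan | terminated | sod | excess | stale
    detail: str


def review_access(accounts, roster, today, profiles=ACCESS_PROFILES,
                  admin_roles=ADMIN_ROLES, dev_departments=DEV_DEPARTMENTS,
                  stale_after=STALE_AFTER):
    """Reconcile an account export against HR data and access profiles.

    Each account is checked for: no HR owner (orphan), an owner who has left
    (terminated), a developer holding administrator-level roles (sod), roles
    outside the owner's departmental profile (excess), and no recent login (stale).
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        emp = roster.get(acct["employee_id"]) if acct["employee_id"] else None

        if emp is None:
            findings.append(Finding(user, "orphan", "no matching HR record"))
        elif emp["status"] != "active":
            findings.append(Finding(user, "terminated", f"HR status is {emp['status']}"))

        if emp is not None:
            # Segregation of duties: development staff must not hold super-user roles.
            held_admin = acct["roles"] & admin_roles
            if emp["dept"] in dev_departments and held_admin:
                findings.append(Finding(user, "sod", f"developer holds {sorted(held_admin)}"))
            # Access profile: anything beyond the department's documented roles is excess.
            excess = acct["roles"] - profiles.get(emp["dept"], set())
            if excess:
                findings.append(Finding(user, "excess", f"roles outside profile: {sorted(excess)}"))

        if today - acct["last_login"] > stale_after:
            findings.append(Finding(user, "stale", f"last login {acct['last_login'].isoformat()}"))
    return findings


def findings_for_sample(today=date(2024, 5, 22)):
    """Run the review over the constructed sample as of the assumed review date."""
    return review_access(ACCOUNTS, HR_ROSTER, today)


def summarize(findings):
    """Collapse findings to (user, check) pairs for reporting or assertions."""
    return {(f.user, f.check) for f in findings}


if __name__ == "__main__":
    for f in sorted(findings_for_sample(), key=lambda f: (f.user, f.check)):
        print(f"{f.user:8} {f.check:10} {f.detail}")
```

Run against the sample, the review produces the items a reviewer would expect to see before signing off: the terminated employee and the unowned service account both still active and stale, and the developer holding a sysadmin role that is both a segregation-of-duties conflict and outside the development profile. In practice the roster and export would be pulled from the HR system and the application's identity store, and each finding would be routed to the system owner for remediation and retained as evidence of the review.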

Information systems and other technological advances continue unabated, and this increases the expectation for organizations to address risks and strategically enact proper controls. Understanding the relevance of ITGCs and how to appropriately set the groundwork will assure future success. The foundational ITGC considerations outlined above will benefit IT management when implementing or reinforcing these concepts throughout the organization—whether it impacts workforce tasks as simple as checking email to collaborate with coworkers or complex processes like preparing annual financial statements.
