Optimize Your IT General Controls

Information Technology General Controls (ITGCs) help organizations guard their systems and operations against IT-related risks in critical business areas such as finance, purchasing, and payroll. ITGCs are the foundation of the overall IT control environment: they provide assurance that systems operate as intended and that their output is reliable. (For public companies, these controls also support the financial statement audit, since collectively they underpin Sarbanes-Oxley (SOX) compliance requirements.)

Five Main Categories:

AAFCPAs groups ITGCs into five major categories: Access to Programs and Data, Program Changes, Program Development, Computer Operations, and Network Security.

1. Access to Programs and Data

AAFCPAs provides guidance to clients on the risks associated with system access. Only authorized users with a legitimate business need should have permission to access applications and sensitive data, and those users should be made aware of their responsibility to maintain the security of the applications and data they can reach.

To address these risks, AAFCPAs assesses controls related to five objectives:

  1. We determine whether information security is managed so that security practices are implemented consistently and users are aware of the organization’s position on information security as it pertains to financial or sensitive data.
  2. We determine whether logical access to applications and data is appropriately restricted through identification, authentication, and authorization mechanisms, to reduce the risk of unauthorized or inappropriate access to the organization’s relevant systems.
  3. We determine whether procedures have been established so that user accounts are added, modified, and removed in a timely manner, to reduce the risk of unauthorized or inappropriate access to the organization’s relevant financial reporting or sensitive data.
  4. We determine whether effective controls are in place to monitor the maintenance of access rights to the organization’s relevant financial applications or sensitive data.
  5. We determine whether controls provide appropriate segregation of duties within key processes, and whether those controls are followed.

AAFCPAs advises clients to implement a least-privilege, resource-appropriate approach to program and data access for employees, based on best practices and mandated regulations.
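Objectives 3 through 5 above are typically tested by reconciling the application's user list against the HR roster and against a segregation-of-duties (SoD) matrix. The Python below is an added example of such a periodic access review; it is not AAFCPAs' tooling, and the HR roster, the application user export, the role names, the SoD conflict pairs and the 90-day re-certification window are all constructed assumptions for illustration.

```python
"""Added example: a periodic user-access review (not AAFCPAs' own tooling).

It reconciles a constructed HR roster against a constructed application user
export and flags three classes of exception:
  - leavers whose accounts are still enabled (timely de-provisioning),
  - enabled accounts with no current employee owner, or whose entitlements
    have not been re-certified within the review window (monitoring of
    access-right maintenance),
  - users holding role combinations that violate the SoD matrix.
Role names, field names, dates and the 90-day window are assumptions.
"""
from datetime import date, timedelta

# Constructed sample data: HR roster keyed by employee id.
HR_ROSTER = {
    "e100": {"name": "Ana", "status": "active", "termination_date": None},
    "e101": {"name": "Ben", "status": "terminated", "termination_date": date(2024, 1, 15)},
    "e102": {"name": "Cy", "status": "active", "termination_date": None},
    "e103": {"name": "Dee", "status": "active", "termination_date": None},
}

# Constructed sample data: user export from the financial application.
APP_USERS = [
    {"user": "ana", "employee_id": "e100", "enabled": True,
     "roles": {"AP_INVOICE_ENTRY"}, "last_reviewed": date(2024, 2, 1)},
    {"user": "ben", "employee_id": "e101", "enabled": True,          # left in January
     "roles": {"GL_POST"}, "last_reviewed": date(2023, 9, 1)},
    {"user": "cy", "employee_id": "e102", "enabled": True,           # can create and pay a vendor
     "roles": {"VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}, "last_reviewed": date(2024, 2, 10)},
    {"user": "svc_batch", "employee_id": None, "enabled": True,      # no HR owner
     "roles": {"GL_POST"}, "last_reviewed": date(2024, 2, 10)},
    {"user": "dee", "employee_id": "e103", "enabled": False,         # disabled: skipped
     "roles": {"GL_POST"}, "last_reviewed": date(2023, 1, 1)},
]

# Assumed SoD matrix: role pairs that one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}),
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
}

REVIEW_WINDOW = timedelta(days=90)   # assumed re-certification frequency
AS_OF = date(2024, 3, 1)             # assumed review date


def review_access(hr, users, sod, as_of, window=REVIEW_WINDOW):
    """Return a list of (user, finding_type, detail) exceptions."""
    findings = []
    for u in users:
        if not u["enabled"]:
            continue  # a disabled account grants no access; re-enablement is a separate control
        emp = hr.get(u["employee_id"]) if u["employee_id"] else None
        if emp is None:
            findings.append((u["user"], "no_hr_owner",
                             "enabled account not tied to a current employee record"))
        elif emp["status"] == "terminated":
            days = (as_of - emp["termination_date"]).days
            findings.append((u["user"], "leaver_still_enabled",
                             f"terminated {days} days ago, account still enabled"))
        if as_of - u["last_reviewed"] > window:
            findings.append((u["user"], "review_overdue",
                             f"last re-certified {u['last_reviewed']}"))
        for pair in sod:
            if pair <= u["roles"]:   # user holds every role in the conflicting pair
                findings.append((u["user"], "sod_conflict", " + ".join(sorted(pair))))
    return findings


def run_review():
    """Run the review over the constructed data as of AS_OF."""
    return review_access(HR_ROSTER, APP_USERS, SOD_CONFLICTS, AS_OF)


if __name__ == "__main__":
    for user, kind, detail in run_review():
        print(f"{user:<10} {kind:<22} {detail}")
```

The review is only as good as its inputs: the HR roster must be the system of record for employment status, and the application export must include service accounts, since those are the accounts that most often have no owner and never get re-certified.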

2. Program Changes

AAFCPAs provides guidance to clients on identifying and addressing risks related to program changes: changes should be authorized, tested and approved, and migration into production should be restricted to properly authorized staff who are independent of those who developed the changes.

To address these risks, AAFCPAs assesses controls related to three objectives:

  1. We determine if controls are in place to ensure that any changes to the systems/applications providing control over financial reporting or sensitive data have been properly authorized by an appropriate level of management.
  2. We determine if controls are in place to ensure that changes to applications and systems used during the financial reporting process—or which process or store sensitive data—are tested, validated, and approved prior to being placed into production.
  3. We determine if controls are in place to restrict access for migrating changes into the production environment for systems and applications used during the financial reporting process—or which process or store sensitive data.
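The three objectives above are commonly tested by tracing every production deployment back to its change record. The Python below is an added example of that reconciliation; it is not AAFCPAs' tooling, and the ticket fields, the management approver list, the authorized deployer list, and the sample tickets and deployment log are constructed assumptions for illustration.

```python
"""Added example: testing change-management controls (not AAFCPAs' own tooling).

Every production deployment must trace to a change ticket that was
  (1) authorized by someone on the assumed management approver list,
  (2) tested and signed off before the deployment time, and
  (3) migrated by someone on the assumed deployer list who is not the
      developer of the change.
Ticket fields, names, timestamps and the sample records are assumptions.
"""
from datetime import datetime

MANAGEMENT_APPROVERS = {"cfo.it", "it.director"}      # assumed
AUTHORIZED_DEPLOYERS = {"release.mgr", "ops.lead"}     # assumed

# Constructed sample data: change tickets keyed by ticket id.
CHANGE_TICKETS = {
    "CHG-1": {"developer": "dev.a", "approved_by": "it.director",
              "tested_at": datetime(2024, 3, 4, 15, 0), "test_signoff": "fin.user"},
    "CHG-2": {"developer": "dev.b", "approved_by": "dev.b",        # self-approved
              "tested_at": datetime(2024, 3, 5, 9, 0), "test_signoff": "fin.user"},
    "CHG-3": {"developer": "dev.c", "approved_by": "it.director",
              "tested_at": None, "test_signoff": None},             # never tested
    "CHG-4": {"developer": "dev.a", "approved_by": "cfo.it",
              "tested_at": datetime(2024, 3, 7, 12, 0), "test_signoff": "fin.user"},
}

# Constructed sample data: production deployment log.
DEPLOY_LOG = [
    {"deployed_at": datetime(2024, 3, 5, 8, 0),  "by": "release.mgr", "ticket": "CHG-1"},
    {"deployed_at": datetime(2024, 3, 5, 10, 0), "by": "release.mgr", "ticket": "CHG-2"},
    {"deployed_at": datetime(2024, 3, 6, 11, 0), "by": "ops.lead",    "ticket": "CHG-3"},
    # developer pushed own change, before the test sign-off timestamp
    {"deployed_at": datetime(2024, 3, 7, 9, 0),  "by": "dev.a",       "ticket": "CHG-4"},
    {"deployed_at": datetime(2024, 3, 8, 9, 0),  "by": "ops.lead",    "ticket": None},
]


def check_change_control(deploys, tickets, approvers, deployers):
    """Return a list of (ticket_id_or_None, exception_type) for each control failure."""
    exceptions = []
    for d in deploys:
        tid = d["ticket"]
        t = tickets.get(tid) if tid else None
        if t is None:
            exceptions.append((tid, "no_change_ticket"))
            continue
        if t["approved_by"] not in approvers:
            exceptions.append((tid, "not_management_approved"))
        tested_before_deploy = (t["tested_at"] is not None
                                and t["test_signoff"] is not None
                                and t["tested_at"] <= d["deployed_at"])
        if not tested_before_deploy:
            exceptions.append((tid, "untested_or_tested_after_deploy"))
        if d["by"] not in deployers:
            exceptions.append((tid, "deployer_not_authorized"))
        if d["by"] == t["developer"]:
            exceptions.append((tid, "developer_deployed_own_change"))
    return exceptions


def run_check():
    """Run the reconciliation over the constructed data."""
    return check_change_control(DEPLOY_LOG, CHANGE_TICKETS,
                                MANAGEMENT_APPROVERS, AUTHORIZED_DEPLOYERS)


if __name__ == "__main__":
    for tid, kind in run_check():
        print(f"{tid or '<no ticket>':<12} {kind}")
```

The deployment log has to come from the production system itself (a deployment tool's audit trail or the server's change history), not from the ticketing system, or the check cannot detect changes that bypassed the ticket process entirely.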

3. Program Development

AAFCPAs provides guidance to clients on addressing risks related to program development initiatives, to ensure they are authorized, tested and approved, and that data migrated to the new system retains its integrity.

To address these risks, AAFCPAs assesses controls related to four objectives:

  1. We determine if management has controls in place to ensure that new program and infrastructure development projects and acquisitions have been approved by an appropriate level of both IT and business management.
  2. We determine if management has controls in place to ensure that an adequate program development methodology is in place and is followed for the development or acquisition of systems/applications used during the financial reporting process.
  3. We determine if management has controls in place to ensure there is adequate testing for the development or acquisition of systems/applications used during the financial reporting process, and that testing is signed off by the users and by an appropriate level of both IT and business management.
  4. We determine if management has controls in place to ensure that data migrated to the new application or system used during the financial reporting process retains its integrity.

4. Computer Operations

AAFCPAs provides guidance to clients on the risks associated with computer operations. This includes ensuring that batch jobs are controlled, that data is available when needed, and that end-user computing tools such as Excel spreadsheets or report-writing tools are governed by the same ITGCs as the applications that feed them.

To address these risks, AAFCPAs assesses controls related to five objectives:

  1. We determine if management has implemented procedures to ensure accuracy, completeness, and timely processing of system jobs, including batch jobs and interfaces, for relevant financial reporting applications or data.
  2. We determine if management has implemented appropriate backup and recovery procedures so that data, transactions, and programs that are necessary for financial reporting can be recovered.
  3. We determine if effective procedures exist and are followed to periodically test the effectiveness of the restoration process and the quality of backup media relevant to systems and applications used during the financial reporting process.
  4. We determine if appropriate controls are in place over the backup media for systems and applications used during the financial reporting process. This includes ensuring that only authorized people have access to tapes and tape storage, or to the electronic storage systems that hold backups.
  5. We determine if management has implemented appropriate policies and procedures to ensure ITGCs are properly applied to the end-user computing environment.

5. Network Security

AAFCPAs provides guidance to clients on reducing the exposure of IT systems to attack or penetration.

To address these risks, AAFCPAs determines if management has implemented safeguards to prevent access to systems and data by unauthorized parties. Such safeguards may include firewalls and firewall patch management, network segmentation, intrusion prevention and detection, minimum requirements for devices connecting to the network, vulnerability assessments or penetration tests, wireless encryption, and network monitoring.

Your best line of defense in protecting your organization from risks associated with the failure of ITGCs (and failure of a SOX audit) is to annually test the design, implementation, and operating effectiveness of your controls.

AAFCPAs evaluates clients’ ITGCs in order to provide assurance over the security, confidentiality, processing integrity, and availability of data. Our evaluations identify and, where needed, document each control, test its design and, where desired, assess its operating effectiveness. AAFCPAs provides management reporting on all findings, the associated risks, and recommendations for improvement and implementation.

If you have any questions, please contact James Jumes, MBA, M.Ed. at 774.512.4062, jjumes@aafcpa.com; Vassilis Kontoglis at 774.512.4069, vkontoglis@aafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and SOC 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams in reviewing SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST, for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Vassilis Kontoglis
Vassilis is a highly skilled IT professional with proven expertise in business process improvement and change management, information systems gap analyses, cyber security and IT risk assessments, systems selection and implementation, IT auditing, and special attestation reporting (SSAE 18 and SOC 2). Vassilis performs comprehensive and thorough reviews of technology systems and environments, and advises clients on how to use technology to best achieve business goals and objectives. He elicits input from stakeholders at all levels of the organizational hierarchy in order to thoroughly evaluate business performance across functional boundaries. He analyzes current and potential business and IT processes to identify clear opportunities for improvement, which may include streamlining and automation, productivity increases, strategic alignment and cost reductions.