How IT Controls Keep Your Systems and Data Safe

Posted on December 18, 2025December 18, 2025

During AAFCPAs’ recent webinar, Understanding Your ITGCs: Why They Matter and How to Strengthen Them (November 2025), Lisa Whittemore, CFE, CRMA, MBA and Vassilis Kontoglis presented a practical framework for assessing, strengthening, and monitoring IT general controls to protect data, ensure operational continuity, and support regulatory compliance.

The full session was recorded and may be viewed as a webcast at your convenience.

A single misstep in IT General Controls (ITGCs) can derail a company’s operations. One overlooked permission, one unsupervised system update, one missed backup, or a click on a link from a phishing email can ripple across finance, operations, and compliance, creating gaps that criminals—or an intentional inside job—can exploit. The stakes are high, and the costs of inaction are real.

Strong ITGCs are the quiet guardians of business continuity. They do more than satisfy auditors or meet regulatory checklists. They protect sensitive data, maintain trust with partners and clients, and ensure operations keep running even when unexpected disruptions hit. Companies that approach ITGCs with foresight and discipline reduce risk and are better able to respond quickly when threats emerge.

How IT General Controls Safeguard Business Operations

Operational disruptions often begin in unexpected places—an unapproved system change, an overlooked configuration, or unauthorized access. IT general controls serve as a framework to prevent these vulnerabilities from affecting critical processes. Rather than reacting to issues after they occur, ITGCs establish a disciplined environment that safeguards systems, data, and organizational integrity, reducing the risk of an incident.

ITGCs focus on multiple pillars: system access, change management, program development, computer operations, and network security.

Access controls ensure only authorized individuals can reach sensitive systems or information.
Change management tracks and validates updates to applications and infrastructure, reducing the risk of errors or unauthorized modifications.
Program development tracks and validates whether updates to system development and acquisitions have been appropriately approved, developed, and tested.
Computer operations ensure appropriate controls are in place for system backups including frequency, retention, and recovery testing of such backups.
Network security validates the correct use of secure authentication protocols along with wireless and network security.

Consider a scenario where the least privilege access principle into a financial system is not implemented. That translates into personnel having too much access including both the AR and AP modules which, in turn, allows for a break into the segregation of duties model allowing for an elevated risk of fraud. With robust IT general controls, the mistake would be identified and corrected before it escalates, preserving accuracy and operational confidence.

Practical Steps to Strengthen IT Controls

Building stronger IT general controls begins with a clear understanding of current systems and processes. Organizations may start with an assessment to identify gaps, outdated procedures, or areas of risk. This baseline provides the insight needed to prioritize improvements and allocate resources effectively.

Access management is often the first area to address. Regularly reviewing user accounts, adjusting permissions to match roles, and promptly removing access for departing team members reduces the risk of unauthorized activity. Multi-factor authentication and strong password policies further reinforce security without disrupting workflow.

Change management benefits from formalized processes. Documenting proposed system updates, requiring approvals, and maintaining version histories ensure changes are deliberate and traceable. Testing changes in controlled environments before deployment helps prevent unintended disruptions.

Program development is the backbone of how internal projects progress through the system development lifecycle. But it doesn’t stop there. It also encompasses new system acquisitions and their ripple effects on existing environments, including data migrations and extended support requirements. In short, program development ensures that every change, whether internal or external, is seamlessly integrated without disrupting business continuity.

Operational controls rely on continuous monitoring and documentation. Routine system audits, automated alerts for anomalies, and consistent backup verification allow organizations to detect issues early and respond quickly. Establishing clear responsibilities for IT oversight ensures accountability and reinforces adherence to policies.

Network security may be the last pillar on our list, but it is by no means the least important. In fact, it demands your highest level of attention because it remains one of the most relentlessly targeted areas by cybercriminals. Threat actors are constantly probing for weaknesses, and new vulnerabilities emerge almost every week. This makes network security a fast-moving target, one you must actively control and monitor to safeguard your organization’s integrity and resilience.

Ultimately, strengthening IT general controls is a combination of disciplined processes, vigilant monitoring, and an organizational culture that values operational integrity. Companies that treat IT controls as a strategic priority reduce risk, safeguard sensitive data, and maintain the confidence of clients, partners, and regulators.

How We Help

AAFCPAs helps organizations turn IT general controls into practical safeguards that protect data, support business continuity, and reduce operational risk. Our risk and cybersecurity advisory team works with leadership to assess vulnerabilities, prioritize remediation, and integrate risk awareness into daily processes. We combine expertise in IT governance, internal controls, cybersecurity, compliance, and operational resilience to design controls that are effective, scalable, and aligned with organizational goals. Whether reviewing access permissions, formalizing change management, validating backup and recovery protocols, or strengthening broader enterprise risk management, our solutions reflect your risk profile and regulatory obligations. We also support audits and compliance requirements, including SOX, HIPAA, and ISO 27001 readiness, providing clarity, accountability, and actionable insight. By building practical frameworks that strengthen IT controls, AAFCPAs helps organizations operate efficiently, maintain reliable data, respond quickly to threats, and sustain the confidence of clients, partners, and regulators.

These insights were contributed by Lisa Whittemore, CFE, CRMA, MBA, Partner, Risk Advisory and Vassilis Kontoglis, Partner, AI Digital Transformation & Security.

Questions? Reach out to our authors directly or your AAFCPAs partner.

AAFCPAs offers a wealth of resources on managing risk and strengthening controls. Subscribe to get alerts and insights in your inbox.

About the Authors

Lisa Whittemore, CFE, CRMA, MBA

Lisa specializes in governance, risk, and compliance, drawing on her internal audit, enterprise risk management, and assurance experience within multi-billion-dollar global organizations. She partners with clients to strengthen internal controls, optimize processes, and navigate complex risk and regulatory environments. At AAFCPAs, Lisa leads Sarbanes-Oxley (SOX) 404 readiness and compliance, solutions in fraud and forensic accounting, litigation support and expert witness services--all while supporting internal audit and controls. She advises companies on the design and implementation of …

Vassilis Kontoglis

Vassilis brings more than 30 years of experience delivering business intelligence, productivity, information risk and change management, automation, dashboarding, and cybersecurity solutions. He leads enterprise AI strategy, guiding planning and implementation across organizations while establishing governance frameworks aligned with regulatory and operational requirements. He serves as a critical resource in helping clients navigate emerging technologies, applying strategy and governance to achieve measurable business outcomes while managing associated risks. Vassilis guides organizations through each stage of digital …

Related Insights

Carla McCall Featured in FM Magazine on Finance Roles in Cybersecurity

FM Magazine Report: 5 emerging business cyberthreats — and how to combat them FM Magazine (October 2025) – From deepfakes to payment fraud, companies are at risk of increasingly complex cyberthreats—with finance taking a leading role in mitigating risks. Carla McCall, CPA, CGMA, Managing Partner of AAFCPAs, contributed insights into five emerging business cyberthreats and […]

Watch Understanding Your ITGCs: Why They Matter and How to Strengthen Them

IT General Controls (ITGCs) are under increasing scrutiny—and the consequences of failure are growing. CEOs, CFOs, and Boards are often blindsided by assessment findings, risk exceptions, and regulatory pressure tied to weak or outdated IT controls. These issues aren’t just technical—they’re strategic, with real implications for financial integrity, compliance, and reputation. In this webinar, we […]

Take Action to Protect Your Organization During Cybersecurity Awareness Month

October marks Cybersecurity Awareness Month, a time to reflect on the safeguards that protect our organizations, communities, and critical systems. While cyber threats exist year-round, this month serves as a reminder to take concrete steps to reduce vulnerabilities and strengthen resilience. Every business, nonprofit, and mission-driven organization relies on systems and processes that must operate […]