The mystery surrounding IT General Controls: which are they?

Does your accountant also talk about generic IT controls, or IT General Controls (ITGCs), that they want to assess? If you want to know which framework is used, or if you ask for a list of the IT controls, an answer is hard to find. It appears to be a secret list that every IT auditor and many accountants know, but what it contains and how it is assessed remains unknown. The International Federation of Accountants (IFAC) reveals the secrets surrounding the ITGCs.

What are the IT General Controls for?

ITGCs are generic IT controls used to determine the reliability of IT systems. Are these the systems that matter to the business? Not always, because they are mainly the systems that matter to the accountant. Can you state that your IT systems are secure and that IT is in order if you pass the IT audit unscathed? No, it is not that simple either.

ITGCs are controls that the IT auditor deems relevant in the IT management process, covering the most important risks: the risks related to the annual financial statements. These include risks such as unauthorized access to data, which can lead to incorrect data, including non-existent transactions that end up in financial reporting. They also include risks related to conflicts in segregation of duties, risks related to the implementation of changes in the IT system, and risks related to the availability of data. It is undesirable that automated posting processes suddenly run differently, or that data cannot be recovered because backup and recovery controls are lacking. In conclusion, ITGCs are generic IT controls that the IT auditor or accountant identifies in order to understand whether the important risks in the IT systems are being managed in the context of the annual financial statements.

Which controls should be implemented?

The IFAC has compiled a list of example generic IT controls that the auditor may consider when determining the ITGCs (Annex 6; ISA 315; IFAC). It is not a ready-made list of controls that you should implement. That sounds vague, but this list is a guideline that accountants and IT auditors often use. These controls/ITGCs can be found at all accountancy firms (such as Deloitte, which wrote a paper on this), but auditors should always have the freedom to look for additional controls when they map the risks in the context of the annual financial statement audit. The controls mentioned in International Standard on Auditing 315 form the basis that is always examined (see figure 1). These controls are usually tested at the application level, but a subset of them is also tested at the database, operating system, and network level.

Figure 1 – Example processes, risks, and IT General Controls, taken from Annex 6; ISA 315; IFAC

This list of controls thus serves as a good basis for the accountant. Auditors often check whether the controls the client has implemented match this list, and they leave controls untested when those controls do not cover a risk that is relevant to the annual financial statement audit. So it is not a standard prescribed list, and every auditor has their own variation on it. Nevertheless, it is very handy to use and exactly the kind of guideline that IT auditors and accountants are looking for!

Are ITGCs of any use to you?

The IT audit in the context of the annual financial statement audit, in which ITGCs are tested, is particularly relevant for the auditor. It can be said that this set of controls forms a basis for the reliability of the IT environment. Applying these controls to the entire IT environment is therefore highly recommended. Of course, there are more extensive frameworks to help get information security in order, such as ISO 27001/27002, and COBIT for managing the overall IT environment.