
Saturday 28 May 2016

IT controls

Information technology controls

IT controls are specific activities, performed by people or by systems, that provide reasonable assurance that business objectives are met. IT control objectives tie in to the core tenets of IT security, namely the confidentiality, integrity and availability of data, and so serve as a valuable tool for the IT management of any enterprise. IT controls fall into two categories: IT general controls (ITGC) and IT application controls. ITGC cover the Information Technology (IT) environment as a whole: computer operations, access to programmes and data, programme development and programme changes. IT application controls check the processing of individual transactions, verifying that input, processing and output are complete and accurate.


IT General Controls (ITGC)

ITGC underpin the reliability of data generated by IT systems: if the environment in which applications run is not controlled, neither their operation nor their output can be relied upon. The following types of control are common for ITGC:

Control environment - controls designed to shape the corporate culture or "tone at the top."
Change management procedures - controls designed to ensure the changes meet business requirements and are authorised.
Source code/document version control procedures - controls designed to protect the integrity of programme code
Software development life cycle standards - controls designed to ensure IT projects are effectively managed.
Logical access policies, standards and processes - controls designed to manage access based on business need.
Incident management policies and procedures - controls designed to address operational processing errors.
Problem management policies and procedures - controls designed to identify and address the root cause of incidents.
Technical support policies and procedures - policies to help users perform more efficiently and report problems.
Hardware/software maintenance - configuration, installation, testing, management standards, policies and procedures.
Disaster recovery/backup and recovery procedures - to enable continued processing despite adverse conditions.
Physical security - controls to ensure the physical security of information technology from individuals and from environmental risks.



IT application controls

Application controls are automated checks built into an application itself (in contrast to ITGC, which govern the environment around it), designed to ensure that data are processed completely and accurately from input through output, and that data in transit remain private and secure. IT application controls may include the following:

Completeness checks - controls that ensure all records were processed from initiation to completion.
Validity checks - controls that ensure only valid data is input or processed.
Identification - controls that ensure all users are uniquely and irrefutably identified.
Authentication - controls that provide an authentication mechanism in the application system.
Authorisation - controls that ensure only approved business users have access to the application system.
Input controls - controls that ensure data integrity fed from upstream sources into the application system.
Forensic controls - controls that verify the logical accuracy of data based on input and output checksums.
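The checks in the list above are easiest to see as code. The following is an added example, not code from the original page: it runs a constructed batch feed through a completeness control (record count and hash total carried in a trailer record), per-record validity and input controls, an output checksum, and an input/output reconciliation of the kind the list calls a forensic control. The record layout, the trailer convention and the "GBP only" rule are assumptions made for the example.

```python
"""Application controls over a constructed batch feed (added example, not the
page's own code). Layout assumed: one header row, detail rows, one trailer row
carrying the record count and a hash total of the amounts.
"""
import csv
import hashlib
import io
from decimal import Decimal, InvalidOperation

# Constructed sample batch (not real data): header, details, trailer.
GOOD_BATCH = """\
H,PAYROLL,2016-05-28
D,1001,ACC-4411,125.50,GBP
D,1002,ACC-0032,-40.00,GBP
D,1003,ACC-9921,300.25,USD
D,1004,ACC-4411,19.99,GBP
T,4,405.74
"""
# Same batch with one detail record lost in transit: count no longer matches.
TRUNCATED_BATCH = GOOD_BATCH.replace("D,1004,ACC-4411,19.99,GBP\n", "")
# Same batch with two digits transposed in an amount: count matches, total does not.
TAMPERED_BATCH = GOOD_BATCH.replace("125.50", "152.50")

PERMITTED_CURRENCIES = {"GBP"}   # assumption: this system posts GBP only


def validate_detail(fields):
    """Validity and input controls for one detail record.

    Returns (amount, None) if the record is acceptable, otherwise
    (amount or None, reason). The amount is returned even for rejected
    records so the caller can still reconcile the batch totals.
    """
    if len(fields) != 5:
        return None, "wrong field count"
    _, txn_id, account, amount_s, currency = fields
    try:
        amount = Decimal(amount_s)
    except InvalidOperation:
        return None, "amount not numeric"
    if not txn_id.isdigit():
        return amount, "transaction id not numeric"
    if not account.startswith("ACC-") or len(account) != 8:
        return amount, "malformed account reference"
    if amount <= 0:
        return amount, "amount not positive"
    if currency not in PERMITTED_CURRENCIES:
        return amount, "currency not permitted"
    return amount, None


def sha256_of(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def process_batch(text):
    """Run one batch through the controls and return the outcome."""
    out = {"accepted": [], "rejected": [], "errors": [],
           "input_sha256": sha256_of(text), "output_sha256": None,
           "complete": False, "reconciled": False}
    rows = list(csv.reader(io.StringIO(text)))
    if len(rows) < 2 or not rows[0] or not rows[-1] \
            or rows[0][0] != "H" or rows[-1][0] != "T":
        out["errors"].append("missing header or trailer record")
        return out
    details, trailer = rows[1:-1], rows[-1]
    try:
        declared_count, declared_total = int(trailer[1]), Decimal(trailer[2])
    except (IndexError, ValueError, InvalidOperation):
        out["errors"].append("unreadable trailer record")
        return out
    # Completeness control: every record sent must be present and the hash
    # total over all amounts (accepted or rejected) must match the trailer.
    seen_total = posted_total = rejected_total = Decimal("0")
    for fields in details:
        amount, reason = validate_detail(fields)
        if amount is not None:
            seen_total += amount
        if reason is None:
            out["accepted"].append(fields)
            posted_total += amount
        else:
            out["rejected"].append((fields, reason))
            if amount is not None:
                rejected_total += amount
    out["complete"] = (len(details) == declared_count
                       and seen_total == declared_total)
    if not out["complete"]:
        out["errors"].append(
            f"completeness failure: {len(details)} records totalling "
            f"{seen_total}, trailer declares {declared_count}/{declared_total}")
        return out   # post nothing from an incomplete or altered batch
    # Output control: checksum over exactly what was posted, so a reviewer can
    # later tie this output back to this input.
    posted = "".join(",".join(f) + "\n" for f in out["accepted"])
    out["output_sha256"] = sha256_of(posted)
    # Forensic reconciliation: posted plus rejected must equal the input total.
    out["reconciled"] = posted_total + rejected_total == declared_total
    return out


if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("truncated", TRUNCATED_BATCH),
                        ("tampered", TAMPERED_BATCH)):
        r = process_batch(batch)
        print(name, "complete:", r["complete"], "reconciled:", r["reconciled"],
              "accepted:", len(r["accepted"]),
              "rejected:", [why for _, why in r["rejected"]], r["errors"])
```

Note the order of the controls: nothing is posted until the completeness check passes, and a record that fails validity is still counted towards the hash total, so a rejected record can never make an otherwise complete batch look short. The truncated and tampered variants both fail at the completeness stage, which is what a control total is for: the count alone would not catch the transposed digits.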

IT controls and the CIO/CISO
The organisation's Chief Information Officer (CIO) or Chief Information Security Officer (CISO) is typically responsible for the security, accuracy and the reliability of the systems that manage and report all the company's data.

Internal control frameworks
COBIT (Control Objectives for Information and Related Technologies)
COBIT is a common framework of best practices for both IT general and application controls. Its premise is that IT processes satisfy business requirements through specific IT control activities, and that those processes are measured and evaluated. The four major domains of COBIT 4.1 are: plan and organise, acquire and implement, deliver and support, and monitor and evaluate.
Another common framework is COSO (Committee of Sponsoring Organizations of the Treadway Commission), whose internal control model has five components: control environment, risk assessment, control activities, information and communication, and monitoring.
