
Understanding ITGC Fundamentals

The document discusses IT general controls and provides information on key areas like user access management, change management, and program management. It defines what IT general controls are and explains why they are important for ensuring control and compliance in IT environments.

Uploaded by vidyaravi30

Understanding ITGC Fundamentals
Ensuring Control and Compliance in IT Environments
Introduction
• What are IT General Controls?
IT General Controls (ITGC), or General Computer Controls (GCC), are controls which relate
to the environment that supports IT applications.
The appropriateness and effectiveness of ITGCs therefore impact all the organisation's
IT applications.
• IT general controls are policies and procedures that:
  • Support application controls and IT components of manual controls
  • Have a pervasive impact on controls at the application level
  • Can relate to multiple applications
  • Operate centrally or in multiple locations
  • Support automated controls within applications

Classified: RMG – Internal


Importance of ITGC

• Effective ITGC can improve the reliability and accuracy of financial reporting and
reduce the risk of fraud.
• Organisations are increasingly dependent on IT and have increasingly complex
operational and financial IT systems.
• IT General Controls have an impact on the controls over all financial IT systems.
• Effectiveness and efficiency of information management
• Reliability of information assets
• Compliance with applicable legal, regulatory and business requirements
• IT controls can have implications over manual as well as automated controls.



Objectives of ITGC
• Ensuring the effectiveness and
efficiency of IT operations
• Safeguarding assets
• Ensuring data integrity
• Maintaining confidentiality

Types of ITGC
• User Access Management
• Change Management
• Program Management
• Computer Operations



ITGC Audit

• An ITGC framework helps organizations organize and categorize applicable
IT general controls.
• This not only ensures that the right controls are in place, but also prepares
organizations for audits.



User Access Management
Definition:
User Management in ITGC refers to the processes and
controls implemented to manage the lifecycle of user
accounts and access rights within an organization's IT
systems.
Key components:
• User Provisioning
• User Authentication
• User Authorization
• Password Management
• User Role Management
• User Access Reviews



Importance in Preventing Unauthorized Access

Purpose:
1. Access Control: Ensure that only authorized individuals have access to the
organization's systems and data.
2. Security: Protect sensitive information from unauthorized access, modification, or
disclosure.
3. Compliance: Enforce regulatory requirements and internal policies related to user
access and data protection.
4. Efficiency: Streamline user provisioning, modification, and deprovisioning processes
to improve operational efficiency.
5. Risk Management: Mitigate the risk of security breaches, data breaches, and fraud by
managing user access effectively.



Implementation of Best Practices
1. Segregation of Duties (SoD): Ensure separation of duties to prevent conflicts of
interest and reduce the risk of fraud.
2. Least Privilege: Grant users only the access rights necessary to perform their job
functions, minimizing the risk of unauthorized access.
3. Strong Authentication: Implement multi-factor authentication (MFA) or other strong
authentication methods to enhance security.
4. Regular Access Reviews: Conduct periodic reviews of user access rights to ensure
alignment with business needs and security policies.
5. Automated Provisioning and Deprovisioning: Use automated tools and workflows to
streamline user account provisioning and deprovisioning processes.
6. Auditing and Monitoring: Monitor user activity logs and audit trails to detect and
respond to unauthorized access attempts or suspicious behavior.



Change Management

Definition:
Change Management refers to the structured approach for
managing changes to IT systems, applications, infrastructure,
or processes in a controlled and systematic manner.
Unauthorised amendments to systems or programs may result
in attacks (e.g. denial of service) or fraudulent activities.
Objective:
The objective is to have robust program change management
controls to ensure all changes to systems and applications are
authorised, tested, documented and approved.



Key components

1. Request Submission: Formal process for requesting changes, including documentation of the
change request details such as the nature of the change, its scope, and potential impacts.
2. Assessment and Approval: Evaluation of change requests to assess their feasibility, risks,
and alignment with business objectives. Approval by appropriate stakeholders based on
predefined criteria.
3. Planning and Testing: Development of a comprehensive plan for implementing the change,
including testing procedures to verify its effectiveness and identify any potential issues.
4. Implementation: Execution of the change according to the approved plan, with careful
monitoring to ensure that it is carried out smoothly and according to schedule.
5. Review and Documentation: Post-implementation review to evaluate the success of the
change and document any lessons learned or improvements needed for future changes.



Importance in Managing Changes to IT Systems
Purpose:
• Improved Stability and Reliability: Minimize the risk of disruptions or failures caused by
poorly managed changes.
• Enhanced Security and Compliance: Ensure that changes do not introduce vulnerabilities or
compliance violations.
• Increased Agility: Enable the organization to adapt to evolving business needs and
technological advancements more effectively.
• Greater Confidence: Build trust among stakeholders by demonstrating a disciplined and
transparent approach to managing changes.

Change Management is a critical process within ITGC that helps organizations balance the need for
innovation and improvement with the imperative to maintain stability, security, and compliance.



Implementation of Best Practices

• Establish Clear Policies and Procedures
• Implement a Change Advisory Board (CAB)
• Prioritize Changes Based on Impact and Risk
• Conduct Rigorous Testing and Validation
• Communicate Effectively
• Implement Rollback Plans
• Monitor and Measure Change Performance
• Foster a Culture of Continuous Improvement



Program Management
Definition:
Progress Management refers to the systematic process of tracking, monitoring, and reporting
on the advancement of IT initiatives, projects, or tasks to ensure they meet predefined
objectives and timelines.
Key components:
• Project planning: Defining project scope, objectives, deliverables, and timelines, as well
as identifying resources and establishing a comprehensive project plan.
• Execution: Implementation of the project plan to accomplish project objectives and
deliverables.
• Monitoring: Tracking project progress, performance, and compliance with the project
plan, and identifying and assessing any deviations or variances.
• Control: Corrective actions to address deviations from the project plan, managing
changes, and ensuring project objectives are met within scope, schedule, and budget
constraints.



Importance in Aligning IT Initiatives with Business Objectives

Purpose:
1. Tracking Milestones: Progress Management enables the tracking of key milestones and
deliverables throughout the lifecycle of IT projects, ensuring alignment with project
timelines and objectives.
2. Resource Allocation: It facilitates effective resource allocation by providing insights into
resource utilization, identifying potential bottlenecks, and optimizing resource allocation
to enhance project efficiency.
3. Risk Management: By monitoring progress, organizations can identify and address
potential risks or issues early in the project lifecycle, minimizing the impact on project
timelines and outcomes.
4. Communication and Transparency: Progress Management promotes effective
communication and transparency by providing stakeholders with timely updates on
project status, enabling informed decision-making and fostering stakeholder engagement.



Implementation of Best Practices
• Define clear project objectives, scope, and deliverables during the planning phase.
• Establish effective communication channels and project governance structures.
• Utilize project management tools and techniques for planning, scheduling, and
monitoring.
• Regularly review project progress and performance metrics to identify areas for
improvement.
• Implement change control processes to manage scope changes and minimize project
risks.



Computer Operations
Definition:
Computer Operations ITGC refers to the set of controls and
processes implemented to ensure the efficient, secure, and reliable
operation of computer systems and infrastructure within an
organization's IT environment.
Key components:
• Batch Processing: Execution of a series of computer programs
or tasks in a predefined sequence without user intervention.
• Job Scheduling: Process of coordinating and managing the
execution of computer jobs or tasks within an IT environment.
• Monitoring: Monitoring involves the continuous observation
and analysis of IT systems, infrastructure, and applications to
detect and address performance issues, security threats, and
compliance deviations.



Purpose
1. Ensure Availability: Computer Operations ITGC aims to ensure that IT systems and services are available when needed by
the organization. This involves maintaining uptime, minimizing downtime, and quickly restoring services in case of
disruptions.
2. Optimize Performance: It focuses on optimizing the performance of IT systems and infrastructure to meet business
requirements. This includes monitoring system performance, capacity planning, and implementing performance tuning
measures.
3. Ensure Data Integrity: Computer Operations ITGC is responsible for ensuring the integrity of data processed and stored
within IT systems. This involves implementing controls to prevent data corruption, loss, or unauthorized access.
4. Enforce Security Measures: It includes implementing security measures to protect IT systems and infrastructure from
unauthorized access, malware, and other security threats.
5. Compliance with Policies and Standards: Computer Operations ITGC ensures compliance with internal policies, industry
standards, and regulatory requirements governing IT operations. This includes adhering to best practices, conducting regular
audits, and documenting procedures.
6. Support Business Continuity: It plays a critical role in supporting business continuity and disaster recovery efforts. This
involves implementing backup and recovery procedures, maintaining redundant systems, and testing disaster recovery plans
regularly.
7. Facilitate Incident Management: Computer Operations ITGC helps in the detection, reporting, and resolution of IT
incidents and service disruptions. This includes establishing incident management processes, conducting root cause
analysis, and implementing corrective actions.
Ensuring Smooth and Efficient IT Operations

• Job Scheduling and Automation: Implement a centralized job scheduling system to
automate routine tasks, batch processing, and system maintenance activities.
• Monitoring and Alerting: Monitoring involves the continuous observation and
analysis of IT systems, infrastructure, and applications to detect and address
performance issues, security threats, and compliance deviations.
• Incident and Problem Management: Establish formal incident and problem
management processes to effectively respond to and resolve IT incidents and service
disruptions.
• Backup and Recovery: Implement regular backup procedures to protect critical data
and system configurations.
• Access Controls: Enforce strict access controls to limit privileges and permissions
based on the principle of least privilege.



Implementation of Best Practices

• Establish Clear Policies and Procedures
• Implement a Change Advisory Board (CAB)
• Prioritize Changes Based on Impact and Risk
• Conduct Rigorous Testing and Validation
• Communicate Effectively
• Implement Rollback Plans
• Monitor and Measure Change Performance
• Foster a Culture of Continuous Improvement



ITGC Implementation Challenges

• Lack of Awareness
• Resource Constraints
• Complexity of IT Environments
• Resistance to Change



Best Practices for ITGC Implementation

• Executive Leadership and Support
• Comprehensive Risk Assessment
• Regular Monitoring and Testing
• Continuous Improvement



Quiz
• Question 1:
What does ITGC stand for?
a) Information Technology General Certification
b) Integrated Technology Governance Controls
c) Information Technology General Controls
d) Internal Technology Governance Criteria
• Question 2:
Which of the following is an example of an ITGC?
a) Employee training programs
b) Firewall configuration
c) Marketing strategies
d) Office layout design
• Question 3:
Why are ITGCs important?
a) To increase sales revenue
b) To ensure compliance with legal regulations
c) To improve customer service
d) To reduce employee turnover



Quiz
• Question 4:
Which ITGC is primarily concerned with preventing unauthorized access to systems and
data?
a) Access Controls
b) Change Management
c) Program Management
d) Computer Operations
• Question 5:
What is the purpose of Change Management controls in ITGC?
a) To manage changes to IT systems
b) To improve employee morale
c) To increase shareholder value
d) To reduce marketing expenses
• Question 6:
Which ITGC involves ensuring the smooth and efficient operation of IT systems?
a) Access Controls
b) Change Management
c) Program Management
d) Computer Operations



Quiz
• Question 7:
Which of the following is a best practice for ITGC implementation?
a) Ignoring industry standards and regulations
b) Conducting regular monitoring and testing
c) Allowing unauthorized access to sensitive data
d) Avoiding documentation of IT procedures
• Question 8:
Which ITGC involves managing schedules, backups, and system monitoring?
a) Access Controls
b) Change Management
c) Program Management
d) Computer Operations
• Question 9:
What is the primary goal of ITGCs related to User Access Management?
a) To maximize system performance
b) To ensure the availability of IT resources
c) To prevent unauthorized access to systems and data
d) To streamline administrative processes
