IT general controls (ITGCs) refer to the foundational controls that apply across an organization's IT environment to ensure the integrity, security, and reliability of information systems. They support the proper development and functioning of application controls and help ensure the overall control environment is sound.
These controls are broad in their scope and affect all systems and users across the organization. They typically include policies, procedures, and activities related to system access, operations, change management, and data backup.
ITGCs form the baseline of internal control in IT systems. Without them, even the best application-level controls may be rendered ineffective. Their importance is evident in the areas mentioned below.
There are several core categories of ITGCs, each targeting a critical aspect of system management and security.
- Access controls: These controls ensure that only authorized individuals have access to IT systems and data, based on the roles and responsibilities assigned to them.
- Change management controls: These controls govern how modifications to systems, applications, and infrastructure are introduced.
- Segregation of duties (SoD): SoD ensures that critical tasks are divided among different people to prevent conflicts of interest, fraud, or errors.
- System operations controls: These controls are associated with the day-to-day functioning and maintenance of IT systems.
- Backup and recovery controls: These controls ensure that data is regularly backed up and can be recovered in case of disasters or failures.
- Audit logging and accountability: These controls ensure that all system activities are logged and monitored for suspicious or unauthorized behavior.
Although ITGCs and application controls may sound similar, they differ in scope.
Both are necessary to maintain the security posture of an organization, but ITGCs provide the structure within which application controls can operate effectively.
| Compliance regulation | How it relates to ITGCs | Key ITGC areas impacted | What auditors look for |
|---|---|---|---|
| Sarbanes-Oxley Act (SOX) | Ensures financial data accuracy through reliable IT systems | Access controls, change management, audit logging, and SoD | Evidence of restricted access to financial systems, proper change approvals, and audit trails of modifications |
| Health Insurance Portability and Accountability Act (HIPAA) | Protects the integrity and confidentiality of electronic protected health information (ePHI) | Access controls, audit logging, system operations, backup and recovery | Role-based access to patient data, records of access attempts, and disaster recovery readiness |
| General Data Protection Regulation (GDPR) | Requires organizations to safeguard personal data and demonstrate accountability | Access controls, audit logging, backup and recovery | Controlled access to personal data, breach detection capabilities, and rights to access/modification logs |
| Payment Card Industry Data Security Standard (PCI DSS) | Ensures secure handling of credit card data and related information systems | Access controls, audit logging, and change management | Restricted access to cardholder data, real-time activity monitoring, and formal change control processes |
| Control Objectives for Information and Related Technologies (COBIT) | Framework for IT governance and management that emphasizes aligning IT with business goals | All ITGCs, especially SoD and change control | Governance structures, control activities, and performance metrics tied to IT risks |
Although ITGCs are important for maintaining the security posture of an organization, they can come with challenges such as:
While understanding ITGCs is crucial, putting them into practice across your Active Directory (AD) environment can be challenging without the right tool by your side. This is where ManageEngine ADManager Plus steps in.
ADManager Plus is a comprehensive AD management and reporting solution that helps organizations enforce ITGCs effectively.
- Access controls
- Change management controls
- System operations
- Audit logging and accountability