Information Technology Controls (IT Controls)

Revision as of 16:53, 15 May 2020

Definition of Information Technology Controls (IT Controls)[1]

Information Technology Controls (IT Controls) are essential to protect assets, customers, partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today’s global market and regulatory environment, these things are too easy to lose.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to weak links. IT controls are subject to error and management override, range from simple to highly technical, and exist in a dynamic environment. IT controls have two significant elements:

  • the automation of business controls (which support business management and governance) and
  • control of the IT environment and operations (which support the IT applications and infrastructures).


Categories of IT Controls[2]

IT controls are often described in two categories:

  • IT General Controls (ITGC): ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of controls:
    • Control environment, or those controls designed to shape the corporate culture or "tone at the top."
    • Change management procedures - controls designed to ensure the changes meet business requirements and are authorized.
    • Source code/document version control procedures - controls designed to protect the integrity of program code.
    • Software development life cycle standards - controls designed to ensure IT projects are effectively managed.
    • Logical access policies, standards and processes - controls designed to manage access based on business need.
    • Incident management policies and procedures - controls designed to address operational processing errors.
    • Problem management policies and procedures - controls designed to identify and address the root cause of incidents.
    • Technical support policies and procedures - policies to help users perform more efficiently and report problems.
    • Hardware/software configuration, installation, testing, management standards, policies and procedures.
    • Disaster recovery/backup and recovery procedures, to enable continued processing despite adverse conditions.
    • Physical security - controls to ensure the physical security of information technology from individuals and from environmental risks.
  • IT Application Controls: IT application or program controls are fully automated (i.e., performed automatically by the systems) and are designed to ensure the complete and accurate processing of data, from input through output. These controls vary based on the business purpose of the specific application. These controls may also help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:
    • Completeness checks - controls that ensure all records were processed from initiation to completion.
    • Validity checks - controls that ensure only valid data is input or processed.
    • Identification - controls that ensure all users are uniquely and irrefutably identified.
    • Authentication - controls that provide an authentication mechanism in the application system.
    • Authorization - controls that ensure only approved business users have access to the application system.
    • Input controls - controls that ensure data integrity fed from upstream sources into the application system.
    • Forensic controls - controls that ensure data is scientifically correct and mathematically correct based on inputs and outputs.
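As an added illustration (not from the original page or its cited sources), the following Python sketch applies the completeness, validity, authorization and reconciliation controls listed above to a constructed batch of payment records. The header fields, record layout and approved-user list are assumptions made for the example.

```python
# Constructed sample batch (not from the page): the sender's control header
# and the payment records the application received.
BATCH_HEADER = {"expected_count": 4, "expected_total_cents": 17_250}
RECORDS = [
    {"seq": 1, "account": "ACC-1001", "amount_cents": 5_000, "submitted_by": "alice"},
    {"seq": 2, "account": "ACC-1002", "amount_cents": 7_250, "submitted_by": "bob"},
    {"seq": 3, "account": "ACC-1003", "amount_cents": -500, "submitted_by": "alice"},
    {"seq": 4, "account": "ACC-1004", "amount_cents": 5_500, "submitted_by": "mallory"},
]
APPROVED_USERS = {"alice", "bob"}  # authorization list, also constructed

def completeness_check(records, header):
    """Completeness: the count matches the header and sequence numbers have no gaps."""
    errors = []
    if len(records) != header["expected_count"]:
        errors.append(f"count {len(records)} != expected {header['expected_count']}")
    missing = set(range(1, header["expected_count"] + 1)) - {r["seq"] for r in records}
    if missing:
        errors.append(f"missing sequence numbers {sorted(missing)}")
    return errors

def validity_check(rec):
    """Validity: account identifier format and a positive payment amount."""
    acct = rec["account"]
    if not (acct.startswith("ACC-") and acct[4:].isdigit()):
        return f"seq {rec['seq']}: malformed account {acct!r}"
    if rec["amount_cents"] <= 0:
        return f"seq {rec['seq']}: non-positive amount {rec['amount_cents']}"
    return None

def authorization_check(rec, approved):
    """Authorization: only approved business users may submit records."""
    if rec["submitted_by"] not in approved:
        return f"seq {rec['seq']}: submitter {rec['submitted_by']!r} not approved"
    return None

def process_batch(records, header, approved):
    """Apply the controls, then reconcile; returns (accepted, exception_messages)."""
    accepted, exceptions = [], completeness_check(records, header)
    for rec in sorted(records, key=lambda r: r["seq"]):
        err = validity_check(rec) or authorization_check(rec, approved)
        if err:
            exceptions.append(err)
        else:
            accepted.append(rec)
    # Reconciliation (forensic) step: recompute the control total from what was
    # actually accepted so every rejection shows up as a documented difference.
    total = sum(r["amount_cents"] for r in accepted)
    if total != header["expected_total_cents"]:
        exceptions.append(f"control total {total} != expected {header['expected_total_cents']}")
    return accepted, exceptions
```

Each rejected record and the resulting control-total mismatch land in the exception list, which is the audit trail a reviewer would expect an application control to produce.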

  1. Definition - What Does Information Technology Controls (IT Controls) Mean? IIA
  2. The Two Categories of IT Controls, Wikipedia, https://en.wikipedia.org/wiki/Information_technology_controls