Assessment of IT General Controls (ITGC)

It is very important to scope and address IT control deficiencies, as IT risk is increasing day by day. The main purpose of ITGC testing is to provide an organization with a high level of assurance that the controls are operating effectively, ensuring the security, confidentiality, availability and integrity of corporate data.

In 2004, nine public companies developed a methodology for evaluating ITGC deficiencies. Known as "A Framework for Evaluating Control Exceptions and Deficiencies" (the Framework), this methodology can help companies assess the effectiveness of ITGCs and detect the presence of gaps.

Below are some of the ITGC controls and their objectives:

Change Management: Controls provide reasonable assurance that changes to IT systems are authorized and implemented only after following documented change management procedures.

Security Policy: Controls provide reasonable assurance that security policies and procedures are documented and approved by authorized personnel.

Incident & Problem Management: Controls provide reasonable assurance that reported IT incidents and related problems are analysed and resolved, and that the root cause analysis (RCA) has been documented.

Backup Management: Controls provide reasonable assurance that procedures for data backup, restoration and disposal are documented, approved and adhered to.

Access Management: Controls provide reasonable assurance that user access management procedures are documented, approved and adhered to.

Patch Management: Controls provide reasonable assurance that patch management procedures are documented, approved and adhered to.

Physical & Environmental Control: Controls provide reasonable assurance that physical access to computers and other resources is restricted to authorized and appropriate personnel, and that data and applications are protected against environmental threats.

Does the organization have a role in reducing ITGC risk?

Yes, the organization is responsible for implementing its ITGC controls and reducing their risk. The two most important roles and their responsibilities are listed below:


  • Ownership of IT policy, standards, procedures, process documents, etc.
  • Supporting implementations of the IT general control manual
  • Reviewing and approving exception requests
  • Consolidating and reporting of Controls Status
  • Performing control assessments, risk assessments, risk mitigation plans, etc.

Internal Audit:

  • Assessment of design and effectiveness of Controls
  • Reporting to relevant management
  • Review of effectiveness, efficiency and appropriateness of information management processes and controls


Impact of ITGC deficiencies:

  • Deficiencies in ITGC can indirectly lead to financial impact
  • ITGC deficiencies can lead directly or indirectly to operational failures

To minimize ITGC deficiencies, an organization should establish a life cycle to periodically test its IT controls and mitigate the gaps, and thereby achieve security and compliance with legal and regulatory requirements.

Views by Tapasi Chavan


There are 2 Comments

ITGC also encompasses controls pertaining to "Operations", which can be further divided into:
a) Disaster Recovery Planning
b) Business Continuity Planning
c) Production Control

I appreciate your comment. As I had mentioned only some examples of ITGC controls in the above article, not all ITGC controls have been listed, such as production control, which you have mentioned and which is also known as job scheduling. Disaster recovery and business continuity come under backup management in ITGC controls.