Scoping and addressing deficiencies in IT general controls (ITGCs) matters because IT risk grows every day. The purpose of ITGC control testing is to give an organization a high level of assurance that its controls operate effectively and preserve the security, confidentiality, availability and integrity of corporate data.
In 2004, nine public accounting firms developed a methodology for evaluating ITGC deficiencies. Known as "A Framework for Evaluating Control Exceptions and Deficiencies" (the Framework), it helps companies assess the effectiveness of their ITGCs and detect gaps.
Below are some of the ITGC controls and their objectives:
Change Management: Controls provide reasonable assurance that changes to IT systems are authorized and implemented only after documented change management procedures have been followed.
Security Policy: Controls provide reasonable assurance that security policies and procedures are documented and approved by authorized personnel.
Incident & Problem Management: Controls provide reasonable assurance that reported IT incidents and related problems are analysed and resolved, and that a root-cause analysis (RCA) is documented.
Backup Management: Controls provide reasonable assurance that procedures for data backup, restoration and disposal are documented, approved and adhered to.
Access Management: Controls provide reasonable assurance that user access management procedures are documented, approved and adhered to.
Patch Management: Controls provide reasonable assurance that patch management procedures are documented, approved and adhered to.
Physical & Environmental Control: Controls provide reasonable assurance that physical access to computers and other resources is restricted to authorized and appropriate personnel, and that data and applications are protected against environmental threats.
Does the organization have a role in reducing ITGC risk?
Yes. The organization is responsible for implementing its ITGC controls and reducing the risk they address. The most important roles and responsibilities are:
- Ownership of IT Policy, standards, procedures, process document etc.
- Supporting implementations of the IT general control manual
- Reviewing and approving exception requests
- Consolidating and reporting of Controls Status
- Performing control assessments, risk assessments, and risk mitigation plans
- Assessing the design and operating effectiveness of controls
- Reporting to relevant management
- Review of effectiveness, efficiency and appropriateness of information management processes and controls
Impact of ITGC deficiencies:
- ITGC deficiencies can indirectly lead to financial impact
- ITGC deficiencies can lead directly or indirectly to operational failures
To minimize ITGC deficiencies, an organization should therefore establish a life-cycle in which it periodically tests its IT controls and remediates the gaps found. This is how it achieves security and compliance with legal and regulatory requirements.
Views by Tapasi Chavan