Home > Risk > The importance of IT General Controls

The importance of IT General Controls

Matt Kelley of Radical Compliance has shared an interview he had with a couple of people from the IIA about IT General Controls (ITGC). It’s in a podcast that you can find, with a write-up, here.

Matt’s piece is worth reading, although I have slight disagreements with these comments:

IT now drives business functions — so your ability to understand and assess IT risk is essential to govern operational, finance or compliance risks as well. You can’t assess and manage those risks independent of considering how IT systems support those business processes, and how weaknesses in IT control might undermine them too.

My problem, slight as it may be, is with the very first part, that “IT drives business functions”. It certainly should not!

Technology supports business functions, as the last part of the excerpt correctly states.

It is important to understand that, similarly, risks to IT processes, systems, and assets only matter in terms of how they affect business risks, and enterprise business risks at that.

In order to understand ITGC as a source of business risk, you need to understand how business controls rely on technology, and then how weaknesses in ITGC processes could affect the continued and proper functioning of (the automated part, including reports of) controls in business processes relied upon to manage business risks.

The IIA has a proven and broadly-adopted methodology for understanding ITGC-related risks as they relate to SOX in the GAIT Methodology (available to IIA members)[1]. It is considered recommended guidance – and I certainly recommend it[2].

The other thing that Matt says as an offhand comment is:

I understand the IIA’s commercial interest in talking up the need for better knowledge of ITGCs, since selling training and certifications is what the IIA does.

That is not “what the IIA does”. The IIA supports the profession of internal auditing and one of the ways it does that is by providing training and certification. It is not a commercial, for-profit organization.

One new training course provided by the IIA is a half-day session on IT General Controls. I realize you can only cover so much in a half day, but I am very surprised that GAIT is not mentioned.

The GAIT Methodology is only one of three GAIT family methodologies (all of which are hidden, so I will share the links). The other recommended guidance are:

You can also find a very useful FAQ on their web site.

Please note that the GAIT Methodology family dates back to 2007 and 2008, but the content is not at all dated – only the references to the PCAOB standards, which have been updated.

There is one more point to be made: increasingly technology does more than support business processes. It is an essential component of an organization’s products (think of a smart refrigerator or car) and equipment (advance manufacturing). ITGC are critical to understanding related risks here as well.

I hope you enjoy these materials. Please share your comments.

[1] In the past, it was easy to find in the section of the IIA website under Standards and Guidance, and Technology. Now it is essentially hidden from view, so you find it either with a search or using the link I provided.

[2] I should: I am the author.

  1. August 30, 2021 at 8:32 AM

    The average IT-auditor lacks knowledge of how IT works. IT has become more complex over the years, E.g. the internet has evolved largely since 2008 when GIAT was written and with that cloud computing. I bet username/password was still acceptable as means of acces control; now it should at least be 2FA.
    Often, IT General Controls are being audited by using a checklist approach. When you find username/password for acces control the score will be positive. The risk of system managers/administrators with full (root) acces and the possibility to change the audit logs is often overlooked.

    • Norman Marks
      August 30, 2021 at 8:39 AM

      The world has changed, but GAIT remains 100% relevant and valid. Have a look.

      • August 30, 2021 at 10:40 PM

        I agree, as it is presented as a methodology that contains the right steps. In practise, key controls are often assessed by using checklists like in my example, There is no check if the checklist contains the right set of key controls regarding the potential risks.
        Despite this, I’ve also seen IT-auditors of the Big 4 made mistakes when it comes to concluding whether a certain risk (or lack of controls) could even effect the financial statements, not to speak of material misstatements.

    • August 30, 2021 at 12:37 PM

      ‘The average IT-auditor lacks knowledge of how IT works’. That’s rather a sweeping statement. I used to only recruit IT auditors who came from IT, usually programmers, who would study for the ISACA qualification. Is this not generally true?

      • August 30, 2021 at 10:21 PM

        Sorry, should be INTERNAL auditor, not IT-auditor.

  1. August 30, 2021 at 7:45 AM
  2. August 30, 2021 at 9:34 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: