Internal controls are important process steps, which allow companies to determine and confirm if protocols are met as per the expectation, policy, or law. In addition, the ITGC controls allow auditors to do various tests to confirm that the processes are designed and operating correctly.
Internal control or IC is an internal process that offers reasonable assurance that the objectives, related to the operations, compliance, and reporting, have been achieved. The IC’s ideally is start at the top of an organization with the Board of Directors. The primary goal of having the internal controls is setting up important points in the process that allow a company to track down the progress and sustainability of its performance.
The main key for ITGC controls is access controls. The access controls address whether risk-specific users have inappropriate access rights beyond what is necessary for performing the specified job responsibilities. Unnecessary access can result in inappropriate segregation of duties or SoD. ITGC controls are applied to IT systems like operating systems, applications, databases, and supporting IT frameworks.
- Access to the data and programs – Controls to help make sure that access to these systems, resources & data will be authorized and authenticated
The objective of the ITGC controls is to ensure the integrity of data as well as processes that these systems support. The controls need to be developed correctly to ensure that the system meets various financial reporting requirements.
The common ITGCs are:
- Program management controls to help confirm that access to these systems, resources & data will be authorized and authenticated.
- Logical access over the applications, supporting infrastructure, and data
- Computer operation controls to help to make sure that processing issues are corrected and that systems are also restarted in such a way that errors aren’t introduced
- Backup & recovery controls
Examples of the internal controls that will mitigate such risk are requesting management approval before granting any system access as well as granting access rights to perform specified job responsibilities. This also may mean revoking access to the terminated users, updating access rights to the transferred users, and performing periodic reviews of users’ access. Authentication and privileged management are a few key controls for implementing it in the right way. There are some defined practices, in terms of password management and privileged access, that must be always restricted to only system administrators.
How can you perform an IT audit?
Planning an IT audit generally involves 2 major steps: gathering information and having a proper understanding of the current internal control structure. Most organizations are now moving to a risk-based approach that can be used for assessing risk as well as helping the IT auditors to decide whether compliance testing and substantive testing need to take place.
In the risk-based approach, the IT auditors will have to rely on the internal and operational controls and knowledge of the company or business. A risk analysis decision will help relay the benefit and cost analysis of control to a known risk. In the “gathering information” step of an IT audit, the auditor will need to identify some important items:
- Historical audit results
- Knowledge of the business & industry
- Inherent risk assessments
- Current financial information
- Regulatory statutes
Examples of important risks in the ITGC controls
Providing ITGC controls is an important role in financial reporting procedures, the integrity of programs/applications or data. The application’s integrity addresses many assertions inherent for processing & reporting, like efficiency, effectiveness, confidentiality, compliance, availability, as well as reliability of the information.
Such assertions offer context for evaluating IT risks. For instance, effectiveness assertion offers information that will be relevant to the business process as well as is delivered in a timely, correct, useful, and consistent way.