IT General Controls (ITGC) – these are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. These controls apply to mainframe, server, and end-user environments. General IT controls commonly include:

  • Controls over data center and network operations

  • System software acquisition, change, and maintenance

  • Access security

  • Application system acquisition, development, and maintenance

  • Physical security of assets, including adequate safeguards, such as secured facilities, over access to assets and records

  • Authorization for access to computer programs and data files

Separation of the duties performed by analysts, programmers, and operators is another important IT general control. The general idea is that anyone who designs a processing system should not do the technical programming work, and anyone who performs either of these tasks should not be the computer operator when “live” data are being processed. Persons performing each function should not have access to the equipment. Computer systems are susceptible to manipulative handling, and the lack of separation of duties along the lines described should be considered a serious weakness in general control. The control group, or similar monitoring by the user departments, can be an important compensating factor for weaknesses arising from a lack of separation of duties in computerized systems.

IT Application Controls (ITAC) – these are controls that relate to specific computer software applications and the individual transactions they process. For example, a company would usually restrict which personnel are authorized to access its general ledger in order to revise its chart of accounts, post or approve journal entries, and so on. To enact this policy and restrict access, the general ledger software package must provide the necessary functionality. Furthermore, assuming the functionality exists, does the company have a policy in place, and is there evidence that the general ledger authorizations actually align with that policy? Controls around application access are very important and need to be reviewed closely as part of the certification process.

The literature and regulations pertaining to the review and testing of IT application controls by auditors and management address three types of application controls: Input Controls (transactions are captured, accurately recorded, and properly authorized), Processing Controls (transaction processing has been performed as intended), and Output Controls (the processing result is accurate). These control tests are typically performed when a new system has been implemented. Afterwards, once the controls have been confirmed to be operating effectively, for purposes of expediency the focus tends to shift to the “key” controls, such as who has system access to make changes to the various applications, and whether the policies are being followed.
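As an added illustration, not taken from the original text, of the "key" access control just described, the following Python compares a general-ledger entitlement export against an approved-access policy and a set of separation-of-duties rules (such as one person both posting and approving journal entries). The user names, function names, policy, and rules are all constructed for the example.

```python
# Constructed sample: an export of general-ledger entitlements (user -> GL functions held).
GL_ENTITLEMENTS = {
    "alice": {"post_journal", "approve_journal"},
    "bob": {"post_journal"},
    "carol": {"edit_chart_of_accounts"},
    "dave": {"approve_journal", "run_reports"},
}

# Constructed access policy: the GL functions each user has been approved to hold.
APPROVED_ACCESS = {
    "alice": {"post_journal"},
    "bob": {"post_journal"},
    "carol": {"edit_chart_of_accounts"},
    # "dave" is absent: no approved GL access at all
}

# Constructed separation-of-duties rules: function pairs one person must not hold together.
SOD_CONFLICTS = [
    ("post_journal", "approve_journal"),
    ("edit_chart_of_accounts", "post_journal"),
]


def find_unapproved_access(entitlements, approved):
    """Return {user: functions actually held that the policy does not approve}."""
    findings = {}
    for user, held in entitlements.items():
        extra = held - approved.get(user, set())
        if extra:
            findings[user] = extra
    return findings


def find_sod_conflicts(entitlements, conflicts):
    """Return [(user, function_a, function_b)] for every conflicting pair a user holds."""
    out = []
    for user, held in sorted(entitlements.items()):
        for a, b in conflicts:
            if a in held and b in held:
                out.append((user, a, b))
    return out


if __name__ == "__main__":
    for user, extra in find_unapproved_access(GL_ENTITLEMENTS, APPROVED_ACCESS).items():
        print(f"UNAPPROVED ACCESS {user}: {sorted(extra)}")
    for user, a, b in find_sod_conflicts(GL_ENTITLEMENTS, SOD_CONFLICTS):
        print(f"SOD CONFLICT {user}: {a} + {b}")
```

Each finding is evidence for the question raised above: an entitlement with no matching policy entry, or a combination the policy forbids, is a deviation to be explained or remediated during the access review.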