
📖 What are IT General Controls (ITGC)?

IT General Controls (ITGC) are the overarching controls that apply to all systems, applications, and infrastructure within an organization. They include policies and procedures for change management, logical access, and data center operations to ensure a stable environment.

🥋 Sensei Says:

"If ITGCs are weak, you cannot rely on the application controls. Always assess the general environment before testing specific software functions."

📚 Certification: Certified Information Systems Auditor (CISA)

🔑 What are the Key Concepts of IT General Controls (ITGC)?

  • Change Management: Ensuring all system modifications are formally requested, tested, and approved before deployment to prevent unauthorized or unstable production changes.
  • Logical Access: Implementing strict identity and access management to ensure only authorized users can access systems, adhering to the principle of least privilege.
  • IT Operations: Managing daily tasks like system backups, job scheduling, and incident response to ensure continuous availability and data integrity across the enterprise.
  • Control Dependency: The fundamental principle that application-level controls are only reliable if the underlying IT general controls are operating effectively.
  • Physical and Environmental Controls: Protecting the hardware and infrastructure from unauthorized physical access and environmental hazards like fire, flooding, or power failure.

🎯 How do IT General Controls (ITGC) appear on the CISA Exam?

You may be asked to determine the impact of a failure in change management on the overall audit opinion, specifically how a lack of authorization for code changes undermines the reliability of automated application controls.

A scenario might describe a situation where application controls are functioning perfectly, but the auditor discovers that administrative passwords are shared. You must identify this as an ITGC failure that compromises the system.

Expect questions where you must distinguish between an ITGC and an application control, such as differentiating a corporate password policy from a specific input validation check in a payroll system.

❓ Frequently Asked Questions

What happens if the auditor finds ITGCs are ineffective but application controls are strong?

The auditor cannot rely on the application controls. If the general environment is insecure, there is no guarantee that the application controls haven't been bypassed or modified by unauthorized personnel.


How do I distinguish between an ITGC and an Application Control during the exam?

Ask if the control affects the entire system or just one specific business process. ITGCs are broad (e.g., backup policies), while application controls are narrow (e.g., a required field in a form).


📝 Related Study Guides


CISA Exam: What to Expect and How to Prepare in 2026

The CISA exam consists of 150 multiple-choice questions to be completed in 4 hours, requiring a scaled score of 450/800 to pass. Preparation requires mastering five domains focusing on IT auditing, governance, acquisition, operations, and asset protection. Success depends on a risk-based mindset and understanding frameworks like COBIT.


Mastering COBIT 2019 for the CISA Exam

COBIT 2019 is a comprehensive framework for the governance and management of enterprise IT. For CISA candidates, it provides the essential structure to evaluate how an organization aligns IT goals with business objectives, manages risk, and ensures value delivery through a clear distinction between governance and management activities.


Attribute vs. Variable Sampling: CISA Exam Guide

Attribute sampling is used for compliance testing to determine if a control is functioning (yes/no), while variable sampling is used for substantive testing to estimate a numerical value or monetary amount. For the CISA exam, remember that attribute sampling checks for existence, and variable sampling checks for value.
