
IT General Controls

Whether employees know it or not, IT has a tremendous effect on their everyday working lives.
IT is essentially the lifeblood of a company, ensuring employees’ laptops work, procuring and installing
the applications employees need to do their jobs, and instituting and upholding rules to help the
company stay compliant.
But how does the IT team accomplish those tasks in a standardized, secure way?
The answer lies in IT general controls. IT general controls, or ITGCs, are a set of directives that govern
how an organization’s systems operate. Yet, knowing what ITGCs are and how they work in practice isn’t
always straightforward.


Definition of IT General Controls (ITGC)
ITGC, or IT general controls, are a set of policies and procedures that govern how a company’s IT
systems operate and ensure the confidentiality, integrity, and availability of data.
The basic principles of information security are confidentiality, integrity, and availability.
Confidentiality is limiting data access, integrity is ensuring your data is accurate, and availability is
making sure it is accessible to those who need it.

What are IT General Controls?
IT general controls (ITGCs) are the basic controls that apply to all the system components (such as
applications, operating systems, databases), data, processes and supporting IT infrastructure. The
objectives of ITGCs are to ensure the integrity of the data and processes that the systems support.
ITGCs are designed to protect your organization’s data from unauthorized use, disclosure or
compromise. They can be applied to applications, databases, logical access rights and infrastructure
within your information system (IS). Their implementation is mandated by regulatory entities for most
companies and helps to fight against the risk of data theft or fraud.
These controls help prevent unauthorized access, data breaches, and operational disruptions. ITGC
covers every aspect of IT, including software implementation, user account creation, and data
management. Effective ITGC can improve the reliability and accuracy of financial reporting and reduce
the risk of fraud. Companies are required to establish and maintain ITGC to comply with various
regulatory requirements such as SOX, HIPAA, and PCI DSS.

One important thing to note is that Information Technology General Controls are not the same as
application controls. ITGCs govern the use of all systems within a company, from ERPs to servers,
directory platforms, and project management tools. Application controls restrict what users can do
within one particular platform, and typically these permissions are configured directly within that
application and pertain to specific features or use cases.
