IT General Controls (ITGCs) provide important insight into an organisation’s risk and control environment. Here, we highlight three common red flags for access controls (a key aspect of ITGC) and suggest how to avoid the associated risks.
What are IT general controls?
ITGC is a subset of IT controls and forms a key part of an entity's internal control framework. As a general rule, ITGC relates to Access Controls, Application Change Control (including implementing new applications) and Computer Operations (including anti-virus, firewalls, back-up and recovery and other areas).
It is important to look at ITGC from a stakeholder perspective.
A financial external auditor will be more interested in the impact of a breakdown of an ITGC in the context of a risk of material misstatement in the financials and the impact this will have on critical application controls being relied upon for the audit. In other words, a breakdown in ITGC may have a pervasive impact on the integrity of application controls, financial assertions such as completeness and accuracy, as well as the risk of material fraud. If this is the case, the auditor may need to increase substantive testing, apply greater sample sizes, or, in the extreme, provide a qualified opinion. It is important to understand that the level of materiality for an external audit is higher than from the perspective of management. Materiality for an external audit will pertain only to the financial year being audited, and usually relates to a percentage of turnover or assets.
Management, on the other hand, will be concerned about risks lower than the external audit threshold, which may also occur over many financial years. They would have a lower risk appetite and would consider the impact of a breakdown in ITGC on achieving strategic and business objectives.
Three red flags for access controls
Access controls are a key aspect of ITGC, which includes provisioning new users, maintaining their access and decommissioning users when they leave the organisation. This is an essential control, impacting every organisation.
Three common red flags associated with access provisioning, and how to avoid the associated risks, are detailed here:
| Risk | Remedy |
| --- | --- |
| Replicating a new user's access based on an existing user, who may have harvested roles as they moved throughout the organisation. | Develop a functional position matrix, where each position is pre-approved with the application/s they need, and the approved roles within those application/s. This also streamlines the process of provisioning new starters and reduces the risk of fraud. |
| Inadequate password management. | Enforce password complexity rules and require users to change their passwords after an approved period. Alternatively, implement very long passwords and monitor usage. |
| Poor Active Directory management. | Ensure that your Microsoft users are required to enter a password to access the network. Decommission users that have left the organisation. Review users that have not accessed the network for a considerable time. |
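The first and third rows of the table describe two checks an access review would run over an export of user accounts: comparing each user's actual roles against a functional position matrix to surface harvested roles, and listing enabled accounts that have not logged on for a considerable time. The following script is an added example, not code from the original article or from PKF; the position names, applications, role names, user records and logon dates are all constructed, and the 90-day idle threshold is an assumed review period.

```python
from datetime import date, timedelta

# Constructed functional position matrix (hypothetical positions, applications
# and role names): each position is pre-approved for a set of applications and
# the roles permitted within each of them.
POSITION_MATRIX = {
    "accounts_payable_clerk": {
        "erp": {"ap_invoice_entry", "vendor_view"},
        "email": {"mailbox"},
    },
    "payroll_officer": {
        "payroll": {"pay_run", "employee_view"},
        "email": {"mailbox"},
    },
}

# Constructed user records in the shape an access export might take.
USERS = [
    {"user": "alice", "position": "accounts_payable_clerk", "enabled": True,
     "last_logon": date(2024, 6, 28),
     "roles": {"erp": {"ap_invoice_entry", "vendor_view"}, "email": {"mailbox"}}},
    # Bob's access was cloned from a colleague who had passed through payroll,
    # so he carries roles his position was never approved for.
    {"user": "bob", "position": "accounts_payable_clerk", "enabled": True,
     "last_logon": date(2024, 6, 27),
     "roles": {"erp": {"ap_invoice_entry", "vendor_view", "vendor_edit"},
               "payroll": {"pay_run"}, "email": {"mailbox"}}},
    # Carol left months ago but her account is still enabled.
    {"user": "carol", "position": "payroll_officer", "enabled": True,
     "last_logon": date(2024, 1, 15),
     "roles": {"payroll": {"pay_run", "employee_view"}, "email": {"mailbox"}}},
    # Dave is already decommissioned; disabled accounts are not a stale-access finding.
    {"user": "dave", "position": "payroll_officer", "enabled": False,
     "last_logon": date(2023, 11, 2),
     "roles": {"payroll": {"pay_run"}, "email": {"mailbox"}}},
]


def excess_roles(user, matrix=POSITION_MATRIX):
    """Return {application: set(roles)} held by the user but not approved for
    their position. Applications missing from the position's entry are reported
    in full, and a position absent from the matrix is treated as approving nothing."""
    approved = matrix.get(user["position"], {})
    excess = {}
    for app, roles in user["roles"].items():
        extra = roles - approved.get(app, set())
        if extra:
            excess[app] = extra
    return excess


def stale_accounts(users, today, max_idle_days=90):
    """Return names of enabled accounts whose last logon is older than
    max_idle_days: candidates for review or decommissioning."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(u["user"] for u in users
                  if u["enabled"] and u["last_logon"] < cutoff)


def review_report(users=USERS, today=date(2024, 6, 30), max_idle_days=90):
    """Combine both checks into one review: harvested roles per user and
    stale enabled accounts. The review date defaults to a constructed value."""
    return {
        "excess_roles": {u["user"]: excess_roles(u) for u in users if excess_roles(u)},
        "stale_accounts": stale_accounts(users, today, max_idle_days),
    }


if __name__ == "__main__":
    report = review_report()
    for name, apps in report["excess_roles"].items():
        for app, roles in apps.items():
            print(f"{name}: {app} roles not approved for position: {sorted(roles)}")
    for name in report["stale_accounts"]:
        print(f"{name}: enabled but no logon in 90 days; review or decommission")
```

Run against the constructed data, the report flags bob for `vendor_edit` in the ERP and `pay_run` in payroll, and lists carol as an enabled account with no logon in the review period; dave is skipped because he has already been disabled. In practice the user records would come from the organisation's directory or IAM export, and the matrix would be the approved document rather than an inline dictionary.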
While ITGCs are important foundational controls, they do not provide an all-inclusive solution to mitigate cyber security risks. Contact your local PKF office for IT Governance advice. We will help you to protect and strengthen your business.