SOX IT General Controls
IT General Controls (ITGCs) are the IT controls that support the reliability of financially significant applications and data. If business process controls depend on technology — and they almost always do — ITGCs ensure that technology is reliable. ITGC failures undermine all application-level controls that depend on the affected systems.
The Four ITGC Domains
Access management controls ensure only authorized individuals can access systems and data relevant to financial reporting. Key controls include user provisioning and deprovisioning, periodic access reviews, privileged access management, password policies, and segregation of duties.
Change management controls ensure changes to applications and infrastructure are authorized, tested, and implemented correctly. Key controls include change request and approval processes, testing before production deployment, separation of development and production environments, and emergency change procedures.
Computer operations controls ensure systems operate reliably and that data is protected. Key controls include job scheduling and monitoring, backup and recovery procedures, incident management, and system monitoring.
Program development controls ensure new systems and significant modifications are properly developed, tested, and authorized. Key controls include development methodology, requirements documentation, testing procedures, and user acceptance.
Identifying In-Scope Systems
In-scope systems are those that store, process, or transmit financially significant data. This typically includes the ERP system, financial reporting tools, billing systems, payroll systems, and any system whose data feeds into financial statements. Infrastructure supporting these systems — databases, servers, networks — is also in scope.
Common ITGC Findings
The most common ITGC deficiencies are: lack of timely access removal for terminated employees, insufficient access reviews, poor separation of duties between development and production, incomplete change management documentation, and missing or untested backup procedures.
Tips for IT Teams
Automate access provisioning and deprovisioning through identity management tools. Implement a formal change management process with documented approvals. Conduct quarterly access reviews and document the results. Test backups regularly and document the tests. These practices prevent the most common ITGC findings.
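As an added illustration of the access-review and separation-of-duties checks described above (example code, not part of the original lesson), the script below reconciles a constructed HR termination list against a constructed ERP account export, flagging accounts that were still active or were disabled later than an assumed one-day removal SLA, and flagging active accounts holding both a developer role and a production-deploy role. Role names, the SLA value and the "as of" date are assumptions.

```python
"""Evidence-style checks for two common ITGC findings: untimely access removal
for terminated employees and dev/prod separation-of-duties conflicts."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

REMOVAL_SLA_DAYS = 1  # assumption: access must be revoked within one day of termination

@dataclass(frozen=True)
class Account:
    user: str
    status: str                 # "active" or "disabled"
    disabled_on: Optional[date] # when the account was disabled, if ever
    roles: frozenset            # ERP roles assigned to the account

# Constructed sample data, not taken from any real HR system or ERP.
HR_TERMINATIONS = {"jsmith": date(2024, 3, 1), "bwong": date(2024, 3, 5), "kpatel": date(2024, 3, 8)}
ERP_ACCOUNTS = [
    Account("jsmith", "disabled", date(2024, 3, 1), frozenset({"ap_clerk"})),      # removed on time
    Account("bwong", "active", None, frozenset({"gl_post"})),                      # never removed
    Account("kpatel", "disabled", date(2024, 3, 20), frozenset({"payroll"})),      # removed late
    Account("mlee", "active", None, frozenset({"developer", "prod_deploy"})),      # SoD conflict
    Account("ajones", "active", None, frozenset({"developer"})),                   # clean
]

# Assumed toxic role combinations: a user who can both change code and push it to production.
SOD_CONFLICTS = [(frozenset({"developer", "prod_deploy"}), "develops and deploys own code to production")]

def untimely_removals(terminations, accounts, sla_days=REMOVAL_SLA_DAYS, as_of=date(2024, 3, 31)):
    """Return (user, condition, days) for terminated users still active or disabled past the SLA."""
    findings = []
    by_user = {a.user: a for a in accounts}
    for user, term_date in terminations.items():
        acct = by_user.get(user)
        if acct is None:
            continue  # no ERP account: nothing to revoke
        if acct.status == "active":
            findings.append((user, "active", (as_of - term_date).days))
        elif acct.disabled_on is not None and (acct.disabled_on - term_date).days > sla_days:
            findings.append((user, "late", (acct.disabled_on - term_date).days))
    return findings

def sod_conflicts(accounts):
    """Return (user, description) for every active account holding a conflicting role set."""
    return [(a.user, desc) for a in accounts if a.status == "active"
            for roles, desc in SOD_CONFLICTS if roles <= a.roles]

if __name__ == "__main__":
    print(untimely_removals(HR_TERMINATIONS, ERP_ACCOUNTS))
    print(sod_conflicts(ERP_ACCOUNTS))
```

Running the same two functions against a real HR feed and account export, and retaining the output with the review date, produces the kind of documented quarterly review evidence an auditor will ask for.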
In the next lesson, we will cover SOX audit preparation.