As part of the overall control environment, ITGC information technology general controls have a major role to play. I had explained in one of my earlier posts here about evaluating IT controls. Scoping IT controls correctly can be key to successful 404 compliance. If ITGC's are not defined appropriately, same can not only result in a lot of work but also security and control issues. These security and control issues can then result in errors in financial statements. In extreme cases, deficiencies in ITGC's can even result in material errors if same are not mitigated.

Scoping for ITGC should begin with identifying the control objectives which address each of the areas of information technology general controls. Suzie, an expert on general computer controls at our firm gave me a list of areas in ITGC which can be starting point for companies scoping for ITGC. The lists looks something like this -

1. Management and organization of IT within the enterprise.
2. Management of Changes to operating systems, databases, and the overall IT infrastructure.
3. Development, maintenance and further customization of existing as well as new applications.
4. Approach towards network security.
5. Management of overall computer operations which would include taking backups, server room security, handling application bugs and errors, database security etc.
6. Segregation of duties, role of IT security, threat management can also be considered.
7. Application user management which includes user management i.e. user ID approval, removal in case of terminated or transferred employees, setting up users, providing access to new employees etc.

Related Posts

Risk Treatment Plans for SOX Compliance
IT Governance for Sarbanes Oxley
Sarbanes Oxley 404 Project Maturity Framework
Technology Tools for Sarbanes Oxley