Fastpath Blog- Articles on Security, Audit and Compliance

Top Five IT General Controls for Critical Business Applications

Written by Frank Vukovits | Dec 3, 2024 1:00:00 PM

Business applications such as ERP systems, which generate financial reports and process and store master data, are essential to accurate and reliable financial statements. IT General Controls (ITGC) form the backbone of a secure, compliant environment in these systems. They help prevent unauthorized access, ensure data integrity, and uphold organizational policies.

Without ITGCs, an organization is more vulnerable to cyber threats and financial fraud. Poorly managed access controls, lack of monitoring, and insufficient data protection measures create security gaps that malicious insiders and external attackers can exploit.

Whether you are a public or private company, internal controls are the parts of your business process that provide checks and roadblocks to prevent inaccuracies or fraud. For a business process owner, understanding and implementing key IT General Controls is critical for managing risk and staying compliant with regulations.

Many companies are subject to regulations like GDPR, HIPAA, SOX, and PCI-DSS, which mandate certain ITGCs to protect systems and sensitive information. Non-compliance due to inadequate controls can lead to penalties, fines, reputation damage, and legal consequences.

During an internal or external audit, you should expect to be asked about IT General Controls. So, how do you ensure your ITGC framework aligns with industry standards and regulatory requirements? What steps should you take if an audit identifies gaps or deficiencies in ITGCs?

To answer these questions, this list of top five IT General Controls provides a good starting point for a practical, risk-based approach.

Five essential IT General Controls business process owners should prioritize

1. Segregation of Duties (SoD)

Segregation of Duties prevents a single person from having multiple conflicting responsibilities that could lead to fraud, misuse of assets, or error. By dividing tasks and access privileges, organizations reduce the risk of unauthorized or unintentional changes.

For example, in business applications such as financial systems, one employee should not have the authority to both approve and process payments. Instead, one person may submit a request, while another must approve it, creating a checks-and-balances system.

Expect an auditor to ask:

  • How do you define and enforce Segregation of Duties within critical systems?
  • What specific controls are in place to prevent a single user from having conflicting responsibilities?
  • How often are SoD policies reviewed, and who is involved in that review process?
  • What steps do you take to remediate identified SoD conflicts?
  • Can you provide evidence of recent SoD reviews, including any actions taken to address conflicts?

Download our whitepaper: Segregation of Duties - Basics and Applications.
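As an added illustration of what "define and enforce" looks like in practice, the following example checks a set of user-to-role assignments against a conflict matrix. It is example code written for this article, not Fastpath's product logic; the conflict matrix, roles, users and accepted mitigations are all constructed, and a real run would read them from the ERP's security export and the SoD review records.

```python
"""Added example: Segregation of Duties conflict check over constructed ERP role data.

Illustrative code for this article, not Fastpath's product logic.
The conflict matrix, roles, users and mitigations below are all constructed.
"""

# Constructed conflict matrix: capability pairs one person should not hold together,
# with the fraud or error scenario each pair enables.
CONFLICT_MATRIX = [
    ("create_vendor", "approve_payment", "create a fictitious vendor and approve payments to it"),
    ("enter_invoice", "approve_payment", "enter an invoice and approve it without a second pair of eyes"),
    ("process_payment", "approve_payment", "approve and execute a payment alone"),
    ("modify_payroll", "approve_payroll", "change and approve one's own pay"),
]

# Constructed role definitions: role name -> capabilities it grants.
ROLES = {
    "AP_Clerk": {"enter_invoice", "process_payment"},
    "AP_Manager": {"approve_payment"},
    "AP_Superuser": {"enter_invoice", "process_payment", "approve_payment"},  # conflicts by design
    "Vendor_Admin": {"create_vendor"},
    "Payroll_Analyst": {"modify_payroll"},
    "Payroll_Manager": {"approve_payroll"},
}

# Constructed user-to-role assignments, as an ERP export would list them.
USER_ROLES = {
    "alice": ["AP_Clerk"],
    "bob": ["AP_Clerk", "AP_Manager"],
    "carol": ["Vendor_Admin", "AP_Manager"],
    "dave": ["Payroll_Analyst"],
}

# Conflicts already reviewed and accepted with a documented compensating control.
MITIGATIONS = {
    ("carol", "create_vendor", "approve_payment"): "monthly vendor-master change review by the controller",
}


def effective_capabilities(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of capabilities across every role assigned to the user."""
    caps = set()
    for role in user_roles.get(user, []):
        caps |= roles.get(role, set())
    return caps


def conflicting_roles(roles=ROLES, matrix=CONFLICT_MATRIX):
    """Roles that violate the matrix on their own: a design-time check, before any assignment."""
    return sorted(
        name for name, caps in roles.items()
        if any(a in caps and b in caps for a, b, _ in matrix)
    )


def find_sod_conflicts(user_roles=USER_ROLES, roles=ROLES, matrix=CONFLICT_MATRIX, mitigations=MITIGATIONS):
    """One finding per (user, conflicting pair) the user actually holds, with any accepted mitigation."""
    findings = []
    for user in sorted(user_roles):
        caps = effective_capabilities(user, user_roles, roles)
        for cap_a, cap_b, risk in matrix:
            if cap_a in caps and cap_b in caps:
                findings.append({
                    "user": user,
                    "conflict": (cap_a, cap_b),
                    "risk": risk,
                    "mitigation": mitigations.get((user, cap_a, cap_b)),
                })
    return findings


def unmitigated(findings):
    """Findings that still need remediation (a role change) or a documented compensating control."""
    return [f for f in findings if f["mitigation"] is None]


if __name__ == "__main__":
    print("roles that conflict by design:", conflicting_roles())
    for f in find_sod_conflicts():
        state = "mitigated: " + f["mitigation"] if f["mitigation"] else "OPEN"
        print(f"{f['user']}: {f['conflict'][0]} + {f['conflict'][1]} -> {f['risk']} [{state}]")
```

Two things the output makes visible for the auditor's questions above: conflicts are evaluated on a user's combined roles, not on each role alone (bob is clean in either role and conflicting in both), and an accepted conflict is only "closed" when a mitigation is recorded against that specific user and pair.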

2. User Access Reviews (UAR)

User Access Reviews involve regularly auditing user access rights to ensure that permissions align with job responsibilities and security policies. These reviews prevent privilege creep and reduce the risk of insider threats.

For example, quarterly reviews in a healthcare organization may involve auditing all user access to Electronic Health Records (EHR) to verify that only authorized staff have access to sensitive patient information.

Expect an auditor to ask:

  • How frequently are user access reviews conducted, and who is responsible for them?
  • What criteria are used to determine which user accounts are reviewed?
  • What steps are taken if a user’s access no longer aligns with their job responsibilities?
  • How do you document the results of access reviews and the actions taken?
  • Can you provide evidence of completed access reviews and any resulting changes to access permissions?

3. Reviewing Administrative Access (Elevated Privileges)

Reviewing administrative access ensures that users with elevated privileges have the appropriate authorization and that their access remains necessary and controlled. This prevents misuse of powerful permissions that can alter system configurations or access critical data.

Expect an auditor to ask:

  • Who is responsible for reviewing users with elevated (administrative) access?
  • What controls are in place to ensure only authorized users have elevated privileges?
  • How often do you review administrative accounts, and how are findings documented?
  • What is the process for granting, modifying, and revoking administrative access?
  • Can you provide logs or reports of recent administrative access reviews and any access adjustments made?

4. Tracking Changes to Critical Data

Tracking changes to critical data involves monitoring and documenting any modifications to sensitive or high-value data. This control is crucial for ensuring data integrity and forensics in case of unauthorized access or accidental changes. If an unauthorized modification occurs, it can be traced back, ensuring accountability and quick remediation.

Expect an auditor to ask:

  • How do you identify which data is considered critical and requires monitoring?
  • What tools or processes are in place to track changes to critical data?
  • How are unauthorized or unexpected changes to critical data handled?
  • What controls ensure that changes to critical data are documented and reviewed?
  • Can you provide logs or audit trails of recent changes to critical data, along with approvals or explanations?
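As an added example of the "logs or audit trails ... along with approvals" evidence the last question asks for, the following reconciles an application change log against approved change tickets and flags changes to critical fields that have no approval, or whose approver is the same person who made the change. It is example code written for this article, not Fastpath's product logic; the critical-field list, audit-trail rows and tickets are constructed.

```python
"""Added example: reconciling an application audit trail against approved change tickets.

Illustrative code for this article, not Fastpath's product logic. The critical-field list,
audit-trail rows and tickets are constructed; a real run would read the application's change log.
"""
from datetime import datetime, timedelta

# Which (table, field) pairs count as critical data. Everything else is logged but not reconciled.
CRITICAL_FIELDS = {
    ("vendor_master", "bank_account"),
    ("vendor_master", "payment_terms"),
    ("gl_account", "status"),
}

# Constructed audit-trail rows, as an ERP change log would export them.
AUDIT_TRAIL = [
    {"ts": "2024-11-04T09:12:00", "table": "vendor_master", "key": "V1001",
     "field": "bank_account", "old": "DE11...", "new": "DE22...", "user": "alice"},
    {"ts": "2024-11-04T09:13:00", "table": "vendor_master", "key": "V1001",
     "field": "phone", "old": "555-0100", "new": "555-0199", "user": "alice"},
    {"ts": "2024-11-06T17:45:00", "table": "vendor_master", "key": "V1002",
     "field": "bank_account", "old": "GB33...", "new": "GB44...", "user": "bob"},
    {"ts": "2024-11-07T08:00:00", "table": "gl_account", "key": "4000",
     "field": "status", "old": "active", "new": "blocked", "user": "carol"},
]

# Constructed approved change tickets; a ticket covers one record/field for a limited window.
TICKETS = [
    {"id": "CHG-101", "table": "vendor_master", "key": "V1001", "field": "bank_account",
     "approved_by": "manager1", "approved_at": "2024-11-03T15:00:00", "valid_days": 5},
    {"id": "CHG-102", "table": "gl_account", "key": "4000", "field": "status",
     "approved_by": "carol", "approved_at": "2024-11-06T12:00:00", "valid_days": 5},
]


def is_critical(change, critical=CRITICAL_FIELDS):
    return (change["table"], change["field"]) in critical


def matching_ticket(change, tickets=TICKETS):
    """First ticket covering this record and field whose approval window contains the change time."""
    ts = datetime.fromisoformat(change["ts"])
    for t in tickets:
        if (t["table"], t["key"], t["field"]) != (change["table"], change["key"], change["field"]):
            continue
        start = datetime.fromisoformat(t["approved_at"])
        if start <= ts <= start + timedelta(days=t["valid_days"]):
            return t
    return None


def reconcile_changes(trail=AUDIT_TRAIL, tickets=TICKETS, critical=CRITICAL_FIELDS):
    """Classify each critical change as approved, self-approved, or unapproved."""
    results = []
    for change in trail:
        if not is_critical(change, critical):
            continue
        ticket = matching_ticket(change, tickets)
        if ticket is None:
            status = "unapproved"
        elif ticket["approved_by"] == change["user"]:
            status = "self-approved"   # approver and executor are the same person
        else:
            status = "approved"
        results.append({
            "ts": change["ts"],
            "record": f"{change['table']}:{change['key']}.{change['field']}",
            "user": change["user"],
            "ticket": ticket["id"] if ticket else None,
            "status": status,
        })
    return results


def exceptions(results):
    """Changes an auditor will ask about: anything not plainly approved by someone else."""
    return [r for r in results if r["status"] != "approved"]


if __name__ == "__main__":
    for r in reconcile_changes():
        print(f"{r['ts']} {r['record']:32} by {r['user']:6} ticket={r['ticket']} -> {r['status']}")
```

The approval window matters: a ticket approved months earlier should not cover a bank-account change made today, and the self-approval check ties this control back to Segregation of Duties.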

5. Data Backup and Recovery

Data backup and recovery processes ensure that data is securely backed up and can be restored after a loss event, such as a cyberattack or hardware failure. Effective backup strategies minimize downtime and data loss. An organization performing daily backups for critical customer information can restore data and systems quickly in case of a ransomware attack, minimizing operational impact. These backups are a critical part of a business continuity plan as well.

Expect an auditor to ask:

  • What is your data backup policy, and how often are backups performed?
  • How do you ensure that backup data is stored securely and is available for recovery if needed?
  • When was the last backup test performed, and what were the results?
  • What procedures are in place to recover data after an incident, and who is responsible for recovery actions and business continuity plans?
  • Can you provide documentation of backup schedules, test results, and any issues identified and resolved?
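The "last backup test" question is answered by evidence, not by the backup job's exit code, so as an added example the following takes a backup of constructed files with a digest manifest, checks its age against policy, performs a restore test, and then shows the same check catching a corrupted copy. It is example code written for this article, not Fastpath's product code; the files are constructed and the 24-hour limit is an assumed policy value.

```python
"""Added example: backup with integrity manifest, freshness check and restore test.

Illustrative code for this article, not Fastpath's product code. It uses a temporary
directory and constructed files so it runs anywhere; the 24-hour limit is an assumed policy.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

MANIFEST = "manifest.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir):
    """Copy each file and record its digest and the backup time in a manifest."""
    manifest = {"created_at": datetime.now(timezone.utc).isoformat(), "files": {}}
    for name in sorted(os.listdir(src_dir)):
        src = os.path.join(src_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(backup_dir, name))
            manifest["files"][name] = sha256_file(src)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(backup_dir, max_age):
    """Problems with the backup: too old for policy, files missing, or digests that no longer match."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    problems = []
    age = datetime.now(timezone.utc) - datetime.fromisoformat(manifest["created_at"])
    if age > max_age:
        problems.append(f"backup is {age} old, policy allows {max_age}")
    for name, digest in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            problems.append(f"{name}: missing from backup")
        elif sha256_file(path) != digest:
            problems.append(f"{name}: digest mismatch (corrupted or tampered)")
    return problems


def restore_test(backup_dir, restore_dir):
    """Restore into a scratch directory and confirm every restored file matches its recorded digest."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    for name in manifest["files"]:
        shutil.copy2(os.path.join(backup_dir, name), os.path.join(restore_dir, name))
    return all(sha256_file(os.path.join(restore_dir, n)) == d for n, d in manifest["files"].items())


def run_demo(max_age=timedelta(hours=24)):
    """End-to-end: back up constructed data, verify, restore-test, then detect a corrupted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, backup, restore = (os.path.join(tmp, d) for d in ("prod", "backup", "restore"))
        for d in (prod, backup, restore):
            os.makedirs(d)
        # Constructed "critical customer information" standing in for production data.
        with open(os.path.join(prod, "customers.csv"), "w") as f:
            f.write("id,name,balance\n1,Acme,120.00\n2,Globex,80.50\n")
        with open(os.path.join(prod, "vendors.csv"), "w") as f:
            f.write("id,name,bank\n7,Initech,DE11...\n")
        make_backup(prod, backup)
        before = verify_backup(backup, max_age)
        restored_ok = restore_test(backup, restore)
        # Simulate silent corruption of one backup file and re-verify.
        with open(os.path.join(backup, "customers.csv"), "ab") as f:
            f.write(b"\x00")
        after = verify_backup(backup, max_age)
        return {"problems_before": before, "restore_ok": restored_ok, "problems_after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is the artifact to retain as audit evidence: it records when the backup was taken and what was in it, and the restore test proves the copy can actually be read back, which a successful copy operation alone does not.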

Overcoming challenges to implementing IT General Controls

Organizations encounter several challenges when implementing IT General Controls. These challenges stem from technical limitations, resource constraints, organizational resistance, and evolving threats.

Many organizations operate in complex, hybrid environments that span on-premises, cloud, and multi-cloud systems. Integrating consistent controls across these varied environments and business applications can be difficult. Legacy systems often lack integration capabilities, and cloud services introduce new security models, making it challenging to maintain uniform controls.

Different departments and systems may use varying processes, tools, and access controls, leading to inconsistent implementation of ITGCs. Without a standardized approach, leaders struggle to enforce policies across the organization, leading to gaps and inconsistencies in compliance.

Competing priorities within IT departments can limit the resources allocated to ITGC initiatives. Plus, ITGCs often require collaboration with other departments, such as HR, finance, and operations. However, these departments may resist changes that affect their processes or introduce new responsibilities. Lack of cross-departmental buy-in and understanding of ITGCs can lead to pushback, delays, or lack of adherence to security policies.

Preparation tips for demonstrating IT General Controls

Regularly assessing and enhancing these controls helps you respond to new threats and regulatory demands effectively. For business process owners, focusing on these areas not only strengthens your security posture but also promotes a culture of accountability and compliance.

  • Get your house in order: Define clear roles and establish conflict matrices to guide your SoD initiatives. Engage with data owners and legal to define what constitutes critical data.
  • Have evidence ready: Make sure you can produce documented evidence of all processes, reviews, and mitigations.
  • Demonstrate consistency: Show that controls are applied consistently over time with scheduled reviews and routine processes.
  • Highlight improvements: Point out any recent enhancements or process improvements in response to identified risks or audit feedback.
  • Use automation where possible: If you’ve implemented automated solutions, emphasize their role in maintaining compliance and improving efficiency.

Teams spend many hours responding to requests from external and internal auditors for higher volumes of detailed information regarding IT General Controls. By preparing for these questions and ensuring your documentation and processes are in order, you’ll save time, demonstrate a strong control environment, and position your organization well with respect to ITGCs during an audit.

GRC solutions strengthen IT General Controls management

IT General Controls can be especially challenging in larger organizations operating multiple business applications and dealing with complex roles and responsibilities. Defining, managing, and monitoring controls without automation can be overwhelming, and manual oversight often leads to mistakes and potential security risks.

Automated controls enable broader, more comprehensive coverage that manual processes simply can’t match. For instance, organizations can run automated checks on user access across multiple applications, quickly spotting conflicts or anomalies within seconds instead of days.

Regular access reviews, a least privilege model, and automated Governance, Risk, and Compliance (GRC) tools to monitor access are all critical components of an effective access control strategy. With GRC solutions from Fastpath, now part of Delinea, organizations can manage and automate the processes around access control and data access risk quickly and efficiently.

To learn more, download the whitepaper ‘Automating Your Control Environment: Get a Clear View of Access Risk Across Multiple Systems’.