General IT controls are designed to protect critical business applications of an organisation. According to “Control Objectives for Information and related Technology” (COBIT):
“To support the business processes, IT provides IT services, usually in a shared service to many business processes, as many of the development and operational IT processes are provided to the whole enterprise, and much of the IT infrastructure is provided as a common service (e.g. networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on application controls. For example, poor change management could jeopardise (accidentally or deliberately) the reliability of automated integrity checks.”
COBIT therefore states that general controls are controls embedded in IT processes and services. Examples include:
- Systems development (project management and Systems Development Life Cycle (SDLC) methodologies).
- Change control management.
- Security (e.g. logical and physical security).
- Computer operations (e.g. data backups, disaster recovery etc.).
The objective of any general IT control audit is to assure the reliable, effective and efficient operation of general controls - so that reliance can be placed on application controls.
BDO South Africa understands the intrinsic value of general IT controls, how they protect critical business applications and data, plus how they impact on an organisation’s going concern. BDO’s value proposition:
- We provide more than just a technical audit – we understand the business implications of general IT control weaknesses.
- We can identify the connection between weaknesses in general IT controls and the integrity of business data.
- We can ascertain the impact of compromised (unauthorised, incomplete and/or inaccurate) data on the profitability of an organisation.