IT General Control Domains and Related Deficiency Analysis

This chapter covers the standard ITGC domains that support reliance on application controls and system output. ISC questions in this area often depend on understanding how broad technology controls support or undermine more specific financial or operational controls.

In This Chapter

• Access to Programs and Data explains the control foundation for limiting unauthorized use and changes.
• Program Changes covers authorization, testing, and approval over updates to systems.
• Program Development Key Phases and Sign-Off Gates introduces structured development controls.
• Computer Operations focuses on day-to-day operational controls that support stable processing.
• Aligning ITGCs with COSO and COBIT connects domain-level controls to larger governance frameworks.
• Identifying Control Deficiencies and Mitigation explains how weaknesses are evaluated and addressed.

How to Use This Chapter

• Read this chapter carefully because ITGC logic appears throughout ISC.
• Focus on why a deficiency in one domain can affect confidence in the broader system.
• Return here whenever a question asks whether a control environment supports reliance on system output.

In this section

• Access Controls Over Programs, Data, and Privileged Capabilities
  Access controls over programs, data, and privileged capabilities.
• Program Change Controls, Approvals, Testing, and Audit Trails
  Program change controls, approvals, testing, and audit trails.
• Program Development Phases, Sign-Off Gates, and Acceptance Testing
  Program development phases, sign-off gates, and acceptance testing.
• Computer Operations, Scheduling, Backups, and Daily Monitoring
  Computer operations, scheduling, backups, and daily monitoring.
• Mapping IT General Controls to COSO and COBIT
  How IT general controls map to COSO and COBIT.
• Identifying IT General Control Deficiencies and Mitigation Responses
  IT general control deficiencies and mitigation responses.