It is impossible to overstate the value of information technology (IT) to the world of businesses and industries today. IT facilitates and enhances communication within an organization between management, partners and employees, as well as externally between clients, prospective clients, service providers and the community at large. When applied to data analysis, IT can help companies answer their most pressing questions and solve their most stubborn problems.
Good IT properly used makes everything more efficient. It can enhance revenue, help optimize direct and indirect marketing efforts, assist in the creation of new products and services, improve logistics, and generally make a business nimbler and more responsive.
While IT represents a significant investment, there can be no doubt it has been and will continue to be a boon to any successful business. The best, most efficient companies get the most out of their IT investment by taking IT governance seriously. They develop IT control policies, follow a comprehensive IT control management process and use tested IT control procedures. In short, they institute a strict set of best practices and IT controls, and they audit results.
Defining IT Controls
Stated very simply, IT controls are sets of rules, guidelines, policies and procedures put in place to assure that IT assets and the work product they generate are being used efficiently, in a cost-effective manner and (only) for the reasons intended.
IT controls are grouped into two categories: IT general controls and IT application controls.
IT General Controls (ITGC)
ITGC, as the name implies, cover an organization's broad IT environment. They are used to demonstrate a company’s commitment to IT governance and create awareness of overall IT control risks. By their nature, ITGC are comprehensive and not applied to specific IT platforms. So, ITGC might speak to IT security, but it wouldn’t explicitly address email security as one example, or data security as another.
Large, wide-ranging, but vitally important topics such as an extensive IT disaster recovery plan, IT hardware and software lifecycle policies, an IT change management plan, or an outline of IT risk management all fall under the category of ITGC.
IT Application Controls (ITAC)
ITAC are controls that are specific to certain vital applications, software or data sets. They are, of course, critically important and should run automatically, seamlessly and continuously in the background of IT functions. When it comes to ITAC, spot-checking or periodic auditing is inadequate in the modern world of constant digital threats and instant communication.
This is most pronounced in the realm of IT risk mitigation. A hacker or a digital information thief can strike anytime, day or night. A firm’s ITAC must be designed to see threats as they are developing and take precautions instantly. Among other things, automatic ITAC should be designed, on an ongoing basis, to achieve these goals:
- Input and Output Integrity: Information coming in and going out is from reliable sources.
- Validation: Only “good” data and information are processed.
- Authentication: An authentication process is a must.
- Authorization: Only approved, authorized individuals should be granted access.
- Identification: Identities are checked, not taken for granted.
- Forensic Integrity: Anything stated as “fact” is verified.
Virtually, every IT function or application should have quality ITAC, but some of the most important that need proactive protection are:
- Internal and external digital communications
- Messaging (over slack channels)
- Social networking
- Remote meetings (via Zoom)
- Payroll
- System access
- Banking information
- Data
- Proprietary intellectual property (company secrets)
- Sensitive client information
- Sensitive employee information (such as employment files)
- Financials
- Banking information and funds access
- Passwords and administrative access
Who Is Responsible for IT Controls?
While it’s true that following IT control procedures is everybody’s job, there should be a single individual or a small collection of people who have responsibility for IT governance. No matter what the size of an organization, someone should be designated to ensure that IT assets are used as intended and that data security is maintained.
The bigger and more sophisticated a company is, the more specialized the IT management position becomes. Big firms with many divisions that might do business all over the country or all over the world will usually create a chief information officer (CIO) position and may also implement a chief information security officer (CISO).
In addition, it is the job of the accounting department to perform periodic audits, tests and risk assessments and to report their findings to the CIO, the CISO and other management as necessary.
Your Guide to Proper IT Governance and Controls
Establishing proper, comprehensive IT controls and following best practices in IT governance can seem like a daunting, almost impossible task. But it isn’t. At least it doesn’t have to be.
KnowledgeLeader has developed a wide-ranging, thorough IT controls tool to help you implement necessary IT policies and procedures. Our IT Controls and Governance Guide is fully customizable and available for download.
It’s designed to give information officers advance knowledge of the many challenges and risks that can disrupt IT efficiency and render IT governance ineffective. We created it to be a road map for the development and implementation of a sound and effective IT controls regime that can cover the entirety of an organization regardless of size.
A wide range of topics is covered in our guide, including:
- IT Governance
- Increased Regulatory Requirements
- Pressures on Business Today
- Risk and Challenges
- IT Risk Management
- Five Elements of IT Governance
- IT Governance Maturity Matrix
- IT Governance Vs. Compliance
- Common Governance Implementation Strategy
- How to Get Started
- Best Practices for Managing Risk and Achieving Value
- Key Success Factors
- Business Drivers for IT Best Practices Adoption