Understanding IT General Controls (ITGC) in Cybersecurity

January 26, 2023

To protect your assets and reputation from hackers and cybercriminals, you need to have the right processes and tools to keep your data secure — and alert you to any potential risks.

One important way to establish security is through your IT department’s general controls, or ITGC. These controls are the specific processes and steps you have in place through your IT protocols to keep you compliant and help you reduce the risk of a cyber attack. In this article, we’ll explain why ITGC are so critical for your business and give you some actionable instructions to help you prepare for an ITGC audit and maintain long-term compliance.

What are IT general controls (ITGC)?

IT general controls, or ITGC, are a set of directives that determine how a business’s systems operate. They prevent data theft, unauthorized access, operational disruption, and data breaches. They influence every aspect of IT, from setting up new software to user account creation.

ITGC also affect vendor management, as new applications and procurement must meet the standards set by the controls. Having ITGC in place ensures that your systems are protected, tested, and implemented correctly, and that security and network updates happen at the right times.

What is the difference between ITGC and SOX?

SOX (Sarbanes-Oxley Act) is a compliance audit that protects shareholders in your organization by requiring yearly mandated assessments of how well you manage your IT controls. It also ensures your reporting and disclosures are accurate and reliable, which protects investors.

SOX is not the same thing as ITGC. You use your ITGC to ensure that you remain compliant with the standards set by SOX. The two work together to help protect businesses, shareholders, and customers from data breaches and other cyberattacks.

Why ITGC are important

ITGC are incredibly important to the success of your business operations and the security of your data. These internal controls ensure that your IT environment and other business processes are protected and any vulnerabilities are addressed. Here are a few ways that ITGC protect you and your information systems from risks.

Reputational risks

Your business reputation is built on trust between customers and shareholders. You can face severe reputational risks if your company lacks the right cybersecurity or physical security to keep your data centers secure. This can hurt your industry standing, which can ultimately cause you to lose revenue.

Operational risks

ITGC also protect your business operations. If your systems are damaged by a cyberattack or a lack of compliance, it can slow down or halt your entire operation and put you at risk of even more damage. The control objectives help to keep your organization running smoothly and ensure that your IT systems are up-to-date and delivering accurate information.

Financial risks

When your business suffers from reputational or operational risks, it trickles down to your finances. You can lose business, investors, and grants from non-compliance or data breaches. Your financial reporting can also suffer a hit if you cannot access the information you need to make a report. Even with disaster recovery plans, it might be too little or too late to save your bottom line.


Compliance requirements depend on internal audits, vendor checklists, remediation steps, and risk assessments. Without the right IT controls, you risk being non-compliant with SOX or other regulatory compliance objectives. This can result in massive fines, reputational damage, and other serious consequences.

How ITGC audits are conducted

You need to conduct assessments and audits on your ITGC to understand whether your access controls are adequate and how to improve them. An IT audit can help you validate your controls and the security currently in place. Here are the typical steps you will see in an audit.

Step 1: Determine audit scope

Set the scope of your audit and ensure you know the reliability required from each control to complete the tasks at hand.

Step 2: Test with a consistent process

Use the same or a similar testing process for all of your control audits so that you can follow that same process for change management.

Step 3: Prioritize defective controls

If the audit returns with defective controls, prioritize which ones are most important to your business operations and begin remediating those controls first.

Step 4: Create a baseline

Create a baseline for your controls that helps you understand when they are not working as they should, so you can reduce the need to audit.

Step 5: Continually test controls

Test controls continually to remain proactive with your cybersecurity and IT management.

Areas of IT general controls: Types of ITGC to audit

Now that you know why ITGC are important and what an audit of them typically looks like, let’s dive into the different types of ITGC you should be prepared to audit.

Information security controls

Your information security controls are the specific measures that secure your data and prevent theft or breaches. This is essential to protecting your business. An audit will likely run a scenario in which the auditing party attempts a data breach to see how your systems handle the simulated attack.

Access to programs and data

Your access controls help you determine who should access different data and systems. This can help prevent unauthorized access and reduce the risk of a data breach. For example, password management and least-privilege access policies fall under this category. An audit might reevaluate your current access controls.

Change management controls

Your IT environment will change over time, so you need to have change management controls in place to document and authorize changes. An audit will determine if your change management process is effective or if there is a vulnerability.

System lifecycle controls

These controls deal with the updates to your applications, systems, and networks. Without patch management in place, programs that aren’t updated can become vulnerable. An audit might look at your regular updating procedures and system monitoring.

Computer operation controls

This type of control examines how your computers are programmed to help you store, process, and access data from your network. It is important to ensure that your systems work as intended and your processes can operate smoothly. An audit will examine computer processes and storage to see if they are capable of running programs correctly.

Incident management controls

When an incident occurs, it’s important to have a plan in place to record, recover, and process the incident so it doesn't happen again. An audit will examine the types of management you have in place for an incident and how you address the incident after the fact.

Backup and recovery controls

Cyberattacks, natural disasters, and accidents can all impact data, so you need to have a backup and recovery plan prepared to avoid significant losses or process slowdowns. An audit will examine what data protection features you have in place currently and their effectiveness.

Physical data center security controls

Not all hackers work from behind a keyboard, so you need to have physical security measures in place to protect sensitive areas. An audit will examine physical access to see how a potential hacker can enter your buildings and secure rooms.

How to maintain strong IT general controls: 3 crucial steps

Maintaining your IT controls depends on a few crucial steps. Here's how to ensure everyone in your organization is ready to step up and that your processes and tools will support your IT.

1) Train employees and determine roles, responsibilities, and authorizations

The first step is to ensure that your employees are trained on all ITGC regulations. You also need to make sure that roles are determined, responsibilities are assigned, and the right authorizations are put in place to ensure that every member of staff is aware of what they need to do in the case of a breach or a cyberattack. 

Security awareness training can come in the form of online webinars, in-person meetings, and special authorizations.

2) Develop your control strategy and processes

Beginning from the top with a control strategy and a clear vision of the process is another important step to ensuring that your controls are strong. This will allow you to develop a high-level plan for your IT controls, give you a solid foundation, and allow you to build up from there. 

Consider taking a step back and envisioning what you want your control process to look like. Then, you can develop strategies that help take you to the next level and cover all of your bases.

3) Utilize the right tools and technology to mitigate risk

Managing your IT controls, staying on top of compliance, and protecting your business is only possible with the right tools. Different technology and software can help you stay on top of mitigating risks and even notice potential issues before you could by reviewing controls manually.

The right tool will also help you be better than you were before you used the tool. For example, at HyperComply, we use AI technology to help accelerate security reviews and keep your business processes flowing.

Establish top-notch cybersecurity practices with HyperComply

Cybersecurity is one of the most important components of running a modern business. Without the right protocols, tools, controls, and processes, you leave your business vulnerable to attack and the serious damages that can occur if cybercriminals and hackers target you. Having IT controls and an audit process to monitor them is a powerful way to reduce risks and protect your business.

At HyperComply, we understand the value of top-notch cybersecurity practices. That’s why we’ve created tools that make auditing and staying compliant easier for your business. To learn more about what we can do for you, get started with us and discover what HyperComply can offer.