Edited by: Farah Araj

shutterstock_71146456General controls are defined by COBIT as controls, other than application controls, that relate to the environment within which computer-based application systems are developed, maintained and operated, and that is therefore applicable to all applications (ISACA Glossary,2014). These controls include policies, procedures and practices (tasks and activities) established by management to provide reasonable assurance that specific objectives will be achieved [2]; which are to ensure the proper development and implementation of applications and the integrity of program and data files and of computer operations. (ISACA Glossary, 2014

General controls, in nature, can be automated, manual or hybrid [1], where in the case of an automated and/or hybrid control; further testing by an IT auditor is required in order to present assurance over any calculations and/or reports generated through an IT system, complex interfacing between several IT systems along with security access and segregation of duties.

Taking into account that general controls apply to all areas of the organization including IT infrastructure and Support services [2], each IT auditor should bear in mind obtaining an appropriate understanding over the IT control environment prior to any testing or walkthroughs covering the four key areas below:

  1. Overall Information Technology Governance

The objective of this control is to gain an overall impression on the controls surrounding the information systems within the environment in order to provide assurance of leadership, organizational structure and processes existence. A set of areas should be taken into account while auditing this control such as Information Security framework and structure, IT strategy, organizational structure, policies and procedures; including information security, IT contracting strategies, IT controls monitoring, risk management plans and business continuity plan. [2]


       2. Physical & Logical access management

The objective of this control is to verify the key components which affect the confidentiality, integrity and availability of information systems [2]. Areas such as information security policies, design and monitoring of data classification, security awareness programs, user access management; including user registration and deregistration, user access provisioning, management of access rights, management of secret authentication information of users, review of user access rights, logging and monitoring, removal or adjustment of access rights and data center access, should be addressed to provide a sufficient degree of assurance on this control.[1][2]

A fundamental aspect, within this control should be taken into account while auditing, is the roles and responsibilities proper assignment along with appropriate access rights and restrictions in order to ensure segregation of duties accomplishment. [2]

     3 .Operational Controls

The objective of this control is to verify that the expected level of service, promised to the business, will be delivered through the day to day activities of the organization.  Areas such as operational and end users procedures of both types scheduled and nonscheduled processes, automated and manual batches, backup and restore management, monitoring use of resources, malware detection activities, USB usage, Virtual Private Networks, Intrusion Prevention Systems, Intrusion Detection Systems and disaster recovery planning should be assessed by the IT auditor to provide assurance.[2]

     4.System development & change

The objective of this control is to provide appropriate degree of assurance over the changes implemented on the Information Systems. Change Management processes and policies, help desk support, Incident handling, release management and Problem management should be addressed by the auditor to ensure that the control is effective. It should be noted that this control is not limited to software changes alone where it addresses hardware changes as well.[2]

Each key area referred to above  is relevant to several information technology layers.


The importance of Information Technology General Controls has massively elevated due to the focus given to them by Sarbanes- Oxley Act. Today, ITGCs are considered to be the base of information security systems for all types of industries. ISO 27001:2013 [1] provides requirements for establishing, implementing, maintaining and continually improving an information security management system. Therefore, IT auditors should assess the ITGCs and consider the results before progressing further in the audit plan

[1] ISO 27001:2013 Information technology — Security techniques — Information
security management systems — Requirements.
[2] ISACA, 2011, Certified Information System Auditor Review Manual, USA

MAIS BAROUQA,CRISC, CGEIT, COBIT 5, ISO27K, GRCP, is an IT Risk and Assurance senior consultant based in Jordan.