Internal controls

ITGCs
Part 1 – Introduction to ITGCs

What are information technology general controls (ITGCs)?

In the simplest sense, ITGCs are controls that protect an entity’s data and IT systems (all software, IT
operations and physical hardware). ITGCs exist to make sure that the IT environment functions as
intended and is protected from unauthorized access or manipulation due to error and fraud. ITGCs are an
entity’s controls designed to ensure that (1) changes (e.g., updates, implementations) to a
software program are properly authorized and correctly made; (2) access to the IT environment (e.g.,
software, data, hardware) is properly granted or removed; and (3) the IT environment operates as
intended, including being backed up on a timely basis.

Why are ITGCs important and relevant to a business?


The IT component of a control ecosystem typically includes ITGCs and application controls. Application
controls can be thought of as the proper or intended functioning of a software program. Said another
way, application controls are the various automated functions performed by a particular software
component. ITGCs make sure that those functions continue to operate correctly and that any changes
made to them are properly authorized and tested.

An example of a software program and its various application controls is as follows: a revenue software
application processes an order by first checking a customer’s credit (maintained in a customer credit limit
database), it interfaces with the inventory IT application to assess if the ordered goods are in stock, it
accesses a pricing database to price the selected items on the customer’s order, it calculates the cost of
the order to the customer (creates the invoice), and adds applicable taxes and shipping costs (likely by
accessing other databases). These automated processes (i.e., operations) performed by the revenue
software application are thought of as “application controls” (i.e., the proper functioning of the software).
So, where do ITGCs fit in this scenario? ITGCs are the controls that make sure that, for example, only
authorized persons can establish and change customer credit limits (i.e., the ITGCs make sure that the
customer credit database is secure). They are the controls that make sure that the interface between the
inventory and revenue program is operating; they are the controls that make sure that the pricing
database is updated with the correct prices on a timely basis and the same for customer credit limits,
taxes and shipping cost databases. ITGCs also make sure that any changes to the revenue application
(i.e., functions) have proper authorization and are tested so that invoice calculations remain accurate
(e.g., price multiplied by quantity) and that postings of a sale to a customer’s account and the general
ledger occur timely. The ITGCs also ensure that the day’s sales were in fact posted (recorded) in the
day’s financial statements.

As another example, think about when you create a spreadsheet that you will use to make an important
decision. You will likely download or input data from an external source (e.g., bank account or credit card
data), create formulas in cells and link cell inputs to other parts of the spreadsheet. If ITGCs existed for
the creation and maintenance of your spreadsheet, there would be checks to validate the downloaded
data, validate the cell inputs, make sure that the formulas are correct and likely a password to protect
against unwanted access to your spreadsheet. And, if changes are made to the spreadsheet formulas or
its inputs, ITGCs would check and test those too. That is, in essence, what ITGCs do in a business
setting.

Internal controls ITGCs Part 1 – Introduction to ITGCs – Handouts 1
© 2021 Ernst & Young Foundation (US). All Rights Reserved.
SCORE no. 13206-211US_26

So, if ITGCs do not adequately function, it is very possible that IT systems might generate inaccurate
information for any number of reasons. A good IT ecosystem depends on ITGCs to support the accurate
functioning of the various software programs in processing correct data on a timely basis. Strong ITGCs
are the backbone of an entity’s IT environment.

To whom are ITGCs important?

We might first think that ITGCs are important to the IT department. It is true that ITGCs are largely the
domain of the IT department. However, as is likely evident from the previous discussion, adequate ITGCs
are, if not explicitly, implicitly important to anyone who engages with an entity in a substantial way. How
can management adequately manage a business if it does not have correct and timely information? How
does the operations group plan for inventory purchases? Uncollectible receivables are likely to occur if
credit limits are not properly maintained. A company’s sales and marketing efforts might be made difficult
if IT system problems resulted in delays and uncertainty about when or if certain goods would be
available for sale. Payroll information and, ultimately, paychecks may be inaccurate. For an entity’s
planning or data analysis groups, if certain historical data is not maintained properly, their ability to
perform critical analyses and assessments may be hampered. How will financial management generate
and publish timely and accurate financial statements if IT systems fail to generate timely and accurate
financial data? Companies and those responsible for them who have provided inaccurate financial
information (due to error or fraud) to outsiders (e.g., investors, the Securities and Exchange Commission
(SEC), bank regulators, banks, vendors) are subject to a wide variety of negative consequences. Would
you want to be on the board or otherwise advise an entity that cannot generate timely, accurate financial
information? Would you invest in or sell or loan money to such an entity?

Who is responsible for ITGCs?

It is true, to a significant extent, that the IT group of an entity is responsible for ITGCs. Without a proper
effort by the IT group, ITGCs are at risk of being inadequate, meaning that data and IT systems are
vulnerable to producing incorrect data due to error or fraud. However, the effectiveness of ITGCs
ultimately relies on more than the IT department. It is the combination of control efforts by the IT group
and various business groups within an entity that creates a strong ITGC environment.

Take, for example, customer credit limits. If incorrect or fraudulent credit limits are input into the customer
credit limit database, it is likely that uncollectible receivables will result, potentially causing financial
statement errors, as well as losses and cash flow problems. A company’s credit department (referred to
here as the “business” to distinguish from the IT department) typically sets and approves credit limits for
each customer using standards established by the company (the IT department has no role in these
activities). Updated or new customer credit limits that have been approved by the business are provided
to the IT department to be uploaded into the customer credit limit database. Similarly, the various
business departments typically approve which employees have access to which databases or programs,
as well as the level of access within those databases and programs. The IT department’s role is to
provide access as granted by the business authority responsible. The role of IT is to make the changes
authorized by the respective business (e.g., grant access to the system or data, upload new prices into
the pricing database, upload new or revised customer credit limits).

Another important ITGC is making sure that software programs used in the business are tested to make
certain they accurately and completely perform as intended and that programs and applications are
protected from unauthorized changes. Testing software program changes typically includes (1)
authorization by the related business group; (2) the IT department making the technical (e.g., coding)
changes; and (3) acceptance and validation of the changes, performed together by the IT and
requesting business departments.

Making accurate and intended changes to programs and access to data is typically a combined effort of
the IT group and the respective business department. Consequently, the responsibility for effective ITGCs
often lies with both the IT department and the respective business department (which likely has
ownership of or responsibility for the IT programs and data of its business department).
