The following guide is meant to be a primer on the subject of general computer controls and general application controls, it is by no...

General Computer & Application Controls, A Primer

The following guide is meant to be a primer on the subject of general computer controls and general application controls, it is by no means a complete guide to these controls but rather aims to provide a foundation by which to build upon.

Businesses rely on technology to operate and achieve their goals, and with all technology come risks. To mitigate the risks every IT system and environment requires controls to be in place to keep the system and data within it secure, maintain continuous operations, and reduce the chance of errors in data processing and transactions.  These types of controls are commonly called general computer controls and general application controls, and ensure IT systems are functioning reliably and as management intended.

In Information Security and Information Technology audits most things boil down to the CIA triad… Confidentiality, Integrity, and Availability.  The blend of general and applications controls in every system are the measures put in place to support the CIA triad and ensure IT systems can be relied on to sustain business operations.  We also test to ensure the controls are functional, effective, and comply with policies and procedures.

Compliance is also a reason why general computer controls and application controls are important, regulations such as HIPAA, SOX, GLBA as well as PCI-DSS compliance require the attestation of the effectiveness of certain general computer and application controls.

General Computer Controls

General controls are the controls applied over the IT infrastructure of a system, without them it is possible unauthorized changes may occur, users with privileged access may go unknown, measures would not be taken to ensure systems are available, and data may be accessible to unauthorized users.  General controls form the control environment to ensure these risks are appropriately mitigated.  The following list is a high level description of the controls you should expect to see in just about every IT system.

Along with best practices, all of the following general computer controls should be tested against documented company policies, procedures, and standards.

Physical security

Controls should be in place to ensure physical access is limited and controlled (ID badges, locks, man-traps, guards), fire suppression systems are in place, and power systems are adequate.  I'm not going to go into more detail here because most of the time when reviewing general controls for systems, they are located in a data center which should have it's own review performed.

Change and patch management

Generally speaking changes to a system, including installing patches, should be performed in accordance to change management policies and procedures with proper approvals and separation of duties. System owners should ensure they are made aware of patches, specifically security patches, timely and evaluate them based on criticality and risk to the organization.

Performance monitoring and capacity management

Key performance indicators (KPIs) should be monitored based on the function of a system and its criticality with automated alerting for the timely response to any problems.  Monitoring should also be performed for capacity management of resources such as disk, processor, memory, bandwidth, and license usage.  This should be done periodically to ensure the capacity of the system supports its current and projected usage.

Backup & recovery and high availability

IT systems should have data and configuration backed up appropriately to support the recovery of the system in the event of a disaster or loss of data.  If the system has an associated Recovery Point Objective (RPO), which is a specified maximum amount of time the business can afford to lose data, backup jobs should be scheduled accordingly.  For example if a system has an RPO of 1 hour, data must be backed up at a minimum, every hour.  For high availability, based on risk, systems and infrastructure should be configured to be highly available in support of business continuity.  Examples included clustered or fail-over system configurations, redundant network connections, disk arrays, etc.

Security configuration, administration, and access review

Security configuration within IT systems is made up of the configuration for how users are authenticated (centrally or local),  secure communications of the authentication traffic (e.g. Secure LDAP, Kerberos, SSH, SSL/TLS),  password policies, audit logging, etc. Systems should comply with documented security standards and analyzed based on risk.

Security administration concerns the granting and removal of access to systems, access should be based on least privileged with the use of groups or roles where applicable. There should be a separation of duties between the grantors of access and the users with privileged access.

Security access reviews should be performed periodically to verify the access of users within the system is appropriate and access has been granted or removed timely.  There should be a separation of duties here as well between the reviewers of access and the grantors of access.

General Application Controls

Application controls center around the accuracy and validity of data as it is processed through a system.  The objective is to ensure that data is accurate and approved when sent to a system, processed, and output.  It's very important to walk-through and understand the process flow and flow of data when it comes to reviewing general application controls.  To properly test them you should have a full understanding of the flows and know where and when specific controls should apply.

Controls for input data include validity and approval of the input, its accuracy, as well as it's completeness and management overrides. In many cases there should be segregation of duties between initiation and approval of transactions.  For the processing of transactions there should be controls in place which record every transaction as well as check for completeness, and accuracy.  There are many ways to test transactions and calculation including re-performance through the use of computer aided auditing techniques (CAATs).

The same controls apply for the output data, they should ensure completeness and accuracy of the data.  A couple additional controls which apply to output data are error reporting and the security over the new data wherever it has been output.  No matter on where the data is stored or its location in a database, controls should be in place to ensure only authorized uses should have access.

Final Thoughts

General computer and application controls can quickly become a very involved topic and noticeably I have not covered everything in this guide, including controls over operations and systems development, acquisition, and maintenance. Nor have I covered approaches to testing the controls such as compliance or attribute and substantive testing, however the purpose was to provide solid overview and foundation which could easily be built on and translated to multiple environments.  Feel free to leave your comments below, happy auditing!

Photo by Faramarz Hashemi   / CC BY