Skip to main content

*By Lucas Bezerra


The digitization of companies around the world, through the implementation of various technological resources to their business processes, brings numerous benefits, such as increased information processing capacity and, consequently, increased capacity to meet demands, reduced the chance of eventual errors and omissions related to manual processes and a lower cost with human labor.

The digitization of an organization's business processes, however, results in the emergence of new risks associated with the assets (people, processes and technologies) in charge of supporting its technological environment. To ensure that these risks are mapped, in order to mitigate the probability and/or reduce the impact of harmful events, organizations must structure a series of controls related to Information Technology (IT).

IT Controls

The concept of ITGC (Information Technology General Controls – Information Technology General Controls) serves as support for the identification of controls that aim to mitigate IT-related risks within organizations. The identification of these controls as "general" is due to the fact that they are designed to cover risk in several factors within the organization, such as, for example, physical and logical security of the technological environment, backup copies of the organization's data, management of IT and Information Security (IS) incidents.

In addition to the implementation of controls, the activity of evaluating them is recommended, in order to assess their effectiveness, keeping them updated and adequate to the business, in order to cover the identified IT risks.

ITGC Audit

The most common way to assess ITGCs implemented by the organization is through the internal audit process. This process aims to assess the effectiveness and efficiency of controls to mitigate IT risks to which the organization may be exposed.

The internal audit activity must be performed by an area and/or a third party independent from the areas and teams responsible for executing the controls, ensuring that the assessment will be performed impartially and objectively.

The ITGC implemented by the organization must be identified and associated with the risks they cover. One approach used in some organizations is to develop a Risk and Controls Matrix (MRC), where this association is described. This material serves as a starting point for the auditor responsible for performing the control assessment activities. The controls identified by the organization as applicable are listed in the document known as SOA (Statement of Applicability – Declaration of Applicability, in Portuguese). This document summarizes all the controls applicable to the business and which processes are performed by the organization that support these controls.

ITGC Audit Steps

Once in possession of the organization's MRC and/or SOA, the auditor can start the TOD phase (Test of Design – Design Test, in Portuguese), where the objective is to assess whether the processes implemented by the organization were designed in a satisfactory way to meet the controls to which they are related and good market practices. At this stage, the auditor may use one or more of the following methods to assess the design of a control:

  • Inquiry: questioning the person responsible for the process (sometimes called Control Owner) for the description and overview of this. This method is generally used in conjunction with another technique, due to the low level of reliability of the information;
  • Observation: observe the execution of the process by the person in charge or someone designated by him/her;
  • Inspection: analyzing documents, recordings, screenshots or other types of evidence of the execution of the evaluated process. This method can be associated with inquiry to obtain a more precise description of the process;
  • Reperformance: rerun the process from start to finish. This step can sometimes be identified as “walkthrough”.

In addition to the design test, the controls are also evaluated for their effectiveness, in the TOE (Test of Effectiveness – Effectiveness Test, in Portuguese), where the objective is to validate that a control, in fact, reduces or mitigates the risk(s) to which it is associated in a given period.

To evaluate the effectiveness of a control, samples are selected, based on the period of scope of the evaluation, the frequency and form of execution of the control (manual, automatic or hybrid), so that the auditor can guarantee that the control is working in the environment in which that is implemented. For example, in an audit whose evaluation period is 1 year, the expectation is that there will be only 1 execution of an annual control, 12 executions of a monthly control, and so on. Therefore, the auditor should select a reasonable number of samples and, where applicable, related to distant periods (months, weeks or days), to ensure that the effectiveness of the control has not been compromised over time.

In addition to testing the design and effectiveness of controls, the auditor may also perform the test known as “rollforward”. This test consists of the effectiveness test performed on the execution of a complementary control to the scope period, in order to cover a planned period. For example, if the scope period of an audit is from January to August of a given year, the test rollforward will be carried out over the period between September and December of this year, in order to evaluate the execution of the control throughout the evaluated year. This test requires a smaller amount of samples, compared to the design and effectiveness tests, due to the shorter scope period.

After performing the tests, the auditor must issue an audit report to formalize the result of his assessments. If controls are identified whose design does not adhere to the related risk or the organization's requirements, as well as ineffective controls, the auditor must describe the problem (also called "gap”) and can suggest a corrective action plan for this deviation.

Final considerations

The ITGC Audit is indispensable for organizations seeking compliance with various regulations, for example the Sarbanes-Oxley Act, or for companies seeking to improve IT risk management.

The dynamics of the technology industry results in the constant emergence of IT-related risks; therefore, the periodic evaluation of the efficiency of the controls implemented to minimize the probability and impact of these risks to the environment is of paramount importance for companies of different lines of business and sizes, facilitating the management of these risks and preparing companies for the constant technological renewal around them. of the world.

— Lucas Bezerra is GRC, Privacy and Information Security Senior Consultant at [SAFEWAY]

How can we help?

THE SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

today through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services, the Cybersecurity Health Check whose objective is to carry out a diagnosis of the CyberSecurity, Information Security and Data Privacy implemented in your company, contemplating the pillars of Law SuitPeople and Technology.

through the Cybersecurity Health Check, risks associated with information security and privacy of internal processes and activities are identified, existing controls and new controls evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!