By Andrew Wan, CPA, CFE

IT systems are now an integral part of many companies’ everyday life. From the use of the simple solutions like Square for a small businesses’ point-of-sale tracking, to more robust and dynamic integrated GL packages like SAP for large businesses that integrates all aspects of a company, IT technology has truly revolutionized the way we do business. Without appropriate safeguards to maintain the integrity of these systems, results could be detrimental to a business’s ability to succeed. As such, all companies should consider performing a self-assessment regarding the following 5 categories of IT General Controls applied in its organizations: IT entity-level controls, change management, information security, backup and recovery, and third-party providers.

IT Entity-Level Controls

IT entity-level controls deals with the structure of how a company manages its IT systems. It should define the person or group responsible for its IT oversight. This group would be charged with determining the IT roadmap of where the organization should make their technology investments, perform annual risk assessments, implementing best practices for the organization, and manage sound best practices in project management.  Smaller entities may have their IT systems managed by its original owners while companies that are more sophisticated may implement a robust group of IT professionals to help with the maintenance and management of their systems. The complexity of the type of individuals would be determined based on the amount of systems relied upon for the processing of transactions or fulfillment of performance obligations for an entity.

Change Management Controls

Change management controls are controls that deal with implementing changes to an entity’s IT environment. Because risk of introduction of system vulnerabilities exist during any changes to a Company’s systems, it is imperative that proper oversight, review, testing, and approvals be performed or obtained prior to any implementation to the Company’s production environment. Some examples of good change management controls include, but are not limited to:

  • Review of all planned changes before they are approved for developers to make changes.
  • All firewall configurations must be approved by Network Administrator before implementation.
  • All code changes are reviewed by a peer and tested before implementation into production.
  • Developers do not have access to production systems.
  • All hardware goes through a stringent updates and testing prior to its introduction into the network.

Having appropriate change management controls is critical to ensure the integrity of the system is safeguarded.

Information Security Controls

Information security controls are those that prevent unauthorized access or manipulation to information maintained by the company’s system. It is a good practice for companies to perform an annual information inventory identifying the key data, applications, and systems maintained within the system so that appropriate controls are designed and implemented to protect those critical areas from unauthorized access or manipulation. Both physical and logical security measures should be considered. Some examples of good security controls include, but are not limited to:

  • Key badge is required to access sensitive areas like the server room or datacenters.
  • Intrusion detection systems and enabled to monitor and prevent against unwanted access.
  • Robust firewall is installed to prohibit unauthorized access and network attacks.
  • Anti-virus is installed on computer systems with virus definitions updated daily.
  • Appropriate logical access (e.g. complex passwords, dual-authentication, etc.) is utilized to gain access to the appropriate applications based on an employee’s role and responsibilities.
  • E—mail filters and enabled to prevent against malicious codes, viruses, or social engineering schemes.
  • Penetration testing or vulnerability scans are performed quarterly to identify additional vulnerabilities.
  • Have appropriate encryption over data at rest and during transit.
  • Quarterly review of logical and physical access granted to determine their appropriateness based on roles and responsibility of individuals.

Having good information security controls often is the first line of defense and should be carefully considered.

Back-up and Recovery Controls

Back-up and Recovery Controls are controls in place to ensure that proper availability of information, not only in times disaster, but also in certain cases, when the company is attacked by criminals utilizing ransomware attacks. One very high-profile Ransomware attack, known as SamSam, encrypted hundreds of networks in the U.S and inflicted damages to more than 200 victims exceeding $30 million as reported by the FBI.  Proper segregation of databases and appropriate back-up and recovery controls would help minimize such threat, allowing companies to restore business to normal operations speedily. Companies should review their back-up configurations and recovery plans to ensure that mission critical information, applications, and systems are easily accessible from alternative locations. Companies should also implement a robust Business Continuity Plan and perform testing on these plans regularly to ensure appropriate resources and personnel are available to help restore services at times of need to minimize service downtimes.

Third-Party Providers Controls

With companies becoming ever more interdependent on other software as a service (SAAS) or third-party administrators (TPAs) to provide mission critical services for their business, it is imperative that the right third-party providers are the right partners. Having the wrong partner could become detrimental to a company. Therefore, companies should implement procedures and controls before engaging with third-party service providers to determine whether such providers are qualified, secure, and have the appropriate resources to help meet the needs of the client. Additionally, monitoring controls should also be implemented for companies to continually monitor the services provided to confirm verify whether service level commitments are met. Often times, a company may obtain a Service Organization Controls Report (SOC) from their service providers that details the results of the most recent audit conducted by an independent licensed professional. Companies could get comfort by reviewing such reports on an annual basis to identify any vulnerabilities of the service provider and determine whether additionally mitigating controls should be implemented. Having these controls in place would provide business owners the peace of mind that their information held by outside vendors are appropriately maintained.


While not all 5 aspects of the IT General Controls would be applicable to companies of all sizes, companies should at least consider their situation according to this framework and determine how these risks are mitigated at their organization. Having an annual assessment of an organization’s controls in the IT General Controls framework and applying mitigating controls for weaknesses identified will help a company address the appropriate areas of concerns as they continue to scale.

At Larson & Company, we are committed to helping companies of all sizes know their IT risks. If interested, we can help your organization perform an IT Risk Assessment utilizing the framework above and recommend best practices for your organization. Should you have any questions about our services, please contact Andrew Wan at