IT Controls

Two major categories of IT Controls are general IT controls and application IT controls. What’s the difference? General IT controls focus on an organization’s control environment as a whole. They benefit the entire company, and they are not controls specific to a software application. For example, there might be a general IT control for how individuals can log into the company’s network or a control that uses security cameras to prevent unauthorized access to facilities.

On the other hand, application IT controls are controls specific to particular applications. For instance, our accounting software might automatically detect an error if someone tries to input 400 hours of work instead of the normal 40 hours. This would be an application IT control.

Study Tip: General IT controls focus on an organization’s control environment as a whole. Application IT controls are controls specific to particular applications.

A key general control is having proper segregation of duties. Segregation of duties means that one person doesn’t complete too much of a task, which prevents one individual from having excessive control or access. We discussed the segregation of duties in the corporate governance section, but here we’ll discuss it in the context of a company’s IT setting.

There are three major areas that should be separated: authorization, recording, and custody. The person with authorization is the one who has access to the company’s software code and is allowed to change and update it.

The individual responsible for recording, on the other hand, is the one who uses the program daily. For instance, if we’re talking about accounting software, then the staff accountant is making journal entries into the software. They shouldn’t have access to the software’s code because only the person with authorization should have that.

Finally, the individual with custody has access to the system’s output. For instance, in an accounting system, they would have access to reports such as the income statement.

The employee responsible for recording, such as the staff accountant, records all revenues and expenses into the software. Once they export it, the individual with custody has access to the reports. It’s crucial that the individual with custody doesn’t have access to recording, as they could manipulate the reports.
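One way to test the three-way separation described above against a system's access list, as an added example that is not part of the original study material. The user names, entitlement names and the mapping from entitlements to duties are all constructed for illustration.

```python
from collections import defaultdict

# Assumed mapping from system entitlements to the three duties named in the text.
# Entitlement names are hypothetical, not taken from any real product.
DUTY_OF = {
    "modify_source_code": "authorization",
    "deploy_release": "authorization",
    "post_journal_entry": "recording",
    "edit_journal_entry": "recording",
    "view_income_statement": "custody",
    "export_reports": "custody",
}

# Constructed sample access list: (user, entitlement)
SAMPLE_GRANTS = [
    ("dev_lee", "modify_source_code"),
    ("dev_lee", "deploy_release"),
    ("acct_kim", "post_journal_entry"),
    ("acct_kim", "edit_journal_entry"),
    ("ctrl_ray", "view_income_statement"),
    ("ctrl_ray", "post_journal_entry"),   # custody + recording: conflict
    ("admin_jo", "modify_source_code"),
    ("admin_jo", "export_reports"),       # authorization + custody: conflict
    ("temp_sam", "print_badge"),          # entitlement with no duty assigned
]

def sod_review(grants, duty_of=DUTY_OF):
    """Return (conflicts, unmapped).

    conflicts: {user: sorted duties} for every user holding more than one duty.
    unmapped:  sorted entitlements the mapping does not classify; these need
               manual review because an unclassified right can hide a conflict.
    """
    duties = defaultdict(set)
    unmapped = set()
    for user, entitlement in grants:
        duty = duty_of.get(entitlement)
        if duty is None:
            unmapped.add(entitlement)
        else:
            duties[user].add(duty)
    conflicts = {u: sorted(d) for u, d in duties.items() if len(d) > 1}
    return conflicts, sorted(unmapped)

if __name__ == "__main__":
    conflicts, unmapped = sod_review(SAMPLE_GRANTS)
    for user, held in sorted(conflicts.items()):
        print(f"SoD conflict: {user} holds {' + '.join(held)}")
    for ent in unmapped:
        print(f"Unclassified entitlement, review manually: {ent}")
```

Holding several entitlements within one duty (as `dev_lee` and `acct_kim` do) is not a conflict; only a user whose rights span two or more of the three duties is flagged.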
