Today’s internal auditors must have a strong understanding of IT internal control techniques supporting enterprise IT processes and systems, ranging from financial applications that control an accounting general ledger to social media processes and the all-pervasive Internet. Although the lines of separation are sometimes difficult to draw, we can generally think of IT controls on two broad levels: application controls that cover a specific process, such as an accounts payable application to pay invoices from purchases, and what are called general IT controls. This latter category covers internal controls that do not relate only to specific IT applications but are important for all aspects of an enterprise’s IT operations infrastructure.
The concept of IT general controls goes back to the early days of centralized mainframe computers, when internal auditors looked for such things as a lock on a computer center door as a general control that prevented unauthorized access to the hardware and the supporting tape and punch-card files. Today, we often think of the many and varied processes that cover all IT operations for an enterprise as the IT infrastructure. Because of the many possible variations in techniques employed, there is really no one set of rights and wrongs here, and an enterprise should establish and implement a set of best practices that will serve as guidance for establishing IT general controls.