
How To Scope an IT General Controls Assessment

August 30, 2023

An IT general controls (ITGC) assessment evaluates the controls that underpin the reliability, integrity, security, and confidentiality of an organization’s IT infrastructure and data. It helps organizations manage the risks associated with their technology, promotes efficient IT operations, and builds trust among key stakeholders. It’s not just good practice – it’s a strategic investment in the long-term viability and success of the organization.

Effectively scoping an ITGC assessment, however, is a complex task that requires careful planning and consideration. The following steps give the scoping effort the best chance of success.

Understand the Organization’s Objectives and Compliance Requirements

The organization and third-party assessors should begin by gaining a thorough understanding of the organization’s structure, operations, and objectives. Identify the key business processes, critical applications, and IT systems that support these processes. These can be identified by asking, “If this doesn’t work, can normal business operations continue?” Answering this question can help determine the ITGCs that are relevant and significant to achieving the organization’s objectives.

As part of the assessment, the organization is responsible for identifying the regulatory and compliance requirements that apply to it: industry-specific standards, legal obligations, and internal policies. The control objectives and guidance set forth by these requirements must be understood before scope is fixed, so that the ITGC assessment addresses every necessary compliance aspect.

Assessment Plan Creation

Based on the information gathered in the previous steps, the scope of the ITGC assessment can be defined. The assessor determines the specific control domains (typically logical access to programs and data, program change management, program development and acquisition, and computer operations), applications, systems, and processes that will be included. The risk factors associated with each area and their potential impact on the organization’s objectives must be considered. This identifies the boundaries and limitations of the assessment, which leads to realistic expectations and efficient resource allocation.

Once the specific domains, applications, systems, and processes are identified, clear and measurable objectives that align with the organization’s goals and compliance requirements can be established. During this step, the assessor must define the criteria against which the effectiveness and adequacy of ITGCs will be evaluated. These criteria may be drawn from control frameworks such as COBIT (Control Objectives for Information and Related Technologies) or COSO (Committee of Sponsoring Organizations of the Treadway Commission).

An equally important step is to identify the key stakeholders involved in the ITGC assessment process. This includes management, IT personnel, compliance officers, and any external parties such as regulators or IT managed service providers. Understanding their expectations and concerns is critical to securing their involvement and cooperation throughout the assessment. Knowing who the audience for the findings will be also allows the deliverable to be written at a level of detail that every stakeholder can fully understand.

The final process in the creation of the assessment program is to define a detailed plan for executing the ITGC assessment. The assessment procedures, methodologies, and tools that will be utilized must be determined. The necessary resources should be allocated to perform the assessment effectively. Consider the timeline, budget, and any dependencies that may impact the assessment plan.

Assess the Environment

Once the preliminary assessment plan is in place:

  1. Assess the organization’s control environment in order to understand the existing control framework and its effectiveness. This includes assessing the organization’s risk management processes, policies, and procedures. During this step, control gaps or weaknesses that may require additional attention during the assessment are identified.
  2. Perform a risk assessment to identify and prioritize the key risks associated with the organization’s IT systems and processes. This determines the focus areas of the ITGC assessment and how resources are allocated. Consider both inherent risk and control risk when assessing the likelihood and impact of potential control failures.
  3. Document the entire assessment plan, including the scope, objectives, criteria, procedures, and resources. This serves as a roadmap for the assessment team and provides a reference for stakeholders. Be sure that the plan is communicated and agreed upon by all relevant parties.

Periodically, the assessment scope must be reviewed and adjusted as necessary. This may be required due to changes in the organization’s objectives, regulatory requirements, or emerging risks. It is important to maintain open communication with stakeholders and management throughout the assessment process to address any scope adjustments effectively.

Long-Term Success

Following a systematic approach that encompasses an understanding of the IT environment and an organization’s goals and objectives, an ITGC assessment can provide the steppingstones for improving the control environment, leading to long-term success.

Don’t underestimate the importance of protecting your organization’s data. Contact us today to make sure your ITGCs are doing just that.

Bobby Brown Manager, IT Risk Advisory Services
