When it comes to establishing a solid internal control environment, companies really need to focus on two key areas: Information Technology General Controls (ITGCs) and Business Process controls. At my firm, SSAE 16 Professionals, LLP, we work with many clients who are new to the SSAE 16 audit process. For those without much experience with internal controls, discussing ITGCs and Business Process controls is like speaking a foreign language. The control identification process can seem daunting and intimidating. Whereas ITGCs should apply to all companies, regardless of industry, Business Process controls should be specifically tailored to the service organization's industry, business size, or complexity of IT systems. For example, providers and administrators to the F&I industry will have very different Business Process controls than a company in the digital media industry. However, both companies will have similar, if not many of the same, ITGCs.
Effective ITGCs help ensure the reliability of your key IT systems and the data generated by those systems. Without effective ITGCs, your customers may not be able to gain comfort around your system operations and may not place reliance on the output generated from those IT systems. This is a double-edged sword: without effective ITGCs that can be proven through a third-party audit (e.g. SSAE 16), your company may lose sales because clients do not want to do business with you. Furthermore, you also put your company at risk from an information security perspective, which can cost a significant amount of money to remediate, not counting the reputational risk to your current client base.
When it comes time to identify controls for your audit, the first step we perform is the readiness assessment phase of the SSAE 16 audit. The primary purpose of the Readiness Assessment is to document the key risks associated with your service offering and identify a control to mitigate each risk. By obtaining documentation and performing a detailed walkthrough of each control, the CPA firm will be able to provide you with a gap matrix showing which controls would pass right away and which would fail. All failed controls should be listed in priority order, with a detailed action plan that allows you to remediate the gaps. Once the issues have been fixed, it is important for the CPA firm to walk through each control again to ensure there is documented evidence available to support the control conclusion. Some companies jump right into the SSAE 16 audit and then discover issues that result in a qualified opinion. By that time, you have spent a lot of time and money only to get a qualified report, which is useless to your company. The Readiness Assessment slows the entire process down and allows for a more controlled approach to the audit, including identifying the key ITGCs.
Below, I have listed the most widely accepted ITGC control objectives and a couple of sample ITGCs most companies have in place. Although this is just a small snippet of the controls most companies will have in place, this list should provide you some insight into what it takes to create a strong internal control environment.
Organization and Administration Controls
For organization and administration controls, management will need to identify control activities which provide reasonable assurance that the organizational structure provides for management oversight, segregation of duties and administrative practices. A few common organization and administration controls include:
- Organization charts are documented for each department and are available to management personnel.
- The Entity performs background checks on employees and subcontractors.
Logical Access Controls over Infrastructure, Applications, and Data
For logical access controls, management will need to identify control activities which provide reasonable assurance that logical security tools and techniques are implemented and configured to restrict access to production systems and data. A few common logical access controls include:
- The Entity maintains a security plan that lays out a structure for information security policies and guidelines within the organization with regard to its Information System.
- A user access review of all network accounts is performed semi-annually.
- Employee access to the network is disabled when the employee leaves the company.
System Development Lifecycle (SDLC) Controls
For SDLC controls, management will need to identify control activities which provide reasonable assurance that new systems are authorized by the Company and then implemented, tested, documented and approved by the Company. A few common SDLC controls include:
- The Entity has a defined Software Development Lifecycle process.
- Release planning for significant new or upgraded applications includes an introduction to the project, use cases, and supplementary requirements.
- Testing is completed to ensure the project is ready for implementation. Test results are evaluated before installation of new or revised applications.
Program Change Management Controls
For program change management controls, management will need to identify control activities which provide reasonable assurance that changes to network and infrastructure systems are reviewed and approved by management. A few common program change management controls include:
- A formal change management plan has been developed which defines how changes are to be coordinated within the organization.
- After the implementation of the change, a full test will be conducted to verify that the expected results were achieved.
- After the implementation of the change has been verified, the change manager will close the project file and notify all stakeholders.
Environmental and Physical Security Controls
For environmental and physical security controls, management will need to identify control activities which provide reasonable assurance that physical access to the building and primary data center is limited to authorized personnel and that the data center is protected from environmental hazards. A few common environmental and physical security controls include:
- Only a selected group of IT and management personnel have access to the data center.
- The data center is equipped with an Uninterruptible Power Supply (UPS) for backup power and power normalization.
- The data center is outfitted with dedicated air conditioning to maintain a suitable environment for hardware operations.
Technical Security Controls
For technical security controls, management will need to identify control activities which provide reasonable assurance that individual client data is adequately segregated, and that data flows properly from source to destination. A few common technical security controls include:
- Data traffic movement is controlled and routed through a secured connection or through a virtual private network (VPN).
- Customer information/data is segregated through the use of domain security controls.
- Availability of network data transport is reasonably assured through a redundant system of routers and gateways.
System Availability and Recovery Controls
For system availability and recovery controls, management will need to identify control activities which provide reasonable assurance that effective backup and recovery processes are in place and operating effectively. A few common system availability and recovery controls include:
- The Entity maintains policy and procedures for server backup.
- IT maintains a backup log to track the daily success of the backup system.
- Data restore tests are performed quarterly.
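The backup log and the restore-test cadence are both controls an auditor tests by sampling evidence, so it helps to check them the same way before the audit does. The script below is an added example written for this post, not code from SSAE 16 Professionals, LLP or from any backup product; the log lines and their `job=`/`status=` format are constructed, and the 92-day restore-test threshold is an assumption standing in for "quarterly". It parses the log, finds calendar days with no successful run for a job (including days with no entry at all, which a simple grep for FAILED would miss), lists failed runs, and flags an overdue restore test.

```python
"""Backup log and restore-test review (added example, constructed data)."""
import re
from datetime import date, datetime, timedelta

# Constructed log excerpt in an assumed key=value format; note that 2024-06-04
# has no entry at all and 2024-06-03 failed before succeeding on retry.
BACKUP_LOG = """\
2024-06-01 02:00:13 job=db-nightly status=SUCCESS bytes=5123456
2024-06-02 02:00:09 job=db-nightly status=SUCCESS bytes=5130011
2024-06-03 02:00:11 job=db-nightly status=FAILED error=destination unreachable
2024-06-03 02:45:02 job=db-nightly status=SUCCESS bytes=5133333
2024-06-05 02:00:10 job=db-nightly status=SUCCESS bytes=5140000
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) job=(\S+) status=(\S+)")

RESTORE_TEST_MAX_AGE = timedelta(days=92)  # assumed length of a "quarterly" cycle


def parse_backup_log(text):
    """Return a list of {when, job, status} dicts; unparseable lines are skipped."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        runs.append({
            "when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "job": m.group(2),
            "status": m.group(3),
        })
    return runs


def check_daily_backups(runs, job, start, end):
    """Report days in [start, end] with no SUCCESS for `job`, plus failed runs.

    A day counts as covered only if at least one run succeeded that day, so a
    failure followed by a successful retry is not a missing day, but it is
    still listed under 'failed' for follow-up.
    """
    successes = {r["when"].date() for r in runs if r["job"] == job and r["status"] == "SUCCESS"}
    failed = [r for r in runs if r["job"] == job and r["status"] != "SUCCESS"]
    missing = []
    day = start
    while day <= end:
        if day not in successes:
            missing.append(day)
        day += timedelta(days=1)
    return {"missing": missing, "failed": failed}


def restore_test_overdue(last_restore_test, as_of, max_age=RESTORE_TEST_MAX_AGE):
    """True when the last documented restore test is older than the cycle."""
    return as_of - last_restore_test > max_age


def example_report():
    """Run both checks over the constructed data in a form easy to assert on."""
    runs = parse_backup_log(BACKUP_LOG)
    daily = check_daily_backups(runs, "db-nightly", date(2024, 6, 1), date(2024, 6, 5))
    return {
        "runs_parsed": len(runs),
        "missing_days": [d.isoformat() for d in daily["missing"]],
        "failed_runs": [r["when"].isoformat() for r in daily["failed"]],
        # constructed: last restore test on 2024-02-15, reviewed as of 2024-06-05
        "restore_overdue": restore_test_overdue(date(2024, 2, 15), date(2024, 6, 5)),
    }


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

The "missing day" check is the one that matters for the daily-success control: a log that only ever records the runs that happened will look clean if the scheduler never fired, so the review iterates over the calendar rather than over the log. The failed run on the 3rd is reported even though the retry succeeded, because the auditor will want to see that someone looked at it.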
Support and Maintenance Controls
For support and maintenance controls, management will need to identify control activities which provide reasonable assurance that production systems are effectively monitored and maintained. A few common support and maintenance controls include:
- Issues and support requests are managed via online ticketing and problem management systems.
- In-house tracking mechanisms are available to measure uptime, capacity and performance metrics for the call center and servers.
- All critical applications are routinely monitored with automated notification upon system failures.
Computer Operation Controls
For computer operation controls, management will need to identify control activities which provide reasonable assurance that a system is in place to track network, system, and application problems, and to ensure effective and timely resolution. A few common computer operation controls include:
- Issues and support requests are managed via ticketing and problem management systems.
- Urgent requests are thoroughly documented and management reviews emergency fixes and corrective actions.
- Customer problem tickets are responded to within 15 minutes for urgent problems and within 24 hours for non-urgent problems.
Okay, now that you have read some sample ITGCs, I am sure you are more comfortable knowing that you have more controls in place than you previously thought. Many of our clients are pleasantly surprised during the readiness assessment, because they grossly overestimated the amount of time, effort, and expense it takes to undergo the SSAE 16 audit. Whether in preparation for an audit or for a different strategic initiative, a solid internal control environment will help you sleep better at night.