General Control

General Control establishes and maintains the environment in which control over business execution works effectively, by appropriately maintaining and operating IT-based information systems. It is also called IT General Control.

Overview of General Control
Within Internal Control, General Control establishes the foundation on which control works effectively. It establishes and maintains the environment in which Application Control, a framework for managing business execution itself by appropriately establishing and maintaining IT-based information system environments, can work effectively. More specifically, the environment is maintained and controlled from the following four perspectives.

System development, modification, operation, access management, etc., on which General Control focuses, are routine tasks of an IT department, so, in that sense, practicing General Control amounts to making the tasks of the IT department visible and maintaining them.

Position of General Control in Japan
General Control is defined in "Execution criteria of evaluation and supervision concerning internal control over financial reports" by the Financial Services Agency.

In other words, "adaptation to IT," which is one of the "six elements of Internal Control," is achieved by practicing the following two items. Furthermore, "Use of IT and control over it" is guaranteed by "five perspectives concerning the use of IT" and "two perspectives about the control over IT." General Control is defined in "Establishment of IT Control," which is one of the perspectives about "the control over IT."
 * "Adaptation to IT environment"
 * "Use of IT and control over it"

In addition, "Establishment of IT Control" explains the two activities shown below in detail. The former is defined as "an activity to manage each business process system so that the data input, processing, and output are correctly done," and the latter is defined as "an activity to establish the environment and foundation on which application control works soundly and effectively." Sometimes the former is simply called "Application Control," and the latter is called "General Control."
 * "Application Control concerning IT"
 * "General Control concerning IT"

Practice of General Control
COSO is often used as a framework for Internal Control in general, but COBIT is frequently used for General Control. COBIT defines IT management processes using four domains, "planning and organization," "procurement and introduction," "delivery and support," and "monitoring and evaluation," each subdivided into multiple processes. In the U.S., it was introduced upon the enforcement of the SOX Act and is used as a framework to establish internal control of IT. Moreover, a framework called "COBIT for SOX" was created by adapting COBIT to the SOX Act, extracting and organizing the goals of IT Control from the perspective of "Internal Control concerning financial reports." The specific procedure for execution is shown below.

Planning Phase of General Control
In this phase, we need to identify the business processes related to financial reports and then the application systems that support those business processes. Based on these, the application systems to be controlled and the infrastructure on which they operate can be identified. In addition to identifying "software," "databases," "OS," and "hardware," we should also determine the following.
 * Business process used
 * Package / In-house development
 * Whether customization is necessary
 * Person in charge

Taking these into consideration, we must evaluate "General Control" in the company and draw up a concrete plan for the degree to which control should be applied. To do that, we can use the criteria of the "evaluation phase" described later.

System Development and Modification
The reliability of the system must be tested and approved before it is used in the production environment.
 * Development and procurement of software
 * Establishment of IT infrastructure
 * Modification management
 * Test
 * Planning and maintenance of procedures concerning development and maintenance
 * Contract with external contractors
 * Service Level Agreements with external contractors and their management

System Operation
System operation prevents unauthorized and dishonest processing.
 * Operation management
 * Architecture management (Maintenance of software and IT infrastructure)
 * Data management

Access to System

 * Information security (countermeasures against viruses, etc.)
 * Secure access control: only participants authorized in advance are granted access privileges (preventive control). Monitoring for access violations then makes it possible to prevent programs and data from being tampered with (detective control).

Evaluation and Improvement Phase of General Control
In this phase, General Control is evaluated from the four perspectives shown below and improved when problems are detected.
 * 1) System development
   * Evaluate whether the purchase process and development process of information systems are appropriately managed
   * Evaluate the selection criteria for a contractor, the acceptance inspection procedure for deliverables, and the controls performed by the contractor when system development is outsourced to an external party
 * 2) System modification
   * Evaluate whether modification management, including system upgrades, information updates, and so on, is appropriately done
 * 3) System operation
   * Evaluate whether appropriate data are processed by appropriate programs to obtain correct processing results
   * Evaluate whether the developer and the manager are different people
 * 4) Access to system
   * Evaluate whether there are appropriate access control mechanisms to prevent dishonest use of and tampering with data, software, hardware, and related equipment, and measures (controls) to prevent financial information from being lost owing to natural disasters, etc.

For SOX Act compliance in the U.S., Level 3 is the target. The evaluation scale is as follows.
 * Level 0 = None (No process)
 * Level 1 = Primitive (Ad hoc)
 * Level 2 = Repeatable (Standardized pattern)
 * Level 3 = Defined (Documented and announced)
 * Level 4 = Managed (Monitored)
 * Level 5 = Optimized (Best practice, automated)

Related Articles

 * Internal Control
 * SOX Act
 * J-SOX
 * IT Control
 * Application Control
 * COBIT
 * Internal Control System
 * Three-piece Set