Information technology control (IT control) is the sound use and maintenance of a company's information systems by means of IT.
Overview of IT Control
IT control is defined in "Execution criteria of evaluation and supervision concerning internal control over financial reports" (Financial Service Agency, Japan).
"Adaptation to IT," one of the "Six components of internal control," is met by:
- "Adaptation to IT environment"
- "Use of IT and control over it"
In addition, "use of IT and control over it" is achieved by "five viewpoints concerning use of IT" and "two viewpoints concerning IT control."
<Use of IT>
<Control over IT>
According to these definitions, IT control means setting objectives for realizing effective internal control and managing a company's information systems by taking advantage of IT. IT control consists basically of automated control activities. It therefore includes access control to the mission-critical system, as well as management of IDs or passwords, which makes the access control function effectively, etc.
Objectives of IT Control to Accomplish Organization Goal
"IT control objectives" are set by the manager to make IT control function effectively. The manager sets the objectives in order to assure the credibility of financial statements, as well as to execute effective business activities. The "IT control objectives" are as follows:
- Effectiveness/efficiency: Information should be provided effectively and efficiently when business is executed.
- Compliance: Information should be processed in conformity with related acts, accounting criteria, company policy, etc.
- Reliability: Information should be approved based on the organization's intentions and purposes, and it should be completely and accurately recorded and processed.
- Availability: Information should be available when necessary.
- Confidentiality: Information should be protected so that only authorized people can access it.
Establishment of IT Control
The manager carries out "establishment of IT control" to accomplish the "objectives of IT control." Activities for "establishment of IT control" include general control and application control, and it is important that the two work together.
General Control of IT
- Management of information systems development and maintenance
- Operation and administration of information systems
- Guarantee of the security of information systems, such as access control
- Management of contracts regarding outsourcing of information systems
Application Control of IT
Application control is control over the proper processing and storing of tasks in the systems that control business, and it is built into business processes.
- Management of the completeness, accuracy, and validity of input information
- Correction and re-processing of errors
- Maintenance of master data
- Access control, e.g., authentication for use of systems, limitation of operating range
- Financial Service Agency, "Execution criteria of evaluation and supervision concerning internal control over financial reports" (Japanese, PDF)