## General IT Controls (GITCs)
General IT Controls are policies and procedures that relate to many applications and support the effective functioning of application controls. They apply across the entire IT environment rather than to a single application.

---
## 1. Access Security
### Objective
To ensure that access to programs and data is authenticated and authorised to meet financial reporting objectives.
### Seven Activities Under Access Security
| # | Activity |
|---|---|
| (i) | Security Organisation & Management |
| (ii) | Security Policies & Procedures |
| (iii) | Application Security |
| (iv) | Data Security |
| (v) | Operating System Security |
| (vi) | Network Security |
| (vii) | Physical Security |
---
## 2. Program Change Controls
### Objective
To ensure that modified systems continue to meet financial reporting objectives.
### Activities Under Program Change
- Change management process
- Recording, managing, and tracking change requests
- Making and testing changes
---
## Key Distinction
| | Access Security | Program Change |
|---|---|---|
| Objective | Authenticate & authorise access | Ensure modified systems remain reliable |
| Risk Addressed | Unauthorised access to data/programs | System changes introducing errors |
| Examples | Password policies, network firewalls | Change request logs, UAT testing |
---
## Audit Relevance
If GITCs are weak (e.g., poor access controls, uncontrolled program changes), the auditor cannot rely on application controls and must expand substantive testing.