IT General Controls Review

IT Controls exist within an organisation’s internal control framework to provide assurance over the confidentiality, integrity and availability of data.

There are 2 main categories of IT controls:

  1. IT General Controls – providing general control over the IT environment (e.g. change management, user and access management, etc.); and
  2. IT Application Controls – providing automated system-based controls over business transaction processing (e.g. system configuration settings).

IT General Controls are the foundation for the overall IT control environment as they provide the assurance that systems operate as intended and that output is reliable. Failure to ensure these controls are designed and operating effectively means you will not have assurance over the IT Application Controls, or any reports supporting IT Dependent manual controls, both of which directly support your business processes.

The Turnkey Consulting Solution

Our SAP IT General Controls Review is designed to help you identify issues, as well as areas in need of improvement, before risks are realised and become a problem for the integrity of your data. Compromised data integrity can impact the quality of business decisions and, ultimately, the achievement of business objectives. We assist in highlighting control weaknesses before they turn up on your audit report, avoiding any unwanted surprises and giving you the insight required to implement best practices in security, controls and information management. The output of our General Controls Review is prepared in such a way that it can be used subsequently by either external or internal auditors.

Using in-depth knowledge of the latest SAP auditing techniques, our experienced consultants will conduct a risk-based assessment of your current SAP security environment. This will determine how well it meets your security governance and compliance obligations, and uncover your greatest risk exposures.

Our consultants are dedicated professionals having a “Big 4” background with extensive audit, security and controls experience. This review will cover the following key areas:

  • Change management
  • User and access management
  • Systems management

Our review also covers non-ABAP systems such as SAP Master Data Management (MDM) and SAP Portal, as our expertise extends to such environments. Our consultants apply the latest proven audit methodologies to identify key risk areas in your SAP control environment. We quickly identify current levels of security in your SAP system and assess how that compares to both internal policies and security good practice.

We don't apply blanket best practice recommendations, as we understand that every organisation is unique, encounters different risks, and has varying concerns and desired levels of control. Instead we make recommendations that take into account the industry, size and nature of your organisation, as well as any compensating controls which might serve to mitigate risk.

We understand that in order to ensure continual improvements are made and maintained in a control environment, organisations need to “buy in” to the concept of internal controls so the business can retain overall ownership. We suggest carefully considered recommendations which are both pragmatic and effective in mitigating risk.

