
The Audit Service of the Kingdom (Auditdienst Rijk) is implementing a renewed IT General Controls (ITGC) framework. In 2017, the Auditdienst Rijk created an ITGC framework to standardise IT activities for financial statement audits. With the introduction of the BIO2 (Baseline Information Security for Government), this framework has now been updated.
The BIO2 places more emphasis on risk management than its predecessor did. Unlike that predecessor, it offers guiding principles rather than prescriptive requirements. As a result, organisations are now responsible for determining their own appropriate security levels. The updated ITGC framework aligns with this approach by centring risk management and assessing relevant control measures, such as change, user, and authentication management.
The ITGC Framework
As business processes become more digital, IT risks are increasing. To protect sensitive systems and data, IT General Controls are crucial. They ensure the integrity, availability, and confidentiality of digital data processing. This framework clarifies key control measures, especially for financial statement audits and IT governance reviews. These measures help organisations comply with laws and regulations while also boosting their resilience. In this way, the framework forms the foundation for IT audits and internal controls.
To make the updated ITGC framework widely applicable, topics such as security management, incident management, and continuity management have been further refined. Its standardised structure allows for easy comparison of audit findings across different information systems and applications. This helps identify improvement opportunities quickly.
Getting started with the framework
The framework is designed for anyone required to comply with the BIO2, from Chief Information Security Officers (CISOs) and IT managers to developers and auditors. You can find the ITGC framework and further guidance on its use on the Auditdienst Rijk website (Dutch).



