General Computer Controls


Critical to any organization’s control environment are General Computer Controls and ensuring that they are properly designed, tested, and monitored. Our Audit resources are experienced in not only performing the generic activities related to GCC, but also have the skills and knowledge related to the specific complexities associated with General Computer Controls. If an organization’s GCC’s are not operating effectively auditors may determine they cannot rely on your application and other key controls. Our General Computer Controls services are designed to ensure this does not happen to your organization. Our review and testing services are targeted at:

  • Verifying the adequacy of key policies and procedures,
  • Verifying the adequacy of back-up policies and procedures,
  • Verifying the adequacy of operating system and database security,
  • Ensuring controls associated with the Basis layer are properly configured, and
  • Verifying the appropriateness of activities occurring in the SAP environment that impact GCC


We use a three phase approach to ensure that the General Computer Controls are properly designed, tested, and monitored. Click on each tab for details:

Our SAP Audit resources leverage our methodologies to perform comprehensive SAP GCC design reviews and deliver a comprehensive report to management documenting the adequacy of the overall design, highlighting deficiencies, and providing actionable remediation recommendations.

To test the GCC controls and the appropriateness of key data changes we leverage our scripting tool to ensure that key parameters and settings are correctly defined, sensitive administrative access is granted correctly, and data changes are appropriate. Some of the issues our scripting tool identifies are:

  • unauthorized/untested changes in SAP production systems,
  • inappropriate profile parameter settings,
  • inappropriate table logging settings,
  • incorrect implementation of administration/ownership policies,
  • inappropriate changes to system and client settings,
  • inappropriate access to high risk Basis transactions and authorization objects, and
  • improperly secured system ids.

In order to assist organizations with monitoring their GCCs, we can deploy our GCC scripting tool or assist an organization with implementing the functionality within GRC that focuses on monitoring general computing controls.

For additional information

Get in touch forĀ General Computer Control Reviews and Testing