IT General Controls (ITGC): What Internal Auditors Need to Know

IT General Controls — commonly abbreviated as ITGCs — are among the most frequently tested and most frequently misunderstood areas of a SOX program. For internal auditors and compliance professionals, understanding what ITGCs are, why they matter, and how they are tested is foundational to building and executing a credible controls program.

What Are IT General Controls?

IT General Controls are controls that apply broadly across IT systems and infrastructure rather than to specific applications or business processes. They establish the foundation of reliability and security on which application-level controls depend. If ITGCs are weak, automated controls and system-generated reports cannot be relied upon — which can cascade into broader control failures across the SOX program.

ITGCs fall into four primary categories: logical access controls, change management controls, computer operations controls, and program development controls. Each category addresses a different dimension of IT risk.

Logical Access Controls

Logical access controls govern who can access systems, data, and applications, and what they can do once they have access. For SOX purposes, the key risks are unauthorized access to financial systems and data, and the failure to separate incompatible functions (segregation of duties).

Key controls in this area include user provisioning and deprovisioning processes, periodic user access reviews, privileged access management, password policies and multi-factor authentication requirements, and controls over generic or shared accounts. Access to financial systems — particularly ERP systems like SAP, Oracle, or Workday — receives the most scrutiny.

A common deficiency in this area is failure to revoke access promptly when employees terminate or change roles. Auditors will typically look at joiner-mover-leaver processes and test a sample of terminations and role changes to verify that access was removed on a timely basis.

Change Management Controls

Change management controls ensure that changes to production systems, applications, and data are authorized, tested, and implemented in a controlled manner. Unauthorized or untested changes to financial systems can introduce errors or create vulnerabilities.

Key controls include change request authorization processes, separation of development and production environments, testing and quality assurance requirements before deployment, emergency change procedures, and post-implementation reviews. Auditors typically test a sample of changes deployed during the audit period to verify that each change followed the approved process.

A common issue is emergency changes that bypass normal controls. Emergency change procedures should exist, but they must include compensating controls — such as expedited approval and post-deployment review — and should not be overused.

Computer Operations Controls

Computer operations controls address the reliable and secure operation of IT systems, including job scheduling, backup and recovery, and incident management. For SOX purposes, the focus is on whether financial data is processed accurately and completely, and whether it can be recovered in the event of a failure.

Key controls include automated job scheduling and exception monitoring, backup procedures and periodic recovery testing, and controls over batch processing of financial data. Auditors will test whether scheduled jobs completed successfully, whether failures were identified and resolved, and whether backup and recovery processes function as designed.

Program Development Controls

Program development controls cover the development and implementation of new systems and major system upgrades. These controls ensure that new systems are developed according to requirements, adequately tested before go-live, and properly authorized before deployment.

For SOX programs, the focus is typically on new systems that impact financial reporting. A new ERP implementation, for example, would receive significant ITGC attention, including review of project governance, testing methodology, and parallel processing results.

Why ITGCs Matter for SOX

Under SOX, many financial controls are automated — they rely on system-generated reports, system-enforced limits, or automated calculations. If the ITGCs that support those systems are weak, the automated controls cannot be considered reliable. This means a deficiency in ITGCs can create a ripple effect, weakening the evidence base for automated controls across multiple financial processes.

This is why external auditors place significant weight on ITGC testing. If the external auditor cannot rely on ITGCs, they may need to expand substantive testing — increasing audit hours and cost — or may find it difficult to issue a clean opinion on internal controls.

How ITGCs Are Tested

ITGC testing follows the same structure as other SOX control testing: evaluate design effectiveness (is the control designed to address the risk?), then test operating effectiveness (is the control actually operating as designed?). Testing typically includes inquiry, observation, inspection of documentation, and re-performance.

For access controls, this often means pulling lists of users with access to financial systems and verifying that access is appropriate, reviewing user provisioning tickets, and inspecting evidence of user access reviews. For change management, it means selecting a sample of changes and tracing each through the approval and testing process.
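One way to perform the termination (leaver) test described here and under Logical Access Controls above, as an added Python example that is not part of the original article: it reconciles a constructed HR termination list against a constructed ERP access report and lists every leaver whose account was disabled late or not at all. The field names and the three-day revocation policy are assumptions, not any particular HR or ERP export format.

```python
"""Leaver access test: reconcile HR terminations against ERP access.

Added example, not from the original article. All records below are
constructed sample data; field names and the SLA are assumptions.
"""
from datetime import date, timedelta

# Constructed sample: HR termination records (user id, last working day).
HR_TERMINATIONS = [
    {"user_id": "jdoe",   "term_date": date(2024, 3, 1)},
    {"user_id": "asmith", "term_date": date(2024, 3, 8)},
    {"user_id": "bwong",  "term_date": date(2024, 3, 15)},
    {"user_id": "cpatel", "term_date": date(2024, 3, 20)},
]

# Constructed sample: ERP access report showing when each account was
# disabled (None = still active when the report was pulled).
ERP_ACCESS = {
    "jdoe":   {"revoked_date": date(2024, 3, 2)},   # within SLA
    "asmith": {"revoked_date": date(2024, 3, 20)},  # revoked late
    "bwong":  {"revoked_date": None},               # never revoked
    # cpatel is absent: no ERP account in scope, so nothing to test
}

SLA_DAYS = 3                      # assumed policy: disable within 3 days
REPORT_DATE = date(2024, 4, 1)    # assumed date the access report was pulled


def find_leaver_exceptions(terminations, access, sla_days=SLA_DAYS, as_of=None):
    """Return a list of (user_id, finding, days_late) for each leaver whose
    ERP access was disabled after the SLA deadline or is still active.
    days_late is None for an open exception when no report date is given."""
    exceptions = []
    for rec in terminations:
        uid = rec["user_id"]
        entry = access.get(uid)
        if entry is None:
            continue  # leaver has no account in this system; not in scope
        deadline = rec["term_date"] + timedelta(days=sla_days)
        revoked = entry["revoked_date"]
        if revoked is None:
            # Still active: measure lateness against the report date if known
            late = (as_of - deadline).days if as_of else None
            exceptions.append((uid, "not revoked", late))
        elif revoked > deadline:
            exceptions.append((uid, "revoked late", (revoked - deadline).days))
    return exceptions
```

Each returned tuple is one exception to carry into the workpapers; a leaver with no account in the system under test produces no finding.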

The Role of the IT Auditor

Effective ITGC testing requires a combination of audit methodology knowledge and IT literacy. Many internal audit functions address this through co-sourcing — bringing in IT audit specialists to lead ITGC testing while the internal team handles financial and operational controls. Others build internal IT audit capability over time.

Regardless of resourcing model, the CAE and audit committee should understand the scope and results of ITGC testing, the deficiencies identified, and the remediation plans in place — because ITGC weaknesses can have significant implications for the entire SOX program.

Veridian Advisory LLC provides ITGC assessment, testing, and remediation support as part of our SOX and internal audit advisory services. Contact us to discuss how we can help strengthen your IT control environment.
