IT General Controls (ITGC): A Complete Guide for Auditors
IT General Controls (ITGC) at a Glance
IT General Controls (ITGC) are internal policies and procedures that ensure an organisation's IT systems operate reliably, securely, and in compliance with regulatory frameworks such as SOX, SOC, and COSO. The seven core ITGC categories are: Access Controls, Change Management, IT Operations, Program Development, Physical & Environmental Security, Vendor Management, and Disaster Recovery/BCP.
Key Takeaways
- ITGC forms the foundation of IT risk management — covering access, change, operations, development, physical security, vendors, and DR/BCP.
- An ITGC audit tests whether these controls are designed and operating effectively across all in-scope systems.
- Key frameworks driving ITGC requirements include SOX (Section 404), SOC 1/SOC 2, ISO 27001, and COBIT.
- Common deficiencies include excessive access privileges, undocumented changes, and untested disaster recovery plans.
- CIA Part 2 candidates must understand ITGC as a core component of the IT audit syllabus.
- Using CAATs (Computer Assisted Audit Techniques) can significantly improve ITGC testing efficiency.
Table of Contents
- What Are IT General Controls (ITGC)?
- Why ITGC Matters for Auditors
- The 7 Categories of IT General Controls
- ITGC Audit Process: Step-by-Step
- ITGC Audit Checklist
- ITGC and Compliance Frameworks (SOX, SOC, ISO 27001)
- Common ITGC Deficiencies and How to Address Them
- Frequently Asked Questions
What Are IT General Controls (ITGC)?
IT General Controls (ITGC) — sometimes called General IT Controls (GITC) — are the foundational policies, procedures, and technical safeguards that govern how an organisation’s technology infrastructure is managed, secured, and maintained. Unlike application-level controls that target specific software, ITGCs operate across the entire IT environment.
Think of ITGC as the umbrella framework ensuring that every system, database, and network component follows consistent security and operational standards. Without robust ITGCs, even well-designed application controls can be rendered ineffective.
For internal auditors, understanding ITGC is non-negotiable. It appears as a core topic in the CIA Part 2 exam syllabus under Domain II: Managing Individual Engagements, and is tested extensively in IT audit engagements.
The full form of ITGC is Information Technology General Controls. You may also encounter the term GITC (General Information Technology Controls) — they refer to the same concept.
Why ITGC Matters for Auditors
ITGCs are the bedrock upon which all other IT and financial controls rely. Here is why every auditor — whether internal, external, or IT-focused — must master them:
- Financial statement reliability: Under SOX Section 404, public companies must demonstrate that IT controls supporting financial reporting are effective. Weak ITGCs can trigger material weakness findings.
- Regulatory compliance: Frameworks like SOC 1, SOC 2, ISO 27001, and COBIT all require organisations to demonstrate robust general IT controls.
- Risk mitigation: ITGCs help prevent unauthorised access, unapproved system changes, and data loss — the three biggest IT risk categories. Understanding enterprise risk management principles helps auditors evaluate ITGC effectiveness.
- Audit efficiency: When ITGCs are strong, auditors can place greater reliance on automated controls and reduce substantive testing. Tools like CAATs become even more powerful when underlying ITGCs are sound.
- Fraud prevention: Proper segregation of duties and access controls — both ITGC components — are critical defences against fraud. A thorough fraud risk assessment should always evaluate ITGC adequacy.
The 7 Categories of IT General Controls
While different frameworks may group ITGCs differently, the following seven categories represent the most comprehensive classification used by auditors globally. Each category addresses a distinct area of IT risk.
| ITGC Category | Purpose | Key Controls | Common Audit Tests |
|---|---|---|---|
| 1. Access Controls | Ensure only authorised users can access systems and data | RBAC, MFA, password policies, user provisioning/deprovisioning, periodic access reviews | Review user access lists, test terminated employee access removal, verify SoD enforcement |
| 2. Change Management | Ensure system changes are authorised, tested, and documented | Change request forms, approval workflows, CAB reviews, version control, testing environments | Sample change tickets for approvals, verify testing before production deployment, check emergency change procedures |
| 3. IT Operations | Ensure daily IT processes run reliably | Job scheduling, batch processing, incident management, logging and monitoring, patch management | Review incident logs, verify patch currency, test log retention and review processes |
| 4. Program Development | Ensure new systems/applications are developed securely | SDLC methodology, code reviews, testing protocols, user acceptance testing (UAT), go-live approvals | Review SDLC documentation, verify UAT sign-offs, check security testing evidence |
| 5. Physical & Environmental Security | Protect IT assets from physical threats | Data centre access controls, CCTV, environmental monitoring (fire, flood, temperature), visitor logs | Inspect physical access logs, verify environmental controls, test alarm systems |
| 6. Vendor/Third-Party Management | Manage risks from external service providers | Vendor risk assessments, NDA/SLA/MSA reviews, SOC 2 report reviews, periodic vendor audits | Review vendor contracts for security clauses, verify SOC report coverage, assess fourth-party risk |
| 7. Backup, Recovery & BCP | Ensure data can be restored and operations continue after disruption | Backup schedules, offsite storage, DR plans, RTO/RPO definitions, BCP testing | Verify backup completion logs, test restore procedures, review DR drill results vs RTO/RPO targets |
Let us examine each category in detail.
1. Access Controls
Access controls are the most frequently tested ITGC category. They ensure that only authorised individuals can access specific systems, applications, and data based on their role and responsibilities.
Key elements include:
- Role-Based Access Control (RBAC): Assigning system privileges based on job functions rather than individual requests. This enforces the principle of least privilege.
- Multi-Factor Authentication (MFA): Requiring two or more verification methods before granting access to sensitive systems.
- User Provisioning and Deprovisioning: Formal processes for granting access when employees join and revoking access promptly when they leave or change roles.
- Periodic Access Reviews: Regular reviews (typically quarterly) to verify that user access rights remain appropriate.
- Segregation of Duties (SoD): Ensuring no single individual has conflicting responsibilities that could enable fraud or error.
Auditor tip: Always request a complete user access listing and cross-reference it against HR’s active employee roster. Stale accounts belonging to former employees are one of the most common ITGC findings.
2. Change Management Controls
Change management controls govern how modifications to IT systems, applications, and configurations are requested, approved, tested, and implemented. The goal is to prevent unauthorised or untested changes from disrupting operations.
A robust change management process includes:
- Change Request and Approval: Formal documentation of every proposed change with appropriate management sign-off before implementation.
- Change Advisory Board (CAB): A cross-functional group that reviews significant changes for risk and impact.
- Testing and Validation: Changes must be tested in a non-production environment before deployment. This includes regression testing.
- Maker-Checker Process: The person who develops a change should not be the same person who approves or deploys it.
- Emergency Change Procedures: Pre-defined protocols for urgent changes with retrospective review and documentation.
- Version Control: Tracking all modifications with change logs for audit trail purposes.
Auditor tip: Sample a selection of change tickets and verify that each one has documented approval, testing evidence, and post-implementation review. Pay special attention to emergency changes — they often bypass normal controls.
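As an added example (not code from the original article), the following Python script runs the change-ticket test described in the tip above over a constructed sample of tickets: it checks for documented approval before deployment, maker-checker separation, testing evidence, and a post-implementation review on emergency changes. The ticket field names and the sample records are assumptions about what a change-tracking tool would export.

```python
"""Change-management ITGC test run over a constructed sample of change tickets.

Added example, not code from the original article. The ticket fields
(requester, approver, deployer, approved_at, deployed_at, test_evidence,
emergency, pir_completed) are assumptions about a change-tool export.
"""
from datetime import datetime

# Constructed sample of change tickets (not real data).
TICKETS = [
    {"id": "CHG-1001", "requester": "alice", "approver": "bob", "deployer": "carol",
     "approved_at": "2024-03-01T09:00", "deployed_at": "2024-03-02T18:00",
     "test_evidence": True, "emergency": False, "pir_completed": None},
    # Same person raised, approved and deployed the change, with no test evidence.
    {"id": "CHG-1002", "requester": "dave", "approver": "dave", "deployer": "dave",
     "approved_at": "2024-03-03T10:00", "deployed_at": "2024-03-03T10:05",
     "test_evidence": False, "emergency": False, "pir_completed": None},
    # Emergency change approved retrospectively but never reviewed afterwards.
    {"id": "CHG-1003", "requester": "erin", "approver": "bob", "deployer": "frank",
     "approved_at": "2024-03-05T08:00", "deployed_at": "2024-03-04T22:00",
     "test_evidence": True, "emergency": True, "pir_completed": False},
    # Deployed with no approval recorded at all.
    {"id": "CHG-1004", "requester": "erin", "approver": "bob", "deployer": "frank",
     "approved_at": None, "deployed_at": "2024-03-06T12:00",
     "test_evidence": True, "emergency": False, "pir_completed": None},
]


def _ts(value):
    """Parse an ISO timestamp from the export; None stays None."""
    return datetime.fromisoformat(value) if value else None


def check_ticket(ticket):
    """Return the control exceptions for one ticket (an empty list means it passed)."""
    exceptions = []
    approved, deployed = _ts(ticket["approved_at"]), _ts(ticket["deployed_at"])

    # Approval must exist and precede deployment; emergency changes may be approved
    # retrospectively but then need a post-implementation review (PIR).
    if approved is None:
        exceptions.append("no documented approval")
    elif deployed and approved > deployed and not ticket["emergency"]:
        exceptions.append("approved after deployment without emergency flag")
    if ticket["emergency"] and not ticket["pir_completed"]:
        exceptions.append("emergency change lacks post-implementation review")

    # Maker-checker: the requester must not approve or deploy their own change.
    if ticket["requester"] == ticket["approver"]:
        exceptions.append("requester approved own change")
    if ticket["requester"] == ticket["deployer"]:
        exceptions.append("requester deployed own change")

    if not ticket["test_evidence"]:
        exceptions.append("no testing evidence before deployment")
    return exceptions


def check_sample(tickets):
    """Map ticket id -> exceptions for the whole sample."""
    return {t["id"]: check_ticket(t) for t in tickets}


def sample_summary(tickets):
    """(tickets tested, tickets with at least one exception) for the workpaper."""
    results = check_sample(tickets)
    return len(results), sum(1 for v in results.values() if v)


if __name__ == "__main__":
    for ticket_id, issues in check_sample(TICKETS).items():
        print(ticket_id, "PASS" if not issues else "; ".join(issues))
    print("tested/exceptions:", sample_summary(TICKETS))
```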
3. IT Operations Controls
IT Operations controls ensure that day-to-day technology processes run smoothly and securely. This category covers the ongoing management of IT infrastructure.
- Job Scheduling and Batch Processing: Automated processes must run as scheduled, with alerts for failures and documented resolution procedures.
- Incident Management: A structured framework for identifying, logging, escalating, and resolving IT incidents including security events.
- Logging and Monitoring: Comprehensive logging of system activities with regular review to detect anomalies and unauthorised activities.
- Patch Management: Regular application of security patches to operating systems, applications, and network devices. Patches should be tested before deployment.
- Antivirus and Endpoint Protection: Deployment and maintenance of security software across all endpoints.
4. Program Development Controls
Program development controls — also known as System Development Life Cycle (SDLC) controls — ensure that new applications and systems are developed, tested, and deployed securely.
- SDLC Methodology: A documented development framework (Agile, Waterfall, or hybrid) with defined phases and gate reviews.
- Security by Design: Security requirements built into the design phase, not bolted on after development.
- Code Reviews: Peer review of source code to identify vulnerabilities before deployment.
- User Acceptance Testing (UAT): Business stakeholders validate that the system meets functional requirements before go-live.
- Go-Live Approvals: Formal sign-off from project sponsors and IT management before production deployment.
5. Physical and Environmental Security
Physical controls protect IT hardware, data centres, and network infrastructure from physical threats such as unauthorised access, fire, flood, and power outages.
- Data Centre Access: Badge/biometric access controls with visitor logs and escort policies.
- CCTV Surveillance: Continuous video monitoring of critical facilities with adequate retention periods.
- Environmental Controls: Fire suppression systems, temperature and humidity monitoring, water leak detection, and UPS/generator backup.
- Equipment Disposal: Secure destruction of storage media containing sensitive data.
6. Vendor and Third-Party Management
As organisations increasingly rely on cloud services and outsourced IT, vendor management has become a critical ITGC category. The organisation’s risk appetite should drive the level of vendor oversight applied.
- Vendor Risk Assessment: Evaluating third-party providers based on the sensitivity of data they handle and the criticality of their services.
- Contractual Safeguards: NDA, MSA, and SLA documents should include security requirements, audit rights, and data protection clauses.
- SOC Report Reviews: Reviewing SOC 1 or SOC 2 reports from vendors to assess their control environment, including any complementary user entity controls (CUECs).
- Ongoing Monitoring: Periodic reassessment of vendor risk and performance against SLAs.
7. Backup, Recovery, and Business Continuity
Backup and recovery controls ensure that data can be restored and operations can resume within acceptable timeframes after a disruption.
- Backup Schedules: Regular automated backups (daily, weekly) with both on-site and offsite/cloud storage.
- RTO and RPO Definitions: Recovery Time Objective (maximum acceptable downtime) and Recovery Point Objective (maximum acceptable data loss) must be defined for each critical system.
- Disaster Recovery Plans: Documented procedures for restoring IT services after a disaster, including failover to secondary sites.
- DR Testing: Regular drills to validate that recovery procedures actually work within RTO/RPO targets.
- Business Continuity Planning (BCP): Broader plans covering people, processes, and technology to maintain critical business functions during disruption.
ITGC Audit Process: Step-by-Step
Whether you are conducting an ITGC audit as part of a SOX engagement, an internal audit, or a SOC examination, the process follows a consistent methodology. The Internal Audit Excellence Framework provides useful guidance for structuring your approach.
Step 1: Planning and Scoping
Define which systems, applications, and infrastructure components are in scope. For SOX engagements, this means identifying financially significant applications and their supporting IT infrastructure. Key activities include:
- Identifying in-scope applications (ERP, financial reporting tools, databases)
- Mapping application dependencies to IT infrastructure
- Determining applicable regulatory requirements
- Reviewing prior audit findings and remediation status
Step 2: Risk Assessment
Perform an IT risk assessment to identify the most significant risks and prioritise audit testing accordingly. Consider threats to confidentiality, integrity, and availability of data. A strong understanding of the COSO Framework and ERM principles is essential at this stage.
Step 3: Walkthrough and Documentation Review
Conduct walkthroughs of each ITGC process area. Interview control owners, review policy documents, SOPs, and prior audit reports. Verify that documented controls align with actual practice.
Step 4: Control Testing
Test the design and operating effectiveness of ITGCs. This involves:
- Inquiry: Interviewing control owners about how controls operate
- Observation: Watching controls being performed in real time
- Inspection: Examining evidence such as access logs, change tickets, and backup reports
- Re-performance: Independently executing a control to verify it produces expected results
Using CAATs at this stage can automate testing of large data sets — for example, extracting all user accounts to identify dormant or over-privileged users.
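As an added example, not part of the original article, the following Python script automates both the access-listing review from the Access Controls tip and the dormant/over-privileged user extraction mentioned here: it cross-references a constructed system user listing against a constructed HR roster, applies a deprovisioning SLA and a dormancy threshold, and checks each user's role set against a list of SoD conflict pairs. The field names, thresholds, role names and sample records are all assumptions.

```python
"""Access-review CAAT over a constructed user listing and HR roster.

Added example, not code from the original article. Field names, the 90-day
dormancy threshold, the 3-day removal SLA and the role names are assumptions.
"""
from datetime import date

AS_OF = date(2024, 6, 30)   # audit cut-off date (assumption)
DORMANT_DAYS = 90           # no login for longer than this = dormant
REMOVAL_SLA_DAYS = 3        # access must be removed within 3 days of termination

# Constructed HR roster: user id -> (employment status, termination date or None)
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", date(2024, 6, 1)),
    "carol": ("active", None),
    "dave": ("terminated", date(2024, 6, 29)),
}

# Constructed system user-listing export
ACCESS_LIST = [
    {"user": "alice", "roles": {"AP_CLERK", "VENDOR_MAINT"}, "enabled": True,
     "last_login": date(2024, 6, 28)},
    {"user": "bob", "roles": {"GL_POST"}, "enabled": True, "last_login": date(2024, 5, 30)},
    {"user": "carol", "roles": {"READ_ONLY"}, "enabled": True, "last_login": date(2024, 2, 1)},
    {"user": "dave", "roles": {"SYS_ADMIN"}, "enabled": True, "last_login": date(2024, 6, 28)},
    {"user": "svc_batch", "roles": {"SYS_ADMIN"}, "enabled": True, "last_login": None},
]

# Constructed SoD conflict pairs: holding both roles lets one person both create
# a vendor and pay it, or both administer the system and post to the ledger.
SOD_CONFLICTS = [frozenset({"VENDOR_MAINT", "AP_CLERK"}), frozenset({"GL_POST", "SYS_ADMIN"})]


def review_access(access_list, hr_roster, sod_conflicts, as_of=AS_OF):
    """Return {user: [findings]} for every account with at least one exception."""
    findings = {}
    for acct in access_list:
        issues = []
        user, roles = acct["user"], acct["roles"]

        # Cross-reference against HR: orphan accounts and stale leavers.
        hr = hr_roster.get(user)
        if hr is None:
            issues.append("no matching HR record; confirm owner and business justification")
        else:
            status, term_date = hr
            if status == "terminated" and acct["enabled"]:
                days = (as_of - term_date).days
                if days > REMOVAL_SLA_DAYS:   # inside the SLA window is not yet an exception
                    issues.append(f"terminated {days} days ago, still enabled (SLA {REMOVAL_SLA_DAYS} days)")

        # Dormancy check on the last-login date.
        if acct["last_login"] is None:
            issues.append("no login recorded")
        elif (as_of - acct["last_login"]).days > DORMANT_DAYS:
            issues.append(f"dormant: last login {(as_of - acct['last_login']).days} days ago")

        # Segregation of duties: any conflict pair fully contained in the user's roles.
        for pair in sod_conflicts:
            if pair <= roles:
                issues.append("SoD conflict: " + " + ".join(sorted(pair)))

        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_access(ACCESS_LIST, HR_ROSTER, SOD_CONFLICTS).items():
        print(f"{user}: {'; '.join(issues)}")
```

The user "dave" produces no finding because his termination is still inside the removal SLA window; a real workpaper would list such accounts for re-check at the next cut-off.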
Step 5: Identify and Report Findings
Document control gaps, categorise them by severity (deficiency, significant deficiency, or material weakness), and report findings to management with actionable recommendations. The Chief Audit Executive typically presents significant ITGC findings to the audit committee.
Step 6: Follow-Up and Remediation Tracking
Monitor management’s remediation of identified issues and perform re-testing to confirm that corrective actions are effective.
ITGC Audit Checklist
Use this checklist as a starting point for your ITGC audit. Adapt it based on the specific regulatory requirements and risk profile of the organisation being audited.
| Control Area | What to Verify | Evidence to Collect | Frequency |
|---|---|---|---|
| Access Controls | User access is role-based and follows least privilege | User access listings, RBAC matrices, access review sign-offs | Quarterly |
| Password Policy | Password complexity, expiry, and lockout policies enforced | System configuration screenshots, policy documents | Annual |
| User Provisioning | New user access approved before granting | Access request forms, approval emails, HR onboarding docs | Per occurrence |
| User Deprovisioning | Terminated users removed within defined SLA | Termination lists vs active user accounts, access removal timestamps | Per occurrence |
| SoD | Conflicting roles are identified and mitigated | SoD matrix, exception reports, compensating controls documentation | Quarterly |
| Change Management | Changes are requested, approved, tested, and deployed per policy | Change tickets, approval records, test results, CAB minutes | Per occurrence |
| Emergency Changes | Emergency changes follow retrospective approval process | Emergency change logs, post-implementation reviews | Per occurrence |
| Patch Management | Critical patches applied within defined timeframes | Patch status reports, vulnerability scan results | Monthly |
| Incident Management | Incidents logged, escalated, and resolved per SLA | Incident tickets, root cause analyses, resolution timelines | Per occurrence |
| Backup and Recovery | Backups completed successfully and restore tested | Backup completion logs, restore test results | Daily/Weekly |
| DR/BCP Testing | DR drills conducted and RTO/RPO targets met | DR test reports, gap analysis, remediation plans | Annual |
| Vendor Management | Vendor risk assessed and SOC reports reviewed | Vendor risk assessments, SOC 2 reports, contract review notes | Annual |
| Physical Security | Data centre access restricted to authorised personnel | Physical access logs, visitor registers, CCTV footage | Quarterly |
ITGC and Compliance Frameworks
Different regulatory frameworks require ITGCs in slightly different ways. Here is how the major frameworks map to ITGC requirements:
| Framework | ITGC Relevance | Key Requirement |
|---|---|---|
| SOX (Section 404) | Mandatory for US-listed public companies | ITGCs must support the reliability of financial reporting. Management must assess and external auditors must attest to ITGC effectiveness. |
| SOC 1 (SSAE 18) | Service organisations processing financial transactions | ITGCs are tested as part of controls over financial reporting relevant to user entities. |
| SOC 2 | Service organisations handling customer data | Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) map directly to ITGC categories. |
| ISO 27001 | Any organisation seeking information security certification | Annex A controls cover access management, change management, operations security, and supplier relationships — all ITGC domains. |
| COBIT | IT governance framework by ISACA | Provides detailed control objectives for IT processes including access, change, operations, and development. |
| COSO | Internal control framework used globally | COSO’s five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) underpin ITGC design. |
For CIA and CISA exam candidates, understanding how these frameworks interrelate is a frequently tested concept.
Common ITGC Deficiencies and How to Address Them
Based on industry audit findings, these are the most frequently identified ITGC deficiencies and their recommended remediation:
| Deficiency | Risk | Remediation |
|---|---|---|
| Terminated employees retaining system access | Unauthorised access to sensitive data and systems | Automate deprovisioning via integration between HR and IAM systems; define SLAs for access removal |
| Excessive or inappropriate access privileges | Violation of least privilege principle; increased fraud risk | Implement quarterly access reviews; enforce RBAC; deploy automated SoD monitoring |
| Changes deployed without proper approval | Unstable or insecure system configurations | Enforce maker-checker workflows in change management tools; require CAB sign-off for significant changes |
| Missing or incomplete change documentation | Inability to trace changes for audit purposes | Mandate completion of all fields in change tickets before closure; automate documentation requirements |
| Backup failures not investigated | Data loss in the event of a disaster | Implement automated backup monitoring with alerts; assign ownership for backup failure investigation |
| DR plans not tested | Recovery targets may not be achievable | Schedule annual DR drills; compare actual recovery times against RTO/RPO targets; document lessons learned |
| No vendor risk assessment process | Unmanaged third-party risk exposure | Establish a vendor risk management programme; require SOC reports from critical vendors; include audit rights in contracts |
| Audit logs not reviewed | Security breaches go undetected | Deploy SIEM tools; define log review procedures; assign responsibility for regular log analysis |
Frequently Asked Questions
What are IT General Controls (ITGC)?
IT General Controls are the foundational internal policies and procedures governing an organisation’s IT environment. They cover access controls, change management, IT operations, program development, physical security, vendor management, and backup/disaster recovery. ITGCs ensure that technology systems operate reliably, securely, and in compliance with applicable regulations.
What is the full form of ITGC?
ITGC stands for Information Technology General Controls. It is also referred to as GITC (General Information Technology Controls) in some frameworks. Both terms describe the same set of foundational IT controls.
What is the difference between ITGC and application controls?
ITGCs operate at the infrastructure level and apply across all systems — they govern access, changes, operations, and security for the entire IT environment. Application controls, on the other hand, are specific to individual applications and address things like input validation, processing accuracy, and output completeness. ITGCs support and enable application controls; if ITGCs are weak, application controls cannot be relied upon.
How do you perform an ITGC audit?
An ITGC audit follows six key steps: (1) Planning and scoping to identify in-scope systems, (2) Risk assessment to prioritise testing, (3) Walkthroughs and documentation review, (4) Control testing using inquiry, observation, inspection, and re-performance, (5) Identifying and reporting findings, and (6) Follow-up on remediation. Tools like CAATs can significantly enhance testing efficiency.
What should be included in an ITGC audit checklist?
A comprehensive ITGC audit checklist covers: user access controls and password policies, segregation of duties, change management workflows and approvals, patch management, incident management, backup and recovery procedures, DR/BCP testing, vendor risk management, physical security, and logging/monitoring. Each item should specify what to verify, evidence to collect, and review frequency.
What is the difference between SOX ITGC and internal audit?
SOX ITGC refers specifically to IT general controls tested as part of Sarbanes-Oxley Section 404 compliance, focusing on controls over financial reporting. Internal audit of ITGCs is broader — it may cover all IT controls relevant to the organisation’s operations, not just those supporting financial statements. Internal auditors also assess control efficiency and recommend improvements, while SOX audits focus on compliance attestation.
What qualifications are needed for an ITGC audit?
The most relevant certifications for ITGC auditors include the CIA (Certified Internal Auditor), CISA (Certified Information Systems Auditor), and CISSP. The CIA Part 2 exam covers IT audit concepts including ITGCs. Many professionals also hold a CIA + CISA combination for maximum career versatility.
Master IT Audit with the Surgent CIA Review Course
IT General Controls are a core topic in the CIA Part 2 exam. The Surgent CIA Review Course uses adaptive learning technology to identify your weak areas and focus your study time where it matters most.
- Adaptive study plans tailored to your knowledge gaps
- Thousands of practice questions covering ITGC, risk management, and governance
- ReadySCORE™ technology tells you when you are ready to pass
- Unlimited access until you pass