A CERT-In Empanelled Auditing Organization
Audits & Attestation

IT General Controls (ITGC)

Review of the IT general controls — access, change management and IT operations — that underpin the integrity of your financial reporting.

Overview

The control foundation auditors rely on.

ITGCs are the controls financial auditors depend on when they rely on your systems. Weak ITGCs undermine the reliability of every application control above them.

We assess your controls over logical access, change management and IT operations across in-scope systems, identifying deficiencies before your financial-statement or SOX auditors do.

What’s covered

The areas this audit examines.

Logical access

Provisioning, reviews, privileged access and SoD.

Change management

Authorisation, testing and migration of changes.

IT operations

Job scheduling, backup and incident management.

System development

Controls over new and changed systems.

Segregation of duties

Conflicting access across key processes.

Who needs this

Does this match your needs?

Where this engagement tends to add the most value.

Listed companies (SOX/ICFR): IT controls over financial reporting.
Companies under statutory audit: Auditor reliance on systems.
Subsidiaries of MNCs: Group control requirements.
Finance-system-dependent orgs: ERP and reporting controls.
Pre-IPO companies: Strengthening controls early.
Any org with financial systems: Access, change and operations controls.

Regulatory drivers

Why this is required

IT general controls underpin the systems that financial statements and regulatory reporting depend on and are tested as part of statutory and SOX audits; weak ITGCs undermine reliance on every automated control above them.

SOX / ICFR
ITGCs over access, change and operations underpin internal control over financial reporting.
Companies Act 2013 & ICAI
Statutory audit and internal financial-controls reporting rely on effective IT controls.
SEBI LODR
Listed entities must maintain governance and controls over their reporting systems.
How we work

A structured path, start to finish.

An orderly lifecycle designed for a credible, defensible result.

Scoping & in-scope systems

Identifying the applications and infrastructure supporting reporting.

Walkthroughs of ITGC domains

Walking through access, change and operations control domains.

Control testing

Testing the design and operating effectiveness of ITGCs.

SoD & privileged-access review

Reviewing segregation of duties and privileged access.

Deficiency evaluation

Evaluating and classifying control deficiencies.

Report to audit & management

Reporting findings to the audit and management teams.

What you receive

Documentation built for every audience.

  • ITGC audit report: Findings across the ITGC domains.
  • Control matrix: Access, change and operations controls assessed.
  • Deficiency register: Deficiencies classified by severity.
  • SoD & privileged-access findings: Segregation-of-duties and privilege observations.
  • Remediation plan: Agreed actions to close deficiencies.

Standards & frameworks

This work maps to the standards and regulatory requirements relevant to you.

COBIT, COSO, SOX (ITGC), ISO 27001 (mapping)

Checklist

Are you ready? A quick checklist

What to have in place before we begin.

In-scope financial systems listed
Access-provisioning records available
User-access review evidence
Change-management approvals
Job-scheduling and backup logs
Segregation-of-duties matrix
Privileged-access list
Prior audit findings reviewed
FAQ

Common questions

How do ITGCs relate to SOX?
Financial auditors rely on IT general controls to trust the automated controls and reports that feed the financial statements. Where ITGCs over access, change or operations are deficient, that reliance breaks down and issues can escalate into significant deficiencies or material weaknesses. They are therefore a core part of any SOX or ICFR programme.
Do you cover application controls too?
Our primary focus is ITGCs, but we can extend the scope to the key automated application controls and system interfaces that matter for financial reporting. This gives a fuller picture of how reliably your applications process and report financial data, alongside the general controls that support them.
Can you help remediate findings?
Yes. For every deficiency we provide practical, prioritised remediation guidance rather than just a list of problems. Once your fixes are in place we can re-test the affected controls and confirm closure, so you can demonstrate to auditors that the issues are genuinely resolved.
Ready to get started?

Let us know your objectives, and we’ll design the engagement around them.