IT GENERAL CONTROLS (ITGCs)
IT General Controls (ITGCs) form the bedrock of reliable and secure system operations. These are foundational controls that ensure the integrity, security, availability, and proper functioning of IT systems that support financial reporting and operational processes. When ITGCs are weak, even well-designed business and application controls fail, because the environment that supports them is unreliable. This module explains the most critical ITGC areas—Access Management, Change Management, and IT Operations—using practical examples and real-world scenarios relevant for young Chartered Accountants beginning their IS/IT Audit journey.
SECTION 1: ACCESS MANAGEMENT
2.1 Introduction to Access Management
Access management refers to the set of processes and controls that govern who can access systems, what level of access they have, and whether that access is appropriate for their job role. In modern organisations, user permissions determine who can view data, create transactions, modify master data, approve workflows, or administer systems. Weak access controls can lead to fraud, data leakage, manipulation of financial information, and operational breakdowns. For auditors, understanding access management is fundamental because inappropriate access is often one of the biggest contributors to financial reporting risk.
2.2 User Provisioning and Role-Based Access
User provisioning is the process through which users are created in systems and granted access rights. This includes the activities of adding new users, modifying existing user roles, and disabling access when it is no longer required. Role-based access ensures that users receive permissions strictly aligned with their job responsibilities. For example, a finance executive may require access to create vendor invoices, but not to approve payments. When provisioning follows clear workflows and approvals, the organisation significantly reduces the risk of unauthorized transactions or exposure of sensitive data.
Role-based access also requires that every role within the system be clearly documented, configured, and periodically validated. If a role unintentionally contains powerful permissions—such as the ability to change master data or modify control settings—it may allow users to bypass important checks and balances.
2.3 Privileged Access and Why It Must Be Strictly Controlled
Privileged access refers to high-level system permissions typically held by administrators, super-users, or IT personnel. These roles have the ability to create or modify users, change system configurations, override workflows, modify audit logs, or perform system-level operations. If privileged access is provided to users without strong justification and monitoring, it presents a significant risk to system integrity.
For instance, a system administrator with access to change vendor bank account details can potentially redirect payments without leaving obvious approval traces. During audits, privileged access is examined closely to ensure that only authorized personnel hold such rights, and that their activities are logged, reviewed, and monitored.
2.4 Segregation of Duties (SOD)
Segregation of Duties prevents conflicts of interest and reduces the risk of fraud by ensuring that no single individual controls all key steps in a transaction process. In a typical procure-to-pay cycle, creating a vendor, raising purchase orders, approving them, recording invoices, and releasing payments should involve different individuals or roles.
In ERP systems like Tally or SAP, mixing incompatible roles—such as allowing a cashier to approve payments or granting an accountant the ability to alter master settings—introduces serious SOD conflicts. SOD failures are common audit findings because organisations often overlook hidden role conflicts within the system. As auditors, the goal is to identify and document such conflicts and evaluate whether compensating controls exist.
2.5 Periodic Access Review
Even when access is granted correctly during onboarding, it may become inappropriate over time due to role changes, promotions, transfers, or restructuring. A periodic access review ensures that user rights remain aligned with job responsibilities. During this review, management evaluates all users, their roles, last login details, privileged access, and whether terminated employees have been removed promptly.
Periodic reviews are crucial because outdated access often presents hidden risks. Users may accumulate excess privileges over time or retain access to systems they no longer use, opening doors to misuse or accidental damage.
2.6 Termination and Revocation Controls
One of the most critical aspects of access management is timely revocation of access when an employee resigns, is terminated, or changes departments. Delayed revocation is a recurring root cause of fraud, data leakage, and policy violations, because a leaver's credentials stay valid after the organisation has stopped supervising their use. A standard termination process ensures that HR notifies IT promptly and that IT disables all system access immediately, or within a defined SLA measured from the last working day. For transfers, the access attached to the old role must be removed, not merely supplemented by the new role.
Practical Case Study: Access Revocation Failure
In one organisation, an employee who resigned retained administrator access to the ERP system for three months because of a communication gap between HR and IT. During this period the employee downloaded sensitive debtor reports, which were later traced to an external leak incident. The incident shows how a failure in access revocation becomes an ITGC deficiency with significant operational impact.
2.7 Template: Access Review Checklist
This checklist helps in performing an access review:
- Complete user list extracted from the system
- Last login date and activity
- Appropriateness of roles assigned
- List of terminated users and status of access removal
- Privileged accounts and justification for each
Auditors typically request system-generated reports rather than manually prepared lists, because a hand-compiled user list can omit service, generic, or dormant accounts, and then validate whether access aligns with job responsibilities and organisational policy.
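The checks in 2.4 to 2.7 (SOD conflicts, dormant accounts, terminated users still enabled, privileged access without justification, and accounts with no HR owner) can be run as a script over the system-generated export rather than by eye. The Python below is an example added for this module and is not part of the original material or of any ERP product; the user export, HR roster, SOD matrix, privileged-role list, the 90-day dormancy threshold, the one-day revocation SLA and the finding codes are all constructed assumptions chosen for illustration.

```python
"""Periodic access review over a system user export and an HR roster.

Constructed example: the ERP export, HR roster, role names, SOD matrix and
thresholds below are made up for illustration, not taken from a real system.
"""
from datetime import date

# Constructed SOD matrix: role pairs that no single user may hold together.
SOD_CONFLICTS = {
    frozenset({"VENDOR_CREATE", "PAYMENT_RELEASE"}),
    frozenset({"PO_CREATE", "PO_APPROVE"}),
    frozenset({"INVOICE_ENTRY", "PAYMENT_RELEASE"}),
    frozenset({"CASHIER", "PAYMENT_APPROVE"}),
}

# Roles treated as privileged; every holder needs a documented justification.
PRIVILEGED_ROLES = {"SYSADMIN", "MASTER_DATA_ADMIN"}

# Constructed system-generated user export (what the auditor pulls from the ERP).
SYSTEM_USERS = [
    {"user_id": "u100", "roles": {"INVOICE_ENTRY"}, "enabled": True, "last_login": date(2024, 5, 20)},
    {"user_id": "u101", "roles": {"VENDOR_CREATE", "PAYMENT_RELEASE"}, "enabled": True, "last_login": date(2024, 5, 28)},
    {"user_id": "u102", "roles": {"SYSADMIN"}, "enabled": True, "last_login": date(2024, 5, 30)},
    {"user_id": "u103", "roles": {"PO_CREATE"}, "enabled": True, "last_login": date(2024, 1, 10)},
    {"user_id": "u104", "roles": {"MASTER_DATA_ADMIN"}, "enabled": True, "last_login": date(2024, 5, 29)},
    {"user_id": "u105", "roles": {"INVOICE_ENTRY"}, "enabled": False, "last_login": date(2023, 12, 1)},
    {"user_id": "svc_batch", "roles": {"PO_CREATE"}, "enabled": True, "last_login": date(2024, 5, 31)},
]

# Constructed HR roster: user_id -> termination date (None while employed).
HR_ROSTER = {"u100": None, "u101": None, "u102": None,
             "u103": date(2024, 2, 15), "u104": None, "u105": date(2023, 12, 5)}

# Constructed privileged-access register: user_id -> approved justification.
PRIVILEGED_JUSTIFICATION = {"u102": "ERP basis administrator, approved by CIO, Jan 2024"}

REVIEW_DATE = date(2024, 6, 1)  # date the review is performed (constructed)


def sod_conflicts(roles):
    """Return the conflicting role pairs contained in one user's role set."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= roles)


def review_access(users, hr_roster, priv_register, review_date,
                  dormant_days=90, revocation_sla_days=1):
    """Run the access review checklist and return a list of findings.

    Each finding is a dict with user_id, finding (a short code) and detail.
    """
    findings = []

    def flag(uid, code, detail):
        findings.append({"user_id": uid, "finding": code, "detail": detail})

    for u in users:
        uid, roles, enabled = u["user_id"], u["roles"], u["enabled"]
        # 1. Every account must map to a person in HR; anything else is a
        #    generic, shared or orphaned account that needs a named owner.
        if uid not in hr_roster:
            flag(uid, "NOT_IN_HR", "no matching HR record")
        term = hr_roster.get(uid)
        # 2. Terminated staff must be disabled within the revocation SLA.
        if enabled and term is not None:
            days_over = (review_date - term).days - revocation_sla_days
            if days_over > 0:
                flag(uid, "TERMINATED_STILL_ENABLED",
                     f"left {term}, still enabled {days_over} days past SLA")
        # 3. Dormant accounts: enabled but no login within dormant_days.
        if enabled and (review_date - u["last_login"]).days > dormant_days:
            flag(uid, "DORMANT", f"last login {u['last_login']}")
        # 4. SOD: incompatible roles held by one user.
        for a, b in sod_conflicts(roles):
            flag(uid, "SOD_CONFLICT", f"{a} + {b}")
        # 5. Privileged roles need a documented, approved justification.
        priv = roles & PRIVILEGED_ROLES
        if enabled and priv and uid not in priv_register:
            flag(uid, "PRIVILEGED_UNJUSTIFIED", ", ".join(sorted(priv)))
    return findings


def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_access(SYSTEM_USERS, HR_ROSTER, PRIVILEGED_JUSTIFICATION, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['user_id']:10} {f['finding']:26} {f['detail']}")
```

User u103 in the constructed data mirrors the case study above: HR recorded the departure in February, but the account was still enabled months later, so it is flagged both as a terminated user still enabled and as dormant. The script deliberately takes the system export as the population and the HR roster as the reference, which is the direction an auditor tests in: it surfaces accounts the business has forgotten about, not just the ones HR knows of.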
SECTION 2: CHANGE MANAGEMENT
2.8 Overview of Change Management Controls
Change management ensures that any modification to applications, systems, configurations, or infrastructure is performed in a controlled, documented, and approved manner. Without an effective change management process, untested or unauthorized system changes can disrupt operations, distort financial information, or introduce security vulnerabilities.
Changes include ERP configuration updates, workflow changes, GST rate changes, patches, enhancements, user role modifications, and system integrations. A structured change management process ensures that every change passes through planning, impact analysis, testing, approval, deployment, and post-review.
2.9 Key Steps in Change Management
A change typically begins with a change request, which is documented and logged in a change management system. The request outlines the reason for the change, its impact on systems, and the urgency. Next, an impact assessment evaluates whether the change affects financial reporting, critical workflows, system performance, or integration points.
Once the request is authorised, the change is built and validated in a test environment separate from production to confirm it behaves as expected. Approval from stakeholders, such as business owners or IT managers, is required before deployment, and the person who moves the change into production should not be the developer who built it. After deployment, a post-implementation review confirms that the change was implemented as approved and did not cause unexpected issues.
2.10 Practical Example: Risks in Poorly Managed Changes
Consider a scenario where a company implements a new vendor approval workflow in their ERP. The workflow was not tested properly, and due to a configuration oversight, new vendors were being auto-approved by the system instead of requiring two levels of authorization. This created a material risk where fictitious vendors could be created and used to process fraudulent payments. Such examples underline the need for thorough testing and proper approval before changes are made live.
2.11 Template: Change Management Test Sheet
A standard test sheet for auditors includes:
- Change Request (CR) number and description
- Evidence of approvals
- Screenshots of testing performed
- Deployment record or migration logs
- Confirmation of post-deployment validation
This documentation helps auditors verify that changes were processed in a controlled manner.
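The test sheet above is filled in per change request, but the stronger test starts from the other end: take every deployment that actually reached production and look for its approved, tested change request. That is what catches changes that never had a CR at all. The Python below is an example added for this module, not code from the original material or from any ERP vendor; the CR register, the migration log lines and their "timestamp | key=value" layout, the user names and the finding codes are constructed assumptions.

```python
"""Reconcile production deployments against the change request register.

Constructed example: the CR register and migration log are made up, and the
'timestamp | key=value | ...' log layout is a hypothetical format, not the
transport or migration log of any particular ERP.
"""
from datetime import date, datetime

# Constructed CR register. approved_on is None until a CR is approved.
CR_REGISTER = {
    "CR-1041": {"status": "APPROVED", "approved_on": date(2024, 4, 2),
                "developer": "dev.anita", "test_evidence": "UAT-1041.pdf"},
    "CR-1042": {"status": "APPROVED", "approved_on": date(2024, 4, 12),
                "developer": "dev.ravi", "test_evidence": None},
    "CR-1043": {"status": "PENDING", "approved_on": None,
                "developer": "dev.ravi", "test_evidence": "UAT-1043.pdf"},
    "CR-1044": {"status": "APPROVED", "approved_on": date(2024, 4, 20),
                "developer": "dev.anita", "test_evidence": "UAT-1044.pdf"},
}

# Constructed production migration log; one deployment per line, cr=- means
# the deployer did not cite any change request.
MIGRATION_LOG = """\
2024-04-03T22:15 | transport=T0911 | cr=CR-1041 | by=basis.ops | object=WF_VENDOR_APPROVAL
2024-04-10T21:00 | transport=T0912 | cr=CR-1042 | by=basis.ops | object=GST_RATE_TABLE
2024-04-15T23:40 | transport=T0913 | cr=CR-1043 | by=basis.ops | object=PAYMENT_RUN_SCHED
2024-04-18T20:05 | transport=T0914 | cr=- | by=dev.anita | object=ZFI_PAYMENT_EXIT
2024-04-21T22:30 | transport=T0915 | cr=CR-1044 | by=dev.anita | object=VENDOR_MASTER_VALIDATION
"""


def parse_migration_log(text):
    """Parse the hypothetical 'timestamp | k=v | k=v ...' layout into dicts."""
    deployments = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = [part.strip() for part in line.split("|")]
        entry = {"at": datetime.fromisoformat(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            entry[key] = None if value == "-" else value
        deployments.append(entry)
    return deployments


def reconcile(deployments, cr_register):
    """Return one finding per control failure, in deployment order."""
    findings = []

    def flag(dep, code, detail):
        findings.append({"transport": dep["transport"], "cr": dep["cr"],
                         "finding": code, "detail": detail})

    for dep in deployments:
        cr_id = dep["cr"]
        # A deployment with no CR is an unauthorised change until proven otherwise.
        if cr_id is None:
            flag(dep, "NO_CR_REFERENCE", f"{dep['object']} moved to production without a CR")
            continue
        cr = cr_register.get(cr_id)
        if cr is None:
            flag(dep, "CR_NOT_IN_REGISTER", "deployment cites a CR that does not exist")
            continue
        # Approval must exist, and must predate the move to production.
        if cr["status"] != "APPROVED" or cr["approved_on"] is None:
            flag(dep, "CR_NOT_APPROVED", f"status {cr['status']} at review time")
        elif cr["approved_on"] > dep["at"].date():
            flag(dep, "APPROVAL_AFTER_DEPLOYMENT",
                 f"approved {cr['approved_on']}, deployed {dep['at'].date()}")
        # Test evidence must be attached to the CR.
        if not cr["test_evidence"]:
            flag(dep, "NO_TEST_EVIDENCE", "no test results attached to the CR")
        # Developer and deployer must be different people.
        if cr["developer"] == dep["by"]:
            flag(dep, "DEVELOPER_DEPLOYED_OWN_CHANGE",
                 f"{dep['by']} both built and migrated the change")
    return findings


def run_reconciliation():
    """Reconcile the constructed log against the constructed register."""
    return reconcile(parse_migration_log(MIGRATION_LOG), CR_REGISTER)


if __name__ == "__main__":
    for f in run_reconciliation():
        print(f"{f['transport']} {str(f['cr']):8} {f['finding']:30} {f['detail']}")
```

Only the first deployment passes every check. The others show the four failure modes worth documenting on the test sheet: approval recorded after the change was already live, no test evidence, a pending CR deployed anyway, and the developer migrating their own change, which is the change-management equivalent of the SOD conflicts in Section 1.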
SECTION 3: IT OPERATIONS
2.12 Overview of IT Operations Controls
IT Operations focuses on the day-to-day activities and processes required to keep systems running smoothly and securely. These controls include backup management, restoration testing, monitoring of critical system jobs, patching of applications and operating systems, and handling IT incidents. Effective IT operations ensure system availability and resilience, which is essential for accurate financial processing and business continuity.
2.13 Backup and Restore Processes
Backup controls ensure that critical data is stored safely and can be retrieved in case of system failure, accidental deletion, or cyberattacks. However, many organisations perform backups but fail to test restoration. Without regular restore testing, there is no assurance that backups are usable when needed. A common metaphor that resonates well with participants is: “Backups are like insurance—you only realise how important they are when something goes wrong.”
Case Study: Backup Without Restore Testing
In one SME, backups were taken daily but never tested. When a ransomware attack encrypted their servers, the team attempted to restore from backups only to discover that the backup files were corrupted. This resulted in total data loss for two months of operations. This case underscores why both backing up and testing restoration are essential ITGC components.
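A restore test does not have to wait for an incident: restore the backup into a scratch directory and compare every file against a hash manifest captured when the backup was taken. The Python below is an example added for this module, not code from the original material or from any backup product; the sample data files are constructed, the archive and manifest layout are choices made here, and the corrupted archive is produced deliberately to reproduce what the SME in the case study only discovered during the ransomware incident.

```python
"""Take a backup, then prove it restores: extract into a scratch directory and
compare every file against a SHA-256 manifest captured at backup time.

Constructed example: the sample files are made up, and the corrupted archive
is produced on purpose to show what an untested backup looks like on the day
it is needed.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path

# Constructed sample data standing in for an ERP's data directory.
SAMPLE_FILES = {
    "ledger/2024-05.csv": "date,account,debit,credit\n2024-05-02,4001,0,12500\n",
    "masters/vendors.csv": "vendor_id,name,bank_account\nV001,Acme Supplies,XXXX1234\n",
    "config/workflow.json": '{"vendor_approval_levels": 2}\n',
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_data(root):
    for rel, text in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def take_backup(source, archive):
    """Archive source/ into a .tar.gz and return {relative_path: sha256}.

    The manifest is also written next to the archive so that a later restore
    test has an independent record of what the backup must contain."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for f in sorted(source.rglob("*")):
            if f.is_file():
                rel = f.relative_to(source).as_posix()
                manifest[rel] = sha256_of(f)
                tar.add(str(f), arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_test(archive, manifest):
    """Restore into a throwaway directory and verify against the manifest.

    Returns {"ok": bool, "restored": int, "errors": [...]}. An unreadable or
    corrupted archive is reported as a failed restore rather than raised."""
    errors, restored = [], {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                # Use the 'data' extraction filter (rejects path traversal and
                # special members) on Python versions that provide it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return {"ok": False, "restored": 0, "errors": [f"restore failed: {exc!r}"]}
        root = Path(scratch)
        for f in root.rglob("*"):
            if f.is_file():
                restored[f.relative_to(root).as_posix()] = sha256_of(f)
    for rel, digest in manifest.items():
        if rel not in restored:
            errors.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            errors.append(f"content mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            errors.append(f"unexpected file restored: {rel}")
    return {"ok": not errors, "restored": len(restored), "errors": errors}


def corrupt_copy(archive, target):
    """Copy the archive with a few bytes flipped inside the compressed payload."""
    data = bytearray(archive.read_bytes())
    for off in (len(data) // 3, len(data) // 2, 2 * len(data) // 3):
        data[off] ^= 0xFF
    target.write_bytes(bytes(data))


def demo():
    """Back up the sample data, restore-test the intact archive, then a corrupted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        write_sample_data(tmp / "data")
        archive = tmp / "nightly.tar.gz"
        manifest = take_backup(tmp / "data", archive)
        intact = restore_test(archive, manifest)
        corrupt_copy(archive, tmp / "nightly-corrupt.tar.gz")
        damaged = restore_test(tmp / "nightly-corrupt.tar.gz", manifest)
    return intact, damaged


if __name__ == "__main__":
    intact, damaged = demo()
    print("intact backup :", intact)
    print("damaged backup:", damaged)
```

The point of the manifest is that a successful extraction is not the same as a successful restore: a backup can unpack without error and still be missing files or contain the wrong versions. The result dict is the restore-attempt evidence the backup review checklist asks for, and it is worth keeping the output of each scheduled run rather than a one-off screenshot.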
2.14 Batch Job Monitoring, Patch Management, and Incident Handling
Batch jobs include processes such as nightly billing runs, MIS report generation, data synchronization, and automated reconciliations. If a batch job fails and nobody is alerted, users may work from incomplete or inaccurate data without knowing it, so job failures should be monitored, escalated, and re-run with evidence of successful completion. Patch management ensures systems are protected against known vulnerabilities through timely updates. Incident management ensures IT teams track, evaluate, and resolve issues efficiently, preventing prolonged system outages or security incidents.
2.15 Template: Backup Review Checklist
Auditors typically use a backup review checklist that includes:
- Evidence of successful backup logs
- Failure logs and remediation actions
- Frequency and retention period
- Restore attempt evidence
- Verification of offsite or cloud storage
This documentation helps auditors evaluate whether the organisation can recover data reliably.