
Auditing General IT Controls

A Practical Guide For Finance And Audit Professionals
BY YOONG EE CHUAN


In today’s digitally driven business environment, reliable financial reporting and operational resilience depend on one critical enabler: sound IT controls. As financial professionals increasingly operate in systems-dependent environments, understanding and auditing General IT Controls (GITCs) is no longer optional; it has become fundamental to assurance, governance, and compliance.

This article provides a practical overview of GITCs, their relevance to audit and financial reporting, and how accountants, internal auditors, and financial professionals can effectively assess their design and operating effectiveness. Guidance is drawn from respected professional standards, including those issued by the Information Systems Audit and Control Association (ISACA), The Institute of Internal Auditors (IIA), and the National Institute of Standards and Technology (NIST).

WHAT ARE GENERAL IT CONTROLS?

GITCs, which are sometimes called IT General Controls (ITGCs), refer to the foundational technology controls that support the effective functioning of application-level controls, data integrity, and the secure operation of IT environments.

GITCs typically include controls over:

  • Access management
  • Change management
  • Backup and recovery
  • IT operations
  • System development life cycle (SDLC) controls
  • Third-party management

When functioning effectively, GITCs reduce the risk of unauthorised transactions, data breaches, fraud, and processing errors, thereby safeguarding the integrity of financial reporting.

WHY GITCS MATTER FOR FINANCIAL PROFESSIONALS

GITCs are not the exclusive concern of IT auditors. Under the Singapore Standards on Auditing (SSAs) and equivalent international standards (for example, International Standards on Auditing – ISA 315 Revised), auditors must evaluate the design and implementation of relevant IT controls when systems are used to process financial data.

For internal auditors and control professionals, ISACA’s IT Assurance Framework (ITAF) and Control Objectives for IT and Related Technologies (COBIT)® 2019 emphasise that GITCs are integral to a well-controlled IT environment. NIST’s SP 800-53 and the Cybersecurity Framework (CSF) provide robust mappings to control objectives relevant to GITCs across industries.

KEY DOMAINS OF GITC AUDITS

Access management

Audit focus areas:

  • User account provisioning and de-provisioning
  • Role-based access
  • Multi-factor authentication
  • Segregation of duties

Standards reference:

  • ISACA ITAF Section 2300
  • NIST SP 800-53: AC family
  • IIA GTAG 9

Practical tip: Look out for ghost users, excessive privileges, and a lack of audit logs.

Change management

Audit focus areas:

  • Change request and approval
  • Pre-deployment testing
  • Rollback procedures
  • Emergency change documentation

Standards reference:

  • ISACA COBIT® 2019: BAI06
  • NIST SP 800-128

Practical tip: Review change logs for authorisation and user acceptance testing.

Backup and recovery

Audit focus areas:

  • Regular backups
  • Offsite/Cloud storage
  • Disaster recovery plans
  • Recovery Point Objective (RPO) and Recovery Time Objective (RTO) metrics

Standards reference:

  • NIST SP 800-34 Rev. 1
  • ISACA ITAF Section 3400

Practical tip: Ensure recovery testing is conducted and acted upon.

IT operations

Audit focus areas:

  • Job scheduling and monitoring
  • Incident escalation
  • Audit trail retention
  • End-of-day checks

Standards reference:

  • IIA GTAG 1
  • NIST SP 800-61 Rev. 2

Practical tip: Examine incident logs for recurring issues.

Third-party management

Audit focus areas:

  • Vendor due diligence
  • System and Organisation Controls (SOC) reports
  • Security clauses in contracts
  • Shared responsibility models

Standards reference:

  • ISACA COBIT® 2019: EDM04, APO10
  • NIST CSF ID.RA-3, ID.SC-4
  • AICPA Trust Services Criteria

Practical tip: Verify roles in cloud environments; do not assume full vendor responsibility.

HOW TO CONDUCT A GITC AUDIT: A STEP-BY-STEP APPROACH

1) Planning and scoping: Identify systems and determine materiality.

2) Control design evaluation: Review against best practices (for example, NIST, ISACA).

3) Testing operating effectiveness: Test samples of logs and access records.

4) Identify deficiencies: Classify and assess business risk.

5) Report and follow-up: Recommend and prioritise based on impact.
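As an added illustration of step 3 (testing operating effectiveness against access records) and the access-management practical tip above, the Python below is example code written for this article, not part of it: it cross-checks a constructed application access extract against a constructed HR roster and an assumed approved role matrix, flagging ghost users, dormant accounts, excessive privileges and segregation-of-duties conflicts for the workpaper.

```python
from datetime import date

AS_OF = date(2024, 6, 30)   # audit period end (assumed)
DORMANT_DAYS = 90           # dormancy threshold (assumed)

# Constructed HR roster: user id -> (employment status, job role)
HR_ROSTER = {
    "alice": ("active", "ap_clerk"),
    "bob":   ("terminated", "ap_clerk"),    # left during the period
    "carol": ("active", "finance_mgr"),
    "dave":  ("active", "sysadmin"),
}

# Constructed application access extract: user id -> (privileges, last login)
ACCESS_EXTRACT = {
    "alice": ({"vendor_create", "payment_release"}, date(2024, 6, 28)),
    "bob":   ({"vendor_create"}, date(2024, 3, 1)),
    "carol": ({"payment_release", "reporting"}, date(2024, 2, 1)),
    "dave":  ({"sysadmin", "payment_release"}, date(2024, 6, 30)),
    "svc01": ({"reporting"}, date(2024, 1, 15)),        # no HR record at all
}

# Approved role matrix (assumed): job role -> privileges it may hold
ROLE_MATRIX = {
    "ap_clerk": {"vendor_create"},
    "finance_mgr": {"payment_release", "reporting"},
    "sysadmin": {"sysadmin"},
}

# Segregation-of-duties rule: no single user may hold both of these
SOD_CONFLICTS = [{"vendor_create", "payment_release"}]


def review_access(extract=ACCESS_EXTRACT, roster=HR_ROSTER, as_of=AS_OF):
    """Return (user, finding) tuples for the audit workpaper."""
    findings = []
    for user, (privs, last_login) in sorted(extract.items()):
        hr = roster.get(user)
        if hr is None or hr[0] != "active":
            findings.append((user, "ghost user"))   # no active HR record
        elif (as_of - last_login).days > DORMANT_DAYS:
            findings.append((user, "dormant account"))
        # Privileges beyond what the HR job role permits
        allowed = ROLE_MATRIX.get(hr[1], set()) if hr else set()
        for priv in sorted(privs - allowed):
            findings.append((user, f"excessive privilege: {priv}"))
        for pair in SOD_CONFLICTS:
            if pair <= privs:
                findings.append((user, "SoD conflict: " + "+".join(sorted(pair))))
    return findings
```

Each finding maps directly to a deficiency to classify in step 4; in a real engagement the roster, extract and role matrix would be the evidence obtained from HR and the system owner.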

THE AUDITOR’S EVOLVING ROLE: PARTNERING WITH IT FOR ASSURANCE

Today’s auditors must adopt a collaborative stance with IT, cybersecurity, and governance functions. According to the IIA’s Three Lines Model, internal auditors provide independent assurance while validating that GITCs align with business objectives. With modern threats like ransomware and AI-driven phishing, audit teams must embrace continuous learning and cross-functional collaboration.

CONCLUSION: RAISING THE BAR FOR ASSURANCE

Auditing General IT Controls is no longer just an “IT audit” task; it is a core element of financial governance and risk management. As technology increasingly shapes how we work and report, finance professionals must be equipped to assess, challenge, and strengthen GITCs.

By aligning audit approaches with global standards – ISACA, IIA, NIST – and applying a risk-based mindset, accountants and auditors can deliver assurance that keeps pace with digital transformation, protects financial data, and upholds public trust.


Yoong Ee Chuan, FCA (Singapore), CIA, CISA, CISM, ISCA(FFP), CFE, ASEAN CPA, is Founder and Managing Director, RxE Integrity Advisory.
