TAKEAWAYS
In today’s digitally driven business environment, reliable financial reporting and operational resilience depend on one critical enabler: sound IT controls. As financial professionals increasingly operate in systems-dependent environments, understanding and auditing General IT Controls (GITCs) is no longer optional and has become fundamental to ensuring assurance, governance, and compliance.
This article provides a practical overview of GITCs, their relevance to audit and financial reporting, and how accountants, internal auditors, and financial professionals can effectively assess their design and operating effectiveness. Guidance is drawn from respected professional standards, including those issued by the Information Systems Audit and Control Association (ISACA), The Institute of Internal Auditors (IIA), and National Institute of Standards and Technology (NIST).
GITCs, which are sometimes called IT General Controls (ITGCs), refer to the foundational technology controls that support the effective functioning of application-level controls, data integrity, and the secure operation of IT environments.
GITCs typically include controls over:
When functioning effectively, GITCs reduce the risk of unauthorised transactions, data breaches, fraud, and processing errors, thereby safeguarding the integrity of financial reporting.
GITCs are not the exclusive concern of IT auditors. Under the Singapore Standards on Auditing (SSAs) and equivalent international standards (for example, International Standards on Auditing – ISA 315 Revised), auditors must evaluate the design and implementation of relevant IT controls when systems are used to process financial data.
For internal auditors and control professionals, ISACA’s IT Assurance Framework (ITAF) and Control Objectives for IT and Related Technologies (COBIT)® 2019 emphasise that GITCs are integral to a well-controlled IT environment. NIST’s SP 800-53 and the Cybersecurity Framework (CSF) provide robust mappings to control objectives relevant to GITCs across industries.
Access controls
Audit focus areas:
Standards reference:
Practical tip: Look out for ghost users, excessive privileges, and lack of audit logs.
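One way to run the access-control check in the tip above over exported records, shown as an added example that is not part of the original article. It takes "ghost user" to mean an enabled account with no active employee behind it; the CSV columns, role names, role-to-department policy and all sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not from the article): HR roster and system accounts.
HR_ROSTER = """employee_id,name,status,department
E001,Tan Mei,active,Finance
E002,Lim Wei,terminated,Finance
E003,Ravi K,active,IT
"""

ACCOUNTS = """username,employee_id,role,enabled
tmei,E001,ap_clerk,true
lwei,E002,gl_admin,true
ravik,E003,sys_admin,true
rk_fin,E003,gl_admin,true
svc_old,,gl_admin,true
tmei2,E001,gl_admin,false
"""

# Assumed policy: which departments may hold each privileged role.
PRIVILEGED_ROLES = {"gl_admin": {"Finance"}, "sys_admin": {"IT"}}


def review_access(hr_csv, accounts_csv, privileged=PRIVILEGED_ROLES):
    """Reconcile enabled accounts against HR and return (username, finding) pairs."""
    hr = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot log in; not tested here
        owner = hr.get(acct["employee_id"])
        role = acct["role"]
        if owner is None:
            # No employee record at all (orphaned or shared/service account)
            findings.append((acct["username"], "ghost: no matching employee"))
        elif owner["status"] != "active":
            # Leaver whose access was never revoked
            findings.append((acct["username"], "ghost: owner is " + owner["status"]))
        elif role in privileged and owner["department"] not in privileged[role]:
            # Privileged role held outside the departments allowed to have it
            findings.append((acct["username"], "excessive privilege: " + role))
    return findings


if __name__ == "__main__":
    for username, finding in review_access(HR_ROSTER, ACCOUNTS):
        print(f"{username}: {finding}")
```

Each finding is a lead for follow-up rather than a confirmed deficiency; a service account flagged as unmatched, for instance, may have a documented owner outside the HR roster.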
Change management
Audit focus areas:
Standards reference:
Practical tip: Review change logs for authorisation and user acceptance testing.
Backup and recovery
Audit focus areas:
Standards reference:
Practical tip: Ensure recovery testing is conducted and acted upon.
IT operations and incident management
Audit focus areas:
Standards reference:
Practical tip: Examine incident logs for recurring issues.
Third-party and cloud management
Audit focus areas:
Standards reference:
Practical tip: Verify roles in cloud environments; do not assume full vendor responsibility.
1) Planning and scoping: Identify systems and determine materiality.
2) Control design evaluation: Review against best practices (for example, NIST, ISACA).
3) Testing operating effectiveness: Test samples of logs and access records.
4) Identify deficiencies: Classify and assess business risk.
5) Report and follow-up: Recommend and prioritise based on impact.
Today’s auditors must adopt a collaborative stance with IT, cybersecurity, and governance functions. According to the IIA’s Three Lines Model, internal auditors provide independent assurance while validating that GITCs align with business objectives. With modern threats like ransomware and AI-driven phishing, audit teams must embrace continuous learning and cross-functional collaboration.
Auditing General IT Controls is no longer just an “IT audit” task; it is a core element of financial governance and risk management. As technology increasingly shapes how we work and report, finance professionals must be equipped to assess, challenge, and strengthen GITCs.
By aligning audit approaches with global standards – ISACA, IIA, NIST – and applying a risk-based mindset, accountants and auditors can deliver assurance that keeps pace with digital transformation, protects financial data, and upholds public trust.
Yoong Ee Chuan, FCA (Singapore), CIA, CISA, CISM, ISCA(FFP), CFE, ASEAN CPA, is Founder and Managing Director, RxE Integrity Advisory.