How to Perform an Information Technology General Control (ITGC) Review

Training Introduction

Background

Information Technology General Controls (ITGCs) form the foundation of an organization’s IT environment. These controls ensure the integrity, confidentiality, and availability of systems and data. Effective ITGCs support financial reporting accuracy, data reliability, and cybersecurity. As such, reviewing ITGCs is a critical internal audit function, especially for organizations that rely heavily on IT for core operations and compliance obligations.

This training program equips auditors and IT professionals with the knowledge and skills needed to plan, perform, and report on ITGC reviews in accordance with industry standards and best practices.

 

Purpose of the Training

To provide a practical, risk-based approach for reviewing Information Technology General Controls, enabling internal auditors and IT risk professionals to assess control design and operating effectiveness across IT domains.

 

Learning Objectives

By the end of this course, participants will be able to:

• Understand the key domains of IT general controls
• Identify and assess risks related to access, change, and operations management
• Plan and execute a structured ITGC review
• Evaluate control effectiveness and gather appropriate audit evidence
• Report findings clearly and recommend improvements

 

Target Audience

• Internal and external auditors
• IT auditors and IT risk professionals
• Compliance and assurance officers
• Professionals preparing for SOX, ISO 27001, or similar audits

 

Training Format

• Modules: 5 practical and focused modules
• Delivery: In-person or online (live or self-paced)
• Methodology: Lecture, case studies, walkthroughs, and control testing exercises

 

Course Content:

Module 1: Introduction to I.T. General Controls and Audit Frameworks

Objectives:

• Understand the scope and purpose of ITGCs
• Learn about key frameworks and compliance drivers

Key Topics:

• Definition and role of IT General Controls
• Difference between ITGCs and application controls
• Common frameworks: COBIT, NIST, ISO 27001, COSO
• Relevance to SOX, GDPR, HIPAA, and financial audit

Activities:

• Group discussion: How ITGCs support audit and compliance
• Mapping ITGCs to key frameworks and regulations

Module 2: Access Controls: User, Privilege and Authentication Management

Objectives:

• Evaluate user access controls across systems
• Assess identity and access management (IAM) practices

Key Topics:

• Logical access controls: provisioning, deprovisioning, and recertification
• Password policies and multifactor authentication (MFA)
• Privileged user access review and monitoring
• Role-based access control (RBAC) and segregation of duties (SoD)

Exercises:

• Review a sample user access matrix
• Simulated audit test: Identify excess access rights

Module 3: Change Management Controls

Objectives:

• Audit processes for system and application changes
• Assess controls over development, testing, and deployment

Key Topics:

• Change request documentation and approvals
• Development and test environment separation
• Version control and change tracking tools
• Emergency change handling and logging

Exercises:

• Walkthrough: Change management lifecycle audit steps
• Identify gaps in a sample change request documentation

Module 4: I.T. Operations and Backup Controls

Objectives:

• Evaluate I.T operations controls related to backups, jobs, and incident handling
• Understand how to test system availability and recovery procedures

Key Topics:

• Job scheduling and automated task controls
• Data backup procedures, testing, and retention
• Incident and problem management controls
• Disaster recovery and business continuity overview

Exercises:

• Review and assess a backup policy and test log
• Tabletop scenario: System outage response audit

Module 5: Performing and Reporting an I.T.G.C. Audit

Objectives:

• Plan and execute an effective ITGC review
• Document, evaluate, and communicate audit findings

Key Topics:

• Scoping and planning the ITGC review
• Walkthroughs, control testing, and evidence collection
• Control deficiency evaluation and risk rating
• Writing audit findings and recommendations
• Reporting to IT and executive stakeholders

Exercises:

• Create an audit test plan for a sample ITGC area
• Draft a finding with condition, criteria, cause, effect, and recommendation (5 Cs)

 

Conclusion and Certification

• Review of ITGC domains and key takeaways
• Q&A session and lessons learned
• Certificate of Completion awarded

 

Optional Training Materials

• ITGC audit programs and checklists
• Sample test scripts and evidence templates
• ITGC walkthrough guides
• Reporting templates and risk rating matrices