ITGC Audit: Types & Audit Process Breakdown

‍Unsure whether the logical IT general controls you've implemented can restrict unauthorized users from accessing your system? Or perhaps you want to find out if the implemented ITGCs can create a secure barrier between your data and potential threats. Consider performing an IT general control audit if these are your concerns or if you have similar concerns regarding ITGCs. What is an ITGC audit? In this article, we'll discuss this in detail.

Most organizations' prime concern is protecting their IT infrastructure against potential threats, which is why they take extensive measures—implementing a range of IT general controls to maintain security.

But with so many layers of controls in place, did it ever occur to you as an organization that – 'Are these controls truly able to serve their purpose?' Or 'Are you just waiting for a breach to expose their flaws?'

See, don't wait for the worst-case scenario to strike! Rather, conduct an IT general control audit – the most ideal and effective way to gain full visibility into your ITGC's performance. However, this is just a glimpse of the ITGC audit – there's more to explore. So, let's dive in.

What Is ITGC Audit?

An IT general controls audit, commonly known as an ITGC audit, is a reviewing process that organizations undergo to demonstrate how effectively their foundational controls (ITGCs that they have implemented) are functioning in their IT infrastructure.

During this audit process, various aspects of ITGCs are examined—access controls, change management controls, physical controls, and a few more—to ensure they are able to maintain the security, confidentiality, integrity, or availability (TSCs) of sensitive information.

However, you need to understand that there are two forms of ITGC audit on the ground level—internal ITGC audit and external ITGC audit. Depending on the situation you are in, you as an organization have to undergo one of them. But what are the internal and external IT general control audits? Which situations are we talking about? Let’s quickly find out.

Types Of ITGC Audit

Below, we’ve explained both internal and external IT general control audits briefly, along with the situation in which they are applicable:

Type 1: Internal ITGC Audit

An internal IT general control audit is a foundational control assessment performed by an organization's internal staff (generally a dedicated team of auditors).

• When an internal ITGC audit is conducted?

This assessment is generally conducted when organizations want to check whether the implemented controls are performing as intended or if any adjustment, modification, or configuration needs to be made. It is just like a regular form of assessment (routine checkup); the only difference is that this audit dives deeper into details (in-depth analysis of ITGCs).

Note: If you don’t have a dedicated team of expert auditors to perform internal audits, you can always hire an external auditor.

• How frequently internal ITGC audits are conducted?

IT general control audits can be conducted quarterly, bi-annually, or annually. If needed, they can be performed right after ITGC implementation—there are no restrictions on when they should take place (it entirely depends on the organization's needs).

Type 2: External ITGC Audit

Unlike internal IT general control audits, external IT general control audits are foundation control reviews performed by an external certified auditor (who is not part of the organization).

• When an external ITGC audit is performed?

This assessment is carried out when organizations want to attain compliance certification (SOX, GDPR, or PCI DSS certification) to gain ‘investors', partners', or clients' trust and avoid non-compliance penalties. 

This compliance certification serves as proof that the organization adheres to legal standards, is committed to safeguarding data, and operates as a credible, trustworthy business with which partners can confidently engage.

Now, you may have a question —  'Can't an internal auditor issue these certifications?' Well, the answer is – No! They can't; only a certified auditor has the authority to issue compliance certification. So, if you want that compliance certificate, you have to hire a certified independent auditor and request them to evaluate your ITGC effectiveness (checking every aspect). Post-evaluation, based on the findings, they will issue a certification of compliance.

Note: Make sure to choose an external auditor certified by accredited bodies like the PCI Security Standards Council (PCI SSC), the Information Systems Audit and Control Association (ISACA), and the International Register of Certificated Auditors (IRCA).

• How often external ITGC audits are performed?

External IT general control audits are generally conducted yearly, as most compliance certifications are valid for one year only. Basically, to stay compliant, organizations have to undergo the external audit again at the end of each year and renew their certification of compliance.

Now that you are familiar with the types of ITGC audits, let’s proceed further and understand what auditors do during these audits.

Breakdown Of ITGC Audit Process: Following Plan-Do-Check-Act (PDCA) Approach

Below, we have outlined 4 different stages of the ITGC audit process (which follows the plan-do-check-act (PDCA) method) and mentioned what auditors do during each stage.

Note: Below, we’ve shared a perspective of what your audit team needs to do because we have assumed external auditors are already familiar with the process. However, you can keep track of whether the external audit team has followed the steps below during the ITGC audit.

1: Audit Preparation: Evaluating ITGC Control’s Structure & Gathering Information

Firstly, your audit team needs to evaluate what type of IT general controls your organizations have implemented to secure the IT infrastructure. Now, these foundational control types can be:

Note: Organizations may choose to implement either one of the controls or the full set (depending on what best aligns with their specific requirements). However, regardless of the type the organizations choose, you, as an auditor, have to review them.

• Physical & Environmental Security Controls: These controls are implemented to control and protect the entryways/pathways to sensitive areas of physical premises, like data centers or data lockers. For example, these controls mandate implementing measures like motion detectors, biometric authentication scanning machines, and CCTVs to monitor and restrict unauthorized personnel's entry. In fact, they also require organizations to install and maintain HVAC systems to ensure hard copies of data stored in data lockers remain secure from environmental issues (like humidity issues).
• Logical Security Controls: Organizations implement these controls to restrict unauthorized users from accessing systems, applications, and sensitive data (e.g., financial statements or intellectual property). Some examples of logical access controls are two-factor authentication, identity access management, and access restriction controls.
• Change Management Controls: These controls are enforced to monitor the change management process (e.g., changes in application configuration) and ensure the changes don't cause operational disruption.
• Incident Management Controls: These controls are put in place to create an incident response setup that can effectively deal with security events like breaches or cyberattacks (in case one takes place).
• Backup & Recovery Controls: These controls mandate organizations to create backups of sensitive data and have disaster recovery plans ready so that they can restore the data in case any security incidents occur.

Once your auditors have identified which controls organizations have put in place, they need to list them (along with details like which measures have been used) in their report. This practice will help them plan which IT general controls need to be reviewed first.

2: Audit Fieldwork: Testing The Effectiveness

During this stage, your auditors need to examine the effectiveness of implemented IT general controls by either conducting vulnerability scans or penetration tests (or both if needed). For instance:

• Your audit team can perform a vulnerability scan to determine whether outdated firewalls or antivirus software, misconfigured applications that may expose sensitive data to potential risk, or other vulnerabilities exist. Your auditors' main purpose should be to detect weaknesses/open ports in the IT infrastructure.

Also Read: Top 14 Vulnerability Scanning Tools in 2024

• For in-depth analysis of the IT general controls, your team can further conduct penetration tests (also known as pen tests) by bringing in ethical hackers (or else, if your team has the expertise, they can perform this test on their own) to perform a simulated cyberattack. This intense test will help them determine whether the implemented controls can truly withstand real-world attack scenarios or not.

Suppose the ethical hacker successfully breaches an organization's system. This depicts that ITGC controls that have been implemented failed to serve their intended purpose or are not functioning properly.

3: Audit Reporting: Outlining Detailed Reports Based On Findings

After testing the effectiveness of IT general controls, your audit team needs to thoroughly document the findings in their report (they have to make sure every detail is recorded—nothing is missed). For example, if the intrusion detection system failed to detect a pen test attack, then they have mentioned every specific detail in the audit report, such as what type of attack was made and which particular open port allowed the attack to go undetected.

Along with these details, your audit team also needs to provide suggestions (such as corrective actions that need to be implemented) to improve the effectiveness of the ITGC controls.

Also Read: Compliance Reporting: Key To Security Controls Transparency

Note: You have to assemble another dedicated team to implement or work on the corrective actions suggested by your auditor.

4: Follow-Up Audit: Validating The Implemented Changes

Once the suggested changes have been made, your audit team needs to conduct a follow-up audit to check if they are properly executed.

Note: If your organization is going through an external compliance audit, the external auditors will conduct a follow-up audit to check if the suggested changes have been made properly. If the auditors find that these changes were applied correctly and that the IT controls function as required, they will issue a compliance certification.

Uncover The True Effectiveness Of Your Controls By Performing ITGC Audit Via Automated Solution

One thing is certain—to truly find out whether your implemented IT general controls are performing at their best, conducting an ITGC audit is a must! However, the approach you take to performing the ITGC audit can make a great difference. How?

To conduct an ITGC audit, you will either assemble an in-house team or hire an external auditor. However, the concern with this approach is that both options involve high costs (as you have to bear the cost of training your internal team or the expenses of external auditors and remember that this cost will be recurring). Since most of the evaluation, scanning, and testing will be done manually, it will be time-intensive. On top of that, because there will be human involvement, there will always be a possibility of errors/mistakes, which you cannot overlook.

However, you can avoid getting into such a hassle by opting for a more feasible, economical option — a subscription-based automated solution like Zluri. This approach will not only deliver the error-free result you are looking for but will also help you avoid straining your budget. But how does a solution like Zluri help?

Zluri offers an automated access review solution that helps determine whether your ITGCs are serving their intended purpose by automatically conducting an in-depth review. During this review process, Zluri evaluates relevant applications and users who have access to that particular app (basically, aspects on which controls are applied).

If your implemented ITGCs fail to restrict the unauthorized user or have granted excessive permissions to the user, Zluri automatically detects them and remediates those anomalies (revoke their access or modify them). The best part is that it documents each anomaly/discrepancy detail and the corrective action performed in the UAR report. Post-assessment, you can review these reports and find out where the changes or adjustments can be made to improve the effectiveness of your IT general controls (if in case any anomalies are found).

Note: To see a practical demonstration of how Zluri’s access review works, check out this access review tour!

But, at the end of the day, the decision lies in your hands—whether you prefer the precision and efficiency of an automated platform or want the personalized touch of auditors, knowing it will take a bit more time. So, choose what suits your organization best!

Also: Why Is User Access Review Important? - Zluri

‍