IT General Controls: What They Are and Why They Matter

Kamran Iqbal, CIA, CISA, CFE, CRMA | February 2026 | 7 min read

IT general controls are the foundational technology controls that underpin the reliability of all application-level controls and the integrity of data in IT systems. Yet they are among the most commonly misunderstood areas of audit work — partly because they are technical, and partly because their relationship to financial and operational risk is often indirect rather than obvious. This article explains what ITGCs are, how they work, and why they matter to every internal auditor regardless of technical background.

What Are IT General Controls?

IT general controls (ITGCs) are controls that apply across IT systems, infrastructure, and processes rather than being specific to individual applications or business functions. They create the environment in which application controls can function reliably. When ITGCs are ineffective, the reliability of all application-level controls that depend on the same IT environment is compromised — regardless of how well-designed those application controls are.

The analogy most frequently used is building security: application controls are like the locks on individual doors, while IT general controls are the building's overall security system. If the security system is compromised, the individual door locks provide incomplete protection regardless of their own design quality.

The Four Major ITGC Categories

Access Management: Controls over who can access IT systems, what they can do once they have access, and how access rights are granted, modified, and removed. Effective access management requires a formal process for onboarding new users, a mechanism for promptly removing access when staff leave or change roles, regular reviews of access rights to detect accumulation over time, and privileged access controls for system administrators who have elevated capabilities. Access management failures are one of the most common categories of IT audit finding — and one of the most consequential, because inappropriate access creates the opportunity for a wide range of fraud and error.
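A de-provisioning and access-review test of the kind described above can be run as a reconciliation between an HR leaver list and a system account export. The following is an added example, not part of the original article; the field layout, sample records, and the one-day removal and 90-day review thresholds are assumptions.

```python
from datetime import date

# Constructed sample data: HR leaver list and a system account export.
LEAVERS = {"asmith": date(2026, 1, 10), "bjones": date(2026, 1, 20),
           "dlee": date(2026, 1, 5)}
ACCOUNTS = [
    # (user, enabled, disabled_on, privileged, last_access_review)
    ("asmith", False, date(2026, 1, 10), False, date(2025, 12, 1)),
    ("bjones", True, None, False, date(2025, 12, 1)),
    ("dlee", False, date(2026, 1, 19), True, date(2025, 12, 1)),
    ("cwong", True, None, True, date(2025, 6, 30)),
    ("epatel", True, None, False, date(2025, 12, 1)),
]

# Assumed policy thresholds, not taken from the article.
REMOVAL_SLA_DAYS = 1
REVIEW_INTERVAL_DAYS = 90


def check_access_controls(leavers, accounts, as_of):
    """Return (user, exception) pairs for the audit workpaper."""
    findings = []
    for user, enabled, disabled_on, privileged, last_review in accounts:
        left_on = leavers.get(user)
        if left_on is not None and left_on <= as_of:
            if enabled:
                findings.append((user, "leaver account still enabled"))
            elif disabled_on is None or (disabled_on - left_on).days > REMOVAL_SLA_DAYS:
                findings.append((user, "access removed late"))
        # Periodic access reviews apply to accounts that can still be used.
        if enabled and (as_of - last_review).days > REVIEW_INTERVAL_DAYS:
            label = "privileged " if privileged else ""
            findings.append((user, f"{label}access review overdue"))
    return findings


if __name__ == "__main__":
    for user, issue in check_access_controls(LEAVERS, ACCOUNTS, date(2026, 2, 1)):
        print(f"{user}: {issue}")
```
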

Change Management: Controls over the development, testing, and deployment of changes to IT systems and applications. The purpose of change management controls is to ensure that only authorised, tested, and approved changes are implemented in production environments. Key controls include segregation of duties between development and production environments, mandatory testing in a separate test environment before deployment, formal change approval documentation, and post-implementation review. Weak change management is a frequent source of system failures and unintended control gaps introduced through system updates.
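The key change management controls listed above can be tested against an export of change tickets. The following is an added example, not part of the original article; the ticket field names and sample records are hypothetical, and the self-approval check is an assumed extension of the segregation-of-duties test.

```python
from datetime import datetime

# Constructed sample change tickets (not real data).
CHANGES = [
    {"id": "CHG-001", "developer": "dev1", "deployer": "ops1", "approver": "mgr1",
     "approved_at": datetime(2026, 1, 5, 9), "deployed_at": datetime(2026, 1, 6, 20),
     "test_evidence": "UAT sign-off"},
    {"id": "CHG-002", "developer": "dev2", "deployer": "dev2", "approver": "mgr1",
     "approved_at": datetime(2026, 1, 7, 9), "deployed_at": datetime(2026, 1, 7, 18),
     "test_evidence": "UAT sign-off"},
    {"id": "CHG-003", "developer": "dev1", "deployer": "ops1", "approver": "mgr2",
     "approved_at": datetime(2026, 1, 12, 10), "deployed_at": datetime(2026, 1, 11, 22),
     "test_evidence": ""},
    {"id": "CHG-004", "developer": "dev3", "deployer": "ops2", "approver": "dev3",
     "approved_at": datetime(2026, 1, 14, 9), "deployed_at": datetime(2026, 1, 15, 20),
     "test_evidence": "regression run"},
]


def check_change(change):
    """Return the control exceptions for one change ticket."""
    exceptions = []
    # Segregation of duties between development and production.
    if change["deployer"] == change["developer"]:
        exceptions.append("developer deployed own change to production")
    # Formal approval must exist and precede deployment.
    if not change.get("approver") or change.get("approved_at") is None:
        exceptions.append("no documented approval")
    else:
        if change["approver"] == change["developer"]:  # assumed extra check
            exceptions.append("self-approved change")
        if change["approved_at"] > change["deployed_at"]:
            exceptions.append("approved after deployment")
    # Testing in a separate environment must be evidenced.
    if not (change.get("test_evidence") or "").strip():
        exceptions.append("no test evidence before deployment")
    return exceptions


def check_change_population(changes):
    """Map ticket id to exceptions, omitting tickets that pass every test."""
    return {c["id"]: exc for c in changes if (exc := check_change(c))}
```
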

Computer Operations: Controls over the day-to-day operation of IT infrastructure — including batch processing, job scheduling, backup and recovery, and incident management. Computer operations controls ensure that IT systems are operating as intended and that data is protected against loss. For audit purposes, the key questions are whether critical processes run as scheduled and exceptions are managed, whether backup processes are regularly tested, and whether incident response processes ensure business continuity.

Program Development: Controls over the acquisition, development, and implementation of new IT systems and significant modifications to existing ones. These controls ensure that new systems are properly specified, tested, and approved before deployment. In organisations where system development is frequent or involves significant business process change, this category can be one of the highest areas of IT-related risk.

Why ITGCs Matter to Financial Auditors

The direct relevance of ITGCs to financial reporting assurance is significant. When IT general controls are effective, external and internal auditors can rely on automated application controls and IT-generated reports with greater confidence. When ITGCs have significant deficiencies, the reliability of data produced by IT systems is reduced — meaning that manual procedures must compensate and that the overall evidence base for audit conclusions is less robust.

A finding that IT general controls have significant deficiencies is not a technical observation with limited business impact. It is a statement that the reliability of the data on which the organisation's financial reporting, operational monitoring, and risk management depend cannot be fully verified.

Auditing ITGCs Without Deep Technical Expertise

A common concern among non-IT-specialist auditors is that ITGC audits require technical expertise they do not have. In practice, the audit of most ITGC areas is process-focused rather than technically intensive. Access management audits examine processes for provisioning, de-provisioning, and reviewing access — not the technical configuration of security systems. Change management audits examine approval and testing documentation — not code. The auditor needs to understand what effective controls look like and how to test whether they are present and operating — not how to configure the systems themselves. Technical depth is valuable but not a prerequisite for effective ITGC audit work.
