Every year, your external financial auditors spend time reviewing your IT systems. Not because they are cybersecurity specialists, and not because they are interested in your technology for its own sake — but because the reliability of your financial statements depends on the reliability of the IT systems that process financial data. If those systems are poorly controlled, the data they produce cannot be relied upon.
The controls they are reviewing are called IT General Controls — ITGCs. They cover four domains that financial auditors assess as the foundation of IT-related audit risk. Understanding what they are, what auditors look for, and where weaknesses commonly arise is essential for any finance or technology team preparing for or responding to an IT component of a financial audit.
Domain 1: Access Management
Access management controls govern who can access which systems and data, what they can do within those systems, and how those access rights are granted, reviewed, and removed. From a financial audit perspective, access controls are critical because inappropriate access creates the opportunity for unauthorised transactions, data manipulation, or financial fraud.
Auditors will look for: formal processes for granting access to financial systems (appropriate approval, documented business need); timely removal of access when people leave the organisation or change roles; periodic access reviews that confirm current access rights are still appropriate; and separation of duties — ensuring that no single individual has the ability to both initiate and approve a financial transaction, or both process payroll and approve payroll changes.
Privileged access — administrator accounts in financial systems and the databases that underlie them — receives particular scrutiny. Privileged users can bypass application controls, modify data directly, and cover their tracks. Privileged access management weaknesses are among the most commonly identified ITGC findings.
Domain 2: Change Management
Change management controls govern how changes to IT systems — software updates, configuration changes, patches, new deployments — are authorised, tested, and moved into production. From a financial audit perspective, uncontrolled changes to financial systems create the risk that system functionality is altered in ways that affect the accuracy or completeness of financial processing without adequate oversight.
Auditors will look for: a formal change request and approval process, with evidence that changes were authorised before implementation; a testing phase that verifies changes work correctly before deployment to production; segregation between development and production environments (developers should not be able to deploy changes to production themselves); and an emergency change process that maintains controls even for urgent deployments.
A common finding: developers with direct access to production systems or databases, allowing code changes to be made without the normal approval and testing process. This is a significant ITGC weakness that financial auditors will not accept without compensating controls.
Domain 3: IT Operations
IT operations controls cover the day-to-day management of systems that process financial data — monitoring, backup and recovery, job scheduling, and system availability. These controls ensure that financial processing runs correctly and that data is protected against loss.
Auditors will look for: evidence that scheduled processing jobs (batch processing, interface transfers, financial close jobs) are monitored for completion and that failures are detected and resolved; backup procedures that protect financial data and are tested regularly; recovery time objectives that ensure systems can be restored within business-acceptable timeframes; and capacity management that prevents performance issues from affecting financial processing.
Domain 4: System Acquisition and Development
Controls over how new systems or significant system changes are acquired, developed, and implemented. These controls ensure that new systems meet business requirements and that the implementation process does not compromise data integrity.
Auditors review whether system development projects follow a defined methodology, whether user acceptance testing is conducted and documented before systems go live, and whether data migration from legacy systems is validated for completeness and accuracy.
Why ITGC Weaknesses Affect Your Financial Audit
When ITGCs are weak, financial auditors cannot rely on IT-processed data to the extent they would otherwise. They must perform additional manual substantive testing — testing transactions and balances directly — to obtain the assurance they need. This is more time-consuming, more expensive, and more disruptive than an audit that can rely on strong ITGCs.
More significantly, material ITGC weaknesses may need to be disclosed in public financial reporting. For listed companies and regulated entities, ITGC findings are not internal matters — they have external reporting consequences.
At Bitsecura, our IT audit team has deep experience conducting ITGC reviews across financial services, retail, and technology sectors — bringing the same rigour and methodology that a Big-4 audit team applies, with the responsiveness and engagement that an in-house or specialist firm provides. If you want to understand the state of your ITGCs before your financial auditors review them, we can help. Reach out here.
Bitsecura provides IT audit, IT general controls review, and cybersecurity assurance services. Learn more about our IT audit services.