The controls every other audit quietly depends on.
B4Q designs and tests the access, change, operations, and development controls that SOX, SOC 2, and every other framework assume are already working underneath them.
- Access, change & operations testing
- Supports SOX 404 & SOC 2 reliance
- Sampling built for real audit scrutiny
If ITGCs fail, the controls built on top of them don't count.
Application and financial reporting controls almost always rely on the systems they run in — automated approval workflows, system-calculated figures, restricted access to sensitive data. If the underlying IT general controls aren't reliable, auditors generally can't rely on anything built on top of them either.
That's what makes ITGCs different from a standalone framework: they're not something you get certified in on their own — they're the control layer that makes SOX 404, SOC 2, and most other audits actually work.
- 01 A single ITGC gap can force an auditor to expand testing across every control that depends on it.
- 02 Strong ITGCs make every other audit — SOX, SOC 2, ISO — faster and cheaper.
- 03 Tested the way an external auditor will actually sample them, not just documented.
What it actually covers
Four domains. Every one gets sampled.
ITGCs are almost universally organized into four domains — auditors test each one independently, since a gap in one doesn't necessarily mean the others fail too.
Access Management
Who can get into systems, and how that access is granted and removed.
- User provisioning & deprovisioning
- Periodic access reviews
- Privileged access restrictions
Change Management
How changes to systems and code get approved, tested, and deployed.
- Change request & approval trail
- Testing before production release
- Emergency change procedures
Computer Operations
Whether the systems that hold financial and sensitive data actually stay up and recoverable.
- Backup & restore testing
- Job scheduling & monitoring
- Incident & problem management
Program Development
How new systems and major changes get built, tested, and moved into production.
- Dev / test / prod environment separation
- Code review & approval gates
- Post-implementation review
ITGCs and application controls test different things.
Auditors draw a clear line between the two — and application controls can only be relied on if the ITGCs supporting them pass first.
IT General Controls
Controls over the IT environment as a whole — access, change, operations, and development — that every application and financial process runs on top of.
- Apply broadly across systems, not one process
- Tested once to support reliance across many controls
- A failure here can undermine controls that otherwise look fine
Application Controls
Controls built into a specific business process or system — an automated three-way match, a system-enforced approval threshold, a calculated report total.
- Specific to one process, not the whole environment
- Their reliability depends on the ITGCs behind them
- Auditors test these alongside, not instead of, ITGCs
From environment scoping to a reliance-ready control set.
We test in the order that makes every downstream audit faster.
Scope the IT Environment
We identify the systems, applications, and infrastructure that support your in-scope financial or security controls.
Access Management Testing
Provisioning, deprovisioning, and periodic access review processes get walked through and sample-tested.
Change Management Testing
We confirm changes actually go through approval and testing before reaching production, with evidence to prove it.
Computer Operations Testing
Backup, restore, and job monitoring processes are tested against real evidence, not just documented procedure.
Program Development Testing
We confirm dev, test, and production environments stay properly separated, with a real approval gate between them.
Deficiency Remediation & Reliance
Gaps get remediated, and results are packaged to support reliance in your SOX, SOC 2, or other ongoing audit.
Common ITGC gaps we see in first-time testing.
Patterns that show up often enough to plan for before an auditor finds them first.
Orphaned access
Former employees or contractors still have active system access weeks or months after departure.
Unapproved production changes
Emergency fixes go straight to production with no documented approval trail added after the fact.
Untested backups
Backups run on schedule, but no one has actually verified a restore works when it's needed.
Shared production access
Developers retain standing access to production systems with no separation from lower environments.
ITGC testing built to hold up the rest of your audit.
Because so much else relies on it, we test ITGCs the way your external auditor actually will.
All Four Domains, Every Time
Access, change, operations, and development tested together, since gaps in one affect reliance on the rest.
Built for SOX & SOC 2 Reliance
Testing packaged so your financial and security audits can rely on it directly, without duplicate work.
Real Sample Testing
Walkthroughs backed by actual evidence sampling, not a checklist marked complete on assumption.
Deficiency Impact Analysis
We flag which downstream controls a gap actually affects, not just the gap itself.
50+ Businesses Served
From first-time ITGC testing to companies scaling a mature control environment.
Coordinated With Your Other Audits
Run alongside SOX or SOC 2 cycles so evidence gets collected once, not twice.
ITGC, answered.
Ready to test the controls everything else relies on?
Book a free strategy call and we'll map your ITGC testing scope alongside your other audits.