IT General Controls (ITGC) Testing

The controls every other audit quietly depends on.

B4Q designs and tests the access, change, operations, and development controls that SOX, SOC 2, and every other framework assume are already working underneath them.

  • Access, change & operations testing
  • Supports SOX 404 & SOC 2 reliance
  • Sampling built for real audit scrutiny
Access Management Change Management Computer Operations Program Development
ITGC
Tested & Documented
0Years of Experience
0Satisfied Clients
0ITGC Domains
0Foundation for Every Framework
Why It Matters

If ITGCs fail, the controls built on top of them don't count.

Application and financial reporting controls almost always rely on the systems they run in — automated approval workflows, system-calculated figures, restricted access to sensitive data. If the underlying IT general controls aren't reliable, auditors generally can't rely on anything built on top of them either.

That's what makes ITGCs different from a standalone framework: they're not something you get certified in on their own — they're the control layer that makes SOX 404, SOC 2, and most other audits actually work.

  • 01 A single ITGC gap can force an auditor to expand testing across every control that depends on it.
  • 02 Strong ITGCs make every other audit — SOX, SOC 2, ISO — faster and cheaper.
  • 03 Tested the way an external auditor will actually sample them, not just documented.
ITGC At a Glance

What it actually covers

SupportsSOX 404, SOC 2, most frameworks
Domains testedAccess, change, operations, development
Typical testing methodWalkthrough + sample testing
If a domain failsReliance on related controls breaks down
Best runAlongside your SOX or SOC 2 cycle
Review cadenceAnnual, plus material system changes
The Framework

Four domains. Every one gets sampled.

ITGCs are almost universally organized into four domains — auditors test each one independently, since a gap in one doesn't necessarily mean the others fail too.

DOMAIN 01

Access Management

Who can get into systems, and how that access is granted and removed.

  • User provisioning & deprovisioning
  • Periodic access reviews
  • Privileged access restrictions
DOMAIN 02

Change Management

How changes to systems and code get approved, tested, and deployed.

  • Change request & approval trail
  • Testing before production release
  • Emergency change procedures
DOMAIN 03

Computer Operations

Whether the systems that hold financial and sensitive data actually stay up and recoverable.

  • Backup & restore testing
  • Job scheduling & monitoring
  • Incident & problem management
DOMAIN 04

Program Development

How new systems and major changes get built, tested, and moved into production.

  • Dev / test / prod environment separation
  • Code review & approval gates
  • Post-implementation review
Understanding the Scope

ITGCs and application controls test different things.

Auditors draw a clear line between the two — and application controls can only be relied on if the ITGCs supporting them pass first.

The foundation layer

IT General Controls

Controls over the IT environment as a whole — access, change, operations, and development — that every application and financial process runs on top of.

  • Apply broadly across systems, not one process
  • Tested once to support reliance across many controls
  • A failure here can undermine controls that otherwise look fine
Access, change, operations, development
Tested as the environment layer
Passing enables reliance on application controls
The process layer

Application Controls

Controls built into a specific business process or system — an automated three-way match, a system-enforced approval threshold, a calculated report total.

  • Specific to one process, not the whole environment
  • Their reliability depends on the ITGCs behind them
  • Auditors test these alongside, not instead of, ITGCs
Automated approvals, calculations, matches
Runs inside a specific system or process
Only as reliable as the ITGCs underneath it
How We Work

From environment scoping to a reliance-ready control set.

We test in the order that makes every downstream audit faster.

01

Scope the IT Environment

We identify the systems, applications, and infrastructure that support your in-scope financial or security controls.

02

Access Management Testing

Provisioning, deprovisioning, and periodic access review processes get walked through and sample-tested.

03

Change Management Testing

We confirm changes actually go through approval and testing before reaching production, with evidence to prove it.

04

Computer Operations Testing

Backup, restore, and job monitoring processes are tested against real evidence, not just documented procedure.

05

Program Development Testing

We confirm dev, test, and production environments stay properly separated, with a real approval gate between them.

06

Deficiency Remediation & Reliance

Gaps get remediated, and results are packaged to support reliance in your SOX, SOC 2, or other ongoing audit.

What We Typically Find

Common ITGC gaps we see in first-time testing.

Patterns that show up often enough to plan for before an auditor finds them first.

General patterns we see across engagements, not a specific client's results.
01

Orphaned access

Former employees or contractors still have active system access weeks or months after departure.

02

Unapproved production changes

Emergency fixes go straight to production with no documented approval trail added after the fact.

03

Untested backups

Backups run on schedule, but no one has actually verified a restore works when it's needed.

04

Shared production access

Developers retain standing access to production systems with no separation from lower environments.

Why B4Q

ITGC testing built to hold up the rest of your audit.

Because so much else relies on it, we test ITGCs the way your external auditor actually will.

All Four Domains, Every Time

Access, change, operations, and development tested together, since gaps in one affect reliance on the rest.

Built for SOX & SOC 2 Reliance

Testing packaged so your financial and security audits can rely on it directly, without duplicate work.

Real Sample Testing

Walkthroughs backed by actual evidence sampling, not a checklist marked complete on assumption.

Deficiency Impact Analysis

We flag which downstream controls a gap actually affects, not just the gap itself.

50+ Businesses Served

From first-time ITGC testing to companies scaling a mature control environment.

Coordinated With Your Other Audits

Run alongside SOX or SOC 2 cycles so evidence gets collected once, not twice.

Questions

ITGC, answered.

Is ITGC testing its own certification?
No — ITGCs aren't a standalone certification like SOC 2 or ISO 27001. They're the foundational control layer tested as part of a SOX 404 assessment, a SOC 2 audit, or another framework that relies on IT controls being reliable.
What's the difference between ITGCs and application controls?
ITGCs cover the IT environment broadly — access, change, operations, and development. Application controls are specific to one business process, like an automated approval threshold. Application controls can only be relied on if the ITGCs supporting them pass first.
How are ITGCs actually tested?
Typically through a walkthrough of the process, followed by sample testing — pulling a set of actual access changes, code deployments, or backup logs and confirming the control operated as described for each one.
What happens if an ITGC fails?
A failed ITGC doesn't automatically mean every related control fails, but it typically forces an auditor to expand testing on anything that depends on it, since automated reliance can no longer be assumed.
Should we test ITGCs separately from our SOX or SOC 2 audit?
Usually no — ITGC testing is most efficient run alongside your SOX 404 or SOC 2 cycle, since the same evidence often supports both, and testing separately just duplicates the work.

Ready to test the controls everything else relies on?

Book a free strategy call and we'll map your ITGC testing scope alongside your other audits.