AudITech

When Should You Perform ITGC Audits?

photo of Eli Edry CEO at AudITech

CEO and Founder, AudITech

Table of Contents

A common question that arises is: when do we “perform” the ITGC audit?

The ITGC process is cyclical, resembling the seasons of the year , with each stage being a distinct “season.” Based on my experience, the standard process typically looks like this:

Illustration for blog about when you should perform Audits

Control Design

Whether establishing the control from scratch or validating it for the year, we ensure that what’s documented in the control description actually occurs in reality. This may involve updating relevant parties and adjusting documentation to reflect real-world changes, or modifying reality to align with the documentation—though the latter is more challenging and reserved for skilled professionals who can effect meaningful change. Coordination with the auditor is also essential to ensure alignment with their methodology. From my own experiencethe best way is to use the standard controls and avoid special customization that will be a good short-term solution but costly in the long run.

Control Design Testing

Often referred to as walkthroughs, at this stage we validate that the theoretical control description matches reality, focusing on at least one item from the population. The population can range widely, from zero items to potentially infinite. In practice, we typically deal with dozens, hundreds, or thousands. The best way, in this case, would be to automatically test 100% of the items and tackle risk early and effectively.

Control Testing

 Controls are usually tested internally by the company. The aim is to ensure the control functions properly and to document findings per professional standards. Simultaneously, the auditor conducts independent tests, either relying on the company’s processes or challenging them to ensure everything is executed correctly, both materially and procedurally. If the step of “Control Design Testing” is done properly, there is no need to worry.

Control Documentation

The entire testing process must be accurately documented and organized according to strict professional standards. We refer to PCAOB guidelines to emphasize the importance of meticulous documentation. This stage of the audit is often more engaging, as junior auditors compile all relevant information into a single Excel file. They narrate the updated findings and ensure that every sample includes the necessary supporting documents and screenshots.

Compensatory Controls

When gaps are identified during testing, we aim to minimize the associated risks and address any discovered sampling holes. For example, if an employee leaves but retains access, we review their actions to confirm they were legitimate, ensuring that risks do not materialize. Successful ITGC consultants proactively connect control testing with compensatory measures, preventing external auditors from identifying gaps.

Audit Findings

At this stage, both internal and external auditors present their findings, share them with the company, and debate where necessary, usually until reaching consensus (though this is not always required). We must ensure that we can address both significant and minor findings, preventing their recurrence in future audits. If no major issues remain unaddressed, the opinion will be favorable, and the company can take pride in its effective internal control environment. However, if issues arise, they may receive a “weakness” or “material weakness,” which is less than ideal.

Newsletter

Signup our newsletter to get update information, news, insight or promotions.

Achieve full IT-audit
Independence & peace of mind

We’ll guide you through your first IT-audit in minutes. Learn to create fast, official, trusted ITGC reports recognized by IT-auditors

"*" indicates required fields

Thank you for your submission!

Our team will be in touch soon to schedule your demo.

Prefer to book now? View available time
slots below!