A common question that arises is: when do we “perform” the ITGC audit?
The ITGC process is cyclical, resembling the seasons of the year, with each stage being a distinct “season.” Based on my experience, the standard process typically looks like this:
Control Design
Whether establishing the control from scratch or validating it for the year, we ensure that what’s documented in the control description actually occurs in reality. This may involve updating relevant parties and adjusting documentation to reflect real-world changes, or modifying reality to align with the documentation, though the latter is more challenging and reserved for skilled professionals who can effect meaningful change. Coordination with the auditor is also essential to ensure alignment with their methodology. From my own experience, the best approach is to use the standard controls and avoid special customization, which may be a good short-term solution but is costly in the long run.
Control Design Testing
Often referred to as walkthroughs, at this stage we validate that the theoretical control description matches reality, focusing on at least one item from the population. The population can range widely, from zero items to potentially infinite. In practice, we typically deal with dozens, hundreds, or thousands. The best way, in this case, would be to automatically test 100% of the items and tackle risk early and effectively.
Control Testing
Controls are usually tested internally by the company. The aim is to ensure the control functions properly and to document findings per professional standards. Simultaneously, the auditor conducts independent tests, either relying on the company’s processes or challenging them to ensure everything is executed correctly, both materially and procedurally. If the step of “Control Design Testing” is done properly, there is no need to worry.
Control Documentation
The entire testing process must be accurately documented and organized according to strict professional standards. We refer to PCAOB guidelines to emphasize the importance of meticulous documentation. This stage of the audit is often more engaging, as junior auditors compile all relevant information into a single Excel file. They narrate the updated findings and ensure that every sample includes the necessary supporting documents and screenshots.
Compensatory Controls
When gaps are identified during testing, we aim to minimize the associated risks and address any discovered sampling holes. For example, if an employee leaves but retains access, we review their actions to confirm they were legitimate, ensuring that risks do not materialize. Successful ITGC consultants proactively connect control testing with compensatory measures, preventing external auditors from identifying gaps.
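The leaver example above, combined with the earlier point about testing 100% of the population, can be scripted. The following is an added example, not part of the original article; the user names, dates, log format and the one-day removal requirement are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration; names and dates are hypothetical.
HR_TERMINATIONS = {"asmith": "2024-03-15", "bjones": "2024-05-31", "cdavis": "2024-06-10"}
# Date access was removed per the system of record (None = account still active).
ACCESS_REMOVED = {"asmith": "2024-03-15", "bjones": "2024-06-04", "cdavis": None}
ACTIVITY_LOG = [  # (timestamp, user, action)
    ("2024-03-14T09:12:00", "asmith", "login"),
    ("2024-06-02T22:41:00", "bjones", "login"),
    ("2024-06-02T22:45:00", "bjones", "export_report"),
    ("2024-06-09T08:00:00", "cdavis", "login"),
]
AUDIT_CUTOFF = "2024-06-30"
SLA_DAYS = 1  # assumed control requirement: access removed within one day of leaving


def review_leavers(terminations, removed, log, cutoff, sla_days=SLA_DAYS):
    """Test every leaver (100% of the population) and return the exceptions.

    Each exception carries the activity seen between the day after termination
    and the removal date (or the audit cut-off), which is the evidence a
    compensating look-back review has to assess.
    """
    exceptions = []
    for user, term in sorted(terminations.items()):
        term_day = datetime.fromisoformat(term)
        removed_on = removed.get(user)  # missing entry is treated as still active
        removed_day = datetime.fromisoformat(removed_on) if removed_on else None
        if removed_day and removed_day <= term_day + timedelta(days=sla_days):
            continue  # control operated as designed for this item
        last_day = removed_day or datetime.fromisoformat(cutoff)
        window_start = term_day + timedelta(days=1)
        window_end = last_day + timedelta(days=1)  # include the whole last day
        activity = [(ts, action) for ts, who, action in log
                    if who == user and window_start <= datetime.fromisoformat(ts) < window_end]
        exceptions.append({"user": user, "access_removed": removed_on,
                           "days_exposed": (last_day - term_day).days,
                           "post_termination_activity": activity})
    return exceptions


if __name__ == "__main__":
    for exc in review_leavers(HR_TERMINATIONS, ACCESS_REMOVED, ACTIVITY_LOG, AUDIT_CUTOFF):
        print(exc)
```

An exception with logged activity needs each action confirmed as legitimate; one with no activity still needs the access removed and the delay explained.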
Audit Findings
At this stage, both internal and external auditors present their findings, share them with the company, and debate where necessary, usually until reaching consensus (though this is not always required). We must ensure that we can address both significant and minor findings, preventing their recurrence in future audits. If no major issues remain unaddressed, the opinion will be favorable, and the company can take pride in its effective internal control environment. However, if issues arise, the company may receive a “weakness” or “material weakness,” which is less than ideal.