What are IT General Controls?

ISA 315.26(a) requires the auditor to identify ITGCs relevant to the audit when the entity uses IT in its financial reporting process. These are not controls over individual transactions. They are the controls that keep the IT environment itself reliable: who can access systems, how changes to programs are managed, how new applications are developed, and how computer operations are maintained.

ISA 315.A148 organises ITGCs into four categories: access to programs and data, program changes, program development, and computer operations. ITGCs exist to support application controls. If ITGCs fail, every automated control that depends on them becomes unreliable regardless of how well that application control is designed. A three-way match in the purchasing system means nothing if an unauthorised user can modify the matching parameters.

Teams do not test ITGCs for their own sake. They test them because ITGCs underpin every automated control and every system-generated report the audit relies on. If you plan to use a system-generated aged receivables listing as audit evidence, you need confidence that the system producing it is operating in a controlled environment.

Key Points

  • ITGCs support application controls — if ITGCs fail, no automated control that depends on them is reliable.
  • ISA 315.A148 defines four categories: access security, change management, program development, and computer operations.
  • Testing ITGCs is not optional when you plan to rely on automated controls or system-generated reports.
  • A deficient ITGC has downstream effects on every account processed by the affected system.

Why it matters in practice

The FRC has repeatedly found that engagement teams test ITGCs but do not document how deficiencies in those controls affect the planned reliance on application controls. The ITGC test is performed. The result is recorded. But the file does not show the link between an access control weakness and the decision to expand substantive testing on affected accounts.

A second common gap is scope. Teams test only access controls and ignore change management entirely. ISA 315.A149 lists change management as a distinct ITGC category. If the entity deployed a system update mid-year that altered how revenue is calculated, and the team did not evaluate the change management process, the audit evidence on revenue post-update is incomplete.

ISA 315.A154 requires the auditor to evaluate the downstream effect of ITGC deficiencies. This means tracing the deficiency forward: which application controls depend on the affected ITGC, which financial statement assertions depend on those application controls, and whether expanded substantive testing adequately addresses the resulting risk.

Key standard references

  • ISA 315.26(a): Requires identification of ITGCs relevant to the audit.
  • ISA 315.A148: Defines the four ITGC categories.
  • ISA 315.A150: Links ITGCs to audit relevance and planned reliance.
  • ISA 315.A154: Requires evaluation of the downstream impact of ITGC deficiencies.

Frequently asked questions

What are the main ITGC categories?

ISA 315.A148 groups ITGCs into: access to programs and data, program changes, program development, and computer operations. Most firms test access security and change management as the minimum.

What happens if ITGCs are deficient?

If ITGCs fail, no automated application control that depends on them is reliable. ISA 315.A154 requires you to evaluate the downstream effect and expand substantive testing on every affected account.