IT General Controls Audit: What Auditors Look For

April 8, 2026
10 min read

If your organization is preparing for a SOX audit, a SOC report engagement, or any kind of financial compliance review, there is one area that consistently catches companies off guard: IT General Controls. Most organizations focus their audit prep on financial data and documentation. But auditors need to trust the systems that produced that data before they can rely on it. That is where IT General Controls — or ITGCs — come in. And if your controls are weak, undocumented, or inconsistently applied, your entire audit is at risk.

Here is exactly what auditors look for in an IT General Controls audit, and how to make sure you are ready.

What Is an IT General Controls Audit?

IT General Controls are the foundational policies, procedures, and technical safeguards that govern how your organization manages its IT systems. They are not application-specific — they apply broadly across your environment and establish whether your systems can be trusted to produce accurate, reliable data. An ITGC audit evaluates both the design of your controls (are they built correctly?) and their operational effectiveness (are they actually working, consistently, over time?).

Auditors from external firms test your controls through documentation review, interviews, and direct observation. Gaps in any area can result in findings that escalate all the way to your board. According to ISACA research, organizations with robust IT governance are 50% more likely to successfully pass IT audits and maintain regulatory compliance.

The 5 Control Areas Every IT General Controls Audit Covers

1. Access Management

This is consistently the area with the most findings. Auditors examine who has access to your systems, how that access was granted, and whether it has been reviewed and updated regularly. They look at user provisioning and de-provisioning (especially for terminated employees), whether least-privilege access principles are enforced, MFA implementation across all critical systems, periodic access reviews and certifications, and privileged account management. A former employee who can still approve invoices after leaving the company is the kind of finding auditors actively look for — and find more often than organizations expect.

2. Change Management

Auditors want to see that changes to your systems go through a controlled, documented, and tested process before reaching production. They review change logs, testing procedures, approval workflows, and rollback plans. Unauthorized or undocumented changes are a significant concern for data integrity: if someone can push a change to your financial reporting system without approval or documentation, auditors cannot trust the output of that system. Every change should have a ticket, an approver, a test record, and a deployment log.

3. IT Operations and Backup Controls

Business continuity is not just a security concept — it is an audit requirement. Auditors assess the frequency and scope of your data backups, verify that offsite or cloud-based backup solutions are in place, and look for evidence that recovery procedures are actually tested, not just documented. IDC estimates that unplanned downtime costs businesses an average of $100,000 per hour. The critical word in backup testing is "restore" — the backup that was never tested as a recovery is just data in storage, not a continuity plan.

4. IT Governance and Risk Management

This area evaluates the big picture: how your organization identifies, manages, and monitors IT risk. Auditors review your IT policies, risk assessment processes, and whether your IT strategy aligns with your business objectives. One of the most frequently cited governance controls is the annual SOC report review for critical vendors. If you rely on a cloud provider, payroll platform, or any third-party system that touches financial data, auditors will want to see that you have reviewed their SOC report and mapped their controls to your own environment. Missing vendor SOC reports are among the most common findings in ITGC audits.

5. Physical and Environmental Security

Often overlooked, physical controls are still part of every ITGC audit. Auditors assess access controls to server rooms and data centers — badge access, surveillance, visitor logs — as well as environmental protections like HVAC systems and fire suppression. Hardware disposal procedures also fall here: decommissioned laptops and servers that leave the organization without being properly wiped are a finding waiting to happen.

What Auditors Are Actually Testing

For each control area, auditors will request documentation (policies, procedures, screenshots, access logs, change tickets), conduct interviews with IT staff and system administrators, perform walkthroughs to observe processes in real time, and sample specific transactions — selecting access events, change records, or backup logs and tracing them through your documented process. In 2025, 59% of organizations shifted to testing all controls rather than only the most critical ones. Auditors are more thorough than they used to be, and incomplete documentation will surface.

The Most Common IT General Controls Audit Failures

Based on patterns seen across ITGC engagements, the most frequent findings come down to terminated employees with active accounts, no formal access review process or evidence of the last review, changes promoted to production without documented approvals, backups scheduled but never tested for recoverability, missing or outdated vendor SOC reports, and privileged accounts shared among multiple users with no individual accountability. None of these require sophisticated attacks to exploit. They are process and documentation gaps — and they are entirely preventable.
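The first four findings in that list are reconciliations an auditor can, and will, reproduce from exported records. As an added illustration that is not part of the original post and not OCD Tech's own tooling, the script below runs those checks over a constructed HR roster, account list, change log and backup schedule; the field names and sample values are assumptions, not any real system's export format.

```python
from datetime import date
# Constructed sample evidence (not from any real audit), shaped like the exports an auditor requests.
HR_ROSTER = {
    "alice": {"status": "active", "terminated": None},
    "bob": {"status": "terminated", "terminated": date(2026, 1, 15)},
}
ACCOUNTS = [
    {"user": "alice", "enabled": True, "privileged": False},
    {"user": "bob", "enabled": True, "privileged": True},    # left in January, still enabled
    {"user": "dave", "enabled": True, "privileged": False},  # no HR record at all
]
CHANGE_LOG = [
    {"ticket": "CHG-101", "approver": "cto", "tested": True},
    {"ticket": "CHG-102", "approver": None, "tested": True},   # promoted without approval
    {"ticket": "CHG-103", "approver": "cto", "tested": False}, # no test record
]
BACKUP_JOBS = [
    {"system": "erp-db", "last_backup": date(2026, 4, 6), "last_restore_test": date(2026, 1, 20)},
    {"system": "gl-reports", "last_backup": date(2026, 4, 7), "last_restore_test": None},
]

def access_findings(roster, accounts):
    """Enabled accounts with no HR owner, or whose owner has been terminated."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are not a finding
        rec = roster.get(acct["user"])
        if rec is None:
            findings.append((acct["user"], "enabled account with no HR record"))
        elif rec["status"] == "terminated":
            findings.append((acct["user"], f"terminated {rec['terminated']} but still enabled"))
    return findings

def change_findings(changes):
    """Every production change needs a documented approver and a test record."""
    return ([(c["ticket"], "no documented approver") for c in changes if not c["approver"]]
            + [(c["ticket"], "no test record") for c in changes if not c["tested"]])

def backup_findings(jobs, as_of, max_age_days=90):
    """A backup only counts as a continuity control if a restore was exercised recently."""
    findings = []
    for job in jobs:
        tested = job["last_restore_test"]
        if tested is None:
            findings.append((job["system"], "backup scheduled but never restore-tested"))
        elif (as_of - tested).days > max_age_days:
            findings.append((job["system"], f"last restore test {tested} older than {max_age_days} days"))
    return findings
```

Running these against real exports before the auditor does turns each of the listed failures into a ticket you close on your own schedule rather than a finding reported to the board.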

Ready to Get Audit-Ready?

An IT General Controls audit does not have to be a stressful scramble. With the right preparation and the right partner, it can be a straightforward demonstration of a well-run IT environment. OCD Tech helps organizations across Boston assess their ITGC posture, identify gaps before auditors do, and build the documentation and controls that hold up under scrutiny. Talk to our team today and walk into your next audit with confidence.
