April 28, 2026 • 10 min read

Most organizations approach an IT General Controls audit one of two ways: either they scramble to prepare in the weeks before the auditors arrive, or they assume their environment is reasonably well-managed and find out during fieldwork that "reasonably well-managed" and "audit-ready" are not the same thing. Both approaches produce the same result — findings, remediation work, and a more stressful audit than necessary.
This guide goes beyond explaining what auditors look for in an IT General Controls audit to give you a practical framework for actually passing one — the first time, and every time after that.
IT General Controls — ITGCs — are the foundational policies, procedures, and technical safeguards that govern how your organization manages its IT environment. Unlike application-level controls that are specific to a single system, ITGCs apply broadly across your environment and establish whether your IT systems can be trusted to produce accurate, reliable data. That trust is exactly what auditors are trying to verify.
An ITGC audit evaluates both the design of your controls — are they built in a way that would actually prevent or detect the risk they are meant to address? — and their operational effectiveness — are they actually working, consistently, across the entire audit period? This is the distinction that catches most organizations off guard. A well-designed control that was not operating consistently throughout the year is a finding, not a pass.
Access management is the area with the most findings in virtually every ITGC engagement. Auditors are not just checking whether you have an access control policy — they are testing whether that policy is actually enforced in practice. They will request a list of all active user accounts for your critical systems, compare it against your HR records for terminated employees, and sample specific access events to verify the provisioning and de-provisioning process works as documented.
They will look for terminated employees with active system access, users with access levels beyond what their role requires, administrative accounts shared among multiple individuals, and MFA not enforced on systems that handle sensitive or financial data. For each finding in this area, auditors will ask for evidence of the most recent periodic access review — and if you cannot produce it, the finding escalates. Running quarterly access reviews and keeping documentation of each one is one of the single most impactful things you can do to prepare for an ITGC audit.
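As an added illustration of the reconciliation described above (example code, not the firm's tooling or any auditor's script): a Python check that compares a constructed active-account export against a constructed HR terminated-employee list and a role entitlement model, and emits one finding per condition named in the text. All system names, roles, and account data are invented sample values.

```python
from datetime import date

# Constructed inputs standing in for the two artifacts the text says auditors
# compare: the active-account export for critical systems and HR's terminated list.
TERMINATED = {"jdoe": date(2025, 11, 3)}      # user -> termination date (HR record)
SENSITIVE_SYSTEMS = {"erp", "payroll"}        # systems where MFA must be enforced
ROLE_ENTITLEMENTS = {                         # what each role is allowed to hold
    "ap-clerk": {"erp:ap.entry"},
    "dba": {"erp:admin"},
}
ACCOUNTS = [  # constructed active-account export; "owners" = named individuals using it
    {"account": "jdoe", "system": "erp", "role": "ap-clerk", "admin": False, "mfa": True,
     "entitlements": {"erp:ap.entry"}, "owners": ["jdoe"]},
    {"account": "msmith", "system": "erp", "role": "ap-clerk", "admin": False, "mfa": True,
     "entitlements": {"erp:ap.entry", "erp:ap.approve"}, "owners": ["msmith"]},
    {"account": "svc_dba", "system": "erp", "role": "dba", "admin": True, "mfa": False,
     "entitlements": {"erp:admin"}, "owners": ["alee", "bkim"]},
    {"account": "cwong", "system": "wiki", "role": "editor", "admin": False, "mfa": False,
     "entitlements": set(), "owners": ["cwong"]},
]
AS_OF = date(2026, 3, 31)                     # review date (quarter end)

def review_access(accounts, terminated, sensitive_systems, role_entitlements, as_of):
    """Return one finding dict per control failure found in the account export."""
    findings = []
    for acct in accounts:
        name, system = acct["account"], acct["system"]
        # 1. Terminated employee whose account is still active after the HR date.
        term_date = terminated.get(name)
        if term_date is not None and term_date <= as_of:
            findings.append({"type": "terminated-active", "account": name,
                             "system": system, "detail": str(term_date)})
        # 2. Entitlements beyond what the account's role is allowed to hold.
        excess = acct["entitlements"] - role_entitlements.get(acct["role"], set())
        if excess:
            findings.append({"type": "excess-access", "account": name,
                             "system": system, "detail": ",".join(sorted(excess))})
        # 3. Administrative account shared among more than one named individual.
        if acct["admin"] and len(acct["owners"]) > 1:
            findings.append({"type": "shared-admin", "account": name,
                             "system": system, "detail": ",".join(acct["owners"])})
        # 4. MFA not enforced on a system that handles sensitive or financial data.
        if system in sensitive_systems and not acct["mfa"]:
            findings.append({"type": "mfa-not-enforced", "account": name,
                             "system": system, "detail": ""})
    return findings

if __name__ == "__main__":
    for f in review_access(ACCOUNTS, TERMINATED, SENSITIVE_SYSTEMS, ROLE_ENTITLEMENTS, AS_OF):
        print(f"{f['type']:<18} {f['system']:<8} {f['account']:<10} {f['detail']}")
```

Keeping the output of each quarterly run alongside the source exports is what produces the periodic-review evidence the paragraph above says auditors ask for.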
Every change to a system that produces data auditors will rely on needs to go through a documented, approved, tested process before it reaches production. Auditors sample change tickets and ask to see the approval, the test results, and the deployment record. What they are looking for is a consistent, traceable process — not just for the changes that went well, but for all changes.
The most common findings here are emergency changes that bypassed normal approval workflow and were never formally documented after the fact, developers with direct access to production environments who can make changes without going through the change management process, and change records that exist but lack the evidence fields auditors need to verify — no attached test results, no named approver, no deployment confirmation. The fix is procedural discipline: every change, regardless of urgency or perceived triviality, goes through the process and generates a complete record.
Auditors assess the frequency and scope of your data backups, whether offsite or cloud-based backup solutions are in place, and — this is the part most organizations overlook — whether recovery procedures are actually tested. A backup that has never been restored is not a recovery capability. It is data in storage with an untested assumption that it will work when needed. Auditors will ask for evidence of recovery testing, not just backup completion logs. Organizations that cannot produce evidence of at least one full recovery test in the audit period will receive a finding.
This area evaluates how your organization manages IT risk at the program level. Auditors review your IT policies (are they current, comprehensive, and approved by appropriate leadership?), your risk assessment process (have you identified and assessed the risks to your IT environment?), and your third-party vendor oversight (have you reviewed the SOC reports of critical vendors and mapped their controls to your own environment?).
The vendor SOC report review is one of the most commonly missed governance controls. If you rely on any third-party system that processes or transmits data your auditors will rely on — cloud infrastructure, ERP platforms, payroll systems — you are expected to review their annual SOC report and document that review. Organizations that cannot produce evidence of vendor SOC report reviews in the audit period consistently receive governance findings.
Physical controls remain part of every ITGC scope. Auditors assess whether access to server rooms, data closets, and areas containing network equipment is appropriately restricted and logged. They look for badge access systems, visitor logs, surveillance records, and evidence that access is reviewed periodically. Hardware disposal procedures — evidence that decommissioned systems are wiped or destroyed before leaving the organization — also fall under this area. These controls are straightforward to implement and document, and findings here are entirely preventable with minimal effort.
The organizations that consistently pass ITGC audits with clean reports treat audit readiness as a continuous operational practice, not an annual event. The preparation framework comes down to four disciplines maintained year-round: running quarterly access reviews and keeping documentation of each cycle; ensuring every change goes through the documented process and generates a complete record; testing backup recovery at least annually and documenting the results; and maintaining a current vendor inventory with evidence of annual SOC report reviews for each critical provider.
None of these activities require significant additional resources. They require operational discipline and a clear ownership model — someone responsible for each control area who understands that their job includes maintaining the evidence auditors will ask for, not just performing the activity.
A readiness assessment conducted two to three months before your ITGC audit is one of the most valuable investments an organization can make in audit preparation. It surfaces the gaps that would become findings under auditor scrutiny, gives you time to remediate before the audit period closes, and allows you to walk into fieldwork with documented evidence rather than scrambling to reconstruct it. Organizations that identify and close gaps proactively tend to have significantly cleaner audit reports than those that rely on their operational environment to speak for itself.
OCD Tech helps organizations across Boston assess their ITGC posture, identify gaps before auditors do, and build the documentation and controls that hold up under scrutiny. Whether you are preparing for your first ITGC review or trying to clean up a prior year's findings, we provide the practical support that turns audit preparation from a fire drill into a manageable process. Talk to our team today.