Agent skill
audit-support-it-general-controls-itgcs
Sub-skill of audit-support: IT General Controls (ITGCs) (+4).
Install this agent skill to your Project
npx add-skill https://github.com/vamseeachanta/workspace-hub/tree/main/.claude/skills/_archive/business/finance/audit-support/it-general-controls-itgcs
SKILL.md
IT General Controls (ITGCs) (+4)
IT General Controls (ITGCs)
Controls over the IT environment that support the reliable functioning of application controls and automated processes.
Access Controls:
- User access provisioning (new access requests require approval)
- User access de-provisioning (terminated users removed timely)
- Privileged access management (admin/superuser access restricted and monitored)
- Periodic access reviews (user access recertified on a defined schedule)
- Password policies (complexity, rotation, lockout)
- Segregation of duties enforcement (conflicting access prevented)
Change Management:
- Change requests documented and approved before implementation
- Changes tested in a non-production environment before promotion
- Separation of development and production environments
- Emergency change procedures (documented, approved post-implementation)
- Change review and post-implementation validation
IT Operations:
- Batch job monitoring and exception handling
- Backup and recovery procedures (regular backups, tested restores)
- System availability and performance monitoring
- Incident management and escalation procedures
- Disaster recovery planning and testing
Manual Controls
Controls performed by people using judgment, typically involving review and approval.
Examples:
- Management review of financial statements and key metrics
- Supervisory approval of journal entries above a threshold
- Three-way match verification (PO, receipt, invoice)
- Account reconciliation preparation and review
- Physical inventory observation and count
- Vendor master data change approval
- Customer credit approval
Key attributes to test:
- Was the control performed by the right person (proper authority)?
- Was it performed timely (within the required timeframe)?
- Is there evidence of the review (signature, initials, email, system log)?
- Did the reviewer have sufficient information to perform an effective review?
- Were exceptions identified and appropriately addressed?
Automated Controls
Controls enforced by IT systems without human intervention.
Examples:
- System-enforced approval workflows (cannot proceed without required approvals)
- Three-way match automation (system blocks payment if PO/receipt/invoice don't match)
- Duplicate payment detection (system flags or blocks duplicate invoices)
- Credit limit enforcement (system prevents orders exceeding credit limit)
- Automated calculations (depreciation, amortization, interest, tax)
- System-enforced segregation of duties (conflicting roles prevented)
- Input validation controls (required fields, format checks, range checks)
- Automated reconciliation matching
Testing approach:
- Test design: Confirm the system configuration enforces the control as intended
- Test operating effectiveness: For automated controls, if the system configuration has not changed, one test of the control is typically sufficient for the period (supplemented by ITGC testing of change management)
- Verify change management ITGCs are effective (if system changed, re-test the control)
IT-Dependent Manual Controls
Manual controls that rely on the completeness and accuracy of system-generated information.
Examples:
- Management review of a system-generated exception report
- Supervisor review of a system-generated aging report to assess reserves
- Reconciliation using system-generated trial balance data
- Approval of transactions identified by a system-generated workflow
Testing approach:
- Test the manual control (review, approval, follow-up on exceptions)
- AND test the completeness and accuracy of the underlying report/data (IPE — Information Produced by the Entity)
- IPE testing confirms the data the reviewer relied on was complete and accurate
Entity-Level Controls
Broad controls that operate at the organizational level and affect multiple processes.
Examples:
- Tone at the top / code of conduct
- Risk assessment process
- Audit committee oversight of financial reporting
- Internal audit function and activities
- Fraud risk assessment and anti-fraud programs
- Whistleblower/ethics hotline
- Management monitoring of control effectiveness
- Financial reporting competence (staffing, training, qualifications)
- Period-end financial reporting process (close procedures, GAAP compliance reviews)
Significance:
- Entity-level controls can mitigate but typically cannot replace process-level controls
- Ineffective entity-level controls (especially audit committee oversight and tone at the top) are strong indicators of a material weakness
- Effective entity-level controls may reduce the extent of testing needed for process-level controls
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
gsd-complete-milestone
Archive completed milestone and prepare for next version
gsd-reapply-patches
Reapply local modifications after a GSD update
gsd-verify-work
Validate built features through conversational UAT
gsd-thread
Manage persistent context threads for cross-session work
clinical-trial-protocol
Generate clinical trial protocols for medical devices or drugs through a modular, waypoint-based architecture with research-only and full protocol modes.
single-cell-rna-qc
Performs quality control on single-cell RNA-seq data (.h5ad or .h5 files) using scverse best practices with MAD-based filtering and comprehensive visualizations.
Didn't find tool you were looking for?