Agent skill

audit-support-it-general-controls-itgcs

Sub-skill of audit-support: IT General Controls (ITGCs) (+4).

Stars 4
Forks 4

Install this agent skill to your Project

npx add-skill https://github.com/vamseeachanta/workspace-hub/tree/main/.claude/skills/_archive/business/finance/audit-support/it-general-controls-itgcs

SKILL.md

IT General Controls (ITGCs) (+4)

IT General Controls (ITGCs)

Controls over the IT environment that support the reliable functioning of application controls and automated processes.

Access Controls:

  • User access provisioning (new access requests require approval)
  • User access de-provisioning (terminated users removed timely)
  • Privileged access management (admin/superuser access restricted and monitored)
  • Periodic access reviews (user access recertified on a defined schedule)
  • Password policies (complexity, rotation, lockout)
  • Segregation of duties enforcement (conflicting access prevented)

Change Management:

  • Change requests documented and approved before implementation
  • Changes tested in a non-production environment before promotion
  • Separation of development and production environments
  • Emergency change procedures (documented, approved post-implementation)
  • Change review and post-implementation validation

IT Operations:

  • Batch job monitoring and exception handling
  • Backup and recovery procedures (regular backups, tested restores)
  • System availability and performance monitoring
  • Incident management and escalation procedures
  • Disaster recovery planning and testing

Manual Controls

Controls performed by people using judgment, typically involving review and approval.

Examples:

  • Management review of financial statements and key metrics
  • Supervisory approval of journal entries above a threshold
  • Three-way match verification (PO, receipt, invoice)
  • Account reconciliation preparation and review
  • Physical inventory observation and count
  • Vendor master data change approval
  • Customer credit approval

Key attributes to test:

  • Was the control performed by the right person (proper authority)?
  • Was it performed timely (within the required timeframe)?
  • Is there evidence of the review (signature, initials, email, system log)?
  • Did the reviewer have sufficient information to perform an effective review?
  • Were exceptions identified and appropriately addressed?

Automated Controls

Controls enforced by IT systems without human intervention.

Examples:

  • System-enforced approval workflows (cannot proceed without required approvals)
  • Three-way match automation (system blocks payment if PO/receipt/invoice don't match)
  • Duplicate payment detection (system flags or blocks duplicate invoices)
  • Credit limit enforcement (system prevents orders exceeding credit limit)
  • Automated calculations (depreciation, amortization, interest, tax)
  • System-enforced segregation of duties (conflicting roles prevented)
  • Input validation controls (required fields, format checks, range checks)
  • Automated reconciliation matching

Testing approach:

  • Test design: Confirm the system configuration enforces the control as intended
  • Test operating effectiveness: For automated controls, if the system configuration has not changed, one test of the control is typically sufficient for the period (supplemented by ITGC testing of change management)
  • Verify change management ITGCs are effective (if system changed, re-test the control)

IT-Dependent Manual Controls

Manual controls that rely on the completeness and accuracy of system-generated information.

Examples:

  • Management review of a system-generated exception report
  • Supervisor review of a system-generated aging report to assess reserves
  • Reconciliation using system-generated trial balance data
  • Approval of transactions identified by a system-generated workflow

Testing approach:

  • Test the manual control (review, approval, follow-up on exceptions)
  • AND test the completeness and accuracy of the underlying report/data (IPE — Information Produced by the Entity)
  • IPE testing confirms the data the reviewer relied on was complete and accurate

Entity-Level Controls

Broad controls that operate at the organizational level and affect multiple processes.

Examples:

  • Tone at the top / code of conduct
  • Risk assessment process
  • Audit committee oversight of financial reporting
  • Internal audit function and activities
  • Fraud risk assessment and anti-fraud programs
  • Whistleblower/ethics hotline
  • Management monitoring of control effectiveness
  • Financial reporting competence (staffing, training, qualifications)
  • Period-end financial reporting process (close procedures, GAAP compliance reviews)

Significance:

  • Entity-level controls can mitigate but typically cannot replace process-level controls
  • Ineffective entity-level controls (especially audit committee oversight and tone at the top) are strong indicators of a material weakness
  • Effective entity-level controls may reduce the extent of testing needed for process-level controls

Expand your agent's capabilities with these related and highly-rated skills.

Didn't find tool you were looking for?

Be as detailed as possible for better results