IT General Controls (ITGCs)
Foundational controls that support system reliability and financial reporting, including access management, change management, and IT operations.
Access Management
Controls ensuring only authorized users can access systems and data, including provisioning, deprovisioning, MFA, and password policies.
Change Management
The process ensuring system changes are approved, tested, and implemented properly to prevent unauthorized or faulty changes.
IT Operations Controls
Controls over backups, batch processing, incident management, and job scheduling.
Computer Operations Controls
Controls related to system monitoring, error handling, and maintaining system availability.
SOX (Sarbanes–Oxley Act)
A U.S. law requiring companies to maintain strong internal controls over financial reporting.
SOX Section 404
Requirement for management to assess and report on internal controls over financial reporting.
Importance of ITGCs for SOX
ITGCs support the reliability of financial systems and ensure accurate financial reporting.
SOC 1 Report
Evaluates controls relevant to financial reporting (ICFR).
SOC 2 Report
Evaluates controls related to Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 3 Report
Public-facing version of SOC 2 with less detail.
Internal Controls
Processes designed to ensure accurate financial reporting, compliance, asset protection, and operational efficiency.
Control Design
Whether a control is structured effectively to address a risk.
Operating Effectiveness
Whether a control works consistently in practice.
Walkthrough
Following a transaction end-to-end to understand the process and controls.
Design Testing
Evaluating whether a control is logically designed to mitigate a risk.
Operating Effectiveness Testing
Testing whether a control functions consistently over time.
Control Exception
A failure or deviation in how a control operates.
Risk
A potential event that could negatively impact objectives.
Inherent Risk
Risk before any controls are applied.
Residual Risk
Risk remaining after controls are applied.
Risk Mitigation
Actions taken to reduce risk.
Emerging Risks
New or evolving risks such as AI, cloud, or cybersecurity threats.
ERP System
Enterprise software like SAP, Oracle, or Workday that manages core business processes.
Cloud Computing
Using remote servers (AWS, Azure, GCP) to store and process data, introducing shared responsibility risks.
Cybersecurity Controls
Controls like firewalls, encryption, MFA, and monitoring to protect systems and data.
Data Integrity
Ensuring data is accurate, complete, and consistent.
Segregation of Duties (SoD)
Ensuring no single person controls all steps of a critical process.
Workpapers
Documentation supporting audit conclusions and testing.
Examples of Change Management Controls
Formal Change Request Form, Approval Workflow, Segregation of Duties, Testing before Deployment, Rollback Procedures, Change Logs/Audit Trails
Formal Change Request Form
Every system change must be documented with purpose, impact, and approval.
Approval Workflow
Changes require sign‑off from management, system owners, and sometimes security teams.
Testing Before Deployment
All changes must be tested in a QA or staging environment before going live.
Rollback Procedures
A documented plan exists to revert the system if the change fails.
Change Logs / Audit Trails
Systems automatically record who made a change, when, and what was changed.
Emergency Change Controls
Urgent fixes are allowed but must be documented and reviewed afterward.
Examples of IT Operations Controls
Backup and Recovery Procedures, Job Scheduling Controls, Incident Management Process, Capacity Monitoring, Patch Management, Service Level Agreements (SLAs), Access Review for Operational Tools
Backup and Recovery Procedures
Regular backups of critical systems with periodic restoration testing.
Job Scheduling Controls
Automated jobs (e.g., payroll runs, data loads) are monitored for success or failure.
Incident Management Process
A structured workflow for logging, prioritizing, and resolving IT issues.
Capacity Monitoring
Monitoring storage, CPU, and memory to prevent system outages.
Patch Management
Regular updates to operating systems and applications to address vulnerabilities.
Service Level Agreements (SLAs)
Defined expectations for system uptime and response times.
Access Review for Operational Tools
Ensuring only authorized staff can run or modify operational jobs.
Examples of Computer Operations Controls
System Monitoring Dashboards, Error Handling Procedures, Batch Processing Controls, Environmental Controls, File Integrity Checks, Automated Alerts, System Restart/Recovery Procedures
System Monitoring Dashboards
Real‑time monitoring of servers, applications, and network performance.
Error Handling Procedures
Defined steps for addressing failed jobs, corrupted files, or system errors.
Batch Processing Controls
Ensuring batch jobs run in the correct order and complete successfully.
Environmental Controls
Physical controls like temperature monitoring, fire suppression, and power backups in data centers.
File Integrity Checks
Automated checks to ensure files are complete and unaltered before processing.
Automated Alerts
Notifications sent to IT staff when systems exceed thresholds or fail.
System Restart/Recovery Procedures
Documented steps for restarting systems after outages.