Why IT General Controls Failures Cost Organizations More Than They Expect
IT general controls — commonly referred to as ITGCs — form the backbone of any credible compliance program. They are the foundational controls that ensure financial reporting systems, operational technology, and sensitive data environments function reliably, securely, and in accordance with regulatory requirements. Yet year after year, across SOX audits, ISO 27001 assessments, CMMC reviews, and FedRAMP authorizations, the same five ITGC categories produce the most deficiencies, the most material weaknesses, and the most remediation costs.
As someone who has spent years helping defense contractors, healthcare organizations, and federal agencies build and repair compliance programs, I can tell you this with confidence: most ITGC failures are preventable. They stem not from lack of technology, but from lack of process discipline, poor documentation habits, and insufficient governance. This post breaks down each category, explains why organizations stumble, and gives you actionable direction to fix what is broken before your next audit.
For a broader orientation to the controls landscape, our post on what IT general controls are is a good starting point before diving into the failure patterns below.
Category 1: Access Controls
Where Organizations Fail
Access control deficiencies are the single most common ITGC finding across every framework we work with. The root causes are predictable: orphaned accounts that were never deprovisioned after an employee departure, excessive privileged access granted without documented business justification, shared credentials used across multiple administrators, and user access reviews that exist on paper but have not been executed in months or years.
In regulated environments, access failures carry compounding consequences. Under ISO 27001, inadequate access management directly violates Annex A controls. Under CMMC and NIST SP 800-171, failure to enforce least privilege can result in audit findings that threaten contract eligibility. Under SOX, an access control deficiency tied to a financial system can escalate to a material weakness that requires public disclosure.
How to Fix It
- Implement a formal access provisioning and deprovisioning workflow tied directly to HR onboarding and offboarding events. Automation is preferred, but a manual process with documented sign-offs is acceptable if it is consistently followed.
- Conduct quarterly user access reviews for all systems in scope. Document the review, document who approved continued access, and document any removals made as a result.
- Enforce least privilege by auditing privileged accounts at least twice per year and requiring written business justification for any administrative role assignment.
- Eliminate shared credentials entirely. Each user should have a unique identity with MFA enforced for all privileged and remote access.
Category 2: Change Management Controls
Where Organizations Fail
Change management is where technically proficient teams frequently underestimate audit expectations. The failure pattern is consistent: developers or system administrators make configuration changes, patch deployments, or code updates without a formal change ticket, without documented testing, and without an approval record. In some cases, emergency changes are made correctly in the moment but never retroactively documented.
Auditors examining change management controls want to see evidence that every material change to an in-scope system went through a defined process — request, testing, approval, implementation, and post-implementation review. When that evidence does not exist, the control is considered not operating effectively, regardless of how technically sound the underlying change was.
How to Fix It
- Define and enforce a tiered change management process that distinguishes between standard, non-standard, and emergency changes. Each category should have a defined approval path and documentation requirement.
- Require testing evidence prior to production deployment, including test plans and test results stored in your change management system.
- Separate duties between those who develop or configure changes and those who approve them. This is non-negotiable for financial systems and CUI environments.
- Establish a retroactive documentation requirement for emergency changes with a defined closure window, typically 24 to 72 hours post-implementation.
Category 3: IT Operations Controls
Where Organizations Fail
IT operations controls cover the day-to-day processes that keep systems running reliably and securely: job scheduling and monitoring, backup and recovery, incident management, and system availability. Failures here tend to be less visible than access or change management issues, which is precisely why they catch organizations off guard during audits.
Common deficiencies include backup processes that are configured but never tested for restorability, job failure alerts that fire but are not acted upon or documented, and incident records that are incomplete or inconsistently maintained. For defense contractors subject to DFARS and NIST SP 800-171, inadequate incident tracking creates direct compliance exposure. Our post on SSP and POA&M requirements covers how incident and operational findings should be reflected in your security program documentation.
How to Fix It
- Test backup restorability at least quarterly and document the results. A backup that has not been tested is not a control — it is an assumption.
- Establish a formal job monitoring process with defined escalation paths for critical job failures. Document who reviews alerts, when, and what action was taken.
- Maintain a complete incident log that captures detection date, classification, response actions, resolution, and lessons learned. This log is a primary artifact in most compliance audits.
- Review capacity and availability metrics on a defined schedule and document that review.
Category 4: Program Development and Acquisition Controls
Where Organizations Fail
This category addresses how organizations develop, acquire, and implement new systems or applications. Deficiencies here often surface when organizations grow quickly — through contract awards, mergers, or technology modernization efforts — and bring new systems into scope without applying the same control rigor used for existing environments.
The most common failures involve missing security requirements in project planning documents, lack of security testing prior to go-live, and insufficient documentation of how new systems handle sensitive data. For organizations pursuing ISO 27001 or CMMC, CUI, and DFARS compliance, the absence of security-by-design practices in acquisition and development is a recurring gap that delays certification timelines.
How to Fix It
- Include security requirements as a mandatory element of every project initiation document, regardless of system size or expected scope.
- Require a security review or assessment gate prior to production deployment of any new system that touches sensitive data, financial records, or controlled environments.
- Establish vendor due diligence procedures for any acquired software or cloud service, including review of security certifications, data handling practices, and contractual security obligations.
- Document the data classification and handling requirements for every new system before go-live, not after the audit finding.
Category 5: Computer Operations and Physical Security Controls
Where Organizations Fail
Physical security controls are perhaps the most underestimated category in the ITGC universe. Compliance managers focused on logical controls often overlook the physical layer until an auditor asks for data center access logs, visitor records, or media disposal documentation — and discovers those records do not exist or are inconsistently maintained.
For organizations in the defense industrial base, physical security failures carry particular weight. CMMC physical protection requirements, ITAR facility standards, and ISO 27001 Annex A physical controls all require documented processes for controlling physical access to systems that store or process sensitive information. Our guide to CMMC 2.0 and NIST SP 800-171 physical security requirements provides a detailed look at what assessors expect to find.
How to Fix It
- Maintain access logs for all physical locations where in-scope systems reside, including server rooms, network closets, and restricted work areas.
- Implement and document a formal media handling and disposal process that covers hard drives, portable storage, printed output, and backup media.
- Conduct periodic physical security walkthroughs and document findings. This demonstrates operating effectiveness, not just the existence of a policy.
- Control visitor access to sensitive areas with documented authorization, escort requirements, and visitor logs that are retained for audit purposes.
The Common Thread: Documentation and Operating Effectiveness
Across all five categories, the most consistent finding is not that controls do not exist — it is that controls cannot be demonstrated to have operated effectively over the audit period. Auditors do not take your word for it. They require evidence: access review sign-offs, change tickets with approval timestamps, backup test results, physical access logs, and incident records. When that evidence is missing, the control fails — even if the underlying process is sound.
This is why building a structured compliance program matters more than any individual control implementation. Controls need to be embedded in repeatable processes, supported by trained staff, and verified through ongoing monitoring. A one-time configuration is not a control. A consistently executed, documented, and monitored process is.
For organizations looking to benchmark their current state before an audit, our IT general controls checklist outlines exactly what external auditors expect to see in 2026. If you want to understand how these controls interact with your specific regulatory obligations, our IT compliance services team works with organizations across defense, healthcare, and regulated industries to close gaps before they become findings.
Take the Next Step Before Your Next Audit
ITGC failures are costly, but they are fixable — provided you identify and address them before an auditor does. The organizations that consistently pass audits with minimal findings are not necessarily the ones with the most sophisticated technology. They are the ones with disciplined processes, consistent documentation habits, and executive-level commitment to compliance as an operational priority.
If you are not confident in the current state of your IT general controls, the time to act is now. Request a quote to discuss a controls assessment or compliance program review with the Cleared Systems team, or explore our engagement models to find the right fit for your organization's size and regulatory obligations. We have helped contractors, agencies, and healthcare organizations build defensible control environments — and we can help yours.
