What Are IT General Controls?
If you have ever sat through an audit and watched an external assessor dig into your access provisioning records, change management logs, or backup procedures, you have already encountered IT general controls in action. The term gets used often but rarely explained well. This guide cuts through the jargon so compliance managers, finance leaders, and executives at federal contractors and regulated organizations can speak to the topic with confidence.
IT general controls (ITGCs) are the foundational policies, procedures, and technical safeguards that ensure information systems operate reliably, securely, and in alignment with applicable regulatory requirements. They are called "general" because they apply broadly across systems and applications rather than to a single business process or software function. Think of them as the organizational bedrock upon which every other compliance control rests.
Without strong ITGCs, application-level controls — the ones that prevent duplicate payments, enforce segregation of duties in your ERP, or restrict access to sensitive health records — cannot be trusted. Auditors know this, and so do regulators.
Why IT General Controls Matter for Regulated Organizations
Whether your organization is subject to SOX, HIPAA, CMMC, DFARS, ISO 27001, or a combination of frameworks, ITGCs are evaluated in virtually every compliance audit. The reason is straightforward: if your underlying IT environment is poorly controlled, the outputs it produces cannot be relied upon for financial reporting, security attestation, or regulatory certification.
For defense contractors in particular, weak ITGCs can jeopardize contract eligibility. Our IT compliance services team regularly encounters organizations that have implemented strong application-layer controls only to receive audit findings because foundational IT controls were missing or inconsistently applied.
Finance teams have a direct stake in ITGCs as well. Under Sarbanes-Oxley (SOX), IT general controls are a mandatory component of the internal controls over financial reporting (ICFR) assessment. A deficiency in ITGC can escalate to a material weakness, triggering regulatory scrutiny and reputational damage.
The Four Core Categories of IT General Controls
While different frameworks and auditing standards may organize ITGCs slightly differently, most assessors organize them into four primary categories. Understanding each helps compliance teams prioritize remediation and demonstrate readiness.
1. Access Controls
Access controls govern who can access systems, data, and applications — and what they can do once inside. This category includes:
- User provisioning and deprovisioning processes
- Role-based access control (RBAC) design and enforcement
- Privileged access management (PAM) for administrators and service accounts
- Multi-factor authentication (MFA) requirements
- Periodic access reviews and recertification
Access controls are consistently among the most frequently cited ITGC deficiencies. Organizations often struggle with terminated employee accounts that remain active, excessive privileges granted for convenience, and missing documentation of who approved access and why. ISO 27001 addresses access control directly in Annex A, and CMMC Level 2 contains an entire access control domain with 22 practices.
2. Change Management Controls
Change management controls ensure that modifications to systems, applications, and infrastructure follow a documented, reviewed, and authorized process. Without them, unauthorized or untested changes can introduce errors into financial data or create security vulnerabilities that go undetected.
Key elements of change management ITGCs include:
- Formal change request and approval workflows
- Segregation of duties between developers and production environments
- Testing requirements before deployment
- Emergency change procedures with post-hoc review
- Audit trails for all changes deployed to production
SOX auditors pay close attention to whether the individuals who write code have the ability to promote it to production. If the same person can develop and deploy, that represents a segregation of duties failure that can result in a significant audit finding.
3. IT Operations Controls
IT operations controls address the reliability and continuity of the IT environment. They cover the day-to-day processes that keep systems running and data protected. This category typically includes:
- Backup and recovery procedures, with documented testing
- Job scheduling and monitoring for batch processes
- Incident management and escalation procedures
- Patch management and vulnerability remediation timelines
- System availability and performance monitoring
For organizations pursuing ISO 27001 certification or CMMC compliance, IT operations controls directly map to multiple control domains. A well-documented System Security Plan and POA&M will reference these operational controls extensively.
4. Program Development and Acquisition Controls
This category addresses the controls in place when new systems are built, purchased, or significantly modified. It ensures that security and compliance requirements are incorporated into the development lifecycle rather than bolted on after deployment.
- Requirements documentation and security review before development begins
- Vendor due diligence for third-party software acquisitions
- Security testing (including penetration testing) prior to go-live
- User acceptance testing (UAT) sign-off processes
- Post-implementation reviews
How IT General Controls Map to Major Compliance Frameworks
One of the most practical things compliance managers can do is understand how ITGCs translate across the frameworks their organization must satisfy. Most organizations we work with are subject to more than one regulatory requirement simultaneously.
ISO 27001
ISO 27001's Information Security Management System (ISMS) framework is built largely around the same disciplines that ITGCs address. Annex A controls covering access management, cryptography, physical security, operations security, and supplier relationships all have direct ITGC counterparts. Organizations pursuing ISO 27001 certification will find that a mature ITGC program accelerates the certification process significantly.
SOX (Sarbanes-Oxley)
For publicly traded companies and their technology service providers, ITGCs are explicitly required under Section 404 of SOX. External auditors from the PCAOB-registered firms will test ITGC design and operating effectiveness as part of the ICFR opinion. Weaknesses in access controls, change management, or computer operations can escalate to reportable deficiencies.
CMMC and NIST SP 800-171
Defense contractors subject to CMMC, CUI, and DFARS compliance requirements will find that the 14 domains of NIST SP 800-171 closely align with ITGC categories. Access control, configuration management, audit and accountability, and system and communications protection all represent ITGC-level disciplines. A contractor that has already formalized ITGCs will have a head start in closing CMMC gaps.
HIPAA
For healthcare organizations and their business associates, the HIPAA Security Rule's administrative, physical, and technical safeguards map directly to ITGC categories. Access controls, audit controls, and integrity controls under the Security Rule are IT general controls by another name. Organizations serving both healthcare and federal defense clients need ITGCs robust enough to satisfy both regulatory environments simultaneously.
Common ITGC Deficiencies We See in Practice
After years of working with defense contractors, federal agencies, and regulated enterprises, certain ITGC gaps appear repeatedly. Compliance managers should treat this list as a self-assessment starting point:
- Stale access accounts. Former employees, contractors, and vendors with active system credentials long after separation.
- Undocumented change approvals. Changes deployed to production without evidence of authorization or testing.
- Untested backups. Backup procedures exist on paper but restoration capability has never been verified.
- Insufficient privileged access controls. Administrator accounts shared across multiple individuals with no individual accountability.
- Missing patch management evidence. No documented process or tracking system to demonstrate timely patching of critical vulnerabilities.
- Lack of segregation of duties. The same individual can request, approve, and implement IT changes without any independent oversight.
Each of these deficiencies has appeared in real audit findings at organizations that believed they were in reasonable compliance. The gap between having a policy and demonstrating consistent operating effectiveness is where most organizations get caught.
Building a Defensible ITGC Program
A functional ITGC program is not a one-time project. It is an ongoing management discipline that requires executive sponsorship, documented procedures, regular testing, and a mechanism for remediating exceptions. Organizations serious about building this capability should consider whether they have the internal resources to do it well or whether a regulatory vCISO engagement would provide better coverage and accountability at lower total cost than a full-time hire.
The foundational steps to a defensible ITGC program include:
- Scoping the ITGC universe — identify which systems are in-scope based on regulatory requirements and risk significance.
- Documenting the current state of controls for each ITGC category.
- Performing a gap assessment against the applicable framework (ISO 27001, SOX, CMMC, HIPAA).
- Remediating control gaps and producing documentation evidence.
- Testing controls on a periodic schedule to verify operating effectiveness.
- Tracking exceptions and deficiencies through a formal POA&M or remediation register.
For organizations that need to build this structure from the ground up, our compliance program development service provides a structured engagement with clear deliverables and timelines.
IT General Controls and the Finance Team's Role
Finance leaders sometimes view ITGCs as an IT department concern. That perspective is a liability. CFOs, controllers, and internal audit functions have a direct interest in the strength of ITGCs because they underpin the reliability of financial data. If the ERP system lacks strong change management controls, you cannot assert with confidence that the financials produced by that system are free from unauthorized modification. External auditors and audit committees expect finance leadership to be engaged with ITGC risk — not just aware of it.
Ready to Strengthen Your IT General Controls?
IT general controls are the foundation of every compliance program worth defending. Whether you are preparing for a SOX audit, pursuing ISO 27001 certification, achieving CMMC compliance, or simply trying to reduce audit risk across your organization, the strength of your ITGCs will determine how your assessors view the reliability of everything built on top of them. Cleared Systems works with defense contractors, federal agencies, and regulated organizations to assess, build, and maintain IT general control programs that hold up under scrutiny. Request a quote to start a conversation about where your ITGC program stands and what it will take to get it where it needs to be.
