IT general control domains, framework alignment, and deficiency analysis.
This chapter covers the standard ITGC domains that support reliance on application controls and system output. ISC questions in this area often depend on understanding how broad technology controls support or undermine more specific financial or operational controls.
When answering an ITGC question, identify the control domain before analyzing the deficiency. Weak access, weak change control, weak development discipline, or unstable operations can undermine reliance on otherwise well-designed application controls.

| ITGC domain | What it supports | Common ISC trap |
|---|---|---|
| Access to programs and data | Limits unauthorized use, disclosure, and modification. | Testing application output while ignoring broad access weakness. |
| Program changes | Ensures changes are authorized, tested, approved, and migrated properly. | Assuming a correct current output proves change controls were effective. |
| Program development | Provides disciplined design, testing, sign-off, and implementation. | Treating development projects as separate from control reliability. |
| Computer operations | Supports complete, accurate, timely, and recoverable processing. | Ignoring batch failures, job monitoring, backups, and incident handling. |
| COSO and COBIT alignment | Connects ITGC domains to governance and control objectives. | Memorizing framework names without mapping them to control issues. |
| Deficiency mitigation | Evaluates whether a weakness affects reliance and what compensates for it. | Recommending a fix that does not address the failed domain. |

| Step | What to do | Why it matters on ISC |
|---|---|---|
| 1. Identify the affected ITGC domain | Classify the weakness as access, change, development, operations, governance alignment, or mitigation. | The domain determines what reliance problem the deficiency creates. |
| 2. Trace downstream reliance | Determine which applications, reports, automated controls, or data outputs depend on the weak control. | Broad ITGC failures can undermine multiple application controls. |
| 3. Evaluate severity and compensating controls | Decide whether the weakness is isolated, pervasive, mitigated, or still leaves exposure. | The conclusion depends on residual risk, not just the presence of a weakness. |
| 4. Match the remediation | Recommend access cleanup, change approval, monitoring, backup, development sign-off, or governance action that addresses the domain. | A remediation must solve the specific failure mode. |
| 5. Reassess evidence reliability | Decide whether system-generated evidence can still be used or needs additional validation. | ISC and audit questions often turn on whether reports and outputs remain reliable. |