HomeServicesAudit & AssuranceInformation Systems Audit (ISA) & IT General Controls (ITGC) Review

Audit & Assurance · Information Systems & IT Audit

Information Systems Audit (ISA) & IT General Controls (ITGC) Review

Every financial control in a modern business now runs through a system — an ERP posting rule, an access role, a batch job, an API integration.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Every financial control in a modern business now runs through a system — an ERP posting rule, an access role, a batch job, an API integration. If the technology layer underneath is not independently tested, no amount of manual control testing tells the full story. At PNPC Global, we conduct Information Systems Audits and IT General Controls (ITGC) reviews that examine the access, change-management, and operations layer your financial reporting, statutory audit, and regulatory obligations quietly depend on. We have supported Boards, Audit Committees, and statutory auditors across India and the UAE since 1986 — we test what actually runs in your environment, not a generic questionnaire response.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Information Systems Audit (ISA) & IT General Controls (ITGC) Review is

An Information Systems Audit (IS Audit) is an independent examination of an organisation's IT environment — infrastructure, applications, data, and the processes that govern them — to assess whether information systems are adequately controlled, secure, and aligned to business and regulatory requirements. IT General Controls (ITGC) review is its most common form in a financial-reporting context: a focused assessment of the controls that operate across an entire IT environment rather than within a single application — principally access management, change management, IT operations (backup, batch processing, incident management), and, where relevant, program development controls. ITGC matters because financial statement controls (three-way match in procurement, automated revenue recognition, system-calculated depreciation, segregation of duties enforced through ERP roles) are only as reliable as the IT environment that executes them. A well-designed approval matrix is meaningless if a developer can push an unauthorised change to the posting logic, or if a terminated employee's ERP access was never revoked.

In the Indian statutory context, ITGC sits inside the broader Internal Financial Controls (IFC) framework under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013. The Guidance Note on Audit of Internal Financial Controls Over Financial Reporting issued by the Institute of Chartered Accountants of India (ICAI) explicitly requires auditors to evaluate the general IT controls environment as part of forming an opinion on internal financial controls, because automated and IT-dependent manual controls cannot be relied upon if the general controls environment around them is weak. Standard on Auditing SA 315 (Identifying and Assessing the Risks of Material Misstatement) similarly requires the auditor to understand the entity's IT environment as part of understanding internal control relevant to the audit. For companies where the statutory auditor's own IFC opinion depends on placing reliance on system-generated reports and automated controls, a weak ITGC environment can cascade into extended substantive testing, audit qualifications, or reportable material weaknesses.

Beyond the audit-support use case, IS Audit is also commissioned as a standalone assurance and risk-management exercise — for regulated entities (banks, NBFCs, insurance companies, payment aggregators) where the Reserve Bank of India (RBI) and other regulators mandate periodic IS audit under specific circulars and master directions; for companies pursuing ISO/IEC 27001 certification, where an internal or external ITGC-style review is a natural precursor to the formal certification audit; for organisations that have suffered a security incident or data breach and need an independent root-cause and control-gap assessment; and for boards and Audit Committees that simply want independent assurance that the technology environment underpinning the business is not a silent point of failure. In each case, the review methodology is broadly similar — access controls, change management, IT operations, and (for regulated entities) cybersecurity and business continuity controls — but the depth, framework references, and reporting audience differ by context.

A rigorous ITGC/IS Audit engagement typically references one or more recognised frameworks — COBIT (Control Objectives for Information and Related Technologies) issued by ISACA for IT governance and control objectives, ISO/IEC 27001 for information security management systems, and, for RBI-regulated entities, the specific IS audit circulars and master directions the regulator has issued for that category of institution. The output is not a generic "IT is fine" letter — it is a control-by-control assessment (user access provisioning and de-provisioning, privileged access management, password and authentication policy, change management approval and testing discipline, backup and restore testing, batch job monitoring, incident and problem management, physical and environmental security of the data centre or cloud environment) with each gap rated by severity and mapped to the business or financial-reporting risk it creates, so that the Board, the Audit Committee, and — where relevant — the statutory auditor can rely on the work.

When an ISA / ITGC review is the right engagement

Your statutory auditor's IFC opinion under Section 143(3)(i) depends on placing reliance on ERP-driven controls, system-calculated figures, or automated three-way matches — a weak ITGC environment undermines that reliance and risks audit qualification

You are a bank, NBFC, payment aggregator, or other RBI-regulated entity subject to periodic Information Systems Audit under the applicable RBI master direction or circular for your category of institution

You are preparing for ISO/IEC 27001 certification, or need to demonstrate information security control maturity to an enterprise customer, investor, or regulator as part of a vendor security assessment

Your organisation has grown from a manual or spreadsheet-based finance function into a full ERP (SAP, Oracle, Microsoft Dynamics, Tally Prime with multi-user access, Zoho Books/NetSuite, or similar) and access controls have not kept pace with headcount growth

A recent security incident, suspected data breach, unauthorised access event, or ransomware exposure has occurred and the Board wants an independent root-cause and control-gap assessment, not just an IT team's internal account of events

You are consolidating multiple subsidiaries or business units on different ERP/IT platforms and the parent's statutory auditor needs assurance that each entity's IT control environment can be relied upon for group reporting purposes

Your internal audit function has flagged IT-related risk areas — segregation of duties conflicts within ERP roles, dormant or excessive privileged accounts, undocumented change management — that need a dedicated, deeper-dive IS Audit beyond the scope of a general internal audit cycle

Investors or lenders conducting technology and operational due diligence ahead of a funding round, acquisition, or credit facility have specifically asked for an independent IT controls assessment

When a lighter-touch alternative may fit better

Very early-stage business running on a single off-the-shelf accounting package with one or two users and no meaningful segregation-of-duties risk — a basic access-hygiene checklist within the accounting engagement is more proportionate than a formal ITGC engagement

Organisation has not yet implemented any ERP or centralised system and finance runs substantially on spreadsheets — the priority should be system implementation and basic control design, not a formal audit of controls that do not yet exist

You need a penetration test or vulnerability assessment of a specific application or network perimeter — that is a specialised cybersecurity/VAPT engagement with a different skill set and toolset than an ITGC review, though the two are complementary and often sequenced together

The immediate need is a one-time technology architecture review or software selection advisory ahead of an ERP implementation — that is a pre-implementation advisory engagement, not a post-implementation controls audit

Your only requirement is a management representation letter for a bank or tender that does not call for actual control testing — a narrower scoped confirmation may be sufficient without a full IS Audit

Structure Comparison

ISA / ITGC Review vs related audit and assurance engagements

FeatureISA / ITGC ReviewIFC Review (Financial Controls)Internal AuditVAPT / Cybersecurity AuditStatutory Audit (Sec 143)
Primary objectiveAssess design & effectiveness of IT general controls — access, change, operationsAssess design & effectiveness of controls over financial reporting (COSO-based)Assurance on risk management, governance, controls across all functionsIdentify technical vulnerabilities and exploitable weaknesses in systems/networkOpine on true & fair view of financial statements
Governing frameworkCOBIT (ISACA), ISO/IEC 27001, RBI IS audit circulars where applicableCOSO 2013 Internal Control – Integrated FrameworkStandards on Internal Audit (SIA) issued by ICAIOWASP, PTES, ISO 27001 Annex A controlsStandards on Auditing (SAs) issued by ICAI
Statutory basisFeeds Section 143(3)(i)/IFC opinion; mandatory for RBI-regulated entities per applicable circularSection 134(5)(e) — Board certification; Section 143(3)(i) — auditor reportingSection 138, Companies Act 2013 (mandatory for prescribed class of companies)Not mandated under Companies Act — driven by security policy, client, or regulatory requirementSection 139–147, Companies Act 2013
Who performs itIS-audit qualified CA/CISA professional or specialised technology risk teamIndependent CA firm or specialised risk advisory teamIn-house internal audit function or outsourced CA firm reporting to Audit CommitteeCertified ethical hackers / security testers, often with CA-firm technology risk teamsIndependent statutory auditor appointed under Sec 139
Scope focusAccess management, change management, IT operations, backup/DR, physical/environmental securityRevenue, procurement, payroll, treasury, financial close process controlsRisk-based — processes, controls, governance, compliance, IT, across the businessTechnical — exploitable vulnerabilities in applications, networks, and infrastructureFinancial statement assertions — accuracy, completeness, valuation
OutputITGC gap report, control matrix mapped to COBIT/ISO objectives, remediation roadmapRisk Control Matrix (RCM), gap report, remediation roadmap, management letterInternal audit reports to Audit Committee each quarter/half-yearVulnerability report with CVSS-rated findings and remediation guidanceAudit opinion + CARO report + Annexure on IFC (where applicable)
Mandatory for which entitiesRBI-regulated entities per specific master direction; effectively required wherever Sec 143(3)(i) relies on IT controlsEffectively mandatory support work for companies where Sec 143(3)(i) applies to the auditorListed companies, and public/private companies meeting prescribed capital/turnover/borrowing thresholds under Sec 138Not mandatory — increasingly expected by enterprise customers, investors, and cyber-insurersStatutory audit itself is mandatory for every company under Sec 139; only the auditor's IFC opinion under Sec 143(3)(i) is exempted for OPCs, small companies, and certain private companies below prescribed turnover/borrowing thresholds
Timing relative to year-endTypically pre-audit (Q3/Q4) so gaps are fixed before year-end IFC testingTypically conducted pre-audit (Q3/Q4) so gaps are fixed before year-end testingOngoing, throughout the yearAd hoc or periodic (annual/half-yearly) per security policyPost year-end, on completed financial statements
Relationship to statutory auditDirectly de-risks the auditor's reliance on IT-dependent and automated controlsFeeds directly into and de-risks the auditor's Sec 143(3)(i) opinion and CARO commentaryIndependent function; statutory auditor may place limited reliance on internal audit workGenerally outside statutory audit scope, though findings may be relevant to IFC risk assessmentThe audit itself
Typical engagement length3–8 weeks depending on number of applications/systems in scope4–10 weeks depending on process scope and entity sizeContinuous / cyclical through the year1–4 weeks per application or network segment testedConcurrent with year-end audit — several weeks to months

ISA/ITGC and IFC reviews are frequently run together, since IT general controls are a foundational input to the financial-controls opinion. Whether your organisation needs a standalone IS Audit, an ITGC component within a broader IFC review, or a regulator-mandated Information Systems Audit depends on your sector, regulatory status, and system landscape. A scoping conversation with a practising CA is the right starting point.

How it works
#Stage & What PNPC DoesCA Advice Portals Never GiveTimeline
1Scoping & Regulatory Mapping — understanding which framework governs your reviewWe first confirm which driver applies to you — Section 143(3)(i)/IFC support, an RBI IS audit circular specific to your category of regulated entity, ISO/IEC 27001 certification readiness, or a standalone Board-requested assurance review — because the applicable framework, evidence standard, and reporting format differ meaningfully across these drivers. A generic checklist vendor applies the same template regardless of which driver actually applies to you.Week 1
2IT Environment & Application Landscape MappingWe build a complete inventory of in-scope systems — ERP, core banking/lending system, payment gateway, HRMS, data warehouse, cloud infrastructure (AWS/Azure/GCP), and the interfaces between them — because ITGC risk concentrates at integration points and legacy systems that generic reviews often miss entirely.Week 1–2
3Entity-Level IT Governance AssessmentBefore testing individual controls, we assess IT governance at the entity level — is there a documented IT policy, an IT steering committee, a defined CISO/IT head with reporting line to the Board or Audit Committee, and a risk register that actually gets reviewed? A control matrix built without this foundation gives false comfort, the same way a financial control matrix without entity-level controls does.Week 2
4User Access Management Review — provisioning, de-provisioning, privileged accessWe test the full access lifecycle: is access granted only after documented approval, mapped to a defined role, and revoked promptly on transfer or exit? We specifically test for dormant accounts, shared/generic logins, and excessive privileged (admin/superuser) access — the single most common ITGC finding across Indian mid-market companies, and one that manual walkthroughs alone routinely miss because the access list itself is never pulled and reconciled against the current HR headcount.Week 2–3
5Segregation of Duties (SoD) Analysis Within ERP RolesA well-designed maker-checker control on paper is worthless if the same user's ERP role permits both creating a vendor master and approving a payment to that vendor. We extract the actual role-to-transaction mapping from the system and test for SoD conflicts — not just review the documented policy, which is frequently aspirational rather than descriptive of the live configuration.Week 3
6Change Management Review — application, infrastructure, and configuration changesWe test whether changes to applications, database configurations, or infrastructure follow a documented change request, approval, testing, and deployment process, with segregation between the developer/requester and the approver, and evidence retained for each change in the review period — not just a sample of two or three "clean" changes selected by the IT team itself.Week 3–4
7IT Operations Review — backup, batch processing, incident and problem managementWe test backup frequency, retention, and — critically — whether a restore has actually been tested (a backup that has never been restored is an unverified assumption, not a control), batch job monitoring and exception handling, and whether IT incidents are logged, triaged, and tracked to closure through a formal process rather than ad hoc WhatsApp messages to the IT team.Week 4
8Physical & Environmental Security AssessmentFor on-premise data centres or server rooms: access control logs, CCTV coverage, fire suppression, and environmental monitoring (temperature, humidity, power). For cloud-hosted environments, we review the shared-responsibility boundary and the client's own controls over cloud console access, key management, and configuration — since "it's in the cloud" is not itself a control.Week 4–5
9Cybersecurity & Regulatory-Specific Testing (Where Applicable)For RBI-regulated entities, we test against the specific circular applicable to that category of institution — covering areas such as cyber-security framework compliance, vendor/outsourcing risk management, and business continuity/disaster recovery testing. For entities pursuing ISO/IEC 27001, we map findings against the relevant Annex A control objectives to give a head start on formal certification readiness.Week 4–6
10Gap Classification — mapped to COBIT/ISO control objectives and financial-reporting riskEvery finding is classified by severity and explicitly mapped to the business or financial-reporting risk it creates — a dormant privileged account is not just an "IT hygiene" item, it is a fraud and unauthorised-transaction risk that the statutory auditor and Audit Committee need framed in those terms, not buried in technical jargon.Week 5–6
11Draft Report & Process Owner ValidationWe walk every finding through with the IT team and relevant process owners before finalising the report — both to validate the facts (system configurations can be misread without the right context) and to begin remediation planning immediately rather than after a surprise report lands on the CIO's desk.Week 6–7
12Remediation Roadmap — prioritised, owner-assigned, dated action planA list of ITGC gaps without a remediation plan and named owner simply recurs next year — and, for RBI-regulated entities, an unremediated finding from a prior IS audit cycle draws heightened regulatory scrutiny. We build a dated roadmap with interim compensating controls flagged for any material weakness pending permanent fix.Week 7
13Audit Committee / Board Presentation and Statutory Auditor HandoverWe present findings directly to the Audit Committee or Board, and — where the review is intended to support the year-end statutory audit — hand over our workpapers and testing evidence directly to the statutory auditor's team in the format they need to place reliance on the work, avoiding duplicate testing effort and audit fee escalation.Week 7–8

Realistic timeline: 3–4 weeks for a focused single-ERP ITGC review at a mid-sized company; 6–8 weeks for a multi-entity or RBI-regulated engagement covering core banking/lending systems, cybersecurity framework compliance, and business continuity testing. Timelines depend materially on the number of in-scope applications, the quality of existing IT documentation, and the responsiveness of the client's IT team in extracting system-generated access and change logs.

Document Checklist
IT Governance & Policy Documents

Board-approved IT policy / Information Security Policy, and evidence of periodic review

IT organisation chart — CISO/IT Head, reporting lines to Board/Audit Committee, and defined roles and responsibilities

IT risk register and any prior internal audit, ITGC, or ISO 27001 gap assessment reports, with closure status

List of all in-scope applications, systems, and cloud environments — ERP, core system, payment gateway, HRMS, data warehouse, and key integrations between them

Vendor/outsourcing register for any IT services, data processing, or infrastructure hosted or managed by third parties

User Access Management

Current user access list for each in-scope system, with role/privilege level for every user

Access request, approval, and provisioning records for new joiners and role changes during the review period

Employee exit list from HR, cross-referenced against system de-provisioning timestamps for the same period

List of privileged/administrator accounts, with justification for each and evidence of periodic access recertification

Password policy configuration and evidence of enforcement (complexity, expiry, multi-factor authentication settings)

Change Management Records

Change management policy/SOP describing the request, approval, testing, and deployment process

Log of all application, configuration, and infrastructure changes made during the review period, with approver identity and date

Evidence of testing/UAT (user acceptance testing) sign-off prior to production deployment for a sample of changes

Emergency/break-glass change records, if any, with post-facto approval and justification

IT Operations & Business Continuity

Backup policy, backup logs/schedule for the review period, and evidence of at least one restore test performed

Batch job schedule and exception/failure logs, with evidence of monitoring and resolution

Incident and problem management log — security incidents, system outages, and their resolution timeline

Business Continuity Plan (BCP) and Disaster Recovery (DR) plan, with evidence of the last DR drill/test performed

Data centre or cloud hosting agreement, and — for cloud environments — the shared-responsibility matrix with the cloud provider

Segregation of Duties & System Configuration

ERP/system role definitions and the transaction codes or permissions mapped to each role

Any existing SoD conflict matrix or rule set configured within the ERP (e.g., GRC modules in SAP/Oracle), if in use

Sample of key automated/system controls relied upon for financial reporting — three-way match configuration, system-calculated depreciation, automated revenue recognition rules — with configuration evidence

List of interfaces between systems (e.g., e-commerce platform to ERP, payroll to accounting) with reconciliation controls documented

Regulatory & Compliance-Specific (Where Applicable)

RBI IS audit circular/master direction applicable to your category of regulated entity, and any prior RBI inspection or IS audit observations

ISO/IEC 27001 Statement of Applicability (SoA) and internal audit reports, if the organisation already holds or is pursuing certification

Data protection and privacy policy, and any Digital Personal Data Protection Act, 2023 (DPDP Act) compliance documentation relevant to personal data processed within in-scope systems

Cyber-insurance policy documentation and any breach notification or incident-reporting obligations applicable to the entity's sector

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Scoping & Readiness (Week 1–2)Engagement kick-off — statutory driver, regulatory mandate, or Board request identifiedConfirm the governing framework (IFC support, RBI circular, ISO 27001 readiness, or standalone assurance), map the full application landscape, and assess IT governance maturity before any control testing begins.Scoping the wrong framework wastes engagement time and produces a report the statutory auditor or regulator cannot rely on, forcing a repeat exercise.
Access & Change Testing (Week 2–4)Fieldwork beginsFull-population extraction and testing of user access lists, privileged accounts, joiner/leaver reconciliation, SoD conflicts within ERP roles, and change management records — not a token sample selected by the IT team.Dormant privileged accounts and unrevoked exit access are the most common vector for unauthorised transactions and fraud; undocumented changes undermine the statutory auditor's ability to rely on system-generated financial figures.
Operations, BCP/DR & Physical Security (Week 4–5)Fieldwork continuesBackup restore testing (not just backup completion logs), batch monitoring review, incident management assessment, and — for on-premise environments — physical/environmental security walkthrough.An untested backup is an unverified assumption; a business disruption without a tested DR plan can halt operations and financial reporting for an extended, unplanned period.
Reporting & Remediation (Week 6–8)Fieldwork completeFindings classified by severity and mapped to financial-reporting or regulatory risk, validated with process owners, and converted into a dated remediation roadmap with named owners before Audit Committee presentation.Unclassified or unranked findings get deprioritised by management; an unremediated finding carried into the next statutory audit or RBI inspection cycle draws materially heightened scrutiny.
Statutory Audit HandoverYear-end audit beginsWorkpapers and testing evidence shared directly with the statutory auditor's team in a format that supports reliance on the ITGC work, reducing duplicate testing and controlling audit fee escalation.Statutory auditor unable to place reliance re-performs testing independently — extending audit timelines, increasing audit fees, and risking a qualified IFC opinion if gaps surface late in the audit cycle.
Regulatory Filing (RBI-Regulated Entities)Annual or periodic IS audit due under applicable RBI circularIS audit report finalised and filed per the timeline and format prescribed by the relevant RBI master direction for that category of regulated entity, with Board/Audit Committee sign-off documented.Missed or inadequate IS audit filing can trigger regulatory scrutiny, supervisory action, or restrictions specific to the regulated entity's licence conditions.
Annual Refresh & Continuous MonitoringNext audit cycle or material IT environment changeRisk assessment and scope refreshed for new systems implemented, cloud migrations, or M&A-driven IT integration since the last review; prior-cycle findings re-tested for actual closure, not just management assertion.A static, unchanged scope misses new risk introduced by system changes; unverified 'closed' findings that were never actually remediated resurface — often discovered by the statutory auditor or regulator instead of by the company.
Frequently asked
What is the difference between an Information Systems Audit and an IT General Controls (ITGC) review?

Information Systems Audit (IS Audit) is the broader term — an independent examination of an organisation's IT environment covering governance, security, applications, infrastructure, and data. ITGC review is typically the specific subset of an IS Audit that focuses on controls operating across the entire IT environment (access management, change management, IT operations) rather than within a single application — and is the form most directly relevant to financial-reporting reliance under Section 143(3)(i) of the Companies Act. In practice, an ITGC review is one component of a fuller IS Audit; the two terms are often used together because the scope substantially overlaps for most engagements.

Practitioner noteWhen a client asks for 'an IT audit', we always start by clarifying which driver applies — statutory IFC support, an RBI mandate, ISO 27001 readiness, or general assurance — because the term is used loosely in the market and the right scope differs meaningfully by driver.
Is ITGC review mandatory for our company, or is it only relevant for banks and NBFCs?

There is no standalone Companies Act section that makes ITGC review mandatory by name. It becomes effectively necessary wherever Section 143(3)(i) requires your statutory auditor to opine on the adequacy and operating effectiveness of internal financial controls, and your financial reporting relies on automated or IT-dependent manual controls — which is the case for the large majority of companies running any ERP today. Separately, it is directly mandatory (in the sense of being required under specific regulatory circulars) for RBI-regulated entities — banks, NBFCs, payment aggregators, and similar categories — under the applicable master direction for that category of institution.

Practitioner noteWe have seen companies assume ITGC is 'a bank thing' and skip it entirely, only to have their statutory auditor extend the year-end audit timeline and fees significantly because system-generated figures could not be relied upon without independent IT control testing.
We are a mid-sized private company using Tally or Zoho Books with a handful of users. Do we really need a formal ITGC review?

It depends on scale and reliance, not just the software name. A single-entity company with two or three users on a straightforward accounting package and no meaningful segregation-of-duties risk generally does not need a formal COBIT/ISO-referenced ITGC engagement — a lighter access-hygiene review within the regular audit or accounting engagement is proportionate. The calculus changes once you add multiple locations, multiple users with differentiated roles, integrations to e-commerce or payment systems, or investor/lender requirements for control assurance.

Practitioner noteWe scope this honestly. If a full ITGC engagement is disproportionate to your risk profile, we say so and recommend the lighter-touch alternative — a generic package sold regardless of fit does not serve the client well.
What framework does PNPC use for ITGC and IS Audit engagements?

We reference COBIT (Control Objectives for Information and Related Technologies), issued by ISACA, as the primary control-objective framework for ITGC engagements, since it maps cleanly to the IT governance and control domains referenced in the ICAI Guidance Note on Audit of Internal Financial Controls. For engagements focused on information security maturity or ISO/IEC 27001 certification readiness, we additionally map findings against the relevant ISO 27001 Annex A control objectives. For RBI-regulated entities, we test against the specific circular or master direction applicable to that category of institution.

Practitioner noteFramework choice is not cosmetic — it determines the vocabulary and structure the statutory auditor or regulator expects in the final report. We agree the framework mapping upfront during scoping, not after fieldwork is complete.
How does ITGC review relate to our statutory auditor's work — will it reduce our audit fees or timeline?

Where an ITGC review is completed before year-end fieldwork and the statutory auditor is satisfied with the scope, methodology, and evidence, the auditor may place reliance on the work to reduce the extent of their own IT-related substantive testing — which can help control fee escalation and compress the audit timeline. This is not automatic: the statutory auditor independently assesses whether to rely on any third-party work, including our own, based on their own risk assessment and professional judgement under the applicable Standards on Auditing.

Practitioner noteWe coordinate directly with the statutory auditor's team during scoping — even when PNPC is not the statutory auditor — specifically so our workpapers are built in a form they can actually use, rather than discovering post-fieldwork that the format does not meet their evidentiary needs.
Can PNPC perform an ITGC review if PNPC is also the statutory auditor for the same company?

Independence rules under the Companies Act and the ICAI Code of Ethics restrict a statutory auditor's ability to provide certain non-audit services to the same audit client, and the specific restrictions depend on the client's listing status and the nature of the service. Where PNPC is the statutory auditor, we assess independence requirements before agreeing to also perform an ITGC review for the same entity, and in some cases will recommend a different qualified firm perform the ITGC work to preserve auditor independence — particularly for listed companies and companies meeting the thresholds under Section 144 of the Companies Act.

Practitioner noteWe flag this proactively rather than waiting for a client or regulator to raise it. Independence is not a formality to us — a compromised independence position undermines the very assurance the client is paying for.
What does PNPC actually test during a user access review, beyond just requesting the access list?

We extract the current, system-generated user access list (not a manually maintained spreadsheet that may be stale) for every in-scope system, cross-reference it against the current HR headcount to identify access held by employees who have since exited, review the approval trail for access granted during the review period, identify dormant accounts that have not logged in for an extended period, and specifically test privileged/administrator accounts for business justification and periodic recertification. This is full-population testing wherever the system allows extraction, not a small manually-selected sample.

Practitioner noteUnrevoked access for exited employees is, in our experience, the single most frequently identified ITGC finding across mid-market Indian companies. It is also one of the easiest to remediate once flagged — the gap is almost always a missing process trigger between HR exit processing and IT de-provisioning, not a technology limitation.
What is segregation of duties (SoD) testing within an ERP, and why does it need a specialist rather than a general auditor?

SoD testing examines whether a single user's system role permits them to perform conflicting functions that should be split between two people — for example, creating a vendor master record and approving payment to that same vendor, or posting a journal entry and approving it. Testing this properly requires extracting the actual role-to-transaction-code mapping configured in the system (SAP, Oracle, or similar) and analysing it for conflicts — a documented policy statement that 'maker and checker are separate' is not evidence that the system configuration actually enforces it. This requires familiarity with how ERP role and authorisation objects are structured, which is a distinct skill set from general financial statement auditing.

Practitioner noteWe have found SoD conflicts in systems where the client's own IT team genuinely believed the roles were properly segregated — the conflict existed several authorisation layers deep in a custom role that was cloned from a standard role years earlier and never re-reviewed.
What counts as a 'material weakness' versus a 'significant deficiency' versus a 'control deficiency' in ITGC findings?

These classifications follow the same severity framework used in the broader IFC review context. A Control Deficiency exists when a control is designed or operating in a way that does not allow timely prevention or detection of a misstatement, but the impact is limited. A Significant Deficiency is a deficiency, or combination of deficiencies, that is less severe than a material weakness but merits attention by those responsible for governance. A Material Weakness is a deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. ITGC findings are classified using this same scale because ITGC gaps ultimately create financial-reporting risk, not just an operational IT inconvenience.

Practitioner noteWe deliberately frame ITGC findings in financial-reporting-risk language, not just technical IT language — a Board or Audit Committee member without a technology background needs to understand why a dormant admin account matters to the integrity of the balance sheet, not just that it is 'a security best-practice gap'.
How long does a typical ISA/ITGC engagement take, and what does it depend on?

A focused ITGC review at a single-entity company running one ERP typically takes 3–4 weeks from scoping to final report. A multi-entity engagement, or one involving a core banking/lending system with RBI-specific cybersecurity and business continuity testing, typically runs 6–8 weeks. The main variables are the number of in-scope applications and integrations, the quality and completeness of existing IT documentation, and — most significantly in our experience — how quickly the client's IT team can extract system-generated access and change logs rather than relying on manually maintained records.

Practitioner noteThe single biggest timeline driver we see is not our fieldwork pace — it is how quickly the client's IT team can pull clean, system-generated data extracts. We share the exact extract specifications on Day 1 to avoid weeks of back-and-forth over incomplete exports.
Do you test cloud environments (AWS, Azure, GCP) the same way as on-premise data centres?

No — the testing approach differs because responsibility is shared with the cloud provider. For cloud environments, we review the shared-responsibility boundary (the provider secures the underlying infrastructure; the client remains responsible for configuration, access management, and data within their environment), and focus our testing on client-side controls — cloud console/IAM access management, key and secrets management, security group and network configuration, and logging/monitoring of the cloud environment. For on-premise data centres or server rooms, we additionally test physical access controls, environmental monitoring, and fire suppression systems, which are not relevant in a cloud context.

Practitioner note"It's in the cloud, so it's secure" is a phrase we hear often and gently push back on every time. Cloud misconfiguration — an overly permissive IAM policy or an exposed storage bucket — is one of the most common findings in cloud-hosted ITGC reviews, and it is entirely the client's responsibility, not the cloud provider's.
What RBI circulars or master directions govern IS Audit for regulated entities?

RBI has issued sector-specific master directions and circulars covering information security, cyber-security frameworks, and IS audit requirements for different categories of regulated entities — including banks, NBFCs, and payment system operators — with the specific requirements, frequency, and reporting format varying by the category and risk profile of the institution. Because these requirements are periodically updated by RBI and differ by entity category, we confirm the current applicable circular for your specific licence category and asset size at the start of every regulated-entity engagement rather than relying on a generic checklist.

Practitioner noteRBI's regulatory framework for IS audit has evolved over time and continues to be refined for different categories of regulated entities. We treat 'confirm the current applicable circular for this specific entity' as a mandatory first step on every regulated engagement — not an assumption carried over from a prior year's scope.
Does an ITGC review help with ISO/IEC 27001 certification, or are they completely separate exercises?

They are related but distinct. ISO/IEC 27001 is a formal Information Security Management System (ISMS) standard, and certification requires an accredited certification body to conduct the actual certification audit — PNPC does not issue ISO 27001 certificates. However, an ITGC review substantially overlaps with several ISO 27001 Annex A control domains — access control, operations security, and physical security among them — so a well-executed ITGC review gives an organisation a meaningful head start and gap-closure runway ahead of a formal certification audit, reducing the risk of nonconformities being raised for the first time by the certification body.

Practitioner noteWe are explicit with clients that we support ISO 27001 readiness — we do not certify. Any firm that offers to both prepare you for certification and issue the certificate itself has a conflict of interest worth questioning.
What is the difference between ITGC review and a penetration test (VAPT)?

ITGC review assesses whether governance processes and controls — access approval, change management, backup discipline — are properly designed and consistently followed. A penetration test (or Vulnerability Assessment and Penetration Testing, VAPT) is a technical exercise that actively attempts to identify and, in a controlled manner, exploit technical vulnerabilities in a specific application, network, or system. They are complementary rather than substitutes: an organisation can have well-documented, consistently followed change-management processes (a strong ITGC finding) and still have an unpatched, exploitable vulnerability in a public-facing application (a VAPT finding), or vice versa.

Practitioner noteWe often recommend the two be sequenced — ITGC first to establish governance maturity, VAPT second to technically validate the perimeter — but they answer different questions and neither substitutes for the other.
Our IT team says our systems are secure because we have never had an incident. Is that a reasonable basis to skip an ITGC review?

The absence of a known incident is not evidence of control adequacy — it may equally mean an incident occurred and was not detected, given weak monitoring and logging, which is itself one of the more common ITGC findings we identify. Control testing exists precisely because self-assessment by the team responsible for operating the controls carries an inherent bias, however well-intentioned. An independent review tests actual configuration and evidence, not the operating team's own confidence in their environment.

Practitioner noteWe have, more than once, identified a genuine security incident during ITGC fieldwork that the client's own IT team was unaware had occurred — surfaced through anomalies in access logs or unexplained configuration changes that nobody had reviewed until we asked for the raw log extract.
What documentation should we prepare before the ITGC review begins to avoid delays?

The most time-saving preparation is having your IT team ready to extract, rather than manually compile, system-generated data: current user access lists per system, privileged account lists, the change log for the review period, backup logs, and batch job exception logs. Alongside this, gather your Board-approved IT policy (if one exists), the current HR headcount/exit list for cross-referencing against access, and any prior internal audit or ITGC findings with their closure status. We provide a detailed document and data-extract request list at engagement kick-off, tailored to your specific application landscape.

Practitioner noteThe single biggest timeline saver is having IT pull raw system exports rather than a manually maintained spreadsheet 'summary' — manual summaries are frequently stale or incomplete, and we end up re-requesting the raw extract regardless, which costs a week of back-and-forth that could have been avoided.
Can a startup with a lean IT team realistically implement the remediation you recommend?

Yes, and we design the remediation roadmap with exactly that constraint in mind. For organisations with limited IT headcount, we prioritise findings by risk severity and recommend proportionate, often low-cost fixes first — enforcing a documented joiner/leaver access checklist, enabling multi-factor authentication on privileged accounts, scheduling a periodic access recertification — rather than prescribing an enterprise-grade control framework that assumes a much larger IT function. Compensating controls are explicitly considered where a full technical fix is not immediately feasible.

Practitioner noteA remediation roadmap the client cannot realistically execute is not useful advice — it is a document that sits in a drawer. We calibrate every recommendation to the organisation's actual operating capacity, and revisit the roadmap the following cycle to see what genuinely got implemented.
How does PNPC handle sensitive findings — for example, evidence suggesting a specific individual bypassed a control?

Any finding suggesting potential misconduct, fraud, or deliberate control circumvention by a specific individual is escalated confidentially and promptly to the Audit Committee or the Board (not routed through the process owner or department implicated), consistent with our professional obligations. Where the evidence suggests a matter requiring specialist investigation beyond the scope of an ITGC review — such as a suspected deliberate fraud — we recommend a dedicated forensic engagement rather than attempting to investigate it within the ITGC scope, which is designed for control assessment, not evidentiary fraud investigation.

Practitioner noteWe draw this boundary deliberately. ITGC testing can surface an anomaly consistent with misconduct, but converting that anomaly into a defensible, evidentiary finding requires forensic methodology and, often, legal coordination that sits outside a standard ITGC engagement scope.
Is a review of our WhatsApp-based or email-based approval process considered a valid control?

It can be, provided the approval is documented, retained, and traceable to a specific approver and decision — but email or messaging-app approvals are inherently weaker evidence than a system-enforced workflow approval, because they are easier to fabricate, backdate, or lose, and typically lack any system-enforced segregation of duties. We assess these as a design gap in most cases and recommend migrating critical approvals (payment release, vendor master changes, user access grants) into the ERP's native workflow wherever the system supports it.

Practitioner noteWe see this constantly in fast-growing companies that scaled process discipline slower than headcount — the underlying decision-making is often genuinely sound, but the evidence trail is not defensible under audit scrutiny, and that gap is what gets flagged.
What happens if the ITGC review identifies a material weakness right before our year-end statutory audit?

We flag material weaknesses to management and the Audit Committee as soon as they are identified during fieldwork — not held back for the final report — specifically so remediation, or at minimum an interim compensating control, can be put in place before year-end testing by the statutory auditor. A material weakness identified and disclosed proactively, with a credible remediation plan already underway, is viewed very differently by a statutory auditor and by the Audit Committee than the same weakness discovered independently and for the first time during year-end audit fieldwork.

Practitioner noteTiming matters enormously here. We deliberately front-load testing of the highest-risk areas — access and change management — earlier in the engagement precisely so there is runway to remediate before the statutory audit begins.
Does PNPC provide ongoing ITGC monitoring, or is this strictly a point-in-time review?

Both models are available. A point-in-time review is appropriate for a first-time engagement, a specific regulatory filing, or ISO 27001 readiness. For companies where IT controls need continuous assurance — particularly those with PE investors, lending covenants, or RBI regulatory obligations — we offer an ongoing programme with periodic (typically half-yearly or annual) re-testing cycles, tracked findings closure, and updated scope as new systems or integrations are added to the environment.

Practitioner noteWe generally recommend at least an annual re-test even for companies without a strict regulatory mandate — IT environments change fast, and a control environment assessed as adequate 18 months ago is not a reliable indicator of the current state.
What is the realistic cost range for an ISA/ITGC engagement, and what drives the fee?

Fees are driven primarily by the number of in-scope applications, the complexity of the IT environment (single ERP versus multiple integrated systems), whether regulatory-specific testing (RBI circular compliance, for example) is required, and the entity's size and transaction volume. Because these variables differ so significantly between a single-location mid-market company and a multi-entity regulated financial institution, we do not quote a standard fee without first completing the scoping conversation — but we always confirm the engagement fee in writing before fieldwork begins.

Practitioner noteWe are transparent that we are not the cheapest checklist-driven provider in the market. What a client is paying for is testing that a statutory auditor and, where relevant, a regulator can actually place reliance on — a superficial review that gets rejected or re-performed costs more in the end than doing it properly once.
Can PNPC support both the India entity and a related UAE entity's IT controls review under one engagement?

Yes. For groups with operations in both India and the UAE, we coordinate the review across both entities from our Chennai/Bangalore/Hyderabad and Dubai offices under a single engagement, which is particularly useful where a shared ERP instance, shared IT infrastructure, or a common cloud environment spans both jurisdictions. UAE-specific regulatory requirements — including sector-specific cybersecurity requirements set by UAE regulators for financial and other regulated entities — are assessed separately by our Dubai team where applicable, alongside any India-specific requirements.

Practitioner noteGroups running one shared ERP instance across an Indian and a UAE entity often assume a single review covers both jurisdictions' requirements — it frequently does not, because the regulatory drivers differ. We flag this distinction explicitly during scoping rather than let a client discover the gap later.
What is the ICAI Guidance Note on Audit of Internal Financial Controls Over Financial Reporting, and why does it matter for ITGC?

It is guidance issued by the Institute of Chartered Accountants of India to help statutory auditors form and support their opinion under Section 143(3)(i) of the Companies Act on whether a company has an adequate internal financial controls system operating effectively. The guidance explicitly addresses the role of IT general controls as a foundation for reliance on automated and IT-dependent manual controls — meaning an auditor cannot reasonably conclude financial controls are effective if the underlying IT environment (access, change management) has not been assessed. This is the direct link between ITGC work and the statutory IFC opinion your Board must ultimately stand behind.

Practitioner noteWe reference this Guidance Note explicitly in our ITGC reports for companies where the review is intended to support the statutory audit, so the statutory auditor's team can map our work directly against the evidentiary standard they are applying.
How does the Digital Personal Data Protection Act, 2023 (DPDP Act) intersect with an ITGC or IS Audit engagement?

The DPDP Act establishes obligations for entities processing personal data of individuals in India — including consent management, data security safeguards, and breach notification. While DPDP compliance is a distinct legal obligation from ITGC/IS Audit, there is meaningful overlap: access controls, encryption, and incident management practices tested during an ITGC review are also foundational to DPDP's 'reasonable security safeguards' requirement. Where personal data is processed within in-scope systems, we flag relevant DPDP-related observations as part of the review, though a dedicated DPDP compliance assessment is a distinct and more comprehensive engagement.

Practitioner noteThe DPDP Act's rules and enforcement mechanisms have continued to be operationalised progressively, and specific compliance timelines and obligations depend on the entity's data processing role and volume. We recommend clients treat DPDP as a related but separate compliance track, not something a standard ITGC review fully discharges.
What if our ITGC review finds that our IT vendor (outsourced IT support or SaaS provider) is the source of the control gap, not us?

We test both your organisation's own controls and, where feasible, request evidence of the outsourced vendor's relevant controls — for example, a SOC 1 or SOC 2 report if the vendor produces one, or direct confirmation of their access-management and change-management practices. Where a vendor will not or cannot provide adequate assurance, this itself becomes a reportable finding, because outsourcing an IT function does not outsource the accountability for the control — your Board remains responsible for the adequacy of controls over your financial reporting regardless of who operates the underlying system.

Practitioner noteWe have encountered outsourced IT vendors who resist providing any control evidence at all. That resistance is itself a red flag worth escalating to the Board — a vendor relationship without basic control transparency is a governance risk independent of whatever the vendor's actual practices are.
Do you test controls over spreadsheet-based reporting (Excel models used for consolidation, valuation, or MIS)?

Yes, where spreadsheets are used for material financial reporting purposes — such as group consolidation, complex valuation models, or key MIS feeding into the financial statements — we assess End-User Computing (EUC) controls: version control, access restriction, formula integrity checks, and independent review before the output is used. Spreadsheets sit outside the core ERP's system-enforced controls and are a frequently under-controlled area, since they can be altered by anyone with file access and without any audit trail unless specific EUC discipline is imposed.

Practitioner noteGroup consolidation spreadsheets are a recurring finding area for us — a single formula error or an overwritten hardcoded value in a master consolidation file can misstate group financials, and without version control or a locked/reviewed master copy, the error is often undetectable until it surfaces downstream.
What is the role of the Audit Committee in an ISA/ITGC engagement?

The Audit Committee (or the Board, where no Audit Committee is mandated) is the primary governance recipient of the ITGC review — approving the scope where relevant, receiving the findings and severity classification directly from the review team, and holding management accountable for the remediation roadmap. This mirrors the reporting-line design used for internal audit, and is intended to preserve independence: findings are not filtered through the same IT management whose controls are being assessed before reaching the body responsible for oversight.

Practitioner noteWe insist on presenting material and significant findings directly to the Audit Committee ourselves wherever the engagement structure allows it, rather than having management summarise our findings on our behalf — the framing and emphasis can shift meaningfully in that handoff.
Can an ITGC review be performed remotely, or does PNPC need physical access to our server room and offices?

Access management, change management, and IT operations testing can largely be performed remotely through secure access to system-generated data extracts, screen-shares for configuration walkthroughs, and video-based interviews with IT and process owners. Physical and environmental security testing of an on-premise data centre or server room does require an on-site visit, since CCTV coverage, fire suppression, and physical access controls cannot be meaningfully assessed remotely. For cloud-only environments, the engagement can typically be conducted fully remotely.

Practitioner noteWe plan the on-site component (if any) around a single focused visit rather than repeated trips — most of the substantive testing genuinely does not require physical presence once the right data extracts and access are arranged.
How does PNPC ensure the confidentiality of sensitive system access data and vulnerability information gathered during the review?

All system access lists, configuration details, and findings are handled under our standard client confidentiality obligations and, for sensitive technical findings such as unremediated access gaps, are communicated through secure channels rather than plain email attachments where the sensitivity warrants it. Draft reports identifying specific control weaknesses are shared only with the agreed engagement contacts and the Audit Committee — not broadly circulated — until remediation is substantially underway, to avoid the findings themselves becoming a roadmap for misuse before they are fixed.

Practitioner noteWe are deliberate about not creating a single unencrypted document listing every open control gap in an organisation's environment and circulating it widely — the report itself, until remediated, is sensitive information that needs to be handled with the same discipline we are recommending the client apply to their own systems.
What is the single most common finding PNPC identifies across ITGC engagements in the Indian mid-market?

Access management gaps — specifically, terminated or transferred employees whose system access was not promptly revoked, and privileged/administrator accounts with no documented business justification or periodic recertification. This consistently outranks change-management or backup-related findings in both frequency and severity, largely because the process trigger connecting HR exit processing to IT de-provisioning is often informal or entirely absent, even in companies with otherwise reasonably mature finance controls.

Practitioner noteIf a company can only afford to fix one thing before their next audit or regulatory filing, we tell them: fix the joiner/leaver access process first. It is the highest-frequency, highest-risk, and — relative to most other ITGC remediation items — genuinely the cheapest and fastest to correct.
Why should we engage PNPC rather than a pure-technology IT audit firm or a Big 4 for this review?

A pure-technology firm can test technical controls competently but often lacks the statutory-audit and Companies Act context needed to frame findings in the language your Board, Audit Committee, and statutory auditor actually need — material weakness classification, Section 143(3)(i) implications, CARO commentary risk. A large firm brings brand recognition but often at a cost and turnaround timeline disproportionate to a mid-market engagement, with more junior staff doing the actual fieldwork. PNPC combines practising-CA statutory audit context with dedicated IS-audit expertise, sized appropriately for mid-market and growth-stage companies, and backed by four decades of practice across India and the UAE.

Practitioner noteWe are not the right fit for every engagement — a Fortune 500 multinational with an in-house Big 4 relationship across dozens of jurisdictions has different needs than the clients we serve best. For India- and UAE-focused mid-market and growth-stage companies, we believe the combination of statutory-audit fluency and IS-audit depth is genuinely differentiated.
Why PNPC Global

PNPC Global vs typical alternatives for ISA / ITGC engagements

DimensionPNPC GlobalGeneric IT Audit VendorBig 4 / Large FirmIn-House IT Team Self-Assessment
Statutory-audit contextDeep — practising CA firm, findings framed for Sec 143(3)(i)/IFC relianceOften limited — technically focused, weak Companies Act framingStrong, but at premium pricing and slower turnaround for mid-market scopeNone — no independent assurance value
IS-audit / COBIT / ISO depthDedicated technology risk expertise alongside audit practiceVariable — depends heavily on individual vendorStrong, typically delivered by a separate specialist teamLimited to whatever the internal team already knows
Regulatory (RBI) familiarityDirect experience with applicable circulars for regulated-entity categoriesInconsistent — not all vendors specialise in regulated entitiesStrong, but engagement minimums may not suit smaller regulated entitiesInternal — no independent regulatory assurance
Turnaround for mid-market scope3–8 weeks, sized to the engagementFast, but often superficial checklist-based testingCan be slower and costlier relative to engagement sizeImmediate, but carries no independence or assurance value
India–UAE coordinationSingle engagement across both jurisdictions via Chennai/Bangalore/Hyderabad + Dubai officesRarely offered as a coordinated serviceAvailable, but typically via separate regional teams with handoff frictionNot applicable
Remediation partnershipNamed-owner roadmap, re-tested at next cycle, direct auditor handover supportReport delivered; follow-through often limitedThorough, but follow-up cycles priced as separate engagementsNo independent verification of remediation
Fee transparencyScoped and confirmed in writing before fieldwork beginsVaries — sometimes bundled with unclear inclusionsGenerally transparent but priced at large-firm rate cardsNo fee, but also no assurance value

This comparison reflects typical positioning in the Indian mid-market. The right fit for your organisation depends on your regulatory category, group structure, and existing statutory auditor relationship — we are happy to have that conversation directly and recommend against engaging us where we are not the best fit.

What the PNPC package includes

  1. 01

    Scoping and regulatory-driver mapping — confirming whether IFC support, RBI mandate, ISO 27001 readiness, or standalone assurance governs your engagement

  2. 02

    Full IT environment and application landscape inventory, including cloud and third-party integrations

  3. 03

    Entity-level IT governance assessment — policy, reporting lines, risk register maturity

  4. 04

    Full-population user access review with joiner/leaver reconciliation against current HR records

  5. 05

    Privileged/administrator account review and recertification assessment

  6. 06

    Segregation of duties (SoD) analysis within actual ERP role configurations, not just policy documents

  7. 07

    Change management testing across application, configuration, and infrastructure changes

  8. 08

    IT operations review — backup restore testing, batch monitoring, incident/problem management

  9. 09

    Physical and environmental security assessment for on-premise data centres, or cloud shared-responsibility review for cloud-hosted environments

  10. 10

    Findings classified by severity and mapped explicitly to financial-reporting and regulatory risk

  11. 11

    Dated remediation roadmap with named owners and interim compensating controls for material weaknesses

  12. 12

    Direct Audit Committee/Board presentation and statutory auditor workpaper handover

Your financial controls are only as strong as the IT environment running underneath them — talk to PNPC before your statutory auditor, your regulator, or an attacker finds the gap first.

← Back to Audit & Assurance
Talk to a CA