Audit & Assurance · Information Systems & IT Audit
Information Systems Audit (ISA) & IT General Controls (ITGC) Review
Every financial control in a modern business now runs through a system — an ERP posting rule, an access role, a batch job, an API integration.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Every financial control in a modern business now runs through a system — an ERP posting rule, an access role, a batch job, an API integration. If the technology layer underneath is not independently tested, no amount of manual control testing tells the full story. At PNPC Global, we conduct Information Systems Audits and IT General Controls (ITGC) reviews that examine the access, change-management, and operations layer your financial reporting, statutory audit, and regulatory obligations quietly depend on. We have supported Boards, Audit Committees, and statutory auditors across India and the UAE since 1986 — we test what actually runs in your environment, not a generic questionnaire response.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
An Information Systems Audit (IS Audit) is an independent examination of an organisation's IT environment — infrastructure, applications, data, and the processes that govern them — to assess whether information systems are adequately controlled, secure, and aligned to business and regulatory requirements. IT General Controls (ITGC) review is its most common form in a financial-reporting context: a focused assessment of the controls that operate across an entire IT environment rather than within a single application — principally access management, change management, IT operations (backup, batch processing, incident management), and, where relevant, program development controls. ITGC matters because financial statement controls (three-way match in procurement, automated revenue recognition, system-calculated depreciation, segregation of duties enforced through ERP roles) are only as reliable as the IT environment that executes them. A well-designed approval matrix is meaningless if a developer can push an unauthorised change to the posting logic, or if a terminated employee's ERP access was never revoked.
In the Indian statutory context, ITGC sits inside the broader Internal Financial Controls (IFC) framework under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013. The Guidance Note on Audit of Internal Financial Controls Over Financial Reporting issued by the Institute of Chartered Accountants of India (ICAI) explicitly requires auditors to evaluate the general IT controls environment as part of forming an opinion on internal financial controls, because automated and IT-dependent manual controls cannot be relied upon if the general controls environment around them is weak. Standard on Auditing SA 315 (Identifying and Assessing the Risks of Material Misstatement) similarly requires the auditor to understand the entity's IT environment as part of understanding internal control relevant to the audit. For companies where the statutory auditor's own IFC opinion depends on placing reliance on system-generated reports and automated controls, a weak ITGC environment can cascade into extended substantive testing, audit qualifications, or reportable material weaknesses.
Beyond the audit-support use case, IS Audit is also commissioned as a standalone assurance and risk-management exercise — for regulated entities (banks, NBFCs, insurance companies, payment aggregators) where the Reserve Bank of India (RBI) and other regulators mandate periodic IS audit under specific circulars and master directions; for companies pursuing ISO/IEC 27001 certification, where an internal or external ITGC-style review is a natural precursor to the formal certification audit; for organisations that have suffered a security incident or data breach and need an independent root-cause and control-gap assessment; and for boards and Audit Committees that simply want independent assurance that the technology environment underpinning the business is not a silent point of failure. In each case, the review methodology is broadly similar — access controls, change management, IT operations, and (for regulated entities) cybersecurity and business continuity controls — but the depth, framework references, and reporting audience differ by context.
A rigorous ITGC/IS Audit engagement typically references one or more recognised frameworks — COBIT (Control Objectives for Information and Related Technologies) issued by ISACA for IT governance and control objectives, ISO/IEC 27001 for information security management systems, and, for RBI-regulated entities, the specific IS audit circulars and master directions the regulator has issued for that category of institution. The output is not a generic "IT is fine" letter — it is a control-by-control assessment (user access provisioning and de-provisioning, privileged access management, password and authentication policy, change management approval and testing discipline, backup and restore testing, batch job monitoring, incident and problem management, physical and environmental security of the data centre or cloud environment) with each gap rated by severity and mapped to the business or financial-reporting risk it creates, so that the Board, the Audit Committee, and — where relevant — the statutory auditor can rely on the work.
When an ISA / ITGC review is the right engagement
Your statutory auditor's IFC opinion under Section 143(3)(i) depends on placing reliance on ERP-driven controls, system-calculated figures, or automated three-way matches — a weak ITGC environment undermines that reliance and risks audit qualification
You are a bank, NBFC, payment aggregator, or other RBI-regulated entity subject to periodic Information Systems Audit under the applicable RBI master direction or circular for your category of institution
You are preparing for ISO/IEC 27001 certification, or need to demonstrate information security control maturity to an enterprise customer, investor, or regulator as part of a vendor security assessment
Your organisation has grown from a manual or spreadsheet-based finance function into a full ERP (SAP, Oracle, Microsoft Dynamics, Tally Prime with multi-user access, Zoho Books/NetSuite, or similar) and access controls have not kept pace with headcount growth
A recent security incident, suspected data breach, unauthorised access event, or ransomware exposure has occurred and the Board wants an independent root-cause and control-gap assessment, not just an IT team's internal account of events
You are consolidating multiple subsidiaries or business units on different ERP/IT platforms and the parent's statutory auditor needs assurance that each entity's IT control environment can be relied upon for group reporting purposes
Your internal audit function has flagged IT-related risk areas — segregation of duties conflicts within ERP roles, dormant or excessive privileged accounts, undocumented change management — that need a dedicated, deeper-dive IS Audit beyond the scope of a general internal audit cycle
Investors or lenders conducting technology and operational due diligence ahead of a funding round, acquisition, or credit facility have specifically asked for an independent IT controls assessment
When a lighter-touch alternative may fit better
Very early-stage business running on a single off-the-shelf accounting package with one or two users and no meaningful segregation-of-duties risk — a basic access-hygiene checklist within the accounting engagement is more proportionate than a formal ITGC engagement
Organisation has not yet implemented any ERP or centralised system and finance runs substantially on spreadsheets — the priority should be system implementation and basic control design, not a formal audit of controls that do not yet exist
You need a penetration test or vulnerability assessment of a specific application or network perimeter — that is a specialised cybersecurity/VAPT engagement with a different skill set and toolset than an ITGC review, though the two are complementary and often sequenced together
The immediate need is a one-time technology architecture review or software selection advisory ahead of an ERP implementation — that is a pre-implementation advisory engagement, not a post-implementation controls audit
Your only requirement is a management representation letter for a bank or tender that does not call for actual control testing — a narrower scoped confirmation may be sufficient without a full IS Audit
ISA / ITGC Review vs related audit and assurance engagements
| Feature | ISA / ITGC Review | IFC Review (Financial Controls) | Internal Audit | VAPT / Cybersecurity Audit | Statutory Audit (Sec 143) |
|---|---|---|---|---|---|
| Primary objective | Assess design & effectiveness of IT general controls — access, change, operations | Assess design & effectiveness of controls over financial reporting (COSO-based) | Assurance on risk management, governance, controls across all functions | Identify technical vulnerabilities and exploitable weaknesses in systems/network | Opine on true & fair view of financial statements |
| Governing framework | COBIT (ISACA), ISO/IEC 27001, RBI IS audit circulars where applicable | COSO 2013 Internal Control – Integrated Framework | Standards on Internal Audit (SIA) issued by ICAI | OWASP, PTES, ISO 27001 Annex A controls | Standards on Auditing (SAs) issued by ICAI |
| Statutory basis | Feeds Section 143(3)(i)/IFC opinion; mandatory for RBI-regulated entities per applicable circular | Section 134(5)(e) — Board certification; Section 143(3)(i) — auditor reporting | Section 138, Companies Act 2013 (mandatory for prescribed class of companies) | Not mandated under Companies Act — driven by security policy, client, or regulatory requirement | Section 139–147, Companies Act 2013 |
| Who performs it | IS-audit qualified CA/CISA professional or specialised technology risk team | Independent CA firm or specialised risk advisory team | In-house internal audit function or outsourced CA firm reporting to Audit Committee | Certified ethical hackers / security testers, often with CA-firm technology risk teams | Independent statutory auditor appointed under Sec 139 |
| Scope focus | Access management, change management, IT operations, backup/DR, physical/environmental security | Revenue, procurement, payroll, treasury, financial close process controls | Risk-based — processes, controls, governance, compliance, IT, across the business | Technical — exploitable vulnerabilities in applications, networks, and infrastructure | Financial statement assertions — accuracy, completeness, valuation |
| Output | ITGC gap report, control matrix mapped to COBIT/ISO objectives, remediation roadmap | Risk Control Matrix (RCM), gap report, remediation roadmap, management letter | Internal audit reports to Audit Committee each quarter/half-year | Vulnerability report with CVSS-rated findings and remediation guidance | Audit opinion + CARO report + Annexure on IFC (where applicable) |
| Mandatory for which entities | RBI-regulated entities per specific master direction; effectively required wherever Sec 143(3)(i) relies on IT controls | Effectively mandatory support work for companies where Sec 143(3)(i) applies to the auditor | Listed companies, and public/private companies meeting prescribed capital/turnover/borrowing thresholds under Sec 138 | Not mandatory — increasingly expected by enterprise customers, investors, and cyber-insurers | Statutory audit itself is mandatory for every company under Sec 139; only the auditor's IFC opinion under Sec 143(3)(i) is exempted for OPCs, small companies, and certain private companies below prescribed turnover/borrowing thresholds |
| Timing relative to year-end | Typically pre-audit (Q3/Q4) so gaps are fixed before year-end IFC testing | Typically conducted pre-audit (Q3/Q4) so gaps are fixed before year-end testing | Ongoing, throughout the year | Ad hoc or periodic (annual/half-yearly) per security policy | Post year-end, on completed financial statements |
| Relationship to statutory audit | Directly de-risks the auditor's reliance on IT-dependent and automated controls | Feeds directly into and de-risks the auditor's Sec 143(3)(i) opinion and CARO commentary | Independent function; statutory auditor may place limited reliance on internal audit work | Generally outside statutory audit scope, though findings may be relevant to IFC risk assessment | The audit itself |
| Typical engagement length | 3–8 weeks depending on number of applications/systems in scope | 4–10 weeks depending on process scope and entity size | Continuous / cyclical through the year | 1–4 weeks per application or network segment tested | Concurrent with year-end audit — several weeks to months |
ISA/ITGC and IFC reviews are frequently run together, since IT general controls are a foundational input to the financial-controls opinion. Whether your organisation needs a standalone IS Audit, an ITGC component within a broader IFC review, or a regulator-mandated Information Systems Audit depends on your sector, regulatory status, and system landscape. A scoping conversation with a practising CA is the right starting point.
| # | Stage & What PNPC Does | CA Advice Portals Never Give | Timeline |
|---|---|---|---|
| 1 | Scoping & Regulatory Mapping — understanding which framework governs your review | We first confirm which driver applies to you — Section 143(3)(i)/IFC support, an RBI IS audit circular specific to your category of regulated entity, ISO/IEC 27001 certification readiness, or a standalone Board-requested assurance review — because the applicable framework, evidence standard, and reporting format differ meaningfully across these drivers. A generic checklist vendor applies the same template regardless of which driver actually applies to you. | Week 1 |
| 2 | IT Environment & Application Landscape Mapping | We build a complete inventory of in-scope systems — ERP, core banking/lending system, payment gateway, HRMS, data warehouse, cloud infrastructure (AWS/Azure/GCP), and the interfaces between them — because ITGC risk concentrates at integration points and legacy systems that generic reviews often miss entirely. | Week 1–2 |
| 3 | Entity-Level IT Governance Assessment | Before testing individual controls, we assess IT governance at the entity level — is there a documented IT policy, an IT steering committee, a defined CISO/IT head with reporting line to the Board or Audit Committee, and a risk register that actually gets reviewed? A control matrix built without this foundation gives false comfort, the same way a financial control matrix without entity-level controls does. | Week 2 |
| 4 | User Access Management Review — provisioning, de-provisioning, privileged access | We test the full access lifecycle: is access granted only after documented approval, mapped to a defined role, and revoked promptly on transfer or exit? We specifically test for dormant accounts, shared/generic logins, and excessive privileged (admin/superuser) access — the single most common ITGC finding across Indian mid-market companies, and one that manual walkthroughs alone routinely miss because the access list itself is never pulled and reconciled against the current HR headcount. | Week 2–3 |
| 5 | Segregation of Duties (SoD) Analysis Within ERP Roles | A well-designed maker-checker control on paper is worthless if the same user's ERP role permits both creating a vendor master and approving a payment to that vendor. We extract the actual role-to-transaction mapping from the system and test for SoD conflicts — not just review the documented policy, which is frequently aspirational rather than descriptive of the live configuration. | Week 3 |
| 6 | Change Management Review — application, infrastructure, and configuration changes | We test whether changes to applications, database configurations, or infrastructure follow a documented change request, approval, testing, and deployment process, with segregation between the developer/requester and the approver, and evidence retained for each change in the review period — not just a sample of two or three "clean" changes selected by the IT team itself. | Week 3–4 |
| 7 | IT Operations Review — backup, batch processing, incident and problem management | We test backup frequency, retention, and — critically — whether a restore has actually been tested (a backup that has never been restored is an unverified assumption, not a control), batch job monitoring and exception handling, and whether IT incidents are logged, triaged, and tracked to closure through a formal process rather than ad hoc WhatsApp messages to the IT team. | Week 4 |
| 8 | Physical & Environmental Security Assessment | For on-premise data centres or server rooms: access control logs, CCTV coverage, fire suppression, and environmental monitoring (temperature, humidity, power). For cloud-hosted environments, we review the shared-responsibility boundary and the client's own controls over cloud console access, key management, and configuration — since "it's in the cloud" is not itself a control. | Week 4–5 |
| 9 | Cybersecurity & Regulatory-Specific Testing (Where Applicable) | For RBI-regulated entities, we test against the specific circular applicable to that category of institution — covering areas such as cyber-security framework compliance, vendor/outsourcing risk management, and business continuity/disaster recovery testing. For entities pursuing ISO/IEC 27001, we map findings against the relevant Annex A control objectives to give a head start on formal certification readiness. | Week 4–6 |
| 10 | Gap Classification — mapped to COBIT/ISO control objectives and financial-reporting risk | Every finding is classified by severity and explicitly mapped to the business or financial-reporting risk it creates — a dormant privileged account is not just an "IT hygiene" item, it is a fraud and unauthorised-transaction risk that the statutory auditor and Audit Committee need framed in those terms, not buried in technical jargon. | Week 5–6 |
| 11 | Draft Report & Process Owner Validation | We walk every finding through with the IT team and relevant process owners before finalising the report — both to validate the facts (system configurations can be misread without the right context) and to begin remediation planning immediately rather than after a surprise report lands on the CIO's desk. | Week 6–7 |
| 12 | Remediation Roadmap — prioritised, owner-assigned, dated action plan | A list of ITGC gaps without a remediation plan and named owner simply recurs next year — and, for RBI-regulated entities, an unremediated finding from a prior IS audit cycle draws heightened regulatory scrutiny. We build a dated roadmap with interim compensating controls flagged for any material weakness pending permanent fix. | Week 7 |
| 13 | Audit Committee / Board Presentation and Statutory Auditor Handover | We present findings directly to the Audit Committee or Board, and — where the review is intended to support the year-end statutory audit — hand over our workpapers and testing evidence directly to the statutory auditor's team in the format they need to place reliance on the work, avoiding duplicate testing effort and audit fee escalation. | Week 7–8 |
Realistic timeline: 3–4 weeks for a focused single-ERP ITGC review at a mid-sized company; 6–8 weeks for a multi-entity or RBI-regulated engagement covering core banking/lending systems, cybersecurity framework compliance, and business continuity testing. Timelines depend materially on the number of in-scope applications, the quality of existing IT documentation, and the responsiveness of the client's IT team in extracting system-generated access and change logs.
Board-approved IT policy / Information Security Policy, and evidence of periodic review
IT organisation chart — CISO/IT Head, reporting lines to Board/Audit Committee, and defined roles and responsibilities
IT risk register and any prior internal audit, ITGC, or ISO 27001 gap assessment reports, with closure status
List of all in-scope applications, systems, and cloud environments — ERP, core system, payment gateway, HRMS, data warehouse, and key integrations between them
Vendor/outsourcing register for any IT services, data processing, or infrastructure hosted or managed by third parties
Current user access list for each in-scope system, with role/privilege level for every user
Access request, approval, and provisioning records for new joiners and role changes during the review period
Employee exit list from HR, cross-referenced against system de-provisioning timestamps for the same period
List of privileged/administrator accounts, with justification for each and evidence of periodic access recertification
Password policy configuration and evidence of enforcement (complexity, expiry, multi-factor authentication settings)
Change management policy/SOP describing the request, approval, testing, and deployment process
Log of all application, configuration, and infrastructure changes made during the review period, with approver identity and date
Evidence of testing/UAT (user acceptance testing) sign-off prior to production deployment for a sample of changes
Emergency/break-glass change records, if any, with post-facto approval and justification
Backup policy, backup logs/schedule for the review period, and evidence of at least one restore test performed
Batch job schedule and exception/failure logs, with evidence of monitoring and resolution
Incident and problem management log — security incidents, system outages, and their resolution timeline
Business Continuity Plan (BCP) and Disaster Recovery (DR) plan, with evidence of the last DR drill/test performed
Data centre or cloud hosting agreement, and — for cloud environments — the shared-responsibility matrix with the cloud provider
ERP/system role definitions and the transaction codes or permissions mapped to each role
Any existing SoD conflict matrix or rule set configured within the ERP (e.g., GRC modules in SAP/Oracle), if in use
Sample of key automated/system controls relied upon for financial reporting — three-way match configuration, system-calculated depreciation, automated revenue recognition rules — with configuration evidence
List of interfaces between systems (e.g., e-commerce platform to ERP, payroll to accounting) with reconciliation controls documented
RBI IS audit circular/master direction applicable to your category of regulated entity, and any prior RBI inspection or IS audit observations
ISO/IEC 27001 Statement of Applicability (SoA) and internal audit reports, if the organisation already holds or is pursuing certification
Data protection and privacy policy, and any Digital Personal Data Protection Act, 2023 (DPDP Act) compliance documentation relevant to personal data processed within in-scope systems
Cyber-insurance policy documentation and any breach notification or incident-reporting obligations applicable to the entity's sector
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Scoping & Readiness (Week 1–2) | Engagement kick-off — statutory driver, regulatory mandate, or Board request identified | Confirm the governing framework (IFC support, RBI circular, ISO 27001 readiness, or standalone assurance), map the full application landscape, and assess IT governance maturity before any control testing begins. | Scoping the wrong framework wastes engagement time and produces a report the statutory auditor or regulator cannot rely on, forcing a repeat exercise. |
| Access & Change Testing (Week 2–4) | Fieldwork begins | Full-population extraction and testing of user access lists, privileged accounts, joiner/leaver reconciliation, SoD conflicts within ERP roles, and change management records — not a token sample selected by the IT team. | Dormant privileged accounts and unrevoked exit access are the most common vector for unauthorised transactions and fraud; undocumented changes undermine the statutory auditor's ability to rely on system-generated financial figures. |
| Operations, BCP/DR & Physical Security (Week 4–5) | Fieldwork continues | Backup restore testing (not just backup completion logs), batch monitoring review, incident management assessment, and — for on-premise environments — physical/environmental security walkthrough. | An untested backup is an unverified assumption; a business disruption without a tested DR plan can halt operations and financial reporting for an extended, unplanned period. |
| Reporting & Remediation (Week 6–8) | Fieldwork complete | Findings classified by severity and mapped to financial-reporting or regulatory risk, validated with process owners, and converted into a dated remediation roadmap with named owners before Audit Committee presentation. | Unclassified or unranked findings get deprioritised by management; an unremediated finding carried into the next statutory audit or RBI inspection cycle draws materially heightened scrutiny. |
| Statutory Audit Handover | Year-end audit begins | Workpapers and testing evidence shared directly with the statutory auditor's team in a format that supports reliance on the ITGC work, reducing duplicate testing and controlling audit fee escalation. | Statutory auditor unable to place reliance re-performs testing independently — extending audit timelines, increasing audit fees, and risking a qualified IFC opinion if gaps surface late in the audit cycle. |
| Regulatory Filing (RBI-Regulated Entities) | Annual or periodic IS audit due under applicable RBI circular | IS audit report finalised and filed per the timeline and format prescribed by the relevant RBI master direction for that category of regulated entity, with Board/Audit Committee sign-off documented. | Missed or inadequate IS audit filing can trigger regulatory scrutiny, supervisory action, or restrictions specific to the regulated entity's licence conditions. |
| Annual Refresh & Continuous Monitoring | Next audit cycle or material IT environment change | Risk assessment and scope refreshed for new systems implemented, cloud migrations, or M&A-driven IT integration since the last review; prior-cycle findings re-tested for actual closure, not just management assertion. | A static, unchanged scope misses new risk introduced by system changes; unverified 'closed' findings that were never actually remediated resurface — often discovered by the statutory auditor or regulator instead of by the company. |
What is the difference between an Information Systems Audit and an IT General Controls (ITGC) review?
Information Systems Audit (IS Audit) is the broader term — an independent examination of an organisation's IT environment covering governance, security, applications, infrastructure, and data. ITGC review is typically the specific subset of an IS Audit that focuses on controls operating across the entire IT environment (access management, change management, IT operations) rather than within a single application — and is the form most directly relevant to financial-reporting reliance under Section 143(3)(i) of the Companies Act. In practice, an ITGC review is one component of a fuller IS Audit; the two terms are often used together because the scope substantially overlaps for most engagements.
Is ITGC review mandatory for our company, or is it only relevant for banks and NBFCs?
There is no standalone Companies Act section that makes ITGC review mandatory by name. It becomes effectively necessary wherever Section 143(3)(i) requires your statutory auditor to opine on the adequacy and operating effectiveness of internal financial controls, and your financial reporting relies on automated or IT-dependent manual controls — which is the case for the large majority of companies running any ERP today. Separately, it is directly mandatory (in the sense of being required under specific regulatory circulars) for RBI-regulated entities — banks, NBFCs, payment aggregators, and similar categories — under the applicable master direction for that category of institution.
We are a mid-sized private company using Tally or Zoho Books with a handful of users. Do we really need a formal ITGC review?
It depends on scale and reliance, not just the software name. A single-entity company with two or three users on a straightforward accounting package and no meaningful segregation-of-duties risk generally does not need a formal COBIT/ISO-referenced ITGC engagement — a lighter access-hygiene review within the regular audit or accounting engagement is proportionate. The calculus changes once you add multiple locations, multiple users with differentiated roles, integrations to e-commerce or payment systems, or investor/lender requirements for control assurance.
What framework does PNPC use for ITGC and IS Audit engagements?
We reference COBIT (Control Objectives for Information and Related Technologies), issued by ISACA, as the primary control-objective framework for ITGC engagements, since it maps cleanly to the IT governance and control domains referenced in the ICAI Guidance Note on Audit of Internal Financial Controls. For engagements focused on information security maturity or ISO/IEC 27001 certification readiness, we additionally map findings against the relevant ISO 27001 Annex A control objectives. For RBI-regulated entities, we test against the specific circular or master direction applicable to that category of institution.
How does ITGC review relate to our statutory auditor's work — will it reduce our audit fees or timeline?
Where an ITGC review is completed before year-end fieldwork and the statutory auditor is satisfied with the scope, methodology, and evidence, the auditor may place reliance on the work to reduce the extent of their own IT-related substantive testing — which can help control fee escalation and compress the audit timeline. This is not automatic: the statutory auditor independently assesses whether to rely on any third-party work, including our own, based on their own risk assessment and professional judgement under the applicable Standards on Auditing.
Can PNPC perform an ITGC review if PNPC is also the statutory auditor for the same company?
Independence rules under the Companies Act and the ICAI Code of Ethics restrict a statutory auditor's ability to provide certain non-audit services to the same audit client, and the specific restrictions depend on the client's listing status and the nature of the service. Where PNPC is the statutory auditor, we assess independence requirements before agreeing to also perform an ITGC review for the same entity, and in some cases will recommend a different qualified firm perform the ITGC work to preserve auditor independence — particularly for listed companies and companies meeting the thresholds under Section 144 of the Companies Act.
What does PNPC actually test during a user access review, beyond just requesting the access list?
We extract the current, system-generated user access list (not a manually maintained spreadsheet that may be stale) for every in-scope system, cross-reference it against the current HR headcount to identify access held by employees who have since exited, review the approval trail for access granted during the review period, identify dormant accounts that have not logged in for an extended period, and specifically test privileged/administrator accounts for business justification and periodic recertification. This is full-population testing wherever the system allows extraction, not a small manually-selected sample.
What is segregation of duties (SoD) testing within an ERP, and why does it need a specialist rather than a general auditor?
SoD testing examines whether a single user's system role permits them to perform conflicting functions that should be split between two people — for example, creating a vendor master record and approving payment to that same vendor, or posting a journal entry and approving it. Testing this properly requires extracting the actual role-to-transaction-code mapping configured in the system (SAP, Oracle, or similar) and analysing it for conflicts — a documented policy statement that 'maker and checker are separate' is not evidence that the system configuration actually enforces it. This requires familiarity with how ERP role and authorisation objects are structured, which is a distinct skill set from general financial statement auditing.
What counts as a 'material weakness' versus a 'significant deficiency' versus a 'control deficiency' in ITGC findings?
These classifications follow the same severity framework used in the broader IFC review context. A Control Deficiency exists when a control is designed or operating in a way that does not allow timely prevention or detection of a misstatement, but the impact is limited. A Significant Deficiency is a deficiency, or combination of deficiencies, that is less severe than a material weakness but merits attention by those responsible for governance. A Material Weakness is a deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. ITGC findings are classified using this same scale because ITGC gaps ultimately create financial-reporting risk, not just an operational IT inconvenience.
How long does a typical ISA/ITGC engagement take, and what does it depend on?
A focused ITGC review at a single-entity company running one ERP typically takes 3–4 weeks from scoping to final report. A multi-entity engagement, or one involving a core banking/lending system with RBI-specific cybersecurity and business continuity testing, typically runs 6–8 weeks. The main variables are the number of in-scope applications and integrations, the quality and completeness of existing IT documentation, and — most significantly in our experience — how quickly the client's IT team can extract system-generated access and change logs rather than relying on manually maintained records.
Do you test cloud environments (AWS, Azure, GCP) the same way as on-premise data centres?
No — the testing approach differs because responsibility is shared with the cloud provider. For cloud environments, we review the shared-responsibility boundary (the provider secures the underlying infrastructure; the client remains responsible for configuration, access management, and data within their environment), and focus our testing on client-side controls — cloud console/IAM access management, key and secrets management, security group and network configuration, and logging/monitoring of the cloud environment. For on-premise data centres or server rooms, we additionally test physical access controls, environmental monitoring, and fire suppression systems, which are not relevant in a cloud context.
What RBI circulars or master directions govern IS Audit for regulated entities?
RBI has issued sector-specific master directions and circulars covering information security, cyber-security frameworks, and IS audit requirements for different categories of regulated entities — including banks, NBFCs, and payment system operators — with the specific requirements, frequency, and reporting format varying by the category and risk profile of the institution. Because these requirements are periodically updated by RBI and differ by entity category, we confirm the current applicable circular for your specific licence category and asset size at the start of every regulated-entity engagement rather than relying on a generic checklist.
Does an ITGC review help with ISO/IEC 27001 certification, or are they completely separate exercises?
They are related but distinct. ISO/IEC 27001 is a formal Information Security Management System (ISMS) standard, and certification requires an accredited certification body to conduct the actual certification audit — PNPC does not issue ISO 27001 certificates. However, an ITGC review substantially overlaps with several ISO 27001 Annex A control domains — access control, operations security, and physical security among them — so a well-executed ITGC review gives an organisation a meaningful head start and gap-closure runway ahead of a formal certification audit, reducing the risk of nonconformities being raised for the first time by the certification body.
What is the difference between ITGC review and a penetration test (VAPT)?
ITGC review assesses whether governance processes and controls — access approval, change management, backup discipline — are properly designed and consistently followed. A penetration test (or Vulnerability Assessment and Penetration Testing, VAPT) is a technical exercise that actively attempts to identify and, in a controlled manner, exploit technical vulnerabilities in a specific application, network, or system. They are complementary rather than substitutes: an organisation can have well-documented, consistently followed change-management processes (a strong ITGC finding) and still have an unpatched, exploitable vulnerability in a public-facing application (a VAPT finding), or vice versa.
Our IT team says our systems are secure because we have never had an incident. Is that a reasonable basis to skip an ITGC review?
The absence of a known incident is not evidence of control adequacy — it may equally mean an incident occurred and was not detected, given weak monitoring and logging, which is itself one of the more common ITGC findings we identify. Control testing exists precisely because self-assessment by the team responsible for operating the controls carries an inherent bias, however well-intentioned. An independent review tests actual configuration and evidence, not the operating team's own confidence in their environment.
What documentation should we prepare before the ITGC review begins to avoid delays?
The most time-saving preparation is having your IT team ready to extract, rather than manually compile, system-generated data: current user access lists per system, privileged account lists, the change log for the review period, backup logs, and batch job exception logs. Alongside this, gather your Board-approved IT policy (if one exists), the current HR headcount/exit list for cross-referencing against access, and any prior internal audit or ITGC findings with their closure status. We provide a detailed document and data-extract request list at engagement kick-off, tailored to your specific application landscape.
Can a startup with a lean IT team realistically implement the remediation you recommend?
Yes, and we design the remediation roadmap with exactly that constraint in mind. For organisations with limited IT headcount, we prioritise findings by risk severity and recommend proportionate, often low-cost fixes first — enforcing a documented joiner/leaver access checklist, enabling multi-factor authentication on privileged accounts, scheduling a periodic access recertification — rather than prescribing an enterprise-grade control framework that assumes a much larger IT function. Compensating controls are explicitly considered where a full technical fix is not immediately feasible.
How does PNPC handle sensitive findings — for example, evidence suggesting a specific individual bypassed a control?
Any finding suggesting potential misconduct, fraud, or deliberate control circumvention by a specific individual is escalated confidentially and promptly to the Audit Committee or the Board (not routed through the process owner or department implicated), consistent with our professional obligations. Where the evidence suggests a matter requiring specialist investigation beyond the scope of an ITGC review — such as a suspected deliberate fraud — we recommend a dedicated forensic engagement rather than attempting to investigate it within the ITGC scope, which is designed for control assessment, not evidentiary fraud investigation.
Is a review of our WhatsApp-based or email-based approval process considered a valid control?
It can be, provided the approval is documented, retained, and traceable to a specific approver and decision — but email or messaging-app approvals are inherently weaker evidence than a system-enforced workflow approval, because they are easier to fabricate, backdate, or lose, and typically lack any system-enforced segregation of duties. We assess these as a design gap in most cases and recommend migrating critical approvals (payment release, vendor master changes, user access grants) into the ERP's native workflow wherever the system supports it.
What happens if the ITGC review identifies a material weakness right before our year-end statutory audit?
We flag material weaknesses to management and the Audit Committee as soon as they are identified during fieldwork — not held back for the final report — specifically so remediation, or at minimum an interim compensating control, can be put in place before year-end testing by the statutory auditor. A material weakness identified and disclosed proactively, with a credible remediation plan already underway, is viewed very differently by a statutory auditor and by the Audit Committee than the same weakness discovered independently and for the first time during year-end audit fieldwork.
Does PNPC provide ongoing ITGC monitoring, or is this strictly a point-in-time review?
Both models are available. A point-in-time review is appropriate for a first-time engagement, a specific regulatory filing, or ISO 27001 readiness. For companies where IT controls need continuous assurance — particularly those with PE investors, lending covenants, or RBI regulatory obligations — we offer an ongoing programme with periodic (typically half-yearly or annual) re-testing cycles, tracked findings closure, and updated scope as new systems or integrations are added to the environment.
What is the realistic cost range for an ISA/ITGC engagement, and what drives the fee?
Fees are driven primarily by the number of in-scope applications, the complexity of the IT environment (single ERP versus multiple integrated systems), whether regulatory-specific testing (RBI circular compliance, for example) is required, and the entity's size and transaction volume. Because these variables differ so significantly between a single-location mid-market company and a multi-entity regulated financial institution, we do not quote a standard fee without first completing the scoping conversation — but we always confirm the engagement fee in writing before fieldwork begins.
Can PNPC support both the India entity and a related UAE entity's IT controls review under one engagement?
Yes. For groups with operations in both India and the UAE, we coordinate the review across both entities from our Chennai/Bangalore/Hyderabad and Dubai offices under a single engagement, which is particularly useful where a shared ERP instance, shared IT infrastructure, or a common cloud environment spans both jurisdictions. UAE-specific regulatory requirements — including sector-specific cybersecurity requirements set by UAE regulators for financial and other regulated entities — are assessed separately by our Dubai team where applicable, alongside any India-specific requirements.
What is the ICAI Guidance Note on Audit of Internal Financial Controls Over Financial Reporting, and why does it matter for ITGC?
It is guidance issued by the Institute of Chartered Accountants of India to help statutory auditors form and support their opinion under Section 143(3)(i) of the Companies Act on whether a company has an adequate internal financial controls system operating effectively. The guidance explicitly addresses the role of IT general controls as a foundation for reliance on automated and IT-dependent manual controls — meaning an auditor cannot reasonably conclude financial controls are effective if the underlying IT environment (access, change management) has not been assessed. This is the direct link between ITGC work and the statutory IFC opinion your Board must ultimately stand behind.
How does the Digital Personal Data Protection Act, 2023 (DPDP Act) intersect with an ITGC or IS Audit engagement?
The DPDP Act establishes obligations for entities processing personal data of individuals in India — including consent management, data security safeguards, and breach notification. While DPDP compliance is a distinct legal obligation from ITGC/IS Audit, there is meaningful overlap: access controls, encryption, and incident management practices tested during an ITGC review are also foundational to DPDP's 'reasonable security safeguards' requirement. Where personal data is processed within in-scope systems, we flag relevant DPDP-related observations as part of the review, though a dedicated DPDP compliance assessment is a distinct and more comprehensive engagement.
What if our ITGC review finds that our IT vendor (outsourced IT support or SaaS provider) is the source of the control gap, not us?
We test both your organisation's own controls and, where feasible, request evidence of the outsourced vendor's relevant controls — for example, a SOC 1 or SOC 2 report if the vendor produces one, or direct confirmation of their access-management and change-management practices. Where a vendor will not or cannot provide adequate assurance, this itself becomes a reportable finding, because outsourcing an IT function does not outsource the accountability for the control — your Board remains responsible for the adequacy of controls over your financial reporting regardless of who operates the underlying system.
Do you test controls over spreadsheet-based reporting (Excel models used for consolidation, valuation, or MIS)?
Yes, where spreadsheets are used for material financial reporting purposes — such as group consolidation, complex valuation models, or key MIS feeding into the financial statements — we assess End-User Computing (EUC) controls: version control, access restriction, formula integrity checks, and independent review before the output is used. Spreadsheets sit outside the core ERP's system-enforced controls and are a frequently under-controlled area, since they can be altered by anyone with file access and without any audit trail unless specific EUC discipline is imposed.
What is the role of the Audit Committee in an ISA/ITGC engagement?
The Audit Committee (or the Board, where no Audit Committee is mandated) is the primary governance recipient of the ITGC review — approving the scope where relevant, receiving the findings and severity classification directly from the review team, and holding management accountable for the remediation roadmap. This mirrors the reporting-line design used for internal audit, and is intended to preserve independence: findings are not filtered through the same IT management whose controls are being assessed before reaching the body responsible for oversight.
Can an ITGC review be performed remotely, or does PNPC need physical access to our server room and offices?
Access management, change management, and IT operations testing can largely be performed remotely through secure access to system-generated data extracts, screen-shares for configuration walkthroughs, and video-based interviews with IT and process owners. Physical and environmental security testing of an on-premise data centre or server room does require an on-site visit, since CCTV coverage, fire suppression, and physical access controls cannot be meaningfully assessed remotely. For cloud-only environments, the engagement can typically be conducted fully remotely.
How does PNPC ensure the confidentiality of sensitive system access data and vulnerability information gathered during the review?
All system access lists, configuration details, and findings are handled under our standard client confidentiality obligations and, for sensitive technical findings such as unremediated access gaps, are communicated through secure channels rather than plain email attachments where the sensitivity warrants it. Draft reports identifying specific control weaknesses are shared only with the agreed engagement contacts and the Audit Committee — not broadly circulated — until remediation is substantially underway, to avoid the findings themselves becoming a roadmap for misuse before they are fixed.
What is the single most common finding PNPC identifies across ITGC engagements in the Indian mid-market?
Access management gaps — specifically, terminated or transferred employees whose system access was not promptly revoked, and privileged/administrator accounts with no documented business justification or periodic recertification. This consistently outranks change-management or backup-related findings in both frequency and severity, largely because the process trigger connecting HR exit processing to IT de-provisioning is often informal or entirely absent, even in companies with otherwise reasonably mature finance controls.
Why should we engage PNPC rather than a pure-technology IT audit firm or a Big 4 for this review?
A pure-technology firm can test technical controls competently but often lacks the statutory-audit and Companies Act context needed to frame findings in the language your Board, Audit Committee, and statutory auditor actually need — material weakness classification, Section 143(3)(i) implications, CARO commentary risk. A large firm brings brand recognition but often at a cost and turnaround timeline disproportionate to a mid-market engagement, with more junior staff doing the actual fieldwork. PNPC combines practising-CA statutory audit context with dedicated IS-audit expertise, sized appropriately for mid-market and growth-stage companies, and backed by four decades of practice across India and the UAE.
PNPC Global vs typical alternatives for ISA / ITGC engagements
| Dimension | PNPC Global | Generic IT Audit Vendor | Big 4 / Large Firm | In-House IT Team Self-Assessment |
|---|---|---|---|---|
| Statutory-audit context | Deep — practising CA firm, findings framed for Sec 143(3)(i)/IFC reliance | Often limited — technically focused, weak Companies Act framing | Strong, but at premium pricing and slower turnaround for mid-market scope | None — no independent assurance value |
| IS-audit / COBIT / ISO depth | Dedicated technology risk expertise alongside audit practice | Variable — depends heavily on individual vendor | Strong, typically delivered by a separate specialist team | Limited to whatever the internal team already knows |
| Regulatory (RBI) familiarity | Direct experience with applicable circulars for regulated-entity categories | Inconsistent — not all vendors specialise in regulated entities | Strong, but engagement minimums may not suit smaller regulated entities | Internal — no independent regulatory assurance |
| Turnaround for mid-market scope | 3–8 weeks, sized to the engagement | Fast, but often superficial checklist-based testing | Can be slower and costlier relative to engagement size | Immediate, but carries no independence or assurance value |
| India–UAE coordination | Single engagement across both jurisdictions via Chennai/Bangalore/Hyderabad + Dubai offices | Rarely offered as a coordinated service | Available, but typically via separate regional teams with handoff friction | Not applicable |
| Remediation partnership | Named-owner roadmap, re-tested at next cycle, direct auditor handover support | Report delivered; follow-through often limited | Thorough, but follow-up cycles priced as separate engagements | No independent verification of remediation |
| Fee transparency | Scoped and confirmed in writing before fieldwork begins | Varies — sometimes bundled with unclear inclusions | Generally transparent but priced at large-firm rate cards | No fee, but also no assurance value |
This comparison reflects typical positioning in the Indian mid-market. The right fit for your organisation depends on your regulatory category, group structure, and existing statutory auditor relationship — we are happy to have that conversation directly and recommend against engaging us where we are not the best fit.
What the PNPC package includes
- 01
Scoping and regulatory-driver mapping — confirming whether IFC support, RBI mandate, ISO 27001 readiness, or standalone assurance governs your engagement
- 02
Full IT environment and application landscape inventory, including cloud and third-party integrations
- 03
Entity-level IT governance assessment — policy, reporting lines, risk register maturity
- 04
Full-population user access review with joiner/leaver reconciliation against current HR records
- 05
Privileged/administrator account review and recertification assessment
- 06
Segregation of duties (SoD) analysis within actual ERP role configurations, not just policy documents
- 07
Change management testing across application, configuration, and infrastructure changes
- 08
IT operations review — backup restore testing, batch monitoring, incident/problem management
- 09
Physical and environmental security assessment for on-premise data centres, or cloud shared-responsibility review for cloud-hosted environments
- 10
Findings classified by severity and mapped explicitly to financial-reporting and regulatory risk
- 11
Dated remediation roadmap with named owners and interim compensating controls for material weaknesses
- 12
Direct Audit Committee/Board presentation and statutory auditor workpaper handover
Your financial controls are only as strong as the IT environment running underneath them — talk to PNPC before your statutory auditor, your regulator, or an attacker finds the gap first.