HomeServicesTransformation & TechInformation Systems Audit (IS Audit) & ITGC Review

Transformation & Tech · IT Risk & Technology Assurance

Information Systems Audit (IS Audit) & ITGC Review

Every Board resolution, every financial close, every regulatory filing your organisation makes today rests on IT systems that most managements have never had independently examined.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Every Board resolution, every financial close, every regulatory filing your organisation makes today rests on IT systems that most managements have never had independently examined. PNPC Global's Information Systems Audit (IS Audit) and IT General Controls (ITGC) Review tests whether the access management, change management, backup/recovery, and IT operations controls around your core systems are actually working — not just documented in a policy manual. We combine the Chartered Accountant's grounding in financial control objectives with structured IT audit methodology to give the Board, Audit Committee, and statutory auditor independent assurance that the technology layer supporting your financial statements, data, and operations is under control.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Information Systems Audit (IS Audit) & ITGC Review is

An Information Systems Audit (IS Audit) is an independent examination of an organisation's IT environment — covering the governance, security, and operational controls around the hardware, software, networks, and data that support business processes and financial reporting. IT General Controls (ITGC) Review is the specific, most commonly commissioned subset of an IS Audit that focuses on four control domains recognised globally under frameworks such as COBIT and ISO 27001, and referenced by the Institute of Chartered Accountants of India (ICAI) in its Guidance Note on Audit of Internal Financial Controls: (1) access management — how user accounts are provisioned, modified, and revoked across applications, databases, operating systems, and network devices; (2) change management — how changes to programs, system configuration, and infrastructure are requested, tested, approved, and moved into production; (3) IT operations — how batch jobs, interfaces, backups, and incident/problem management are run and monitored; and (4) physical and environmental security over data centres and server rooms.

In the Indian regulatory context, ITGCs are not an optional technical nicety — they are the foundation on which application-level and financial reporting controls rest. Under Section 134(5)(e) of the Companies Act 2013, the Board of every listed company (and several classes of unlisted companies as prescribed) must state that the company has laid down internal financial controls and that such controls were adequate and operating effectively. The statutory auditor separately reports on the adequacy and operating effectiveness of Internal Financial Controls over Financial Reporting (IFC-FR) under the Companies (Auditor's Report) Order (CARO) and the applicable Standards on Auditing. Because most modern application controls — three-way matching, approval workflows, automated postings, system-calculated depreciation or GST — depend entirely on the integrity of the underlying IT environment, a weakness in ITGCs (for example, an exited employee whose ERP access was never revoked, or an unauthorised direct change made to a production database) can undermine the reliability of every application control that sits on top of it. This is why statutory auditors, internal auditors, and audit committees routinely commission a dedicated ITGC review — either as a discrete assurance exercise or as a structured input into the annual IFC-FR testing cycle.

An IS Audit / ITGC Review is distinct from a cybersecurity audit or VAPT (Vulnerability Assessment and Penetration Testing) engagement, which tests the external attack surface and technical exploitability of systems, and from an ERP/application controls audit, which goes deeper into module-specific configuration, segregation of duties within a single application, and business-process automated controls. ITGC Review sits underneath both — it is the control environment that application controls and, to a large extent, cybersecurity posture depend upon. For companies preparing for statutory audit, IPO, PE/VC due diligence, SOC 1/SOC 2 reporting to customers, or responding to a regulator's or lender's request for IT control assurance, an independent ITGC review conducted by a CA firm with IT audit capability is frequently the single highest-leverage assurance engagement available — because its findings cascade into, and materially de-risk, every other control-reliant audit and certification the organisation undergoes.

PNPC's IS Audit / ITGC methodology is scoped to the specific in-scope systems — which may be a single ERP and its hosting infrastructure, a broader landscape spanning core banking or transaction-processing systems (for BFSI and NBFC clients), or a cloud-native SaaS stack — rather than applied as a generic, one-size-fits-all checklist. Our reports are written for two audiences simultaneously: technically precise enough for the IT team to action, and plain-language enough for a non-technical Audit Committee member to understand the business risk and approve the remediation roadmap.

When an IS Audit / ITGC Review is the right engagement

Your statutory auditor has flagged IFC-FR deficiencies, CARO qualifications, or management letter observations relating to IT access controls, change management, or system-generated report reliability

You are preparing for an IPO, a PE/VC fundraise, or an acquisition, and need independent evidence that IT controls will withstand due diligence and post-transaction governance scrutiny

A customer, lender, or regulator has requested SOC 1/SOC 2-type assurance or an independent ITGC report as a precondition to a contract, credit facility, or licence renewal

The organisation has grown its IT footprint — new applications, cloud migration, outsourced IT operations, or multiple data centres/hosting providers — faster than its access and change control discipline has kept pace

Internal Audit or the Audit Committee wants a dedicated, IT-audit-trained review because general internal audit procedures do not have the specialist skill set to test access logs, change tickets, or system configuration evidence

A recent security incident, unauthorised change, or discovered access anomaly (an exited employee's account still active, an unreviewed privileged access grant) has raised Board-level concern about the broader control environment

Your organisation is a bank, NBFC, insurance company, or other RBI/IRDAI/SEBI-regulated entity subject to specific IT governance and outsourcing circular requirements that mandate periodic independent IS audit

You are a service organisation whose customers rely on your systems for their own financial reporting, and you need to produce a report on your control environment for their auditors

When a different engagement may fit better

You need to know whether your network and applications can be technically breached from outside — a VAPT/penetration testing engagement, not an ITGC review, is the correct scope for exploitability testing

Your primary concern is segregation of duties and automated control configuration within a single ERP module (approval matrices, tolerance limits, three-way match) — a dedicated ERP/application controls audit goes deeper into that specific layer

You are selecting or evaluating a new ERP or core system vendor — that is a systems selection/advisory engagement, distinct from an audit of an existing live environment

A specific fraud or irregularity is already suspected and evidentiary standards matter — a forensic/digital investigation engagement uses different procedures and chain-of-custody discipline than a control-assurance IS Audit

You are a very early-stage or small business with a single cloud accounting application, no dedicated IT team, and no regulatory or investor requirement for IT control assurance — a lighter-touch IT process review may be more proportionate than a full ITGC methodology

You need a one-time pre-go-live sign-off on a new system implementation — an ERP implementation review, timed around cutover and data migration, is the more relevant engagement at that stage

Structure Comparison

IS Audit / ITGC Review vs other IT and assurance engagements

FeatureIS Audit / ITGC ReviewIFC Testing (Statutory Audit)VAPT / Cybersecurity AuditERP/Application Controls AuditSOC 1 / SOC 2 Reporting
Primary objectiveAssurance that access, change management, IT operations & physical/environmental controls are designed and operating effectivelyAuditor's opinion on whether IFC over financial reporting is adequate and effectiveIdentify exploitable technical vulnerabilities in network, infrastructure & applicationsAssurance on application-layer configuration, segregation of duties & automated controls within a specific systemIndependent assurance report on a service organisation's controls for use by customer auditors
Governing/reference frameworkCOBIT, ISO 27001-aligned practice, ICAI Guidance Note on IFCSection 134(5)(e) Companies Act, CARO, Standards on AuditingOWASP, ISO 27001, PCI-DSS where applicableCOBIT, application-specific control frameworksAICPA SSAE 18 / ISAE 3402-aligned criteria (Trust Services Criteria for SOC 2)
Who typically commissions itAudit Committee, Board, CFO, Internal AuditStatutory auditor, as part of the annual auditCISO, IT Head, BoardAudit Committee, CFO, Internal AuditService organisation management, for its customers' benefit
Scope focusUser access lifecycle, change management, IT operations, backup/DR, physical/environmental security across in-scope systemsControls relevant to material financial statement line items onlyNetwork perimeter, servers, endpoints, application vulnerabilitiesModule-level access, SoD, workflow configuration, interfaces, data integrityControls mapped to specific Trust Services Criteria (security, availability, confidentiality etc.)
FrequencyPeriodic — typically annual, or triggered by a control concern or transaction eventEvery year, as part of the annual statutory audit cyclePeriodic — typically annual, or after major infrastructure changePeriodic — typically annual or bi-annualType 1 (point-in-time) or Type 2 (period-of-time), typically annual
Depth of technical testingDeep on control design and operating effectiveness evidence (logs, tickets, approvals); moderate on technical exploitabilityLimited to controls material to financial statementsDeep on technical exploitability of infrastructure and applicationsDeep on application configuration and access within the specific systemDeep on evidence of control operation across the reporting period
Typical outputFindings report rated by severity with a remediation roadmap, feeding the IFC/CARO processManagement letter points and an IFC opinion within the audit reportVulnerability report with severity ratings and technical remediation stepsFindings report on application-specific control gapsFormal SOC 1/SOC 2 report with auditor's opinion, for external distribution
Overlap with statutory auditFrequently commissioned specifically to deepen or support the statutory auditor's IFC-FR workIs itself part of the statutory auditGenerally independent of the statutory audit scopeComplements ITGC review — application controls rely on sound ITGCs beneath themIndependent formal reporting exercise, often run alongside or after an internal ITGC review

These engagements are frequently complementary rather than substitutable, and ITGCs are the foundation that most of the others rely on. The right combination and scope for your organisation should be confirmed with a practising CA based on your systems landscape, regulatory profile, and the assurance your Board, lenders, or customers actually require.

How it works
#Stage & What PNPC DoesWhat Generic IT Auditors SkipTimeline
1Scoping & Systems Landscape MappingWe identify every in-scope application, database, operating system, and network layer relevant to the audit objective — financial reporting systems for an IFC-linked engagement, or the full technology stack for a broader IS Audit — rather than accepting management's initial list at face value. A generic provider without CA-level financial risk understanding often under-scopes systems that feed the general ledger indirectly.Week 1
2Risk Assessment & Control Objective MappingEach in-scope system is mapped to the specific financial or operational risk it creates if access, change, or operations controls fail — rather than running a generic checklist unrelated to your actual environment and risk profile.Week 1–2
3Audit Charter, Independence Confirmation & Data AccessWe formalise scope, confidentiality terms, and the evidence (access logs, change tickets, backup logs, org charts) we will need, and agree read-only or evidence-extract access — never requiring any change to production systems or live credentials.Week 2
4Access Management TestingWe test the full user access lifecycle — new-joiner provisioning, role/transfer changes, and exit de-provisioning — across applications, databases, operating systems, and network devices, and specifically test whether exited employees' access was actually revoked. This single test area produces findings in the large majority of first-time ITGC reviews we conduct.Week 2–4
5Privileged Access & Segregation ReviewAdministrator, superuser, and database-level privileged accounts are inventoried and tested for appropriate restriction, monitoring, and periodic recertification — accounts that, if compromised or misused, bypass application-level controls entirely.Week 3–5
6Change Management TestingWe sample changes made to programs, system configuration, and infrastructure over the audit period and trace each to a documented request, testing evidence, and appropriate approval before it moved into production — testing whether the documented change process was actually followed, not just whether it exists on paper.Week 4–6
7IT Operations, Batch & Job Scheduling ReviewScheduled jobs, interfaces, and batch processes critical to financial close and reporting are reviewed for monitoring, failure-alerting, and evidence that failures are followed up and resolved rather than silently rerun.Week 5–6
8Backup, Recovery & Business Continuity TestingWe review backup schedules, retention, and — critically — evidence of periodic restore testing, since an untested backup is not a control, merely a hope. Disaster recovery and business continuity documentation is reviewed against actual test evidence where available.Week 6–7
9Physical & Environmental Security ReviewData centre and server room access controls, environmental monitoring (fire suppression, temperature/humidity, power backup), and visitor log discipline are reviewed for on-premise infrastructure; for cloud-hosted environments, we review the relevant cloud provider's SOC/ISO attestations and the organisation's shared-responsibility understanding.Week 6–7
10Findings Rating & Draft ReportEvery finding is rated by severity (Critical/High/Medium/Low), linked to the specific control objective and downstream financial or operational risk, and accompanied by a practical, implementable recommendation. Draft findings are circulated to IT and process owners for factual accuracy validation before finalisation.Week 7–8
11Management Response & Remediation RoadmapWe require a documented management response — agree, partially agree, or disagree with reasons — plus a named remediation owner and committed timeline for every accepted finding, converting the report into an actionable governance document rather than a static PDF that is filed and forgotten.Week 8–9
12Audit Committee / Board PresentationFindings, ratings, and the remediation roadmap are presented directly to the Audit Committee or Board by the engagement CA in plain-language terms a non-technical director can act on — connecting technical IT findings to the financial reporting and governance risk they actually represent.Week 9
13Follow-Up Validation CycleIn the subsequent audit cycle (or sooner for Critical findings, where we recommend an interim check), we independently verify that remediation was actually implemented in the live environment — not merely marked closed in a tracker — closing the loop most one-time IT reviews leave open.Next cycle, or as agreed

Realistic end-to-end timeline for a first IS Audit / ITGC Review of a mid-sized single-location organisation: 7–9 weeks from kickoff to Board presentation, depending on the number of in-scope systems, locations, and whether infrastructure is on-premise, cloud, or hybrid. Multi-entity organisations, regulated BFSI entities, and organisations with significant outsourced IT operations typically require a longer first cycle; subsequent annual cycles are faster once baseline documentation and evidence templates exist.

Document Checklist
IT Landscape & Governance Documentation

List of all in-scope systems — applications, databases, operating systems, and network infrastructure — with version, hosting model (on-premise, private cloud, SaaS), and criticality classification

IT organisation chart showing reporting lines for IT operations, security, and any outsourced/managed service provider arrangements

IT policies and standard operating procedures — access management, change management, backup and DR, incident management, acceptable use

Details of any recent infrastructure migration, cloud transition, or major system upgrade in the last 24 months, with go-live dates and any post-go-live issues log

Prior internal audit, statutory audit management letter, or previous IS Audit/ITGC report, including status of prior findings

Access Management Evidence

Complete current user access listing across all in-scope applications, databases, operating systems, and network devices, with role/privilege level for each user

New-joiner, role-change, and exit (leaver) access request forms and approvals for a sample period covering the full audit cycle

List of all privileged/administrator accounts across in-scope systems, with justification for each and evidence of periodic access recertification

HR exit reports for the audit period, to be cross-checked against IT de-provisioning records for evidence of timely access revocation

Change Management Evidence

Change management log/ticket register for the audit period, covering application, configuration, and infrastructure changes

Sample of change requests with evidence of business justification, testing/UAT sign-off, and appropriate authorisation before deployment to production

Segregation evidence between development, testing, and production environments, and confirmation of who holds access to move changes between them

Emergency/break-glass change procedure documentation and log of any emergency changes made during the audit period

IT Operations, Backup & Continuity Evidence

Batch job/scheduler configuration and failure/exception log for critical financial-close-related jobs and interfaces

Backup schedule and retention policy documentation, plus evidence of periodic restore/recovery testing — not merely confirmation that backups run

Business Continuity Plan (BCP) and Disaster Recovery (DR) plan documentation, plus evidence of the most recent DR test or drill

Incident and problem management log for the audit period, including any security incidents, outages, or data integrity issues and their resolution

Physical, Environmental & Third-Party Evidence

Data centre/server room access control list and visitor log for the audit period (for on-premise or co-located infrastructure)

Environmental control evidence — fire suppression, power backup/UPS, temperature and humidity monitoring records

Cloud service provider attestations relevant to in-scope hosted systems — SOC 2 report, ISO 27001 certificate, or equivalent — and the organisation's documented understanding of the shared-responsibility model

Contracts and service level agreements with any outsourced IT operations or managed security service provider, including their obligations around access control and incident notification

Regulatory & Compliance Context (Where Applicable)

For banks/NBFCs/insurers: relevant RBI/IRDAI IT governance and outsourcing circular compliance documentation and any prior regulatory IS audit findings

For listed companies: the Board's Section 134(5)(e) IFC certification basis documentation and the statutory auditor's prior-year IFC/CARO observations relating to IT

For companies pursuing SOC 1/SOC 2: the specific Trust Services Criteria or control objectives the report needs to address and the intended report period

Data protection/privacy policy and any data localisation or cross-border data transfer documentation relevant to the Digital Personal Data Protection Act, 2023 framework where applicable to the organisation's data processing activities

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Scoping & PlanningDecision to commission an IS Audit / ITGC reviewSystems landscape mapping, risk assessment, control objective mapping, and audit charter agreed before any testing begins — ensuring the scope actually covers systems material to financial reporting or the specific assurance need, not just what management first lists.Under-scoped audit that misses a system feeding directly into the general ledger or a regulator-mandated control area, producing a false sense of assurance.
Fieldwork & TestingAudit charter agreed, evidence access grantedAccess management, privileged access, change management, IT operations, backup/DR, and physical/environmental controls tested against actual evidence — logs, tickets, approvals — not merely policy documents and management representations.Reliance placed on documented policy that is not actually followed in practice; control weaknesses (unrevoked exit access, untested backups, unauthorised production changes) remain undetected until an incident forces discovery.
Findings & ReportingFieldwork substantially completeEvery finding rated by severity, linked to financial/operational risk, validated for factual accuracy with process owners, and delivered with a specific, implementable recommendation — not a generic checklist of 'best practices.'Vague or unprioritised findings that management cannot act on; Critical issues buried among low-value observations and never remediated.
Management Response & RemediationDraft report issuedA documented management response and committed remediation owner/timeline obtained for every accepted finding, converting the report into a governance-actionable roadmap presented to the Audit Committee or Board.Findings acknowledged verbally but never formally tracked; the same weaknesses recur in the next audit cycle with no accountability trail.
Follow-Up & ValidationNext audit cycle, or sooner for Critical findingsIndependent verification in the live environment that remediation was actually implemented — not just marked closed in a tracker — with an interim check recommended for Critical-rated findings ahead of the next full cycle.Remediation marked 'closed' administratively while the underlying control gap remains open, surfacing again as a statutory audit qualification or, worse, an actual incident.
Integration with Statutory Audit / IFC-FRAnnual statutory audit cycleITGC review findings and evidence are structured to directly support the statutory auditor's IFC-FR testing under CARO and Section 134(5)(e), reducing duplication of effort and strengthening the Board's IFC certification basis.Statutory auditor independently identifies the same ITGC gaps during year-end audit, resulting in management letter points, potential CARO qualification, and audit fee escalation for additional testing.
Regulatory / Customer Reporting CycleRBI/IRDAI IT governance requirement, or customer request for SOC 1/SOC 2ITGC review evidence and findings feed directly into regulatory IS audit submissions or a formal SOC 1/SOC 2 reporting engagement, avoiding duplicate evidence-gathering exercises across multiple assurance requirements.Separate, uncoordinated evidence requests from regulators, customers, and auditors create audit fatigue for the IT team and inconsistent representations across reports.
System Change / Migration EventNew ERP, cloud migration, or infrastructure changeA scoped interim ITGC review or readiness assessment is recommended before the change goes live, and access/change control baselines are re-established immediately post-go-live rather than waiting for the next annual cycle.New system inherits none of the prior environment's control discipline; access grants and change practices drift uncontrolled for a full year before the next audit catches it.
Frequently asked
What exactly is an Information Systems Audit (IS Audit)?

An IS Audit is an independent examination of the governance, security, and operational controls around an organisation's IT environment — the applications, databases, operating systems, networks, and data centres that support business processes and financial reporting. It assesses whether the organisation's IT controls are properly designed and are actually operating as intended, rather than merely documented in a policy.

Practitioner noteMost managements assume their IT team's internal confidence in the systems is equivalent to independent assurance. It is not — an IS Audit exists precisely because self-assessment by the team that built and runs a system carries an inherent blind spot.
What are IT General Controls (ITGCs), specifically?

ITGCs are the foundational controls over the IT environment that all application-level and automated financial controls depend on. They fall into four domains: access management (how user access is granted, changed, and revoked), change management (how changes to programs and configuration are tested and approved before going live), IT operations (batch jobs, interfaces, backups, incident management), and physical/environmental security (data centre and server room controls).

Practitioner noteThink of ITGCs as the foundation of a building. A perfectly configured approval workflow in your ERP (an application control) is worthless if someone with unrevoked access can bypass it entirely at the database level — that is an ITGC failure undermining an application control.
Why do ITGCs matter for financial reporting specifically?

Under Section 134(5)(e) of the Companies Act 2013, the Board must certify that internal financial controls are adequate and operating effectively. Most modern financial controls — automated postings, system-calculated tax, approval-workflow-enforced payment authorisation — depend entirely on the IT environment underneath them. A weak ITGC (an exited employee's access left active, an unauthorised production change) can silently undermine every application control built on top of it, which is why statutory auditors test ITGCs as part of Internal Financial Controls over Financial Reporting (IFC-FR) assessment.

Practitioner noteWe frequently see companies invest heavily in application-level controls — sophisticated approval matrices, tolerance limits — while the ITGC layer beneath remains untested. It is the equivalent of installing an expensive lock on a door while leaving a window open.
Is an IS Audit / ITGC review mandatory for all companies?

There is no single blanket statutory mandate requiring every company to commission a standalone IS Audit. However, the underlying obligation — adequate and effective internal financial controls — is mandatory for listed companies and prescribed classes of unlisted companies under Section 134(5)(e), and the statutory auditor is required to test and report on IFC-FR under CARO for applicable companies. In practice, most such companies find that a dedicated ITGC review is the most reliable way to demonstrate and evidence that obligation. Regulated entities — banks, NBFCs, insurers — face additional sector-specific IT governance and outsourcing circular requirements from RBI or IRDAI that may mandate periodic independent IS audit.

Practitioner noteEven where not strictly mandated, we routinely see growth-stage and PE/VC-backed companies commission an ITGC review voluntarily — because the alternative is discovering the gaps during investor or lender due diligence, at a far less convenient moment.
How is an ITGC Review different from a cybersecurity audit or VAPT?

A VAPT (Vulnerability Assessment and Penetration Testing) engagement tests whether your network and applications can be technically exploited from outside or inside the perimeter — it is an attack-simulation exercise. An ITGC review tests whether your governance controls around access, change, and operations are properly designed and consistently followed — it is a control-assurance exercise, closer in nature to a financial controls audit than to ethical hacking. The two are complementary: a VAPT can find a technical vulnerability, while an ITGC review finds the governance gap (weak access recertification, unmonitored privileged accounts) that made the vulnerability exploitable or the breach undetected for longer.

Practitioner noteOrganisations sometimes commission a VAPT expecting it to also validate their access management and change control discipline. It does not — the two engagements test fundamentally different things, and we recommend both where budget allows, scoped clearly to avoid overlap and gaps.
How is this different from an ERP or application controls audit?

An ERP/application controls audit goes deep into a single application's configuration — segregation of duties within specific modules, approval workflow settings, tolerance limits, three-way matching. An ITGC review sits at a broader, foundational layer — access and change management across all in-scope systems (which may include the ERP, but also databases, operating systems, and network infrastructure), IT operations, and physical security. ITGCs are, in effect, the control environment that application-level controls rely on for their own integrity.

Practitioner noteWe often recommend organisations start with an ITGC review before commissioning a deep ERP application audit — a weak ITGC environment can undermine confidence in application-level findings, so establishing the foundation first produces a more reliable overall assurance picture.
What is the typical timeline for a first IS Audit / ITGC Review?

For a mid-sized single-location organisation with a defined systems landscape, a realistic timeline from kickoff to Board presentation is 7–9 weeks, covering scoping, testing across all four ITGC domains, findings validation, and reporting. Multi-entity organisations, regulated BFSI entities, and organisations with significant outsourced IT operations typically require a longer first cycle because of the additional evidence-gathering and coordination involved.

Practitioner noteThe first cycle is always the slowest — largely because baseline documentation (access lists, change logs in a usable format) often does not exist in a ready state. Once that baseline is established, subsequent annual cycles are noticeably faster.
What does an IS Audit / ITGC review actually cost?

Fees depend on the number of in-scope systems, locations, whether infrastructure is on-premise, cloud, or hybrid, and whether the engagement is a standalone review or coordinated with statutory audit IFC testing. PNPC agrees a fixed, written scope and fee before any fieldwork begins — there are no open-ended time-and-material surprises. We are transparent that a properly resourced ITGC review, conducted by CAs with IT audit training rather than a generic checklist provider, costs more than a template-driven review — and consistently delivers findings that a template approach misses.

Practitioner noteAsk any provider for a sample findings report (with client details redacted) before engaging them. The difference between a checklist provider and a properly scoped ITGC review is immediately visible in the depth and specificity of the findings.
Who typically commissions an IS Audit / ITGC Review — the Board, Audit Committee, or CFO?

It can be commissioned by any of the three, and often is a joint decision. Audit Committees commission it as part of their governance oversight responsibility. CFOs commission it to support the IFC-FR certification and to pre-empt statutory audit management letter points. Internal Audit functions commission it because most internal audit teams lack the specialist skills to test access logs, change tickets, and system configuration evidence to the depth required.

Practitioner noteWe recommend the engagement letter name a specific sponsor — usually the Audit Committee Chair or CFO — so that findings have a clear escalation path and remediation accountability from day one.
What happens if the review finds a Critical-rated finding — what does that actually mean?

A Critical rating means the control gap creates a material and immediate risk — for example, several exited employees with active privileged access to the financial system, or evidence of unauthorised changes made directly to production without any approval trail. Critical findings are escalated to the Audit Committee or Board immediately upon identification during fieldwork, rather than held back for the final report, and PNPC recommends an interim validation check (rather than waiting for the next full annual cycle) to confirm remediation before it becomes a statutory audit issue.

Practitioner noteWe do not sit on Critical findings until the report is finalised. If we find something that represents live, exploitable exposure, we flag it to management the same week — an ITGC review is an assurance exercise, not a game of withholding bad news until the final slide deck.
Our IT is entirely outsourced to a managed service provider. Does that change the scope?

It changes the evidence sources but not the underlying control objectives — the organisation remains accountable for the effectiveness of controls even when IT operations are outsourced. We review the managed service provider's contractual obligations around access control, change management, and incident notification, request relevant third-party attestations (SOC 2 report, ISO 27001 certificate) where available, and test the organisation's own oversight controls over the outsourced arrangement — because 'we outsourced it' is not itself a control.

Practitioner noteOne of the most common gaps we find in outsourced-IT organisations is the absence of any structured vendor oversight — no periodic review of the MSP's access grants, no confirmation that exit tickets were actioned by the vendor. Accountability for control effectiveness cannot be outsourced even when the operational task is.
We are entirely cloud-hosted (SaaS applications, cloud infrastructure). Is an ITGC review still relevant?

Yes — cloud hosting shifts some control responsibilities to the cloud provider under a shared-responsibility model, but the organisation retains responsibility for access management within the applications, user provisioning and de-provisioning, configuration of security settings, and oversight of the cloud provider's own control attestations. We review the cloud provider's SOC 2 report or ISO 27001 certificate as evidence of infrastructure-level controls, and focus our direct testing on the layers the organisation itself controls — user access, application configuration, and data governance.

Practitioner noteA common misconception is that moving to the cloud transfers all IT control responsibility to the provider. It does not — access management within your SaaS applications remains entirely your organisation's responsibility, and it is the area we find the most unaddressed gaps in cloud-native companies.
Does PNPC test the operating effectiveness of controls, or just whether policies exist on paper?

Operating effectiveness — meaning we test actual evidence (access logs, change tickets, approval records, backup restore logs) over the audit period, not just whether a policy document exists. A documented access management policy that is not actually followed provides no real assurance, and testing only the existence of policy would give a false sense of comfort to the Board.

Practitioner noteThe gap between 'policy exists' and 'policy is followed' is where nearly every finding in our experience originates. We have reviewed beautifully written IT policy manuals sitting alongside access lists that show dozens of exited employees with active credentials — the two facts coexist far more often than management expects.
How does the ITGC review interact with our statutory auditor's work?

A well-scoped ITGC review can directly support and reduce duplication in the statutory auditor's IFC-FR testing — evidence gathered and findings validated in the ITGC review can be shared with (or independently relied upon by) the statutory auditor, subject to their own professional judgement on the extent of reliance permitted under the Standards on Auditing. This typically results in a smoother year-end audit with fewer surprises and can reduce incremental statutory audit fees for IT-control testing.

Practitioner noteWe coordinate timing with the statutory audit cycle wherever the CA firm is different from PNPC, so that our ITGC review evidence is available and relevant when the statutory auditor performs IFC-FR testing — rather than the two exercises running on unrelated timelines and duplicating effort.
What is the difference between an ITGC review and SOC 1 / SOC 2 reporting?

SOC 1 and SOC 2 are formal, structured assurance reports (aligned to AICPA SSAE 18 / ISAE 3402-type standards) that a service organisation commissions specifically to give its own customers' auditors independent assurance over its controls — SOC 1 focused on controls relevant to customers' financial reporting, SOC 2 focused on the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). An internal ITGC review, by contrast, is commissioned for the organisation's own Board and Audit Committee. Many organisations use an internal ITGC review as preparation before pursuing a formal SOC 1/SOC 2 engagement, since the underlying control domains substantially overlap.

Practitioner noteIf your organisation is a SaaS provider or BPO whose customers are asking for SOC 2 assurance, we recommend a readiness-focused ITGC review first — it surfaces and lets you remediate gaps before they appear as exceptions in a formal, externally distributed SOC report.
What does PNPC actually test for access management — walk through a real example?

We obtain the full current user access listing for each in-scope system, cross-reference it against HR's exit report for the audit period, and identify any exited employee whose system access was not revoked (or not revoked within a reasonable timeframe). We also sample new-joiner and role-change requests to confirm access was granted only after proper approval, and review whether privileged/administrator accounts are subject to periodic recertification. This is consistently one of the highest-finding-rate test areas in first-time reviews.

Practitioner noteIn nearly every first-time ITGC review we perform, this specific test — matching HR exits against IT access revocation — surfaces at least one gap. It is the single most common finding across industries and company sizes, and one of the easiest to remediate with a documented joiner-mover-leaver process.
What does change management testing actually look like in practice?

We pull the change log or ticketing system record for the audit period, select a sample of changes (weighted towards higher-risk changes — configuration changes affecting financial postings, tax calculation logic, or access controls themselves), and trace each sampled change to a documented business justification, evidence of testing or UAT sign-off, and appropriate authorisation before it was deployed to the production environment. We also test whether development, testing, and production environments are properly segregated, and who holds the ability to move changes between them.

Practitioner noteA frequent finding: developers holding direct production access 'for emergencies,' with no compensating control such as logged and reviewed emergency-change procedures. This defeats the purpose of environment segregation entirely and is a red flag statutory auditors specifically look for.
Do you test whether our backups actually work, or just that backups are scheduled?

We specifically look for evidence of periodic restore or recovery testing — an untested backup provides no real assurance of recoverability and is, in practical terms, not yet a proven control. We review the backup schedule and retention policy, and separately request evidence (a restore test log, a DR drill report) confirming that a backup was actually restored successfully within the audit period.

Practitioner noteWe have seen organisations discover during an actual incident that their backups had been silently failing for months, because no one had tried to restore from them. Scheduled backups without restore testing is one of the most dangerous false-comfort gaps in IT operations.
What frameworks or standards does PNPC's methodology follow?

Our methodology draws on COBIT (Control Objectives for Information and Related Technologies) for the control domain structure, ISO 27001-aligned practice for information security control benchmarks, and the ICAI Guidance Note on Audit of Internal Financial Controls for the linkage to Section 134(5)(e) and CARO reporting requirements. For regulated BFSI clients, we additionally incorporate the relevant RBI or IRDAI IT governance and outsourcing circular requirements into scope.

Practitioner noteWe do not apply frameworks rigidly regardless of organisational context — a 200-person SaaS company and a multi-branch NBFC need materially different depth and emphasis even under the same underlying framework. Scoping conversations at the outset are where this gets calibrated correctly.
How does PNPC rate findings, and what do the severity levels mean?

Findings are rated Critical, High, Medium, or Low based on the combination of the likelihood of the control failing and the potential financial or operational impact if it does. Critical findings represent immediate, material exposure (active access for terminated employees with financial system privileges, unauthorised production changes with no approval trail) and are escalated to management as soon as identified during fieldwork, not held for the final report. High and Medium findings are documented with clear remediation recommendations and realistic timelines; Low findings are typically process-hygiene observations that strengthen the control environment without representing immediate risk.

Practitioner noteWe resist the temptation to inflate minor observations to High or Critical to make the report look more thorough — an over-rated report loses management's trust and makes it harder to get attention for the findings that genuinely matter.
Can this review help with our SEBI-listed company's IFC-FR certification specifically?

Yes — this is one of the most common reasons listed companies commission a dedicated ITGC review. The findings and remediated evidence directly support the Board's basis for its Section 134(5)(e) internal financial controls certification, and give the CFO and Audit Committee documented assurance ahead of the statutory auditor's own IFC-FR testing, reducing the risk of a late-discovered gap becoming a CARO qualification or audit management letter point at year-end.

Practitioner noteWe time engagements for listed clients specifically to complete well ahead of year-end statutory audit fieldwork — findings discovered in March, when the statutory auditor is already testing IFC-FR, leave far less room for orderly remediation than findings discovered in the preceding quarter.
Our NBFC/bank has an internal audit function already. Why do we need a separate IS Audit?

Most internal audit teams, even well-resourced ones, are staffed primarily with finance and operations audit skills rather than IT audit specialists trained to independently test access logs, change tickets, database configuration, and system-level evidence. RBI's IT governance and outsourcing frameworks for regulated entities typically expect a level of specialist IT audit rigour that general internal audit resourcing does not always provide. A dedicated IS Audit/ITGC review, whether performed by PNPC directly or used to strengthen and train the internal audit function's approach, closes that specialist gap.

Practitioner noteWe often work alongside a client's existing internal audit function rather than replacing it — providing the specialist IT audit depth for the ITGC domains while internal audit continues to own the broader annual audit plan.
What is the difference between IT General Controls and IT Application Controls?

IT General Controls (ITGCs) are pervasive controls that apply across an entire IT environment — access management, change management, IT operations, physical security — and support the reliability of every system running within that environment. IT Application Controls are specific, automated controls built into a particular application — a mandatory three-way match before payment, a system-enforced approval limit, a validation rule preventing negative inventory. Application controls can only be relied upon if the ITGC environment beneath them is sound; a weak ITGC environment (someone with unauthorised database access) can bypass even a well-designed application control.

Practitioner noteWe explain this distinction to Audit Committees using a simple analogy: ITGCs are the building's structural integrity and security system; application controls are the individual locks on individual office doors. A strong lock on a weak door frame is not real security.
Does the review cover data privacy and the Digital Personal Data Protection Act, 2023?

Access management and change management controls tested as part of an ITGC review directly support data protection objectives — since unauthorised access is the most common root cause of a personal data breach — but a full DPDP Act compliance assessment (consent management, data processing agreements, breach notification readiness, data localisation) is a distinct and broader engagement. Where relevant to the organisation's data processing footprint, we flag DPDP-related control gaps we observe during the ITGC review and recommend a dedicated compliance assessment where warranted.

Practitioner noteAs DPDP Act enforcement matures, we expect ITGC-adjacent findings — particularly around access controls over personal data and breach detection capability — to become increasingly relevant evidence for an organisation's broader data protection compliance posture.
How often should we repeat an IS Audit / ITGC Review?

Annual is the typical cadence for organisations with an ongoing IFC-FR certification obligation, regulatory IT governance requirement, or customer SOC reporting need — aligning with the statutory audit and Board certification cycle. Organisations without a recurring formal obligation often commission it every 18–24 months, or trigger an interim review after a major system change, security incident, or before a significant transaction (fundraise, acquisition) where IT control assurance will be scrutinised.

Practitioner noteWe advise against treating this as a one-time exercise regardless of your regulatory obligation. Access grants drift, staff turnover continues, and new systems get added — an environment reviewed once and never again reverts to an unreviewed state within a year or two.
Can a smaller company with a lean IT team still commission this review, or is it only for large enterprises?

Yes, though the scope and depth should be proportionate. A smaller company with a single ERP, limited applications, and a lean team can still commission a scoped ITGC review — often focused primarily on access management and change management, the two domains that carry the highest risk-to-effort ratio — without the full multi-system, multi-location scope a large enterprise would require. PNPC scopes the engagement to the organisation's actual risk profile and size rather than applying a one-size-fits-all enterprise checklist.

Practitioner noteWe regularly right-size this engagement for growth-stage companies preparing for their first institutional fundraise — a focused access-and-change-management review, rather than the full enterprise scope, is often exactly what due diligence requires at that stage.
What deliverables do we actually receive at the end of the engagement?

A detailed findings report with each finding rated by severity, mapped to the relevant control domain and risk, accompanied by a specific recommendation; a management response and remediation roadmap document with named owners and timelines; and an executive summary presentation delivered directly to the Audit Committee or Board in plain-language terms. For engagements linked to statutory audit or regulatory submission, we also prepare a summary memo cross-referencing findings to the relevant CARO/IFC-FR or regulatory reporting requirement.

Practitioner noteWe deliberately produce two versions of the findings — a full technical report for the IT team to action, and an executive summary for the Board — because a 40-page technical document with control-domain jargon does not serve a non-technical director's decision-making needs.
What if management disagrees with a finding — how is that handled?

Every finding is shared in draft with the relevant process owner for factual accuracy review before the report is finalised — if management believes a finding is factually incorrect (for example, evidence exists that we did not receive during fieldwork), we review the additional evidence and revise the finding if warranted. Where management disagrees with our assessment of risk or the recommended remediation despite the facts being accurate, that disagreement — and management's stated rationale — is documented transparently in the final report rather than silently omitted.

Practitioner noteWe do not water down or remove a finding simply because management is uncomfortable with it. Our obligation is to the Audit Committee and Board who commissioned independent assurance — a report edited to avoid disagreement stops being independent assurance.
Does PNPC only review the environment, or does it help fix the gaps too?

The IS Audit / ITGC review itself is an independent assurance engagement — consistent with maintaining independence, PNPC does not implement the remediation for gaps we have audited, since doing so would create a self-review conflict for any subsequent assurance cycle. We do provide practical, specific, implementable recommendations for each finding, and can advise on remediation approach and best practice, but implementation is carried out by the organisation's own IT team or a separate implementation partner.

Practitioner noteThis separation matters more than it might initially seem — an auditor who also implements the fix loses the independence to objectively assess whether that fix actually worked in the next cycle. We maintain this boundary deliberately, even when clients ask us to simply 'take care of it.'
We use multiple ERPs and legacy systems across different business units. Can PNPC handle a multi-system scope?

Yes. We scope multi-system, multi-entity landscapes explicitly at the outset — identifying which systems are material to financial reporting or the specific regulatory/customer assurance requirement, and prioritising testing depth accordingly rather than spreading effort thinly and evenly across every system regardless of materiality. Legacy systems with limited vendor support often carry elevated ITGC risk (unpatched vulnerabilities, informal change processes) and are specifically flagged for closer review.

Practitioner noteMulti-system landscapes accumulated through M&A or organic growth over many years are where we most often find inconsistent control discipline — a well-governed core ERP alongside a legacy system with essentially no access review process at all. Identifying and addressing that inconsistency is usually one of the most valuable outputs of the engagement.
Does PNPC's Dubai office offer this service for UAE-based entities as well?

Yes. For clients with operations or group entities in both India and the UAE, PNPC coordinates IS Audit / ITGC engagements across both jurisdictions from our Chennai/Bangalore/Hyderabad and Dubai offices under a single engagement team — relevant where a UAE entity's systems feed into an Indian parent's consolidated financial reporting, or where UAE Corporate Tax and VAT compliance depend on system-generated data whose integrity needs independent assurance.

Practitioner noteFor India-UAE group structures, we find real value in a single team reviewing both entities' IT environments together — inconsistent access or change management discipline between the two often only becomes visible when someone looks at both sides at once, rather than two disconnected local reviews.
Why should we engage PNPC rather than a generic IT audit or cybersecurity firm?

A generic IT/cybersecurity firm brings technical infrastructure expertise but often lacks the Chartered Accountant's grounding in financial reporting risk, IFC-FR, CARO, and Companies Act governance requirements — meaning their findings, however technically sound, may not translate cleanly into what the Board and statutory auditor actually need. PNPC combines practising CA judgement on financial control objectives with structured IT audit methodology, so findings are framed in terms the Audit Committee can act on and that map directly to statutory and regulatory reporting obligations.

Practitioner noteWe have been engaged by clients specifically to re-scope and re-run a review previously performed by a pure IT security firm, because the original report — while technically detailed — did not connect findings to the financial reporting or governance risk the Board actually needed addressed.
How much CA and IT staff involvement is required from our side during the engagement?

We minimise disruption by requesting evidence in structured batches rather than ad-hoc, and scheduling interviews with IT and process owners in defined windows rather than open-ended access. For a mid-sized single-location engagement, realistic internal effort is typically a designated IT coordinator's part-time involvement across the fieldwork period, plus brief interview time from a handful of process owners (access administrator, change manager, backup/DR owner).

Practitioner noteWe ask clients to nominate a single internal coordination point at kickoff — engagements where evidence requests are scattered across multiple uncoordinated IT staff consistently take longer and produce more incomplete evidence trails than those with one clear coordinator.
Why PNPC Global
FeatureGeneric IT/Cybersecurity FirmBig-4 / Large Firm ITGC PracticePNPC Global
Financial reporting linkage (IFC-FR, CARO, Sec 134(5)(e))Often absent — technical findings not mapped to statutory obligationsPresent, but delivered through large, less accessible teamsDeep CA-level linkage — findings explicitly connected to IFC-FR, CARO and Board certification needs
Scoping approachOften a generic technical checklist applied regardless of contextStructured, but standardised across large-firm methodology with less flexibilityScoped specifically to your systems landscape, financial materiality, and regulatory profile
Reporting for non-technical Board membersHighly technical language, difficult for Audit Committee to actionGenerally strong, but with less direct engagement CA accessPlain-language executive summary plus full technical report — presented directly by the engagement CA
Critical finding escalationOften held for the final reportGenerally escalated, but through account management layersEscalated to management the same week a Critical issue is identified during fieldwork
India-UAE coordinationRare — most firms are single-jurisdictionAvailable, but through separate regional teams with handoff frictionSingle engagement team across Chennai/Bangalore/Hyderabad and Dubai offices
Pricing structureVariable — sometimes open-ended time-and-materialPremium pricing reflecting large-firm overheadFixed, written scope and fee agreed before fieldwork begins
Follow-up validationRarely offered as standardAvailable as a separate paid engagementBuilt into the engagement approach — remediation verified in the live environment, not just tracker status
Direct access to the reviewing professionalOften routed through account managers or junior staffSenior partner access limited by large-client portfolioDirect access to your engagement CA by phone and WhatsApp throughout and after the engagement

What the PNPC package includes

  1. 01

    Systems landscape mapping and risk-based scoping — tailored to your actual environment, not a generic checklist

  2. 02

    Access management lifecycle testing — provisioning, role changes, and exit de-provisioning across all in-scope systems

  3. 03

    Privileged/administrator access review and recertification testing

  4. 04

    Change management testing — sampled changes traced to documented approval, testing evidence, and authorised deployment

  5. 05

    IT operations review — batch jobs, interfaces, and exception/failure monitoring for financial-close-critical processes

  6. 06

    Backup, recovery, and business continuity testing — including evidence of actual restore/DR test results, not just scheduling

  7. 07

    Physical and environmental security review for on-premise infrastructure, or cloud provider attestation review for hosted environments

  8. 08

    Severity-rated findings report (Critical/High/Medium/Low) with specific, implementable recommendations for each

  9. 09

    Management response tracking and remediation roadmap with named owners and committed timelines

  10. 10

    Direct Audit Committee / Board presentation by the engagement CA, in plain-language governance terms

  11. 11

    Follow-up validation cycle confirming remediation was actually implemented in the live environment

  12. 12

    Coordination with your statutory auditor's IFC-FR testing to reduce duplication and strengthen the Board's certification basis

Speak directly with a PNPC Chartered Accountant who understands both IT audit methodology and the financial reporting obligations your Board actually needs to satisfy — not a generic checklist provider, and not a large-firm account manager. A practising CA who will present findings your Audit Committee can act on, and who will still be reviewing your systems next cycle to confirm the fixes actually held.

← Back to Transformation & Tech
Talk to a CA