
How to Perform an Information Technology General Controls Review

Course Description


The basis for all auditing is the reliance on a control environment. The general controls review assesses the IT control environment and, through the evaluation of specific control activities, monitoring, communications, and risk assessment, provides the basis for the assessment’s conclusion. The process itself focuses on numerous areas affecting IT management, data integrity, accuracy, and security, as well as availability.

This course focuses on the planning, execution, and reporting of a general IT controls review. Recognizing that the scope of the review is too wide to perform as one omnibus review, the facilitator provides attendees with an approach to assessing the highest risk areas, focusing on these on a routine basis, and developing a cycle approach to review the less significant control processes. In addition, the facilitator encourages utilizing a maturity model, an objective, repeatable assessment basis, which provides management with a measurement that can show improvement of controls over time.

This course is appropriate for IT audit professionals responsible for managing and performing general controls reviews and internal audit departments seeking to establish a focused and responsive presence with their audit customers.

In this course, we will discuss:

  • The IT general control review components.
  • Frameworks to support the audit process.
  • Compliance requirements (AS5, PCI-DSS, GLBA, HIPAA, state/federal privacy legislation).
  • The scope of a full-scope general controls review.
  • Planning the scope of the general controls review.
  • Integrating compliance requirements into the planning process.
  • How to execute the review.
  • Effective reporting processes using scorecards and maturity models.

Course Duration: 2 day(s)
CPE Hours Available: 14
Knowledge Level: Intermediate
Field of Study: Auditing
Prerequisites: Because this course focuses on the audit approach to general IT control reviews, participants should understand IT delivery and support concepts and processes.
Advance Preparation: None
Delivery Format: On-site Training (Group-Live)

What is the Objective of the IT-GCR?

  • Satisfy a compliance requirement
  • Satisfy an assurance requirement
  • Rationalize requirements

Defining the IT-GCR Components

  • IT management
  • Data integrity, accuracy, and security
  • Availability

Framework to Support Controls Review

  • Why a framework?
  • Which framework (The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control–Integrated Framework, COBIT, or ITIL)
  • Building a case for a lead framework

The Full-scope General Controls Review

  • IT management
  • Data integrity, accuracy, and security
  • Availability

Practical Performance of IT-GCR

  • Impractical to “DO IT ALL” in one review
  • Risk assessment of IT general controls universe
  • IT general controls review for obtaining and customizing the work plan; walk-through of general control areas; and discussion of the scope and major control issues for access controls, identity management, incident and problem reporting, configuration management, networks, systems development/change management/project management, production control/scheduling, help desk, and business continuity planning

Maturity Assessment

  • Using a CMM model to assess control maturity
  • Building the maturity model into the audit process
  • Preparing scorecards with the maturity assessment results
  • Presenting findings to management
  • Building a maturity model-based reporting cycle

Most courses can be delivered through on-site training. You might be surprised that the organization leading the profession is just as committed to the delivery of affordable training.

Contact us by calling +1-407-937-1388 or send an e-mail to GetTraining@theiia.org.