IT General Controls Guide
Auditors can use the comprehensive framework in our IT General Controls Guide to assess and ensure the effectiveness of an organization's IT general controls. It outlines a step-by-step approach for identifying critical applications and associated IT processes, evaluating risks at each technology layer (application, database, operating system and network), and determining control objectives without specifying key controls. The guide emphasizes a risk-based methodology to scope IT process controls in alignment with financial reporting requirements.
It includes tools for validating application functionality, assessing the design and operational effectiveness of IT general control processes, standardizing/automating IT processes for compliance efficiency, and linking entity-level controls to IT processes. Additionally, it integrates principles from the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT) to maintain a top-down risk assessment approach. This enables auditors to focus efforts on areas most likely to impact financial integrity and establish a tailored control environment that addresses specific organizational risks and regulatory compliance needs.
Key processes covered in this document include:
- Identifying application controls relied upon by the application.
- Identifying key reports and functionality relied upon in performing the business process.
- Determining reliance on IT and companywide entity-level controls.
- Determining if locations share application instances.