Top 10 IT General Control (ITGC) Deficiencies Found in Audits

IT general control (ITGC) deficiencies remain one of the most common issues identified during internal and external audits. Based on real-world assessments across mid-market and enterprise organizations, many companies face recurring control gaps that impact audit outcomes and increase compliance risk.

Understanding these common deficiencies is the first step toward strengthening your control environment.

Why ITGC Deficiencies Matter

Weak IT controls can lead to:

• Audit findings and remediation costs

• Increased regulatory scrutiny

• Financial reporting risks

• Operational disruptions

  
  

Organizations that proactively address these gaps are better positioned for smoother audits and stronger governance.

Top 10 Common ITGC Deficiencies

1. Inadequate User Access Reviews

   Periodic access reviews are not performed consistently or lack proper documentation.

   
   

2. Excessive User Privileges

   Users have access beyond what is required for their role, increasing risk of unauthorized activity.

   
   

3. Weak Password and Authentication Controls

   Password policies do not meet complexity or rotation standards, or multi-factor authentication is not enforced.

   
   

4. Lack of Segregation of Duties (SoD)

   Conflicting access rights are not identified or mitigated, particularly in ERP systems.

   
   

5. Ineffective Change Management Processes

   Changes to systems and applications are not properly approved, tested, or documented.

   
   

6. Insufficient Logging and Monitoring

   System activity logs are not reviewed regularly, limiting visibility into potential issues.

   
   

7. Inadequate Backup and Recovery Procedures

   Backups are not tested or cannot be restored in a timely manner.

   
   

8. Lack of Formal Policies and Procedures

   IT control policies are outdated, incomplete, or not enforced.

   
   

9. Vendor and Third-Party Risk Gaps

   Third-party access and controls are not adequately assessed or monitored.

   
   

10. Incomplete Documentation of Controls

    Controls exist but are not documented in a way that supports audit requirements.

    
    

How to Strengthen Your ITGC Environment

Organizations can improve their IT control environment by:

• Establishing formal control frameworks aligned with business objectives

• Performing regular control testing and monitoring

• Implementing role-based access and segregation of duties controls

• Enhancing documentation and audit trails

Final Thought

Addressing ITGC deficiencies proactively can significantly improve audit readiness and reduce compliance risk.

If your organization is preparing for an audit or looking to strengthen its IT control environment, ClearPath IT Advisors can provide practical, risk-based support.