HIPAA Compliance Checklist for 2025
When did you last verify that a terminated employee's access was revoked across every SaaS app your team uses?
If that answer involves a manual ticket process, you already have an IT general controls audit finding waiting to surface. Nearly 48% of former employees retain app access months after leaving.
This article covers what falls inside the ITGC audit scope, which frameworks govern it, and where modern SaaS environments quietly break controls that look perfectly fine on paper.
TL;DR
- An IT general controls audit examines whether the controls protecting your IT systems are well-designed and actually operating as intended.
- Scope covers four domains: access controls, change management, IT operations, and physical/logical security.
- Key frameworks include SOX Section 404, SOC 2, COBIT, NIST SP 800-53, and ISO 27001, each with different audiences and consequences.
- SaaS environments introduce three failure points that traditional IT general controls frameworks were never built to handle: shadow IT, access drift, and missing audit trails across unmanaged apps.
- CloudEagle.ai addresses all three through continuous SaaS visibility, automated access reviews, and on-demand audit evidence across the full stack.
1. What Actually Falls Inside the Scope of an IT General Controls Audit?
Scope confusion is where most IT teams lose time before an audit even begins.
An IT general controls audit does not review every system in the organization. It reviews the systems that support financial reporting integrity, data security, and regulatory compliance. The auditor's starting question is: which IT systems, if they failed or were compromised, would create a material risk to the business?
That typically means:
One important nuance: scope is not static. Every SaaS app your teams adopt that touches financial data, customer PII, or system access expands the IT general controls audit perimeter, often without IT knowing it happened. 56% of SaaS purchases are made outside IT, which means scope management has become an ongoing operational challenge rather than a pre-audit exercise.
The IT general controls audit applies across both internal and external audit contexts. Internal audits run more frequently and focus on operational readiness. External audits, conducted by certified third-party auditors, result in the compliance certifications that regulators and customers actually ask for.
2. The Four Domains Every IT General Controls Audit Examines
Regardless of which framework governs your audit, the IT general controls audit consistently tests the same four domains: access controls, change management, IT operations, and physical and logical security.
Access controls generate the most findings by far. 95% of enterprises still rely on manual access reviews, making consistent execution nearly impossible at scale.
For a full breakdown of what auditors sample per domain, what evidence they expect, and how to classify deficiencies, see the ITGC Testing guide.
3. The Frameworks That Govern IT General Controls
The framework governing your IT general controls audit depends on your regulatory context, industry, and audit objective.
SOX and SOC 2 test the same four ITGC domains but serve different audiences. SOX deficiencies become public disclosures with direct stock price implications. SOC 2 exceptions affect customer trust and sales cycles, particularly for vendors going through enterprise security reviews.
ISO 27001 and ITGC are frequently confused. ISO 27001 governs your entire information security management system. ITGC testing under SOX or SOC 2 covers a specific subset: controls that protect financial reporting integrity.
Holding ISO 27001 does not exempt an organization from ITGC audit requirements. They have different evidence standards and different audiences.
COBIT provides a governance framework that many enterprises use to structure their IT controls program before entering a formal audit cycle. It does not produce a compliance certification on its own, but it aligns well with both SOX and SOC 2 requirements.
4. Where SaaS Environments Break IT General Controls
Traditional IT general controls frameworks were designed for environments with locked server rooms, on-premise databases, and physical perimeters that were actually perimeters. The frameworks have not fundamentally changed. The environments have.
Here is where SaaS creates specific failures across each of the four ITGC domains:
a) Access drift across an expanding app stack
In an on-premise world, access provisioning was slow and visible. In a SaaS environment, an employee can sign up for a new tool in three minutes using a corporate email with no IT review.
When they leave, that access frequently stays open. Every dormant account is a live access control finding waiting to surface.
b) Shadow IT expands the audit perimeter invisibly
Every unsanctioned SaaS app in the environment is a potential IT general controls audit scope item that nobody catalogued. Finance adopts an invoicing tool. Engineering spins up a cloud environment. A team adds an AI assistant that processes sensitive data.
Shadow IT now accounts for up to 40% of total SaaS usage. When the auditor asks for a complete inventory of systems handling financial or sensitive data, any app on that list that IT cannot account for is an immediate finding.
c) No audit trails in unmanaged apps
ITGC auditors expect timestamped, continuous access logs across every in-scope system.
SaaS tools not integrated into the identity and access management layer generate no centralized logs. Manual reconstruction after the fact is unreliable, and experienced auditors can usually identify it.
d) Change management blind spots
Configuration changes in SaaS applications often happen without the approval and documentation rigor applied to on-premise systems. A permissions change in a financial SaaS tool, or an admin enabling a new integration quietly, may never appear in the change management trail at all.
As Nidhi Jain, CEO of CloudEagle.ai, puts it: "The SaaS sprawl problem is fundamentally an access governance problem. IT teams are not failing because they lack policies. They are failing because they lack visibility into what is actually running in their environment."
Dealing with shadow IT and access drift across your stack? The SaaS Compliance Checklist maps every control layer, from app discovery to vendor governance, with the specific actions security and IT teams need at each stage.
5. Staying IT General Controls Audit-Ready in a SaaS-Heavy Environment
ITGC audit readiness in 2026 is less about documentation and more about continuous operational controls. Four things matter most:
Continuous SaaS discovery, not annual inventories
A point-in-time inventory is stale the moment it is completed. Live visibility into every application, including shadow IT and shadow AI tools, needs to exist before the auditor asks for the list.
Automated access reviews on a defined cycle
Manual reviews run inconsistently, miss populations, and generate evidence that does not hold up under sampling. Automated reviews that run on schedule and store timestamped records close the gap between policy and proof.
Integrated offboarding that covers the full SaaS stack
Deprovisioning failures are among the most common access control findings. Access revocation needs to happen across every connected application immediately, not through a manual ticket process that may miss systems.
Evidence that builds continuously, not at audit time
When the auditor requests a sample, the response should be immediate because the records have been built all year.
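The following is an added example, not code from the original article or from CloudEagle.ai. It shows the reconciliation that an automated access review performs under the second, third and fourth points above: a constructed HR roster is joined against constructed per-app account exports to flag enabled accounts belonging to terminated users, dormant accounts past a defined threshold, and accounts with no matching HR record, and the result is wrapped in a timestamped, hash-sealed evidence record that can be re-verified later. Field names, the export shape and the 90-day dormancy threshold are assumptions, not any vendor's format or policy.

```python
"""Reconcile an HR roster against per-app account exports to surface ITGC access findings.

All data below is constructed for illustration; the row shapes are assumptions,
not a real HR system or SaaS vendor export format.
"""
from dataclasses import dataclass, asdict
from datetime import date, datetime, timezone
from typing import Dict, List, Optional
import hashlib
import json

# --- Constructed sample data -------------------------------------------------
# HR roster: one row per person; termination_date is None for active staff.
HR_ROSTER = [
    {"email": "ana@example.com",  "status": "active",     "termination_date": None},
    {"email": "ben@example.com",  "status": "terminated", "termination_date": "2025-01-15"},
    {"email": "cara@example.com", "status": "active",     "termination_date": None},
]

# Per-app account exports: email, whether the account is enabled, last sign-in (ISO date or None).
APP_ACCOUNTS = {
    "erp-system": [
        {"email": "ana@example.com",  "enabled": True,  "last_login": "2025-03-01"},
        {"email": "ben@example.com",  "enabled": True,  "last_login": "2025-01-10"},  # terminated, still enabled
    ],
    "payroll-tool": [
        {"email": "cara@example.com", "enabled": True,  "last_login": "2024-09-20"},  # dormant
        {"email": "dave@example.com", "enabled": True,  "last_login": "2025-02-28"},  # no HR record at all
        {"email": "ben@example.com",  "enabled": False, "last_login": "2025-01-12"},  # correctly disabled
    ],
}


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    kind: str    # "terminated_user_enabled" | "dormant_account" | "not_in_roster"
    detail: str


def find_access_findings(roster: List[dict], app_accounts: Dict[str, List[dict]],
                         as_of: date, dormant_days: int = 90) -> List[Finding]:
    """Return one Finding per live control exception across every app export."""
    by_email = {row["email"].lower(): row for row in roster}
    findings: List[Finding] = []
    for app, accounts in app_accounts.items():
        for acct in accounts:
            email = acct["email"].lower()
            person = by_email.get(email)
            if person is None:
                # An account the HR system cannot explain: shadow user or orphaned identity.
                findings.append(Finding(app, email, "not_in_roster", "no matching HR record"))
                continue
            if not acct["enabled"]:
                continue  # a disabled account is not a live access exception
            if person["status"] == "terminated":
                term = date.fromisoformat(person["termination_date"])
                findings.append(Finding(app, email, "terminated_user_enabled",
                                        f"still enabled {(as_of - term).days} days after {term}"))
                continue
            last = acct.get("last_login")
            if last is None or (as_of - date.fromisoformat(last)).days > dormant_days:
                findings.append(Finding(app, email, "dormant_account", f"last login {last or 'never'}"))
    return findings


def evidence_record(findings: List[Finding], as_of: date,
                    generated_at: Optional[datetime] = None) -> dict:
    """Build a timestamped evidence record sealed with a SHA-256 over its canonical JSON form."""
    generated_at = generated_at or datetime.now(timezone.utc)
    body = {
        "review_as_of": as_of.isoformat(),
        "generated_at": generated_at.isoformat(),
        "findings": [asdict(f) for f in sorted(findings, key=lambda f: (f.app, f.email, f.kind))],
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    body["sha256"] = hashlib.sha256(canonical.encode()).hexdigest()
    return body


def verify_evidence(record: dict) -> bool:
    """Recompute the seal over everything except the stored hash; False means the record was altered."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest() == record["sha256"]


if __name__ == "__main__":
    review_date = date(2025, 3, 15)
    results = find_access_findings(HR_ROSTER, APP_ACCOUNTS, review_date)
    record = evidence_record(results, review_date)
    print(json.dumps(record, indent=2))
    print("seal verifies:", verify_evidence(record))
```

Run on a schedule, each execution produces a record whose `generated_at` and `sha256` let an auditor confirm both when the review ran and that the stored findings were not edited afterwards; the disabled account for the terminated user deliberately produces no finding, which is the state every deprovisioned account should reach.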
CloudEagle.ai surfaces every application in the stack through direct integrations, finance data, and SSO signals. It automates access reviews across the full SaaS portfolio, generates continuous provisioning logs, and triggers immediate access revocation when HR systems signal a termination.
ICEYE, a satellite technology company, reduced manual access reviews by 90% and saved over 1,500 hours annually after centralizing its review process on CloudEagle.ai. Audit evidence that previously required ad hoc preparation became available on demand.
“We lacked confidence in our access certifications. Reviews were happening, but we couldn’t clearly answer who had access, why it existed, or whether it was still valid. CloudEagle brought structure and accountability to user access reviews without reviewer fatigue.”
~ Michal Lipinski, Director of IT & Security, ICEYE
SOX compliance carries its own specific access control requirements around financial systems. SOX 302 Compliance: Guide for IT Teams and Checklist covers exactly what auditors check and the evidence IT teams need to produce quarterly.
6. FAQs
What are the 4 domains of an IT general controls audit?
Access controls, change management, IT operations, and physical and logical security. Each domain requires both design evidence and operating effectiveness evidence.
What are the 5 steps of the ITGC audit process?
Scoping, walkthroughs, testing, gap analysis, and reporting with remediation recommendations. Full breakdown in the ITGC Testing guide.
What is the role of an ITGC auditor?
To assess whether IT controls are designed correctly and operating effectively, using interviews, walkthroughs, and sample-based testing. External auditors issue certifications valid for one year.
7. The Audit Is Not the Hard Part
Passing an IT general controls audit is not the hard part. The hard part is building an environment where passing is the natural outcome of how IT runs day-to-day, not a six-week sprint before fieldwork begins.
SaaS sprawl has made that harder. Every unsanctioned tool, every dormant account, every configuration change with no approval trail is a control failure that already happened, waiting to surface when an auditor runs a sample.
The organizations that stay clean are the ones with real-time visibility into every application, automated governance across every user, and evidence that exists before anyone asks for it.
See how CloudEagle.ai helps IT and security teams maintain continuous IT general controls audit readiness across a sprawling SaaS stack. Book a demo.