Skip to content

Report Assurance and IT General Controls

Does testing General IT controls provide assurance over reports?

This is a commonly held belief. It is misplaced.

The simple answer is that it does not. But it can contribute to assurance over reporting.

What do they cover?

  1. Typically they focus on:

    • access control (security)

    • IT change control incl. testing

    • some facets of IT operations

    • backups (in certain cases).

  2. The specific objective drives the scope of the work. As an example, for external audits the scope will include systems that relate to financial reporting.

What don’t they cover?

  1. Report integrity: they don’t typically include controls over accuracy and completeness of reports.

  2. Access: yes, they cover access restrictions, but they don't typically extend to access flexibility. That is, whether the access controls limit the outputs (a separate topic, covered here).

What does this mean?

  • ITGCs can be useful ... but they don’t provide assurance over reports

  • Some of the work can be reused ... but reporting integrity can’t be confirmed by them alone.

How can you obtain assurance over reports?

ITGCs are a good starting point:

  1. Access restrictions are important because they help ensure integrity of inputs, etc.
  2. Change control is important because it helps ensure the systems and reports are changed appropriately, and the testing aspect is particularly useful.
  3. IT operations, where relevant, help with things like ensuring data is processed through systems.
  4. Backups are important, but not significant for report assurance.

But this needs to be extended. It can include:

  1. Access flexibility: making sure that 
  2. Report integrity: controls over accuracy and integrity of reports. This could include specific change control, including testing, related specifically to the reports that you need covered.
  3. Direct report checking: what you need here will vary in depth, depending on the level of assurance you need. This can focus on checking other controls. Often it will involve checking data sources, transformations and report configuration. 

There are other checks, but the areas above provide good coverage.