Does testing General IT controls provide assurance over reports?
This is a commonly held belief. It is misplaced.
The simple answer is that it does not. But it can contribute to assurance over reporting.
Typically they focus on:
access control (security)
IT change control incl. testing
some facets of IT operations
backups (in certain cases).
The specific objective drives the scope of the work. As an example, for external audits the scope will include systems that relate to financial reporting.
Report integrity: they don’t typically include controls over accuracy and completeness of reports.
Access: yes, they cover access restrictions, but they don't typically extend to access flexibility. That is, whether the access controls limit the outputs (a separate topic, covered here).
ITGCs can be useful ... but they don’t provide assurance over reports
Some of the work can be reused ... but reporting integrity can’t be confirmed by them alone.
ITGCs are a good starting point:
But this needs to be extended. It can include:
There are other checks, but the areas above provide good coverage.