A
AcadiFi
AUD`, `ISCcpa

ITGC Dependencies for CPA Audit and ISC: Link the System Control to the Assertion

AcadiFi Editorial·2026-05-21·6 min read

ITGC Dependencies for CPA Audit and ISC: Link the System Control to the Assertion

CPA audit and ISC questions often describe technology work in broad terms: risk assurance, IT audit, systems controls, or process controls. The exam task is more precise. You need to identify which system control supports which business process and which financial statement assertion.

The clean model is:

  • IT general controls protect the environment that runs applications.
  • Application controls enforce or calculate rules inside a specific process.
  • Manual business controls rely on people, but may still depend on system reports or configuration.

Once you separate those layers, IT control questions stop sounding like vague technology language and start becoming normal audit evidence questions.

The Three-Layer Control Map

flowchart TD A["Financial reporting assertion"] --> B["Business process control"] B --> C{"Control type?"} C --> D["Manual review"] C --> E["Application control"] C --> F["IT general control"] D --> G["Evidence: reviewer sign-off and support"] E --> H["Evidence: configuration, exception logs, test results"] F --> I["Evidence: access, change, and operations controls"] H --> J["Can the system output be relied upon?"] I --> J

Layer 1: Financial Reporting Assertion

Start with the assertion. For revenue, the assertion might be occurrence, completeness, accuracy, cutoff, or classification. For inventory, it may be existence, completeness, valuation, or rights and obligations.

The assertion tells you what can go wrong. The control tells you how management prevents or detects that problem.

Layer 2: Business or Application Control

A business control may be manual, automated, or mixed. An automated three-way match in a purchasing system is an application control. A controller's review of an exception report is a manual control that relies on system-generated information.

Layer 3: IT General Controls

IT general controls support the reliability of systems and automated controls. Common categories include:

ITGC areaWhat it protectsAudit concern
Logical accessWho can enter, change, approve, or override dataUnauthorized transactions or changes
Change managementHow system changes are approved, tested, and deployedBroken or altered application logic
Computer operationsJobs, interfaces, backups, and incident handlingIncomplete processing or data loss
Program developmentNew systems and major buildsUnreliable design before go-live

Worked Example: Automated Credit Limit Control

Blue Maple Supply uses an ERP system that blocks shipment orders when a customer's unpaid balance exceeds the approved credit limit. Management relies on that automated block to reduce bad-debt exposure.

The application control is the automated credit-limit block. But the control depends on several ITGCs:

  • only authorized credit managers can change limits,
  • changes to the credit-limit logic are approved and tested,
  • nightly customer balance updates process completely,
  • override access is restricted and logged.

If the access and change controls are weak, the auditor may not be able to rely on the automated block without additional testing.

Worked Example: Manual Review With a System Report

Northbank Foods has a controller review a weekly exception report showing vendor payments over 25,000. The controller investigates unusual payments and signs off electronically.

At first glance, this looks manual. But the review depends on the report being complete and accurate. The auditor should ask:

  1. Which system generated the report?
  2. What report parameters were used?
  3. Can users edit the report before review?
  4. Are access and change controls over the source system reliable?
  5. Does the reviewer investigate exceptions rather than merely sign the report?

The manual signature alone does not prove the control worked. The evidence must support both the review and the report used in the review.

How IT Dependencies Affect Audit Responses

An IT dependency exists when a business control depends on a system, report, interface, configuration, or automated calculation.

If ITGCs Are Effective

The auditor may be able to place more reliance on system-generated reports and automated controls, assuming the application control is also properly designed and tested.

If ITGCs Are Weak

The auditor may need to:

  • increase substantive testing,
  • test report completeness and accuracy directly,
  • select samples from independent source data,
  • test manual compensating controls,
  • evaluate whether the control deficiency affects multiple processes.

If the Application Control Changed Midyear

The auditor should not assume that a successful test in March covers the whole year. A configuration change, patch, or new workflow may require testing before and after the change.

Exam Framing

For CPA exam questions, look for verbs:

  • restrict, approve, provision, and terminate often point to access controls.
  • develop, modify, test, and migrate often point to change management.
  • run, interface, backup, and monitor often point to computer operations.
  • calculate, match, block, and validate often point to application controls.
  • review, investigate, and reconcile often point to manual controls that may depend on system-generated evidence.

The strongest answer usually ties the control to the assertion and then asks whether the supporting IT environment is reliable enough for the auditor's planned reliance.

Ready to level up your exam prep?

Join 2,400+ finance professionals using AcadiFi to prepare for CFA, FRM, and other certification exams.

Start Free Trial — $19/moCompare Plans

Related Articles

CPA Exam Prep

Section 351 Corporate Formations: A CPA REG Decision Map for Basis, Boot, and Gain Recognition

22 min read

Audit and Attestation

Audit Transaction Cycles for CPA AUD: From Journal Entry to Assertion

6 min read

FAR

CPA FAR Bank Reconciliation TBS: Make the Bank Side and Book Side Tie

6 min read