Transformation & Tech · IT Risk & Technology Assurance
Information Systems Audit (IS Audit) & ITGC Review
Every Board resolution, every financial close, every regulatory filing your organisation makes today rests on IT systems that most managements have never had independently examined.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Every Board resolution, every financial close, every regulatory filing your organisation makes today rests on IT systems that most managements have never had independently examined. PNPC Global's Information Systems Audit (IS Audit) and IT General Controls (ITGC) Review tests whether the access management, change management, backup/recovery, and IT operations controls around your core systems are actually working — not just documented in a policy manual. We combine the Chartered Accountant's grounding in financial control objectives with structured IT audit methodology to give the Board, Audit Committee, and statutory auditor independent assurance that the technology layer supporting your financial statements, data, and operations is under control.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
An Information Systems Audit (IS Audit) is an independent examination of an organisation's IT environment — covering the governance, security, and operational controls around the hardware, software, networks, and data that support business processes and financial reporting. IT General Controls (ITGC) Review is the specific, most commonly commissioned subset of an IS Audit that focuses on four control domains recognised globally under frameworks such as COBIT and ISO 27001, and referenced by the Institute of Chartered Accountants of India (ICAI) in its Guidance Note on Audit of Internal Financial Controls: (1) access management — how user accounts are provisioned, modified, and revoked across applications, databases, operating systems, and network devices; (2) change management — how changes to programs, system configuration, and infrastructure are requested, tested, approved, and moved into production; (3) IT operations — how batch jobs, interfaces, backups, and incident/problem management are run and monitored; and (4) physical and environmental security over data centres and server rooms.
In the Indian regulatory context, ITGCs are not an optional technical nicety — they are the foundation on which application-level and financial reporting controls rest. Under Section 134(5)(e) of the Companies Act 2013, the Board of every listed company (and several classes of unlisted companies as prescribed) must state that the company has laid down internal financial controls and that such controls were adequate and operating effectively. The statutory auditor separately reports on the adequacy and operating effectiveness of Internal Financial Controls over Financial Reporting (IFC-FR) under the Companies (Auditor's Report) Order (CARO) and the applicable Standards on Auditing. Because most modern application controls — three-way matching, approval workflows, automated postings, system-calculated depreciation or GST — depend entirely on the integrity of the underlying IT environment, a weakness in ITGCs (for example, an exited employee whose ERP access was never revoked, or an unauthorised direct change made to a production database) can undermine the reliability of every application control that sits on top of it. This is why statutory auditors, internal auditors, and audit committees routinely commission a dedicated ITGC review — either as a discrete assurance exercise or as a structured input into the annual IFC-FR testing cycle.
An IS Audit / ITGC Review is distinct from a cybersecurity audit or VAPT (Vulnerability Assessment and Penetration Testing) engagement, which tests the external attack surface and technical exploitability of systems, and from an ERP/application controls audit, which goes deeper into module-specific configuration, segregation of duties within a single application, and business-process automated controls. ITGC Review sits underneath both — it is the control environment that application controls and, to a large extent, cybersecurity posture depend upon. For companies preparing for statutory audit, IPO, PE/VC due diligence, SOC 1/SOC 2 reporting to customers, or responding to a regulator's or lender's request for IT control assurance, an independent ITGC review conducted by a CA firm with IT audit capability is frequently the single highest-leverage assurance engagement available — because its findings cascade into, and materially de-risk, every other control-reliant audit and certification the organisation undergoes.
PNPC's IS Audit / ITGC methodology is scoped to the specific in-scope systems — which may be a single ERP and its hosting infrastructure, a broader landscape spanning core banking or transaction-processing systems (for BFSI and NBFC clients), or a cloud-native SaaS stack — rather than applied as a generic, one-size-fits-all checklist. Our reports are written for two audiences simultaneously: technically precise enough for the IT team to action, and plain-language enough for a non-technical Audit Committee member to understand the business risk and approve the remediation roadmap.
When an IS Audit / ITGC Review is the right engagement
Your statutory auditor has flagged IFC-FR deficiencies, CARO qualifications, or management letter observations relating to IT access controls, change management, or system-generated report reliability
You are preparing for an IPO, a PE/VC fundraise, or an acquisition, and need independent evidence that IT controls will withstand due diligence and post-transaction governance scrutiny
A customer, lender, or regulator has requested SOC 1/SOC 2-type assurance or an independent ITGC report as a precondition to a contract, credit facility, or licence renewal
The organisation has grown its IT footprint — new applications, cloud migration, outsourced IT operations, or multiple data centres/hosting providers — faster than its access and change control discipline has kept pace
Internal Audit or the Audit Committee wants a dedicated, IT-audit-trained review because general internal audit procedures do not have the specialist skill set to test access logs, change tickets, or system configuration evidence
A recent security incident, unauthorised change, or discovered access anomaly (an exited employee's account still active, an unreviewed privileged access grant) has raised Board-level concern about the broader control environment
Your organisation is a bank, NBFC, insurance company, or other RBI/IRDAI/SEBI-regulated entity subject to specific IT governance and outsourcing circular requirements that mandate periodic independent IS audit
You are a service organisation whose customers rely on your systems for their own financial reporting, and you need to produce a report on your control environment for their auditors
When a different engagement may fit better
You need to know whether your network and applications can be technically breached from outside — a VAPT/penetration testing engagement, not an ITGC review, is the correct scope for exploitability testing
Your primary concern is segregation of duties and automated control configuration within a single ERP module (approval matrices, tolerance limits, three-way match) — a dedicated ERP/application controls audit goes deeper into that specific layer
You are selecting or evaluating a new ERP or core system vendor — that is a systems selection/advisory engagement, distinct from an audit of an existing live environment
A specific fraud or irregularity is already suspected and evidentiary standards matter — a forensic/digital investigation engagement uses different procedures and chain-of-custody discipline than a control-assurance IS Audit
You are a very early-stage or small business with a single cloud accounting application, no dedicated IT team, and no regulatory or investor requirement for IT control assurance — a lighter-touch IT process review may be more proportionate than a full ITGC methodology
You need a one-time pre-go-live sign-off on a new system implementation — an ERP implementation review, timed around cutover and data migration, is the more relevant engagement at that stage
IS Audit / ITGC Review vs other IT and assurance engagements
| Feature | IS Audit / ITGC Review | IFC Testing (Statutory Audit) | VAPT / Cybersecurity Audit | ERP/Application Controls Audit | SOC 1 / SOC 2 Reporting |
|---|---|---|---|---|---|
| Primary objective | Assurance that access, change management, IT operations & physical/environmental controls are designed and operating effectively | Auditor's opinion on whether IFC over financial reporting is adequate and effective | Identify exploitable technical vulnerabilities in network, infrastructure & applications | Assurance on application-layer configuration, segregation of duties & automated controls within a specific system | Independent assurance report on a service organisation's controls for use by customer auditors |
| Governing/reference framework | COBIT, ISO 27001-aligned practice, ICAI Guidance Note on IFC | Section 134(5)(e) Companies Act, CARO, Standards on Auditing | OWASP, ISO 27001, PCI-DSS where applicable | COBIT, application-specific control frameworks | AICPA SSAE 18 / ISAE 3402-aligned criteria (Trust Services Criteria for SOC 2) |
| Who typically commissions it | Audit Committee, Board, CFO, Internal Audit | Statutory auditor, as part of the annual audit | CISO, IT Head, Board | Audit Committee, CFO, Internal Audit | Service organisation management, for its customers' benefit |
| Scope focus | User access lifecycle, change management, IT operations, backup/DR, physical/environmental security across in-scope systems | Controls relevant to material financial statement line items only | Network perimeter, servers, endpoints, application vulnerabilities | Module-level access, SoD, workflow configuration, interfaces, data integrity | Controls mapped to specific Trust Services Criteria (security, availability, confidentiality etc.) |
| Frequency | Periodic — typically annual, or triggered by a control concern or transaction event | Every year, as part of the annual statutory audit cycle | Periodic — typically annual, or after major infrastructure change | Periodic — typically annual or bi-annual | Type 1 (point-in-time) or Type 2 (period-of-time), typically annual |
| Depth of technical testing | Deep on control design and operating effectiveness evidence (logs, tickets, approvals); moderate on technical exploitability | Limited to controls material to financial statements | Deep on technical exploitability of infrastructure and applications | Deep on application configuration and access within the specific system | Deep on evidence of control operation across the reporting period |
| Typical output | Findings report rated by severity with a remediation roadmap, feeding the IFC/CARO process | Management letter points and an IFC opinion within the audit report | Vulnerability report with severity ratings and technical remediation steps | Findings report on application-specific control gaps | Formal SOC 1/SOC 2 report with auditor's opinion, for external distribution |
| Overlap with statutory audit | Frequently commissioned specifically to deepen or support the statutory auditor's IFC-FR work | Is itself part of the statutory audit | Generally independent of the statutory audit scope | Complements ITGC review — application controls rely on sound ITGCs beneath them | Independent formal reporting exercise, often run alongside or after an internal ITGC review |
These engagements are frequently complementary rather than substitutable, and ITGCs are the foundation that most of the others rely on. The right combination and scope for your organisation should be confirmed with a practising CA based on your systems landscape, regulatory profile, and the assurance your Board, lenders, or customers actually require.
| # | Stage & What PNPC Does | What Generic IT Auditors Skip | Timeline |
|---|---|---|---|
| 1 | Scoping & Systems Landscape Mapping | We identify every in-scope application, database, operating system, and network layer relevant to the audit objective — financial reporting systems for an IFC-linked engagement, or the full technology stack for a broader IS Audit — rather than accepting management's initial list at face value. A generic provider without CA-level financial risk understanding often under-scopes systems that feed the general ledger indirectly. | Week 1 |
| 2 | Risk Assessment & Control Objective Mapping | Each in-scope system is mapped to the specific financial or operational risk it creates if access, change, or operations controls fail — rather than running a generic checklist unrelated to your actual environment and risk profile. | Week 1–2 |
| 3 | Audit Charter, Independence Confirmation & Data Access | We formalise scope, confidentiality terms, and the evidence (access logs, change tickets, backup logs, org charts) we will need, and agree read-only or evidence-extract access — never requiring any change to production systems or live credentials. | Week 2 |
| 4 | Access Management Testing | We test the full user access lifecycle — new-joiner provisioning, role/transfer changes, and exit de-provisioning — across applications, databases, operating systems, and network devices, and specifically test whether exited employees' access was actually revoked. This single test area produces findings in the large majority of first-time ITGC reviews we conduct. | Week 2–4 |
| 5 | Privileged Access & Segregation Review | Administrator, superuser, and database-level privileged accounts are inventoried and tested for appropriate restriction, monitoring, and periodic recertification — accounts that, if compromised or misused, bypass application-level controls entirely. | Week 3–5 |
| 6 | Change Management Testing | We sample changes made to programs, system configuration, and infrastructure over the audit period and trace each to a documented request, testing evidence, and appropriate approval before it moved into production — testing whether the documented change process was actually followed, not just whether it exists on paper. | Week 4–6 |
| 7 | IT Operations, Batch & Job Scheduling Review | Scheduled jobs, interfaces, and batch processes critical to financial close and reporting are reviewed for monitoring, failure-alerting, and evidence that failures are followed up and resolved rather than silently rerun. | Week 5–6 |
| 8 | Backup, Recovery & Business Continuity Testing | We review backup schedules, retention, and — critically — evidence of periodic restore testing, since an untested backup is not a control, merely a hope. Disaster recovery and business continuity documentation is reviewed against actual test evidence where available. | Week 6–7 |
| 9 | Physical & Environmental Security Review | Data centre and server room access controls, environmental monitoring (fire suppression, temperature/humidity, power backup), and visitor log discipline are reviewed for on-premise infrastructure; for cloud-hosted environments, we review the relevant cloud provider's SOC/ISO attestations and the organisation's shared-responsibility understanding. | Week 6–7 |
| 10 | Findings Rating & Draft Report | Every finding is rated by severity (Critical/High/Medium/Low), linked to the specific control objective and downstream financial or operational risk, and accompanied by a practical, implementable recommendation. Draft findings are circulated to IT and process owners for factual accuracy validation before finalisation. | Week 7–8 |
| 11 | Management Response & Remediation Roadmap | We require a documented management response — agree, partially agree, or disagree with reasons — plus a named remediation owner and committed timeline for every accepted finding, converting the report into an actionable governance document rather than a static PDF that is filed and forgotten. | Week 8–9 |
| 12 | Audit Committee / Board Presentation | Findings, ratings, and the remediation roadmap are presented directly to the Audit Committee or Board by the engagement CA in plain-language terms a non-technical director can act on — connecting technical IT findings to the financial reporting and governance risk they actually represent. | Week 9 |
| 13 | Follow-Up Validation Cycle | In the subsequent audit cycle (or sooner for Critical findings, where we recommend an interim check), we independently verify that remediation was actually implemented in the live environment — not merely marked closed in a tracker — closing the loop most one-time IT reviews leave open. | Next cycle, or as agreed |
Realistic end-to-end timeline for a first IS Audit / ITGC Review of a mid-sized single-location organisation: 7–9 weeks from kickoff to Board presentation, depending on the number of in-scope systems, locations, and whether infrastructure is on-premise, cloud, or hybrid. Multi-entity organisations, regulated BFSI entities, and organisations with significant outsourced IT operations typically require a longer first cycle; subsequent annual cycles are faster once baseline documentation and evidence templates exist.
List of all in-scope systems — applications, databases, operating systems, and network infrastructure — with version, hosting model (on-premise, private cloud, SaaS), and criticality classification
IT organisation chart showing reporting lines for IT operations, security, and any outsourced/managed service provider arrangements
IT policies and standard operating procedures — access management, change management, backup and DR, incident management, acceptable use
Details of any recent infrastructure migration, cloud transition, or major system upgrade in the last 24 months, with go-live dates and any post-go-live issues log
Prior internal audit, statutory audit management letter, or previous IS Audit/ITGC report, including status of prior findings
Complete current user access listing across all in-scope applications, databases, operating systems, and network devices, with role/privilege level for each user
New-joiner, role-change, and exit (leaver) access request forms and approvals for a sample period covering the full audit cycle
List of all privileged/administrator accounts across in-scope systems, with justification for each and evidence of periodic access recertification
HR exit reports for the audit period, to be cross-checked against IT de-provisioning records for evidence of timely access revocation
Change management log/ticket register for the audit period, covering application, configuration, and infrastructure changes
Sample of change requests with evidence of business justification, testing/UAT sign-off, and appropriate authorisation before deployment to production
Segregation evidence between development, testing, and production environments, and confirmation of who holds access to move changes between them
Emergency/break-glass change procedure documentation and log of any emergency changes made during the audit period
Batch job/scheduler configuration and failure/exception log for critical financial-close-related jobs and interfaces
Backup schedule and retention policy documentation, plus evidence of periodic restore/recovery testing — not merely confirmation that backups run
Business Continuity Plan (BCP) and Disaster Recovery (DR) plan documentation, plus evidence of the most recent DR test or drill
Incident and problem management log for the audit period, including any security incidents, outages, or data integrity issues and their resolution
Data centre/server room access control list and visitor log for the audit period (for on-premise or co-located infrastructure)
Environmental control evidence — fire suppression, power backup/UPS, temperature and humidity monitoring records
Cloud service provider attestations relevant to in-scope hosted systems — SOC 2 report, ISO 27001 certificate, or equivalent — and the organisation's documented understanding of the shared-responsibility model
Contracts and service level agreements with any outsourced IT operations or managed security service provider, including their obligations around access control and incident notification
For banks/NBFCs/insurers: relevant RBI/IRDAI IT governance and outsourcing circular compliance documentation and any prior regulatory IS audit findings
For listed companies: the Board's Section 134(5)(e) IFC certification basis documentation and the statutory auditor's prior-year IFC/CARO observations relating to IT
For companies pursuing SOC 1/SOC 2: the specific Trust Services Criteria or control objectives the report needs to address and the intended report period
Data protection/privacy policy and any data localisation or cross-border data transfer documentation relevant to the Digital Personal Data Protection Act, 2023 framework where applicable to the organisation's data processing activities
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Scoping & Planning | Decision to commission an IS Audit / ITGC review | Systems landscape mapping, risk assessment, control objective mapping, and audit charter agreed before any testing begins — ensuring the scope actually covers systems material to financial reporting or the specific assurance need, not just what management first lists. | Under-scoped audit that misses a system feeding directly into the general ledger or a regulator-mandated control area, producing a false sense of assurance. |
| Fieldwork & Testing | Audit charter agreed, evidence access granted | Access management, privileged access, change management, IT operations, backup/DR, and physical/environmental controls tested against actual evidence — logs, tickets, approvals — not merely policy documents and management representations. | Reliance placed on documented policy that is not actually followed in practice; control weaknesses (unrevoked exit access, untested backups, unauthorised production changes) remain undetected until an incident forces discovery. |
| Findings & Reporting | Fieldwork substantially complete | Every finding rated by severity, linked to financial/operational risk, validated for factual accuracy with process owners, and delivered with a specific, implementable recommendation — not a generic checklist of 'best practices.' | Vague or unprioritised findings that management cannot act on; Critical issues buried among low-value observations and never remediated. |
| Management Response & Remediation | Draft report issued | A documented management response and committed remediation owner/timeline obtained for every accepted finding, converting the report into a governance-actionable roadmap presented to the Audit Committee or Board. | Findings acknowledged verbally but never formally tracked; the same weaknesses recur in the next audit cycle with no accountability trail. |
| Follow-Up & Validation | Next audit cycle, or sooner for Critical findings | Independent verification in the live environment that remediation was actually implemented — not just marked closed in a tracker — with an interim check recommended for Critical-rated findings ahead of the next full cycle. | Remediation marked 'closed' administratively while the underlying control gap remains open, surfacing again as a statutory audit qualification or, worse, an actual incident. |
| Integration with Statutory Audit / IFC-FR | Annual statutory audit cycle | ITGC review findings and evidence are structured to directly support the statutory auditor's IFC-FR testing under CARO and Section 134(5)(e), reducing duplication of effort and strengthening the Board's IFC certification basis. | Statutory auditor independently identifies the same ITGC gaps during year-end audit, resulting in management letter points, potential CARO qualification, and audit fee escalation for additional testing. |
| Regulatory / Customer Reporting Cycle | RBI/IRDAI IT governance requirement, or customer request for SOC 1/SOC 2 | ITGC review evidence and findings feed directly into regulatory IS audit submissions or a formal SOC 1/SOC 2 reporting engagement, avoiding duplicate evidence-gathering exercises across multiple assurance requirements. | Separate, uncoordinated evidence requests from regulators, customers, and auditors create audit fatigue for the IT team and inconsistent representations across reports. |
| System Change / Migration Event | New ERP, cloud migration, or infrastructure change | A scoped interim ITGC review or readiness assessment is recommended before the change goes live, and access/change control baselines are re-established immediately post-go-live rather than waiting for the next annual cycle. | New system inherits none of the prior environment's control discipline; access grants and change practices drift uncontrolled for a full year before the next audit catches it. |
What exactly is an Information Systems Audit (IS Audit)?
An IS Audit is an independent examination of the governance, security, and operational controls around an organisation's IT environment — the applications, databases, operating systems, networks, and data centres that support business processes and financial reporting. It assesses whether the organisation's IT controls are properly designed and are actually operating as intended, rather than merely documented in a policy.
What are IT General Controls (ITGCs), specifically?
ITGCs are the foundational controls over the IT environment that all application-level and automated financial controls depend on. They fall into four domains: access management (how user access is granted, changed, and revoked), change management (how changes to programs and configuration are tested and approved before going live), IT operations (batch jobs, interfaces, backups, incident management), and physical/environmental security (data centre and server room controls).
Why do ITGCs matter for financial reporting specifically?
Under Section 134(5)(e) of the Companies Act 2013, the Board must certify that internal financial controls are adequate and operating effectively. Most modern financial controls — automated postings, system-calculated tax, approval-workflow-enforced payment authorisation — depend entirely on the IT environment underneath them. A weak ITGC (an exited employee's access left active, an unauthorised production change) can silently undermine every application control built on top of it, which is why statutory auditors test ITGCs as part of Internal Financial Controls over Financial Reporting (IFC-FR) assessment.
Is an IS Audit / ITGC review mandatory for all companies?
There is no single blanket statutory mandate requiring every company to commission a standalone IS Audit. However, the underlying obligation — adequate and effective internal financial controls — is mandatory for listed companies and prescribed classes of unlisted companies under Section 134(5)(e), and the statutory auditor is required to test and report on IFC-FR under CARO for applicable companies. In practice, most such companies find that a dedicated ITGC review is the most reliable way to demonstrate and evidence that obligation. Regulated entities — banks, NBFCs, insurers — face additional sector-specific IT governance and outsourcing circular requirements from RBI or IRDAI that may mandate periodic independent IS audit.
How is an ITGC Review different from a cybersecurity audit or VAPT?
A VAPT (Vulnerability Assessment and Penetration Testing) engagement tests whether your network and applications can be technically exploited from outside or inside the perimeter — it is an attack-simulation exercise. An ITGC review tests whether your governance controls around access, change, and operations are properly designed and consistently followed — it is a control-assurance exercise, closer in nature to a financial controls audit than to ethical hacking. The two are complementary: a VAPT can find a technical vulnerability, while an ITGC review finds the governance gap (weak access recertification, unmonitored privileged accounts) that made the vulnerability exploitable or the breach undetected for longer.
How is this different from an ERP or application controls audit?
An ERP/application controls audit goes deep into a single application's configuration — segregation of duties within specific modules, approval workflow settings, tolerance limits, three-way matching. An ITGC review sits at a broader, foundational layer — access and change management across all in-scope systems (which may include the ERP, but also databases, operating systems, and network infrastructure), IT operations, and physical security. ITGCs are, in effect, the control environment that application-level controls rely on for their own integrity.
What is the typical timeline for a first IS Audit / ITGC Review?
For a mid-sized single-location organisation with a defined systems landscape, a realistic timeline from kickoff to Board presentation is 7–9 weeks, covering scoping, testing across all four ITGC domains, findings validation, and reporting. Multi-entity organisations, regulated BFSI entities, and organisations with significant outsourced IT operations typically require a longer first cycle because of the additional evidence-gathering and coordination involved.
What does an IS Audit / ITGC review actually cost?
Fees depend on the number of in-scope systems, locations, whether infrastructure is on-premise, cloud, or hybrid, and whether the engagement is a standalone review or coordinated with statutory audit IFC testing. PNPC agrees a fixed, written scope and fee before any fieldwork begins — there are no open-ended time-and-material surprises. We are transparent that a properly resourced ITGC review, conducted by CAs with IT audit training rather than a generic checklist provider, costs more than a template-driven review — and consistently delivers findings that a template approach misses.
Who typically commissions an IS Audit / ITGC Review — the Board, Audit Committee, or CFO?
It can be commissioned by any of the three, and often is a joint decision. Audit Committees commission it as part of their governance oversight responsibility. CFOs commission it to support the IFC-FR certification and to pre-empt statutory audit management letter points. Internal Audit functions commission it because most internal audit teams lack the specialist skills to test access logs, change tickets, and system configuration evidence to the depth required.
What happens if the review finds a Critical-rated finding — what does that actually mean?
A Critical rating means the control gap creates a material and immediate risk — for example, several exited employees with active privileged access to the financial system, or evidence of unauthorised changes made directly to production without any approval trail. Critical findings are escalated to the Audit Committee or Board immediately upon identification during fieldwork, rather than held back for the final report, and PNPC recommends an interim validation check (rather than waiting for the next full annual cycle) to confirm remediation before it becomes a statutory audit issue.
Our IT is entirely outsourced to a managed service provider. Does that change the scope?
It changes the evidence sources but not the underlying control objectives — the organisation remains accountable for the effectiveness of controls even when IT operations are outsourced. We review the managed service provider's contractual obligations around access control, change management, and incident notification, request relevant third-party attestations (SOC 2 report, ISO 27001 certificate) where available, and test the organisation's own oversight controls over the outsourced arrangement — because 'we outsourced it' is not itself a control.
We are entirely cloud-hosted (SaaS applications, cloud infrastructure). Is an ITGC review still relevant?
Yes — cloud hosting shifts some control responsibilities to the cloud provider under a shared-responsibility model, but the organisation retains responsibility for access management within the applications, user provisioning and de-provisioning, configuration of security settings, and oversight of the cloud provider's own control attestations. We review the cloud provider's SOC 2 report or ISO 27001 certificate as evidence of infrastructure-level controls, and focus our direct testing on the layers the organisation itself controls — user access, application configuration, and data governance.
Does PNPC test the operating effectiveness of controls, or just whether policies exist on paper?
Operating effectiveness — meaning we test actual evidence (access logs, change tickets, approval records, backup restore logs) over the audit period, not just whether a policy document exists. A documented access management policy that is not actually followed provides no real assurance, and testing only the existence of policy would give a false sense of comfort to the Board.
How does the ITGC review interact with our statutory auditor's work?
A well-scoped ITGC review can directly support and reduce duplication in the statutory auditor's IFC-FR testing — evidence gathered and findings validated in the ITGC review can be shared with (or independently relied upon by) the statutory auditor, subject to their own professional judgement on the extent of reliance permitted under the Standards on Auditing. This typically results in a smoother year-end audit with fewer surprises and can reduce incremental statutory audit fees for IT-control testing.
What is the difference between an ITGC review and SOC 1 / SOC 2 reporting?
SOC 1 and SOC 2 are formal, structured assurance reports (aligned to AICPA SSAE 18 / ISAE 3402-type standards) that a service organisation commissions specifically to give its own customers' auditors independent assurance over its controls — SOC 1 focused on controls relevant to customers' financial reporting, SOC 2 focused on the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). An internal ITGC review, by contrast, is commissioned for the organisation's own Board and Audit Committee. Many organisations use an internal ITGC review as preparation before pursuing a formal SOC 1/SOC 2 engagement, since the underlying control domains substantially overlap.
What does PNPC actually test for access management — walk through a real example?
We obtain the full current user access listing for each in-scope system, cross-reference it against HR's exit report for the audit period, and identify any exited employee whose system access was not revoked (or not revoked within a reasonable timeframe). We also sample new-joiner and role-change requests to confirm access was granted only after proper approval, and review whether privileged/administrator accounts are subject to periodic recertification. This is consistently one of the highest-finding-rate test areas in first-time reviews.
What does change management testing actually look like in practice?
We pull the change log or ticketing system record for the audit period, select a sample of changes (weighted towards higher-risk changes — configuration changes affecting financial postings, tax calculation logic, or access controls themselves), and trace each sampled change to a documented business justification, evidence of testing or UAT sign-off, and appropriate authorisation before it was deployed to the production environment. We also test whether development, testing, and production environments are properly segregated, and who holds the ability to move changes between them.
Do you test whether our backups actually work, or just that backups are scheduled?
We specifically look for evidence of periodic restore or recovery testing — an untested backup provides no real assurance of recoverability and is, in practical terms, not yet a proven control. We review the backup schedule and retention policy, and separately request evidence (a restore test log, a DR drill report) confirming that a backup was actually restored successfully within the audit period.
What frameworks or standards does PNPC's methodology follow?
Our methodology draws on COBIT (Control Objectives for Information and Related Technologies) for the control domain structure, ISO 27001-aligned practice for information security control benchmarks, and the ICAI Guidance Note on Audit of Internal Financial Controls for the linkage to Section 134(5)(e) and CARO reporting requirements. For regulated BFSI clients, we additionally incorporate the relevant RBI or IRDAI IT governance and outsourcing circular requirements into scope.
How does PNPC rate findings, and what do the severity levels mean?
Findings are rated Critical, High, Medium, or Low based on the combination of the likelihood of the control failing and the potential financial or operational impact if it does. Critical findings represent immediate, material exposure (active access for terminated employees with financial system privileges, unauthorised production changes with no approval trail) and are escalated to management as soon as identified during fieldwork, not held for the final report. High and Medium findings are documented with clear remediation recommendations and realistic timelines; Low findings are typically process-hygiene observations that strengthen the control environment without representing immediate risk.
Can this review help with our SEBI-listed company's IFC-FR certification specifically?
Yes — this is one of the most common reasons listed companies commission a dedicated ITGC review. The findings and remediated evidence directly support the Board's basis for its Section 134(5)(e) internal financial controls certification, and give the CFO and Audit Committee documented assurance ahead of the statutory auditor's own IFC-FR testing, reducing the risk of a late-discovered gap becoming a CARO qualification or audit management letter point at year-end.
Our NBFC/bank has an internal audit function already. Why do we need a separate IS Audit?
Most internal audit teams, even well-resourced ones, are staffed primarily with finance and operations audit skills rather than IT audit specialists trained to independently test access logs, change tickets, database configuration, and system-level evidence. RBI's IT governance and outsourcing frameworks for regulated entities typically expect a level of specialist IT audit rigour that general internal audit resourcing does not always provide. A dedicated IS Audit/ITGC review, whether performed by PNPC directly or used to strengthen and train the internal audit function's approach, closes that specialist gap.
What is the difference between IT General Controls and IT Application Controls?
IT General Controls (ITGCs) are pervasive controls that apply across an entire IT environment — access management, change management, IT operations, physical security — and support the reliability of every system running within that environment. IT Application Controls are specific, automated controls built into a particular application — a mandatory three-way match before payment, a system-enforced approval limit, a validation rule preventing negative inventory. Application controls can only be relied upon if the ITGC environment beneath them is sound; a weak ITGC environment (someone with unauthorised database access) can bypass even a well-designed application control.
Does the review cover data privacy and the Digital Personal Data Protection Act, 2023?
Access management and change management controls tested as part of an ITGC review directly support data protection objectives — since unauthorised access is the most common root cause of a personal data breach — but a full DPDP Act compliance assessment (consent management, data processing agreements, breach notification readiness, data localisation) is a distinct and broader engagement. Where relevant to the organisation's data processing footprint, we flag DPDP-related control gaps we observe during the ITGC review and recommend a dedicated compliance assessment where warranted.
How often should we repeat an IS Audit / ITGC Review?
Annual is the typical cadence for organisations with an ongoing IFC-FR certification obligation, regulatory IT governance requirement, or customer SOC reporting need — aligning with the statutory audit and Board certification cycle. Organisations without a recurring formal obligation often commission it every 18–24 months, or trigger an interim review after a major system change, security incident, or before a significant transaction (fundraise, acquisition) where IT control assurance will be scrutinised.
Can a smaller company with a lean IT team still commission this review, or is it only for large enterprises?
Yes, though the scope and depth should be proportionate. A smaller company with a single ERP, limited applications, and a lean team can still commission a scoped ITGC review — often focused primarily on access management and change management, the two domains that carry the highest risk-to-effort ratio — without the full multi-system, multi-location scope a large enterprise would require. PNPC scopes the engagement to the organisation's actual risk profile and size rather than applying a one-size-fits-all enterprise checklist.
What deliverables do we actually receive at the end of the engagement?
A detailed findings report with each finding rated by severity, mapped to the relevant control domain and risk, accompanied by a specific recommendation; a management response and remediation roadmap document with named owners and timelines; and an executive summary presentation delivered directly to the Audit Committee or Board in plain-language terms. For engagements linked to statutory audit or regulatory submission, we also prepare a summary memo cross-referencing findings to the relevant CARO/IFC-FR or regulatory reporting requirement.
What if management disagrees with a finding — how is that handled?
Every finding is shared in draft with the relevant process owner for factual accuracy review before the report is finalised — if management believes a finding is factually incorrect (for example, evidence exists that we did not receive during fieldwork), we review the additional evidence and revise the finding if warranted. Where management disagrees with our assessment of risk or the recommended remediation despite the facts being accurate, that disagreement — and management's stated rationale — is documented transparently in the final report rather than silently omitted.
Does PNPC only review the environment, or does it help fix the gaps too?
The IS Audit / ITGC review itself is an independent assurance engagement — consistent with maintaining independence, PNPC does not implement the remediation for gaps we have audited, since doing so would create a self-review conflict for any subsequent assurance cycle. We do provide practical, specific, implementable recommendations for each finding, and can advise on remediation approach and best practice, but implementation is carried out by the organisation's own IT team or a separate implementation partner.
We use multiple ERPs and legacy systems across different business units. Can PNPC handle a multi-system scope?
Yes. We scope multi-system, multi-entity landscapes explicitly at the outset — identifying which systems are material to financial reporting or the specific regulatory/customer assurance requirement, and prioritising testing depth accordingly rather than spreading effort thinly and evenly across every system regardless of materiality. Legacy systems with limited vendor support often carry elevated ITGC risk (unpatched vulnerabilities, informal change processes) and are specifically flagged for closer review.
Does PNPC's Dubai office offer this service for UAE-based entities as well?
Yes. For clients with operations or group entities in both India and the UAE, PNPC coordinates IS Audit / ITGC engagements across both jurisdictions from our Chennai/Bangalore/Hyderabad and Dubai offices under a single engagement team — relevant where a UAE entity's systems feed into an Indian parent's consolidated financial reporting, or where UAE Corporate Tax and VAT compliance depend on system-generated data whose integrity needs independent assurance.
Why should we engage PNPC rather than a generic IT audit or cybersecurity firm?
A generic IT/cybersecurity firm brings technical infrastructure expertise but often lacks the Chartered Accountant's grounding in financial reporting risk, IFC-FR, CARO, and Companies Act governance requirements — meaning their findings, however technically sound, may not translate cleanly into what the Board and statutory auditor actually need. PNPC combines practising CA judgement on financial control objectives with structured IT audit methodology, so findings are framed in terms the Audit Committee can act on and that map directly to statutory and regulatory reporting obligations.
How much CA and IT staff involvement is required from our side during the engagement?
We minimise disruption by requesting evidence in structured batches rather than ad-hoc, and scheduling interviews with IT and process owners in defined windows rather than open-ended access. For a mid-sized single-location engagement, realistic internal effort is typically a designated IT coordinator's part-time involvement across the fieldwork period, plus brief interview time from a handful of process owners (access administrator, change manager, backup/DR owner).
| Feature | Generic IT/Cybersecurity Firm | Big-4 / Large Firm ITGC Practice | PNPC Global |
|---|---|---|---|
| Financial reporting linkage (IFC-FR, CARO, Sec 134(5)(e)) | Often absent — technical findings not mapped to statutory obligations | Present, but delivered through large, less accessible teams | Deep CA-level linkage — findings explicitly connected to IFC-FR, CARO and Board certification needs |
| Scoping approach | Often a generic technical checklist applied regardless of context | Structured, but standardised across large-firm methodology with less flexibility | Scoped specifically to your systems landscape, financial materiality, and regulatory profile |
| Reporting for non-technical Board members | Highly technical language, difficult for Audit Committee to action | Generally strong, but with less direct engagement CA access | Plain-language executive summary plus full technical report — presented directly by the engagement CA |
| Critical finding escalation | Often held for the final report | Generally escalated, but through account management layers | Escalated to management the same week a Critical issue is identified during fieldwork |
| India-UAE coordination | Rare — most firms are single-jurisdiction | Available, but through separate regional teams with handoff friction | Single engagement team across Chennai/Bangalore/Hyderabad and Dubai offices |
| Pricing structure | Variable — sometimes open-ended time-and-material | Premium pricing reflecting large-firm overhead | Fixed, written scope and fee agreed before fieldwork begins |
| Follow-up validation | Rarely offered as standard | Available as a separate paid engagement | Built into the engagement approach — remediation verified in the live environment, not just tracker status |
| Direct access to the reviewing professional | Often routed through account managers or junior staff | Senior partner access limited by large-client portfolio | Direct access to your engagement CA by phone and WhatsApp throughout and after the engagement |
What the PNPC package includes
- 01
Systems landscape mapping and risk-based scoping — tailored to your actual environment, not a generic checklist
- 02
Access management lifecycle testing — provisioning, role changes, and exit de-provisioning across all in-scope systems
- 03
Privileged/administrator access review and recertification testing
- 04
Change management testing — sampled changes traced to documented approval, testing evidence, and authorised deployment
- 05
IT operations review — batch jobs, interfaces, and exception/failure monitoring for financial-close-critical processes
- 06
Backup, recovery, and business continuity testing — including evidence of actual restore/DR test results, not just scheduling
- 07
Physical and environmental security review for on-premise infrastructure, or cloud provider attestation review for hosted environments
- 08
Severity-rated findings report (Critical/High/Medium/Low) with specific, implementable recommendations for each
- 09
Management response tracking and remediation roadmap with named owners and committed timelines
- 10
Direct Audit Committee / Board presentation by the engagement CA, in plain-language governance terms
- 11
Follow-up validation cycle confirming remediation was actually implemented in the live environment
- 12
Coordination with your statutory auditor's IFC-FR testing to reduce duplication and strengthen the Board's certification basis
Speak directly with a PNPC Chartered Accountant who understands both IT audit methodology and the financial reporting obligations your Board actually needs to satisfy — not a generic checklist provider, and not a large-firm account manager. A practising CA who will present findings your Audit Committee can act on, and who will still be reviewing your systems next cycle to confirm the fixes actually held.