Pre-Session Reading
Varma & Varma Chartered Accountants — Technical Training Cell

IT General Controls
Pre-Session Reading Package

Technology Assurance · Statutory Audit Context · Orientation Level

ITGC Orientation — Technology Assurance
Audience: Articled Assistants (Post-IFC Session)
Duration: ~25 minutes
Prerequisites: IFC Session completed · SA 315 familiarity
1 — The Gap ITGC Fills

Where the IFC Session Left Off

In the IFC session, you learned to assess whether controls over financial reporting processes are adequately designed and operating effectively. You examined approvals, reconciliations, and segregation of duties.

You also encountered the NovaTech case — where a batch processing failure, an audit trail gap in the TMS system, and access control weaknesses were flagged as IT-related risks. Those observations were symptoms of weak ITGC. This session names and explains what was happening underneath.

Consider this scenario:

Scenario. A manufacturing company has a perfectly designed three-way match control in its ERP. Purchase order, goods receipt, and invoice must all match before a payment is released. On paper, this is a strong preventive control.

But the IT team can log into the ERP using a shared administrator password, override the three-way match, and process any payment they want. There is no log of who did what.

The IFC control exists. The IFC control is meaningless.

This is the gap ITGC fills. ITGC does not control what the system does. It controls whether the system can be trusted to do what it is supposed to do.

The Dependency Chain

The relationship between ITGC and the financial statements runs through a chain. Every link must hold:

ITGC → Application Controls → Financial Data → Financial Statements

Break the first link — weak ITGC — and the rest of the chain is unreliable, regardless of how well-designed the process controls are. This is why SA 330 requires ITGC to be tested before the auditor can rely on automated controls.

Carry this into the session. When a client says "our controls are automated — the system handles everything," the correct auditor response is not comfort but curiosity. An automated control is only as reliable as the IT environment around it.
✦ Comprehension Check — Section 1
Reflect on the section above before reading on. Attempt each question yourself, then compare your answer with the suggested answer.
1.1

A colleague says: "We tested the three-way match control in the client's ERP and it's well-designed. We can rely on it for trade payables." What question should you ask before agreeing?

Suggested Answer: Have the ITGC supporting the ERP been tested? A well-designed application control can be bypassed or rendered unreliable if the IT environment around it is not controlled — for example, if privileged users can override the control, or if the system was modified without proper change controls. SA 330 requires ITGC testing before reliance on automated controls can be placed.
1.2

In the dependency chain — ITGC → Application Controls → Financial Data → Financial Statements — what happens to the reliability of the financial statements if ITGC is found to be weak, even if the application controls appear well-designed?

Suggested Answer: The financial statements cannot be considered reliable on the basis of those automated controls. Weak ITGC means the auditor cannot rely on the application controls sitting above them in the chain, because those controls may have been bypassed, overridden, or corrupted without detection. The auditor must increase substantive testing to compensate.
1.3

What is the distinction between IFC (as covered in the previous session) and ITGC? Are they the same thing?

Suggested Answer: They are not the same. IFC covers controls over financial reporting processes — approvals, reconciliations, SoD at the process level. ITGC covers controls over the IT environment that those processes run on — access to systems, change management, system operations. IFC assumes the IT environment is reliable. ITGC is what validates that assumption.
2 — Legal & Standards Basis

Read this section once to understand why ITGC is not optional in Indian statutory audit. You do not need to memorise these — understanding the logic of each requirement is sufficient.

Companies Act, 2013

Section 143(3)(i)
The auditor must report whether the company has adequate internal financial controls and whether such controls are operating effectively. When financial processes run on IT systems, ITGC is part of this assessment — because the reliability of IT-dependent controls cannot be assumed.
Section 134(5)(e)
Directors must state in the Board's Report that internal financial controls are adequate and operating effectively. The auditor independently verifies this assertion. IT control weaknesses directly affect whether the auditor can support or contradict the Board's statement.

Standards on Auditing — ICAI

SA 315
Identifying and Assessing Risks of Material Misstatement. Requires the auditor to obtain an understanding of the entity's IT environment, including general IT controls. Para 18–22 are directly relevant. This requirement is not discretionary.
SA 330
Auditor's Responses to Assessed Risks. If the auditor plans to rely on an automated control, the ITGC supporting that control must be tested first. No ITGC testing = no reliance on automated controls = increased substantive procedures. This is the direct link between ITGC and audit strategy.
SA 402
Audit Considerations Relating to an Entity Using a Service Organisation. When the client's IT is managed by a third party — a cloud ERP vendor, an outsourced payroll processor, a hosted banking platform — the auditor must still understand what controls operate at that vendor. Audit responsibility does not transfer to the vendor.
SA 265
Communicating Deficiencies in Internal Control. ITGC deficiencies are classified and communicated like other control deficiencies — as significant deficiencies or material weaknesses. The same framework from the IFC session applies here.

ICAI Guidance & International Frameworks

ICAI Guidance Note (2015)
The Guidance Note on Audit of Internal Financial Controls over Financial Reporting explicitly addresses ITGC as a prerequisite for relying on automated application controls. This is the framework Indian firms use for IFC reporting.
COBIT 2019
The dominant global framework for IT governance and management, published by ISACA. Defines the control objectives that ITGC audits are mapped to. Firms use COBIT domains to classify ITGC findings.
COSO 2013
The internal control framework underpinning both IFC and ITGC assessment. ICAI's guidance note is aligned to COSO. The IT environment falls primarily under the Control Environment, Control Activities, and Monitoring components — the same five components from the IFC session.
One-sentence summary of the framework stack. The Companies Act mandates the outcome (reliable ICFR). The SAs tell the auditor how to assess IT-related risks. COBIT and COSO provide the taxonomy of what to look for.

The Standards Chain

SA 315 → Understand the IT environment. Mandatory for all audits where IT systems are used in financial reporting.
SA 330 → Relying on automated controls? Test ITGC first.
SA 402 → IT outsourced to a vendor? Extend procedures to the service organisation.
Section 143(3)(i) → Report on the adequacy and operating effectiveness of ICFR.
✦ Comprehension Check — Section 2
Reflect on the section above before reading on.
2.1

What is the auditor's obligation under SA 315 with respect to the IT environment? Is this optional?

Suggested Answer: SA 315 requires the auditor to obtain an understanding of the entity's IT environment, including general IT controls. This is not optional — it applies wherever IT systems are used in financial reporting. Understanding the IT environment is a prerequisite for the auditor's risk assessment.
2.2

A client's entire payroll system is hosted and managed by a third-party vendor on their own servers. The client's own IT team has no access to the underlying infrastructure. Does the statutory auditor have any obligation with respect to that vendor's systems? Which standard applies?

Suggested Answer: Yes. SA 402 applies. When a service organisation performs processes or maintains records that are relevant to the client's financial reporting, the auditor must understand what controls operate at that service organisation. The fact that the client does not manage the system does not transfer audit responsibility to the vendor. The auditor must obtain assurance, either through a Type 2 report on the service organisation's controls (such as a SOC 1 report) covering the audit period, or through direct procedures at the vendor.
2.3

Under Section 143(3)(i) of the Companies Act, 2013, what must the auditor report? How does ITGC connect to this reporting requirement?

Suggested Answer: The auditor must report whether the company has adequate internal financial controls over financial reporting and whether those controls are operating effectively. ITGC connects to this because when financial processes are IT-dependent, the reliability of the controls over those processes depends on the IT environment being controlled. An ITGC gap can directly impair the auditor's ability to conclude that ICFR is adequate and effective.
3 — The Four ITGC Domains

ITGC covers four areas. Read this section to understand what question each domain answers and why it matters for audit. The session will work through all four in depth.

The Factory Floor Mental Model

Think of an IT system as a factory floor. The business events are the raw material. The financial reports are the finished product. ITGC controls the factory floor itself — the machines, the workers, who has keys to which room, and whether the night shift ran correctly — not the raw material and not the product.

Domain 1: Access to Programs and Data
  Question it answers: Who can get into the system, and what can they do once inside?
  What goes wrong without it: Unauthorized transactions; fraud; the same person creates and approves payments; ex-employees retain access after leaving.
Domain 2: Program Development
  Question it answers: When new systems or features are built, is the process controlled?
  What goes wrong without it: Untested systems go live with coding errors in financial logic; unauthorized functionality deployed without review.
Domain 3: Program Changes
  Question it answers: When existing systems are modified, are changes authorized and tested before going live?
  What goes wrong without it: Depreciation formula changed mid-year without authorization; no rollback if an error is introduced.
Domain 4: Computer Operations
  Question it answers: Are systems running correctly? Are failures detected? Is data protected?
  What goes wrong without it: Silent batch failures; the overnight NPA reclassification does not run; backups exist but have never been tested for recovery.
One thing to notice. Everything you will ever test in an ITGC audit fits into one of these four buckets. When you encounter an IT-related control gap on any engagement, your first question should always be: which domain does this belong to?

ITGC vs. Application Controls — The Distinction

What it governs
  ITGC: The IT environment (access, changes, operations)
  Application Controls: Specific processing logic within an application
Example
  ITGC: Only IT admins can create new user accounts in the ERP
  Application Controls: The system automatically blocks duplicate vendor invoices
Typical owner
  ITGC: IT department
  Application Controls: Business / process owner
Testing sequence
  ITGC: Tested first
  Application Controls: Tested only after ITGC adequacy is established
✦ Comprehension Check — Section 3
Reflect on the section above before reading on.
3.1

A developer at an IT company has direct read and write access to the production database, allowing them to modify transaction records. Which ITGC domain does this gap belong to, and why?

Suggested Answer: Access to Programs and Data. This gap concerns who has access to a system and what they can do once inside. The developer's ability to modify production transaction records directly represents unauthorized or excessive access — the defining risk of this domain. It also raises a segregation of duties concern: the same person who may write code can also alter the data that code processes.
3.2

An NBFC's loan management system runs an overnight batch job that reclassifies loans based on days-past-due. No one monitors whether this job completes successfully each night. Which domain does this gap belong to? What is the financial statement risk?

Suggested Answer: Computer Operations — specifically, the absence of batch job monitoring. If the job fails silently, NPA classification is not updated, which means provisioning amounts on the Balance Sheet may be understated. For an NBFC, this is particularly significant because provisioning is governed by RBI prudential norms, not just internal policy.
3.3

What is the difference between an Application Control and an ITGC? Give one example of each from a payroll context.

Suggested Answer: An Application Control governs specific processing within an application — for example, the payroll system automatically caps overtime hours at 50 per week and rejects entries above that threshold. An ITGC governs the environment the application runs in — for example, only the HR Manager and payroll administrator have access to modify employee salary records in the system. The application control enforces a business rule. The ITGC controls who can access and change the system that enforces that business rule.
3.4

A software change was made to a manufacturing company's ERP depreciation module. The change was coded and deployed to the live system by the same developer, without any test records or authorization sign-off. Which domain does this belong to? What is the specific risk?

Suggested Answer: Program Changes. The risk is that an unauthorized or untested modification was made directly to the live system. The depreciation calculation for the current year — and potentially prior periods — may be incorrect. Because the same developer both coded and deployed the change, there was no independent review to catch errors or unauthorized modifications. There is also no documented rollback capability if the error is discovered later.
4 — Infrastructure Layers

Understanding the four ITGC domains tells you what to assess. Understanding infrastructure layers tells you where to look — and why a control at one level does not protect against a bypass at a lower level.

The Layered Architecture of an IT System

Every application that processes financial data sits on top of several technology layers. Each layer is distinct, has its own access controls and configuration, and must be considered when scoping an ITGC engagement.

L1
Application Layer The software itself — the ERP, the payroll system, the loan management platform, the Excel consolidation model. This is the layer most visible to users. Application controls (input validations, system-enforced SoD, automated calculations) operate here. Most IFC and business process testing focuses on this layer.

Examples: SAP, Oracle EBS, Tally Prime, an in-house HRMS, a custom billing system.
L2
Database Layer The database management system that stores all the data the application uses and produces. This layer is particularly sensitive — a person with direct database access can read, modify, or delete records without going through the application's controls and without triggering any application-level audit trail.

Examples: Oracle Database, Microsoft SQL Server, MySQL, PostgreSQL.

Why it matters for ITGC: If a developer can run SQL queries directly against the production database, they can alter transaction records, user balances, or journal entries in ways the application will never detect. Access to Programs and Data must be assessed at the database layer, not just the application.
L3
Operating System Layer The OS on which the application and database run. Access to the OS gives a person the ability to start, stop, or restart applications, access file systems, read unencrypted data files, and in some cases modify application configuration files directly — bypassing application-level access controls entirely.

Examples: Windows Server, Red Hat Linux, Ubuntu Server.

Why it matters for ITGC: OS-level admin access is one of the most powerful forms of privileged access. Users who should not have application access may effectively have it if they can reach the OS and manipulate application files or configurations.
L4
Network Layer The infrastructure that connects systems to each other and to the internet. Network controls determine who can communicate with which systems, whether data is encrypted in transit, and how the environment is segmented to prevent unauthorized lateral movement between systems.

Examples: firewalls, VPNs, network segmentation policies, intrusion detection systems.

Why it matters for ITGC: A production database that is accessible from any device on the corporate network — without restriction — presents access risk even if the application requires a password. Network controls define the perimeter of what is reachable.
L5
Physical Layer The physical hardware — servers, storage, networking equipment — and the data centre or server room in which they reside. Physical access controls govern who can enter the server room, handle hardware, or remove storage media.

Examples: locked server rooms, access badge systems, CCTV, hardware encryption.

Why it matters for ITGC: Physical access is the most fundamental layer. If an unauthorized person can physically reach a server, OS-level and application-level controls can be circumvented entirely (for example, by booting from removable media or removing an unencrypted disk). For cloud-hosted systems, physical security is the vendor's responsibility, which is another reason SA 402 matters.

The Critical Principle: Controls Must Hold at Every Layer

A control at a higher layer does not protect against a bypass at a lower layer.

Example: A manufacturing company has a strong application-level control requiring dual authorization for any journal entry above ₹10 lakh. But the database administrator has direct write access to the journal entry table in the database. The application control is bypassed entirely — any entry can be posted directly at the database level, without dual authorization, without appearing in the application's audit log.

This is why the scoping question "what infrastructure supports this application?" is not academic. If you scope only the application layer, you will miss the layers below it — and those layers may contain significant access gaps.
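To make the bypass concrete, the following Python script is an added illustration written for this reading package; it is not code from the page or from any client ERP. It builds a miniature journal in an in-memory SQLite database. The table names, the post_entry() application path and the db_audit trigger are assumptions for the illustration. The application path enforces dual authorization above ₹10 lakh and writes its own audit trail; the direct-SQL path does neither, and the application's trail never records it. A database-level trigger records every insert regardless of path, which is the compensating control to ask about whenever a DBA holds write access to financial tables.

```python
"""Layer bypass: application-level dual authorization versus direct database writes.

Added illustration for this reading package; not code from the page or from any ERP.
Assumed: a JOURNAL table, an APP_AUDIT table written only by the application path,
a DB_AUDIT table filled by a database trigger, and a threshold of Rs 10 lakh.
"""
import sqlite3

THRESHOLD = 1_000_000  # Rs 10 lakh, the dual-authorization limit from the example

SCHEMA = """
CREATE TABLE journal (
    id INTEGER PRIMARY KEY,
    amount INTEGER NOT NULL,
    preparer TEXT NOT NULL,
    approver TEXT
);
CREATE TABLE app_audit (journal_id INTEGER, actor TEXT, note TEXT);
CREATE TABLE db_audit (journal_id INTEGER, amount INTEGER, preparer TEXT, approver TEXT);
"""

DB_TRIGGER = """
CREATE TRIGGER journal_insert_audit AFTER INSERT ON journal
BEGIN
    INSERT INTO db_audit VALUES (NEW.id, NEW.amount, NEW.preparer, NEW.approver);
END;
"""


def open_db(db_level_audit: bool) -> sqlite3.Connection:
    """Create the toy schema; optionally add the database-level audit trigger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if db_level_audit:
        conn.executescript(DB_TRIGGER)
    return conn


def post_entry(conn, amount, preparer, approver=None):
    """Application path: enforces dual authorization and writes the application audit trail."""
    if amount > THRESHOLD and (approver is None or approver == preparer):
        raise PermissionError("entries above the threshold need an independent approver")
    cur = conn.execute(
        "INSERT INTO journal (amount, preparer, approver) VALUES (?, ?, ?)",
        (amount, preparer, approver),
    )
    conn.execute(
        "INSERT INTO app_audit VALUES (?, ?, ?)",
        (cur.lastrowid, preparer, "posted through application"),
    )
    return cur.lastrowid


def dba_direct_insert(conn, amount, preparer):
    """Database path: a DBA with write access on JOURNAL never calls post_entry()."""
    cur = conn.execute(
        "INSERT INTO journal (amount, preparer, approver) VALUES (?, ?, NULL)",
        (amount, preparer),
    )
    return cur.lastrowid


def entries_missing_from_app_audit(conn):
    """Re-performance an auditor can run: journal rows with no application audit record."""
    return conn.execute(
        """SELECT j.id, j.amount FROM journal j
           LEFT JOIN app_audit a ON a.journal_id = j.id
           WHERE a.journal_id IS NULL"""
    ).fetchall()


def demo(db_level_audit=False):
    """Post two legitimate entries, one rejected entry and one DBA bypass; summarise."""
    conn = open_db(db_level_audit)
    post_entry(conn, 500_000, "clerk1")                           # below threshold
    post_entry(conn, 2_500_000, "clerk1", approver="controller")  # dual authorized
    try:
        post_entry(conn, 2_500_000, "clerk1")                     # rejected by the application
    except PermissionError:
        pass
    dba_direct_insert(conn, 5_000_000, "dba")                     # bypasses the control
    return {
        "journal_rows": conn.execute("SELECT COUNT(*) FROM journal").fetchone()[0],
        "app_audit_gaps": entries_missing_from_app_audit(conn),
        "db_audit_rows": conn.execute("SELECT COUNT(*) FROM db_audit").fetchone()[0],
        "bypass_caught_by_db_audit": conn.execute(
            "SELECT COUNT(*) FROM db_audit WHERE approver IS NULL AND amount > ?",
            (THRESHOLD,),
        ).fetchone()[0],
    }


if __name__ == "__main__":
    print(demo(db_level_audit=False))
    print(demo(db_level_audit=True))
```

Without the trigger, the ₹50 lakh entry posted by the DBA appears in the journal but nowhere in the application's audit trail, which is exactly the reconciliation (journal rows with no matching application audit record) an auditor can re-perform. With the trigger, the same entry is captured with a NULL approver. One caveat before you rely on such a trigger as a compensating control: a DBA who can write to the journal table can usually also disable the trigger or delete from db_audit, so it only helps if its output is shipped to a log store the DBA cannot alter and someone actually reviews it. The primary control remains restricting direct write access to the financial tables.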

How the Layers Map to ITGC Domains

Application
  Primary ITGC domains affected: Access, Program Changes, Program Development, Operations
  Example risk: Application user with excessive role permissions; unauthorized code change deployed to the application
Database
  Primary ITGC domains affected: Access (most critical here), Program Changes
  Example risk: DBA with direct write access to financial tables; data modified outside the application
Operating System
  Primary ITGC domains affected: Access, Program Changes
  Example risk: OS admin can replace application configuration files or read unencrypted password files
Network
  Primary ITGC domains affected: Access
  Example risk: Production database reachable from the internet; no segmentation between development and production environments
Physical
  Primary ITGC domains affected: Access, Operations (backup/recovery)
  Example risk: Server room accessible to all staff; backup tapes stored in an unlocked cabinet

Practical Scoping Note

At orientation level, you will not be expected to test every layer independently on your first ITGC engagement. What you are expected to do is:

  1. Know that each layer exists and represents a distinct access and control boundary.
  2. Ask the right scoping question: for each in-scope application, what database, OS, and network infrastructure supports it?
  3. Flag layering issues when you see them — particularly when a person with application-level restrictions appears to have unrestricted access at the database or OS level.
Cloud-hosted systems. When an application is hosted by a third-party vendor (as in SA 402 scenarios), the vendor typically manages the database, OS, network, and physical layers. The client manages only the application layer — user access, configurations, and business use. This is why the SOC report from the vendor is so important: it covers the layers the client cannot directly inspect.
✦ Comprehension Check — Section 4
Reflect on the section above before reading on.
4.1

A client's ERP has strong access controls — only the Finance team can post journal entries. However, the database administrator (DBA) for the underlying database has not been included in the ITGC scope. Why is this a problem?

Suggested Answer: The DBA has access to the layer below the application. With direct database access, the DBA can read, insert, update, or delete records in the journal entry table without going through the application's access controls and without triggering the application's audit log. The application-level control is bypassed entirely. Excluding the DBA from scope means a significant access risk goes untested.
4.2

A cloud-hosted loan management system is used by an NBFC. The vendor manages the database, operating system, network, and physical infrastructure. The NBFC's IT team manages only user access within the application. Which layers are the auditor's primary concern at the NBFC itself, and which layers would be assessed via the vendor's SOC report?

Suggested Answer: At the NBFC: the application layer — specifically user access provisioning and deprovisioning, access rights and role assignments, and how the client uses the system. Via the vendor's SOC report: the database, OS, network, and physical layers — which the vendor manages and which the client cannot directly inspect. The SOC report should cover vendor-managed controls at all lower layers. Controls that are the client's own responsibility (Complementary User Entity Controls, or CUECs) must still be tested at the NBFC regardless of what the SOC report covers.
4.3

In your own words, explain why "a control at a higher layer does not protect against a bypass at a lower layer." Use a concrete example.

Suggested Answer: Each layer is independently accessible — access to a lower layer does not require going through the higher layer's controls. For example: a payroll application requires manager approval before a salary can be modified. But if a payroll developer has direct access to the operating system, they can edit the application's configuration files to temporarily disable the approval requirement, make the salary change, and re-enable it — all without the application logging the change or triggering the approval workflow. The application control was present and well-designed. The OS-level access rendered it irrelevant.
5 — How ITGC is Tested — First Look

When auditors test ITGC, they use four basic methods. Have the names and their logic in your head before the session — the session will work through these in depth with domain-specific examples.

Inquiry
  What it means: Asking people how a control works. "Who performs the access review? How often? What happens when someone leaves?"
  Limitation or note: Never sufficient alone. People describe how a process should work. Inquiry opens the door; it does not close the test.
Observation
  What it means: Watching a control being performed in real time.
  Limitation or note: Covers only what you witnessed. Behaviour may change when you are watching. Used selectively for controls that leave no documentary evidence.
Inspection
  What it means: Examining a document, log, report, or system record that evidences the control occurred.
  Limitation or note: Most commonly used in ITGC. Your job is to find the record, verify it is complete, and verify it supports the control objective.
Re-performance
  What it means: Independently executing the control yourself and comparing your result to the client's.
  Limitation or note: Most resource-intensive. Used when inspection alone is not sufficient, e.g. extracting a user list yourself rather than accepting the client's version.
In practice: Multiple methods are combined. Inquiry and observation are used to understand how a control works. Inspection and re-performance are used to conclude whether it worked. A workpaper that relies only on inquiry is insufficient.
✦ Comprehension Check — Section 5
Reflect on the section above before reading on.
5.1

You ask the IT Manager how the quarterly access review process works. He explains it clearly and says it is done on the last Friday of each quarter. Is this sufficient evidence that the control operated effectively? What would you do next?

Suggested Answer: No — inquiry alone is never sufficient. The IT Manager's explanation describes how the process should work, not whether it actually happened or produced the correct outcome. The next step is inspection: request the access review documentation for all four quarters — the sign-off emails, the reviewed user list, evidence of deactivations actioned. Then consider re-performance: independently extract the current user list and check whether accounts reviewed in the last cycle remain consistent with what is live in the system today.
5.2

For each of the following ITGC controls, identify which testing method(s) you would primarily use and why:
(a) Password complexity requirements enforced by Active Directory
(b) Change request approval before deployment to production
(c) Overnight batch job completion log

Suggested Answer: (a) Inspection of the system configuration, with re-performance where practical. Extract the Active Directory password policy directly from the domain (for example with the Get-ADDefaultDomainPasswordPolicy cmdlet, or from the Default Domain Policy GPO) rather than accepting a screenshot prepared by the client. This is a configuration control: there is no population of instances to sample, so you verify once that the setting is active. Two caveats: check for fine-grained password policies (Get-ADFineGrainedPasswordPolicy -Filter *), which override the domain default for the groups they are applied to; and, to re-perform, attempt to set a non-compliant password on a test account and confirm that the system rejects it.

(b) Inspection — request change request documentation for a sample of changes during the year. Each change ticket should evidence an approval before deployment. Inspect the tickets and approvals for completeness and authorization.

(c) Inspection — request batch completion logs for the full period. Verify that logs exist for each scheduled run, and that logs show a success status. For any failure or missing log, inquire about what happened and whether it was detected and resolved.
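A worked version of item (c), written as an added example for this reading and not drawn from any real scheduler: the log line format, the job name NPA_RECLASS and the entries themselves are constructed. It covers the NBFC overnight job from 3.2 as well. The check parses every line, then walks the expected schedule day by day and reports dates with no run at all, dates where no run ever succeeded, and dates with more than one run (a failure followed by a rerun, which needs its own follow-up: did the rerun process the backlog, or just the current day?).

```python
"""Batch job completion log check.

Added example for this reading; the log format, the job name NPA_RECLASS and
the entries below are constructed, not taken from any real scheduler.
"""
import re
from datetime import date, timedelta

LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"job=(?P<job>\S+) status=(?P<status>SUCCESS|FAILED|ABORTED)\s*$"
)

# Constructed sample: 3 Apr failed then reran, 4 Apr has no entry at all,
# 6 Apr aborted and was never rerun. The GL_CLOSE line is a different job.
SAMPLE_LOG = """\
2024-04-01 02:10:33 job=NPA_RECLASS status=SUCCESS
2024-04-02 02:09:58 job=NPA_RECLASS status=SUCCESS
2024-04-03 02:45:01 job=NPA_RECLASS status=FAILED
2024-04-03 04:15:20 job=NPA_RECLASS status=SUCCESS
2024-04-05 02:11:07 job=NPA_RECLASS status=SUCCESS
2024-04-05 02:11:07 job=GL_CLOSE status=SUCCESS
2024-04-06 02:10:44 job=NPA_RECLASS status=ABORTED
2024-04-07 02:10:12 job=NPA_RECLASS status=SUCCESS
"""


def parse_runs(log_text, job):
    """Map each ISO date to the list of statuses recorded for the named job."""
    runs = {}
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            unparsed += 1          # count lines the pattern rejects; never drop them silently
            continue
        if m["job"] != job:
            continue
        runs.setdefault(m["date"], []).append(m["status"])
    return runs, unparsed


def audit_job(log_text, job, start_iso, end_iso):
    """Walk every scheduled date in the period and classify it. Dates are ISO strings."""
    runs, unparsed = parse_runs(log_text, job)
    missing, unrecovered, reruns = [], [], []
    start = date.fromisoformat(start_iso)
    end = date.fromisoformat(end_iso)
    day = start
    while day <= end:
        key = day.isoformat()
        statuses = runs.get(key, [])
        if not statuses:
            missing.append(key)        # no evidence the job ran at all
        elif "SUCCESS" not in statuses:
            unrecovered.append(key)    # ran, failed, never completed
        elif len(statuses) > 1:
            reruns.append(key)         # failed then rerun: confirm the rerun covered the backlog
        day += timedelta(days=1)
    return {
        "missing": missing,
        "unrecovered": unrecovered,
        "reruns": reruns,
        "unparsed_lines": unparsed,
        "days_checked": (end - start).days + 1,
    }


if __name__ == "__main__":
    print(audit_job(SAMPLE_LOG, "NPA_RECLASS", "2024-04-01", "2024-04-07"))
```

Each of the three findings maps to a different follow-up question. A missing date means there is no evidence the control operated: ask for the scheduler's own history, not just the exported log. An unrecovered failure is the silent-failure case from 3.2, and the provisioning figures for that date need substantive work. A rerun is only clean if someone can show what the rerun processed. The unparsed_lines count matters too: a log you cannot fully parse is a log whose completeness you cannot assert.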
5.3

Why is re-performance considered stronger evidence than inspection for access control testing? Give an example of when you would use re-performance rather than accept the client's documentation.

Suggested Answer: Re-performance is stronger because the auditor generates the evidence independently, without relying on documentation prepared by the client. The client cannot selectively present a curated view of what the auditor sees. For access controls: if the client provides a printout of active users claiming only Finance team members have GL access, the auditor cannot verify whether the printout is complete or accurate. By independently extracting the user list directly from the system — or requesting it from the vendor — the auditor obtains evidence that has not passed through the client's hands. If the independent extraction reveals users that were not on the client's list, the gap is exposed.
6 — Sampling — First Look

You cannot test every instance of a control across a full year. A company might run 365 batch jobs, process 500 change requests, or conduct 12 monthly access reviews. Sampling is the structured approach to selecting a subset of instances that gives you a reasonable basis to draw a conclusion about the whole population.

Two Things to Carry Into the Session

Not all controls have a population to sample from
Some controls are configured into the system — either password complexity is enforced or it is not. There is no recurring instance to sample. You test the configuration once and confirm it is active. Other controls are performed repeatedly by a person (monthly reviews, per-change approvals, daily batch monitoring) — these generate a population, and sampling applies.
The auditor selects the sample — not the client
Always obtain the full population first, then make your selection from it. If the client selects which evidence to show you, you have not sampled the population — you have reviewed a curated list. This is a fundamental audit principle, not a preference.
Sampling in depth — dedicated session. Sample sizes, statistical vs. non-statistical sampling, and the full methodology for ITGC testing will be covered in a separate session. The two points above are what you need for this session.
✦ Comprehension Check — Section 6
Reflect on the section above before reading on.
6.1

A client says: "We have a control where the system enforces that no user can have both vendor creation and payment approval access at the same time." Is this a control that requires sampling? What is the appropriate testing approach?

Suggested Answer: No — this is a configuration control baked into the system's role design. It either blocks the combination or it does not. There is no population of recurring instances to sample. The appropriate approach is to test the configuration: extract the role matrix or access control settings from the system and verify that the conflicting combination is indeed blocked. You might also independently attempt to assign both roles to a test user (in a non-production environment if possible) to confirm the system prevents it. Test once; document the configuration as evidence.
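The re-performance described in 5.1 and 5.3, the SoD configuration in 6.1 and the ex-employee accounts in quiz question 6 can all be checked from one independent extraction. The Python script below is an added example for this reading, not a client workpaper. Its three inputs are constructed: an HR master extract, the user list the client handed over, and the user list the auditor pulled from the ERP user table directly. Column names, role names and the conflicting pair VENDOR_CREATE / PAYMENT_APPROVE are assumptions; substitute the client's actual role matrix.

```python
"""Re-performing an access review from an independent extraction.

Added example for this reading, not a client workpaper. The three inputs are
constructed: an HR master extract, the user list the client handed over, and the
user list the auditor pulled from the ERP directly. Column names, role names and
the conflicting pair VENDOR_CREATE / PAYMENT_APPROVE are assumptions.
"""
import csv
from io import StringIO

HR_MASTER = """\
emp_id,name,status,leaving_date
E001,Asha Rao,ACTIVE,
E002,Vikram Nair,LEFT,2024-01-15
E003,Priya Menon,ACTIVE,
E004,Rahul Das,LEFT,2023-11-30
E005,Sunil Iyer,ACTIVE,
"""

# What the client handed over when asked "who has finance access?"
CLIENT_LIST = """\
user_id,emp_id,roles
arao,E001,GL_POST;VENDOR_CREATE
pmenon,E003,GL_POST
siyer,E005,PAYMENT_APPROVE
"""

# What the auditor extracted from the ERP user table, roles as assigned today.
ERP_EXTRACT = """\
user_id,emp_id,enabled,roles
arao,E001,Y,GL_POST;VENDOR_CREATE
vnair,E002,Y,GL_POST;PAYMENT_APPROVE
pmenon,E003,Y,GL_POST
rdas,E004,N,GL_POST
siyer,E005,Y,VENDOR_CREATE;PAYMENT_APPROVE
svc_batch,,Y,GL_POST
"""

CONFLICT = frozenset({"VENDOR_CREATE", "PAYMENT_APPROVE"})


def rows(text):
    return list(csv.DictReader(StringIO(text)))


def roles_of(row):
    return {r for r in row["roles"].split(";") if r}


def reperform_access_review(hr_text, client_text, erp_text):
    hr = {r["emp_id"]: r for r in rows(hr_text)}
    client = {r["user_id"]: r for r in rows(client_text)}
    enabled = [r for r in rows(erp_text) if r["enabled"] == "Y"]

    # 1. Accounts live in the system that the client's list did not disclose.
    undisclosed = sorted(r["user_id"] for r in enabled if r["user_id"] not in client)
    # 2. Accounts the client did list, but whose roles differ from what the system shows.
    role_mismatch = sorted(
        r["user_id"] for r in enabled
        if r["user_id"] in client and roles_of(r) != roles_of(client[r["user_id"]])
    )
    # 3. Leavers per HR whose accounts are still enabled (deprovisioning failure).
    leavers_active = sorted(
        r["user_id"] for r in enabled if hr.get(r["emp_id"], {}).get("status") == "LEFT"
    )
    # 4. Enabled accounts with no HR record behind them (service or orphan accounts).
    unmapped = sorted(r["user_id"] for r in enabled if r["emp_id"] not in hr)
    # 5. Enabled accounts holding both halves of the conflicting pair.
    sod_conflicts = sorted(r["user_id"] for r in enabled if CONFLICT <= roles_of(r))

    return {
        "undisclosed": undisclosed,
        "role_mismatch": role_mismatch,
        "leavers_active": leavers_active,
        "unmapped": unmapped,
        "sod_conflicts": sod_conflicts,
    }


if __name__ == "__main__":
    for finding, users in reperform_access_review(HR_MASTER, CLIENT_LIST, ERP_EXTRACT).items():
        print(f"{finding}: {users}")
```

On the constructed data, vnair left in January but is still enabled and was left off the client's list entirely; siyer was listed with one role but actually holds both halves of the conflicting pair; svc_batch is an enabled account with no employee behind it. The disabled leaver rdas raises no finding, which is the expected state. An unmapped account is not automatically a deficiency, but every such account needs a named owner and a business justification before you can conclude on the review.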
6.2

You ask a client for evidence of their change management process. The IT Manager hands you 15 change request tickets that he has pre-selected from the year's population of 200 changes. All 15 have complete documentation and approvals. Can you conclude that the change management control operated effectively? Why or why not?

Suggested Answer: No. The sample was selected by the client, not by the auditor. The IT Manager may have selected the 15 best-documented changes from the population, presenting a misleading picture. To conclude on operating effectiveness, the auditor must obtain the complete population of 200 changes, then make an independent selection. This is a fundamental requirement — accepting a client-curated sample is not sampling, it is reviewing a pre-filtered list.
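Obtaining the full population is itself a step that needs checking: a client export that is short of the stated count, or has holes in its ticket sequence, is not yet a population. The Python script below is an added example for this reading, not a firm tool; the CHG-NNNN ticket format and the 198-ticket export are constructed. It tests the export for count, sequence gaps and duplicates, then makes the auditor's own selection from the corrected population with a recorded seed so the selection can be reproduced from the workpaper. The must_include parameter is a common stratification assumption (for instance, all emergency changes tested in full) and not something the page itself specifies.

```python
"""Population completeness check and auditor-selected sample.

Added example for this reading; the CHG-NNNN ticket format and the population
below are constructed.
"""
import random
import re
from collections import Counter

TICKET = re.compile(r"^CHG-(\d{4})$")

# Constructed: the client says there were 200 changes, but the export has 198 tickets.
CLIENT_EXPORT = [f"CHG-{i:04d}" for i in range(1, 201) if i not in (57, 143)]


def completeness_check(ticket_ids, stated_count):
    """Compare the export to the stated count; look for gaps and duplicates in the sequence."""
    bad = [t for t in ticket_ids if not TICKET.match(t)]
    if bad:
        raise ValueError(f"unexpected ticket format: {bad[:5]}")
    nums = [int(TICKET.match(t).group(1)) for t in ticket_ids]
    present = set(nums)
    gaps = [f"CHG-{n:04d}" for n in range(min(nums), max(nums) + 1) if n not in present]
    duplicates = sorted(t for t, c in Counter(ticket_ids).items() if c > 1)
    return {
        "count_ok": len(ticket_ids) == stated_count,
        "exported": len(ticket_ids),
        "gaps": gaps,            # ask what happened to each: cancelled, deleted, withheld?
        "duplicates": duplicates,
    }


def select_sample(population, size, seed, must_include=()):
    """Auditor's own selection. The seed is recorded in the workpaper so it is reproducible."""
    population = sorted(set(population))
    forced = set(must_include)
    chosen = [t for t in population if t in forced]        # e.g. all emergency changes
    remaining = [t for t in population if t not in forced]
    rng = random.Random(seed)
    chosen += rng.sample(remaining, size - len(chosen))
    return sorted(chosen)


if __name__ == "__main__":
    check = completeness_check(CLIENT_EXPORT, stated_count=200)
    print(check)
    # Only after the gaps are explained and supplied does the population become complete.
    full_population = sorted(CLIENT_EXPORT + check["gaps"])
    print(select_sample(full_population, size=25, seed=20240331, must_include=["CHG-0057"]))
```

The two missing tickets are the point: a cancelled change should still appear in the population (as a cancelled ticket), and a deleted or withheld one is a finding about the change process before any sampling starts. The client's pre-selected 15 play no role in the selection at all.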
7 — Self-Check Quiz

Complete this after reading all sections above. These questions test application of concepts, not memorisation of definitions. The correct answer and a short explanation follow each question.

Q1 The Dependency Chain
Which of the following best describes the relationship between ITGC and application controls?
  • A) Application controls and ITGC are independent — a failure in one does not affect the other
  • B) ITGC is tested after application controls, once automated processing has been confirmed
  • C) Weak ITGC means the auditor cannot rely on application controls, regardless of how well they are designed
  • D) ITGC applies only when the client uses a cloud-based system managed by a third party
Correct Answer: C

ITGC is the foundation. If the IT environment is not controlled, the application controls running on it cannot be trusted — even if they are well-designed. The dependency runs: ITGC → Application Controls → Financial Data → Financial Statements.

Q2 SA 330 Requirement
An auditor plans to rely on the automated three-way match control in a client's ERP to reduce substantive testing on trade payables. What must the auditor do first, per SA 330?
  • A) Obtain management's written representation that the system has been tested
  • B) Test the ITGC supporting the ERP, particularly access and change management controls
  • C) Document the system description and confirm it with the IT Manager
  • D) Verify that the control has been in place for at least two full years
Correct Answer: B

SA 330 is explicit: reliance on automated controls requires prior testing of the ITGC that supports them. Management representations and system documentation are useful inputs but do not substitute for ITGC testing.

Q3 Domain Classification
A client's payroll system was modified by the IT team last month to update the tax calculation logic. There is no documentation of what was changed, no test records, and no management sign-off. Which ITGC domain does this gap belong to?
  • A) Access to Programs and Data
  • B) Computer Operations
  • C) Program Changes
  • D) Program Development
Correct Answer: C

Modifications to existing live systems fall under Program Changes. The absence of documentation, testing, and authorization is a change management failure. Program Development covers new system builds; this was a modification to an existing system.

Q4 Infrastructure Layers
A client's ERP has strong application-level access controls — only Finance team members can post journal entries. However, the database administrator has direct write access to the underlying journal entry table. What is the implication for the auditor's reliance on the application control?
  • A) The application control is still reliable because the DBA is a trusted employee
  • B) The auditor should report the DBA's access as a material weakness and qualify the opinion
  • C) The application control covers the DBA because it applies to all users of the system
  • D) The auditor cannot rely on the application control — the DBA can bypass it at the database layer without the application logging the activity
Correct Answer: D

A control at a higher layer does not protect against a bypass at a lower layer. The DBA's direct database access means journal entries can be posted without going through the application's authorization workflow, and without appearing in the application's audit trail. The application control is rendered unreliable.

Q5 SA 402 Trigger
A client's loan management system is hosted and managed by a third-party vendor on cloud servers. The client's IT team has no access to the underlying infrastructure. Which standard becomes relevant for the statutory auditor?
  • A) SA 315 only — understanding the IT environment is sufficient
  • B) The auditor has no obligation for vendor-managed systems — the vendor carries the risk
  • C) SA 330 — the auditor must re-perform all controls at the vendor site
  • D) SA 402 — the auditor must extend procedures to understand controls at the service organisation
Correct Answer: D

SA 402 applies when a service organisation performs processes or maintains records relevant to the client's financial reporting. Audit responsibility does not transfer to the vendor. The auditor must understand what controls operate there — typically through a SOC report or direct procedures.

Q6 ITGC Finding — Correct Conclusion
During ITGC testing, the auditor finds that 14 ex-employee accounts are still active in the client's ERP, some with finance-level access. What is the correct conclusion to document in the workpaper?
  • A) The financial statements are materially misstated due to the access control failure
  • B) The finding is immaterial because no fraudulent transactions have been identified
  • C) The access deprovisioning control did not operate effectively; reliance on access-dependent automated controls cannot be placed; substantive testing must be expanded in affected areas
  • D) The auditor should issue a qualified opinion based on the ITGC deficiency
Correct Answer: C

An ITGC finding does not automatically mean there is a misstatement — it means the auditor cannot rely on automated controls in that area. The correct conclusion is about audit strategy (expand substantive testing), not about the financial statements directly. Determining whether a misstatement exists requires further substantive work.