ITGC Vocabulary for IT Audit Analysts: Controls, Evidence, and SOX Language

A practical vocabulary guide for IT audit analysts covering ITGC controls, SOX compliance language, deficiency classification, and audit evidence terminology.

Why IT Audit Has Its Own Language

IT General Controls (ITGC) auditing sits at the intersection of information technology, finance, and regulatory compliance. The vocabulary is formal, precise, and — for IT professionals who move into audit roles or work alongside auditors — often unfamiliar.

This guide covers the core terminology you will encounter in ITGC audits, particularly those conducted under the Sarbanes-Oxley Act (SOX) framework. Developing fluency in this vocabulary allows you to understand audit requests clearly, communicate findings precisely, and discuss remediation without ambiguity.


Core ITGC Control Categories

ITGC auditors typically assess controls in four domains. Understanding the vocabulary within each is essential.

Access Management Controls

| Term | Definition |
|---|---|
| Privileged access | System access with elevated permissions, such as administrator or root rights |
| Segregation of duties (SoD) | The principle that no single individual should have access to perform conflicting functions |
| Provisioning | The process of granting a user access to a system |
| De-provisioning | The process of revoking access when a user no longer requires it |
| Recertification | A periodic review confirming that existing access rights are still appropriate |
| Access control matrix | A document mapping users or roles to the systems and permissions they can access |

Change Management Controls

| Term | Definition |
|---|---|
| Change request | A formal record documenting a proposed modification to a system or configuration |
| Approval workflow | The sequence of authorisations required before a change can be implemented |
| Emergency change | A change deployed outside the normal approval process due to urgent circumstances |
| Rollback plan | A documented procedure to reverse a change if it causes problems |
| Segregation of duties in change | Ensuring developers cannot promote their own code to production without a second approval |

Computer Operations Controls

| Term | Definition |
|---|---|
| Batch processing | Automated execution of a group of transactions or processes at a scheduled time |
| Job scheduling | The automated sequencing and timing of batch processes |
| Incident management | The process of identifying, logging, and resolving system incidents |
| Backup and recovery | Procedures to copy data and restore it if lost or corrupted |

SOX Compliance Vocabulary

SOX Section 404 requires management to assess the effectiveness of internal controls over financial reporting. The language used in this process is highly specific.

| Term | Definition |
|---|---|
| Internal control over financial reporting (ICFR) | Controls designed to provide reasonable assurance of reliable financial reporting |
| Control deficiency | A gap in the design or operation of a control that could allow a misstatement |
| Significant deficiency | A control deficiency important enough to merit attention from financial statement oversight parties |
| Material weakness | A deficiency severe enough that there is a reasonable possibility of a material misstatement in financial statements |
| Remediation | The corrective actions taken to address a control deficiency |
| Management’s assessment | The formal evaluation by company management of the effectiveness of ICFR |
| External auditor reliance | The degree to which an external auditor uses management’s ITGC testing in their own audit |

The classification hierarchy — control deficiency → significant deficiency → material weakness — represents increasing severity. A material weakness is the most serious finding and requires disclosure in public financial filings. When writing audit observations, classifying the finding correctly is critical.


Evidence and Testing Vocabulary

| Term | Definition |
|---|---|
| Evidence | Documentation or data that demonstrates a control is operating effectively |
| Walkthrough | A test where the auditor traces a transaction through the control process |
| Test of design | An assessment of whether a control, as designed, is capable of preventing or detecting a misstatement |
| Test of operating effectiveness | An assessment of whether a control operated as designed over the audit period |
| Population | The complete set of transactions or events from which a sample is drawn |
| Sample | A subset of items selected from the population for testing |
| Exception | An item in the sample that does not comply with the control’s requirements |

When responding to audit evidence requests, use precise language: “The attached export from the identity management system shows all provisioning and de-provisioning events for the in-scope systems during the audit period.” Avoid vague phrases like “here is the access stuff.”


Example Sentences

  1. “The access recertification for privileged accounts was not completed within the required 90-day cycle, which constitutes a control deficiency in access management.”
  2. “We identified three emergency changes that were deployed without documented post-implementation approval — management will need to assess whether this rises to a significant deficiency.”
  3. “The remediation plan addresses the segregation of duties gap by implementing a secondary approval requirement for all production deployments.”
  4. “Our test of operating effectiveness covered a sample of 25 change requests from the audit period; two exceptions were noted where the approval workflow was bypassed.”
  5. “The external auditor has requested evidence that the quarterly access recertification was completed, including the sign-off from the system owner and the list of any access revoked as a result.”

Register Notes

Audit language uses the passive voice extensively: “Evidence was requested… Controls were assessed… Exceptions were identified.” This is intentional — it describes process steps without assigning personal blame. When writing your own audit responses or findings, follow this convention.

The phrase “reasonable assurance” is a term of art in auditing. It does not mean complete assurance. When an auditor writes that controls provide “reasonable assurance,” they are using the standard definition from auditing standards — not hedging.