32 control templates across 4 categories

Everything your ITGC testing needs — in one platform

32 control templates across four categories — A1 through A11 for Access (including A11 Third-Party / Sub-processor Risk Review for vendor management), C1 through C5 for Change, O1 through O10 for Operations, S1 through S6 for Security. Structured 8–9 step workflow per control. AI-powered testing with full provenance. Reviewer-ready export.

Access Controls

Stop chasing user lists across systems. Test provisioning, terminations, privileged access, and periodic reviews from one structured workflow.

  • A1: User Provisioning Approvals
  • A2: User Terminations Timeliness
  • A3: Privileged Access Grant & Justification
  • A4: Privileged Access Periodic Review
  • A5: Break-Glass Emergency Access
  • A6: User Access Reviews (UAR)
  • A7: Service Accounts Lifecycle
  • A8: Authentication Controls
  • A9: Cloud IAM Policy and Identity Review
  • A10: MFA Enrollment and Resilience
  • A11: Third-Party / Sub-processor Risk Review

Change Management

Trace every change through 5-node traceability: ticket → approval → testing → deployment → closure. No more manual cross-referencing between ticketing and release logs. These controls fall within auditors' SOX 404 IT-general-controls scope as a standard PCAOB AS 2110 testing area.

  • C1: Normal Change Approvals
  • C2: Emergency Changes
  • C3: Release Controls
  • C4: CI/CD Pipeline Controls
  • C5: Configuration/IaC Changes

IT Operations

Backups, monitoring, incidents, DR — the controls nobody wants to test manually. Scoping step handles environment selection so nothing gets missed. Covers backup, DR, and monitoring controls within auditors' PCAOB AS 2110 IT-general-controls scope.

  • O1: Backup Success Monitoring
  • O2: Restore Testing
  • O3: Batch Job Monitoring
  • O4: Monitoring & Alert Response
  • O5: Incident Management
  • O6: Problem Management
  • O7: Patch Management
  • O8: Logging & Audit Log Review
  • O9: DR/BCP Testing
  • O10: Backup Immutability and Ransomware Readiness

Security

Vulnerability scanning, security monitoring, and endpoint governance. Test once with structured methodology instead of ad-hoc evidence collection. These controls fall within auditors' SOX 404 IT-general-controls scope and are relevant to SOC 2 Common Criteria.

  • S1: Security Event Logging
  • S2: Segregation of Duties
  • S3: Vulnerability Management
  • S4: Access Review Authorization
  • S5: Encryption Key Management
  • S6: AI-Governance Controls

Six new controls

Recently added

Cloud IAM, MFA enforcement, third-party / sub-processor risk, ransomware readiness, encryption-key lifecycle, and AI-model governance — six post-2024 control areas earlier ITGC programs typically left to ad-hoc walkthroughs rather than formal sample-tested controls.

A9

Cloud IAM Policy and Identity Review

Tests IAM provisioning, role drift, service-principal hygiene, and federated-identity controls across cloud platforms (AWS, Azure, GCP).

Cloud-first audit programs need cloud-native IAM testing — not file-share-era access reviews.

A10

MFA Enrollment and Resilience

Verifies MFA enrollment coverage, exception tracking, and challenge-bypass conditions across the in-scope user population.

MFA is now a baseline SOX 404 expectation; auditors need defensible evidence of enforcement, not just "policy says enabled."

A11

Third-Party / Sub-processor Risk Review

Tests third-party / sub-processor risk reviews — onboarding due-diligence, ongoing monitoring, contract-renewal triggers.

Sub-processor concentration risk has become a baseline enterprise-procurement question; auditors must show the review cadence is real.

O10

Backup Immutability and Ransomware Readiness

Tests immutability + isolation of backup tiers, restore validation, and ransomware-readiness drills.

Mutable backups offer no recovery guarantee against ransomware — auditors need evidence of tier isolation and restore-validation cadence.

S5

Encryption Key Management

Tests KMS key rotation, separation-of-duties on key administration, and customer-managed key (CMK) coverage.

Key management is the load-bearing control under most data-protection assertions; KMS hygiene is now first-class in ITGC scope.

S6

AI-Governance Controls

Tests model inventory, AI risk classification, prompt-injection guardrails, and human-in-the-loop checkpoints for AI-driven business processes.

NIST AI RMF and EU AI Act drive auditor focus on AI controls; the platform tests the AI-governance controls that customers' AI deployments now require auditors to verify.

What you receive

From $1,499/month, every engagement produces these deliverables.

  • 13-section workpaper (PDF/HTML) — structured for reviewer workflow, subject to auditor professional judgment
  • Population analysis + risk-based sampling documentation (per AICPA AU-C 530 and PCAOB AS 2315)
  • AI test results with evidence excerpts, confidence scores, and full provenance
  • Exception log with severity, root cause, and remediation plan
  • 24+ automated quality checks with severity classification and acknowledgment workflow
  • Complete audit trail — every action logged, every conclusion linked to evidence

Purpose-built testing platform

Not a spreadsheet add-on — a dedicated platform with enforced workflow gates, built-in quality review, and structured output your reviewers can trust.

  • 32 control templates
  • 8–9 step workflow
  • Sampling methodology: AU-C 530 / AS 2315
  • 24+ quality checks

See these features in a real workpaper

Browse a sample workpaper produced by the platform — same controls, same methodology, same output format.