Lumina Risk Advisory

ITGC Advisory

IT controls,
done thoroughly.

IT General Controls underpin every audit, every compliance framework, and every year-end financial close. We deliver risk-based ITGC scoping, testing, and documentation — as a co-source for your internal audit function, or as a standalone engagement ahead of your external audit.

Project · Retainer · Co-source · Fixed fee or time-and-materials

Timeline: Project or retainer
Engagement: Fixed fee or T&M
Best for: Internal audit functions
Output: Controls documentation

What we cover

Four domains.
Fully scoped.

Every ITGC engagement is scoped against your specific risk profile — not every organization needs every control in every domain. We focus effort where the audit risk is highest.

AC

Access to Programs & Data

  • User provisioning/de-provisioning
  • Privileged access management
  • Periodic access reviews
  • Segregation of duties
  • MFA and authentication
CM

Change Management

  • SDLC methodology documentation
  • Code review and approval workflows
  • Testing requirements (dev/UAT/prod)
  • Emergency change procedures
  • Production separation controls
CO

Computer Operations

  • Job scheduling and monitoring
  • Backup and recovery procedures
  • Incident and problem management
  • Capacity and availability monitoring
  • Data center / cloud environment controls
SD

System Development (SDLC)

  • Requirements and design controls
  • Development and testing standards
  • Acceptance testing and sign-off
  • Implementation and cutover controls
  • Post-implementation review

Engagement types

Four ways
to engage.

ITGC work looks different depending on where you are in your audit cycle and what's driving the need. We scope each engagement to match your situation.

01

Internal audit co-source

We plug into your internal audit function as an IT specialist, scoping, testing, and reporting on IT controls for your annual audit plan. You get specialist IT audit capability without the cost of a full-time hire.

Annual plan · Risk-based · Findings & recs

02

External audit support

Your external auditors rely on you to provide well-organized ITGC evidence. We build and maintain your evidence library so your external audit runs faster and cleaner.

Evidence library · Walkthrough prep · Auditor liaison

03

ITGC remediation project

You've received audit findings or management letter points on IT controls. We assess the root cause, design remediation, implement controls, and verify the fix before your next audit cycle.

Findings remediation · Root cause · Verification

04

ITGC program build

You don't have an ITGC program yet. We build one from scratch: risk assessment, control framework, policy library, evidence procedures, and ongoing monitoring cadence.

Program design · Policy library · Monitoring

FAQ

Common questions.

Do I need ITGCs if I'm not public or going public?

ITGCs matter for any organization with a financial audit or compliance program. Many private companies face ITGC requirements through their external auditors, SOC 1 engagements, customer contracts, or internal audit charters. If your auditors are testing IT controls, or if you're building toward any compliance framework, an ITGC program is foundational.

How is ITGC Advisory different from SOX IT controls work?

SOX IT controls work is a specific engagement focused on the PCAOB/SEC requirements for public company financial reporting. ITGC Advisory is broader. It covers the same four domains (access, change, operations, SDLC) but for any purpose: internal audit support, external audit prep, SOC 1/2 alignment, or general risk management. The controls are similar; the audience and documentation standards vary.

We have an internal audit team. How do you fit in?

Most internal audit functions have strong financial audit and operational audit capabilities but limited IT audit depth. We co-source the IT portion of your audit plan, executing IT-specific walkthroughs, testing controls, and writing findings, so your team can focus on what they do best.

Can you help us respond to management letter points?

Yes, this is a common engagement for us. If your external auditors issued management letter points or control deficiency findings related to IT, we assess root cause, design the remediation, implement it, and document the fix in a format your auditors will accept as evidence of remediation.

Let's scope
your ITGC work.

Tell us your audit cycle, your current controls state, and what's driving the need. We'll scope an engagement and send a proposal within 48 hours.