Skip to main content
Image coming soon

ITGC Audit Evidence for Assurance Associates

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

ITGC Audit Evidence for Assurance Associates

Learn to scope, sample, and conclude on IT general controls so your working papers clear first review.

You returned the access review workpaper. Your senior sent it back with four annotations: incomplete IPE documentation, no completeness assertion, exception narrative that describes the fact but not the risk, and a missing rollforward cross-reference. The testing was fine. The working paper was not.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

IT General Controls testing is one of the first substantive areas assurance associates own end-to-end. The procedures are straightforward. The evidence standards are not. Population completeness documentation, sampling rationale that survives scrutiny without verbal explanation, exception narratives that link the finding to an audit assertion, remediation re-testing that holds up if the file is reviewed by a regulator: these are not intuitive, and they are not taught in university. Most associates learn them review-note by review-note across two or three busy seasons. This course compresses that learning into twelve structured modules, each anchored to the specific artefacts senior reviewers check in the first read.

What you walk away with

  • Define a defensible ITGC population with IPE completeness documentation that does not require a client callback.
  • Select and document a sampling methodology with a rationale paragraph that stands on its own.
  • Write an exception narrative that connects the finding to the relevant financial statement assertion.
  • Determine when an exception is isolated and when it indicates the monitoring control is not operating.
  • Complete a rollforward update assessment that documents your basis for continuing or re-testing.
  • Submit working papers that clear first-review without a revision note on conclusion quality.

The 12 modules

Module 1. What ITGC Actually Tests
The four ITGC domains (access management, change management, computer operations, application development) and how each one connects to financial statement assertions. Why auditors need more than evidence that a control ran; they need evidence that maps the control operation to the specific assertion it protects. The distinction between an ITGC deficiency and an application control deficiency, and why it affects the extent of substantive testing required.
Module 2. Population Scoping and IPE Completeness
Why population completeness is the first annotation on every access review workpaper, and how to get it right before submitting. The query approach to population generation, the IPE testing checklist (parameters, report name, run date, who ran it, completeness assertion), and the two-paragraph population note structure that documents completeness without requiring the reviewer to ask a follow-up question.
Module 3. Sampling Methodology and Rationale Documentation
When attribute sampling is required and when judgmental sampling is defensible under AUASB standards. How to calculate sample sizes for low, moderate, and high tolerable exception rates. The four-line rationale paragraph that documents your selection basis, expected deviation rate, tolerable deviation rate, and conclusion scope, so the rationale survives the file review without a verbal explanation from you.
Module 4. Access Review Evidence Standards
How to document user access reviews, privileged access testing, separation of duties exception analysis, and terminated user access in a single coherent workpaper. The confirmed-or-denied log pattern for access owner responses, the matrix approach to SoD conflict documentation, and how to handle mid-period role changes without reopening the population. What APRA-regulated entity audits require beyond the standard access review procedures.
Module 5. Change Management Ticket Documentation
The five artefacts every change management sample needs: the request, the approval chain, the testing evidence, the implementation authorisation, and the post-implementation review. How to document emergency change procedures as a separately assessed control rather than an exception to standard change. The common incomplete-approval exception and how to write it as a finding narrative rather than a description of what was missing.
Module 6. Computer Operations Evidence
Backup logs, job scheduling exception reports, and incident response records are the three computer operations populations most associates undertest. How to scope the backup population to the systems that support financial reporting, document job failure resolution and the authorised deviation register, and assess whether a pattern of scheduling exceptions indicates the monitoring control itself is not operating rather than a series of isolated incidents.
Module 7. Exception Analysis and Conclusion Writing
How to move from a documented exception to a written conclusion that says whether the control is operating effectively, operating with exceptions, or not operating. The frequency calculation for statistical samples versus the narrative approach for judgmental samples. The three-part exception narrative: what was observed, what the control was designed to do, and what assertion is at risk. When to escalate to deficiency classification before the workpaper is submitted.
Module 8. Remediation Testing and Re-Performance
What re-testing looks like when a client remediates a control finding during the audit. The AUASB standard for re-performance, the updated population approach when the remediation changes the control design, and how to document that the remediated control was operating effectively for the period relevant to the audit opinion. The working paper note that shows the reviewer the original exception, the remediation, and the re-test conclusion in one place.
Module 9. Rollforward Documentation
How the current-year workpaper connects to prior-year testing without requiring the reviewer to pull the prior file. The update assessment checklist: changes to the control owner, changes to the system, changes to the underlying process, and changes to the relevant assertion. The trigger list for full re-testing versus update procedures, and the one-paragraph rollforward conclusion that documents your basis and cross-references the prior-year finding.
Module 10. IPE Testing for Non-System-Generated Reports
How to test reports the client produced specifically for the audit population. The IPE completeness and accuracy checklist, the parameters documentation note, and the conclusion that protects your workpaper if the source report is later found to include errors. The four most common IPE failures in ITGC workpapers: missing parameters, unverified completeness, undocumented run date, and conclusions that depend on an IPE that was not independently tested.
Module 11. Deficiency Identification and Escalation
How to move from a control exception to a formal deficiency classification, and when to escalate before the workpaper is finalised. The aggregation step across all ITGC domains, the threshold guidance for significant deficiency versus material weakness under AUASB and ASA 265, the communication protocol with the engagement manager, and the working paper documentation that demonstrates you identified and escalated, regardless of how the engagement team ultimately responds to the finding.
Module 12. Working Paper Self-Review Before Submission
The eight-point checklist a senior reviewer applies in the first three minutes on an ITGC workpaper. Assertion linkage, cross-reference to the risk assessment matrix, exception narrative completeness, conclusion format, IPE documentation, sampling rationale, rollforward reference, and open-item resolution. Two specific gaps that generate a review note every time they are missing, and the self-review habit that gets workpapers to first-pass clearance within the first two busy seasons.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You scoped the population from the HR termination report but did not document IPE completeness. Modules 2 and 10.
Your sample rationale says 'judgmental, 25 items' with no basis statement. Module 3.
You found three access exceptions and described each one. Your senior needs to know which assertion each one affects. Module 7.
The client fixed the terminated-user access gap in week six of the audit. You need to re-test and document the re-performance basis. Module 8.

What you get with this course

  • Twelve self-paced written modules covering the full ITGC evidence standard from population scoping to deficiency escalation.
  • Downloadable working paper templates for each module: IPE note, sampling rationale, exception narrative, rollforward assessment, deficiency memo.
  • The hand-built implementation playbook delivered alongside course access: a customised ITGC workpaper review checklist based on your specific client type and the AUASB standards that apply to the engagements you are currently running.

What you will have in hand by Day 1, Week 1, Month 1

Access provisioned within 24 hours of purchase.

Hand-built implementation playbook delivered alongside course access, tailored to the ITGC populations and client types on your current engagements.

Before and after

Before

Submitting an ITGC workpaper and receiving four annotations: incomplete IPE, weak sampling rationale, exception described but not concluded on, rollforward missing. The revision cycle adds two days to the close.

After

Submitting an ITGC workpaper that documents population completeness, sampling basis, exception conclusion, and rollforward in the first read. Review notes shift from 'please complete this section' to substantive questions about the control design.

What happens if you do not address this

Working paper quality is the visible output that senior reviewers, engagement managers, and eventually partners assess when evaluating whether an associate is progressing. Associates who move through the review-note cycle without building the underlying documentation standard spend more time on revisions than on higher-value work. The gap compounds: by the time it becomes a performance conversation, two or three seasons of pattern have formed.

Who it is for

Assurance associates in public accounting who spend their days executing ITGC procedures under senior guidance and who regularly receive review notes about working paper quality rather than testing execution. They know how to run the test. They want to understand how to document it so the reviewer does not have to reconstruct the logic.

Who this is NOT for. Experienced audit seniors who have already internalized working paper standards through years of reviewing others work. IT audit specialists who design and assess control frameworks for enterprise architecture purposes. Internal audit professionals whose documentation standards are set by a distinct internal methodology.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Twelve modules, designed to be completed in one to two hours each. Most associates work through two or three modules between busy-season peaks, applying each template to a live workpaper before moving to the next.

Why $199 is the right number

AUASB guidance documents cover the standard but not the documentation practice. Internal training at public accounting firms addresses firm methodology but not the underlying evidence logic. University accounting programmes cover financial reporting standards, not working paper construction. This course covers the gap between what the standard requires and what a self-standing workpaper looks like in practice.

FAQ

Is this specific to Australian auditing standards?
The sampling rationale and deficiency classification modules reference AUASB standards and ASA 265 specifically. The evidence documentation principles apply across jurisdictions, but the APRA-regulated entity module and the AUASB sample size guidance are Australia-specific.
Do I need prior ITGC experience to follow the modules?
No. Module 1 covers the foundational domain structure. The course is designed for associates who have been assigned ITGC procedures but want to understand the evidence standard behind each step.
How does the implementation playbook get tailored to me?
When you enrol, you share the client type and the specific ITGC populations you are currently testing. The playbook is built to match: a working paper review checklist calibrated to your engagement, the AUASB references that apply, and the exception narrative templates for the specific control domains in scope.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.