Module · Compliance Enablers

IT General Controls

The ITGC Matrix Auditors Expect — Minus the Spreadsheet

IT General Controls testing for SOX, SOC 2, and audit readiness, organized across the four classic domains: access management, change management, IT operations, and SDLC. Plan test runs by period, record samples tested and failed, and conclude on operating effectiveness — the matrix external auditors expect, maintained as structured data instead of a workbook emailed between teams. GRC tools aimed at startups skip ITGC entirely; audit-grade programs cannot.

Before → After

The problem we solve.

Why teams switch to Compliance Enablers for IT General Controls.

Industry challenges

  • The ITGC matrix is a workbook with versions scattered across email threads
  • Sample selections and results reconstructed months later when auditors ask
  • No review step between tester conclusions and what external audit sees
  • Separate ITGC efforts for SOX and SOC 2 duplicate the same testing twice

How we solve it

  • Structured test runs across the four ITGC domains with periods, samples, and conclusions
  • Failure rates and evidence captured at test time, ready for auditor sampling
  • Awaiting-review workflow quality-gates conclusions before audit exposure
  • Framework tagging lets one program satisfy multiple assurance obligations

Capabilities

Built for depth, out of the box.

Every capability is production-ready on day one. No add-ons, no extra subscriptions.

Flagship capability

Four-Domain ITGC Matrix

Organize controls and test runs across access management, change management, IT operations, and SDLC — the domain structure SOX and SOC 2 auditors work in.

Period-Based Test Runs

Define test runs with period start and end dates, supporting the period-of-coverage testing that Type II reports and SOX cycles demand.

Sample-Based Testing

Record samples tested and samples failed per run, with failure rates calculated from the data — for example, a quarterly joiners and leavers access review.

Effectiveness Conclusions

Conclude each test run as effective, partially effective, or ineffective, with an awaiting-review state so conclusions are quality-checked before they reach auditors.

Framework Tagging

Tag test runs to the framework they serve — SOX, SOC 2, ISO 27001 — so one testing program feeds multiple assurance obligations.

The impact

Why it matters.

  • Walk into external audit with a complete, current ITGC matrix instead of a fragile workbook
  • Sample counts and failure rates are recorded at test time, not reconstructed under deadline
  • Effectiveness conclusions carry review status, protecting quality before auditor scrutiny
  • One testing program serves SOX, SOC 2, and ISO simultaneously

Unified data model

Part of a connected whole.

IT General Controls shares a unified data model with every other module. Zero silos, by design.

14-day free trial · no card required

See IT General Controls in action.

Book a 30-minute demo and we'll walk you through IT General Controls tailored to your team, frameworks, and priorities.