Which IT general controls are most relevant to cybersecurity, and how should an auditor assess their design and operating effectiveness?

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test. Gain confidence with multiple choice questions and clear explanations. Ace your exam!

Multiple Choice

Which IT general controls are most relevant to cybersecurity, and how should an auditor assess their design and operating effectiveness?

Explanation:
Understanding IT general controls that underpin cybersecurity means focusing on the controls that create a secure operating environment for all information systems. The most relevant set includes access controls to prevent unauthorized use, change management to ensure only approved changes are made, configuration management to keep systems in secure, known baselines, backup and recovery to protect data availability, and IT operations to sustain monitoring, scheduling, and incident response. This combination covers the major ways cybersecurity risks can materialize—through improper access, untested or unauthorized changes, insecure configurations, data loss, or unaddressed operational weaknesses.

When assessing design, look for documented policies and standards for each area and evidence that the controls are properly embedded in the organization’s control environment. For operating effectiveness, examine real-world execution: walkthroughs of processes, evidence such as access reviews, change tickets, configuration baselines, backup and recovery logs, and incident records, plus sampling to confirm that procedures are consistently followed.

If a primary control isn’t fully in place, verify that compensating controls exist and are appropriate, and that they provide equivalent assurance. Physical security or password policies alone don’t provide the same comprehensive protection as the full suite of IT general controls, which is why the broader set is the best answer.