You passed the access review, but failed the audit.
It's a frustration that echoes through compliance, security, and IT operations teams every audit cycle. The controls were in place. The policies were documented. Yet somehow, the external auditors flagged critical deficiencies in access management, user reviews, and lifecycle processes. The disconnect often isn't about missing controls—it's about broken, manual, and siloed identity lifecycle processes that can't scale effectively.
The uncomfortable truth: Mismanaged joiner–mover–leaver (JML) processes are the silent killers of IT General Controls (ITGC) effectiveness. Without proper automation and orchestration of identity workflows, even the most well-intentioned organizations accumulate compliance risks, audit findings, and security vulnerabilities that go undetected until it's too late. This post explores why identity lifecycle management is foundational to ITGC success—and what "good" governance looks like when built on automation, policy enforcement, and proper tool orchestration.
What Are ITGCs and Why Do They Fail?
What Are IT General Controls?
IT General Controls are the foundational mechanisms that support financial reporting accuracy and regulatory compliance. They span four critical categories: access management, change management, data backup and recovery, and logical security. Together, ITGCs form the baseline assurance framework required by SOX, ISO 27001, SOC 2, and similar compliance standards.
When auditors evaluate ITGC effectiveness, they focus especially on access control. Specifically, they ask:
- Who has access? Can you identify every user and their permissions across systems?
- How is it provisioned? Are there documented, controlled processes for granting access?
- How is it changed? When users move roles, how are permissions updated and old access revoked?
- How is it revoked? When employees leave, is access removed completely and verifiably?
- Can we prove it? Do you have immutable audit trails demonstrating compliance?
According to recent audit findings, nearly 39% of ITGC audits uncover control or evidence deficiencies, indicating persistent gaps across the industry. Many of these gaps aren't technical failures—they're lifecycle governance failures.
Most Common ITGC Failures in Access Control
Audit reports consistently cite the same recurring findings:
- "Terminated users retained access to critical systems." Former employees still hold active credentials weeks or months after departure, often across disconnected SaaS platforms that IT never knew existed.
- "No evidence of periodic review completion." User access reviews (UARs) happened informally—via spreadsheets, emails, or conversations—leaving no auditable proof that reviews occurred, who reviewed them, or what decisions were made.
- "Lack of documentation for role-based provisioning." New hires received ad hoc access requests without formal justification, approval records, or alignment to predefined role policies.
- "Access changes not approved or documented." When users changed roles, access was added but rarely removed, creating privilege creep and segregation of duties (SoD) violations with no change audit trail.
- "Insufficient controls for exception access." Users granted temporary or emergency access weren't flagged for de-provisioning when access should have expired.
The pattern is clear: these failures stem from manual processes, siloed systems, and lack of real-time visibility—not from missing controls.
How Lifecycle Mismanagement Leads to ITGC Failures
Understanding the failure modes requires looking at each lifecycle stage and the specific gaps that accumulate.
1. Joiner Gaps: Uncontrolled Provisioning
When a new employee joins, the provisioning process should be policy-driven, documented, and traceable. In reality, many organizations handle joiners ad hoc:
- Ad hoc provisioning instead of policy enforcement: Managers submit access requests without formal role definitions. The IT team grants access based on verbal conversations or legacy patterns, not documented provisioning policies. No one knows what the new user should receive—or why.
- No centralized visibility: Access requests flow through multiple channels (emails, ticketing systems, Slack messages, verbal requests). There's no single source of truth for what access was approved, who approved it, or when it was provisioned.
- Missing audit evidence: Once access is granted, there's often no permanent record. Tickets get archived, emails are deleted, and approvals exist nowhere in a retrievable format. When auditors ask "who approved this access and when?" the answer is: we don't have that documented.
ITGC Impact: Failed control testing. Auditors can't verify that provisioning is controlled, policy-based, or properly approved.
2. Mover Gaps: Role Changes That Don't Update Access
Employees change roles. They transfer departments. They get promoted. In these moments, access should be re-evaluated, updated, and cleansed. Instead, most organizations layer new access on top of old:
- Privilege creep: A user promoted from analyst to senior analyst receives expanded access to new tools, but their analyst-level permissions remain active. Three promotions later, they have access to fifteen systems they don't need—many they don't even know about.
- SoD violations: A financial analyst promoted to approver now has both the ability to create purchase orders AND approve them—a classic segregation of duties conflict. No system flags this.
- No revocation record: Access is added, but nothing systematically reviews what should be removed. There's no documented process showing that someone evaluated the user's old access against their new role and made an intentional decision about what to keep.
- Role change sprawl: Users accumulate titles and roles in different systems without coordination. Their AD group membership doesn't match their HRIS job title, which doesn't match their application permissions. When you ask "what access should this person have?" the answer varies depending on which system you check.
ITGC Impact: Privilege escalation and SoD control failures. Auditors find users with conflicting permissions that should never coexist.
3. Leaver Gaps: Incomplete Offboarding
Offboarding is perhaps the most critical lifecycle stage and the most frequently mismanaged:
- HR-IT misalignment: When a user is marked as terminated in Workday or BambooHR, IT isn't automatically notified. There's no integration triggering deprovisioning. Weeks later, IT discovers the departure through an ad hoc audit or a security incident.
- SaaS sprawl: Modern organizations use an average of 660 SaaS applications, with 12 new apps added monthly. Most terminated users retain access to Notion, Salesforce, GitHub, Slack, and dozens of other cloud applications because IT never discovered the accounts existed. These "zombie accounts" are among the leading ITGC audit findings in mid-sized companies.
- Orphaned accounts: Even on-premises systems like Active Directory may retain user accounts indefinitely. If the account isn't explicitly disabled, it remains live. An ex-employee could theoretically sign in months later if they know their password.
- Sensitive data exposure: Terminated users retain access to financial systems, HR records, intellectual property repositories, and customer databases. This is both a compliance failure and a serious insider threat risk.
- Manual tracking: Many organizations use spreadsheets to track offboarding. A department head checks off boxes: "Laptop returned? ✓ Access revoked? ✓" But there's no proof that the access was actually revoked—only a checkbox.
ITGC Impact: Failed access revocation controls. Auditors find terminated users with active system access. This is one of the top audit findings and a direct control failure.
4. Manual Controls That Lack Evidence
Even when organizations conduct user access reviews, many lack the rigor needed for compliance:
- Spreadsheet-based reviews: UAR data is collected in Excel. Managers receive a list of users they oversee and certify "yes, John still needs database access." But where are the details? When did the review happen? Who is the manager? What's the decision rationale? Why wasn't Maria's orphaned access revoked?
- No audit trail: Spreadsheets are mutable. Someone adds a column, deletes a row, or changes a value. There's no timestamp, no change history, no immutable evidence of what was originally certified.
- Unverifiable approvals: A manager might say they reviewed and approved access—but there's no digital signature, no approval workflow, no proof. Auditors must take their word for it. If the manager leaves the company, there's no record at all.
- Incomplete scope: Manual reviews often cover only a sample of users or a limited set of systems. Critical applications get reviewed annually; minor tools aren't reviewed at all. The review is incomplete but treated as comprehensive.
ITGC Impact: Failed evidence requirements. Even if the control intention is good, auditors can't verify that it was designed, operating, and effective without an immutable, timestamped audit trail.
What Good Looks Like: From Lifecycle Chaos to Automated Governance
Effective ITGC requires moving from manual, decentralized processes to integrated, policy-driven automation. Here's what the "future state" looks like:
1. HR-Driven Access Lifecycle
The principle: Your HRIS (Human Resource Information System) is the system of record for identity. Employment status, role, department, manager, and location flow from HR—automatically—into your identity platform and downstream systems.
How it works:
- Real-time joiner provisioning: When a new hire is entered in Workday or BambooHR, the system automatically maps them to a predefined role (e.g., "Software Engineer" or "Financial Analyst"). Policies associated with that role trigger provisioning to all appropriate systems.
- Automatic role re-evaluation: When a user's job level or department changes in HR, their access profile is automatically re-evaluated. The system identifies what new access they should receive, what old access should be cleansed, and flags any potential SoD violations for review.
- Deprovisioning on termination: When HR marks an employee as terminated, a deprovisioning workflow is immediately triggered. Within hours, the employee's access is revoked across all connected systems.
ITGC benefit: Eliminates delays and manual ticketing. Creates a clear, auditable chain from employment status change to access change, with timestamps and decision records.
2. Role- and Attribute-Based Provisioning
The principle: Access is granted by role, not by individual request. Policies are centrally defined, consistently applied, and automatically enforced.
How it works:
- Role templates: Define what access each role should have. A "Customer Support Analyst" gets read access to the CRM, help desk system, and customer documentation. A "DevOps Engineer" gets CI/CD pipeline access, infrastructure dashboards, and on-call rotation systems.
- Attribute-based rules: Access is further refined by attributes like geography, seniority level, or team. A "Senior Analyst" might get broader permissions than a "Junior Analyst," and access might differ by region for regulatory reasons.
- Automatic re-evaluation on moves: When a user's role or attributes change, the system automatically re-evaluates against policies. If the new role is incompatible with existing access (SoD conflict), the system flags it and routes it for approval. Otherwise, access is automatically adjusted.
- No more privilege accumulation: The system sees the user's complete access profile (across AD, cloud apps, applications) and aligns it to their target role. Old, unnecessary access is removed.
ITGC benefit: Enforces consistent policy application. Removes discretion and personal judgment, reducing the risk of over-provisioning or SoD violations.
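As an added illustration (not BalkanID's code or any product's API), the following Python reconciles a mover's actual entitlements against a role template plus attribute rules, revokes what falls outside the target unless it is a documented exception, and flags SoD conflicts for approval. Role names, entitlement strings and rules are constructed sample data.

```python
from dataclasses import dataclass

# Role templates: the baseline entitlements each role should hold.
# Constructed sample data; entitlement names are illustrative, not a real product's.
ROLE_TEMPLATES = {
    "Customer Support Analyst": {"crm:read", "helpdesk:read", "docs:customer:read"},
    "Financial Analyst": {"erp:po:create", "erp:reports:read"},
    "Finance Approver": {"erp:po:approve", "erp:reports:read"},
}

# Attribute rules: extra entitlements added when every listed attribute matches.
ATTRIBUTE_RULES = [
    ({"seniority": "Senior"}, {"erp:reports:export"}),
    ({"region": "EU"}, {"erp:eu-workspace"}),
]

# Segregation-of-duties rules: entitlement pairs that must never coexist on one identity.
SOD_RULES = [("erp:po:create", "erp:po:approve")]


@dataclass
class Identity:
    user_id: str
    role: str            # current HRIS job role (the source of truth)
    attributes: dict     # HRIS attributes such as seniority or region
    current_access: set  # entitlements actually held across connected systems


@dataclass
class Reconciliation:
    grant: set
    revoke: set
    sod_conflicts: list
    needs_approval: bool


def target_access(role: str, attributes: dict) -> set:
    """Derive what a user should have: role template plus any matching attribute rules."""
    target = set(ROLE_TEMPLATES.get(role, set()))
    for required, extra in ATTRIBUTE_RULES:
        if all(attributes.get(k) == v for k, v in required.items()):
            target |= extra
    return target


def sod_conflicts(access: set) -> list:
    """Return every SoD rule violated by the given access profile."""
    return [pair for pair in SOD_RULES if pair[0] in access and pair[1] in access]


def reconcile(identity: Identity, retained_exceptions: frozenset = frozenset()) -> Reconciliation:
    """Compute the grants and revocations that align a mover to their new role.

    Anything outside the target profile is revoked unless it is an approved,
    documented exception, so old access does not accumulate across promotions.
    If the resulting profile violates an SoD rule, the change is flagged for
    approval instead of being applied automatically.
    """
    target = target_access(identity.role, identity.attributes)
    keep = target | (identity.current_access & retained_exceptions)
    grant = target - identity.current_access
    revoke = identity.current_access - keep
    conflicts = sod_conflicts(keep)
    return Reconciliation(grant, revoke, conflicts, needs_approval=bool(conflicts))


if __name__ == "__main__":
    # A Financial Analyst promoted to Finance Approver, still holding analyst access.
    mover = Identity("u1001", "Finance Approver", {"seniority": "Senior"},
                     {"erp:po:create", "erp:reports:read"})
    print(reconcile(mover))                                # po:create revoked, no conflict
    print(reconcile(mover, frozenset({"erp:po:create"})))  # exception keeps it: SoD flagged
```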
3. Event-Based Revocation
The principle: Access removal is triggered by events (termination, role change, inactivity) rather than discovered during manual reviews.
How it works:
- Termination triggers deprovisioning: When an employee is marked as terminated in HRIS, deprovisioning workflows are automatically activated for all connected systems—both on-premises (AD, file servers) and cloud (SaaS applications).
- SaaS app connectors: Most organizations don't have complete discovery of where users have access. Connectors to Salesforce, Slack, GitHub, Notion, and other SaaS platforms allow for comprehensive deprovisioning. If the account is in the system but the user is no longer in HRIS, the account is deprovisioned.
- Dormant account auto-deactivation: Users who haven't logged in for 90 days are automatically flagged for review. If business justification for dormancy isn't confirmed, the account is deactivated.
- Real-time revocation verification: After revocation actions are executed, the system validates that access has actually been removed (by querying the target system). If revocation fails—for example, if the SaaS platform didn't receive the request—alerts are generated.
ITGC benefit: Minimizes "leaver" gaps. Ensures access is removed completely and immediately, reducing orphaned account and insider threat risk.
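The event-based flow above, as an added example that is not part of the original post or any vendor connector: an HRIS termination fans out to every connected system, each revocation is verified by querying the system back (so a platform that silently drops the request raises an alert), and the same connector data feeds the 90-day dormancy and orphaned-account checks. The `Connector` class and its accounts are constructed stand-ins.

```python
from datetime import datetime, timedelta, timezone

DORMANCY_DAYS = 90
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible


class Connector:
    """Stand-in for a directory/SaaS connector (constructed; not a real vendor API).
    honours_requests=False simulates a platform that silently drops the request."""

    def __init__(self, name, accounts, honours_requests=True):
        self.name = name
        self.accounts = accounts  # user_id -> {"active": bool, "last_login": datetime}
        self.honours_requests = honours_requests

    def deprovision(self, user_id):
        if self.honours_requests and user_id in self.accounts:
            self.accounts[user_id]["active"] = False

    def is_active(self, user_id):
        acct = self.accounts.get(user_id)
        return bool(acct and acct["active"])


def handle_termination(user_id, connectors):
    """Fan out deprovisioning on an HRIS termination event, then verify each system
    by querying it back rather than trusting that the request succeeded."""
    outcome = {}
    for c in connectors:
        c.deprovision(user_id)
        outcome[c.name] = "revoked" if not c.is_active(user_id) else "ALERT: still active"
    return outcome


def dormant_accounts(connectors, now=NOW, days=DORMANCY_DAYS):
    """Active accounts with no login inside the dormancy window, flagged for review."""
    cutoff = now - timedelta(days=days)
    return [(c.name, uid) for c in connectors
            for uid, a in c.accounts.items() if a["active"] and a["last_login"] < cutoff]


def orphaned_accounts(connectors, hris_active_users):
    """Active accounts in a connected system whose user no longer exists in HRIS."""
    return [(c.name, uid) for c in connectors
            for uid, a in c.accounts.items() if a["active"] and uid not in hris_active_users]


def build_sample():
    """Constructed environment: AD honours requests, the SaaS connector does not."""
    ad = Connector("ActiveDirectory", {
        "jdoe":   {"active": True, "last_login": NOW - timedelta(days=1)},
        "msmith": {"active": True, "last_login": NOW - timedelta(days=120)},
    })
    slack = Connector("Slack", {
        "jdoe":  {"active": True, "last_login": NOW - timedelta(days=3)},
        "ghost": {"active": True, "last_login": NOW - timedelta(days=30)},
    }, honours_requests=False)
    return [ad, slack]


if __name__ == "__main__":
    systems = build_sample()
    print(handle_termination("jdoe", systems))     # AD revoked, Slack alert
    print(dormant_accounts(systems))               # [('ActiveDirectory', 'msmith')]
    print(orphaned_accounts(systems, {"msmith"}))  # Slack: jdoe (failed revoke) and ghost
```

The orphaned-account sweep is the safety net for the failed Slack revocation: the account is still active but its user is no longer in HRIS, so it surfaces again on the next reconciliation run.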
4. Centralized, Immutable Audit Trails
The principle: Every identity lifecycle event—provisioning, change, review, exception approval, revocation—is logged in an immutable, queryable system with full context.
How it works:
- Event logging: Every provisioning decision, access change, approval, and revocation action is timestamped and recorded. The log captures: WHO made the change, WHEN it occurred, WHAT was changed, WHY (justification), and any APPROVALS required.
- Contextual information: Logs include not just the action, but the context: the user's role, department, manager, access baseline, and the business reason for the change.
- Immutable storage: Audit logs are stored in a system that prevents modification or deletion. Even administrators can't alter historical records.
- Audit-ready exports: At review or audit time, the system generates exportable reports that demonstrate:
  - All access provisioning with approval records
  - All access reviews conducted (who reviewed, when, what was approved/removed)
  - All access changes and the business justification
  - All deprovisioning actions and their completion status
  - SoD violations identified and remediated
- Continuous availability: Logs aren't archived and deleted. They're retained for the full regulatory period (typically 7 years for SOX) and queryable for investigation or audit purposes.
ITGC benefit: Demonstrates control design and operating effectiveness. Auditors can trace any access decision to its source, see the approvals, and verify that the control was actually in place and functioning.
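One way to give lifecycle events the WHO/WHEN/WHAT/WHY/APPROVALS shape and tamper evidence described above, added here as an illustration rather than the post's or any product's implementation: a hash-chained, append-only log where every entry commits to the previous entry's digest, plus a query helper for audit-time lookups. The events in `build_sample_log` are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditLog:
    """Append-only, hash-chained log of identity lifecycle events.

    Each entry commits to the previous entry's hash, so editing, reordering or
    deleting any historical record is detectable. Constructed illustration of the
    pattern; a production system would also write to WORM storage or anchor the
    latest chain hash externally so that administrators cannot rebuild it.
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, who, action, target, what, why, approvals, context, when=None):
        """Append one event capturing WHO, WHEN, WHAT, WHY and the APPROVALS behind it."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "who": who, "when": when, "action": action,
                 "target": target, "what": what, "why": why, "approvals": approvals,
                 "context": context, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        canonical = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(canonical.encode()).hexdigest()

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first broken entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def query(self, **filters):
        """Audit-time lookup, e.g. every event for one target or one approver."""
        return [e for e in self.entries
                if all(e.get(k) == v for k, v in filters.items())]


def build_sample_log():
    """Constructed events: a joiner provisioned, a mover re-evaluated, a leaver revoked."""
    log = AuditLog()
    log.record("hris-sync", "provision", "jdoe", ["crm:read"], "new hire, role template",
               ["mgr:asmith"], {"role": "Customer Support Analyst"}, when="2024-01-08T09:00:00Z")
    log.record("hris-sync", "revoke", "jdoe", ["crm:read"], "role change to Finance Approver",
               ["mgr:asmith"], {"role": "Finance Approver"}, when="2024-03-01T10:00:00Z")
    log.record("hris-sync", "deprovision", "maria", ["erp:po:create"], "terminated in HRIS",
               [], {"status": "terminated"}, when="2024-05-15T17:30:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())                # -1: intact
    log.entries[1]["why"] = "edited"   # someone rewrites the justification after the fact
    print(log.verify())                # 1: first broken entry
```

Note the limit of the chain on its own: removing the newest entry leaves a chain that still verifies, which is why the latest hash needs to be anchored somewhere administrators cannot rewrite.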
Building the Right Tool Stack for Lifecycle Governance
Fixing lifecycle processes requires the right combination of tools, integrations, and governance frameworks. Here's what needs to be in place:
1. Identity Source of Truth
Your HRIS must be the authoritative system of record for identity. Employee data (name, department, role, manager, status) flows from HRIS into all downstream systems.
- Integration priority: HRIS must integrate with your identity and access management (IAM) platform, not the reverse. Active Directory or Okta should sync FROM HRIS, not serve as the source.
- Avoid silos: Don't maintain identity in AD and separately in BambooHR. That guarantees misalignment and manual reconciliation work.
2. Lifecycle Automation Platform
A dedicated lifecycle automation platform orchestrates the JML process across your entire identity stack. This platform should:
- Connect HRIS to IAM: Consume employee data and trigger provisioning/deprovisioning workflows based on employment status, role, and attributes.
- Automate policy enforcement: Apply centrally defined role policies, SoD rules, and approval workflows consistently across all provisioning requests.
- Manage periodic reviews: Launch quarterly or monthly access certification campaigns, automatically populate them with entitlement data, route reviews to appropriate approvers, and capture audit evidence.
- Enable exception handling: Provide workflows for temporary access, emergency access, or policy exceptions, with approval records and auto-expiration.
3. System Integrations and Connectors
Your lifecycle platform must integrate with the full scope of identity and access systems:
- On-premises: Active Directory, file servers, legacy applications, mainframe systems.
- Cloud infrastructure: AWS IAM, Azure AD, Google Workspace, Okta.
- SaaS applications: Salesforce, Slack, Microsoft 365, GitHub, Notion, Workday, ADP, and dozens of others.
- Specialized systems: Financial systems, ERP platforms, HR analytics tools, security tools.
The challenge: Most organizations have at least some disconnected or legacy applications that don't have modern APIs. The platform must still track access to these systems (via manual import or periodic audit), manage exceptions, and ensure they're included in access reviews.
4. Policy + Exception Management
Not all access follows standard role policies. Some requires exceptions: temporary elevated access, emergency access, time-limited access for projects.
- Structured exception workflows: When an exception is requested, capture: what access is needed, why, for how long, who's approving it.
- Auto-expiration: Temporary access automatically expires on the specified date. Users don't need to request removal; the system handles it.
- Exception tracking: Maintain a searchable log of all exceptions, who approved them, and when they expired. This is critical for audit purposes—it shows that access was controlled even when policy was overridden.
- Periodic exception review: At access certification time, review all active exceptions. If business justification has lapsed, revoke the access.
5. UAR Engine + Review Analytics
User access reviews are the detective control—the mechanism to catch governance gaps that slipped through preventive controls.
- Automated campaign execution: The system launches reviews on a schedule (quarterly is standard), populates them with current entitlements, and routes them to the right approvers (managers, security teams, data owners).
- Risk-based prioritization: Don't review every user equally. Prioritize high-privilege users, users with SoD violations, dormant accounts, and users with recent access changes.
- Usage and risk context: Show reviewers not just what access each user has, but also:
  - When was the access granted?
  - How frequently is it used?
  - Are there SoD violations?
  - Is the user dormant (no recent login)?
  - Does the user's access match their current role?
- Actionable workflows: Reviewers can quickly certify, revoke, or escalate access. Remediation workflows automatically execute approved changes.
- Audit-ready reporting: Generate summary reports showing review completion rates, access removed, and any outstanding exceptions. This evidence demonstrates the operating effectiveness of the access control.
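As an added example (not the post's or BalkanID's scoring), the following turns the reviewer context listed above into a risk-ranked certification campaign: each (user, entitlement) record is scored on privilege, SoD state, dormancy, usage, recency of grant and role fit, and the campaign is sorted so the riskiest items are reviewed first. The weights and the entitlement snapshot are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so scores are reproducible

# Scoring weights are an assumption for illustration; a real programme tunes them to its risk model.
WEIGHTS = {
    "privileged": 3, "sod_conflict": 4, "dormant_user": 2,
    "unused": 1, "recently_granted": 1, "outside_role": 2,
}


def review_priority(rec, now=NOW):
    """Score one (user, entitlement) record from the context a reviewer should see:
    when it was granted, whether it is used, SoD state, user dormancy and role fit."""
    reasons = []
    if rec["privileged"]:
        reasons.append("privileged")
    if rec["sod_conflict"]:
        reasons.append("sod_conflict")
    if now - rec["last_login"] > timedelta(days=90):
        reasons.append("dormant_user")
    if rec["uses_90d"] == 0:
        reasons.append("unused")
    if now - rec["granted"] <= timedelta(days=30):
        reasons.append("recently_granted")
    if not rec["in_role_template"]:
        reasons.append("outside_role")
    return sum(WEIGHTS[r] for r in reasons), reasons


def build_campaign(records, now=NOW):
    """Order a certification campaign so reviewers see the riskiest items first."""
    scored = [(review_priority(r, now), r) for r in records]
    scored.sort(key=lambda t: -t[0][0])  # stable sort keeps input order among equal scores
    return [{"user": r["user"], "entitlement": r["entitlement"], "score": s, "reasons": why}
            for (s, why), r in scored]


def sample_records():
    """Constructed entitlement snapshot for three users."""
    return [
        {"user": "jdoe", "entitlement": "erp:po:approve", "privileged": True,
         "granted": NOW - timedelta(days=10), "uses_90d": 0,
         "last_login": NOW - timedelta(days=2), "in_role_template": False, "sod_conflict": True},
        {"user": "msmith", "entitlement": "crm:read", "privileged": False,
         "granted": NOW - timedelta(days=400), "uses_90d": 57,
         "last_login": NOW - timedelta(days=3), "in_role_template": True, "sod_conflict": False},
        {"user": "ghost", "entitlement": "helpdesk:read", "privileged": False,
         "granted": NOW - timedelta(days=200), "uses_90d": 0,
         "last_login": NOW - timedelta(days=120), "in_role_template": True, "sod_conflict": False},
    ]


if __name__ == "__main__":
    for item in build_campaign(sample_records()):
        print(item)
```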
How Automated Lifecycle Governance Closes ITGC Gaps
Let's translate this into ITGC control categories:
Access Control (Joiner): Policy-driven provisioning ensures new users receive only the access their role requires, with documented approvals. Auditors can verify control design (policies exist and are current) and operating effectiveness (provisioning follows policies).
Access Control (Mover): Automatic role re-evaluation prevents privilege creep. SoD rules prevent conflicting access. Auditors can trace each role change and see that access was intentionally evaluated, not left to accumulate.
Access Control (Leaver): Event-based deprovisioning triggered by HRIS status change ensures timely revocation. Integration with SaaS platforms eliminates zombie accounts. Auditors can see that termination triggers were in place and that access was removed.
Access Review & Certification: Immutable audit trails of access reviews demonstrate that the control was designed, operating, and effective. Auditors see who reviewed, when, what was approved, and what was removed. This is the evidence that makes the difference between "control failure" and "control passed."
Segregation of Duties: Automated SoD rule evaluation prevents violations at the point of provisioning or role change. Access certification campaigns highlight remaining SoD conflicts for remediation. Auditors see that SoD was actively managed, not discovered during investigation.
Audit Trail & Evidence: Centralized, immutable logging of all lifecycle events creates the audit evidence that auditors require. Without this, even well-intentioned controls fail the "evidence" portion of ITGC testing.
The Path Forward: If You're Failing ITGCs, Look at Your Lifecycle
ITGC failures aren't always about missing controls—they're about broken, manual, and siloed lifecycle processes.
A few critical signs that your lifecycle is broken:
- More than 50% of your access reviews are manual spreadsheets. This is one of the clearest indicators. If you can't produce immutable, timestamped evidence of access reviews, ITGC testing will fail.
- You discover deprovisioning gaps during audit, not proactively. If terminated users still have active access weeks later, your leaver process is failing.
- You have no centralized policy for role-based provisioning. If joiner access is decided ad hoc, ITGC testers will ask: "What controls ensure new users don't get over-provisioned?" You won't have a good answer.
- You don't know which SaaS applications your users have access to. If you discover zombie accounts during SaaS audits, deprovisioning is incomplete.
- Your access reviews take weeks and still aren't comprehensive. If manual review is too slow or too resource-intensive to cover all users and systems, the control isn't operating effectively.
The fastest way to fix audit failures is to fix your lifecycle.
Start with the HRIS integration. Establish a source of truth for identity. Then layer in automated provisioning, policy enforcement, and event-based revocation. Finally, implement an access review platform that makes periodic certification continuous, evidence-based, and audit-ready.
The result? ITGC controls that are designed, operating, and demonstrably effective—exactly what auditors are looking for.
Next Steps
Book a walkthrough to see how BalkanID automates ITGC access controls—from HR-driven provisioning to evidence-ready access reviews.
Explore the Access Lifecycle Management Buyer's Guide to understand what to look for in a lifecycle automation platform.