TL;DR: ITGC certification is presented as a way to validate access, change management, logging, and documentation controls against SOX, ISO 27001, HIPAA, and PCI DSS expectations, according to Zluri. The real governance issue is not certification itself, but whether organisations can prove controls work before an audit exposes orphaned access and weak evidence chains.
NHIMG editorial — based on content published by Zluri: ITGC Certification: What It Is & How To Obtain It?
Questions worth separating out
Q: What breaks when ITGC access controls are not tied to lifecycle management?
A: Access can remain active after employment ends, which means the control exists in policy but not in practice.
Q: Why do ITGC audits focus so heavily on access reviews and logging?
A: Because access reviews show whether entitlements are still justified, while logging shows whether system activity can be traced and defended.
Q: How do organisations know if ITGC controls are actually working?
A: They test whether approvals, deprovisioning, and logging produce consistent evidence across the same systems auditors will sample.
Practitioner guidance
- Reconcile leaver access before certification testing: Cross-check terminated users against application entitlements, privileged accounts, and shared access paths before auditors sample the environment.
- Standardise evidence for access and change controls: Require each review, approval, and modification to produce a durable artefact that can be retraced during the audit window.
- Tie ITGC ownership to identity operations: Assign explicit control owners for joiner-mover-leaver activity, privileged access, logging, and escalation so gaps do not drift between teams.
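The leaver reconciliation in the first guidance item can be run as a repeatable check before auditors sample. This is an added example, not code from Zluri's article or this post; the HR feed, the entitlement export, their field names and every sample record are constructed assumptions.

```python
from datetime import date

# Constructed sample data: an HR feed and a per-system entitlement export.
HR_RECORDS = [
    {"user": "asmith", "terminated": date(2024, 3, 1)},
    {"user": "bjones", "terminated": None},
    {"user": "cwu", "terminated": date(2024, 6, 30)},  # leaves after the audit date
]
ENTITLEMENTS = [
    {"system": "erp", "account": "ASmith", "kind": "user", "holders": ["ASmith"]},
    {"system": "erp", "account": "bjones", "kind": "user", "holders": ["bjones"]},
    {"system": "db", "account": "dba_admin", "kind": "privileged", "holders": ["asmith"]},
    {"system": "sftp", "account": "finance_shared", "kind": "shared",
     "holders": ["bjones", "asmith"]},
    {"system": "crm", "account": "cwu", "kind": "user", "holders": ["cwu"]},
    {"system": "crm", "account": "svc_legacy", "kind": "user", "holders": ["dlee"]},
]

def find_leaver_access(hr_records, entitlements, as_of):
    """Return access held by leavers, or by identities the HR feed does not know."""
    # Normalise case: application accounts often differ from HR ids only by case.
    status = {r["user"].lower(): r["terminated"] for r in hr_records}
    findings = []
    for ent in entitlements:
        for holder in ent["holders"]:
            key = holder.lower()
            if key not in status:
                reason, days_open = "no_hr_record", None
            elif status[key] is not None and status[key] <= as_of:
                reason, days_open = "terminated", (as_of - status[key]).days
            else:
                continue  # active employee, or a termination dated after as_of
            findings.append({"system": ent["system"], "account": ent["account"],
                             "kind": ent["kind"], "holder": key,
                             "reason": reason, "days_open": days_open})
    # Privileged and shared access paths sort first so they are remediated first.
    rank = {"privileged": 0, "shared": 1, "user": 2}
    return sorted(findings,
                  key=lambda f: (rank.get(f["kind"], 3), f["system"], f["account"]))

if __name__ == "__main__":
    for finding in find_leaver_access(HR_RECORDS, ENTITLEMENTS, date(2024, 4, 15)):
        print(finding)
```

Saving each run's output with its `as_of` date gives the reconciliation a dated artefact that can be retraced during the audit window.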
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for assessing your current ITGC framework and closing control gaps before an audit.
- Practical examples of how SOX, ISO 27001, HIPAA, and PCI DSS map to access control, logging, and change management.
- A walkthrough of the certification process, including how external auditors assess control evidence.
- Examples of how access review reports can support internal audit preparation and external evidence collection.