The PCAOB has issued updated staff guidance under AS 2201 addressing the testing of IT General Controls in cloud-hosted ERP environments. For auditors of public companies running SAP BTP, Oracle Cloud, Workday, or Microsoft Dynamics 365, this guidance changes how ITGC scope must be defined and tested.
Traditional ITGC frameworks (logical access, change management, operations/backup) were designed for on-premise environments where the company fully controlled the infrastructure. Cloud ERPs introduce a shared responsibility model in which the cloud provider manages infrastructure controls, the ISV (independent software vendor) manages application controls, and the company manages configuration and access controls.
Inspections found that auditors often scoped only the company-managed layer, missing the ISV-managed controls that directly affect the reliability of the automated controls relied upon in the financial statement audit.
Auditors should obtain the cloud provider's SOC 1 Type II report and evaluate whether the relevant platform controls support the company's application controls. The complementary user entity controls (CUECs) identified in that report must be documented and tested.
For major ERP vendors, a separate SOC 1 Type II report may exist for the application layer. Auditors should evaluate whether this report covers the relevant period and control objectives.
The company's configuration management, access controls, and change management procedures at the application configuration layer remain in-scope and must be tested directly.