Types of Controls

What are the different types of internal controls?

There are four main types of internal controls that service organizations and their service auditors should be concerned with: manual controls, IT dependent manual controls, application controls, and IT general controls. There are innumerable variations on the specifics of individual controls, but these four types are the focus.

Manual Controls: Manual controls are performed by individuals outside of a system. Examples are a supervisor's review and sign-off of a document, or a bank reconciliation.

IT Dependent Manual Controls: Like manual controls, these are performed by a person, but they depend on some level of system involvement, typically a system-generated report or a system-enforced approval step. For example, a system-generated inventory shortage report that is reviewed and addressed, or sales orders that require controller approval in the system.

Application controls: These are automated controls performed by the system itself, often implemented as system configuration settings. For example, the system is configured to alert a supervisor about problem tickets that are not resolved within 60 minutes, or a firewall rule-set is configured to limit certain types of traffic.

IT General Controls: This type of control is usually the focal point of most SAS 70 audit examinations. IT general controls comprise logical access, program change, and physical security. For example, user access administration controls ensure that the right people have the right access to system resources: access is requested, approved, provisioned, reviewed periodically, and removed on termination. This process and the controls supporting it are IT general controls.

In addition to the four types named above, each control is either preventive or detective in nature. All other things being equal, preventive controls are superior to detective ones: it is usually easier to stop a problem before it occurs than to detect and correct it after it happens. Detective controls are still needed, however, because preventive controls can fail or be bypassed, and a detective control such as a periodic access review is what catches the grants that slipped past the preventive one.
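As an added illustration (not code from the original post), the following Python models the user access administration process named above under IT general controls, with one preventive and one detective control over the same entitlements. The users, roles, ticket identifiers, approver list and termination feed are all constructed sample data. The preventive control refuses to provision a role unless a matching access request approved by an authorized approver exists; the detective control is a periodic user access review that compares what is actually provisioned against what was approved and reports the exceptions it finds after the fact.

```python
"""Preventive vs detective controls over user access administration.

Added example, not from the original post. Users, roles, ticket ids,
approvers and the data model are constructed for illustration.
"""
from copy import deepcopy

# Constructed sample data: access request tickets with the recorded approver.
APPROVED_REQUESTS = {
    "REQ-101": {"user": "alice", "role": "ap_clerk", "approver": "cfo"},
    "REQ-102": {"user": "bob", "role": "ap_clerk", "approver": "controller"},
    "REQ-103": {"user": "carol", "role": "sysadmin", "approver": "it_director"},
    "REQ-104": {"user": "bob", "role": "sysadmin", "approver": "controller"},  # approver not authorized for this role
}
# Control design: who may approve each role.
ROLE_APPROVERS = {
    "ap_clerk": {"cfo", "controller"},
    "sysadmin": {"it_director"},
}
# Constructed HR termination feed.
TERMINATED_USERS = {"dave"}

# Constructed snapshot of entitlements currently provisioned in the application.
SAMPLE_PROVISIONED = {
    "alice": {"ap_clerk"},
    "dave": {"ap_clerk"},    # left the company, account still active
    "erin": {"sysadmin"},    # granted directly by an administrator, no ticket
}


class AccessDenied(Exception):
    """Raised when the preventive control blocks a provisioning action."""


def request_is_valid(request_id, user, role):
    """True only if the ticket exists, matches user/role, and its approver may approve that role."""
    req = APPROVED_REQUESTS.get(request_id)
    if req is None or req["user"] != user or req["role"] != role:
        return False
    return req["approver"] in ROLE_APPROVERS.get(role, set())


def grant_access(provisioned, user, role, request_id):
    """Preventive control: provisioning is refused unless a valid approved request exists.

    Returns a new entitlement map with the role added; raises AccessDenied
    otherwise, so an unapproved grant never reaches the system.
    """
    if user in TERMINATED_USERS:
        raise AccessDenied(f"{user} is terminated")
    if not request_is_valid(request_id, user, role):
        raise AccessDenied(f"no valid approved request {request_id} for {user}/{role}")
    updated = deepcopy(provisioned)
    updated.setdefault(user, set()).add(role)
    return updated


def approved_entitlements():
    """Entitlements backed by a validly approved request, keyed by user."""
    approved = {}
    for rid, req in APPROVED_REQUESTS.items():
        if request_is_valid(rid, req["user"], req["role"]):
            approved.setdefault(req["user"], set()).add(req["role"])
    return approved


def access_review(provisioned):
    """Detective control: periodic user access review.

    Compares provisioned entitlements against approved ones and returns the
    exceptions for follow-up. It cannot stop a bad grant; it finds it afterwards.
    """
    approved = approved_entitlements()
    findings = []
    for user in sorted(provisioned):
        roles = provisioned[user]
        if user in TERMINATED_USERS:
            findings.append(("terminated_user_active", user, tuple(sorted(roles))))
            continue
        for role in sorted(roles - approved.get(user, set())):
            findings.append(("unapproved_role", user, role))
    return findings


if __name__ == "__main__":
    state = grant_access({}, "bob", "ap_clerk", "REQ-102")   # valid request: proceeds
    try:
        grant_access(state, "bob", "sysadmin", "REQ-104")     # approver lacks authority: blocked
    except AccessDenied as exc:
        print("blocked:", exc)
    for finding in access_review(SAMPLE_PROVISIONED):
        print("review exception:", finding)
```

Running the block shows the two halves of the picture: the preventive check blocks the sysadmin grant on REQ-104 before anything is provisioned, while the review of the sample snapshot reports dave's still-active account and erin's ticketless sysadmin role, neither of which the preventive control had any chance to stop because those grants bypassed it.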

If a control in the SAS 70 audit report does not seem to fall into one of these four areas, it may be that a process is being described rather than a control. Service auditors should work carefully with the service organization to make sure that the control descriptions are accurate and that each control supports the achievement of its control objective.
