Types of Controls

what are internal controls

In the context of performing a System and Organization Control (SOC) audit, questions arise as to what are internal controls and what are the types of internal controls. Auditors often take it for granted that everyone knows and agrees on the definitions of internal controls. We wish it were so. Let’s go over the most commonly used definitions, at least the ones commonly used by the big four audit firms and the Public Company Accounting Oversight Board (PCAOB).

What is An Internal Control?

Definition of internal control: An internal control exists when the design or operation of a control allows management or employees, in the normal course of performing their assigned functions, to prevent or detect problems in a timely manner.

There are four main types of internal controls

Four Types of Internal Controls

There are basically four main types of internal controls that service organizations and their service auditors should be concerned with, which are namely:

  • Manual Controls
  • IT Dependent Manual Controls
  • Application Controls
  • IT General Controls

These four control types are the ones service organizations and their auditors should concern themselves since they are pervasive (or at least should be) in the processes that support the systems and services provided by service organizations to their user organizations (i.e., clients and customers).

Manual Controls

Manual controls are performed by individuals outside of a system.

Examples of manual controls could be a supervisor review and sign-off of a document, or bank reconciliation, or having an employee sign a privacy policy acknowledgement. Another example of a manual control could be the manual application (or matching) of cash received in an organization’s lockbox bank account against a client’s open accounts receivable (A/R) balance. In many organizations, these controls are done manually, hence the term manual controls.

IT Dependent Manual Controls

Similar to manual controls, IT dependent manual controls require some level of system involvement.

For example, a system-generated report lists users that have not accessed (e.g., logged into a system) a particular system within the past 90 days. The internal control may require an administrator to review such report and disable certain users as a result.

The IT dependent portion of this control is the system generated report. The manual portion of this control is the administrator review of the report and disabling certain users as a result.

Application Controls

There are a great many different forms of application controls. Virtually any configuration setting in a system that can be used to prevent or detect problems might be classified as a type of application control.

For example, Google G-Suite and Microsoft’s Office 365 can be configured to require two-factor authentication (e.g., 2FA, MFA) in order for users to login and access system resources and data. Enabling 2FA helps prevent unauthorized users from logging in to the system.

Another example, if the system is configured to lock-out a user that enters an incorrect password after three attempts, it has an application control that detects problems possibly associated with unauthorized access attempts.

A third example, could be that the system is configured to automatically download and apply security patches or updates to software (this would have likely helped prevent the Equifax hack (Google search Equifax).

IT General Controls

This type of control is usually the focal point of most SOC audits. IT general controls are comprised of logical access, change management, and physical security.

For example, user access administration controls are used so that the right people have the right access to system resources (i.e., right people & right access). These processes and the controls supporting these processes are IT general controls.

Another example could be the organization’s change management process tracks and documents that changes are authorized, tested, approved, and implemented into production. Moreover, that all these changes happen in an environment where there is proper segregation of duties.

preventative vs. detective

Preventative & Detective Controls

In addition to the types of controls named, internal controls are either preventative or detective in nature (note: sometimes corrective is added; however, it really should be part of detective, as-in detective and corrective).

All other things being equal, preventative controls are generally superior to detective controls. The reason is this, it is usually easier to correct a situation before a problem occurs than to correct a problem after detection. Those implementing internal controls into their environment will be well served by implementing a combination of preventative and detective controls with a greater focus on the former.

Summary

If the controls in the SOC audit report do not seem to fall into one of these four areas, it could be that a process is being described rather than a control.

Linford & Company service auditors work carefully with the service organizations to make sure that descriptions of the controls are accurate and support the achievement of the control objectives in a SOC 1 (f. SSAE 16) audit examination or Trust Services Criteria (TSC) for a SOC 2 audit examination.

It’s also important to note that these definitions and descriptions work equally well for an audit of internal control in a financial statement audit or internal audits.

Leave a Reply

Your email address will not be published. Required fields are marked *