In the context of performing a System and Organization Controls (SOC) audit, questions arise as to what internal controls are and what types of internal controls exist. Auditors often take it for granted that everyone knows and agrees on the definitions of internal controls. We wish it were so. Let's go over the most commonly used definitions, at least the ones commonly used by the big four audit firms and the Public Company Accounting Oversight Board (PCAOB).
What is An Internal Control?
Definition of internal control: An internal control exists when the design or operation of a control allows management or employees, in the normal course of performing their assigned functions, to prevent or detect problems in a timely manner. (This is the positive form of the PCAOB's definition of a control deficiency, which exists when the design or operation of a control does not allow them to do so.)
Four Types of Internal Controls
There are four main types of internal controls that service organizations and their service auditors should be concerned with:
- Manual Controls
- IT Dependent Manual Controls
- Application Controls
- IT General Controls
These four control types are the ones service organizations and their auditors should concern themselves with, since they are (or at least should be) pervasive in the processes that support the systems and services that service organizations provide to their user organizations (i.e., clients and customers).
Manual Controls
Manual controls are performed by people without relying on a system, for example a physical inventory count or a supervisor's sign-off on a paper form.
IT Dependent Manual Controls
IT dependent manual controls are still performed by a person, but unlike purely manual controls they depend on something a system produces.
For example, a system-generated report lists users that have not accessed (e.g., logged into) a particular system within the past 90 days. The control may require an administrator to review that report and disable the users that should no longer have access.
The IT dependent portion of this control is the system-generated report. The manual portion is the administrator's review of the report and the resulting disabling of users.
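As an added illustration of the two halves of this control (this is example code written for this page, not a tool from the original article or from any product it mentions), the script below separates the IT dependent part, generating the 90-day inactivity report, from the manual part, recording the administrator's decision for each reported account. The account export, the usernames, the reviewer name and the "user"/"service" account type are all constructed for the example. The point a reviewer should take from it is that the manual half is only a control if every account on the report gets an explicit, documented decision; silently skipping a service account is exactly the kind of exception an auditor will sample.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    last_login: Optional[date]  # None means the account has never logged in
    account_type: str           # "user" or "service" (assumed field in the export)


# Constructed sample of a last-login export; not real data.
SAMPLE_EXPORT = [
    Account("alice", date(2024, 5, 30), "user"),
    Account("bob", date(2024, 1, 15), "user"),
    Account("carol", None, "user"),
    Account("svc-backup", date(2023, 12, 1), "service"),
]
AS_OF = date(2024, 6, 1)  # constructed review date

# Constructed decisions the administrator records: username -> (action, rationale)
SAMPLE_DECISIONS = {
    "bob": ("disable", "left the project in January"),
    "carol": ("disable", "never activated"),
    "svc-backup": ("retain", "service account; authenticates with a token, no interactive login"),
}


def inactive_report(accounts: List[Account], as_of: date, days: int = 90) -> List[Account]:
    """IT dependent part: the system-generated list of accounts with no login in `days` days.
    Accounts that never logged in are included; they are the ones most often forgotten."""
    cutoff = as_of - timedelta(days=days)
    return sorted(
        (a for a in accounts if a.last_login is None or a.last_login < cutoff),
        key=lambda a: a.username,
    )


def apply_review(report: List[Account], decisions: Dict[str, Tuple[str, str]],
                 reviewer: str, as_of: date) -> List[dict]:
    """Manual part: the administrator records a decision for every account on the report.
    Returns the evidence an auditor would sample (who reviewed what, when, and why) and
    refuses to produce it if any account was skipped or a retention has no rationale."""
    missing = [a.username for a in report if a.username not in decisions]
    if missing:
        raise ValueError(f"no decision recorded for: {missing}")
    evidence = []
    for a in report:
        action, rationale = decisions[a.username]
        if action not in ("disable", "retain"):
            raise ValueError(f"unknown action {action!r} for {a.username}")
        if action == "retain" and not rationale.strip():
            raise ValueError(f"retaining {a.username} requires a documented rationale")
        evidence.append({
            "username": a.username,
            "last_login": a.last_login.isoformat() if a.last_login else "never",
            "action": action,
            "rationale": rationale,
            "reviewer": reviewer,
            "review_date": as_of.isoformat(),
        })
    return evidence


def disabled_usernames(evidence: List[dict]) -> List[str]:
    """Accounts the review concluded should be disabled; this is what the admin then acts on."""
    return [e["username"] for e in evidence if e["action"] == "disable"]


if __name__ == "__main__":
    report = inactive_report(SAMPLE_EXPORT, AS_OF)
    for line in apply_review(report, SAMPLE_DECISIONS, reviewer="admin.jane", as_of=AS_OF):
        print(line)
```

Note that the script records the decision but does not itself disable anything; in a real environment the disabling action, and the evidence that it happened, would come from the directory or identity system, and an auditor would tie the two together.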
Application Controls
There are a great many different forms of application controls. Virtually any configuration setting in a system that can be used to prevent or detect problems might be classified as an application control.
For example, Google G-Suite and Microsoft Office 365 can be configured to require two-factor authentication (2FA, also called MFA) before users can log in and access system resources and data. Enabling 2FA helps prevent unauthorized users from logging in to the system, even when they hold a valid password.
Another example: if the system is configured to lock out a user who enters an incorrect password three times, it has an application control that detects, and after the third failure prevents, what may be unauthorized access attempts.
A third example is a system configured to automatically download and apply security patches or updates to software. A control of this kind would likely have helped prevent the 2017 Equifax breach, which exploited a known web framework vulnerability for which a patch had been available for about two months. One caveat: automatically patching a production system is itself a change, so it should be covered by the change management process described under IT general controls below.
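As an added example written for this page (not code from the original article or from either product named above), the class below models the lockout control so its preventive and detective halves are visible side by side: the lock itself stops further attempts, and the event list is what a monitoring system would ingest. The threshold, window, lockout duration, timestamps and the username are all constructed values. The example goes slightly beyond the text by using a rolling window, so that three failures spread over a day do not lock the account, and by checking the lock before the password, so that a correct password during a lockout is still refused.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


class LockoutPolicy:
    """Lock an account after `max_attempts` failures within `window`, for `lockout`.
    The lock is the preventive side; `events` is the detective side of the control."""

    def __init__(self, max_attempts: int = 3,
                 window: timedelta = timedelta(minutes=15),
                 lockout: timedelta = timedelta(minutes=30)) -> None:
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._locked_until: Dict[str, datetime] = {}
        self.events: List[Tuple[datetime, str, str]] = []

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Returns "allowed", "denied" or "locked". The lock is checked before the
        password, so a correct guess during a lockout is still refused; otherwise the
        lock would only slow an attacker down rather than stop the attempt."""
        until = self._locked_until.get(user)
        if until is not None and now < until:
            self.events.append((now, user, "attempt_during_lockout"))
            return "locked"
        if password_ok:
            self._failures[user].clear()
            self._locked_until.pop(user, None)
            return "allowed"
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            q.clear()
            self.events.append((now, user, "lockout"))
            return "locked"
        self.events.append((now, user, "failed_login"))
        return "denied"


def simulate() -> Tuple[List[str], List[str]]:
    """Constructed scenario: three bad passwords ten seconds apart, a correct password
    one minute in (still locked), then a correct password after the lock expires."""
    policy = LockoutPolicy()
    t0 = datetime(2024, 6, 1, 9, 0, 0)
    results = [policy.attempt("alice", False, t0 + timedelta(seconds=10 * i)) for i in range(3)]
    results.append(policy.attempt("alice", True, t0 + timedelta(minutes=1)))
    results.append(policy.attempt("alice", True, t0 + timedelta(minutes=31)))
    return results, [kind for _, _, kind in policy.events]


if __name__ == "__main__":
    outcomes, event_kinds = simulate()
    print("outcomes:", outcomes)
    print("events:  ", event_kinds)
```

Two practitioner notes. First, a lockout is also a denial-of-service lever: anyone who knows a username can lock that user out, which is why the lock expires rather than lasting until an administrator intervenes. Second, the "lockout" event is the detective output; if nobody reviews or alerts on it, only the preventive half of the control exists.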
IT General Controls
This type of control is usually the focal point of most SOC audits. IT general controls cover logical access, change management, and physical security.
For example, user access administration controls exist so that the right people have the right access to system resources, and no one else does. These processes and the controls supporting them are IT general controls.
Another example is the organization's change management process, which tracks and documents that changes are authorized, tested, approved, and implemented into production, and that all of this happens in an environment with proper segregation of duties.
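As an added example written for this page (not the article's own material or any ticketing system's API), the script below shows what testing that change management control looks like when expressed as checks over change records: each step is evidenced, the steps happened in order, and the developer did not test, approve or deploy their own change. The record layout, change IDs, names and timestamps are constructed; a real test would read them from the ticketing or deployment system.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    developer: str
    tester: Optional[str]
    approver: Optional[str]
    deployer: Optional[str]
    authorized_at: Optional[datetime]
    tested_at: Optional[datetime]
    approved_at: Optional[datetime]
    deployed_at: Optional[datetime]


# Constructed sample records: one clean change, one with exceptions.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "dev.sam", "qa.lee", "mgr.kim", "ops.ana",
                 datetime(2024, 6, 1, 9), datetime(2024, 6, 2, 14),
                 datetime(2024, 6, 3, 10), datetime(2024, 6, 3, 18)),
    # Developer approved and deployed their own change, and the approval was recorded
    # the day after the deployment.
    ChangeRecord("CHG-1002", "dev.sam", "qa.lee", "dev.sam", "dev.sam",
                 datetime(2024, 6, 4, 9), datetime(2024, 6, 4, 11),
                 datetime(2024, 6, 5, 9), datetime(2024, 6, 4, 12)),
]


def check_change(rec: ChangeRecord) -> List[str]:
    """Control exceptions for one change. An empty list means the record evidences
    authorize -> test -> approve -> deploy, in that order, with segregation of duties."""
    findings: List[str] = []
    # Each step needs both a responsible person and a timestamp.
    if rec.authorized_at is None:
        findings.append("not authorized")
    for step, who, when in (("tested", rec.tester, rec.tested_at),
                            ("approved", rec.approver, rec.approved_at),
                            ("deployed", rec.deployer, rec.deployed_at)):
        if who is None or when is None:
            findings.append(f"not {step} (missing person or timestamp)")
    # Segregation of duties: the developer cannot test, approve or deploy their own change.
    for role, who in (("tester", rec.tester), ("approver", rec.approver),
                      ("deployer", rec.deployer)):
        if who is not None and who == rec.developer:
            findings.append(f"SoD: developer is also {role}")
    # Sequence: every recorded step must precede the next one (catches retroactive approvals).
    steps = [("authorized", rec.authorized_at), ("tested", rec.tested_at),
             ("approved", rec.approved_at), ("deployed", rec.deployed_at)]
    present = [(name, t) for name, t in steps if t is not None]
    for (n1, t1), (n2, t2) in zip(present, present[1:]):
        if t1 > t2:
            findings.append(f"sequence: {n1} after {n2}")
    return findings


def audit(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map change ID -> findings, for changes that have at least one exception."""
    return {r.change_id: f for r in records if (f := check_change(r))}


if __name__ == "__main__":
    for change_id, findings in audit(SAMPLE_CHANGES).items():
        print(change_id, "->", "; ".join(findings))
```

A script like this only tests what the records say; the auditor still has to confirm that the deployment system enforces the control (for example, that a developer account cannot push to production at all), otherwise a clean record proves only that the ticket was filled in correctly.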
Preventative & Detective Controls
In addition to the four types named above, internal controls are either preventative or detective in nature (note: corrective is sometimes added as a third category; however, it really belongs with detective, as in detect and correct).
All other things being equal, preventative controls are generally superior to detective controls, because it is usually easier to stop a problem before it occurs than to correct it after it has been detected. Those implementing internal controls in their environment will be well served by a combination of preventative and detective controls, with greater focus on the former.
If a control in a SOC audit report does not seem to fall into one of these four types, it may be that a process is being described rather than a control.
Linford & Company service auditors work carefully with service organizations to make sure that the descriptions of controls are accurate and support the achievement of the control objectives in a SOC 1 (formerly SSAE 16) audit examination or the Trust Services Criteria (TSC) in a SOC 2 audit examination.
It’s also important to note that these definitions and descriptions work equally well for an audit of internal control in a financial statement audit or internal audits.
Newel Linford is the co-founder of Linford & Co., LLP, the Managing Partner, and specializes in SOC and royalty examinations. He started his career with Ernst & Young in 1997. He has lectured at Data Center World, Rocky Mountain Area Conference for Finance & Accounting Professionals, University of Denver, and University of Colorado Boulder. He works closely with his clients so that the examinations meet the public needs and are performed in accordance with professional guidance.