Internal controls are essential process steps that allow one to determine or confirm whether certain requirements are being met per a certain expectation, law, or policy. Additionally, internal controls allow auditors to perform tests to gain assurance that a process is designed and operating properly. In this post, we will discuss what internal controls are and the types of internal controls that are used to ensure that certain processes take place. Finally, we will also discuss how auditors rely on internal controls and how understanding that can help a company prepare for an upcoming SOC 1, SOC 2, HIPAA, or other type of audit.
What are Internal Controls?
According to the Committee of Sponsoring Organizations (COSO), an “internal control is a process, effected by an entity’s board of directors, management, or other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” The main goal of having internal controls is to set up key points in a process that allow companies to track progress and the sustainability of performance. In the next section, we will review the types of internal controls as well as provide examples for each.
What are the Types of Internal Controls?
When performing an audit, auditors will look to see that they can gain assurance over a process by focusing on four main types of internal controls. These types of controls consist of the following:
- Manual Controls
- IT Dependent Manual Controls
- Application Controls
- IT General Controls
The four types of internal controls mentioned above are key as they are pervasive (or at least should be) in the processes that support the systems and services provided by service organizations to their user organizations (i.e., clients and customers).
Manual Controls
Manual controls are performed by individuals outside of a system.
Since the operation of these controls depends on a human, it is key that these process points have owners. When manual controls are not owned by key personnel within the organization, they often will not operate consistently. This poses an issue because, to properly test manual controls, a sample of transactions is chosen to confirm that the control has operated consistently over a defined period of time. If the control did not operate consistently, a deviation or exception will be noted within the audit report.
IT-Dependent Manual Controls
IT-dependent manual controls are similar to manual controls in that they rely on a manual process performed by personnel, but differ in that a portion of the control requires some level of system involvement.
For example, a system-generated report lists users that have not accessed (e.g., logged into) a particular system within the past 90 days. The internal control may then require an administrator to review such reports and disable the accounts that have not been accessed within the defined 90 days.
The IT-dependent portion of this control is the system-generated report. The manual portion of this control is the administrator review of the report and disabling certain users as a result.
Much like manual controls, IT-dependent manual controls should have a process owner. This will facilitate the consistent operation of these controls and avoid any exceptions being noted within an audit report.
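The inactive-user control described above, as an added example that is not from the original post: the first function is the IT-dependent portion (the system-generated report), the second is the manual portion (the administrator's documented review and disable decisions, which is the evidence an auditor would sample). The last-login data and reviewer name are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample of last-login data (not taken from any real system).
# None means the account has never logged in.
SAMPLE_LAST_LOGIN = {
    "alice": date(2023, 10, 1),
    "bob": date(2023, 6, 15),
    "carol": None,
    "dave": date(2023, 7, 3),
}
INACTIVITY_DAYS = 90  # threshold defined by the control


def stale_accounts(last_login, as_of, threshold_days=INACTIVITY_DAYS):
    """IT-dependent portion: the system-generated report.

    Returns a sorted list of (user, days_inactive) for accounts whose last
    login is more than threshold_days before as_of. Accounts that have never
    logged in are reported with days_inactive=None so the reviewer sees them
    rather than having them silently dropped. An account whose last login is
    exactly threshold_days ago is still within the window and not reported.
    """
    cutoff = as_of - timedelta(days=threshold_days)
    report = []
    for user, last in last_login.items():
        if last is None:
            report.append((user, None))
        elif last < cutoff:
            report.append((user, (as_of - last).days))
    return sorted(report, key=lambda row: row[0])


def review_and_disable(report, reviewer, exceptions=()):
    """Manual portion: the administrator reviews the report and disables
    accounts. Every decision is recorded, including accounts deliberately
    retained (e.g. a documented service account), so the review leaves
    evidence that the control operated on that date.
    """
    evidence = []
    for user, days in report:
        action = "retained" if user in exceptions else "disabled"
        evidence.append({"user": user, "days_inactive": days,
                         "action": action, "reviewer": reviewer})
    return evidence


if __name__ == "__main__":
    report = stale_accounts(SAMPLE_LAST_LOGIN, as_of=date(2023, 10, 10))
    for row in review_and_disable(report, "admin", exceptions={"dave"}):
        print(row)
```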
Application Controls
There are many different forms of application controls. Virtually any configuration setting in a system that can be used to prevent or detect problems might be classified as a type of application control.
For example, Google G-Suite and Microsoft’s Office 365 can be configured to require two-factor authentication (e.g., 2FA, MFA) in order for users to log in and access system resources and data. Enabling 2FA helps prevent unauthorized users from logging in to the system.
As another example, if the system is configured to lock out a user who enters an incorrect password three times, it has an application control that detects problems possibly associated with unauthorized access attempts.
A third example could be that the system is configured to automatically download and apply security patches or updates to software (this would likely have helped prevent the Equifax hack; search for Equifax and hack).
Application controls, which are also known as automated controls, have a few benefits. One benefit is that because the control is the result of a configuration, it generally does not rely on an individual to operate consistently. That being said, it is always a good idea to periodically check to confirm that the configuration has not been disabled for any reason and has not been modified. If a configuration has been modified or is no longer enabled, this can result in an exception within the report. Another benefit of application or automated controls is that there is generally only a sample of one versus many, since the control is based upon a system configuration. This creates efficiency in a process and saves time during an audit.
IT General Controls
This type of control is usually the focal point of most SOC audits. IT general controls consist of policy management, logical access, change management, and physical security.
For example, user access administration controls are used so that the right people have the right access to system resources (i.e., right people & right access). These processes and the controls supporting them are IT general controls.
Another example is the organization’s change management process, which tracks and documents that changes are authorized, tested, approved, and implemented into production, and that all of these changes happen in an environment with proper segregation of duties.
IT General Controls can be a combination of manual and application controls. As such, the type of sampling to test these controls varies by control type.
Preventative & Detective Controls
In addition to the types of controls named above, internal controls are either preventative or detective in nature (note: sometimes corrective is added as a third category; however, it really should be part of detective, as in detect and correct).
All other things being equal, preventative controls are generally superior to detective controls. The reason is that it is usually easier and more cost-effective to prevent a problem before it occurs than to correct it after detection. Those implementing internal controls in their environment will be well served by implementing a combination of preventative and detective controls, with a greater focus on the former.
If the controls in the SOC audit report do not seem to fall into one of these four types, it could be that a process is being described rather than a control.
Linford & Company service auditors work carefully with the service organizations to make sure that descriptions of the controls are accurate and support the achievement of the control objectives in a SOC 1 audit examination or Trust Services Criteria (TSC) for a SOC 2 audit examination.
It’s also important to note that these definitions and descriptions work equally well for an audit of internal control in a financial statement audit, or for internal audits.
For more information check out some other Linford & Company posts that relate to this one below:
- What is an Integrated Audit? Assessing Internal Controls
- Establishing an Effective Internal Control Environment
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is currently a manager with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.