Types of Controls

What are the different types of internal controls noted in a SOC audit?

There are four main types of internal controls that service organizations and their service auditors should be concerned with: manual controls, IT dependent manual controls, application controls, and IT general controls. There are innumerable variations on the specifics of controls, but these four control types are the ones service organizations and their auditors should concern themselves with.

Manual Controls: Manual controls are performed by individuals outside of a system. Examples include a supervisor's review and sign-off of a document, a bank reconciliation, or having an employee sign a privacy policy acknowledgement.

IT Dependent Manual Controls: These are similar to manual controls but require some level of system involvement. An example is a system-generated report that lists users who have not accessed a particular system within the past 90 days. The control may require an administrator to review the list and disable certain users as a result.
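An added example (not from the original article) of the IT dependent manual control described above: the system produces the 90-day inactivity report, and the administrator's decision on each listed user is recorded as evidence. The account records, field names, and the "disable"/"keep" decisions are constructed for illustration.

```python
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)

# Constructed sample export: (username, enabled, last login date or None)
SAMPLE_ACCOUNTS = [
    ("alice", True, "2024-05-20"),
    ("bob", True, "2024-01-03"),
    ("carol", True, None),          # never logged in
    ("dave", False, "2023-11-11"),  # already disabled
    ("erin", True, "2024-03-03"),   # exactly 90 days before the report date
]

def inactive_user_report(accounts, as_of):
    """System part: list enabled accounts with no login in the past 90 days."""
    cutoff = as_of - INACTIVITY_LIMIT
    report = []
    for username, enabled, last_login in accounts:
        if not enabled:
            continue  # nothing left for the reviewer to disable
        last = datetime.strptime(last_login, "%Y-%m-%d") if last_login else None
        # A login on the cutoff day itself still counts as within 90 days.
        if last is None or last < cutoff:
            report.append({"user": username, "last_login": last_login,
                           "days_inactive": (as_of - last).days if last else None})
    return report

def record_review(report, reviewer, decisions, reviewed_on):
    """Manual part: one decision per listed user (assumed values: disable/keep)."""
    missing = [r["user"] for r in report if r["user"] not in decisions]
    if missing:
        # An incomplete review is not evidence that the control operated.
        raise ValueError(f"no decision recorded for: {missing}")
    return [{**r, "decision": decisions[r["user"]], "reviewer": reviewer,
             "reviewed_on": reviewed_on.date().isoformat()} for r in report]

if __name__ == "__main__":
    as_of = datetime(2024, 6, 1)
    report = inactive_user_report(SAMPLE_ACCOUNTS, as_of)
    decisions = {"bob": "disable", "carol": "keep"}
    for row in record_review(report, "admin1", decisions, as_of):
        print(row)
```

The report alone is only the system-generated half; the control is complete once every listed user has a recorded decision and reviewer.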

Application Controls: These types of controls may be system configuration settings. For example, the system may be configured to lock out a user after three incorrect password attempts. As another example, the system may be configured to automatically download and apply updates to malware detection software.

IT General Controls: This type of control is usually the focal point of most SOC audits. IT general controls comprise logical access, program change, and physical security. For example, user access administration controls are used so that the right people have the right access to system resources (i.e., right people and right access). These processes and the controls supporting them are IT general controls.

In addition to the types of controls named, internal controls are either preventive or detective in nature. All other things being equal, preventive controls are superior to detective controls. It is usually easier to correct a situation before a problem occurs than to detect a problem after it happens. Those implementing internal controls in their environment will be well served by implementing preventive controls rather than detective ones.

If the controls in the SOC audit report do not seem to fall into one of these four areas, it could be that a process is being described rather than a control. Service auditors should work carefully with the service organizations to make sure that descriptions of the controls are accurate and support the achievement of the control objectives [SOC 1 (formerly SSAE 16)] or control criteria (SOC 2).

