
Internal Controls


CLASSIFICATION OF CONTROLS

Introduction

Internal controls related to information systems (IS) are classified into several different types.  Most IT professionals group such controls under the following five classifications:

  • Preventive, detective, and corrective controls

  • Discretionary and non-discretionary controls

  • Voluntary and mandated controls

  • Manual and automated controls

  • Application and general IS controls

The purpose of classification is to provide a method by which the significance, purpose, and cost of a control procedure can be evaluated in the context of alternative control procedures.  Each classification scheme helps one to focus on different aspects of a given control technique.  For example, the description “preventive, voluntary, manual, general control” tells the reader the following:

  • The control prevents errors from being made initially.

  • The use of the control is voluntary and could easily be changed.

  • The control is performed by a human and is, therefore, subject to human frailties.  

  • The control is general in that it addresses the environment within which other controls operate.  As such, a breakdown in the control could have far-reaching implications.

Controls are necessary to achieve specific objectives.  They are needed because things can go wrong that can negatively impact the organization.  Such negative impact can include erroneous record keeping, erroneous decision-making, excessive costs, loss or destruction of assets, business disruption, regulatory sanction, and competitive disadvantage.  Controls are needed to reduce or eliminate the causes of these situations. 

Just as one problem can result in multiple negative consequences, so can individual controls help mitigate multiple risks.  There is no one-to-one relationship between risks and controls, and one control may fit into multiple classifications.  Some controls function independently of other controls, while others only function in combination with complementary controls. 

Controls are not perfect solutions to problems but should reduce risks to an acceptable level.  In some cases, a combination of control techniques provides better protection at a lower overall cost than any single control.  For example, a control may be 90% effective, thereby allowing a 10% error rate that is not acceptable; however, a complementary control that is also 90% effective could, in combination with the first control, reduce the effective error rate to 1%, which may be acceptable.

By classifying controls and relating them to specific risks, the auditor can systematically determine the controls that are key to the proper operation of the system or function.  Control classification is important in determining the controls on which reliance is placed and how they can best be tested during an audit.  By classifying and evaluating controls as to their purpose and effectiveness, the auditor can ensure that the appropriate controls are tested and that valuable audit time is not wasted testing controls that are of little or no consequence.

 

 

Copyright © 1998 - 20004 Richard A. Chichakli, P.C. Certified Public Accountants & Information System Auditors
Last modified: February 19, 2007