INTERNAL CONTROL
Manual Controls
IT-Dependent Manual Controls
IT General Control
Application Control
DEFINITION
- Performed by individuals outside of a system
- Depends on human
- Manually nag-aaudit/nagchecheck
- Rely on manual process from personnel but a portion
of the control requires some level of system
involvement
- should have a process owner. (This will facilitate the
consistent operation of these controls and avoid any
exceptions being noted within an audit report)
- Iccheck kung tama ba yung record sa hard copy docs
(manual) at yung naka-record sa system
- Rechecking or recomputation
- the focal point of most SOC audits
- are comprised of policy management, logical access,
change management, and physical security
- IT General Controls can be a combination of manual
and application controls. As such, the type of sampling
to test these controls varies by control type.
- more on access sa AIS
- Virtually any configuration setting in a system that can
be used to prevent or detect problems
- In-app controls
EXAMPLE
- Nagchecheck if tama ba yung details sa delivery oreder at yung niloload sa truck
- Matching of cash received in the firm’s bank account against a clients’ AR balance
- A system-generated report lists users that have not accessed (e.g., logged into a
system) a particular system within the past 90 days. The internal control may require
an administrator to review such reports and disable certain users whose accounts have
not been accessed within the defined 90 days, as a result.
* IT-dependent: system-generated report
* manual: administrator review of the report and disabling certain users as a result
- organization’s change management process tracks and documents that changes are
authorized, tested, approved, and implemented into production. Moreover, it helps an
organization gain assurance that changes happen in an environment where there is
proper segregation of duties
- User access administration controls are used so that the right people have the right
access to system resources (i.e., right people & right access). These processes and
the controls supporting these processes are IT general controls.
- Google G-Suite and Microsoft’s Office 365 can be configured to require two-factor
authentication (e.g., 2FA, MFA) in order for users to log in and access system
resources and data. Enabling 2FA helps prevent unauthorized users from logging in to
the system.
- the system is configured to lock out a user that enters an incorrect password after
three attempts, it has an application control that detects problems possibly associated
with unauthorized access attempts
- that the system is configured to automatically download and apply security patches or
updates to software