Module 3: Types of Controls


TYPES OF CONTROLS

MODULE 3

INTERNAL CONTROLS
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
● Reliability of financial reporting
● Effectiveness and efficiency of operations
    ○ The auditor also reviews whether operations are being carried out properly
● Compliance with applicable laws and regulations
- The auditor does not design or implement the controls; the auditor only provides reasonable assurance by reviewing whether they are reliable.
- Does not give 100% assurance
- Implementing the controls and ensuring they work is a management function

LIMITATIONS OF INTERNAL CONTROLS
● Only provides reasonable assurance on achieving the business objectives
● Subject to human judgment in decision-making
● Subject to circumvention such as collusion and override of controls
    ○ Collusion - a conspiracy between two or more people
    ○ A control is useless if the people involved collude
● Controls may be assessed individually or in combination with others
    ○ Not every control can be implemented in a single organization
    ○ Ex. segregation of duties (SOD) cannot be implemented because there are too few staff → compensating controls
● Some controls encompass different business objectives
● Not all controls are relevant to the audit
    ○ Only the controls relevant to the audit should be examined
● Obtaining an understanding of controls is not sufficient to test their operating effectiveness, unless there is some automation that provides for consistent application of controls
    ○ Study the whole process; every business process has its own policies and procedures
    ○ Check that SOD is well designed
    ○ Every risk identified should have a corresponding control
    ○ A control can be well designed but still not effective, which is why it must first be tested

CONTROL ENVIRONMENT
● Set of standards, processes, and structures that provide the basis for carrying out internal control across the organization
● The Board and Management establish the "Tone at the Top" regarding internal control
● The auditor should evaluate whether management, with the oversight function, has created and maintained a culture of honesty and ethical behavior
    ○ Management philosophy - e.g., whether those who make mistakes are actually sanctioned
        ■ The most important component
● A satisfactory control environment may reduce the risk of fraud but is not an absolute deterrent of fraud
    ○ Fraud triangle
        ■ Opportunity
        ■ Pressure
        ■ Rationalization
● Operating under a weak control environment does not necessarily equate to the existence of fraud
    ○ A weak control environment does, however, create the opportunity to commit fraud
● The control environment in itself does not mitigate a material misstatement

RELEVANT ELEMENTS TO BE ASSESSED BY THE AUDITOR
● Communication and enforcement of integrity and ethical values
● Commitment to competence
● Participation by those charged with governance
● Management's philosophy and operating style
● Organizational structure
● Assignment of authority and responsibility
● Human resource policies and practices


RISK ASSESSMENT
● Dynamic and iterative process for identifying and assessing risks to the achievement of business objectives
    ○ Business objective of the organization - profit
    ○ The risk is, for example, that a debtor might not pay what they owe
● Allows an entity to consider how potential events might affect the achievement of objectives
● Management assesses events from two perspectives: likelihood and impact
    ○ Likelihood - the chance that it happens, the probability of the risk occurring
        ■ Usually presented as a percentage
    ○ Impact - the effect on the organization, usually expressed as a monetary amount
● Internal controls

CONTROL ACTIVITIES
● Process by which an enterprise strives to achieve its business objectives
● Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out
● By using professional judgment, the IS auditor should obtain an understanding of the control activities relevant to the audit

INFORMATION AND COMMUNICATION
● Management obtains and uses relevant and quality information from both internal and external sources to support the functioning of the other components of internal control
● Internal (between management and those charged with governance) and external (regulatory authorities)
    ○ The business environment changes
    ○ When there are changes, the organization must adapt
    ○ It is important that changes are communicated

MONITORING ACTIVITIES
● To assess the effectiveness of internal controls over time
    ○ Controls are not static; they can and do change
● Achieved through ongoing evaluations, separate evaluations, or a combination of the two
● May include using information from communications from external parties
● The IS auditor should understand the sources of information used in monitoring and management's basis for considering it sufficient and reliable
    ○ Check how reliable the information used by management actually is
    ○ If the data used is wrong, the basis for management's decisions is of course wrong too

CONTROL OBJECTIVES
● Objective of one or more operational area(s) or role(s) to be achieved in order to contribute to the fulfillment of the strategic goal(s) of the company
● Explicitly related to the strategy of the company
● Statements of the desired result or purpose to be achieved by implementing control activities (procedures)
● Applies to all controls (manual, automated, and combination)
● A control measure is an activity contributing to the fulfillment of a control objective

MANAGEMENT SHOULD…
● Select those that are applicable
● Decide which will be implemented
● Choose how to implement (frequency, span, automation, etc.)

INFORMATION SYSTEMS CONTROL OBJECTIVES
● Statements of the desired result or purpose to be achieved by implementing controls around information systems processes
● Comprised of policies, procedures, practices and organizational structures
● Designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, or detected and corrected
    ○ Internal control provides reasonable assurance only

SPECIFIC INFORMATION SYSTEMS CONTROL OBJECTIVES
● Safeguarding assets: information on automated systems being up to date and secure from improper access


● Ensuring system development life cycle (SDLC) processes are established, in place and operating effectively to provide reasonable assurance that business, financial and/or industrial software systems and applications are developed in a repeatable and reliable manner to assure business objectives are met
● Ensuring integrity of general OS environments, including network management and operations
● Ensuring integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives) and customer data
● Ensuring appropriate identification and authentication of users of IS resources (end users as well as infrastructure support)
● Ensuring the efficiency and effectiveness of operations (operational objectives)
● Complying with users' requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives)
● Ensuring availability of IT services by developing efficient business continuity plans and disaster recovery plans that include backup and recovery processes
● Enhancing protection of data and systems by developing an incident response plan
● Ensuring integrity and reliability of systems by implementing effective change management procedures
● Ensuring that outsourced IS processes and services have clearly defined service level agreements and contract terms and conditions to ensure the organization's assets are properly protected and meet business goals and objectives

COMPENSATING CONTROL
● An activity that, if key controls do not fully operate effectively, may help to reduce the related risk
● Can back up or duplicate multiple controls and may operate across multiple processes and risks
● A compensating control will not, by itself, reduce risk to an acceptable level
    ○ Consider a cost-benefit analysis

PREVENTIVE CONTROLS
● To stop or limit the possibility of an undesirable event
● Reduces likelihood of risk
● Ex. CCTV - can be preventive or detective
● Preventive control examples: password, security guards, fence, background check when someone applies for a job

DETECTIVE CONTROLS
● Detect the occurrence of undesirable events
● Reduces the likelihood of risk
● Ex. audit trail, audit logs, alarm system, reconciliation

DIRECTIVE CONTROLS
● Encourage desired behaviors and outcomes
● Reduces likelihood and impact
● Ex. policies and procedures, authorized personnel only, manuals, guidelines

CORRECTIVE CONTROLS
● To stop or limit the possibility of an undesirable event
● Reduces impact of risk
● Ex. fire extinguisher, sprinkler system

AUTOMATED CONTROLS

ADVANTAGES
● Consistent application of processes
    ○ It performs the same steps every time, without interruption
● Enhance timeliness, availability and accuracy of information
● Minimize circumvention of controls
● Enhances the segregation of duties

DISADVANTAGES
● Heavy reliance on defective systems
● Unauthorized access to information assets
● Failure to effect the necessary changes
● Data loss and non-availability of data
    ○ If you have no business continuity plan and rely heavily on automated controls, what happens to the business when those controls are lost?

MANUAL CONTROLS

ADVANTAGES
● Large/unusual/non-recurring transactions
● Errors which are difficult to define and anticipate (real)
● Outside scope of existing IT controls
● Monitoring the effectiveness of automated controls
    ○ This does not mean automated controls are purely computer-driven; there is still human interaction
    ○ Audit logs - still reviewed by a person
    ○ Job scheduling

DISADVANTAGES
● High volume and recurring transactions
    ○ Operational risk - the person doing the work may get tired and make mistakes
● Adequately designed automated controls can effectively address the control objectives

HARD CONTROLS
● Controls that are effected by policies, processes, and structure
    ○ Reviews
    ○ Policies
    ○ Structure
    ○ Inspections
    ○ Reconciliations
    ○ Inventory
    ○ User IDs and passwords
    ○ Limits of authority

SOFT CONTROLS
● Controls that rely on the behavior and attitude of individuals
    ○ Openness
    ○ Shared values
    ○ Commitment to competence
    ○ High expectations
    ○ Clarity
● Harder to evaluate; somewhat difficult to examine

GENERAL CONTROLS
● Internal accounting controls that are primarily directed at accounting operations—controls that concern the safeguarding of assets and reliability of financial records
● Operational controls that concern day-to-day operations, functions and activities, and ensure that the operation is meeting the business objectives
    ○ Reports should be signed off, reconciliations performed, inventory counted, etc.
● Administrative controls that concern operational efficiency in a functional area and adherence to management policies
● Organizational security policies and procedures to ensure proper usage of assets
● Overall policies for the design and use of adequate documents and records (manual/automated) to help ensure proper recording of transactions – transaction audit trail
● Procedures and practices to ensure adequate safeguards over access to and use of assets and facilities
● Physical and logical security policies for all facilities, data centers and IT resources

IS SPECIFIC CONTROLS
- The general controls should be aligned with what the IS-specific controls aim to achieve

IS CONTROL PROCEDURES
● Strategy and direction of the IT function
● General organization and management of the IT function
● Access to IT resources, including data and programs
● Systems development methodologies and change control
● Operations procedures
● Systems programming and technical support functions
● Quality assurance (QA) procedures
● Physical access controls
● BCP/DRP
● Networks and communication technology (e.g., local area networks, wide area networks, wireless)
● Database administration
● Protection and detective mechanisms against internal and external attacks
