Learning Outcomes
After reading this article, you will be able to explain the purpose and examples of tests of controls in an IT environment, distinguish between general IT controls and information processing controls, and describe how auditors test these controls in practice. You will also recognize the relevance of IT controls to the reliability of accounting systems and audit evidence.
ACCA Foundations in Audit (FAU) Syllabus
For ACCA Foundations in Audit (FAU), you are required to understand the importance of IT controls in modern audits and how they affect audit procedures. Focus your studies on the following syllabus areas as they are directly examined under this topic:
- The purpose of tests of controls and how they relate to IT systems
- The distinction between information processing controls and general IT controls
- Objectives and examples of information processing controls (e.g. batch totals, input validation)
- Objectives and examples of general IT controls (e.g. password controls, backup procedures)
- How auditors perform and document tests of controls over IT systems
- The impact of IT controls on gathering sufficient, appropriate audit evidence
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- What is the primary difference between an information processing control and a general IT control?
- Which of the following is a general IT control?
a) Range check on data input
b) Programme access is restricted by password
c) Batch totals checked by software
d) Control account reconciliations
- True or false? Tests of controls over IT systems only involve review of IT policies, not transaction-level procedures.
- Briefly explain why auditors often use test data when performing tests of controls in computer-based systems.
Introduction
Organisations today rely on computer systems to process financial information accurately and efficiently. As a result, IT controls play a significant role in maintaining effective accounting systems. For the auditor, understanding and testing these controls is essential to obtain reasonable assurance that transactions are processed correctly and financial statements are reliable.
Testing controls over IT systems requires knowledge of control objectives, types of IT controls, and audit approaches appropriate for computer environments. This article clarifies these concepts and provides practical examples relevant to the ACCA FAU exam.
Key Term: test of control
An audit procedure designed to assess the operating effectiveness of a control in preventing or detecting and correcting material misstatements at the assertion level.
Purpose and Types of IT Controls
Modern accounting systems often rely on automated processes, with controls built into both individual applications and across the IT environment as a whole. For exam purposes, it is essential to distinguish between two main types of IT control:
Key Term: information processing control
Controls embedded in specific application systems to ensure the completeness, accuracy, and validity of transaction processing (e.g. input, processing, output, and reference file controls).
Key Term: general IT control
Controls over the wider IT environment designed to support the continued operation and integrity of all applications, including areas such as access management, backup, change management, and system development.
Information Processing Controls: Practical Examples
Information processing controls apply directly to the way data is entered, processed, and output within specific accounting applications.
Common examples include:
- Batch total checks: System calculates total of invoice amounts before and after input to confirm completeness and accuracy.
- Range checks: The software refuses payroll amounts that fall outside normal salary bands.
- Format checks: Account numbers must follow a preset structure; errors prompt a message.
- Sequence checks: Ensures all invoices have been accounted for by checking for missing or duplicate document numbers.
- Hash totals: System processes and checks control totals from non-meaningful fields (such as employee IDs) to detect missing records.
- Authorisation controls: Certain transactions (e.g. supplier payment runs) require electronic approval before processing.
- Exception reports: System automatically highlights and logs transactions that deviate from expected norms for independent review.
General IT Controls: Practical Examples
General IT controls provide a secure and reliable environment for all applications, ensuring systematic functioning and protection of information assets.
Examples include:
- Password and access controls: Access to the accounting system is limited to authorised personnel; users must change passwords regularly.
- Data backup procedures: Automated daily backups are kept offsite; restoration processes are tested periodically.
- Change management: Programme changes require approval, documentation, and testing before deployment.
- Physical security: Server rooms are locked and monitored; only IT staff have key access.
- Virus protection and firewalls: Security software is installed and updated to prevent unauthorised access and data breaches.
- Disaster recovery planning: Formal plans exist for system restoration in the event of major failures or disasters.
Audit Approach: Testing IT Controls
When testing controls in IT environments, auditors must obtain sufficient, appropriate evidence about the operation of both information processing controls and general IT controls.
Tests of controls may include:
- Enquiry and observation: Asking users about security procedures and observing their application.
- Inspection: Reviewing system logs, access reports, or documented procedures.
- Reperformance: Using special techniques such as test data to check automated controls.
- Computer-assisted audit techniques (CAATs): Running predetermined data through a client system to validate programmed controls (e.g. to check that errors are properly rejected by the system).
Tests should be documented in the audit working papers, with clear reference to the control and evidence gathered.
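The test data technique described above, applied to the range, format, sequence, batch total and hash total checks listed under information processing controls, is shown below as an added example (not part of the original article). The salary band, account number format, field names and every record in the test deck are constructed assumptions.

```python
import re
from decimal import Decimal

# Assumed control parameters, constructed for this example
SALARY_BAND = (Decimal("1000"), Decimal("9000"))
ACCOUNT_FORMAT = re.compile(r"[A-Z]{2}\d{6}")

def validate(record):
    """Programmed input controls: return the checks this record fails."""
    failures = []
    if not ACCOUNT_FORMAT.fullmatch(record["account"]):
        failures.append("format")
    if not SALARY_BAND[0] <= record["amount"] <= SALARY_BAND[1]:
        failures.append("range")
    return failures

def sequence_exceptions(doc_numbers):
    """Sequence check: return (missing, duplicate) document numbers."""
    if not doc_numbers:
        return [], []
    seen = sorted(doc_numbers)
    missing = sorted(set(range(seen[0], seen[-1] + 1)) - set(seen))
    duplicates = sorted({n for n in seen if seen.count(n) > 1})
    return missing, duplicates

def control_totals(records):
    """Batch total (amounts) and hash total (employee IDs) for a batch."""
    return (sum(r["amount"] for r in records), sum(r["emp_id"] for r in records))

def run_test_data(test_deck):
    """Auditor's reperformance: list records where the control's result
    differs from the result the auditor predicted."""
    return [(rec["doc"], expected, validate(rec))
            for rec, expected in test_deck if validate(rec) != expected]

# Constructed test deck: each record is paired with the failures the auditor expects
TEST_DECK = [
    ({"doc": 101, "emp_id": 4001, "account": "PY123456", "amount": Decimal("2500.00")}, []),
    ({"doc": 102, "emp_id": 4002, "account": "PY123457", "amount": Decimal("95000.00")}, ["range"]),
    ({"doc": 104, "emp_id": 4003, "account": "py-12", "amount": Decimal("3100.00")}, ["format"]),
    ({"doc": 104, "emp_id": 4004, "account": "PY123459", "amount": Decimal("0.00")}, ["range"]),
]

if __name__ == "__main__":
    records = [rec for rec, _ in TEST_DECK]
    accepted = [r for r in records if not validate(r)]
    print("control deviations:", run_test_data(TEST_DECK))
    print("sequence exceptions:", sequence_exceptions([r["doc"] for r in records]))
    print("submitted vs accepted totals:", control_totals(records), control_totals(accepted))
```

An empty deviations list is the evidence that the programmed controls operated as expected on the test deck; any entry in it, or an unexplained difference between submitted and accepted totals, is a deviation to record in the working papers.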
Worked Example 1.1
A retail company uses an automated sales system. Every transaction must be authorised by a barcode scan, and all daily sales are automatically posted to the general ledger. What tests of controls could the auditor perform to provide assurance that sales are not understated?
Answer:
- Inspect configuration settings to confirm that the system rejects manual entries and requires barcode scans.
- Observe sales staff at point of sale to confirm procedures are followed in practice.
- Inspect system logs for evidence of daily automated postings.
- Reperform a sequence check for sales invoices to identify any gaps.
Worked Example 1.2
An audit team is reviewing payroll. The payroll application uses batch totals and access to payroll is restricted to the HR manager and payroll clerk. How might the auditor test these IT controls?
Answer:
- Inspect access listings to confirm only authorised users can access payroll data.
- Test the batch control process by checking a sample of payroll runs for correct calculation and review of batch totals.
- Observe processing of payroll at month-end to verify that only users with suitable credentials execute payroll runs.
Exam Warning
Many students confuse general IT controls and information processing controls. Remember: general IT controls are broad (e.g., passwords, backups), while information processing controls are specific to how transactions are processed in an application (e.g., validation checks, exception reports).
Revision Tip
In the exam, be specific with examples. Instead of "access control," specify "system restricts invoice processing to authorised users confirmed by password logs."
Summary
IT controls are critical in both the design and operation of modern accounting systems. Tests of controls over IT systems provide auditors with evidence of the reliability of automated processes. Clearly distinguishing between information processing controls and general IT controls—and giving precise examples of each—is key for exam success.
Key Point Checklist
This article has covered the following key knowledge points:
- Define and explain tests of controls in the IT context
- Distinguish between information processing controls and general IT controls
- Provide practical examples of each type of IT control
- Understand how auditors test IT controls using enquiry, inspection, observation, and CAATs
- Recognise the importance of documentation as audit evidence
Key Terms and Concepts
- test of control
- information processing control
- general IT control