Internal Control
Domain 1 — Information Systems Auditing Process
Definition
Internal controls are the policies, procedures, practices, and organisational structures designed to provide reasonable assurance that business objectives are achieved and undesired events are prevented, detected, or corrected. Controls are classified as preventive (stop errors before they occur), detective (identify errors after they occur), or corrective (remediate errors). IS auditors evaluate the design and operating effectiveness of internal controls to assess risk and recommend improvements.
Real-World Audit Scenario
I once audited a company that had an excellent preventive control — all payment files required dual authorisation. But nobody had ever checked whether the dual authorisation was actually enforced by the system. I tested it by requesting a single-approver payment file, and the system processed it without error. The preventive control existed on paper but had zero operating effectiveness because the system configuration had been changed during a software upgrade and nobody noticed for 14 months.
Common Exam Trap
The exam frequently tests the difference between "design" and "operating effectiveness." A control that looks good on paper but is not actually working has a design deficiency. A control that works but is not applied consistently has an operating effectiveness deficiency.