
Internal Control in an IT Environment — Manual vs Automated

## Internal Control in an IT Environment

### 1. Controls in Manual and Automated Systems

Manual system controls include:

  • Approvals and reviews of transactions
  • Reconciliation and follow-up of reconciling items

Automated system controls include:

  • Controls embedded in computer programs (application controls)
  • Combination of automated and manual elements

When automated systems are used, electronic records replace paper documents.

---

### 2. IT Benefits to Internal Control

IT enables an entity to:

| Benefit | Detail |
|---|---|
| Process large volumes | Timeliness, availability, and accuracy of information improved |
| Facilitate additional analysis | Enhances ability to monitor performance against policies |
| Reduce risk of circumvention | Segregation of duties enforced through security controls |

---

### 3. IT-Specific Risks to Internal Control

| Risk | Description |
|---|---|
| Inaccurate processing | Reliance on programs that process data inaccurately, or process inaccurate data |
| Unauthorised data access | Destruction or improper changes to data |
| Excessive access privileges | IT personnel gaining rights beyond their assigned duties |
| Unauthorised master file changes | Alterations to standing data (e.g., vendor bank accounts) |
| Unauthorised system/program changes | Modifications to systems without proper authorisation |
| Failure to update systems | Necessary changes not made to systems or programs |
| Inappropriate manual intervention | Bypassing automated controls manually |
| Loss of data / inaccessibility | Inability to access data as required |

---

### 4. Suitability: When Manual Elements Are Preferred

Manual elements are more suitable when judgement and discretion are required (e.g., evaluating customer creditworthiness, reviewing unusual transactions).

### 5. Reliability: Automated vs Manual

Manual elements are less reliable than automated ones because they can be more easily:

  • Bypassed
  • Ignored
  • Overridden

### 6. Nature of Entity's Information System

The extent and nature of IT risks depend on the characteristics of the entity's information system (IS). The entity must establish controls that respond to the risks arising from its specific IS characteristics.

---

### IFC vs IC over Financial Reporting — Key Distinction

| | Internal Financial Controls (IFC) | IC over Financial Reporting (IC over FR) |
|---|---|---|
| Source | Section 134(5)(e), Companies Act | Auditing standards |
| Scope | Orderly conduct of business, safeguarding assets, prevention/detection of fraud & errors, accuracy of accounting records, timely preparation of reliable financial information | Specifically the controls over the financial reporting process |
| Auditor's Role | Director's responsibility statement includes IFC | Auditor expresses a separate opinion on effectiveness of IC over FR (in addition to, and distinct from, the FS opinion) |

Worked example

### Example 1

IT Benefit — Segregation of Duties: A manufacturing company's ERP system is configured so that the person who creates a supplier in the vendor master file cannot also approve payments to that supplier. The system enforces this automatically — no manual monitoring needed. The auditor tests the system access controls to verify this segregation exists.

### Example 2

IT Risk — Excessive Access Privileges: An IT administrator at a company has system access that allows them to modify vendor bank account numbers in the master file AND approve payments. This combination creates a fraud risk. The auditor identifies this as a control weakness and expands substantive testing of payments.
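The access test an auditor runs for Examples 1 and 2 can be sketched in code. This is an added example, not part of the original lesson or any ERP product's API: the permission names, roles, users and audit-log events are all constructed for illustration.

```python
# Added example: names, roles, users and log events below are constructed.
# Permission pairs one user must not hold together (Examples 1 and 2).
CONFLICTS = [("vendor.create", "payment.approve"),
             ("vendor.bank.modify", "payment.approve")]

ROLE_PERMS = {  # role -> permissions it grants
    "ap_clerk": {"vendor.create", "vendor.bank.modify"},
    "ap_manager": {"payment.approve"},
    "it_admin": {"vendor.bank.modify", "payment.approve", "user.manage"},
}
USER_ROLES = {  # user -> assigned roles
    "asha": ["ap_clerk"], "ben": ["ap_manager"],
    "carl": ["it_admin"], "dina": ["ap_clerk", "ap_manager"],
}
EVENTS = [  # audit-log entries in time order
    {"user": "asha", "action": "vendor.bank.modify", "vendor": "V100"},
    {"user": "ben", "action": "payment.approve", "vendor": "V100"},
    {"user": "carl", "action": "vendor.bank.modify", "vendor": "V200"},
    {"user": "carl", "action": "payment.approve", "vendor": "V200"},
]

def effective_permissions(user_roles, role_perms):
    """Union of the permissions granted by all of each user's roles."""
    return {user: set().union(*(role_perms.get(r, set()) for r in roles))
            for user, roles in user_roles.items()}

def sod_violations(user_roles, role_perms, conflicts=CONFLICTS):
    """Map each user to the conflicting permission pairs they hold in full."""
    found = {}
    for user, perms in effective_permissions(user_roles, role_perms).items():
        hits = [pair for pair in conflicts if set(pair) <= perms]
        if hits:
            found[user] = hits
    return found

def self_approved_payments(events):
    """Approvals by a user who earlier changed that vendor's bank details."""
    changed, flagged = set(), []
    for e in events:
        key = (e["user"], e["vendor"])
        if e["action"] == "vendor.bank.modify":
            changed.add(key)
        elif e["action"] == "payment.approve" and key in changed:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    print(sod_violations(USER_ROLES, ROLE_PERMS))
    print(self_approved_payments(EVENTS))
```

The first check tests the design of access rights, including conflicts that only appear when two individually acceptable roles are combined. The second looks in the log for evidence that a conflicting combination was actually exercised.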

### Example 3

Suitability of Manual Controls: A bank's credit approval process requires a senior manager to exercise judgement on whether a large loan should be approved, considering qualitative factors. An automated credit-scoring system provides a score, but the final decision is manual. The auditor recognises that automated controls cannot fully replace this judgement-based step.

### Example 4

IFC vs IC over FR: Company ABC's directors state in their report (under Section 134(5)(e)) that IFC are adequate and operating effectively — this covers broad operational controls. Separately, the auditor is required to express an opinion specifically on whether IC over the financial reporting process is effective — this is a narrower, distinct opinion.

⚠️ Common exam mistakes

  • Thinking IT always reduces risk — IT introduces its own specific risks (e.g., data loss, unauthorised access, program errors) that manual systems do not have.
  • Confusing IFC (Section 134 Companies Act) with IC over Financial Reporting (auditing standard concept) — IFC is broader (business operations + financials); IC over FR is narrower (only financial reporting process).
  • Assuming automated controls are always better — for judgement-based decisions, manual controls may be more suitable even though they are less reliable for routine transactions.
  • Ignoring master file changes as a risk — unauthorised changes to standing data (e.g., payroll rates, vendor bank details) are a major fraud vector in IT environments.
Bare-Act text: Section 134(5)(e), Companies Act, 2013
The policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company's policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.