## Types of Controls in an Automated Environment

There are three types of controls relevant to IT audit:

---

### 1. General IT Controls (GITC)

Definition: Policies and procedures that relate to many applications and support the effective functioning of application controls.

Key characteristics:

  • Applied commonly across multiple IT systems, applications, and business processes
  • Also known as "pervasive" controls or "indirect" controls
  • Designed to mitigate IT-specific risks at an infrastructure/environment level

Categories of GITC:

1. Data centre and network operations

2. Program change management

3. Access security

4. Application system acquisition, development, and maintenance

---

### 2. Application Controls

Definition: Controls (automated or manual) that operate at a business process level, embedded into specific IT applications.

Key characteristics:

  • Embedded in ERPs and application software
  • Ensure completeness, accuracy, and integrity of data within those systems

Examples of automated application controls:

  • Edit checks and input validation
  • Sequence number checks
  • User limit checks (transaction amount limits)
  • Reasonableness checks
  • Mandatory data fields

---

### 3. IT-Dependent Controls

Definition: Manual controls that make use of data, information, or reports produced from IT systems.

Key characteristics:

  • The control activity itself is performed manually
  • But the effectiveness depends on the reliability of IT-generated source data
  • Since they depend on IT output, they inherit IT risks

Implication for auditor: The effectiveness of both application controls and IT-dependent controls depends on GITC operating effectively.

---

### Relationship Between GITC and Application Controls

```
General IT Controls (Foundation)
        |
Application Controls (Rely on GITC)
        |
IT-Dependent Controls (Rely on Application Controls + GITC)
```

  • GITC support the functioning of application controls
  • Both together ensure complete and accurate information processing
  • If GITC fail → application controls and IT-dependent controls become unreliable

Worked example

### Example 1

Example – GITC vs Application Control: A company's 'Access Security' policy restricts who can approve purchase orders above ₹10 lakhs (GITC). Within the ERP, the system automatically blocks any PO above ₹10 lakhs unless it carries an approval flag (Application Control). If the access security policy (GITC) is weak – say, too many users have 'admin' access – then the application-level block can be circumvented, making the application control ineffective.
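The dependency in Example 1 can be sketched in code. This is an added example, not part of the original lesson or of any ERP product: the role sets, account names and purchase orders are constructed, and the function names are hypothetical. It goes slightly beyond Example 1 by also including the mandatory-field, edit and sequence checks listed earlier, and it shows an access review that surfaces the weak GITC.

```python
from dataclasses import dataclass
from typing import Optional

PO_LIMIT = 10_00_000  # 10 lakh rupees, the threshold used in Example 1
# Constructed: who the access security policy (GITC) authorises to approve
AUTHORISED_APPROVERS = {"cfo", "head_procurement"}
# Constructed: accounts that actually hold the approve right in the ERP
ERP_APPROVER_ROLE = {"cfo", "head_procurement", "admin1", "admin2", "temp_clerk"}

@dataclass
class PurchaseOrder:
    po_number: int
    vendor: Optional[str]
    amount: int
    approved_by: Optional[str] = None

def application_control(po, last_po_number):
    """Automated checks embedded in the application; returns rejection reasons."""
    errors = []
    if not po.vendor:
        errors.append("mandatory field: vendor")
    if po.amount <= 0:
        errors.append("edit check: amount must be positive")
    if po.po_number != last_po_number + 1:
        errors.append(f"sequence check: expected {last_po_number + 1}")
    # The system can only test the flag against its own role table.
    if po.amount > PO_LIMIT and po.approved_by not in ERP_APPROVER_ROLE:
        errors.append("limit check: approval required above limit")
    return errors

def excess_approver_access():
    """GITC access review: accounts holding approve rights beyond policy."""
    return sorted(ERP_APPROVER_ROLE - AUTHORISED_APPROVERS)

def approvals_outside_policy(pos):
    """POs over the limit whose approver is not authorised by policy."""
    return [po.po_number for po in pos
            if po.amount > PO_LIMIT and po.approved_by is not None
            and po.approved_by not in AUTHORISED_APPROVERS]

# Constructed sample purchase orders
SAMPLE_POS = [
    PurchaseOrder(101, "Acme", 2_50_000),
    PurchaseOrder(102, "Acme", 15_00_000, approved_by="cfo"),
    PurchaseOrder(103, "Bolt", 12_00_000),                            # blocked
    PurchaseOrder(104, "Bolt", 18_00_000, approved_by="temp_clerk"),  # passes
]
```

PO 104 passes every application check, yet `approvals_outside_policy` flags it: the application control worked as designed, and the failure sits in access security.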

### Example 2

Example – IT-Dependent Control: The Accounts Payable manager reviews a system-generated 'Vendor Dues Aging Report' every month and approves payments manually. The review is a manual control, but it depends entirely on the accuracy of the system-generated report. If the underlying data in the ERP is corrupted (e.g., due to a failed GITC like inadequate program change management), the manager's manual review becomes useless even if performed diligently.

⚠️ Common exam mistakes

  • Confusing 'IT-dependent controls' with 'application controls' – the key difference is: application controls are automated controls embedded IN the system; IT-dependent controls are MANUAL controls that use IT-generated outputs.
  • Stating that GITC operate only at the application level – they are 'pervasive/indirect' and span multiple systems and business processes.
  • Failing to mention that if GITC are ineffective, application controls and IT-dependent controls also become unreliable – this cascading dependency is a common exam point.
  • Listing only automated controls as examples of application controls – application controls can be both automated AND manual (though the automated ones are more common in ERP contexts).