# Categories of Controls in an Automated Environment

When an entity uses IT systems for processing financial information, the auditor must understand the layers of controls that ensure the system produces reliable data. These controls fall into three interconnected categories.

## A. General IT Controls (GITC)

General IT Controls are policies and procedures that relate to many applications and support effective functioning of application controls. They cover:

### 1. Program Change Controls

Objective: Ensure that modified systems continue to meet Financial Reporting (FR) objectives.
Activities covered: Change management process, recording, managing & tracking change requests, testing of changes before deployment.

### 2. Access Security Controls

Objective: Ensure access to data is authenticated and authorized to meet FR objectives.
Activities covered:
Security organisation and management
Security policy and procedures
Application security
Data security
Operating system security
Network security
Physical security

### 3. Application System Acquisition, Development & Maintenance

Objective: Ensure systems are developed, configured and implemented to meet FR objectives.
Activities covered: Overall management of development activities, project initiation, analysis & design, construction, testing & quality assurance, etc.

## B. Application Controls

Application controls are automated or manual controls operating at the business process level. They help ensure Completeness, Accuracy and Integrity (C-A-I) of data.

Examples:

Edit checks
Sequence number checks
User limit checks
Reasonableness checks

## C. IT Dependent Controls

These are manual controls that make use of data produced from IT systems and applications. Because the manual control uses system-generated data, its effectiveness depends on the IT system being reliable.

## Relationship Between General IT Controls & Application Controls

These two control types are interrelated:

General IT Controls are needed to support functioning of application controls.
Both are needed together to ensure complete and accurate information processing.

> Key takeaway: Without strong GITCs, you cannot rely on application controls — even if the application control itself looks well-designed, the underlying environment may corrupt the data it operates on.

Worked example

### Example 1

Example 1 — Identify the control category:

The bank's system rejects any sale invoice where invoice number is not in sequence. Which control is this?

Answer: This is an Application Control (a sequence number check) operating at the business process level to ensure completeness of recorded transactions.

### Example 2

Example 2 — Identify the control category:

Before a developer's code is moved to production, it must be tested in UAT environment and approved by the IT manager.

Answer: This is a General IT Control — specifically a Program Change Control — ensuring modifications continue to meet FR objectives.

### Example 3

Example 3 — IT Dependent Control:

The finance manager reviews a system-generated exception report of all sales above ₹10 lakh and investigates each.

Answer: This is an IT Dependent Control — a manual review that depends on data produced by the IT system.

⚠️ Common exam mistakes

Confusing Application Controls (which operate at business-process level) with General IT Controls (which support the IT environment broadly).
Treating IT Dependent Controls as Application Controls — IT Dependent Controls are manual, not automated.
Forgetting that even strong Application Controls cannot be relied on if General IT Controls are weak.
Listing 'edit checks' as a General IT Control — edit checks are Application Controls.

Reference:

Now that you've read this — what's next?

Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.

🔥 Drill 5 Qs on this → ✍️ Adaptive practice →

Automated Environment - Categories of IT Controls

Worked example

⚠️ Common exam mistakes