Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / Risk Assessment and Internal Control
Microlesson · 5-min read

Controls in an Automated Environment – General IT Controls vs Application Controls

## Controls in an Automated Environment

In entities with significant IT systems, controls fall into two broad categories:

### 1. General IT Controls (GITCs)

Controls that relate to the overall IT environment — they govern how systems are managed, maintained, and secured. They affect all applications and data.

Examples:

  • Controls over data centre and network operations
  • Controls over application system acquisition, development, and maintenance
  • Program change controls (managing changes to software)
  • Access controls, disaster recovery, backup controls

> Think of GITCs as the 'infrastructure layer' — if GITCs fail, application controls may not be reliable.

### 2. Application Controls

Controls that operate within specific applications to ensure completeness, accuracy, and validity of transactions.

Examples:

  • Reasonableness checks (e.g., system rejecting a salary of ₹0 or a negative inventory quantity)
  • Range checks, format checks, duplicate checks

### Quick Reference Table

Control DescriptionType
Reasonableness checksApplication Control
Controls over data centre and network operationsGeneral IT Control
Controls over application system acquisition, development, and maintenanceGeneral IT Control
Program change controlsGeneral IT Control

### Digital Technology in Audit

As entities digitise operations, auditors are also evolving:

  • Use of Artificial Intelligence (AI) and data analytics to understand business processes.
  • Digital audit tools help identify risks more effectively.
  • Auditors can devote greater attention to high-risk areas by automating routine procedures.

Worked example

### Example 1

Z and Associates are auditing Realton Ltd., a company digitising its manufacturing operations. They plan a digital audit.

The auditors identify the following controls:

  • The ERP system flags any purchase order exceeding ₹10 lakh without CFO approval → Application Control (reasonableness/limit check within the application).
  • The IT team follows a formal process for deploying software patches → General IT Control (program change control).
  • Network access is managed through a centralised firewall and user authentication → General IT Control (data centre and network operations).

Digital audit benefits for Realton:

  • AI tools analyse all purchase transactions (not just samples) to detect anomalies.
  • Data analytics identify unusual patterns in production cost data.
  • Auditors focus human judgment on flagged high-risk items.

⚠️ Common exam mistakes

  • Classifying reasonableness checks as General IT Controls — they are Application Controls because they operate within a specific application on specific data.
  • Thinking that program change controls protect against viruses — they govern the authorised modification of software code, which is a governance/integrity control.
  • Assuming GITCs are less important than application controls — in practice, weak GITCs undermine the reliability of all application controls built on top of them.
  • Describing digital audit only as 'using computers' — it specifically involves AI, data analytics, and risk-identification technologies that change how evidence is gathered.
Reference:
← Previous
Control Environment – Componen
Next →
Data Analytics and CAATs in Au
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic