CPA Exam Lab
All patterns
Information systems and data management

The Control Classifier

Sort the control: general controls govern the whole IT environment, application controls guard one system's input, processing, and output.

How the exam words it

The playbook

  1. 1Classify by scope: general controls (access, change management, operations, program development) cover the environment, while application controls are input, processing, and output checks inside one system.
  2. 2Map the edit check to its error: a limit or range test catches out-of-bounds values, a check digit catches transposition, and a validity check rejects unauthorized codes.
  3. 3Treat a hash total as a control total on an otherwise meaningless field (account numbers) used only to prove completeness, not a dollar value.
  4. 4Recognize that automated application controls can be relied on only when general controls over change and access are effective, so weak ITGCs undercut every application control.

The trap

Treating a strong application control as sufficient on its own. Without effective general controls over access and change, the automated control can be altered or bypassed.

How the exam varies it

The same pattern, re-skinned along these axes:

General control versus application control classificationWhich edit check: limit or range, check digit, or validityInput versus processing versus output control, and hash versus financial total

Drill this pattern

8 questions of The Control Classifier from across the AUD topics. Clear it by getting 5 right with a streak of 3.

Shows up in 1 ISC topic