Information systems and data management
The Control Classifier
Sort the control: general controls govern the whole IT environment, application controls guard one system's input, processing, and output.
How the exam words it
- -The stem describes a control and asks whether it is an IT general control or an application control.
- -It names an edit check (a limit or range test, a check digit, a validity check) and asks which input error it catches.
- -It contrasts a hash total with a financial total or a record count and asks which is a control total.
- -It asks why reliance on an automated application control depends on the strength of general controls.
The playbook
- 1Classify by scope: general controls (access, change management, operations, program development) cover the environment, while application controls are input, processing, and output checks inside one system.
- 2Map the edit check to its error: a limit or range test catches out-of-bounds values, a check digit catches transposition, and a validity check rejects unauthorized codes.
- 3Treat a hash total as a control total on an otherwise meaningless field (account numbers) used only to prove completeness, not a dollar value.
- 4Recognize that automated application controls can be relied on only when general controls over change and access are effective, so weak ITGCs undercut every application control.
The trap
Treating a strong application control as sufficient on its own. Without effective general controls over access and change, the automated control can be altered or bypassed.
How the exam varies it
The same pattern, re-skinned along these axes:
General control versus application control classificationWhich edit check: limit or range, check digit, or validityInput versus processing versus output control, and hash versus financial total
Drill this pattern
8 questions of The Control Classifier from across the AUD topics. Clear it by getting 5 right with a streak of 3.