## **Learning Outcomes**

After reading this article, you will be able to explain the difference between information processing controls and general IT controls, describe their objectives, and identify typical examples of each within audit testing. You will also know how these controls support reliance on computer-based systems and be able to design relevant test procedures for the ACCA FAU exam.

## **ACCA Foundations in Audit (FAU) Syllabus**

For ACCA Foundations in Audit (FAU), you are required to understand how internal control systems are structured, with emphasis on the role and testing of IT controls in a computerised accounting environment. In particular, this article addresses:

- The distinction between information processing controls and general IT controls
- The objectives and purposes of each type of control
- Examples of information processing controls (e.g., batch totals, sequence checks)
- Examples of general IT controls (e.g., backups, password protection)
- Evaluating and testing IT controls as part of audit work

## **Test Your Knowledge**

_Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision._

1. What is the main difference between an information processing control and a general IT control?
2. Which of the following is a general IT control?
   a) Batch total verification  
   b) Bank reconciliation  
   c) Backup procedures  
   d) Sequence check on sales invoices
3. Explain why general IT controls are important even when information processing controls appear strong.
4. Give one example of a test of control you might perform to verify that password controls are operating effectively.

## **Introduction**

Modern audit work takes place in a computerised environment. The reliability of financial data depends not only on manual controls but also on the design and functioning of IT-based controls. As an auditor, you must understand how controls built into computer systems work and how to test them effectively—not just for the ACCA exam, but for professional practice. This article explains two essential categories: information processing controls and general IT controls.

## Distinguishing Control Types in IT Environments

Every computer-based accounting system depends on controls to ensure that data remains complete, accurate, and valid. These controls are grouped into two categories:

- Information processing controls: Operate at the level of specific applications (e.g., payroll, sales).
- General IT controls: Support the overall reliability and security of the computing environment (e.g., backup routines, user access management).

Understanding the difference is critical because both types must function well for an auditor to rely on data from an IT system.

> **Key Term: Information processing controls**
> Controls related to how specific transactions are processed within an IT application, ensuring completeness, accuracy, and validity of accounting data.
>
> **Key Term: General IT controls**
> Controls that support the continued reliable operation of IT systems as a whole, helping to safeguard programs, data, and hardware from loss or unauthorised change.

## Information Processing Controls

Information processing controls are built into individual accounting applications (like payroll, purchases, or sales). These controls are designed to prevent, detect, and correct errors or irregularities arising from processing transactions.

Typical objectives of information processing controls include:

- Verifying completeness and accuracy of input data
- Preventing unauthorised transactions from being processed
- Ensuring the correct processing and output of data
- Protecting the integrity of standing data files (such as employee or supplier records)

Common practical examples include:

- **Batch total checks:** Total amounts are recorded before and after processing to detect missing or extra transactions.
- **Hash totals:** Totals of non-financial data fields are compared before and after processing as a check for completeness and validity.
- **Sequence checks:** Ensuring that, for instance, all sales invoices are processed in order and none are missing or duplicated.
- **Field validation checks:** Rejecting input data that is outside permitted numeric or text ranges.
- **Authorisation checks:** Confirming that only transactions approved by appropriate personnel are processed.

### **Worked Example 1.1**

An auditor is reviewing the payroll system at EasyServe Ltd. The software requires that every payroll batch be accompanied by a batch total indicating the net amount to be paid. After processing, the output total is matched to the input. However, on one occasion, an input error caused the batch to be processed with one employee omitted.

**How does a batch total control help here, and which category of IT control is this?**

> **Answer:**
>
> The batch total check (an information processing control) detects that the output does not match the input total, indicating that a record may be missing or incorrectly processed. This prompts follow-up to identify and correct the omission.

### Testing Information Processing Controls

Tests of control for information processing controls might include:

- Inspecting system reports to confirm batch and hash totals are checked and reviewed
- Re-performing data entry with test data containing errors to ensure edits and field checks are triggered
- Tracing pre-numbered documents through the system to verify sequence checks

## General IT Controls

General IT controls apply to the wider IT environment rather than individual transactions or processes. Their main objectives are to maintain overall system integrity, ensure authorised and continuous system operation, and protect hardware and data from physical and cyber risks.

Key areas include:

- **Access controls:** Limiting system access to authorised users via passwords, user IDs, and access rights
- **Backup and recovery:** Ensuring regular backup of data and programs; maintaining recovery procedures for system failures
- **Change management:** Requiring approval, testing, and documentation of changes to programs or standing data
- **Physical security:** Preventing unauthorised physical access to computer hardware and data storage
- **IT operations controls:** Overseeing the scheduling and running of regular processes and maintaining system logs

General IT controls are fundamental—if they are weak, even strong information processing controls may be unreliable, since systems or data files could be altered or destroyed.

### **Worked Example 1.2**

A firm's audit team visits Omega Retailers, which relies on a cloud-based inventory management system. The company backs up data only monthly and stores backups on the same hard drive as the live data. Shortly after year-end, a cyber incident corrupts both the live and backup files, resulting in lost inventory records.

**Was this a failure of general IT controls or information processing controls? Explain.**

> **Answer:**
>
> This situation reflects inadequate general IT controls—particularly weak backup and recovery arrangements, and poor data storage segregation. Proper information processing controls alone would not prevent this type of data loss.

### Testing General IT Controls

Tests of control for general IT controls may include:

- Inspecting access logs and password management systems to confirm only authorised users have access
- Reviewing backup schedules and inspecting a sample backup files for completeness and safe storage
- Examining documentation showing that program changes are authorised and tested prior to implementation
- Observing physical controls over server rooms and data storage media

### **Exam Warning**

> A frequent error in exams is confusing information processing controls with general IT controls. Remember: batch totals and sequence checks relate to specific transactions (information processing), while backups and password security relate to the IT environment as a whole (general IT).

## Relationship Between Information Processing and General IT Controls

Strong information processing controls cannot compensate for weak general IT controls—if the core IT environment is not secure, any application control can be bypassed or overridden. An audit approach must therefore evaluate and, where appropriate, test both types. Only if general IT controls are adequate should reliance be placed on information processing controls.

## **Summary**

Information processing controls and general IT controls are both essential in computerised systems. Information processing controls safeguard the accuracy and completeness of data at the transaction or application level. General IT controls ensure the overarching integrity and security of the whole IT environment. Both must be tested by auditors when deciding whether to place reliance on computer-generated information.

## **Key Point Checklist**

_This article has covered the following key knowledge points:_

- Distinguish between information processing controls and general IT controls in audit contexts
- Explain the objectives and applications of both control types
- State examples of each, including batch totals (information processing) and backup procedures (general IT)
- Describe audit tests for each category of control
- Understand that effective testing requires both control types to be functioning properly

## **Key Terms and Concepts**

- Information processing controls
- General IT controls


Tests of controls - Information processing and general IT controls