Control is any positive and negative action taken by management that would result in accomplishment of the organization’s goals, objectives, and mission. Controls should not lead to compulsion or become a constraint on employees. Controls should be natural and should be embedded in the organizational functions and operations. More so, controls should be accepted by the employees using or affected by them. Use and implementation of controls should be inviting, not inhibiting. Controls should be seen as beneficial from the employee’s personal and professional viewpoints.
The auditor needs to understand the control requirements of an application system or a business operation before assessing control strengths and weaknesses. In other words, there should be a basis or baseline in place (i.e., standards, guidelines, and benchmarks) prior to control measurement and assessment. In the absence of a baseline of standards, auditor’s findings, conclusions, and recommendations will be questioned and will not be accepted by the auditee.
Rarely would a single control suffice to meet control objectives. Rather, a combination of controls or complementary controls is needed to make up a whole and to provide a synergistic effect.
Complementary controls (hand-in-hand controls) have an important place in both the manual and the automated ...