02: Foundation - Control Types Definitions

Question 1

Control Type Dimensions (1/4)

Preventive

Timing (1/2)

Answer 1

Stops errors/fraud BEFORE they occur (blocks the action)

Example: SoD enforcement blocking conflicting access = preventive

Question 2

Control Type Dimensions (1/4)

Detective

Timing (2/2)

Answer 2

Identifies errors/fraud AFTER they occur (finds it later)

Example: Quarterly access review finding terminated users = detective

Question 3

Control Type Dimensions (2/4)

Manual

Execution (1/3)

Answer 3

Human performs entirely

(e.g., manager reviews and approves)

Question 4

Control Type Dimensions (2/4)

Automated

Execution (2/3)

Answer 4

System performs without human intervention

(e.g., system rejects duplicate invoice)

Question 5

Control Type Dimensions (2/4)

IT-Dependent Manual

Execution (3/3)

Answer 5

Human reviews system-generated output

(e.g., manager reviews exception report from system)

Most real-world controls are IT-dependent manual

Question 6

Control Type Dimensions (3/4)

Key

Significance (1/2)

Answer 6

Directly mitigates a risk of material misstatement; if it fails, financials could be wrong.

Always tested by auditors

“If control fails, could financials be materially missated?” Y = Key

Question 7

Control Type Dimensions (3/4)

Non-Key

Significance (2/2)

Answer 7

Supports key controls or mitigates lower risks; may not be tested every period

“If control fails, could financials be materially missated?” N = Non-Key

Question 8

Control Type Dimensions (4/4)

Entity-Level

Level (1/3)

Answer 8

Pervasive controls affecting entire organization

E.g., tone at top, code of conduct, IT security policy, board oversight

Question 9

Control Type Dimensions (4/4)

Process-Level

Level (2/3)

Answer 9

Controls over a specific business process

E.g., revenue cycle, payroll, procure-to-pay, etc.,

Question 10

Control Type Dimensions (4/4)

Application-Level

Level (3/3)

Answer 10

Controls embedded in application software

E.g.,input validation, automated calculations, system-enforced approvals

Question 11

Control Classification

TIMING

The 4 Dimensions Framwork (1 of 4)

Answer 11

Question to Ask: Does it STOP or FIND?

Options (2): Preventive (blocks before) / Detective (finds after)

Question 12

Control Classification

Approvals, authorizations, validations BEFORE action → ?

Memory Patterns: Timing (1/3)

Answer 12

Preventive

Approvals, authorizations, validations BEFORE action → Preventative

Question 13

Control Classification

Human reads a system report then decides → ?

Memory Patterns: Execution (1/3)

Answer 13

IT-Dependent
Manual

Human reads a system report then decides → IT-Dependent Manual

Question 14

Control Classification

System enforces automatically (no human in the loop) → ?

Memory Patterns: Execution (2/3)

Answer 14

Automated

System enforces automatically (no human in the loop) → Automated

Question 15

Control Classification

Human does it entirely (no system output involved) → ?

Memory Patterns: Execution (3/3)

Answer 15

Manual

Human does it entirely (no system output involved) → Manual

Question 16

Control Classification

Touches money directly (revenue, expenses, payroll, cash) → ?

Memory Patterns: Key vs. Non-Key (1 of 2)

Answer 16

Almost always Key

Touches money directly (revenue, expenses, payroll, cash) → Key

Ask: “If this fails, could the financial statements be wrong by a material amount?”

Question 17

Control Classification

Supporting/operational (logging, documentation, alerts) → ?

Memory Patterns: Key vs. Non-Key (2 of 2)

Answer 17

Usually Non-key

Supporting/operational (logging, documentation, alerts) → Non-key

Ask: “If this fails, could the financial statements be wrong by a material amount?”

Question 18

Control Classification

Org-wide governance, tone at top, policies → ?

Memory Patterns: Level (1 of 3)

Answer 18

Entity

Org-wide governance, tone at top, policies → Entity

Question 19

Control Classification

Embedded in software code/configuration → ?

Memory Patterns: Level (3 of 3)

Answer 19

Application

Embedded in software code/configuration → Application

Question 20

Control Classification

EXECUTION

The 4 Dimensions Framwork (2 of 4)

Answer 20

Question to Ask: Who/what does the work?

Options (3): Manual / Automated / IT-Dependent Manual

Question 21

Control Classification

SIGNIFICANCE

The 4 Dimensions Framwork (3 of 4)

Answer 21

Question to Ask: Could financials be materially
wrong if it fails?

Options (2): Key / Non-Key

Question 22

Control Classification

LEVEL

The 4 Dimensions Framwork (4 of 4)

Answer 22

Question to Ask: Where does it operate?

Options (3): Entity / Process / Application

Question 23

Control Classification

**Reviews, reconciliations, monitoring AFTER action ** → ?

Memory Patterns: Timing (2/3)

Answer 23

Detective

Reviews, reconciliations, monitoring AFTER action → Detective

Question 24

Control Classification

If the word ends in -“review,”, “reconciliation”, “monitoring”, it’s which TIMING option?

Memory Patterns: Timing (3/3)

Answer 24

Preventive

Approvals, authorizations, validations BEFORE action → Preventative

Question 25

# Control Classification Specific business cycle (revenue, payroll, procurement) → ? | Memory Patterns: Level (2 of 3)

Answer 25

Process | Specific business cycle (revenue, payroll, procurement) → Process